foreign agents, partners & intermediaries: you can’t live ... · • low maturity of...


1

October 15-18, 2017 | Las Vegas, Nevada | SCCE 16th Annual Compliance & Ethics Institute

James Lord, Shareholder, Glade, Voogt, Lord & Smith

Andy Hinton, Vice President & Chief Compliance Officer, Google Inc.

Harvey Woodford, Chief Ethics & Compliance Officer, Avnet, Inc.

Xavier Oustalniol, Partner, StoneTurn

Foreign Agents, Partners & Intermediaries: You Can’t Live With Them, But You Can’t Live Without Them

2

Agenda For Interactive Presentation With Hypos

Overview of the FCPA & Associated Third Party Risks

Third Party Due Diligence in Practice

DOJ Guidance re: Evaluation of Compliance Programs

Sapin II: The French Anti-Corruption Law

Data Analytics & Risk-Based Sampling

ISO 37001 (Anti-Bribery Management Systems)


3

Overview of the FCPA & Associated Third Party Risks

4

The Foreign Corrupt Practices Act (“FCPA”)

Anti-bribery provision: Makes it unlawful to offer or make a corrupt payment to a foreign official in order to influence any act or decision of the foreign official in his or her official capacity or to secure any other improper advantage in order to obtain or retain business.

Books & Records provision: Requires corporations to:

• Make and keep books and records that accurately reflect the transactions of the corporation; and

• Devise and maintain an adequate system of internal accounting controls.


5

The FCPA prohibits knowingly making corrupt payments through third parties, agents, and intermediaries, including subsidiaries and joint venture partners.

• “Knowing” includes conscious disregard, willful blindness, and deliberate ignorance.

• “Knowledge” exists where one is aware of a high probability that a bribe would be offered or paid.

• Requires “due diligence” in dealing with third parties and knowledge of red-flag issues.

Anti-Bribery Provision – Third Party Relationships

6

• Anti-Bribery Violations:

• Individuals: Up to 5 years’ imprisonment and a fine of up to $250,000 (or twice the benefit defendant sought to obtain)

• Companies: Fines of up to $2 million per violation

• Books & Records Violations:

• Individuals: Up to 20 years’ imprisonment and a fine of up to $5 million

• Companies: Fines of up to $25 million per violation

• Collateral Consequences:

• Debarment from government contracts

• Ineligible to obtain export licenses

• Private cause of action for treble damages

FCPA Penalties


7

• Companies face liability for third parties acting on their behalf

• 90%+ of reported FCPA cases involve third-party intermediaries

• 2017 FCPA Cases Involving Third Parties

◦ Halliburton (July 2017): Engaged local supplier in Angola with ties to government official with authority to approve business deal

◦ Orthofix (January 2017): Used high discounts and improper payments through commercial reps and distributors to induce doctors under government employment to use Orthofix’s products

◦ Cadbury and Mondelēz (January 2017): Subsidiary paid a consultant to obtain government licenses and approvals for a chocolate factory in India

◦ Sociedad Quimica y Minera de Chile S.A. (SQM) - SQM, a Chilean-based chemical and mining company, charged with violating FCPA by making nearly $15 million in improper payments to Chilean political figures and others connected to them through entities posing as legitimate SQM vendors.

◦ Biomet - In connection with its second FCPA violation in 5 years, Biomet continued to interact and improperly record transactions with a known prohibited distributor in Brazil, and used a third-party customs broker in Mexico to pay bribes to customs officials to facilitate the importation and smuggling of unregistered and mislabeled dental products.

Can’t Live With Them…

8

• Use of third-party intermediaries is a business necessity

• But CEB 2015 Third-Party Research suggests compliance challenges:

• Low maturity of third-party risk management

• 40% of total compliance risk attributed to third parties

• Median organization works with 5,000 third parties

• Average of 17 business days to complete due diligence

• Small minority of third parties are subject to compliance due diligence (1-25%)

Can’t Live Without Them!


9

SCENARIO:

• Your company is bidding on a public contract in a high-risk emerging market.

• The law on public procurement consists of a single statute that established a complex public bidding process plus a variety of government decrees, circulars and official guidance letters.

• Due to the detailed and complex legal process, you determine the company needs assistance navigating the public procurement process.

• A local contact familiar with the process strongly recommends a specific consultant to help avoid problems commonly encountered by foreign companies.

• The local consultant seems established, has a reputation for “getting things done” and appears to have a good relationship with the procuring agency’s procurement director.

• You have been unable to find any adverse information in public database or media searches.

• You cannot identify any other recommended consultants to use in that country.

Any concerns or red flags?

Recommendations to get comfortable?

Only Show in Town

10

SCENARIO:

• You have been offered a deal in an emerging market with a joint venture company consisting of JV Partner #1 (the operating partner) and JV Partner #2 (the operating partner’s funder).

• JV Partner #2 is a venture capitalist that JV Partner #1 (the operating partner) has declined to give you further information on, claiming they are a passive investor who insists on anonymity.

• Amounts owed to you by the joint venture will be paid to your U.S.-based bank through a special fund created by JV Partner #2 in their own local bank.

• JV Partner #2 will also directly pay other companies involved in the deal any amounts owed to them by the joint venture.

• JV Partner #1 (the operating partner) explains that JV Partner #2’s anonymity and this payment arrangement are conditions of the funder’s investment in the joint venture.

• No adverse information has been discovered on the identified companies, although this emerging market has a high-risk CPI rating per Transparency International.

Do you need to know the full identity of JV Partner #2 (the funder)?

What other controls or measures, if any, can you take if you do not know who the funder is?

Who’s On First?


11

SCENARIO:

• You discover that the principal of your strategic partner in a certain emerging market was convicted of “corruption against the people” and tax fraud several years ago.

• Your partner has a long history of conducting business with political opponents of the country’s ruling party and claims the charges and conviction were politically motivated.

• The country’s ruling party has been known to trump up charges against political opponents, but this country is also considered high-risk for corruption.

• Your business leaders insist that the partner is trustworthy and is simply the victim of political fighting.

What can you do to help assess whether the past convictions were politically motivated or evidence of actual corruption?

How can you manage situations where the local business leaders do not agree with your risk assessment? Who makes the final decision?

Corruption History v. Mere Politics

12

BREAK (10 minutes)


13

Third Party Due Diligence in Practice

14

“Risk-based due diligence is particularly important with third parties and will also be considered by DOJ and SEC in assessing the effectiveness of a company’s compliance program.” DOJ FCPA Resource Guide (Nov. 2012).

What do regulators expect to see?

• Reasonable Risk Based Approach

• Higher the Risk = Higher Level of Due Diligence

• Consistent Application of Process

• Documentation

• Periodic Review

Third-Party Relationships: Assessment of Risk


15

World Economic Forum Good Practice Guidelines on Conducting Third-Party Due Diligence (2013)

• “I am confident that my agent, reseller, supplier etc. does not make corrupt payments, and that our business relationship is a normal, legitimate one. I can explain to, and convince others why my confidence is justified.”

• “This means making appropriate inquiries to determine whether an organization’s existing or prospective third parties are honest and can be reasonably expected to refrain from corruption. The higher the risk, the broader and deeper the third-party due diligence should be.”

Third-Party Relationships: “The Standard?”

16

Automating Third-Party Due Diligence: One Solution


17

18

SCENARIO:

• Your screening of a potential new reseller discovers media reports of an ongoing government corruption investigation involving a 15% owner of the reseller company.

• This 15% minority owner had other business dealings with the local government through a separate company, and is alleged to have conspired with government officials to purchase prime public land at below-market values.

• In addition to being a minority shareholder, the 15% owner is also one of the corporate directors of the reseller company.

• You are not sure what role that 15% owner has in directing or overseeing the reseller’s business.

What further due diligence would be prudent to do, and on whom?

Are there any mitigating measures that might get you comfortable with doing business with the reseller company?

Mitigating Measures


19

SCENARIO:

• You have a potential distribution deal with a local partner in a high-risk emerging market where local law requires foreign businesses to partner with a local company.

• You have no experience with the potential new partner, so decide to conduct due diligence.

• Public database and media screening reveals commercial disputes by the partner’s shareholders in other countries involving claims of counterfeiting by one claimant and breach of contract by another claimant.

• Enhanced due diligence reveals a complex ownership structure, with no single person or company owning the majority of the potential partner company.

• You learn that the potential partner company was only formed in this emerging market a year ago and does not have an established business history in this market.

• You learn that the potential partner has a local office in the country, a legal requirement for this type of business venture.

Is further “boots on the ground” diligence appropriate?

If so, what type of “boots on the ground” diligence would you recommend?

How Much Due Diligence Is Enough?

20

DOJ Guidance re: Evaluation of Compliance Programs


21

In 2017, DOJ published comprehensive and consolidated guidance on how it would evaluate the effectiveness of a corporate compliance program in the context of a criminal matter, providing detailed analysis of its expectations in such areas as:

• Analysis and Remediation of Underlying Misconduct

• Ethical Leadership from Senior and Middle Management

• Autonomy and Resources of the Compliance Function

• Compliance Policies and Procedures

• Risk Assessment

• Training and Communications

• Confidential Reporting and Investigations

• Compliance-related Incentives and Disciplinary Measures

• Continuous Improvement, Periodic Testing and Review

• Third-Party Management

• Mergers and Acquisitions

DOJ Guidance re: Evaluation of Compliance Programs

22

SCENARIO:

• You lead an Ethics and Compliance program at a small multi-national hardware manufacturing business.

• You organizationally report to the head of Internal Audit, who in turn reports to the CFO, who in turn reports to the CEO of your business.

• An internal investigation in response to a helpline concern has confirmed that an intermediary engaged by the VP of Sales at your Angola division (who reports directly to your CEO) has made improper payments to an Angolan government official in order to receive the official's support in permitting the importation of your newest hardware component into Angola for sale to consumers.

• You are considering recommending disclosure of the matter to the DOJ as part of its “Pilot Program”, but you are aware of the DOJ’s recent guidance on the evaluation of corporate compliance programs and are concerned that your program may not meet a number of the expectations outlined by the DOJ in that guidance.

What do you do now?

What might you have done earlier in anticipation of this situation?

Nobody’s Perfect


23

Sapin II: The French Anti-Corruption Law

24

• Companies (groups) with operations in France, over 500 employees and more than €100 million in revenue (consolidated)

• Issued in December 2016 and effective now, in regard to a number of provisions (since June 2017)

• Decrees issued:

• March – Functioning of the Agence Française Anti-corruption (“AFA”)

• April – Implementation of whistleblower provisions

Sapin II – The French Anti-Corruption Law


25

Overview of provisions

• Creation of the AFA (70 employees and a budget of €10 – €15 million).

• Companies must implement:

◦ Anti-corruption assessment processes, including prioritization of risks and mapping to controls based on the markets and industries in which the company operates;

◦ Internal and external accounting controls relied upon by the company to prevent books and records from being used to conceal corrupt activities;

◦ Code of conduct and clarity of policies against corruption and influence peddling;

◦ Internal alert process for employees to report violations of the code of conduct;

◦ Vendor, client and other third-party vendor management, including corruption risk assessment and diligence;

◦ Training of management and employees exposed to risk of corruption and influence peddling; and

◦ Disciplinary process to sanction violators.

• AFA can use professionals and experts – they are bound by secrecy

• Potential criminal consequences for management for failure to remediate, prison / fines

• DPA “à la Française” – fines are capped and built into the law

• Whistleblower provisions – unlike the U.S. in some respects

Sapin II – The French Anti-Corruption Law

26

“A physical person who reveals or signals, without personal interest and in good faith, a crime or misdemeanor regarding, or a grave and flagrant violation of which he or she became aware, of an international commitment ratified or approved by France, […], the law or regulation, or the threat of a grave prejudice to the public.”

• Anti-corruption AND other violations.

• Effective date to implement whistleblower internal reporting process – 6/1/2017

• Reporting is a 3 step process:

1. Internal first - required (could be a hotline firm/lawyers)

2. Authorities - if no action is taken within a “reasonable delay” (judiciary, AMF, ACPR)

3. Third the press/the public – if all else fails, after a 3-month period, if no action has been taken

• No financial incentives for whistleblowers to report wrongdoing; in fact, the whistleblower should act without any self-interest.

• Anonymity and confidentiality must be provided

• Personal data governed and authorized by CNIL

• In case of wrongful termination, the State may financially support the whistleblower

Sapin II – Whistleblower Provisions


27

SCENARIO: Your company is a U.S. manufacturer of airplanes with operations in the U.S. and in France.

• You know it is subject to the new French anti-corruption law called “Sapin II.”

• You were awarded a large contract with an African nation, and received a tip through a newly established hotline from a whistleblower located in France concerning possible commissions paid to government officials of that country through an intermediary, with the issuance of false invoices concerning a fictitious project.

What should you do? How much time do you have internally to get back to the whistleblower?

Assume the French authorities get involved, what should you do in regard to the U.S. authorities (SEC/DOJ?)

If an investigation bears out the allegations and a settlement can be reached, is there a risk for management?

Whistleblower / Lanceur d’alerte?

28

BREAK (10 minutes)


29

Data Analytics & Risk-Based Sampling

30

Use data analytics to make risk-based judgmental samples over three years of disbursement data (~60K transactions).

◦ Manual review is time consuming, requires too many resources, and can be ineffective.

Data Analytics & Risk-Based Sampling


31

Partial Use of Data Analytics to Identify High-Risk Areas

32

1. Focus on the appropriate period to test whether controls are effective.

2. Select the right locations.

3. Look at trends on an analytical basis – make sure the trends match the books!

4. Understand customs & practices and assess reasonableness.

5. Judgmentally select a sample of transactions for high-risk contracts / payment recipients.

6. Sometimes the books may be correct, even when you find something.

7. Follow through with interviews.

Risk-Based Approach


33

1. Selection of 80 disbursements for testing, with a focus on high-risk areas such as payments to / for:

a. High-risk vendors

b. Vendors not on approved list

c. Employees

d. Travel & entertainment expenses / Consulting fees

e. Seminar / conference / training expenses

Risk-Based Approach

Focus on Employees

34

Transaction Testing / Expensive Subway Fare

Typical monthly subway costs in Shanghai (~120 CNY) are a small fraction of the expenses (4,500 CNY) that had been reimbursed.


35

SCENARIO: A global company with worldwide operations in high-risk countries has annual sales of $100MM, expenses of $80MM (consisting of ~20,000 A/P transactions annually).

• Based on the risk profile of your operations, it is determined that your Shanghai subsidiary may be high risk.

• The company has a local compliance officer on staff, has uncovered corruption issues before, and is currently operating under a monitorship.

• The company uses Concur to manage travel & employee expenses.

• Should you direct internal audit or other consultants to conduct a transactional review? If you do, what and how do you think they should look at the activities?

• Given the critical gatekeepers were “aware” of this scheme, how would you proceed to strengthen internal controls?

Identifying and Monitoring High-Risk Transactions

36

SCENARIO:

• A global company, in the business of building power stations, sold a 25% stake in a South African subsidiary (“Sub”) to a company called Front in 2014 for $200K.

• In 2015, Sub was awarded $6B in power station contracts in South Africa.

• In late 2016, Company repurchased 25% share of Sub from Front for $4MM.

• In reviewing the books & records of the South African subsidiary, you noticed a consulting fee of $1.5MM to Front in 2015, plus dividend payments of $1MM to Front in 2016.

How would you proceed to determine the legitimacy of the consulting fee, dividend payments, and repurchase of shares?

You Need More Than Technology


37

ISO 37001 (Anti-Bribery Management Systems)

38

• International Organization for Standardization (ISO) released new standard 37001 in September 2016.

• A global standard for organizations to establish anti-bribery controls.

• Organizations can seek certification of compliance with this standard from an accrediting body.

• Alstom obtained the first certification under ISO 37001.

• Wal-Mart and Microsoft have announced their intent to seek such certification.

ISO 37001 (Anti-bribery Management Systems)


39

ISO 37001 requirements include, among others:

• Establishing an anti-bribery program

• Identifying role of leadership/management in enforcing the compliance program

• Requiring operational integration of processes around anti-bribery

• Monitoring the compliance program and investigating any type of misconduct

• Addressing misconduct and understanding the system shortcomings responsible for it

• Ensuring program is adequately staffed with qualified personnel and sufficient authority

• Training and resources for employees and third parties

• Reporting channels for misconduct, including anonymous reporting

• Implementation and testing of financial controls around payments

• Conducting a risk assessment

• Implementing incentives/penalties to foster ethical employee and third party conduct

• Conducting due diligence on third parties before onboarding and periodically thereafter

ISO 37001 (Requirements)

40

• Section 8.2 requires organizations to “assess the nature and extent of the bribery risk in relation to . . . business associates.”

• However, the organization “can conclude that it is unnecessary, unreasonable or disproportionate to undertake due diligence on certain categories of business associates.”

• The assessment “shall include any due diligence necessary to obtain sufficient information to assess the bribery risk.”

• The due diligence “shall be updated at a defined frequency, so that changes and new information can be properly taken into account.”

ISO 37001 (Third Parties)


41

SCENARIO:

• Your company is entering into an emerging market and has created a detailed questionnaire for prospective third-party resellers to complete and has established a set of compliance requirements to demonstrate that third party’s commitment to anti-corruption compliance.

• You believe your due diligence process is fair, well-designed and effective.

• However, a number of prospective resellers in that local market are not willing to complete your process, claiming that it is unduly cumbersome. Further, your internal sales management is under pressure to select a number of resellers for this new market quickly.

In lieu of completing your own questionnaire and risk review process, would you accept any of the following?

◦ A letter signed by their CEO providing detailed assurances about their anti-corruption compliance program coupled with strong anti-corruption language in the contract?

◦ A certification provided by a reseller from a third-party organization?

◦ Evidence that the reseller was recently certified as ISO 37001 compliant?

Is there a benefit to requiring ISO certification as an additional requirement of your third-party risk assessment process? If so, for which of your third parties?

Third-Party Certifications – Can You Trust Them?

42

Foreign Agents, Partners & Intermediaries: You Can’t Live With Them, But You Can’t Live Without Them

COMMENTS OR QUESTIONS?

October 15-18, 2017 | Las Vegas, Nevada | SCCE 16th Annual Compliance & Ethics Institute