Something I’m Really Excited About: FCPA TV

11 Jul

Obviously, I’m a fan of video.  I subscribe myself to numerous video podcasts: This Week in Google, iPad Today, HBR, This Week in Startups, and more.

I also have This Week in FCPA, my weekly video with Tom Fox.

Now, I’m happy to present a video podcast on iTunes: FCPA TV.

These will be shorter videos, mainly my opinions on various anti-corruption topics, plus some others thrown in occasionally.

Best. Quote. Ever.

13 Aug

Preparing for This Week in FCPA today, I came across this quote in the New York State Department of Financial Services’ Order against Standard Chartered:

You fucking Americans. Who are you to tell us, the rest of the world, that we’re not going to deal with Iranians.

This was from SBC’s Group Executive Director to its head of Compliance in New York.

In the anti-corruption space, we encounter this sentiment probably as often as the Sanctions compliance community does.

But it’s a legitimate question (if phrased, shall we say, indelicately?) Why is it okay for the US to export its foreign policy and mandate compliance by non-US institutions?

The DFS gives its answer a few paragraphs later:

In November 2008, the US Treasury Department revoked authorization for [a previously approved type of transaction] because it suspected Iran of using its banks—including [the banks Standard Chartered transacted with]—to finance its nuclear weapons and missile program. The US also suspected that Iran was using its banks to finance terror groups, including Hezb’Allah, Hamas, and the Palestinian Islamic Jihad, and engaging in deceptive conduct to hide its involvement in various other prohibited transactions, such as assisting OFAC-sanctioned weapons dealers. (emphasis mine)

It’s simple (at least to me). Because there’s no such thing anymore as “just in your country.” If what happens in your country stays in your country, you’re right, the US has no business getting involved (absent extraordinary circumstances like genocide etc.)

But honestly, the idea of an Iranian atomic weapon scares the crap out of me. If Iran is funding its program using money illicitly obtained at least partially through stripped wire transfers, whoever does that needs to stop.

Nor, I believe, is the problem exaggerated. When I was in the Bronx DA’s Office, one of the types of cases I was in charge of was video piracy. I’m talking about the counterfeit videotapes they sell on the street. The Bronx is, strangely enough, the counterfeit videotape capital of the United States, and tied for first (with Bangkok) in the World. It’s a big business, and part of what I tried to do was follow the money.

We found the money went to two different places. One was to Nigeria. The other was to Palestinian terror organizations.

So yes, I have no problem believing that Iranian nuclear ambitions are tied to stripped wire-transfer documents. There’s a reason that OFAC talks about the sanctions programs as implicating national security.

I conclude, therefore, that because the US is most certainly directly affected by Iran’s nuclear program, we do have standing to tell you that if you’re a US company, or your non-US company has US citizens in it, or is a subsidiary of a US company, then you can’t engage in certain types of financial transactions with people trying to blow up us and our allies. Sorry.

Ambitious Is Good: FCPA World Monitor

7 Aug

Via the Professor, I’ve read some posts by Rajat Soni, a lawyer who has entered the FCPA Commentariat with his FCPA World Monitor. Claiming to monitor the world is ambitious, but then again, I like ambitious.

Truth be told, I’ve read a couple of posts of Soni’s and I disagree vehemently with both of them. He sounds, in fact, like an acolyte of the aforementioned Professor. That said, and as the man once said, just because he disagrees with me doesn’t mean he’s wrong.

I’ll keep reading (I’ve already subscribed to the site via my RSS reader), if only because I like to know what the opposition is thinking. And who knows, he might trip over something and come down on the right side of an issue someday.

New voices are always welcome. Even if—maybe especially if—he disagrees with me.

By the way, when are we going to get a woman into the Commentariat? There are lots of incredible women lawyers in this space (Lucinda Low comes to mind. As do Cheryl Krause and Palmina Fava). But no one in the Commentariat (I see that Jessica Tillipman and Elizabeth Spahn are “Contributing Editors” to the FCPA Blog, but I’m talking about owning a site).

The Importance of Context

6 Aug

I talk about the importance of context in evaluating potential FCPA violations. No inappropriate behavior occurs in a vacuum. Companies who can show that they take anti-bribery seriously can easily weather an inquiry by the DOJ or the SEC.

Counting to 10, Internet Fact-Checkers, and Integrating Acquisitions

6 Aug

My saintly mother used to tell me that when I get upset, I should count to 10 before I opened my mouth. It saves you, she would tell me, from saying something that you don’t mean, or that will make you look stupid. This wisdom applies doubly for a writer. Just like you shouldn’t shop when you’re hungry, you shouldn’t write when you’re riled up. I ignored that advice. But thanks to the wonder that is the Internet, I always have people fact-checking my work.

To this particular fact-checker—and you know who you are—thank you for pointing out what I should have caught the first time.

On Friday, I wrote about the Nordam Group non-prosecution agreement, and how Dan Kahn and Stephen Spiegelhalter at DOJ, along with their boss Chuck Duross, plus Nordam’s counsel Carlos Ortiz all had a brain freeze and included a requirement that Nordam train all their third parties.

Turns out, it was me who had the brain freeze, not them.

I wasn’t wrong: requiring a company to train all their third parties is stupid and unrealistic. Totally unworkable.

And if that’s what the Nordam Group agreed to, that would be ridiculous. This is an example of why it’s so important that you actually read all of the NPA, not just the single paragraph that generated so much ire. If I had bothered to actually research rather than just react, I would have written something entirely different, and much more complimentary.

As it turns out, both DOJ and Nordam’s counsel were actually pretty reasonable about training. More than that…very reasonable, incredibly reasonable, perfectly reasonable. Let’s look at what the Nordam Group NPA actually requires Nordam to do vis-a-vis training.

In paragraph 8, Nordam agrees that its compliance program needs to be communicated effectively both internally and “where necessary and appropriate” to agents and business partners. This requirement comprises training employees and, “where necessary and appropriate,” training third parties. It also requires annual certifications of compliance with the training requirements signed by its internal employees and by its third parties, but again, only “where necessary and appropriate.”

In fact, I’d find it difficult to find another place where Dan, Stephen, and Chuck could have included “where necessary and appropriate” without it looking like subliminal advertising. “The company agrees to implement financial [cough...where necessary and appropriate...cough] controls that [cough...where necessary and appropriate...cough] ensure transactions will accurately [cough...where necessary and appropriate...cough] reflect….” You get the idea.

What the DOJ required of Nordam makes perfect sense, and allows for exactly the kind of flexibility I accused the Department of neglecting. I would also argue that it’s a loophole that you can drive a truck through, and I would suggest using the biggest 18-wheeler you can find, but that’s another post.

Upon reflection, and upon doing the work I should have done last Friday, I now think this was just the DOJ suggesting that training third parties is a good practice, but recognizing that third parties present their own challenges.

If I were in Chuck’s seat (or Dan’s or Stephen’s) I would likely take a different approach. I would probably require companies ensure that third parties have their own program; I wouldn’t make Nordam export their training to anyone. But the difference isn’t nearly the chasm that I thought it was on my reading of just the one paragraph—which I’ll get to in a second—that I wrote about in the last post.

We’re much closer together than I thought we were, as it turns out. Just a short hop, as it were. I can’t argue with an approach that doesn’t make it too prescriptive. The DOJ seems to recognize that each company in each market is different, and each company’s risk profile is something that can change over time. And the DOJ seems to be indicating that this is something companies should be thinking about based on what’s practical, the market risk, business risk, transaction risk, and other red flags. The DOJ is trying to thread the needle here, and does a damn fine job of it, IMHO (more H, now that I’ve actually read the thing).

As it turns out, the requirement as it’s actually written seems to prove a different one of my central contentions: that the DOJ is extremely reasonable and measured in how it prosecutes corporations.

So where does the offending paragraph from my last post come from?

In paragraph 13 of the NPA, the DOJ talks about how Nordam should integrate new acquisitions. The NPA requires Nordam to do appropriate due diligence [n.b. is "appropriate due diligence" redundant?]

It also requires that Nordam apply its policies to the new acquisition “as quickly as practicable.” Including requiring Nordam to “train directors, officers, employees, agents….” Even here, it only requires this training “promptly.”

Plus, the DOJ includes a separate qualifier: it only requires training of employees of a new acquisition “who present corruption risk to the Company.” I would suggest that this qualifier has exactly the same effect as “where necessary and appropriate” that we saw above.

I’m actually blown away at how reasonable the DOJ is being in this thing, yes? [One assumption I'm making is that this wasn't something that the DOJ didn't want in there, but outside counsel did. It's possible, but I would think, unlikely]. I hear outside counsel say all the time “train everyone.” Even the DOJ isn’t saying that. The DOJ is saying that companies need first and foremost to think. Where’s the risk? How does that risk impact my operations? What’s the most reasonable way to respond to that risk?

In this context, the requirement to train all employees who present corruption risk makes perfect sense. I would suggest the DOJ could have reasonably gone further and required training every employee in a new acquisition.

This requirement isn’t about training everyone in a third party, it’s training everyone in a new acquisition. One problem that we see over and over is companies not integrating new acquisitions. Watts Water comes to mind. If that new acquisition has or initiates problematic transactions, the DOJ has little pity (and rightfully so). Requiring Nordam to integrate “as quickly as practicable” and “promptly” seems eminently fair and reasonable.

I would love to blame Dick Cassin. After all, he made the same mistake. But what’s written on my site isn’t Dick’s responsibility, it’s mine. As soon as I hit “publish,” it became my error.

So, let’s just get past this little SNAFU, shall we, and back to our regularly scheduled ranting and raving? Just better informed.

Unrealistic Expectations: Training Third Parties

3 Aug

Thanks to the FCPA Blog for pointing this out. I think we covered Nordam on This Week, but I glossed over the piece that Dick Cassin wrote about today.  Buried in Nordam’s non-prosecution agreement is a requirement that the company train its third parties. The company is required to:

train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to the Company, on the anti-corruption laws and the Company’s policies and procedures regarding anti-corruption laws.


I’m hoping that the DOJ prosecutors assigned to the case, Dan Kahn (who I know) and Stephen Spiegelhalter (who I don’t), just overlooked this. Or more likely—since I know for sure that Dan is a really smart, reasonable guy, and since they both report to Chuck Duross, who is another really smart, very reasonable guy—this was something that Nordam proposed.

It’s possible that Nordam doesn’t have a whole lot of third parties.  I’m willing to buy into that for two reasons.  First, like I said, Dan and Chuck are reasonable people: they don’t want to put a company in a position of adopting an impossible requirement.  Second, Nordam was represented by LeClair Ryan’s Carlos Ortiz.  Ortiz is the real deal, from what I can tell (I’ve never met the guy…we’re not even connected on LinkedIn), and LeClair Ryan had the incredible intelligence to hire Mike Volkov, so it’s a firm that has its head on straight.

But what Nordam agreed to?  Training everyone?


This is such a misguided requirement. I sincerely hope it doesn’t become a part of DPAs and NPAs going forward.

Let’s take a step back from training third parties for a moment. Let’s talk about audit rights. Because I see in the training requirement the same drawbacks that I see in audit rights.

Audit rights come in two forms, when-something-goes-wrong audit rights, and once-a-year audit rights. The former I’m fine with, the latter, not so much.

Don’t get me wrong, it’s a great story, if you can pull it off. But it’s a classic example of “be careful what you wish for.” Take a moment and think about what it takes to do periodic audits of your third parties. This might actually be easier for smaller companies to pull off than larger ones. Because for larger ones, it’s a nightmare, bordering on impossible. Actually, I’m temporizing. It’s not bordering on impossible, it is impossible.

Some larger companies have literally a hundred thousand third parties. Or more. Putting aside the actual work of sending people to 100,000 companies around the globe, how about just the administrative burden of arranging the audits, collating the results, analyzing the results, deciding on action plans. Just collecting the list takes time, a lot of time. It took Tyco more than 6 months just to pull together a preliminary list that was 1/8 of the final list. Plus the follow-up on any management action plans that result from the audits. Consequence management for companies that fail to implement or successfully implement action plans. Or for companies that fail to allow audits. Following up to make sure that issues aren’t recurring. Just think about all the electronic detritus that would be generated from auditing 100,000 companies every year.

Ah…I hear you. If done right, it wouldn’t be 100,000. You’d risk-rate the third parties. No reason to audit the people from whom you buy copier paper, right? First, that assumes you get competent advice from outside counsel on how to properly risk-rate anything. Asking a risk-averse industry how to risk-rate will only lead to agita. Sorry, I’ll end this foray into that particular frustration of mine.

So assuming you get good advice, you’ll actively be auditing maybe 5% of your total number of third parties (Tyco’s program had 5.6% rated high risk). So…5,000 third parties, every year. All of them the highest of the high risk. Or maybe I’m being overly risk averse myself. Let’s say 1%. So…1,000 independent companies to audit, every year. That’s 2 1/2 companies a day, every day, every year (if you go with business days, and national holidays, it’s 4 companies a day).

Oh yes, one other thing: do you have 4-5 people who are competent to even do these types of audits?  Do you have even one?

All of this, by the way, for a totally non-profit-generating activity, which will have the gratuitous side effect of pissing off your suppliers, distributors, and agents.

Now let’s transition the topic back to training. You have 1,000 companies to train. Who do you train in those companies? Everyone? “Directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof”?  How do you even figure out who the “relevant” employees are?  How do you ensure that your high-risk partner is training the right people?  Who pays?  How do you monitor? What’s the consequence management program? What do you do if the third party says no?

That’s a serious consideration, by the way. Sure, sometimes, it’s a huge corporation whose business is so important to the third party that the huge company can pretty much force the smaller company to do anything they want. Including training.

But sometimes it’s a huge company contracting with another huge party. How do you enforce your training requirement on, say, Hewlett-Packard? Or Siemens, for that matter? Do you require HP to train all of its 300,000 employees? Do you accept their training program? How do you evaluate their training program to see if it meets your standards? Do you require American Express to put their board members through your training? Ursula Burns, the CEO and Chairman of Xerox is on there. What about Microsoft? Are you going to require Microsoft to go through training? Their Board?

The ability to get anyone to train is heavily dependent on your bargaining position. Nordam is a big company in its space, so perhaps it has negotiating power. But what about smaller companies? How are they supposed to get their larger distributors to agree to training?

By the way, the companies you’re required to train are the same companies you’re going to audit.  Control fatigue, anyone?

It’s an impossibly complicated task, just that one little paragraph. The company has overpromised, in my opinion.

Let’s hope this doesn’t become SOP for the DOJ, like the FCPA Blog thinks it’s going to.

FINCEN & Customer Due Diligence

1 Aug

Yesterday, the Financial Crimes Enforcement Network held an all-day meeting at the Treasury Department to discuss the new proposed rule on customer due diligence. The proposed rule requires collection of beneficial owner information.

