Wow, did I have a lot to say about this. Be warned: it’s long.
Case Study #4: Hospitality
I have to admit that I’ve been looking forward to this one. So much so, in fact, that I even considered going out of order. I mean, who would rather write about proportionate procedures when you can write about hospitality. Alas, I’m a rule follower, and I had to sit through writing three case study evaluations before I could write this one.
I used to abbreviate this whole area of meals, gifts, travel, and entertainment as the “thorny issues.” Because they’re plentiful, and it’s easy to cut yourself if you’re not careful.
From a compliance perspective, these types of issues present particular problems. But not insurmountable ones. In fact, just the opposite. It’s not that the questions are hard, it’s getting the business to follow the procedures. Because with the thorny issues, the business is going to yell and scream. This is where the Act’s prohibition on private-sector bribery is a pain point for the business. It’s no longer just government beneficiaries you have to control, it’s everyone. Every meal, every gift. It’s one thing to tell your Indian operations that they can’t give government officials gifts during Divali. It’s a horse of an entirely different hue to say that you can’t give any gifts to anyone. But I’m getting ahead of myself.
Case Study #4 posits an engineering firm that hosts annual events with food, tickets to sporting events, and entertainment. Private-sector attendees pay their own travel; the engineering firm pays for the government officials’ travel.
As usual, the controls suggested by the Guidance aren’t prescriptive, it’s “any or a combination.”
• Conducting a risk assessment specifically addressing hospitality
• Publishing a policy statement committing it to “transparent, proportionate, reasonable, and bona fide” hospitality
• Issuing internal guidance addressing a) that the firm’s procedures are to ensure transparency and conformity with local law; b) and with the laws that cover the official receiving the amenity; c) that hospitality is given to cement good relations and show appreciation, and to improve the image of the firm as a commercial organization, to better present its products or services, or establish cordial relations, d) that the recipient isn’t under any obligation; e) the policy should lay out criteria to be applied when deciding appropriate levels of hospitality in different circumstances; f) that hospitality for public officials should be cleared with their agency; g) approval for expenditures over certain limits; h) accounting
I have to interrupt. There’s more, and I’ll get to it in a minute, but I just can’t help myself. It takes a special paragraph about hospitality to get me nostalgic for the FCPA’s provisions on the subject. I suppose—like the FCPA Professor said at the Global Compliance Symposium—I should celebrate the fact that the UK issued guidance at all. But I have to say that if you follow the advice above, you’re going to get into trouble. Not so much because it’s bad advice, but because it’s a big gaping hole that your business partners will drive a bus full of gifts right through. It’s obvious to me after reading this “guidance” that neither the writer nor approver has ever met an actual salesperson. Someone with responsibility to meet a sales target if they wanted to feed their children. Sales people aren’t measured on compliance—and anyone who’s been around me for more than 5 minutes knows how I feel about that—but only on how much they sell; they can get a little tunnel-visioned. It’s not that they set out to give inappropriate gifts, it’s that they rationalize what they want to give as appropriate. You need controls that prevent that. But I’ll get to that too.
• regular monitoring, review, and evaluation of internal procedures
• appropriate training
There’s just too much here to talk about. An embarrassment of riches. I really don’t know where to start. Why don’t I just start by telling how I think hospitality should be handled, and you can compare and contrast.
First, all hospitality to government officials is high risk. Risk assessment done. I have a harder time with the UK Act because of the private-sector piece, and I don’t know how that’s going to be enforced. [By the way, if I were the SFO, and wanted to send a message that the times have changed, the first case I’d bring, on day 2 of the act being in force, would be a private-sector case.]
There are simple controls you can use for hospitality. I prefer different controls for meals, for gifts, and for travel.
For meals, pick a number. By “number” I mean a pre-set limit to how much can be spent on meals that include government officials. Personally, I think it better for each market to set their own number. What’s important here isn’t the number, it’s the process. If you have a market-level risk committee, use it. They should meet, decide what’s reasonable in the market (if there’s an internal limit to how much employees get reimbursed for meals in the market, take that into account), set a number as the rule, and enforce it. The decision should be reviewed annually. If you don’t have a pre-existing committee, get your country leader, your head country lawyer, your head of sales for the market, and your market compliance officer together and call it a risk committee.
Or, you can have a global number. £125 a person anywhere in the world. If you can show how you came up with the number—meaning that there was a thoughtful process, and the number isn’t totally outrageous—you will likely never get into trouble if the meal in question followed the rule. The key is reinforcing the rule at every opportunity. The difficulty here, of course, is monitoring. Ideally, your expense reimbursement system would have the capability to monitor these things. If it doesn’t, upgrade.
I’m not a fan of pre-approval for meals. There are just too many, and some are impromptu. Plus, if the UK takes the private-sector bribe sections seriously, you’re going to have a real problem getting your approval process to scale up to handle the increased volume of approval requests. This is one of my real worries about the impact of the private-sector laws: compliance controls, in most cases, are not scalable. That fact is something no one is talking about yet. But they will, because it’s the drop-off that we’re all running toward. One pitfall with no pre-approval is you can have someone get taken out regularly, like how some doctors get their lunch every day from their drug reps. I would mandate that managers must be notified of meals with government officials. Then ensure that managers get the message that repeated meals with the same government official should be monitored. Not prohibited, monitored. What you really don’t want to happen is that you prescribe rules which, because they’re too intrusive, get ignored. You’re far more likely to get into trouble that way than because you spent too much.
For travel, there are some simple rules: don’t fly relatives. No first class. No side trips. Travel cannot include more than the event (in other words, if it’s a two-day conference, the trip can’t be two weeks.) If you’re in a high-risk industry, I might include notification/approval from the agency the official works for. Lodging follows similar rules: no suites, relatives can stay in the room with the official, but no other rooms (for children, e.g.). I would also require pre-approval for all government travel. Unlike meals, travel is never impromptu. You always have lead time, usually significant.
One complication is in the event space; this is the area the case study directly addresses, remember. Corporations, especially large corporations, plan events. Conferences, etc. I believe that all conference expenses, including travel, should be handled as a group, and aggregated, and pre-approval should be required. Remember, these kinds of events have huge lead times. All event expenses should be put on a spreadsheet, including who is getting transported, how, what hotel are people staying at, entertainment during the conference, gift baskets, drawings or door prizes, etc. I don’t want to get too deep into the weeds here, but suffice it to say that there are policy decisions that need to get made, and the risk committee should be the one to make them.
Gifts are the most difficult, mainly because they’re so common. I would not require pre-approval for smaller gifts that are given for normal reasons (birthdays, Christmas, Divali, Chinese New Year, etc.). Anything under £25, go to town. Similar to meals, I would require manager notification so you can avoid the small-but-often issue. Over £25 needs active first-level manager approval, over £100 needs a VP, over £1,000 needs an SVP plus the compliance officer. Again, the dollar amounts aren’t as important as the process you went through to arrive at them. Make sure your risk committee has a discussion around what’s common in the market, what they feel the right number is, and why, and make sure someone is taking notes. Put those notes away.
Entertainment is a subcategory of gift. Tickets to sporting events (including invitations to the box at Wimbledon or to the World Cup or Formula One) are gifts, and need to go through that process. For entertainment, I would include some additional prescriptive rules, rather than change the gift process. No adult entertainment (you’d be surprised how often that question gets asked), no casinos, no tickets to Disney World. Right there, you’ve covered 70% of your entertainment risk. You have the same scalability issue here as you do with meals: there are too many of these amenities given in a year for your regular compliance team to handle.
That’s my take. [Let me be a lawyer for a second and give you my standard warning: I’m a lawyer, but I’m not your lawyer, and I’m not licensed to practice in the UK. If you want legal advice, hire someone…there are plenty of good lawyers who would love to help you structure your anti-corruption compliance program for hospitality. I’m offering you opinion commentary, not legal advice. Thanks.]
Let me finish off by returning to the advice that the UK guidance gives you.
Point 1: (if you can remember that far back) doing a risk assessment. Once again, water is wet, and thank you for that blinding glimpse of the obvious.
Point 2: publishing a policy…okay, do this. In this area, the devil is in the details, so telling you to commit to “transparent, proportionate, reasonable, and bona fide” hospitality doesn’t really move the needle, or guide. But from a beat-the-FCPA perspective, it has 24 more letters than the FCPA’s provision. Let me add that your policy should not be written by a lawyer, for a lawyer. You need salespeople involved, and marketing people, and event planning people. Figure out who your stakeholders are and get them involved in the policy writing process. Because as you draft the policy, questions will arise that require policy decisions, and you want the business to have bought into what your decisions are.
Point 3: the ridiculous internal guidance. In the field, people are looking for direction, not platitudes. Don’t say, “hospitality should be reasonable.” Say, “you can’t spend more than £125 per person on a meal.” People in the field appreciate, in my experience, the directness and guidance. (And yes, I chose that word deliberately.)
Point 4: monitoring and review. Good idea. Do this. Regularly. The monitoring piece is going to cost you money. It’s more than likely a tech build for you, which is expensive. I would try to glom onto the pre-existing expense reimbursement system, as I’ve said.
Point 5: appropriate training. Another good idea. Do lots of this. Here’s one tip: concentrate on your first-level managers here. You need these people to buy into what you’re doing. You have to explain the rationale, and explain why you’ve made the choices you have. I would have these people messaged from folks within their chain of command. Do NOT have lawyers talk to them. It should be stressed over and over that this is a business decision (another reason to have the right stakeholders in the policy-drafting stage), and responsibility falls on the managers to enforce the policy. Then, make it a metric.