Schedule C, Point #3: Policies & Procedures

14 Mar

And I’m back.  I really have to increase the frequency of these Schedule C posts, don’t I.  The last one was more than a month ago.  Sorry about that.

So we’re now at point #3.  As always, I will start with the exact language of the DOJ’s language in the Alcatel-Lucent DPA schedule C.

Alcatel-Lucent will develop and promulgate compliance standards and procedures designed to reduce the prospect of violations of the anti-corruption laws and Alcatel-Lucent’s compliance code, and Alcatel-Lucent will take appropriate measures to encourage and support the observance of ethics and compliance standards and procedures against foreign bribery by personnel at all levels of the company.  These anti-corruption standards and procedures shall apply to all directors, officers, and employees and, where necessary and appropriate, outside parties acting on behalf of Alcatel-Lucent in a foreign jurisdiction, including but not limited to, agents and intermediaries, consultants, representatives, distributors, teaming partners, contractors and suppliers, consortia, and joint venture partners (collectively, “agents and business partners”), to the extent that agents and business partners may be employed under Alcatel-Lucent’s corporate policy.  Alcatel-Lucent shall notify all employees that compliance with the standards and procedures is the duty of individuals at all levels of the company.  Such standards and procedures shall include policies governing:

a.  gifts;
b.  hospitality, entertainment, and expenses;
c.  customer travel;
d.  political contributions;
e.  charitable donations and sponsorships;
f.  facilitation payments; and
g.  solicitation and extortion.

There’s a lot of stuff going on in that paragraph, so let’s spend some time first unpacking what’s in there, and then talking about what it means and how to implement it in a real way.

I’m a bit of an iconoclast—when am I not?—when it comes to policies.  I’ve seen policies that are tomes.  A hundred pages or more.  Wrong, wrong, wrong.  Policies should be short.  There is one absolute requirement for policies.  One.  Everything else is a nice-to-have.

Policies must be read.

Simple, right?  You’d think so.  But I’ve seen too many policies that are written by lawyers, for lawyers.  I’ve read policies that I couldn’t get through, and I’m not only a lawyer, but a compliance officer.  It’s like reading a badly-written brief, “party of the first part shall not, except as described in sub para (c) of section (A) and subpart (1) of the aforementioned section”…zzzz..zzzz…sorry, what was I saying?  And yes, some policies I’ve seen are that bad.

Policies should be written so that a salesperson, who has little time and less desire to read policies, will read them.  Because the DOJ will ask.  “Does your company have an anti-corruption policy?  Where can you find it?  Have you read it?” are questions you should expect.  Not of you, but of the Director of International Sales in a situation where he approved a bribe payment.  And of his direct reports.

The decisions you make within a policy are frankly much less important than whether they’re read.  The DOJ doesn’t particularly care to second-guess a corporation’s faciliation-payment-escalation path.  Or whether your global gift policy requires pre-approval for anything over $150 versus $200.  They don’t care about the decision (within wide parameters), they care about the process.

But the policy isn’t the place to discuss that.  It’s about making your policy decisions approachable to your line staff.

So let’s talk about these two things: what policy decisions do you need to make, and how do you write a policy that is readable, and read, by the line staff?

The toughest part about writing a policy isn’t the writing, it’s the pre-work.  Because 90% of policy writing is in the decisions you need to make.  Here, the DOJ makes your life easier by listing, conveniently, what you need to decide.  And to make your life even easier, I’m going to make these decisions for you.

Gifts: I don’t believe in pre-approval for gifts.  Set a limit—$200 maximum, globally—and stick with it.  There should be separate rules for senior management. That’s just the way of the world.  One way you can say it is “any gift request by a senior VP or up will be handled by the head of anti-corruption compliance or the Chief Compliance Officer.”  Or something like that.  You should monitor, too.  Run reports of the top five gift-givers every quarter.  Or require semi-annual certifications by managers, or something.  Pick any monitoring mechanism, and use it.

Hospitality, entertainment, and expenses: I don’t believe in pre-approval for these things either.  Set rules and limits.  No adult entertainment.  Yes, you need to say that, and say it explicitly.  You’d be shocked at what goes on.  When I would write policies, I would say “strip clubs.”  You need to be descriptive and obvious.  Subtlety and tact won’t work here.  No five-star hotels, so suites.  No paying for spouses or children.  I also think this is an area where each region—maybe even each market—should come up with their own limits.  “Reasonable” is a geographically moving target.  It also makes a good story that the business sets its own limits.  What hotels, what restaurants, all can be laid out in a market-level implementation.  Say that again.  “Market-level implementation.”  Repeat it, this time thinking about sitting in front of the DOJ explaining your program.  Gives you the warm fuzzies, no?

Customer Travel: this might be an exception to my “life is simpler if you don’t require pre-approval” way of thinking.  The thing about travel is that it’s usually got plenty of lead time.  Which means that, unlike meals or gifts, there’s rarely a spur-of-the-moment, I-need-it-today travel requirement.  That said, it’s just as amenable to monitoring, and there are some easy rules for travel.  No first class, no buying travel for spouses or children.

Political Contributions: Much, much more difficult.  There are a whole bunch of regulations that generally fall outside of an anti-corruption compliance officer’s purview around pay-to-play, lobbying, and political gift-giving.  I myself don’t know a whole lot about lobbying rules.  Which is strange, because one of the most common questions I get is “isn’t lobbying just bribery?”  Where I think political contributions meet the FCPA is when they’re thinly disguised bribes.  These should be prevented or detected by your current program.  But realistically, you need an expert in lobbying to assist you.  There’s no reason a company can’t contribute to the political process, both through speech and through money (yes, I know that money=speech, but still).  But you really need someone who knows more than an anti-corruption compliance officer usually does about that process.  This is especially true in the US, where local laws are sometimes pretty out there.

Charitable Donations and Sponsorships: These are tricky too.  Your controls should be around ensuring that the donation goes to the charity, not to the person, and that there are no connections to the politician.  For example, building a local elementary school is probably fine, as long as the politician’s brother-in-law isn’t the general contractor.  Capische?

Facilitation Payments: There are two problems with facilitation payments: (1) they’re often bribes, and it’s tough to tell when you’ve crossed over the line and (2) you still have to account for them correctly.  I’ve heard a lot of people complain that they want a better definition of the term.  That they don’t understand what a facilitation payment is, exactly.  Let me dispel that concern.

A facilitation payment is one that is made in order to induce a NON-DISCRETIONARY action

That’s it.  Understand what it is turns out to be much easier than identifying it in the field.  Because that element of non-discretionary action can turn on the local administrative law of the country you’re in.  And personally, I don’t know the local Azeri customs laws, to know whether a customs official is allowed to turn you away.  Plus, if you pay a facilitation payment, you have to record it correctly.  Which looks really bad.  I’ve seen companies record payments locally as one kind of payment, but then roll it up into a “legal facilitation payment” account.  My friend Manny Alas always talks about understanding your “chart of accounts.”  Again, most anti-corruption compliance officers have no idea what that is.  You need to understand how your company records payments, and how payments flow into their respective accounts.  All to understand what controls are in place to keep a payment of one type (facilitation payment) being recorded as a payment of another type (cost of sales, marketing expense, etc).

Remember, no case has been brought solely on facilitation payments, but the SEC  can much easier bring a books and records case than the DOJ can bring a bribery case.  (see, e.g., the Veraz Networks case).

Your question: do you permit facilitation payments or not.  I’ve seen two types of policies.  “No.”  And “no, but…”  I don’t know that you will ever be able to fully stop paying facilitation payments—sorry, Alexandra—but it’s a worthy effort.  When I talk about the damage that bribery does to the poorest of the population, it’s often facilitation payments that I think of.  Having to grease the nurse, as I say.

What I sometimes see—something I think is dangerous, from a programmatic perspective—is a policy that says that you can make facilitation payments, but that you have to follow some ridiculous approval path.  I’ve actually seen multinational companies that say you need approval from the General Counsel.  Seriously?  Where’s the danger?  Well, the DOJ is going to ask you two questions: how many times has that escalation path been used?  And if zero (and the answer will definitely be zero), do you think that means no facilitation payments are being made?  Because facilitation payments are definitely being made.  It reminds me of the find-the-hat story.  A sales guy has Texas as his region, and submits a T&E report that includes $54.00 for a 10-gallon hat.  The supervisor says he can’t have one, and sends back the report.  A day later, the employee submits the report again, for the same total amount, but there’s no hat on it.  He brings the report into his boss’ office, throws it down on the desk, and says “find the hat.”

When it comes to your facilitation payments policy, make it reasonable.

Solicitation and extortion: apparent opposites.  So why did the DOJ list them together?  Let’s say that a government official says to you “it would really help your application if you were to hire my sister as your lawyer.”  Pretty blatant solicitation, right?  But isn’t there a subtext here that if you don’t, your application will be rejected?  Isn’t that extortion?  Or even more blatant.  How about the Chiquita Bananas case.  They were essentially told that if they didn’t pay off the local terror organization, their banana fields would burn down.  How do you control for that?  This is simply a question of corporate willpower.  Can you say no? Can you tell that official: “we’re not comfortable with hiring your sister to represent us to your agency.  And if that delays things, so be it.”  If you aren’t willing to say that, you need to re-evaluate your commitment to anti-corruption compliance.

Once you make the decisions on these issues, the policy just lays out what you decided.  Not the why.  This makes things easy, and short.  If you want to talk about the why, do that in training.  In fact, I recommend that.

Let’s talk about that: training.  You don’t train on the FCPA.  You train on your policy.  This, more than most topics, will bring on a rant.  And it’s amazing to me how many outside counsel don’t get this.  If I see one more “FCPA” training that starts will “The FCPA was passed in 1977….”  Why would you think a business-person would care when the FCPA was passed?  You should say things like, “this company says that we’ll only spend $150 on gifts.  Let’s take a second and understand why we made that decision, and why we think it’s the right one. …”  That’s an effective training.

Back to policies: short, and in simple language.  I put something in a policy once (something my supervisor edited out…wrongly, in my opinion) that said “don’t ask for an exception, it won’t be granted.”  I liked the line.  It was clear, simple, used plain English, and was easy to understand.


Let’s end with one more issue: third parties.  Did you see up in that long paragraph about applying your standards to third parties?

These anti-corruption standards and procedures shall apply to all directors, officers, and employees and, where necessary and appropriate, outside parties acting on behalf of Alcatel-Lucent in a foreign jurisdiction, including but not limited to, agents and intermediaries, consultants, representatives, distributors, teaming partners, contractors and suppliers, consortia, and joint venture partners (collectively, “agents and business partners”), to the extent that agents and business partners may be employed under Alcatel-Lucent’s corporate policy.

Do you apply your policies to these third policies?  That’s a tough call.  I used to feel a bit of a hypocrite when I would require third parties to adopt our standards but push back when third parties required it of me.  In fact, one of the better anti-corruption compliance officers around—I won’t mention her name because I haven’t asked if it’s okay, and because I’m about to criticize her company—and I met when we were negotiating just this point.  Her company required their suppliers to sign onto their Supplier Code of Conduct.  The Code made sense for the majority of their suppliers, but was completely irrelevant to us.  And I pushed back hard.  Their metrics included how many suppliers they signed up who accepted the Code.  So I was the rock, and they were the hard place.

The point?

It’s much better to have a plan and stick with it, even if that means you don’t always do what outside counsel or your consultants say is the “best practice” of applying your program to third parties.  It’s not always necessary.  Which means that if you require it, you’re going to have some pretty ridiculous arguments saying “you must” when the person is looking at you crazy, and is right to.  You should craft a requirement that makes sense for your business and for your program.  Unless absolutely necessary, you need to discriminate, to identify which third parties you really want to apply your policy to.  One suggestion: make your third parties have their own programs.  If you have certifications, one of the things you can have the third party certify to is the existence of a robust program.  Hey, don’t knock it.  It’s just as effective as making a third party “sign onto” your policies.  This is all optics.

What isn’t optics is making sure that when you have a rule, you follow it, every time.  Requiring too much of third parties, without taking into account different cultures—both geographic and corporate—different attitudes, different capabilities, is a disaster waiting to happen.

And what else isn’t optics is making sure you draft a short, comprehensible, easy-to-get-through, easily found policy that spells out the decisions you’ve made.  Really, if you’ve thought this stuff through, and actually made decisions (and, remembering the sage advice of my This Week in FCPA colleague Tom Fox, have completely documented), you’re 80% of the way to an effective program.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: