Counting to 10, Internet Fact-Checkers, and Integrating Acquisitions

My saintly mother used to tell me that when I get upset, I should count to 10 before I opened my mouth. It saves you, she would tell me, from saying something that you don’t mean, or that will make you look stupid. This wisdom applies doubly for a writer. Just like you shouldn’t shop when you’re hungry, you shouldn’t write when you’re riled up. I ignored that advice. But thanks to the wonder that is the Internet, I always have people fact-checking my work.

To this particular fact-checker—and you know who you are—thank you for pointing out what I should have caught the first time.

On Friday, I wrote about the Nordam Group non-prosecution agreement, and how Dan Kahn and Stephen Spiegelhalter at DOJ, along with their boss Chuck Duross, plus Nordam’s counsel Carlos Ortiz all had a brain freeze and included a requirement that Nordam train all their third parties.

Turns out, it was me who had the brain freeze, not them.

I wasn’t wrong: requiring a company to train all their third parties is stupid and unrealistic. Totally unworkable.

And if that’s what the Nordam Group agreed to, that would be ridiculous. This is an example of why it’s so important that you actually read all of the NPA, not just the single paragraph that generated so much ire. If I had bothered to actually research rather than just react, I would have written something entirely different, and much more complimentary.

As it turns out, both DOJ and Nordam’s counsel were actually pretty reasonable about training. More than that…very reasonable, incredibly reasonable, perfectly reasonable. Let’s look at what the Nordam Group NPA actually requires Nordam to do vis-a-vis training.

In paragraph 8, Nordam agrees that its compliance program needs to be communicated effectively both internally and “where necessary and appropriate” to agents and business partners. This requirement comprises training employees and, “where necessary and appropriate,” training third parties. It also requires annual certifications of compliance with the training requirements signed by its internal employees and by its third parties, but again, only “where necessary and appropriate.”

In fact, I’d find it difficult to find another place where Dan, Stephen, and Chuck could have included “where necessary and appropriate” without it looking like subliminal advertising. “The company agrees to implement financial [cough…where necessary and appropriate…cough] controls that [cough…where necessary and appropriate…cough] ensure transactions will accurately [cough…where necessary and appropriate…cough] reflect….” You get the idea.

What the DOJ required of Nordam makes perfect sense, and allows for exactly the kind of flexibility I accused the Department of neglecting. I would also argue that it’s a loophole that you can drive a truck through, and I would suggest using the biggest 18-wheeler you can find, but that’s another post.

Upon reflection, and upon doing the work I should have done last Friday, I now think this was just the DOJ suggesting that training third parties is a good practice, but recognizing that third parties present their own challenges.

If I were in Chuck’s seat (or Dan’s or Stephen’s) I would likely take a different approach. I would probably require companies ensure that third parties have their own program; I wouldn’t make Nordam export their training to anyone. But the difference isn’t nearly the chasm that I thought it was on my reading of just the one paragraph—which I’ll get to in a second—that I wrote about in the last post.

We’re much closer together than I thought we were, as it turns out. Just a short hop, as it were. I can’t argue with an approach that doesn’t make it too prescriptive. The DOJ seems to recognize that each company in each market is different, and each company’s risk profile is something that can change over time. And the DOJ seems to be indicating that this is something companies should be thinking about based on what’s practical, the market risk, business risk, transaction risk, and other red flags. The DOJ is trying to thread the needle here, and does a damn fine job of it, IMHO (more H, now that I’ve actually read the thing).

As it turns out, the requirement as it’s actually written seems to prove a different one of my central contentions: that the DOJ is extremely reasonable and measured in how it prosecutes corporations.

So where does the offending paragraph from my last post come from?

In paragraph 13 of the NPA, the DOJ talks about how Nordam should integrate new acquisitions. The NPA requires Nordam to do appropriate due diligence [n.b. is “appropriate due diligence” redundant?]

It also requires that Nordam apply its policies to the new acquisition “as quickly as practicable.” Including requiring Nordam to “train directors, officers, employees, agents….” Even here, it only requires this training “promptly.”

Plus, the DOJ includes a separate qualifier: it only requires training of employees of a new acquisition “who present corruption risk to the Company.” I would suggest that this qualifier has exactly the same effect as “where necessary and appropriate” that we saw above.

I’m actually blown away at how reasonable the DOJ is being in this thing, yes? [One assumption I’m making is that this wasn’t something that the DOJ didn’t want in there, but outside counsel did. It’s possible, but I would think, unlikely]. I hear outside counsel say all the time “train everyone.” Even the DOJ isn’t saying that. The DOJ is saying that companies need first and foremost to think. Where’s the risk? How does that risk impact my operations? What’s the most reasonable way to respond to that risk?

In this context, the requirement to train all employees who present corruption risk makes perfect sense. I would suggest the DOJ could have reasonably gone further and required training every employee in a new acquisition.

This requirement isn’t about training everyone in a third party, it’s training everyone in a new acquisition. One problem that we see over and over is companies not integrating new acquisitions. Watts Water comes to mind. If that new acquisition has or initiates problematic transactions, the DOJ has little pity (and rightfully so). Requiring Nordam to integrate “as quickly as practicable” and “promptly” seems eminently fair and reasonable.

I would love to blame Dick Cassin. After all, he made the same mistake. But what’s written on my site isn’t Dick’s responsibility, it’s mine. As soon as I hit “publish,” it became my error.

So, let’s just get past this little SNAFU, shall we, and back to our regularly scheduled ranting and raving? Just better informed.

Unrealistic Expectations: Training Third Parties

Thanks to the FCPA Blog for pointing this out. I think we covered Nordam on This Week, but I glossed over the piece that Dick Cassin wrote about today.  Buried in Nordam’s non-prosecution agreement is a requirement that the company train its third parties. The company is required to:

train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to the Company, on the anti-corruption laws and the Company’s policies and procedures regarding anti-corruption laws.

Um…no.

I’m hoping that the DOJ prosecutors assigned to the case, Dan Kahn (who I know) and Stephen Spiegelhalter (who I don’t), just overlooked this. Or more likely—since I know for sure that Dan is a really smart, reasonable guy, and since they both report to Chuck Duross, who is another really smart, very reasonable guy—this was something that Nordam proposed.

It’s possible that Nordam doesn’t have a whole lot of third parties.  I’m willing to buy into that for two reasons.  First, like I said, Dan and Chuck are reasonable people: they don’t want to put a company in a position of adopting an impossible requirement.  Second, Nordam was represented by LeClair Ryan’s Carlos Ortiz.  Ortiz is the real deal, from what I can tell (I’ve never met the guy…we’re not even connected on LinkedIn), and LeClair Ryan had the incredible intelligence to hire Mike Volkov, so it’s a firm that has its head on straight.

But what Nordam agreed to?  Training everyone?

Um…no.

This is such a misguided requirement. I sincerely hope it doesn’t become a part of DPAs and NPAs going forward.

Let’s take a step back from training third parties for a moment. Let’s talk about audit rights. Because I see in the training requirement the same drawbacks that I see in audit rights.

Audit rights come in two forms, when-something-goes-wrong audit rights, and once-a-year audit rights. The former I’m fine with, the latter, not so much.

Don’t get me wrong, it’s a great story, if you can pull it off. But it’s a classic example of “be careful what you wish for.” Take a moment and think about what it takes to do periodic audits of your third parties. This might actually be easier for smaller companies to pull off than larger ones. Because for larger ones, it’s a nightmare, bordering on impossible. Actually, I’m temporizing. It’s not bordering on impossible, it is impossible.

Some larger companies have literally a hundred thousand third parties. Or more. Putting aside the actual work of sending people to 100,000 companies around the globe, how about just the administrative burden of arranging the audits, collating the results, analyzing the results, deciding on action plans. Just collecting the list takes time, a lot of time.  It took Tyco more than 6 months just to pull together a preliminary list that was 1/8 of the final list.  Plus the follow-up on any management action plans that results from the audits. Consequence management for companies that fail to implement or successfully implement action plans. Or for companies that fail to allow audits. Following up to make sure that issues aren’t recurring. Just think about all the electronic detritus that would be generated from auditing 100,000 companies every year.

Ah…I hear you. If done right, it wouldn’t be 100,000. You’d risk-rate the third parties. No reason to audit the people from whom you buy copier paper, right? First, that assumes you get competent advice from outside counsel on how to properly risk-rate anything. Asking a risk-averse industry how to risk-rate will only lead to agita. Sorry, I’ll end this foray into that particular frustration of mine.

So assuming you get good advice, you’ll actively be auditing maybe 5% of your total number of third parties (Tyco’s program had 5.6% rated high risk). So…5,000 third parties, every year. All of them the highest of the high risk. Or maybe I’m being overly risk averse myself. Let’s say 1%. So…1,000 independent companies to audit, every year. That’s 2 1/2 companies a day, every day, every year (if you go with business days, and national holidays, it’s 4 companies a day).

Oh yes, one other thing: do you have 4-5 people who are competent to even do these types of audits?  Do you have even one?

All of this, by the way, for a totally non-profit-generating activity, which will have the gratuitous side effect of pissing off your suppliers, distributors, and agents.

Now let’s transition the topic back to training. You have 1,000 companies to train. Who do you train in those companies? Everyone? “Directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof”?  How do you even figure out who the “relevant” employees are?  How do you ensure that your high-risk partner is training the right people?  Who pays?  How do you monitor? What’s the consequence management program? What do you do if the third party says no?

That’s a serious consideration, by the way. Sure, sometimes, it’s a huge corporation whose business is so important to the third party that the huge company can pretty much force the smaller company to do anything they want. Including training.

But sometimes it’s a huge company contracting with another huge party. How do you enforce your training requirement on, say, Hewlett-Packard? Or Siemens, for that matter? Do you require HP to train all of its 300,000 employees? Do you accept their training program? How do you evaluate their training program to see if it meets your standards? Do you require American Express to put their board members through your training? Ursula Burns, the CEO and Chairman of Xerox is on there. What about Microsoft? Are you going to require Microsoft to go through training? Their Board?

The ability to get anyone to train is heavily dependent on your bargaining position. Nordam is a big company in its space, so perhaps it has negotiating power. But what about smaller companies? How are they supposed to get their larger distributors to agree to training?

By the way, the companies you’re required to train are the same companies you’re going to audit.  Control fatigue, anyone?

It’s an impossibly complicated task, just that one little paragraph. The company has overpromised, in my opinion.

Let’s hope this doesn’t become SOP for the DOJ, like the FCPA Blog thinks it’s going to.

Why I Hate The Case Against Walmart

For long-time readers, this post will take a familiar tone: you’re all wrong.

The FCPA Unit in the Fraud Section has a lot to do.  At last count, there were over 80 companies facing FCPA investigation (all publicly disclosed), including HP, Avon, Weatherford, Ingersoll-Rand, News Corp., Archer Daniels Midland, and lots more.  Household names.  Plus, of course, Walmart.

I’ve advocated harsher penalties for corporations, and I’m second to only one (Alexandra Wrage) in my distaste for bribery.

But I hate the Walmart case.

In my humble opinion, Walmart should get a nominal fine via an NPA.
Maybe $2 million.  Something like that.  I’d prefer less—maybe a declination with undertakings? Totally private?—but I can’t see it happening.

You’d think I’d be salivating over the prospect of Walmart getting a massive fine.  It’s a huge US multinational company which went overseas and bribed government officials in order to gain an improper advantage for the purpose of obtaining or retaining business.  Straight out of 15 USC sec. 78dd-1(a). And like I said, I’ve advocated for larger fines.

Why do I hate the Walmart case so much?  Let’s lay it out.

1. Walmart’s Bribes Were Arguably Facilitation Payments

This is going to be fact-dependent, and no one has all the facts right now.  It’s likely even Walmart doesn’t have all the facts.  But here are some.  It’s an exception to the FCPA—not an affirmative defense; that’s important—when payments are made to secure routine government action.  The exact wording of the statute is:

Subsections (a) and (g) of this section shall not apply to any facilitating or expediting payment to a foreign official, political party, or party official the purpose of which is to expedite or to secure the performance of a routine governmental action by a foreign official, political party, or party official.

What’s important in that quote is what isn’t said: there’s no discussion of amounts, only purpose.  So the fact that some of the payments that Walmart made were high (the number I keep hearing is upwards of $250,000) is neither here nor there.  It’s what the payments were designed to get.

Here, the payments were designed to get building permits. It may be that the issuance of building permits is discretionary, but I’m guessing that it’s not so simple. There’s discretionary meaning that it’s truly a decision in contention. Like the decision to award a contract. Then there’s totally non-discretionary, like postal service. In the middle, there’s an area where something might technically be discretionary, but in reality, it’s either a rubber stamp, or it’s simply always one way. Building permits could be a case like this. It’s always worked out, as long as you wait long enough and do what you’re asked. Remember also that “obtaining permits” is one of the things specifically mentioned in the Act as falling under “routine governmental action.”

And that brings me to reason #2.

2. Walmart Didn’t Bring Its Corruption Into Mexico

There’s a reason that Mexico is #100 on the Transparency International Corruption Perceptions Index. In corporate-speak, it’s a “challenge” to do business there. In regular-person speak, I’m sorry to say that corruption is rampant. Not that I’d use the word “cesspit,” but if someone else were to, I wouldn’t correct them.

Just to give one example: if you want to get a copy of a judgment or filing, you need to tip the court clerk. This person is undeniably a government official, and you’re paying him or her money. No tip, no document. Law firms regularly pay these morditas; (“little bites”) and list them on invoices as “miscellaneous expenses.” [I’m sorry if this comes as a shock to you, and you’ve been paying—and mislabeling in your books and records—these payments].

Like I said, a challenging place to do business. I’ve never dealt with getting building permits and such in Mexico, but I’m ready to believe that there’s a “no payment, no permit” culture there. In other words, Walmart wasn’t a corrupt organization that had bribery in its DNA. It was responding to market conditions.

I can hear the cries now. No, I’m not excusing bribery. But give me a break. I’m an anti-bribery advocate, but I also like to think of myself as a realist. I don’t think a company should ever pay a bribe. But I also recognize that we’re not there yet. There are still places in the world where the wheels of business are greased by money.

Building permits in Mexico might be like that. If the only time a permit is denied is when there’s no payment, I have a hard time working up a visceral anger at the company paying it. Or thinking that the type of payment was for a discretionary benefit. I’m not saying it’s right (remember, I think Walmart should get fined something), but it’s also not the worst thing in the world.

There’s a combination aspect at work here too. I might not accept the “it’s how business gets done here” if it were a true “bribe,” as my gut interprets the word. I have a hard time seeing it as a bribe, so I’m quicker to accept the “it’s the market” excuse.

Again, I’m not saying it’s right, but I am saying that I’m going to save my anger for true bribery cases.

3. Where’s the Harm?

Anyone who has heard me speak on anti-corruption has likely heard my refrain: I hate bribery because it most heavily impacts that segment of the population that can least afford it. The poor, the disenfranchised, the marginalized, all get hit hardest. Roads deteriorate faster, buildings are built with substandard materials (some fall down, on people), small businesses can’t start up, employment rates fall, small bribes become a necessity for people who can’t afford them.

In one market, a new mother can’t get her baby from the nursery without greasing the nurse. As I’ve often said, say what you will about bribery, but can’t we all get together on the idea that “grease the nurse” shouldn’t exist as a concept? That things have gone too far?

So what was the harm to the populace in Mexico? That they can now buy quality goods at cheaper prices? Okay, in a theoretical sense, it perpetuates a culture of corruption that impacts other areas. I get it. But that’s a little too far outside the zone of causation for me to get pissed at Walmart over.

And that’s the bottom line for me. I can’t work up any visceral anger at Walmart. And if I—a person who hates bribery more than most—can’t work up anger at Walmart, I’d submit that their actions weren’t all that bad.

Two other considerations, one in each direction.

First, Walmart’s real problems, in my opinion, were in the corporate governance area rather than the bribery arena. The way the information was handled by Bentonville when it was presented to them is less than satisfactory.

But we haven’t yet criminalized lack of good corporate governance.

The result of Bentonville’s mishandling of the allegations to me should result in Walmart being given no self-disclosure credit. Maybe some undertakings to improve their investigations process. Schedule D stuff. Walmart should also revise their corporate policy to disallow facilitation payments globally.

The second consideration, which plays into why the DOJ should get out now, is something I mentioned up top: facilitation payments are not an affirmative defense, they’re an exception.

Which to me means that the burden of proof is on the government.

This is not an easy case by any stretch for the government. And Chuck Duross—who I’m assuming has taken a personal interest in the case, if not taken it over as one of his cases—is a reasonable guy. He’s not going to bring a case, or even recommend bringing a case, that he knows he can’t prove at trial.

Chuck’s integrity as a prosecutor is Walmart’s ace-in-the-hole.

It’s not going to be an easy case to make. Building permits are specifically mentioned, as I said. Even though there might be a discretionary element, that element is something that Congress had to consider before putting what they did in the statute.

And let’s not forget, for all the political pressure to be harsh on Walmart, there’s got to be a little bit of back-pressure too. After all, no one—especially not a career prosecutor—likes to have their agenda set by a newspaper, even the New York Times.

There’s a possibility there’s more to the story.  The most dangerous thing for Walmart right now, in my opinion, is the investigation they’re forced to conduct.  They might find something.  If they find actual bribery, all bets are off.

Plus, the original article was in the New York Times.  Say what you will about the Times—and I often think of subscribing just so that I can resign my subscription in protest—they set the journalistic agenda for the entire world.  So every reporter in the entire world is looking at Walmart right now. It’s like the world’s most intrusive external auditor poking through your business, without the ethical constraints. So yes, Walmart has incentive to settle. They can’t afford to let it drag on like the News Corp. case.

So both Walmart and the DOJ have good reasons to want to end this soon (like now). Let’s all do the right thing and support a fair conclusion to this fiasco.

Prosecutorial Fatalism: An Open Letter to Lanny Breuer and Chuck Duross

Dear Lanny (or, as I like to call you, Mr. Assistant Attorney General, sir) & Chuck,

Like any member of the public, I’ve been discouraged and disappointed by recent headlines in the press about FCPA prosecutions.  When I read things like “‘Foolish and Unprofessional’ Behavior Infected FCPA Prosecutions” in today’s FCPA Blog, or read about prosecutorial misconduct causing dismissals (even after guilty verdicts), or read about a massively publicized sting case reaching an ignominious end, or read about the Department bringing a case based on “gossip” where the main witness “knew almost nothing,” I feel bad, as a member of the public.

But I’m not just a member of the public.  I’m a former prosecutor, at the state and federal level.  I’m also an experienced FCPA practitioner.  And, for better or worse, I’m part of what I call the FCPA Commentariat.  I like to think this makes me particularly well-informed about FCPA enforcement.  This means, to my mind, that I have a special responsibility: I have to look at the facts of every case—and I’m constantly amazed at how many people are willing to criticize you without even trying to gather all the facts—make my own determination, and speak out, about both the good and the bad.

And, despite the thoughts of some, I’ve done both.  At the FCPA Business Roundtable, I echoed others in requesting that you make public your declination decisions.  I can’t understand why you don’t.  Obviously, the information needs to be de-identified.  But you already do that in your Opinion Releases.  Making more transparent your evaluation of compliance programs will only bring you benefits: from blunting the effort to create a legislated compliance defense to calming the business community who still maintain—rightly or wrongly—that they just want more guidance.

I’ve been critical of your failure to seek, in any case of which I’m aware, debarment from US government contracts as a penalty.  Why you’d leave that significant enforcement tool completely unused is beyond me.  Similarly, your history of structuring settlements for the apparent sole purpose of avoiding that penalty is unseemly at best.

I’ve also criticized particular settlements, most notably the Alcatel settlement.  I won’t write more because (a) I’ve already said everything I want to say on that and (b) I don’t want to aggravate myself and start ranting.  Because once I start, I would definitely start ranting again.  That settlement was so bad I can’t even think about it without getting angry.  How do you expect companies to stop bribing if you make bribery as profitable as it was for them….  Sorry.  See?

All that said, the commentary over the last two months has been over-the-top, wrong, mean-spirited, and, in some cases, just plain asinine.  I hope that you don’t forget that you’re doing G-d’s work.  I don’t harbor illusions that you’re going to stop bribery, but your work makes a positive difference.

Bribery is a blight on our moral universe.  It makes us cynical.  It does the most harm to the segment of the population able to handle it the least.  People dealing with crushing poverty should not have to pay money to get phone service, or police protection, or to avoid arrest on trumped-up charges.  Mothers should not have to grease the nurse to get their babies.  I’ve said it before, say what you will about FCPA enforcement priorities, but can we all get together on the idea that having to “grease the nurse” is bad, and should be stopped?  Roads are bad, bridges fall down, and there’s a general malaise that settles in, stinking of unfairness.

Plus, from a business perspective, it horribly distorts the markets.  It makes investment in people, products, and customer service unnecessary or irrelevant.  This directly harms consumers.

I hope you remember also that your failures get huge play in the press and via the Commentariat, but there have been many more successes than failures.  For every Lindsey case, there’re five Bonny Island cases.  For every Africa Sting case, there are Daimler, Panalpina, Bridgestone, Innospec and the individual Siemens indictments.  And yes, the ABB case too.  Nicola did an amazing job with that, all the way around.  Companies actively enhance their compliance programs because of what you do.

Your successes far outweigh your failures.  They’re not even in the same time zone.

And I take comfort that you take your failures to heart.  I don’t really know you at all, Lanny, but I’ve had the opportunity to hear Chuck speak many times, and have usually cornered him after each speaking engagement to speak with him myself.  He has always struck me, Lanny, as a guy who always wants to be a better prosecutor.  I can’t imagine the level of frustration he has to deal with when he hears criticism that is bereft of actual facts, and knows that he can’t respond.

So don’t get down, fellas.  My recommendation—not that you asked for it, but giving unsolicited advice is the province, even the duty, certainly the pleasure, of the commentariat—is to change the story.  Bring some solid, middle of the road cases.  We’re only 7 weeks into 2012, as strange as it seems.  At the end of the year, this will all be seen as a hiccup.

That said, you should also do some remedial work on file management and case preparation.  It’ll be a pain for the line prosecutors, but a little extra supervision for the next 6 months is the price you pay for making stupid mistakes that end up in a 2+2=7 equation.  You can’t help other people’s inability to add.  You can avoid giving them ammunition in the future.

And don’t forget to stay creative.  There’s a perfectly understandable impulse to only bring safe cases.  Once bitten, twice shy, as they say.  But resist that urge.  Even I recognize there won’t be another sting case for a long time, but wiretaps are still good evidence.  Bring another Travel Act case; that’ll scare the crap out of people.

And if you still feel down, just look at what’s going on in the SFO (today’s headline: Unshakable Fatalism at the SFO).  Misery loves company, and no one is saying the DOJ shouldn’t exist.  There’s always someone worse off than you.

Best Regards,

Howard