Archive | Programmatic Issues

Counting to 10, Internet Fact-Checkers, and Integrating Acquisitions

6 Aug

My saintly mother used to tell me that when I get upset, I should count to 10 before I open my mouth. It saves you, she would tell me, from saying something that you don’t mean, or that will make you look stupid. This wisdom applies doubly for a writer. Just like you shouldn’t shop when you’re hungry, you shouldn’t write when you’re riled up. I ignored that advice. But thanks to the wonder that is the Internet, I always have people fact-checking my work.

To this particular fact-checker—and you know who you are—thank you for pointing out what I should have caught the first time.

On Friday, I wrote about the Nordam Group non-prosecution agreement, and how Dan Kahn and Stephen Spiegelhalter at DOJ, along with their boss Chuck Duross, plus Nordam’s counsel Carlos Ortiz all had a brain freeze and included a requirement that Nordam train all their third parties.

Turns out, it was me who had the brain freeze, not them.

I wasn’t wrong: requiring a company to train all their third parties is stupid and unrealistic. Totally unworkable.

And if that’s what the Nordam Group agreed to, that would be ridiculous. This is an example of why it’s so important that you actually read all of the NPA, not just the single paragraph that generated so much ire. If I had bothered to actually research rather than just react, I would have written something entirely different, and much more complimentary.

As it turns out, both DOJ and Nordam’s counsel were actually pretty reasonable about training. More than that…very reasonable, incredibly reasonable, perfectly reasonable. Let’s look at what the Nordam Group NPA actually requires Nordam to do vis-a-vis training.

In paragraph 8, Nordam agrees that its compliance program needs to be communicated effectively both internally and “where necessary and appropriate” to agents and business partners. This requirement comprises training employees and, “where necessary and appropriate,” training third parties. It also requires annual certifications of compliance with the training requirements signed by its internal employees and by its third parties, but again, only “where necessary and appropriate.”

In fact, I’d find it difficult to find another place where Dan, Stephen, and Chuck could have included “where necessary and appropriate” without it looking like subliminal advertising. “The company agrees to implement financial [cough…where necessary and appropriate…cough] controls that [cough…where necessary and appropriate…cough] ensure transactions will accurately [cough…where necessary and appropriate…cough] reflect….” You get the idea.

What the DOJ required of Nordam makes perfect sense, and allows for exactly the kind of flexibility I accused the Department of neglecting. I would also argue that it’s a loophole that you can drive a truck through, and I would suggest using the biggest 18-wheeler you can find, but that’s another post.

Upon reflection, and upon doing the work I should have done last Friday, I now think this was just the DOJ suggesting that training third parties is a good practice, but recognizing that third parties present their own challenges.

If I were in Chuck’s seat (or Dan’s or Stephen’s) I would likely take a different approach. I would probably require companies to ensure that third parties have their own program; I wouldn’t make Nordam export their training to anyone. But the difference isn’t nearly the chasm that I thought it was on my reading of just the one paragraph—which I’ll get to in a second—that I wrote about in the last post.

We’re much closer together than I thought we were, as it turns out. Just a short hop, as it were. I can’t argue with an approach that doesn’t make it too prescriptive. The DOJ seems to recognize that each company in each market is different, and each company’s risk profile is something that can change over time. And the DOJ seems to be indicating that this is something companies should be thinking about based on what’s practical, the market risk, business risk, transaction risk, and other red flags. The DOJ is trying to thread the needle here, and does a damn fine job of it, IMHO (more H, now that I’ve actually read the thing).

As it turns out, the requirement as it’s actually written seems to prove a different one of my central contentions: that the DOJ is extremely reasonable and measured in how it prosecutes corporations.

So where does the offending paragraph from my last post come from?

In paragraph 13 of the NPA, the DOJ talks about how Nordam should integrate new acquisitions. The NPA requires Nordam to do appropriate due diligence [n.b. is “appropriate due diligence” redundant?]

It also requires that Nordam apply its policies to the new acquisition “as quickly as practicable.” Including requiring Nordam to “train directors, officers, employees, agents….” Even here, it only requires this training “promptly.”

Plus, the DOJ includes a separate qualifier: it only requires training of employees of a new acquisition “who present corruption risk to the Company.” I would suggest that this qualifier has exactly the same effect as “where necessary and appropriate” that we saw above.

I’m actually blown away at how reasonable the DOJ is being in this thing, yes? [One assumption I’m making is that this wasn’t something that the DOJ didn’t want in there, but outside counsel did. It’s possible, but I would think, unlikely]. I hear outside counsel say all the time “train everyone.” Even the DOJ isn’t saying that. The DOJ is saying that companies need first and foremost to think. Where’s the risk? How does that risk impact my operations? What’s the most reasonable way to respond to that risk?

In this context, the requirement to train all employees who present corruption risk makes perfect sense. I would suggest the DOJ could have reasonably gone further and required training every employee in a new acquisition.

This requirement isn’t about training everyone in a third party, it’s training everyone in a new acquisition. One problem that we see over and over is companies not integrating new acquisitions. Watts Water comes to mind. If that new acquisition has or initiates problematic transactions, the DOJ has little pity (and rightfully so). Requiring Nordam to integrate “as quickly as practicable” and “promptly” seems eminently fair and reasonable.

I would love to blame Dick Cassin. After all, he made the same mistake. But what’s written on my site isn’t Dick’s responsibility, it’s mine. As soon as I hit “publish,” it became my error.

So, let’s just get past this little SNAFU, shall we, and back to our regularly scheduled ranting and raving? Just better informed.

“The Limit Should Be Zero Dollars”

16 Jul

If you don’t read Mark Herrmann’s column on Above the Law, you should.

Today’s column was on one of my favorite topics: the UK Bribery Act, and the semi-ridiculous advice that companies are getting from “experts.”  By the way, if you want an expert, go talk to Barry Vitou at Pinsent Masons.  There’s an expert.  Let’s remember that there hasn’t been a case brought under the UK Bribery Act yet.  (Yes, I know.  But no, there hasn’t been).  So most of the so-called experts are people who have just read the statute, and attended some conferences where other people who have no idea what they’re talking about talk about the UK Bribery Act.

Herrmann talks in today’s column about advice he got about complying with the UKBA.  His approach was that the firm who gave him the advice violated that advice about thirty seconds later.  He said “I could rant at this point about law firms giving utterly impractical advice, but I won’t.”

I will.

What was the advice that Herrmann got?  He attended a law firm presentation on the UKBA, and there was a question asked about what the right entertainment limits were.  The answer he got back exemplifies the problem I have with some outside counsel:

The limit should be zero dollars.  That will keep you safe.

Really?  Zero?

Leave out for a moment that the rest of Herrmann’s column is about how that same law firm sponsored a dinner for some in-house folk.  Let’s just talk about how advice like this harms not just the giver, but the receiver too.  First, the giver.  The person who gives this advice will give it to one of two types of people: people who know what they’re talking about, or people who don’t.  I don’t know which comes out on the bottom.  If the lawyer is giving this advice to a knowledgeable person, that person will likely politely smile, nod, and then put the lawyer in the “idiot” box in his head, and not listen to another thing that lawyer says.  Which is a problem, because maybe in the future—even a stopped clock is right, twice a day—that lawyer will give some advice the client should listen to.  But getting out of the “idiot” box is a rare feat.

Or the recipient won’t know what they’re talking about.  In which case, like a wide-eyed doe, they’ll just accept what the lawyer says as a best practice.  Heaven forbid they go back to their own company and repeat that advice out loud.  (We’re back to the “Idiot” box).  Or even worse, that they’re in a position of authority, and could implement that advice.

Like I said, I don’t know who comes out worse.  Either way you go, someone’s in the Idiot box.

When it comes to hospitality—and here’s my opinion on this—everyone needs to calm down.

Zero is not the answer.  Herrmann’s concern about “killing the business” is probably also a little overblown, if someone wants to go that way.  It’s uncompetitive, certainly.  But you’d be amazed what the market will adjust to.  It’s not something I would recommend.

The number you come up with is entirely less important than the process by which you determine it.  The number can’t be outrageous, but here’s the thing: the DOJ has never brought a case against a company that came up with a reasonable number, and enforced it.  There are few cases where gifts play any role, none where they play a truly primary role, and absolutely none where the DOJ overruled a business decision.  That’s not something the DOJ does, as a rule.  They don’t take a reasoned decision and say “you made the wrong choice.”  Almost all of the time, the company failed to consider the problem, or considered it but said, “who cares,” or the equivalent.

So pick a number.  I’ve heard companies pick one number globally—say, $150 per person—or use different numbers for each region, or each market.  I’ve seen people use their own internal numbers—that is, whatever they’ll reimburse an employee for, that employee can spend on others.  That’s not a bad idea.

The point is, there is no “right answer” here.  It’s what’s right for you.

Just remember, as my friend and colleague Tom Fox always says, “document, document, document.”  Be prepared to tell the DOJ what your number is, why you chose it, who was involved in the decision, and how you’re enforcing it.  Remember, this is a company decision on how it wants to act.  People should know the number.

This applies not just to meals, but to gifts as well.  Same idea applies.  Whatever you decide, just decide.  Pick a number and stick with it.  Enforce it.

By the way, that “zero dollars” idea doesn’t keep you safe.  The business will ignore it, sidestep it, and will do that for just about any advice you give from now on.  You lose credibility with the business, and that’s the ball game!

I have to admit, though, I was always a softy when it came to gifts.  Absent some totally inappropriate gesture, most gifts are harmless, in my opinion.  Tickets to a ball game (or the Olympics) are not, absent something more, really a problem.  Where you need to be a little more careful is when you’re inviting someone where you have an open tender and that person is the decision-maker.  I’ve seen rules which say “here are the rules for everyone except people from whom we’re awaiting a decision, and for those people, they get gornisht.”  That’s a damn fine rule.  Sometimes, zero might be the answer.

But not usually.  And telling people that in a public setting, in my opinion, puts you in the idiot box.

Schedule C, Element #5

9 Jul

At this rate, I know, it’ll take quite a while to get through all 13 steps.  But one small step at a time.

Today’s step is all about reviewing your program on a regular basis.

I want to lay out the importance of this element first, then go into the specifics.

Not too long ago, Morgan Stanley got a bye—a total pass—because of their pre-existing compliance program.  The DOJ issued a press release on the case, and listed three things in it about Morgan Stanley’s compliance program that influenced the decision.

The first one:

“…Morgan Stanley maintained a system of internal controls meant to ensure accountability….  Morgan Stanley’s internal policies, which were updated regularly to reflect regulatory developments and specific risks, prohibited bribery….”

Now let’s turn to the language of the DPA itself, and element #5:

Alcatel-Lucent shall review its anti-corruption compliance standards and procedures, including internal controls, ethics, and compliance programs, no less than annually, and update them as appropriate, taking into account relevant developments in the field and evolving international and industry standards, and update and adapt them as necessary to ensure their continued effectiveness.

What does this mean, and how do you implement this in a real way?

Some might take a look at this and see a requirement to pull their policies off the shelf once a year, dust them off, and put a new coat of polish on them.  Then, after their “annual review” they can put their program on the shelf for another year, and check that box.

And don’t think that this description doesn’t apply to you.  I know I stated it a little more bleakly than usual, but if you’re really paying attention to this series, you are probably open-minded about the state of your program.  Think realistically about how you approach your policies and processes.  Because the annual review—and yes, you need to do an annual review—is not what this element is all about.

“Update them as appropriate” is important, and even more important is “taking into account relevant developments.”  Because this is the crucial piece of the program: the ability to be nimble.

This is something that Tom and I talk about all the time.  It’s crucial, but don’t get the impression that it’s easy.  Like all things worthwhile, this is difficult, and it’s going to take effort, willpower, and resources to get it right.  Let’s talk about the most cost-effective way to make this happen.  Because as Morgan Stanley found out, getting it right generates some huge benefits.

So what does it mean for a program to be “nimble?”

It means a few things:

  1. You need lines of sight into your program so you can find information quickly.  For example, when you read new enforcement actions, and see a corrupt third party identified, you should be able to ping your program to see whether you’ve ever had dealings with that third party.  If you do find something, you need to be able to adjust to that fact.  In the case of a third party, you need to adjust your transaction monitoring of that individual, the risk ranking, and potentially start an audit.  (n.b. a lot of attorneys would tell you “terminate the relationship.”  Terminate, terminate, terminate.  That’s their answer to bad news.  I don’t think that’s always—or even usually—the right call.)  Whatever you decide, it should be a decision, not a default.
  2. You need to review your policies and procedures when they fail.  This is also not so easy.  The main reaction to a failure is usually “move on.”  No one wants to dwell on—and certainly not to take ownership of—a compliance failure.  But the failures are where you learn.  And learning from failure is exactly what we’re supposed to do.  Revel in it.  Own it.  And make sure that you figure out what went wrong.  A side note: my practice is to figure out what went wrong, but I rarely dig too deeply into who went wrong.  That is, why the old process—the one that failed—was like it was.  You must find out—and potentially discipline—the employee who did something wrong.  But figuring out why the old policy was like it was is usually a wasted effort.
  3. You need a line of sight into the business. If you’re doing compliance right, you are a partner to the business. I often say that 80% of compliance is “being in the room.” That is, knowing what the business is doing at any particular time. In this case, it’s knowing what the business is going to be doing. Is the business entering a new market? Developing a new product? Is there a new push toward opening new stores? (Not to think of any company in particular). If you know what the business is up to, you can anticipate new risk.

Recognizing the business priorities and the concomitant risk, and working the new issues into your risk assessment and plan, is what “nimble” is all about.

Notice, by the way, that this is an entirely different effort from the yearly review.

These three things aren’t easy. Developing a relationship with the business takes time and effort. It takes not saying “no” so much. It takes not being the “business prevention department.” Saying “yes” requires more work, on our part. You need to get creative. I used to call myself a creative solutions vendor to the business. You also need the right “ask.” Make sure you’re in the room. Get yourself invited to meetings. Don’t say anything in the meetings. Just listen. Add value where you can. Offer to help. Get one-on-one time with senior leaders. Listen to them.

Getting a line of sight into your program is technology. You need the ability to interrogate the data you already have. This means payment data, contract data, salesforce.com data (or whatever CRM system you use). Plus, if you want to get advanced, you can use your eDiscovery technology to search your actual data. I love this convergence, because you already own the technology. Why not get the most out of it? That’s the essence of compliance convergence: using technology you already own in a different silo. I’m sure you have eDiscovery people: get to know them. For payments, talk to your finance people. You need to understand your finance controls to know where, and how, to interrogate your payments data. Plus, remember there are different kinds of payments: wires, ACH, checks, refunds, credits, loyalty point grants, and more.

Being willing to face your program head on takes investment of an entirely different type. Emotional investment. Or emotional humility. Either one. Both, more likely.

I heard Charles Cain at a conference. He was asked what factors in a company’s compliance program he considers important to a decision to decline prosecution. The first answer he gave was the ability of a program to be nimble.

And because I’m a fan of multi-channel return on investment, I’m happy to say that being nimble presents benefits beyond the immediate—and immense—positives for the program. There are controls that look good and there are controls that actually prevent bribery. You need both, but I’d rather have the latter. What you gain from being nimble—a partnership with the business, technology use efficiencies, and an ability to look dispassionately at your own program—actually prevents bribery. When you add value to the business, when the business knows that all you want is their success, you get something valuable: credibility.

We always talk about credibility in terms of your relationship with the DOJ. And we’re right to. It’s among the most important things.

Credibility with the business is more important.

Being nimble, going through what you need to go through to be nimble, leads to credibility, which leads to sticky advice. And that’s the endgame.

A nimble program has its priorities in order, a nimble program learns from itself, a nimble program can adapt, change, and actually works to decrease bribery across the business.

Defending Wal-Mart

23 Apr

I’m thinking that if I wanted to cement my standing as the reigning anti-corruption iconoclast, a headline like this one would do it.  In the face of the indefensible, let me offer a defense.  Or, at least, some mitigating facts which you should take into account.

The overriding thing I thought of when I read the New York Times article was a quote from the New Testament:

When they kept on questioning him, he straightened up and said to them, “Let any one of you who is without sin be the first to throw a stone at her.”

I remember the first thing I thought of when I heard about the Madoff case, and how it was a closed investigation that came back to bite someone.  I thought, “please Lord, let it not be one of my closed cases.”  Because I knew that it could have been me, easy peasy.

For all the trashing of Wal-Mart that’s going on right now, let he who is without sin cast the first stone.

Because while I don’t agree with the FCPA Professor—shocking, I know—that there was barely a violation, I do believe that Wal-Mart’s actions weren’t as uncommon as you’d think.  Parts of them, anyway.  Let me explain.

I would guess that about 95% of corporate internal investigations remain undisclosed to the regulators.  That number may be a bit low.  And while the allegations that the Mexican subsidiary—it’s not really a subsidiary, I suspect, as it’s all just Wal-Mart—changed the reports, and then got assigned, and quickly scuttled, the investigation seem pretty bad, it’s not something that doesn’t happen, and more frequently than you’d think.

So what’s the normal path of an investigation?

Let me digress here for one minute to disclose my own bias.  My background is in prosecuting, and later in creating and managing compliance programs for, large multinational corporations.  My bias when I describe investigations—and compliance in general—is to describe life in large corporations.  Not just the ones I’ve worked at, but at others against whom I’ve benchmarked and with whose compliance officers I’ve spoken informally.  But even then, my extended experience is similarly with large corporations.  Keep that in mind.

The normal investigation path is this: something comes to the attention of legal or compliance.  This can be just about anything: a call from the Wall Street Journal, a formal whistleblower complaint, a “quick question” from someone in the field, or an email.

Assuming that the person receiving the initial information works in the general area of the complaint, he or she might do a little preliminary digging to see if there’s anything worth really looking into.  Just a couple of phone calls, or checking generally available company resources (like who reports to whom kind of stuff).  Then, thinking, “oh, crap!” the person goes to his or her boss and says, “here’s a new issue; I think we need to look into this.”

The case then gets sent to someone to investigate.  Some companies have dedicated investigation resources, some don’t.  Assuming not—I tend to think it’s rarer to have a dedicated investigation staff than not to have one—the person doing the investigation will be in legal or compliance for the affected business unit.  That person may or may not have real investigative experience.  Conducting an investigation isn’t something that comes naturally, even to lawyers.  It’s a skill, and like all skills, disuse causes atrophy.  This assumes, of course, that the person doing the investigating ever knew how to do it properly.  I’ve seen people conduct interviews, and it’s often a combination of NYPD Blue episodes, Matlock, and Columbo.  I learned from the best, starting with Bronx ADAs Linda Tacoma and Bill Zelenka and going through to some incredible people at the SEC.  I learned the art—yes, it’s an art—of the interview from a couple of first-grade detectives, and plenty of second-grade detectives (first and second grade are ranks within the detective bureau; first-grade detectives are the best of the best that the NYPD has to offer).

But since I don’t do it every day, I’m incredibly rusty.  If I were to start up again, my first 10-20 interviews would be awful.  This is my point: a lot of times the person doing the investigating isn’t an investigator.  Besides that, this kind of investigation is even more difficult: multi-national, different languages, specialized financial knowledge.  How many lawyers had even heard of the term “gestores” before the article?

Of course, Wal-Mart had internal investigators, but the unit was mired in political haggling.  I’m sorry, but that doesn’t particularly shock me either.  If you don’t think there are politics flying around during an investigation, especially an investigation of a high-performing person or unit, you’re out of your mind.  And remember the all-important distinction: investigators are a cost center.  Wal-Mex was a profit center, and an important one at that.  So those investigators had the chips stacked against them to begin with.

Even so, they found enough to generate some worry.  Here’s where there are some things we don’t know.  Were the results ever disclosed to the Chief Compliance Officer?  Did the CCO go to the Board?

In any event, they reassigned the investigation back to the Mexican subsidiary.  It’s hard to see the thought process behind that, now that we know how things turned out.  On the front end of that decision, who better to investigate the alleged misconduct within the Mexican subsidiary than the people who traditionally probably did investigations in Mexico?  One of the key questions, from a blame perspective, is what did the person who made that decision know before he or she made it.  Was that decision-maker aware of specific and credible information linking the illegal conduct with the person proposed as the new investigator?  If so, that’s a bigger problem.  I suspect, however, that it’ll be somewhat less black-and-white than that.

Once the investigation got turned over to the people allegedly involved in the wrongdoing, it’s clear to us that the investigation would be scrapped.  But that’s a certainty that comes again from hindsight.

And corporate headquarters took that conclusion and said, “fine, we’re closing this out.”  Again, in hindsight, that looks horribly bad.  But look at it from their perspective: they turned over the investigation to the proper in-country team, and heard back that there were no issues.  What was HQ supposed to do?  Yes, certain people within Wal-Mart knew that the watchers needed watching, and it’s an open question who knew what, and when.

Again, what doesn’t shock me is that an investigation—even one started with serious allegations—ended internally.

Because let’s face it, what if they had found illicit conduct?  Does that mean that there’d be an automatic self-disclosure to the regulators?  Not on your life.  Investigations that end with a finding of wrongdoing are hardly ever reported to the government.  I think the small subset of self-disclosed internal investigations generally get reported because there’s a calculus that they can’t keep it quiet.

I think “we’ll be found out” is more of a self-disclosure motivator than “we did something wrong.”

Normally, investigations where wrongdoing was found end with some sort of discipline against the offending party, some remedial actions like additional training, maybe a change in controls, and likely an increased audit periodicity.  Maybe suspension or, less likely, termination for an employee.  A low-ranking employee.  Rarely, if ever, a high-ranking one.  And a high-performer?  Almost never.

Do I sound a bit cynical?  Maybe so.

So the investigation ends.  And the question is raised: do we self-disclose?

Ask any outside counsel and certainly any in-house counsel whether their default position is disclose or not to disclose, and you’re sure to hear “not to disclose.”  I don’t know whether, when push comes to shove, that opinion holds up, but it’s certainly the starting point.

A colleague of mine put it very well: not disclosing is like loading one bullet in a gun with 1,000 chambers and pointing it at your head; disclosing is like putting six bullets in a six-shooter, and pointing it at your leg.

You have a 1-in-1,000 chance of getting found out—like Wal-Mart just has been—and suffering a worse fate (like they will).  Those are betting odds.  But disclosing?  You’ll definitely get stung.

Most companies facing that decision will take the odds.

As did Wal-Mart, according to the article.

Some of what was reported seemed pretty bad.  I don’t think it spells the death knell for the reform-the-FCPA movement.  Nor do I think that it’s another example of the need to eliminate corporate subsidiary liability.

I think that it’s nothing out of the ordinary.  A company conducted an investigation, decided there was nothing to the charges, and didn’t disclose.

Happens every day.

 

Post Script: One personal story about Wal-Mart.  Several years ago, I reached out to one of their anti-corruption people—at the time, it was a guy named Martin Montes—to benchmark.  Incredibly generous.  So much so, in fact, that two of our people got invited to Bentonville to see it firsthand.  I forget why I couldn’t go, but there was some conflict that sent two others instead of me.  Our people went down there and saw how they worked.  They were open with their processes and policies, and it really helped in the development of our program.

The Nightmare Scenario

17 Apr

Please tell me where I go wrong here, because this is something I’ve been worried about for a long time.  So much so, in fact, that I call it my “nightmare scenario.”

It might be unlikely, but legally, am I wrong to worry about this?  And if legally correct, what’s the best argument about why I shouldn’t worry about it?

Here goes:

A business development executive—read, sales person—is traveling to…the location changes in my nightmare, sometimes Azerbaijan, sometimes Kazakhstan…and is stopped at Customs.  The Customs Official has his hand out, saying that there’s a new tax on entry, $5 US dollars.  The sales guy pays the $5 bucks, and sees the Customs Agent put the money into his pocket.  Having had his passport stamped, he doesn’t really care.  But he wants his $5 back, so when he fills out his expense reimbursement form, he says that he spent $5 on tips.  It’s not entirely inaccurate, he figures.

Now we’re off to the races.

Under Kazakh or Azeri law, Customs Agents have the theoretical power to turn people away at the border.  What that means, for those people who are always wondering exactly what a “facilitation payment” is, is that this isn’t a facilitation payment.  The best demarcation point for facilitation payments is discretion.  If what you’re looking for is discretionary action—getting someone to decide your way when the decision could go either way—and you pay for it, it’s a bribe.  So that $5 payment, it’s a bribe, not a facilitation payment.  So we have an FCPA violation, albeit a minor one.

But it’s the violation that matters.  Because let’s spend some time talking about what “material” means, in the context of financial misstatements.  Corporations must disclose material misstatements.

As a “rule of thumb,” corporations generally paint errors of less than 5% of income as immaterial.  That’s not the definition, however, and the SEC made it clear—read Staff Accounting Bulletin 99—that “materiality” is about more than just percentages.  The SEC laid out a non-exhaustive number of considerations for when a small misstatement is transformed into a material one:

  • whether the misstatement arises from an item capable of precise measurement or whether it arises from an estimate and, if so, the degree of imprecision inherent in the estimate
  • whether the misstatement masks a change in earnings or other trends
  • whether the misstatement hides a failure to meet analysts’ consensus expectations for the enterprise
  • whether the misstatement changes a loss into income or vice versa
  • whether the misstatement concerns a segment or other portion of the registrant’s business that has been identified as playing a significant role in the registrant’s operations or profitability
  • whether the misstatement affects the registrant’s compliance with regulatory requirements
  • whether the misstatement affects the registrant’s compliance with loan covenants or other contractual requirements
  • whether the misstatement has the effect of increasing management’s compensation – for example, by satisfying requirements for the award of bonuses or other forms of incentive compensation
  • whether the misstatement involves concealment of an unlawful transaction.

I’ve put into bold the two that most concern me.  Because the FCPA is a regulatory requirement, and the payment to the Kazakh/Azeri official is an unlawful transaction.

Does this mean that every FCPA violation, no matter how small, is a material event in the life of a company?

Because let’s bring in something else.  Right now, companies get credit for self-disclosure.  But the rules around self-disclosure aren’t without limits.  They’re cabined by factors which make the disclosure less-than-voluntary.  For example, if you get a call from the Wall Street Journal asking for comment on a bribery accusation to appear the next day, and you run in to the DOJ, that’s not a “voluntary” disclosure.  Wouldn’t that also mean that if a company were required by regulation to disclose—say, if there were a requirement to disclose material misstatements in an SEC form—disclosures pursuant to that requirement wouldn’t be “voluntary” for purposes of the self-disclosure credit?  I would think so.

The form that companies use to disclose material events is an 8-K.  It’s an out-of-cycle disclosure form for events that won’t wait for the next 10-Q or 10-K.  They matter.  The market cares about 8-Ks.  So now we’re talking about a corporation having to file an 8-K disclosing a $5 payment in Kazakhstan.  That’s what I call a “stock price event.”

All because of a $5 payment.

That’s my nightmare.

Now, we haven’t seen cases based on this kind of thing.  But we contrive controls not based on the enforcement record, but on our perception of the risk.  I couldn’t in good faith recommend that you set up controls to cover this, but it’s something to think about.

Please, help me sleep: where am I wrong about all this?

Post Script: Mike Volkov and I are subconsciously on the same wavelength lately.  I write about the Compliance Defense, he writes about the compliance defense.  Now, I write this about a problem with customs, and he writes on the problems with customs.  Weird.

You’re Hired. Now What?

3 Apr

One of the pieces of advice I regularly give to compliance people wanting to know “where do I start?” is to pick a place and start.  The act of starting brings its own momentum.  And there’ll be enough to do that you can start anywhere.  Like in military parlance, any action is better than none.

But that’s advice for the curious.  Advice for the serious is slightly different.  It’s not that my advice isn’t good, it’s just that, for serious people, more specifics are necessary.

So, let me pretend for a moment that I’m a new compliance officer at a new company, and tell you how I would approach things.  Here are my requests to the Chief Compliance Officer.

  1. Show me the Code of Conduct and the Anti-Corruption Policy (and let me know when they were last updated).
  2. Show me the most current risk assessment.
  3. Show me the training that we give to high-risk employees.
  4. Show me the due diligence process we use for third parties.

Those four things will tell you a lot about the compliance program.  The policy will tell you whether the program is designed and documented by lawyers, for lawyers.  Also, you can see if the company has made the hard choices: how do they want to handle facilitation payments, to use one example.  The current risk assessment will tell you about whether the company understands its risk.  The first question is whether there’s a separate risk assessment at all.  If so, you’re already one step ahead.  Same with the training to high-risk employees.  If the company has it, you learn (a) that they understand their employee base well enough to understand risk and (b) whether the training is any good.  If you see training that’s all about the law, the company is doing it wrong.  If the answer is that the company has one training for all employees, they don’t recognize tiered controls.

Tiered controls are the way to maximize your return on compliance investment.  You want to spend the most money on those areas that address the highest risk.  Otherwise, you’re misallocating assets.  Compliance is hard enough without the business knowing that you don’t know how to spend money effectively.  Training everyone the same way is a waste of money on some, and an underinvestment for others.

Finally, I would want to see the due diligence process.  I’m looking for one thing: how does the risk rating—there’s sure to be a risk rating—change the going-forward relationship?  If you risk-rate, and then nothing, it’s a problem.  For a lot of companies, the risk rating affects the contract provisions, maybe the need for a certification, but doesn’t really affect things going forward.  There’s no transactional due diligence, no KPIs, no single-point-of-contact.  (In case you’re wondering, “KPI” stands for key performance indicators.  They’re how you measure the performance of your third party).

So that’s my preliminary analysis.

Next, I would want to travel.  Go meet people.  Mainly, in my opinion, business people.  Talk to various levels of the organization in your riskiest markets first.  If you don’t have the budget to travel, the first people you need to talk to are your senior management.  Because talking to people—whether it be for training, or to enhance the risk assessment, which is what you’re doing—is something to spend money on.  And while you’re talking to your senior management, give them two messages: (1) anti-corruption compliance programs don’t come free and (2) they need to start asking one question, “what does compliance think about that?”  By asking that single question, you start driving compliance down into the business.  Because once people know that the question will be asked, they’ll start getting the answer through better engagement with compliance.  That’s your first ask.

Now you’re pretty deep into your program, but you’re still maybe 30 days in.

For the next 30 days, it’s all about learning the business.  Your mission is to dig into business processes.  You need to learn everything there is to know about how the business does business.  You need to learn their metrics, their language, their processes.  You need to engage with the business and let them get to know you.  Your travels should have introduced you to many of the key players.  Use those relationships—as new as they might be—to learn what their concerns are.  What keeps them up at night?  What are their pressures?  How are they measured?  Don’t make any suggestions at this point, no matter how tempted you are.  You’re just there to learn.

From day 60-90, you learn a new word, “tweak,” and you stay on message.  You’re not going to change processes, or institute new processes.  You’re going to tweak processes that already exist.  The first thing you add to is the process for the ongoing evaluation of third parties.  Then the controls around paying third parties.  What you’re trying to do is answer the question: “how do I know that I’m getting what I’m paying for?”  If you have controls to address that question, you’ve significantly addressed the real risk you face.

Also, some low-hanging fruit.  Get a hotline number (either internal or through a third party), and advertise it.  Improve your training by focusing on your policies, not the law.  Find out what your existing finance policies are and link and label them into your anti-corruption program description.  For that matter, create an anti-corruption compliance program description.  You probably don’t have one.  Third, from your business “listening tour,” you should have an idea of how better to segregate your employee base by risk.  Do that.  Give some additional training—short, sweet, to the point, easy—to the highest-risk employees.  Include, at the end, a printable page with your name, email, and phone number.  Tell them to print it out, and keep it.  Follow up with an email that has the PDF of the same information.  Use that email list on a monthly basis to send around information you might want them to have, describing new cases, and what other companies did wrong.

Finally, use everything you’ve learned to sit down with the business and discuss where you want to improve the program.  This should be at least a half-day, if not a full day, activity.  At the end of the day, you should have crystal clear goals, designated resources within the business, budget, and a timeline for implementation.

Now you’re 90 days in.  You have a plan, you’ve used all your learnings to update your risk assessment, and you should start reporting out every month on your progress.  Start trumpeting your successes.  Let senior leaders know when new training has been rolled out.  Tell them why it’s better.  If you start getting calls into your hotline, let leaders know that you’ve established information chains, and are starting to see results.  Make sure to praise those business leaders who are helping you.  Be sincere, and make the praise visible.  I don’t care how senior someone is, they like seeing that their boss got an email saying how wonderful they are.

Eventually, you’re going to have to tackle the harder things: really improving your due diligence process, getting your CCO to report out to the Board, getting business-wide involvement in your risk assessment process, instituting technology fixes to your payment monitoring deficiencies (and you have payment monitoring deficiencies, I promise), getting Internal Audit involved in testing your program, and getting sufficient resources and budget to operate long term.  But those problems are the subject of another post.

What Does the DOJ Expect From You: Schedule C Explained

6 Mar

This FREE 3-Part webinar series will provide a step by step guide to ‘Schedule C’ – a list of elements found in recent deferred prosecution agreements by the Department of Justice (DOJ).  Register HERE for times convenient to Asia. (It’s noon, Singapore time, over one day a week for three weeks.)

In this webinar series I argue that Schedule C provides a colour-by-numbers guide to compliance. I will cover each of the ‘Schedule C’ elements and describe what they mean and how to implement them in a robust yet cost-effective way.

This webinar series is NOT just for US companies. For those organisations outside of the US which are still subject to FCPA enforcement, it can be argued that following Schedule C, while taking into account local anti-bribery law’s specifics, will certainly lead to “adequate” procedures, particularly in jurisdictions where authorities may have been less explicit about their expectations.

Dates and Times

Wednesday 21st March, 12pm SGT (4am GMT)

Wednesday 28th March, 12pm SGT (5am GMT)

Wednesday 4th April, 12pm SGT (5am GMT)

Reading the Tea Leaves

16 Feb

There is absolutely no percentage in disagreeing with Mike Volkov.  Besides being—and I don’t use this word all that often—brilliant, and an experienced practitioner, and a former prosecutor, and just a heck of a nice guy, he’s usually right.

But with a slight tremor of my fingers on the keys, let me venture into this dangerous world of those who disagree.

To be fair (and I recognize this is another caveat), it’s not just Mike I disagree with.  Mike, in his latest blog post, echoes a common theme.  The theme—like a lot of the latest drivel masquerading as commentary lately—is something that sounds like someone wants it to be true.  But it’s not true at all.  It’s a lie.  And a dangerous lie at that.

Mike says that the Department’s enforcement regime is well into hubris [don’t be ashamed, go ahead and click through to the definition: I did].  He claims that companies just want clarity:

Companies and practitioners are frustrated because they have to read tea leaves of Justice Department expectations from criminal settlements and official speeches to decipher what is expected of them in the compliance world.

Most businesses want to comply in good faith but want more specific guidance on what they have to do to comply with the law. Legal interpretations of terms are made by DOJ lawyers with little judicial supervision. These are issues which should be addressed by some type of overall regulatory framework or even like the Ministry of Justice tried to do in releasing guidance for the UK Bribery Act.

I’m sorry, but no. I don’t accept this at all. Whether the Department’s habit of trumpeting its settlements ventures into hubris is something reasonable people can disagree on. I tend to think not, if only because every single agency—and law firm—does the same thing. If everyone has hubris, no one does, don’t you think?

But the idea that companies would jump to comply with the FCPA if only they knew what the DOJ expected of them is total crap. In case you missed the Metcalf and Eddy case back in the 90s, or the 2004 opinion release (04-02) which defined effective compliance, you need only look at Schedule C to any recent deferred prosecution agreement. Or go to any “Luncheon Law” event, or read any of the books written about effective FCPA compliance (including, not for nothing, Mike’s) [which I bought, by the way, and I recommend you buy as well]. At the conference I just chaired (I’m writing this post in the Hong Kong airport), Chuck Duross appeared via Skype and talked about this very thing. How many times have we heard from Chuck, and Mark before him, that programs need to be more than paper?

I’ve done a metric ton of benchmarking, and you’d be amazed at what companies don’t do. What amazes me isn’t that there are 80 companies under investigation, but that the number is only 80.

The problem isn’t that people don’t know what to do. The problem is that they don’t want to do it. Not really. They tell their compliance officer that an extra $500 spent on diligence would “kill the business.” Or “that’s just not how things are done here in ______”. And their senior leaders say they want ethical business, but push comes to shove, they get their bonus only if they meet their sales targets. Which are set in stone.

Or worse, companies come up with all kinds of workarounds, or set up their program to give the appearance of diligence without actually learning anything about the partner.

Companies also know—within a range—what kind of benefit they’ll get from having effective compliance. But because each case is different, the Department must have—absolutely must have—significant discretion on what to reward and how much.

But is this what we want? And do you mean what you’re saying? Companies shouldn’t have to implement effective compliance without knowing their ROI? Companies have to implement effective anti-corruption compliance because companies shouldn’t bribe! Bribery is bad. I think we can all get behind this concept, yes? Bribery leads to things like kids getting killed because construction projects use substandard materials approved through bribery, and the buildings fall down during an earthquake. And if you think I’m being melodramatic, someone at my conference used that very example in training. It really happened. Bribery is a blight that warps markets, and ends up impacting the most the segment of the population that can bear it the least. People struggling with poverty shouldn’t have to deal with forced expediting payments.

And if you’re interested in ROI, let’s talk about the effect of bribery on the ROI of product development and customer service.

But why do I call this a “dangerous lie?” It’s dangerous because it’s an excuse for inaction. And inertia is a compliance officer’s worst enemy. “Let’s wait until we get some better guidance on what we need to do.” “If the Department can’t tell us what they want, we really can’t justify the expense of the system you want to build; maybe next quarter when the DOJ comes out with the guidance.” It’s tough enough to move companies into the light without experienced practitioners giving them ammunition.

I don’t think the DOJ could be clearer if they gave us a checklist. Oh wait, they did. By the way, for those of you waiting for the guidance, prepare to be underwhelmed. There’s no way—no way at all—that the DOJ is going to put into writing something that will limit their discretion in a meaningful way. They’ll define “foreign official” using the recent decision—I’m betting they’ll quote it exactly—and they’ll talk generally about rewarding effective compliance. But if they say anything significantly different from what they’ve already been saying for the last 6 years, I’ll eat my hat. (A different hat, Barry)

Let’s move the discussion along, shall we? What are the best ways to implement what the DOJ has been telling us for 8 years that they want? That’s a discussion we should be having.

Teachable Moments

3 Jan

Rather than do a standard “10-most…” post, I thought I’d do something different.  It’s still my way of conveying the most important lessons of 2011, but because I’m by nature a contrarian, I’m going to do a list of 5 rather than a list of 10.  Can’t you just taste the counterculture?

By “teachable moment,” I mean a point in time when a small word or proper action could have avoided major problems down the road.

So here are my Top 5 Teachable Moments of 2011

Number 5: “We’re a non-US company, how can we have FCPA liability?”

Take a look at the top ten highest dollar-value enforcement actions.  See how many are against US companies?  One.  That’s not a typo.  One.  You could almost go so far as to say that if you’re a US company, your FCPA risk is lower than if you’re headquartered outside the US.  I have a gut feeling that when the SFO gets off the dime, you’re going to see a similar dynamic.  For different reasons, mind you, but a similar pattern will emerge.  I suspect that in the UK, it’ll be a more deliberate exercise than here.  I believe the SFO will target non-UK companies.  For them, it’ll be a win-win.  They get to enforce the act, they get to show they’re a player on the global stage, and they get to reassure UK companies that the world didn’t end with the implementation of the UK Bribery Act.  (Or is that a win-win-win?)  But until then, just know that the US government doesn’t care that your attitude is “it’s a US law, it doesn’t apply to me.”  It is, but it does.

Number 4:

“No, supervisor, you can’t see the policy and no, I won’t have it translated.”
“Okay, that sounds good to me.”

That was apparently the conversation in the Watts Water case. A Chinese employee told his US higher-ups that they couldn’t see the sales policy, and wouldn’t have it translated into English. To which, they apparently said, “that’s fine,” because they didn’t do what my This Week in FCPA co-host Tom Fox said they needed to do: “get on the next plane to China.”  In case you were living under a rock (with the Geico guy) for the last several years, you know that China is a risky place to do business.  Missing—ignoring—a huge waving red flag like a refusal to translate a policy is inexcusable.

Number 3:

CFO: “Hey, Head of Compliance, my superiors are telling me that I need to pay some bribes to get a contract, what should I do?”
Head of Compliance: “Solve the problem yourself.”

Another conversation that should never have happened. One of the Siemens defendants, indicted a few weeks ago, was the incoming CFO of the affected business unit. His Argentina people told him about the bribery scheme. He wouldn’t authorize the bribes. He spoke with the CEO of Siemens Argentina (also indicted), and the Head of Compliance in Germany, along with two members of the Managing Board (sort of the US version of a senior leadership team), and the Siemens CFO. All of them told him that it was his responsibility to find a solution to the problem. Seriously?! Not surprisingly, he authorized the payments. And got indicted. He knew something was wrong. In his defense, where was he to go? When the head of Compliance doesn’t tell you “no way in hell should you make those payments, and I’m going right now to see the Board,” there’s a culture of corruption in the company. My good friend Dan Newcomb (probably the most experienced FCPA lawyer in the world) once told me that “Siemens had a world-class compliance program, with a German-engineered workaround.” I hate to disagree, but when the head of Compliance tells you to solve your own problems, that’s not world-class. That’s not even in class; it’s in detention.

Number 2: “So we didn’t turn over one lousy day of Grand Jury testimony…what’s the worst that can happen?”

Despite my belief that the Lindsey prosecutors got a raw deal, it’s not like failure to turn over Grand Jury testimony is a good thing.  Along with their other mistakes, all lamentable, it was a case where the DOJ didn’t live up to their own high standards.  I don’t think the case should have been dismissed, but it’s not a case that the DOJ will hold up as a shining example of prosecutorial efforts either.  The really sad thing in all this is that—assuming the DOJ loses the appeal—some really guilty people are going to walk.  That makes me mad.

And the number 1 teachable moment of 2011:

“I have a great idea: let’s hack into the voice mail of famous people (and the PM!  And Hugh Grant!  And while we’re at it, how about a murder victim or two!).  We can get fresh information!”

I know that this conversation didn’t take place in 2011, but wow, did it pay dividends this year.  News of the World—a publication that started soon after Queen Victoria started her reign, and when John Tyler was President—was shut down; pretty much everyone in authority not named Murdoch was fired, or arrested, or both; News Corp. is still being investigated, and arrests continue; and the WSJ Corruption Currents column has to put a disclaimer in every post on this subject about how News Corp. publishes them (a state of affairs I find amusing, for some reason).  This is the case that just keeps on giving.  Two more arrests in the last two weeks, by the way, including a London Metropolitan Police officer.

 

The question you have to ask yourself is, what teachable moment are you missing right now?

Scare the Crap Out of Them

28 Nov

I’m taking a page from my colleague Ralph Losey (let there be truth between us: I’ve met him once and talked to him twice, but he’s a “colleague” in the general sense, and I’m entitled to a little literary license, no?). In a recent piece, Losey wrote about the dirty little secret of attorney incompetence around eDiscovery. I feel the call to also write something uncomfortable. 
 
I know this is a strange thing to hear coming from a man who writes constantly about anti-corruption, and even who co-hosts a weekly videocast on that very subject, but I’m frankly wondering if the whole area hasn’t gotten a little bit overblown. Sometimes I want to tell everyone—the Chamber of Commerce comes to mind—to just calm down.
 
Our dirty little secret, if this could rightly be called that, is that we practitioners vastly overstate the risk that the FCPA brings to companies. In-house Compliance officers have a good reason for it: we need to spur change. In order to get a corporation, especially a large multi-national corporation, to move you sometimes need a significant amount of pressure to overcome its inertia. Once you get things moving—that is, get budget, resources, and priorities—around the effort, momentum and positive inertia will keep you going.
 
Slight digression: most people use “inertia” to mean that it’s tough to get people to move. That’s true, but only half the definition. Bodies at rest tend to stay at rest, bodies in motion tend to stay in motion unless acted on by an outside force. I call “positive inertia” the second half of that statement: once you’ve got the corporation moving, it’s easier to keep it moving. Budgets, however, always act as a net negative force on Compliance.
 
Anyway, that’s why Compliance people have a motive to overstate risk: if they correctly state the risk, it won’t exert enough pressure on the business to get them to do anything. I’m trying to understand why outside counsel does it. The cynic in me believes that I already know the answer, but my better angels are still searching for a reason.
 
First, though, let’s explore whether I’m correctly stating a problem: do we overstate FCPA risk?
 
I’ve read with interest (and sometimes distaste) the efforts to reform the FCPA. I’ve seen presentations by firms about gifts and hospitality, and I’ve heard Ken Clarke talk about it in front of the House of Lords. He was talking about why the MOJ was going to issue guidance (which they did, and which I pilloried). He said that British companies were afraid:

fears sometimes aroused by the compliance industry, the consultants, the lawyers who will of course try to persuade companies that millions of pounds must be expended on new systems which in my opinion no honest firm will require to comply with the act.

The only issue I’d raise with this quote is the word “sometimes.”
 
Compliance officers regularly talk about how they need to “scare the sh%t out of the business.” We develop Powerpoint slides with headlines like “Siemens pays $1.2 billion.” If we can get away with exclamation points, it’s “SIEMENS PAYS $1.2 BILLION!!!” We talk about “hundreds of millions” in fines. Truth be told, in the 34 years since the Act was passed, there have been, what, 8 cases where the fine has gone over $100 million? Eight. Granted, they were mostly in the last two years, but if we’re going to honestly quantify financial risk, it’s not nine figures.  And reputation risk?  What’s the real risk?  How much business did Siemens lose after their incident?  Answer: I understand they gained revenue. Sure, being on the front page is uncomfortable, but it’s not a show-stopper.
 
Same thing with the whole knowledge argument. Theoretically, a company can be held liable for the actions of an employee of which no senior management was aware. But has it happened? I can’t think of a case. In the vast majority of cases, senior management not only knew, but either actively participated or gave a wink and nod to the scheme.
 
Same thing with the whole “the FCPA is vague” argument. Oh, please. The DOJ has taken a remarkably even-keeled stance on interpreting the FCPA. The “novel” legal theories simply aren’t. You have your run-of-the-mill respondeat superior cases. Successor liability cases. And state-owned-entities are government officials. Even if you disagree with it, you can’t say it’s vague, or that the DOJ has inconsistently applied its definitions. I think the SOE interpretation has been around since the Stone Ages (aka Peter Clark). These are not novel legal theories, and any attempt to paint them as such is disingenuous at best.
 
Nor can you say that the DOJ hasn’t been clear about what it expects from companies. As far back as the Metcalf and Eddy case in 1999, the DOJ has—I was going to say “signaled,” but it’s more overt than that—outright told us exactly what they expect. Over time, it’s been clarified: opinion release 04-02, then the current Schedule C, and the enhanced obligations of J&J. It’s not rocket science. Have a clear policy. Implement it in a real way. Make sure that senior people take accountability for it. The rest is just details. And by the way, you can read everything you need and never attend a single luncheon. The problem here isn’t “I don’t know what to do,” the problem is “I know what I need to do, I’m just not willing to do it; it’s too hard, and it costs too much.” (Or the ubiquitous “you’ll kill the business.” Or worse: “if we don’t make these payments, our competitors will.”) That’s a horse of an entirely different hue.
 
And who says we’re even entitled to this kind of hand-holding? We don’t expect the DOJ to fall over themselves when it comes to antitrust laws, telling us how to comply. And talk about vague! What exactly is a “contract, combination, or conspiracy in restraint of trade?” We don’t expect it when it comes to the False Claims Act. And wow, what a gold mine that is for the government. Between 1986-2010, the government recovered over $25 BILLION for violations of the FCA. Take out the “P”, and boy do the numbers get big in a hurry. That’s what, 8 times the FCPA? 9 times?
 
What about facilitation payments? Neither the DOJ nor the SEC has ever brought a case solely because of a facilitation payment. Talk about overblown hype! It’s also not a definitional problem. If you are legally entitled to what you’re paying for, it’s a facilitation payment. If it’s a decision, however minor, it’s a bribe. Plus, let’s face it, facilitation payments aren’t your problem. They’re a red herring. I’ve done this myself, sadly. What I used to call the “nightmare scenario.” A facilitation payment gets made. Because SAB 99 doesn’t quantify “materiality,” but instead uses factors to be considered, including whether a payment violates a law, you could conceivably have a $5 payment which you thought was a facilitation payment—but which wasn’t—be a material misstatement which would require an 8-K. Is that full of crap, or what? Again, facilitation payments aren’t your problem. If you’re thinking about those, you’re wasting your time. We all need to take a deep breath and lighten up about it. I don’t like them, but seriously, lighten up. The chance of you getting prosecuted for foreign bribery because you paid some cop $5 to let you out of a ticket is exactly nil. The chance of the SEC bringing a books-and-records case because of facilitation payments is nil. What you can get is an internal controls problem, if the numbers get big, but even that’s unlikely.  And your internal controls problem isn’t because you’re not measuring your facilitation payments. It’s a symptom of a larger problem.  Plus, in every case I can think of, any mention of facilitation payments was a minor adjunct to a more traditional bribery scheme.
 
Dodd-Frank?  Well, maybe the odds of a whistleblower going in are a little higher, but the Whistleblower Action Network says that most whistleblowers report in-house first, and get rebuffed at best. So your problem is cultural. But even so, the SEC can’t possibly act on every whistleblower complaint: not enough resources. So even that “increased risk” is minuscule. 
 
These are picayune details. The DOJ doesn’t deal with the small stuff, frankly. There’s just too much huge, obvious, blatant, right-in-the-wheelhouse, didn’t-care, out-and-out bribery going on to worry that someone put a tenner in their passport when they handed it to the Customs guy, you know? Even the poster boy for petty prosecutions, the SEC bringing the Veraz Networks case, I don’t think would have been brought if there hadn’t been that “gift scheme” email. I might be wrong. Could be, some supervisor at the SEC needed a stat. I also don’t know how significant it was that it wasn’t a home-office case. It was brought by the San Francisco office; it was also brought about two months after the FCPA Office in San Francisco was formed.  Cheryl Scarboro’s name is nowhere to be found on the complaint. Significant?  There might have been other forces at work, besides how bad the underlying acts were. And the former AG, talking about the “$200,000 cab ride?” That is, the DOJ getting a company to spend over $200,000 on an investigation because of a cab ride? Never happened. They tried to track it down, and it was one of those “it happened to a friend of my brother’s cousin” kind of stories. In other words, bullsh%t.
 
And we’re all talking about 2011 being “the year of the trial.” Really? How many trials have there been? Five? Maybe? WooHoo! Five whole trials. Even Chuck Duross, at a recent conference, when asked about trends in trials, said that the sample size was too small to form any real conclusions.
 
The DOJ’s enforcement record, and the perception of that record, are wildly different. I would call the DOJ’s enforcement of the Act restrained, reasonable, conventional, and maybe even unoriginal. If a legitimate criticism could be leveled, I would rather take the DOJ to task for structuring deals to the benefit of corporations! Why charge subsidiaries with bribery, and internal controls violations for the parent? Because that avoids debarment issues. Fines, as a percentage of corporate revenue, are tiny. I would push the DOJ to be more aggressive, not less.
 
Are we wrong to try to scare the crap out of the business? I don’t know. The business doesn’t move over theoretical risk.  But certainly the degree to which the industry that has popped up around the FCPA has an inherent interest in puffing up the underlying risk creates at the least an apparent bias. We all feed off it: risk equals fear equals action equals money for consultants, lawyers, compliance people (in the form of jobs, resources, and budgets), training suppliers, and everyone down the line. It’s not a flattering equation.