
Case Study #6: How Much Diligence is Due?

12 Apr

I had been waiting for the hospitality case study.  Everyone else has been waiting for this one: due diligence of agents.

Diligence presents a number of difficulties for companies of all sizes.  It’s like the old journalism class I took: the question words.  Who?  What?  Where?  When?  Why?  In fact, that’s a good mental framework for addressing the issues of due diligence.

Who?  Who should do the diligence?  This is a major decision for a company implementing a program; don’t underestimate the costs or the effort.  Diligence is a huge undertaking, and one that continues over time.  In fact, it not only continues over time, but also gets more important over time.  The reason its importance continually increases is that there is very little more damaging to a program than to have great controls that last for 3 months.  This is why I always say that I’d rather have 2 controls that are kept religiously than 5 controls that are only followed every once in a while.  Because as sure as the sun will rise tomorrow, the agent who gets you into trouble will be one who fell through the cracks.  Also, this is a budgetary issue: you’ll have S&B spend, IT spend, outside counsel spend, probably some consultant spend.  Diligence costs, and one of the first ways that companies get themselves into trouble is to fail to plan for those expenses.  Implementing appropriate diligence also requires a significant internal marketing effort, because you’re going to be delaying and in some cases terminating relationships the business thinks it needs.

Another “who” is, who do you do diligence on?  This is going to be the next big thing in anti-corruption compliance: segmenting your vendors pre-diligence.  The reason this is such a big deal—and something that no one, no one, is talking about—is the UK Bribery Act’s prohibition on private-sector bribery.  Instead of being able to segment your vendor/agent population into the majority who have no interaction with government, versus the minority who do, and only doing diligence on the latter, programs will now have to do diligence on everyone.  And the compliance programs I’ve seen simply aren’t scalable like that.  Companies are facing a tremendous increase in volume being pushed through their diligence programs.  Ask any financial services company’s Financial Intelligence Unit whether they can handle 50%-70% additional volume.  Most are straining at the seams as it is.  And FIUs are staffed, generally speaking, with investigators.  People who know how to do this stuff.  Most anti-corruption programs aren’t.  Lawyers, compliance officers yes.  Investigators, not so much.  So who can you exclude?  Public companies?  Companies with over 500 employees?  Companies whose relationship goes back more than one year?  These are all possibilities that will have to become part of the conversation over the next few months and years.

What?  What information should you collect?  And another question word, “how.”  There’s also a hidden question here, which is, when you have all this information, what do you do with it?  When most people think of due diligence, they think questionnaire.  Questionnaires are important, and I’ve designed them and sent them out myself (always in consultation with outside counsel).  There’s an “after the questionnaire” also, though, called “verification.”  What information that you receive from the agent do you then have to verify?  And how do you verify it?  In a lot of markets, your available information sources are, shall we say, limited.  Finally, in addition to the information you collect from the agent, and the verification of that information, there’s another question: what independent research should you do?  Do you need a “records check” (whatever that means)?  Do you need to check with the embassy (something I used to mock, but now think is a good idea)?  Do you need to hire one of the many—many, many—vendors who purport to do background checks?

Where?  The first decision is the easiest: centralized diligence or decentralized diligence.  The answer?  Decentralized.  You can’t conduct diligence around the world from one location.  Or rather, you can, but it’ll be done badly.  Local people must do the diligence, if for no other reason than being able to read the documents you’ll collect.

When?  This is more of an implementation problem than a design problem.  You need to insert these controls early enough in the process that you can act on information before the relationship comes into being.  There will normally be Procurement involvement when you onboard a vendor (one would hope), but in my experience, avoiding Procurement has evolved into an art form.  If there’s no pre-relationship legal involvement, getting Legal in there is a tough sell, and tough to implement.  This is also where you’re going to have problems with people trying to circumvent.  There’s going to be a lot of “a lack of planning in your life does not constitute an emergency in mine” going on, as people come to you with agents they HAVE TO USE TOMORROW OR THE DEAL WILL DISAPPEAR!  “Process” is an important noun here.  Follow the process.  Because, again, the one time you don’t, that’ll be the one to bite you.

Why?  What’s the purpose of all this?  I really like the saying, “if you don’t know where you’re going, you stand little chance of getting there.”  The purpose of diligence is to allow you to collect enough information so that you can make a reasoned decision on whether to accept the risk of doing business with the third party who was the subject of the diligence.  There will always be risk.  Most of the time, the level of risk is acceptable.  That’s why most discussions about risk end too early.  They talk about the questionnaire, and maybe the risk rating, but not how that rating comes about, or what happens next.  Because here’s the truth that you need to internalize if you want to stay out of trouble: the diligence process begins at a definable point, but never ends. Your diligence leads into—and, if you’re doing it right, defines—a monitoring program that you must maintain throughout your relationship with the third party.

Let’s look at the case study with that in mind, that diligence is a marathon, not a sprint.

Case study #6 posits a medium to large manufacturer of equipment, with an opportunity to enter an emerging market by way of a government contract.  Local “convention” requires foreign businesses to operate through a local agent.

The optional controls are:

  • Having a questionnaire requiring a) ownership details, b) CVs and references for those involved in performing the service, c) details of directorships held, existing partnerships, and third-party relationships, and any relevant judicial or regulatory findings.
  • Having a clear SOW, including fees, costs, commissions, etc.
  • Undertaking research, including Internet research on everyone, including control people if the third party is a corporation.
  • Make inquiries “with relevant authorities” in the market to verify “the information received in response to the questionnaire.”
  • Following up on references and clarifying any matters arising from the questionnaire
  • Looking at the agent’s anti-bribery policies and procedures, and, if applicable, records
  • Being alert to key commercial questions such as a) is the agent really required, b) does the agent have the required expertise, c) is the agent going to interact with the government official, and d) is the payment reasonable
  • Renewing due diligence on a periodic basis

This actually isn’t a bad list.  The problem isn’t what’s included, the problem lies in what’s omitted.

First, a glaring omission is any OFAC/Sanctions check.  That’s a must-do.  Also missing is what you do with the diligence.  But let’s leave that for a bit while I comment on each of the proposed controls.

Second, the questionnaire.  Undoubtedly an important piece of diligence, be careful not to put too much effort into it.  It’s a blunt tool.  And, since you’re relying on the agent to answer everything honestly, you need to put more effort into designing how you’re going to verify, and then react to, the answers.  In other words, for every question you ask, ask yourself, “what am I going to do with the answer? How will my actions change depending on what the person says?”  You need questions that will be more likely to generate honest responses, and you need questions that make sense.

It’s important that this is a medium to large company.  Larger companies can force these things on smaller companies.  But smaller companies have a much harder time.  I worked in large companies, and I would always a) send out my own questionnaires and b) push back on people trying to send questionnaires to us.  Was I just being mean?  No.  The question, “who are your beneficial owners?” is a common question.  But for a large, public company, it’s an almost impossible question to answer.  A better question is “if public, who owns more than 10% of your company?”  But I saw really badly drafted questionnaires.  And really, if a company is in the US, and listed on a national exchange, why bother with a questionnaire?  The information is all on Google Finance anyway.  And let’s see, you want a CV, and references, from those performing the service.  Yeah, right.  Good luck with that.  This is where you really have to be careful what you ask for.  Because let’s say you’re hiring me as an external sales agent.  I have 400 employees who are going to actively push your product in the Democratic People’s Republic of Bribe-istan.  You ask for the CVs and references of everyone providing the service.  Fine.  Being the good-hearted, wholesome vendor that I am, I give them to you, three references each.  So now, you have 401 (the workers, plus me) resumes to look over, and 1,203 calls to make to check the references.  Because, oh yes, if one of my workers pays a bribe, you’ll get asked, “you asked for references, did you get them?  And if so, did you check them?”  If you say “no” to either of those questions, you’re toast.  And you’re planning on making those 1,200 calls with what resources?  Oh, just you?  And do you speak the local language?  Because the references don’t speak English.  See why choosing the right questions becomes really important?

Next control suggestion from the guidance: get a detailed SOW.  This sounds more like a business requirement than a compliance one, but I suppose it’s both.  This looks like a pre-relationship control, but really, it’s more in line with the ongoing monitoring requirement.  In anti-money laundering compliance, one of the requirements is to understand what the expected account activity will be.  This is like the SOW requirement.  It’s important not for what it is at the start, but because it sets the expectation.  If you have an expectation that payment will be by check, and you get a request for a wire, that’s outside the SOW, and inherently suspect.  It’s situations like this that illustrate and validate the marathon v. sprint paradigm.  It’s not enough to have an SOW.  You have to understand when the relationship veers outside of the boundaries of the SOW.  The only way to do that is by monitoring the activity.  Vendors need key performance  indicators that should be reported monthly, and compliance should have some KPIs in there; KPIs like “did the vendor’s payment vary from the SOW this month?”  “have we verified that whatever the vendor was supposed to provide this month was actually provided, and worth what we pay for it?”  “Were there any requests for non-SOW payments this month?”  If you get dodgy answers, you have to follow up.

Next: independent research.  Yes, thanks.  Now, the tougher question isn’t whether to do it, but how much to do.  Figuring out what information to collect is one of the trickiest pieces to diligence.  As I said above, there are two elements: information from the vendor/agent, and information you collect independently.  Here’s where setting global definitions becomes hard.  Local information sources around the globe vary in quality.  Vary dramatically.  So if you say that you want to independently collect beneficial owner information, you may just not be able to do that everywhere.  (Or anywhere, frankly, with that particular piece of information.)

Make inquiries with relevant authorities to verify: a really good idea, if you can find “relevant authorities” with knowledge of what you want to verify.  “Relevant authorities” might not know about beneficial ownership, or whether the proposed price is reasonable for the market.  Or whether a particular agent is the brother-in-law of the zoning board official you’re dealing with.  But like I said, after Sophie and Herbert and Billy said it was a good idea, I bowed to their greater knowledge and said reaching out to the Embassy was a good idea.  Just remember that “relevant authorities” is just another information source for your independent research.

Following up: It’s amazing to me how two little words can translate into so much work.  The difficulty here is that you’re not doing diligence on one vendor, you’re designing a repeatable process to do diligence on all vendors.  And sometimes it’s not so easy to know what you need to follow up on.  References?  Absolutely yes.  I told the story of the thief who put a prior victim down as a reference, and almost bankrupted the company that didn’t check the reference.  That’s true here.  There’s just no excuse for not following up on a reference once you’ve asked for it.  Then again, I think a regulator would say that there’s no excuse for not following up on any information you ask for.  That’s why I think you have to be very careful what you ask for.  You have to know, and I’ve said this before, for every question you ask, what’s the riskier answer, and what am I going to do with a risky answer?

Looking at the agent’s anti-bribery policies and procedures.  To which I respond, what if they don’t have any?  Seriously, do you expect every two-bit company that provides marketing services in Azerbaijan to have an anti-bribery policy or procedure?  And what exactly does that get you?  We’re told over and over that paper policies are no good.  So now we’re supposed to take a paper policy and use it as part of our diligence?  What you’re really looking to know is, does the vendor take seriously its commitments to anti-corruption?  Because everyone will tell you they’re strong on anti-corruption.  Most will even sign a certification to that effect (don’t get me started).  But I haven’t met a vendor/agent yet who would pay a bribe but refuse to sign a piece of paper saying they won’t.  So the question is, does having a policy represent evidence of a serious commitment to anti-corruption?  To which I reply, not so much.  It may prove the opposite: not having a policy might show that you’re not serious.  But even that’s iffy, in my opinion.  And again, remember follow-up.  If the person says they have a policy, you have to physically see it.  And have it translated.  And read it.  Then, what if it stinks?  Is that more trouble than the existence of a policy is worth to your diligence efforts?  Tough call.

Being alert to commercial questions: I’m going back to “water is wet, thanks,” on this one.  If you’re  not alert to a commercial question like, am I paying an unreasonable amount for this product or service, you’re not going to be in business long.  But, kudos to the author, being alert to expertise and government interaction are key.  Key.  You see cases all the time where an agent was hired who has no expertise other than his or her political connections.  And, who could have known, they bribed someone.  I would go so far as to say that if you can metric expertise, and you monitor just that metric in hiring agents, you’re probably going to be fine.  But remember, the metric is more than “gets results.”  The other  metric, by the way, that I think is absolutely necessary is verifying that what you’re receiving is worth what you’re paying.  Verifying it, mind you.  I would go so far as to say that verification can even come from somewhere else inside the  company.  Someone unconnected with the hiring of the agent to be a reality check.

Lastly, renewing the diligence.  Absolutely yes.  No more need be said: you must do this.  One thing, though.  You should stagger the periodicity of the renewal based on risk.  That is, higher risk vendors/agents get more diligence, more  often.

Now, let’s look to Principle #4 on due diligence.  The Guidance states, “the significance  of the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right,” as opposed to diligence to mitigate  general third-party risk.  I think they’re right; diligence for the purpose of assessing bribery risk is so major an effort that it deserves attention in its own right.  The Principle also correctly (in my opinion) states that the purpose of diligence is to “inform the application of proportionate measures” to prevent associated persons from  bribery.  The Principle also correctly (again, in my opinion) explains that diligence procedures should vary according to the risk that the third party presents.  There’s a little of a chicken-egg problem here, because the diligence should help identify that very risk.  But really—and I agree with the Guidance on this point—the type of third party, the category of service, can provide enough  guidance to define what level of diligence is necessary.  You have to start somewhere, and service type is a really good place.

The Principle then degenerates into some “water is wet” statements about how the amount of care needs to vary with the type of third party relationship.  I think it’s also obvious (but as I’ve said before, I’ve been surprised at what some  people don’t recognize as obvious) that lower risk gets lower diligence, and higher risk should incorporate more stringent diligence like hiring local firms to investigate the partner.

If you’ve read this far, you’re a trooper, so stick with me just a little longer while I talk about my ideas for effective due diligence.

First, TRACE (an organization you know I’m a fan of, if you’ve read this blog at all) has put out a pamphlet on what a minimum amount of diligence looks like.  A valiant effort, and always worth paying attention to.

Here’s what I think.  I’m prefacing this, however, by saying that if the UK actually prosecutes private-sector bribery, this is going to change.

First, you have dual requirements to differentiate your diligence processes (simply because of expense and ensuring it’s repeatable) into high-risk diligence and low-risk diligence.  Assume that everything is low risk except for the following: proposed JV partners, external sales agents or other product-distribution agents, external marketing firms, external law firms, anyone hired specifically to interact with the government on your behalf, and anyone whose low-risk diligence produces a red flag.  You can exclude from diligence altogether any firm that is regulated by a government entity in its own right.  (Some will argue with this rule, and reasonable people can disagree, but if it’s a regulated entity, there’s  nothing you’re going to find out about it that isn’t already known, so why bother?)

Low risk diligence should include, at a minimum, the following: identifying the beneficial owners of the third party, identifying senior management, identifying supervisory personnel servicing your account.  The level of management to be identified can vary with the size of the third party.  Run all names through an OFAC/Sanctions check.  Ask the third party if they do business in sanctioned countries (don’t say that…list out the sanctioned countries and ask if they do business there).  Perform a news search using Google News, or Lexis/Nexis.  There’s a negative-news search string that your AML people will have, use it.  Save the search as a search agent, so you’ll get notified if anything pops up.  Call the contact number given by the third party to see if they answer.  Go to the web site, print out the front page.  Call the embassy in the country, talk to the commercial attaché, and take notes.  Ask the third party for a customer reference.  Call the reference.  Take notes.  If feasible, have the businessperson who wants to onboard the third party conduct a site visit.  That’s it.

Here’s the trick: first, take notes of everything, and put those notes in a vendor/agent file for that third party.  Keep the file safe, and take it out every 2 years for low risk.

For high-risk, you do more.  And how much depends on why the third party is in this bucket.  For high-risk diligence, at a minimum, I’d inquire whether anyone at the third party company is related to a government official.  I’d think about  “boots on the ground.”  And I’d get more than one customer reference.

Finally, remember that, as I understand it, no company—no company at all—has gotten into trouble for doing their due diligence, but later having the amount of diligence questioned.  If a company gets into trouble, they did NO diligence, not insufficient diligence.  Process is just as important here as the specific diligence information collection points.  If you collect information, conduct independent inquiry on that information, present that information to a disinterested committee, and follow that committee’s recommendation, in my mind, you’re fine.

[Remember my standard disclosure: I’m a lawyer, but I’m not your lawyer, and I’m not licensed to practice in the UK.  If you want advice you can rely on, hire someone.  I offer opinion commentary, not legal advice.]

On Its Way…Soon…I Promise: Case Study #6

11 Apr

I’m working diligently on case study #6, on due diligence. There’s a lot to say; I should have something up later tonight.

Case Study #5: Great Job!

7 Apr

Case Study #5: Even a Stopped Clock

You probably think by now that I’m a crusty, irascible curmudgeon. I’ve had absolutely nothing positive to say about these case studies. All this negativity is getting me down, and me, such a lovely fellow (or so say my kids).

It delights me to tell you that if you’re a small company looking to do a risk assessment on the cheap, case study #5 is a must-read. I’ve also realized that in discussing these case studies, I’ve been neglecting to include commentary on the Principles that underlie the UK government’s suggested remediating points. A glaring omission that I realized while soaking up the great posts of my colleague Tom Fox (an everyday read for me). What I’m happy to report is that Principle 3, on risk assessments—while far from perfect—is really very good.

I’ve been “in the middle of” drafting a mammoth post on risk assessments for about 3 weeks now. I’m feeling inertia set in on that post, so I’ll include some of my suggestions from that post in here.

What’s important to remember is that most companies—I’m tempted to say “all companies,” but I like to leave room for my own incomplete knowledge—have a risk assessment that, in a word, sucks. There are exceptions, I’m sure, but most aren’t as rigorous as their creators think they are, or don’t cover the right things, or are back-of-the-napkin, or are anecdotal. I’ve seen far too many compliance officers skip this important step, rationalizing that they have a good handle, from their gut, on the risks the business faces.

Here’s something that you don’t hear often, but it’s a true statement that you ignore at your peril: you need two risk assessments. Risk assessment #1 is where corruption falls on your enterprise risk chart. This pits corruption against other risks like money laundering, sanctions/export, antitrust/fair competition, privacy, and other regulatory risks specific to your business. Some companies combine all these into one “regulatory risk” category and four-box it along with operational risks. That’s one way to go. Reasonable people can disagree which model is better, and it comes down to your specific business model. My preference is the former, but people smarter than me choose the latter also. The reason you need this cross-risk assessment is to justify where you’re spending—and more importantly, not spending—your limited budget. If your diligence is lacking on a third party, it’s hugely beneficial to be able to show that you weren’t ignoring that risk, but your budget this year went to another risk mitigation effort.

Your second assessment is particular to corruption, and helps you determine where your anti-corruption budget should be spent this year. The most important two words in that sentence are the last two. A risk assessment lasts a maximum of one year. Often less, because the business changes fast. If the business reorganizes, your risk profile changes. If your business introduces a new product or enters a new market, your risk profile changes. Spend an hour and update your assessment: talk about great optics!

Before I get to what the right process is for a risk assessment, let’s look at the case study, and what the MOJ’s suggestions are.

Case study #5 posits a small specialist manufacturer who wants to expand into a new market, but hasn’t decided which market. The firm has no particular risk-assessment expertise, and is a little lost.

The MOJ’s optional suggestions are:

  • Incorporate bribery risk into the business’ market analysis (presumably alongside customer base, competition market share, ease of entry, labor costs etc.)
  • Seek advice from UK government sources like embassies and Chambers of Commerce
  • Consult the TI list (it says “general country assessments undertaken by local chambers of commerce, relevant non-governmental organizations and sectoral organizations,” but it means the TI list)
  • Seeking advice from industry reps, and
  • Follow up with independent research

Here’s where I’m happy to say that I really like this list. Excellent job, MOJ! Except for the one about seeking advice from industry reps. What were you thinking on that one? This is an extremely sensitive and strategic decision: the idea that you’d ask outsiders for advice, absent an NDA or fiduciary relationship is ludicrous. But other than that, well done!

Let’s talk about this for a second. First, the hypothetical posits a small company. For larger companies, for Heaven’s sake, call Manny Alas at PriceWaterhouseCoopers and get some professional advice. Tell him I sent you and he’ll give you a free set of steak knives. (kidding). I doubt anyone better at this than Manny exists on the planet, but if you have someone else, the point here is to pay the money and get the advice you need.

Smaller companies can’t afford that level of completeness, and have to compensate. I love, absolutely love, that first suggestion. So much so, in fact, that I’d recommend it for every company of any size. It’s hard to overstate how important it is that you embed compliance discussions in business discussions. Not just for anti-corruption, for everything. I have this mantra: there’s no such thing as “compliance training,” it’s all business training. A person can’t do their job well if they don’t meet their targets, and can’t do their job well if they embroil the company in a regulatory issue. I’d broaden that statement to include all of compliance: all controls are business controls. The more integrated your compliance program is with your business processes, the better off you are. A great start is with something as basic as market choice. Why wouldn’t the business equate corruption costs with labor costs in their thinking?

Point 2: seeking advice from government sources. Absolutely. It’s free, looks great, and doesn’t take much effort. A trifecta! My addition here is to consult the embassies of each market you’re considering. They’ll have the on-the-ground experience that will prove invaluable. I used to poo-poo embassy calls. But the panel on Africa at the Global Compliance Symposium changed my mind. If Billy Jacobson, Sophie Lamont, and Herbert Igbanugo—the three who I was so impressed with—say it’s a good idea, who am I to argue?

Point 3: consult the TI list. There are other lists out there, but Transparency International’s Corruption Perceptions Index (aka “the TI list”) is the authoritative one for corruption. Everyone uses it, companies, regulators, everyone. Looking at other lists lends a great coat of polish to an inexpensive risk assessment, but the TI list is mandatory. I’ve never worked at an extractive industry corporation, or pharma company, so there might be industry-specific lists out there of which I’m unaware in those, or other, industries. For financial services, there are money-laundering country lists out there. In any event, those will be in addition to, not instead of, the TI list.

Point 4: industry reps. As I said, this is unrealistic, if not downright silly. But if you don’t care if your competition knows your strategic plans, go to town.

Point 5: following up with independent research. Maybe a little flavor here of the water-is-wet obviousness that I’ve painted other case studies with. But I’m always amazed at the ridiculously obvious things some companies don’t do, so I’ll reserve that particular complaint and say that any amount of follow-up research is like gold. A little is great, more is better. But it’s always true that a little is better than none. And with the Internet, research is easier than ever. Here’s one example of market diligence gold. If you’re looking at a risky market, use the Internet to find the name of a dissident in exile, and arrange a phone interview; ask that person what the risks are of doing business in that market. Incorporate at least one suggestion from that conversation into your program. Can you imagine how diligent that makes you look? If you can’t arrange a conversation, find newspaper articles about the dissident, in which I’m sure you’ll find some tidbits about the risks of having a presence there. I’m ready to give you an NPA right now.

Another suggestion: ask TRACE. If you don’t know about TRACE, it’s a member organization with great resources. It costs a little money, but it gives great value for the money. And not for nothin’, but I put my money where my mouth is on this: I had both companies I worked for join, or renew, membership. Call Alexandra Wrage (the last name rhymes with “foggy,” you’ll be a step ahead if you pronounce her name right); I’m a fan, and it’ll be worth it.

Let’s turn now to the Principles. The first point made in Principle 3 is that the risk assessment should be periodic, informed, and documented. I can’t think of anything to add to that statement. The commentary to the principle recognizes first that the risk assessment will be part of an overall business effort to examine business risks. Dead on. The MOJ suggests that the assessment process requires a) top-level oversight, b) appropriate resourcing, c) identification of information sources, d) diligence inquiries, and e) documentation. Exactly right. I personally think the information sources issue will probably be the hardest, but in practice, the resource allocation issue probably takes first place. You can get by with a “quick and dirty” assessment for a while, but you’re going to need a real one sooner or later.

The commentary on principle 3 also recognizes that risks change over time, and therefore so will the risk assessment. It’s a living document, in other words, and should be re-evaluated often.

Here’s where the commentary really gets good. It lists five commonly encountered risks:

  • Country
  • Sectoral
  • Transaction
  • “Business Opportunity” risk
  • Business Partnership

We’ve talked already about the first two, so let’s skip to the third. My reaction: YES!! Transaction risk is too often ignored. This is doubly true with third-party diligence, where a third party gets cleared to form the relationship, and the diligence stops. Once you bring a high-risk third party on board, you need to monitor the transactions to ensure that riskier transactions get their own response.

I think that “business opportunity risk” is just another flavor of transaction risk, at least from how it’s written up in the commentary to principle 3.

Transaction risk first and foremost identifies and analyzes the financial aspects of the deal. Is there money left on the table, or money that’s spent in a non-transparent way? Who is the end-user?

The commentary then moves onto internal risks, and again does a fantastic job:

  • Where is your training lacking?
  • Do you have a culture that rewards excessive risk-taking?
  • Are your policies prohibiting bribery unclear? (Or, I’d add, are they written by lawyers and for lawyers?)
  • Are your financial controls unclear?
  • Is there a lack of effective messaging from the top?

This is an excellent list. The only thing I’d add is to point two: in addition to asking whether the culture celebrates risk, I’d ask how your salespeople are measured. If only on the amount of sales, I’d take that into account. I would also pay special attention to your financial controls. You need to identify what financial controls you have and link-and-label them back to your anti-corruption program. When you say, here’s my anti-corruption program, your total gamut of financial controls needs to be identified.

Now we’ve reached an inflection point, and I’ll give you another true statement you ignore at your peril: a risk assessment is a tool, a compass, not an end unto itself. I really like the word “compass” here. A risk assessment points your compliance program in the right direction.

You take your risk assessment and structure your resources, both time and money. If you find that your training is deficient, you need to prioritize that in your spending. Are your procedures tailored to your riskiest employee base? Do you even know who your riskiest employees are? Can you say with assurance that your financial controls will keep someone from signing an invoice to pay for $100,000 worth of services that were never provided? Your risk assessment should tell you these things.

And how do you get to this nirvana? What’s the process you should follow? Well, the most common answer would be “surveys.” That’s not entirely correct, and it’s not something that the guidance tells you. The most important thing about conducting a thorough risk assessment is involving the right people. You need a group at all levels of the organization; the more the merrier. You need the entire leadership team, and you need legal and compliance. You need to understand what’s actually going on in the organization, because that’s where you’ll capture real risk, rather than theoretical risk.

In any case, for smaller companies, this case study is great. I’m tempted to say that even a stopped clock is right…twice every day. But let’s celebrate the good job that they did here.

Case Study #4: Hospitality

5 Apr

Wow, did I have a lot to say about this. Be warned: it’s long.

Case Study #4: Hospitality

I have to admit that I’ve been looking forward to this one. So much so, in fact, that I even considered going out of order. I mean, who would rather write about proportionate procedures when you can write about hospitality? Alas, I’m a rule follower, and I had to sit through writing three case study evaluations before I could write this one.

I used to abbreviate this whole area of meals, gifts, travel, and entertainment as the “thorny issues.” Because they’re plentiful, and it’s easy to cut yourself if you’re not careful.

From a compliance perspective, these types of issues present particular problems. But not insurmountable ones. In fact, just the opposite. It’s not that the questions are hard, it’s getting the business to follow the procedures. Because with the thorny issues, the business is going to yell and scream. This is where the Act’s prohibition on private-sector bribery is a pain point for the business. It’s no longer just government beneficiaries you have to control, it’s everyone. Every meal, every gift. It’s one thing to tell your Indian operations that they can’t give government officials gifts during Divali. It’s a horse of an entirely different hue to say that you can’t give any gifts to anyone. But I’m getting ahead of myself.

Case Study #4 posits an engineering firm that hosts annual events with food, tickets to sporting events, and entertainment. Private-sector attendees pay their own travel; the engineering firm pays for the government officials’ travel.

As usual, the controls suggested by the Guidance aren’t prescriptive; it’s “any or a combination.”

• Conducting a risk assessment specifically addressing hospitality
• Publishing a policy statement committing it to “transparent, proportionate, reasonable, and bona fide” hospitality
• Issuing internal guidance addressing a) that the firm’s procedures are to ensure transparency and conformity with local law; b) and with the laws that cover the official receiving the amenity; c) that hospitality is given to cement good relations and show appreciation, and to improve the image of the firm as a commercial organization, to better present its products or services, or establish cordial relations, d) that the recipient isn’t under any obligation; e) the policy should lay out criteria to be applied when deciding appropriate levels of hospitality in different circumstances; f) that hospitality for public officials should be cleared with their agency; g) approval for expenditures over certain limits; h) accounting

I have to interrupt. There’s more, and I’ll get to it in a minute, but I just can’t help myself. It takes a special paragraph about hospitality to get me nostalgic for the FCPA’s provisions on the subject. I suppose—like the FCPA Professor said at the Global Compliance Symposium—I should celebrate the fact that the UK issued guidance at all. But I have to say that if you follow the advice above, you’re going to get into trouble. Not so much because it’s bad advice, but because it’s a big gaping hole that your business partners will drive a bus full of gifts right through. It’s obvious to me after reading this “guidance” that neither the writer nor approver has ever met an actual salesperson. Someone with responsibility to meet a sales target if they wanted to feed their children. Sales people aren’t measured on compliance—and anyone who’s been around me for more than 5 minutes knows how I feel about that—but only on how much they sell; they can get a little tunnel-visioned. It’s not that they set out to give inappropriate gifts, it’s that they rationalize what they want to give as appropriate. You need controls that prevent that. But I’ll get to that too.

• regular monitoring, review, and evaluation of internal procedures
• appropriate training

There’s just too much here to talk about. An embarrassment of riches. I really don’t know where to start. Why don’t I just start by telling how I think hospitality should be handled, and you can compare and contrast.

First, all hospitality to government officials is high risk. Risk assessment done. I have a harder time with the UK Act because of the private-sector piece, and I don’t know how that’s going to be enforced. [By the way, if I were the SFO, and wanted to send a message that the times have changed, the first case I’d bring, on day 2 of the act being in force, would be a private-sector case.]

There are simple controls you can use for hospitality. I prefer different controls for meals, for gifts, and for travel.

For meals, pick a number. By “number” I mean a pre-set limit to how much can be spent on meals that include government officials. Personally, I think it better for each market to set their own number. What’s important here isn’t the number, it’s the process. If you have a market-level risk committee, use it. They should meet, decide what’s reasonable in the market (if there’s an internal limit to how much employees get reimbursed for meals in the market, take that into account), set a number as the rule, and enforce it. The decision should be reviewed annually. If you don’t have a pre-existing committee, get your country leader, your head country lawyer, your head of sales for the market, and your market compliance officer together and call it a risk committee.

Or, you can have a global number. £125 a person anywhere in the world. If you can show how you came up with the number—meaning that there was a thoughtful process, and the number isn’t totally outrageous—you will likely never get into trouble if the meal in question followed the rule. The key is reinforcing the rule at every opportunity. The difficulty here, of course, is monitoring. Ideally, your expense reimbursement system would have the capability to monitor these things. If it doesn’t, upgrade.

I’m not a fan of pre-approval for meals. There are just too many, and some are impromptu. Plus, if the UK takes the private-sector bribe sections seriously, you’re going to have a real problem getting your approval process to scale up to handle the increased volume of approval requests. This is one of my real worries about the impact of the private-sector laws: compliance controls, in most cases, are not scalable. That fact is something no one is talking about yet. But they will, because it’s the drop-off that we’re all running toward. One pitfall with no pre-approval is you can have someone get taken out regularly, like how some doctors get their lunch every day from their drug reps. I would mandate that managers must be notified of meals with government officials. Then ensure that managers get the message that repeated meals with the same government official should be monitored. Not prohibited, monitored. What you really don’t want to happen is that you prescribe rules which, because they’re too intrusive, get ignored. You’re far more likely to get into trouble that way than because you spent too much.

For travel, there are some simple rules: don’t fly relatives. No first class. No side trips. Travel cannot include more than the event (in other words, if it’s a two-day conference, the trip can’t be two weeks.) If you’re in a high-risk industry, I might include notification/approval from the agency the official works for. Lodging follows similar rules: no suites, relatives can stay in the room with the official, but no other rooms (for children, e.g.). I would also require pre-approval for all government travel. Unlike meals, travel is never impromptu. You always have lead time, usually significant.

One complication is in the event space; this is the area the case study directly addresses, remember. Corporations, especially large corporations, plan events. Conferences, etc. I believe that all conference expenses, including travel, should be handled as a group, and aggregated, and pre-approval should be required. Remember, these kinds of events have huge lead times. All event expenses should be put on a spreadsheet, including who is getting transported, how, what hotel are people staying at, entertainment during the conference, gift baskets, drawings or door prizes, etc. I don’t want to get too deep into the weeds here, but suffice it to say that there are policy decisions that need to get made, and the risk committee should be the one to make them.

Gifts are the most difficult, mainly because they’re so common. I would not require pre-approval for smaller gifts that are given for normal reasons (birthdays, Christmas, Divali, Chinese New Year, etc.). Anything under £25, go to town. Similar to meals, I would require manager notification so you can avoid the small-but-often issue. Over £25 needs active first-level manager approval, over £100 needs a VP, over £1,000 needs an SVP plus the compliance officer.  Again, the dollar amounts aren’t as important as the process you went through to arrive at them.  Make sure your risk committee has a discussion around what’s common in the market, what they feel the right number is, and why, and make sure someone is taking notes.  Put those notes away.

Entertainment is a subcategory of gift. Tickets to sporting events (including invitations to the box at Wimbledon or to the World Cup or Formula One) are gifts, and need to go through that process. For entertainment, I would include some additional prescriptive rules, rather than change the gift process. No adult entertainment (you’d be surprised how often that question gets asked), no casinos, no tickets to Disney World. Right there, you’ve covered 70% of your entertainment risk.  You have the same scalability issue here as you do with meals: there are too many of these amenities given in a year for your regular compliance team to handle.

That’s my take. [Let me be a lawyer for a second and give you my standard warning: I’m a lawyer, but I’m not your lawyer, and I’m not licensed to practice in the UK. If you want legal advice, hire someone…there are plenty of good lawyers who would love to help you structure your anti-corruption compliance program for hospitality. I’m offering you opinion commentary, not legal advice. Thanks.]

Let me finish off by returning to the advice that the UK guidance gives you.

Point 1: (if you can remember that far back) doing a risk assessment. Once again, water is wet, and thank you for that blinding glimpse of the obvious.

Point 2: publishing a policy…okay, do this. In this area, the devil is in the details, so telling you to commit to “transparent, proportionate, reasonable, and bona fide” hospitality doesn’t really move the needle, or guide. But from a beat-the-FCPA perspective, it has 24 more letters than the FCPA’s provision. Let me add that your policy should not be written by a lawyer, for a lawyer. You need salespeople involved, and marketing people, and event planning people. Figure out who your stakeholders are and get them involved in the policy writing process. Because as you draft the policy, questions will arise that require policy decisions, and you want the business to have bought into what your decisions are.

Point 3: the ridiculous internal guidance. In the field, people are looking for direction, not platitudes. Don’t say, “hospitality should be reasonable.” Say, “you can’t spend more than £125 per person on a meal.” People in the field appreciate, in my experience, the directness and guidance. (And yes, I chose that word deliberately.)

Point 4: monitoring and review. Good idea. Do this. Regularly. The monitoring piece is going to cost you money. It’s more than likely a tech build for you, which is expensive. I would try to glom onto the pre-existing expense reimbursement system, as I’ve said.

Point 5: appropriate training. Another good idea. Do lots of this. Here’s one tip: concentrate on your first-level managers here. You need these people to buy into what you’re doing. You have to explain the rationale, and explain why you’ve made the choices you have. I would have these people messaged from folks within their chain of command. Do NOT have lawyers talk to them. It should be stressed over and over that this is a business decision (another reason to have the right stakeholders in the policy-drafting stage), and responsibility falls on the managers to enforce the policy. Then, make it a metric.

My Own Guidance

2 Apr

I decided it’s not entirely fair for me to be so critical of the UK Guidance without offering an alternative. So here’s what I’ve decided: after I’ve finished the case study series—oh, yes, I’m going to finish; it’s just too much fun—I’m going to write my own version of the Guidance. The guidance as it should have been written.

Just something to look forward to.

Case Study #3: Junior Varsity…I Mean, JVs

1 Apr

Case Study #3: Joint Venture or Junior Varsity

Before I start in on my now-familiar criticism of the Guidance case studies, I want to pass along something from the Dow Jones Global Compliance Symposium. A little while back, I published a post called “On Getting Advice” in which I named several outside counsel and in-house compliance officers who I liked. As I’ve told my boss numerous times since, I enjoy competence. I like reading good writers, hearing good speakers. It’s something you know right off, and it’s incredibly hard—if not impossible—to fake.

The Dow Jones GCS panels were all high-quality; it’s one of the reasons I like going to their conferences. But three people stuck out. With these three, they wore their competence on their sleeve. I had not known these people beforehand, and other than thanking two of them for their panel performance, I’ve never spoken with or worked with them.

But I would, in a New York minute.

Two were on the same panel, one about avoiding problems in Africa. A third panelist was one who I’ve already mentioned as fantastic in On Getting Advice, Billy Jacobson. He lived up to my high expectations. Two of his other panelists, Sophie Lamont and Herbert Igbanugo, blew me away. I think at one point, I might have heard of Nardello & Co, which is where Ms. Lamont is head of their Africa practice, but I don’t really know anything about them. But they have a star on their hands. First, she held her own with Billy, which is something not many can do. She spoke about the cultural differences in different parts of Africa. The other panelist has his own legal practice. Let me tell you, if I were opening an office in sub-Saharan Africa, he and Sophie would be my first calls.

The third person was Josie Jardim, General Counsel for Latin America for GE. If you’re a large business with operations in Latin America, the best possible move you can make, I guarantee it, is to back up a money truck and try to hire her away from GE. It might be tough, because GE is a great company, but for your sake, try. It’s also the first time I’ve heard a panelist say, “I have no idea how to do that; if you figure out a way, give me a call.” Refreshing. Especially so because her depth of knowledge was encyclopedic. I wish I could go back and watch her speak over again.

Okay, back to Case Study #3.

This hypothetical involves the formation of a joint venture by a medium sized company. The JV was formed between a UK company and a company local to a risky country with foreign mineral deposits. The UK company recognized in their risk assessment that this JV presents serious risks of bribery.

As usual, the guidance names optional controls, neither prescribing nor suggesting the mixture:

–Parity of representation on the board of the JV
–That the JV put into place measures designed to ensure compliance with applicable laws. These measures “might cover such issues as:” a) gifts and hospitality; b) decision-making rules agreed to by the local partner; c) procurement; d) rules for engaging third parties, along with due diligence procedures; e) conduct of relations with public officials; f) training for staff in high-risk positions; and g) record-keeping and accounting.
–Establishment of an audit committee with at least one representative from the UK company and the local partner; the committee should have the power to view accounts and certain expenditures, and should prepare regular reports.
–Binding commitments by both partners to comply with all applicable bribery laws; a breach by one is a breach by the JV, with material breaches allowing termination.

I’m frankly weary of telling you how little the case study suggestions help. But the total lack of common sense that is evidenced by these four suggestions spurs me to new efforts.

A JV is one of the riskier methods of engagement and entry into a market. You get all the worry of a proprietary operation, all the risks, but lack the complete control. A JV is you, but not you, and you get the worst elements of each. If a JV bribes someone, the UK partner faces UK liability. Even under the self-limited jurisdiction the guidance espouses, the SFO has jurisdiction here. So you have to constantly monitor the actions of the JV.

The first thing that sticks out is the lack of audit rights of the UK company. Now, I know, the six of you that regularly read this are shouting, “audit rights?! You?!” Yes, I can actually at times—very limited times—think that audit rights are a good idea. This is one. If you form a JV, having an audit committee of the JV audit itself just isn’t good enough. This would be one of the few times I’d say that you should spend whatever you need to, hire Manny Alas, and have PWC audit the hell out of the JV. If the JV partner objects, tell them it’s a deal-breaker.

Remember, the reason you’re forming a JV in the first place is that it’s a riskier market where you don’t want proprietary operations. Or it’s a location like China where foreign ownership rules make JVs more attractive. It’s not like China poses any risks, right? Yes, I know that there are other reasons to form a JV, like a pre-existing smaller company getting better distribution, and the larger partner getting a local presence. There are lots of reasons. I maintain that JVs are riskier entities.

The other thing that stands out as totally lacking is any mention of due diligence on the partner before formation of the JV. You might say that a JV partner is just another type of third party that we’ll cover in Case Study #6. You would be wrong. Because of the closeness of the relationship, I put JVs in a whole other category. You need better, more frequent diligence.

Given these two stunning omissions, I’m hesitant to say I agree with the four bullet points. It’s like, “other than that, Mrs. Lincoln, how was the play?” But let’s go through them anyway.

Point one: have you ever heard of a JV formed where both component companies didn’t get board representation? Me either. Parity is something else. I take parity to mean that you and I get an equal number of seats. I’ve never seen that, either. It’s based, in my experience, on percentage of ownership. I own 75%, I get 3 out of the 4 board seats. I’ve seen a lot of China JVs that were 51%/49% because of the foreign ownership rules. But the China company got a majority of seats, albeit only by 1. Here’s what I would suggest: you must have a representative on the board, but I would ask for management control, or at least veto power over management personnel decisions. You want your people in key positions. CFO. Head of HR. Some senior sales position. Marketing. Whatever is relevant in that market. In China, for instance, I would make sure the head of HR is mine. And even then, I’d rotate my people out of that position every 18 months. I’d do the same with the CFO. And I’d make sure that each of those positions had a mandatory 2-week vacation, where I’d bring someone else in for those two weeks to see what was what.

And why would the guidance list “measures designed to ensure compliance” rather than just say that the JV should have all the same controls as a UK company? It would take up less space, anyway. As it is, ensuring policies and procedures exist for gifts, hospitality, procurement, and diligence are all good ideas. I would place a greater emphasis on training than the bullet points seem to. Just one mention, and even then only for “staff in high risk positions.” I’ll forgive them for not hyphenating the phrasal adjective (it should be “high-risk positions”) but not for the oversight of the need to train everyone. I think that “conduct of relations with public officials” is redundant in an effective program, but I guess it doesn’t hurt anything.

Having an audit committee within the JV is okay, I guess. But as I lay out above, I’d want audit rights for the UK partner.

Termination provisions. Let’s talk about that. In most circumstances, exiting the JV means exiting the market. So we need to be very careful about termination. Plus, it will almost always open you up to litigation in the market against a local company.

The DOJ’s position on terminating JVs has, in my opinion, evolved over the years. I remember hearing DOJ personnel say that if there were a suspicion of bribery, and it couldn’t be resolved, the partner had to exit. I don’t know that they’d say that now. I would love an opinion release request on the subject, but that’ll never happen. What’s the right thing? Can I be like Josie for a moment and say, “I have no idea?” The question is self-disclosure if your objections to the deal aren’t heeded by the JV. Do you blow the whistle on your own JV? Do you have to back out the revenue, but be allowed to maintain the JV?

I don’t know. Put your suggestions in the comments.

I think my summation for this case study’s suggestions is “woefully inadequate.” Definitely not a varsity effort. More worthy of the JV team. (Sorry for the pun).

Case Study #2

31 Mar

Case Study #2: Proportionate Procedures

Continuing my series on the UK Bribery Act Guidance, what follows are my comments on the second case study in that document.

As I further consider the Guidance, I waver between “it met my incredibly low expectations,” and “it didn’t move the bar at all.” I think the truth lies between those extremes.

So here we go:

Before I even get into the hypothetical, can I just point out that saying “proportionate” already injects uncertainty into the document? Because it does. The FCPA Professor, Mike Koehler (pronounced KAY-lur), said on a panel today that if anyone expected the guidance to be prescriptive, they were unrealistic in their expectations. He also pointed out that the UK has at least put out guidance. Both true. But still.

So here, a small to medium sized company is operating only within the UK. It relies on independent consultants in its overseas sales process. The consultants work on a cost-plus-fee basis. They are chosen because of their extensive business contacts. This setup registered as a medium-to-high risk on the company’s risk assessment.

Mitigation, according to the Guidance, could include all or some of the following:

–Communicate a zero-tolerance policy statement internally and externally, including “sectoral bodies and local chambers of commerce.” [You just have to know that if I put something in quotes like that, I’m going to criticize it later, right?]

–Due diligence on the consultants including a) making inquiries through local business contacts, chambers of commerce, business associations, b) internet searches, and c) following up on references and financial statements.

–Including stricter language in contract provisions with the consultants. The terms should a) reflect a commitment to zero tolerance, b) set clear criteria if the consultants want to provide hospitality, c) define specifically how the consultant is to be paid.

–Make the consultants’ contracts subject to periodic review and renewal

–Draft a guide for salespeople

–Mentioning the commitment against corruption in business meetings, even to include anti-corruption as a topic regularly

–Running an anonymous hotline.

Let’s talk about each of these points in turn.

Zero tolerance is ridiculous. Here’s the problem with zero tolerance. Let’s say you have a critical supplier. That supplier does something you’re not comfortable with. The rational businessperson says, “let’s express our displeasure, figure out some reasonable mitigating controls, and move forward.” That’s the right call. Zero tolerance gives you two choices: abandon your critical supplier, or violate your own policies. That’s a terrible option. Violating your own policies is never a good option. It turns your whole program into a farce. So if you say “zero tolerance” you’re out of options. It’s never the function of a compliance officer to eliminate options. The job is to open up options. To be a creative solutions vendor for the business.

Again, I’m not apologizing for bribery, or suggesting that remedial actions can never include termination or severing a long-standing or even critical relationship. It’s just that, in my opinion, that “nuclear option” will almost never be used.

Also, they want companies to convey this zero tolerance policy to the community at large? Get real.

Remember also that this is a small to medium sized company. I’ve worked for two huge companies, and it was always, always a challenge to get language in contracts or alter the behavior of third parties. I don’t know that truly altering third-party behavior can’t be done, but it takes more skill than I possess to do it.

Next: diligence. The Guidance suggests inquiries through business contacts and chambers of commerce, etc., internet searches, and following up business references. Wow…that’s it? I mean, no OFAC/Sanctions lists checks? No questionnaires? No identification of beneficial ownership? No site visits? Don’t get me wrong, all they suggest is good stuff. I especially like the follow-up-on-references thing. A must do. I once prosecuted a woman that almost bankrupted the company she worked for through her embezzlement. Turns out, she had done the exact same thing before with the last company she worked for. The first company fully cooperated with the prosecution, and she went to jail. When she got out, she applied to the second company. When she applied, she put the first company—the one that prosecuted her for theft—as a reference! The second company she worked for never checked the references. So yes, please always check references.

All in all, none of the actions suggested by the guidance are useful in determining future conduct. Any prosecutor will tell you that the best indicator of future conduct is past conduct. So the best of all options is the internet search, which I presume includes a negative news search.

After diligence comes contract language, again with the zero tolerance. Setting criteria for hospitality sounds good, but what should the criteria be? Reasonable, non-lavish expenses? Thanks so much. If you can’t tell me what the criteria should be, how can I tell my third parties? Defining the basis of remuneration…thanks so much. Is there a contract that doesn’t do that? And “consider” making the contracts subject to periodic review. To me, that’s mandatory. If you’re not going to do real diligence, you need to more closely monitor performance.

The key to third parties lies in three things. First, make sure you’re paying market value for whatever you’re buying. Second, make sure that you’re only paying that amount. Third, make sure you’re actually getting what you’re paying for. If you’re doing those three things, you’re mitigating most—if not all—of your risk. Where companies get into trouble is not knowing a) that there’s money left on the table, or b) where that money is going.

Point five is drawing up key points for sales staff. Okay. Do it. In fact, I’d say that with this little diligence, you better do a lot of training.

Point six, emphasizing these policies and procedures at meetings. Okay, do this too. I would think you’d do it anyway, and for compliance generally, not just FCPA. But if you don’t, FCPA is a great place to begin.

Finally: have a hotline. Yep, another blinding glimpse of the obvious. Thanks.

It amazes me that the preface to this list is that companies might consider “any or a combination” of the points. I would think that all seven are mandatory. More than mandatory: they’re the absolute minimum.

Once again, with this hypothetical, the UK government commits to nothing and guides no one. It lays out a list of optional points that, if a US company did all of them, would still be considered inadequate.

Yeah, I’m back with didn’t move the bar at all.

Tomorrow for Case Study #3.

Case Study #1: Facilitation Payments

30 Mar

Tom is starting from the front of the Guidance, the Quick Start Guide.  I’ll start from the rear, the Case Studies.

Case Study #1: Facilitation Payments

As we’re all aware, painfully aware, the UK Bribery Act makes facilitation payments illegal.  Actually, it doesn’t “make” them illegal; they already were illegal.  The first case study identifies a medium size company that has signed a new customer through a sales agent.  The geography is risky, call it Bribeistan.  Company A is worried because importing goods into Bribeistan sometimes requires “inspection fees” at the ports before the inspectors will issue a certification and clear the goods.

The Guidance suggests any or all of the following for Company A:

  1. Communicate its policy of non-payment of facilitation payments to its sales agent (the one who will actually be paying the “inspection fee”).
  2. Seek local-law advice to determine if this is actually a bribe.
  3. Have the business adjust the timeline to accommodate the delay.
  4. Request that the agent company train its staff on resisting facilitation payments.
  5. Include contract provisions with the agent that include one or more of the following: questioning the legitimacy of demands, requesting receipts, escalating to senior officials, not paying in cash or directly to the official, telling the official that if the payment is made, Company A might be violating the UK Bribery Act, and telling the official that you’re going to tell on him.
  6. Maintain a close relationship with the agent company so you can know about local developments that may solve your problem, and
  7. Use UK diplomatic channels to apply pressure.

I’m reminded of an FCPA breakfast I once attended where a CEO of a company in India told us about an experience he had.  He was told that there was a shipment on the docks that was being delayed because the port official wouldn’t clear the goods without a grease payment.  The CEO had just gone through FCPA training, and knew what to do.  He called his friend, the Minister of Transportation.  The Minister himself came down to the port, with the CEO, and they held a joint press conference about clearing goods through customs and how you don’t need to bribe.  The port official pulled the CEO aside and said, “you have stuff coming through this port every day.  I’m here every day.  How many times do you think you can get the Minister to come down here?”

Ouch.

Let me comment on some of the “guidance” above.

On point 1: water is wet, thanks.  Yes, of course you need to a) have a policy and b) communicate it to your local agent.  Maybe if you’ve never heard of anti-corruption before, this is news.

On point 2: does the MOJ have any idea how expensive this is?  Maybe not here, but how many countries does Company A operate in?  Multiply that number by $5,000 minimum.

On point 3: What if the timeline is “never?”  Perishable goods, for example.  Or if the port official just turns the goods away.  Plus, companies ship in order to fulfill orders.  Sometimes those orders are for goods needed for further processing.  You’re not just changing your timeline, you’re changing your purchaser’s timeline.  Plus, you’re going to get 6 kinds of hell from the business when you try to put this through.  This will come back to haunt you somewhere down the line.

On point 4: The optics on this are good, but really, this will have no effect.  The agent has every reason to pay the fee, and every reason to pay lip service to requests not to pay.

On point 5: Not paying directly to the official is good.  Keep that.  Telling the port authority agent you’re going to report him…good luck with that.  I would really like to be a fly on the wall when you tell the official that if you pay, you’d be causing Company A to violate the Act.  He’ll pull out the smallest violin in the world and play “My Heart Bleeds For You.”  After laughing hysterically.  Plus, you have to get these contract provisions into the contract.  What are you giving up to do that?  It’s called contract “negotiation” for a reason, you know.

On point 6: Go ahead and do this.  I would suggest holding your breath while you wait for this mysterious solution to appear…I’m sure it’ll be here at any moment.

On point 7: Go to town.  This might actually work.  I doubt it, but you never know.

If a company wants to stop paying facilitation payments, it need only tell its employees—and then back it up by action—that if business is lost because of refusal to pay a facilitation payment, there will be credit given for that business on the salesperson’s metrics.  That would be tone from the top.  Companies generally have two forms of policies for facilitation payments: “no” and “no, but.”  The problem is, companies should not have policies they don’t monitor and enforce.  And I haven’t seen a company that has an effective facilitation payments monitoring program, and I’ve never even heard of a company disciplining an employee for paying a facilitation payment that succeeds in getting the service.  Paper programs do no good for anyone, and the regulators in the US hate them.  The other type of policy, “no, but” means that the company takes a position that they don’t like facilitation payments, but allows them under certain circumstances, generally revolving around some onerous approval process (most I’ve seen require sign-off by the General Counsel or Chief Compliance Officer).  I have only one question for those companies: how many times has the escalation process been used?  I’ll bet all the money in my pocket that the answer is “never.”  Does that mean that no facilitation payments have been paid?  Or does it mean that no one follows the policy?  I’m guessing the latter.

If you’re entering a new market, my suggestion is to not pay facilitation payments.  Take a stand and take the consequences like a man.  You might feel some short-term pain, but it’ll level off as the market adjusts, and you won’t get extortive requests.  If you’re already in a market, I’d concentrate on making sure you’re aware of what facilitation payments you’re making, and making sure you’re recording them correctly.  The most dangerous thing is if you’re in a risky market and don’t know where you’re paying.  Because in a risky market, believe me, someone is paying facilitation payments.  If you’re getting silence from the market, it’s not because the payments aren’t happening; you’re just not hearing about them.

Also, pay close attention to point 2.  Because that’s where the really tricky stuff comes in.  I tend to think that if you pay this port official to let your goods enter Bribeistan, it’s NOT a facilitation payment.  My supposition is that it’s a bribe.  I would think that a port official has the authority to turn goods away.  That means that letting something into the country is NOT a ministerial or administrative act that can be expedited through a payment.  It’s a decision that the port official needs to make, and you’re paying him to make one decision, in your favor and to your benefit.  By any definition, that’s a bribe.  Frankly, I’d be extremely suspicious of a legal opinion that said otherwise.

 

UPDATE: I’ve just read the SFO Guidance (different from the MOJ main guidance) and its section on facilitation payments.  I just had to relate one “factor tending against prosecution”: “A single small payment likely to result in only a nominal penalty.”  Are they serious?  Has anyone ever made just one facilitation payment?  For guidance that can be fairly criticized as overly business friendly, it is significantly detached from reality.

Another Must-Read

16 Feb

As long as I’m sharing the love, let me refer another site to you.  If you’re interested in the UK Bribery Act—and if your company has any connection with the UK, you should be—then you must, simply must, read Barry Vitou and Richard Kovalevsky’s The Bribery Act.  It is, simply put, the best, most comprehensive site there is.  They are thorough, thoughtful, and really, really smart.  I have it in my RSS reader, and so should you.