Investigations Quarterly Magazine Issue 14

2013 » VOLUME 1 » ISSUE 14

INVESTIGATIONS QUARTERLY

7 ConflictsofInterest 7 ConflictsofInterest

3 TheNextComplianceDeluge13 RegulatoryConsumerProtection17 BeneaththeCanopy

3 TheNextComplianceDeluge13 RegulatoryConsumerProtection17 BeneaththeCanopy

Tone at the TopEthics, culture and code of conduct are just a few words that come to mind when we think of “tone at the top” and corporate governance. Since the enactment of the Sarbanes-Oxley Act in 2002, “tone at the top” has become a ubiquitous phrase used within boardroom, business and government agency circles. It is no surprise, in today’s economic environment where companies are under intense pressure to meet shareholder expectations and regulatory com-pliance, that combatting fraud and corporate misconduct have become synonymous with developing a “tone at the top.” Increasingly, senior executives are leading by example and re-inforcing organizational integrity as a means to minimizing compliance risks and preserving corporate reputation.

In our cover story, “Conflict of Interest: Why You Can’t Serve Two Masters,” the author looks into the individual psyche and the inherent struggle between power and accountabil-ity. Conflicts of interest can occur anywhere within an organization and are often hard to detect. The motives behind conflicts of interest are numerous. Organizations should remain vigilant in managing their compliance and ethics programs as well as maintaining a consis-tent “tone at the top.”

The article, “The Next Compliance Deluge: Corporate Social Responsibility Reporting,” addresses the challenges of corporate social responsibility reporting (CSR). CSR reporting is becoming increasingly important to multinational companies as consumer and business groups around the globe embrace social, labor and environmental activism. Once used by companies primarily as a means to demonstrate corporate transparency and enhance corpo-rate reputation, CSR reporting is quickly becoming a mandatory requirement as part of con-ducting business overseas and in the United States.

In “Responding to a CFPB Civil Investigative Demand,” we introduce readers to the Consumer Financial Protection Bureau (CFPB) and its broad enforcement authority over potential violations of federal consumer finance laws. The author discusses the agency’s fast track approach toward conducting regulatory investigations. Companies which receive a formal notice of a CFPB investigation are expected to understand the agency’s investigatory process and to mobilize resources quickly in order to respond to agency requests. The pace and type of information that companies must produce are in many ways similar to discovery requests prepared under the Federal Rules of Civil Procedure.

Finally, we leave you with a broad overview about corruption risks in Latin America in the article titled, “Beneath the Canopy: Understanding Corruption Risks in Latin America.” The authors describe recent Foreign Corrupt Practices Act (FCPA) enforcement actions in Latin America and common corruption challenges associated with doing business in this business-critical region. Every country in Latin America has unique business and cultural challenges and it behooves multinational companies to have a fundamental understanding of the country, culture and government structure in which they operate in order to effectively assess their corruption risks.

We hope you find this issue of IQ Magazine to be informative and enlightening and welcome your comments and questions.

Complimentary Subscriptions You, your colleagues, and your audit committee and board members can receive complimen-tary subscriptions to IQ Magazine. Please visit navigant.com/iq.

PUBLISHERSJeff Green +1.202.973.2441 [email protected] Zimiles +1.212.554.2602 [email protected]

EDITORSDarcy Healy Jeffrey Locke

DESIGNElliott Robinson

FEEDBACKANDINQUIRIESInvestigations Quarterly welcomes all letters, comments and inquiries to the authors. Please address all correspondence to:Darcy Healy (U.S.) +1.202.973.3128 [email protected] Gendler (U.K.) +44.207.469.1120 [email protected] Chan (Asia) +1.852 2233.2500 [email protected] manuscripts on matters dealing with fraud and investigations are welcome and will be considered for publication.

Investigations Quarterly is published by Navigant. Copyright ©2013.

The opinions expressed here in are those of the authors and editors.

Investigations Quarterly (IQ) is not published with the intention of rendering legal, professional or account-ing advice or services.

The media are welcome to quote from the contents if properly attributed. Any substantial reproduction of the content of Investigations Quarterly requires the permission of the publishers and authors of the articles.

Cover illustration by Peter Giesbrecht

Letter from the publishers Jeff Green, [email protected] Ellen Zimiles, [email protected]

navigant.com


3


» Corporate Social Responsibility (CSR) has evolved from a “nice idea” or “marketing opportunity” to a true business imperative.

» Companies are increasingly becoming sophisticated with respect to CSR reporting and are checking internationally accepted reporting guidelines for comparison and bench marketing.

» Consumer boycotts, shareholder lawsuits and states are willing to prosecute companies that provide inaccurate disclosures. Counsel needs to become conversant with human rights law, environmental law and international mandatory CSR reporting standards.

Henry Thoreau once mused “What we call wildness is a civilization other than our own.”1 Picking up on the theme, scouring other countries’ national mores, standards and priorities concerning human rights, the environment, labor practices and other social and governance issues for inspiration and practical lessons was once the luxury of the inquisitive scholar or traveler. For litigators representing busi-ness interests in the “wilderness” of other nations, in contrast, domestic corpora-tion law was the only platform dictating behavior. Little attention was paid to the effects a foreign organization might have on the local population, rule of law, or ecosystem. This terra incognita approach to comparative law, however, began to erode as the concept of CSR began to gain transnational currency.

While CSR today may have the atten-tion of corporate counsel, executives, and board members, this was certainly not always so. CSR, indeed, has undergone a dramatic revolution – a revolution that should be front-of-mind for litigators working with transnational clients. The practice has evolved from a “nice idea” or

“marketing opportunity” to a true busi-ness imperative mandating compliance.

CSR reporting is variously referred to as environmental, social and governance reporting (ESG), integrated reporting, or Global Reporting Initiative (GRI) compli-ance. Setting aside the issues of nomen-clature, they all share a similar focus on laws and business behavior at the inter-section of three key areas: human rights (broadly defined), impact on the environ-ment, and how a company conducts itself

The Next Compliance DelugeUnderstanding foreign states’ mandatory corporate social responsibility reporting

MIKHAILREIDER-GORDON, [email protected] T.MARKUSFUNK, [email protected]

with regard to corporate behavior such as bribery and labor laws. Disclosure, thus, is the name of today’s CSR game.

2012 and Beyond: The United States Transformed Into the Global CSR LeaderWhile legislatively-dictated CSR was once viewed as a largely European-led phe-nomenon, between 2011 and 2012 the United States rocketed to a position of

1. The Journal of Henry David Thoreau, February 16, 1859 entry (Houghton Mifflin Co., 1906).

Illustration by Peter Giesbrecht


4

primacy when it comes to enacting new and innovative CSR initiatives. There, in-deed, has been a veritable U.S. ground-swell of recent (and recently-announced) CSR laws and regulations, including the Executive Order On Strengthening Pro-tections Against Trafficking in Persons in Federal Contracts, California Transparency in Supply Chains Act, Business Transpar-ency in Trafficking and Slavery Act, and the Security and Exchange Commission’s (SEC) Conflict Minerals Rules. Despite the recent U.S. Supreme Court ruling in Kio-bel v. Royal Dutch Petroleum,2 these en-actments, alongside European efforts and newly emerging legal principles around corporate responsibility emanating from the United Kingdom among other places, make for a new disclosure regime.

Today’s compliance reality is that, while specialization certainly has its place, busi-nesses and organizations are well advised to seek compliance professionals with broader compliance experiences to help them devise customized, integrated com-pliance programs that are responsive to the broad spectrum of today’s domestic and foreign risks. To underscore this point, consider the focus and scope of some of these new U.S. laws.

Executive Order on Strengthening Pro-tections Against Trafficking in Persons in Federal Contracts

On September 25, 2012, President Obama signed a landmark Executive Order aimed at rooting out human trafficking in federal contracting. To strengthen the govern-ment’s zero-tolerance policy on human trafficking by federal contractors and sub-contractors, the Executive Order prohib-its federal contractors (and their subcon-tractors) from engaging in a number of trafficking-related activities, such as using misleading or fraudulent practices to re-cruit employees or destroying or confis-cating an employee’s identity documents. Although Federal Acquisition Regulation

(FAR) rules are expected to be released any day now, the Executive Order seeks to require all federal contractors and sub-contractors to take the mandatory actions including: taking concrete steps to pre-vent employees engaging in trafficking; filing annual certifications confirming that neither the contractor nor its employees engaged in any trafficking-related activi-ties; developing and maintaining detailed compliance plans for contracts exceed-ing $500 million and involving services to be performed abroad; and reporting any activities “inconsistent with” the Execu-tive Order.

Groundbreaking Disclosure Rule: California Transparency in Supply Chains Act

The California Transparency in Supply Chains Act of 2010, which went into effect on January 1, 2012, applies to all:

1. retail sellers and manufacturers;

2. with more than $100 million in annual global gross receipts;

3. that “do business” in California.

The Act requires these businesses to dis-close (through a link on the homepage of their websites) in considerable detail their efforts to eradicate slavery and human trafficking from their direct supply chains for tangible goods offered for sale.

SEC Conflict Mineral Disclosure Rules

The SEC’s promulgation of the Dodd-Frank Wall Street Reform and Consumer Protection Act disclosure and report-ing rules concerning “conflict minerals” defines in the Act conflict minerals to include gold, tin, tantalum, tungsten and their derivatives, or any other mineral or mineral derivative as determined by the Secretary of State to be financing con-flict in “covered countries” – the Demo-cratic Republic of Congo or an adjoining country. Subject companies, beginning for calendar year 2013, must conduct a rea-

sonable country of origin inquiry, due dili-gence on source suppliers and report via the filing of Form SD with the SEC.

The Promises and Pitfalls of CSR ReportingHitherto, the United States had appeared to lag behind other countries in issuing CSR reports, largely because CSR report-ing in the United States has been un-regulated. However, with this patchwork of new regulations, a reporting regime is gradually forming. As a consequence, different types and names of reports ex-ist under the umbrella of CSR reporting. By way of example, consider “trafficking reports,” “climate change reports,” “envi-ronmental reports,” or the catch-all “sus-tainability report” or “CSR report.”

Regulated or not (and compulsory or not), scores of Fortune 500 companies annu-ally let their stakeholders know what they are doing to comply with compulsory

2. Kiobel, et al. v. Royal Dutch Petroleum, SCOTUS, 10-1491

5


U.S. and foreign laws and regulations, as well as their “voluntary” CSR efforts. While such reporting has many benefits, there are also some very real (and often overlooked) pitfalls. What is included in a company’s CSR report may, for example, trigger government investigations, civil tort claims, class action lawsuits, share-holder and consumer initiatives, and other actions.

Failing to file, however, is in most coun-tries (other than the United States) a rap-idly disappearing option. For example, in India, France, Brazil and Malaysia, a listed company failing to file a CSR report runs the risk of being de-listed. Those counsel-ing companies doing work in these ge-ographies must be particularly attuned to these evolving issues.

Imagine Yourself in the Middle of This Situation…It is an otherwise ordinary Wednesday when you get an email informing you that protestors are amassing outside your cli-ent’s Paris headquarters. Their placards decry human rights abuses and call for an end to “the slave trade” at one of your cli-ent’s Asia-based assembly plants. You just finished a call with the client-company’s general counsel when she phones back to tell you that the company has just been served with process by a non-profit at their corporate offices in California. The suit alleges that one of the company’s most popular products, frequently touted for its “green credentials” because it was made with “90% recycled materials,” is deceptive and that the client is engaged in “green washing.”

The client prides itself on its reputation in the marketplace as an environmentally conscious corporation. The company’s annual report even had a section in it re-garding efforts to source and incorporate recycled material into their products and touting their commitment to “treating all

employees fairly” and that they made an “effort to monitor their third-party manu-facturing operations in Asia.”

Later in the week, the senior vice presi-dent of Asian operations contacts the general counsel to tell her that he has just received notice from an overseas securi-ties regulator where their subsidiary was listed, informing the company that, be-cause the company had failed to file the new mandatory CSR report, it is being investigated. Meanwhile, workers in the Asian assembly plant had gotten wind of the demonstrations in Paris and taken their story to the international press, al-leging that local labor officials had been bribed to look the other way, allowing children to be hired on the assembly lines. By Monday, the company share price has dropped and appears to be on the decline.

Consumer groups or human rights activ-ists are frequently the first to raise a ques-tion or make an issue out of something a company has reported on, or failed to mention, in its CSR report. Consider the recent U.S. Supreme Court ruling on requirements for class certifications3 granting that plaintiffs claiming material misstatements in a securities fraud claim did not have to prove the misrepresenta-tion materially affected the stock price. Inquiries by private parties can, in turn, prompt questions by authorities or regu-lators in host countries. An allegation of labor officials being paid to look the other way when children are involved or work-ing conditions fail to meet standards can turn into a bribery investigation, prompt-ing the interest of U.S. regulators as well as those in the host country. Conversely, an investigation into allegations of cor-ruption may identify potential violations of labor rights or evidence of human trafficking. If a company has incorrectly claimed in its annual CSR report to have examined its supply chain and deter-mined it clean, this could be grounds for a shareholder or consumer claim against

the company for publishing false or mis-leading information. Corruption, human rights, environmental practices and labor policies all roll up under CSR and increas-ingly are having material financial impacts on corporate balance sheets.

If the company’s annual report touches on its CSR policy, but fails to make men-tion of problems, boycotts can ensue and shareholder or consumer class actions may be launched against the company for failing to disclose critical information. At-torneys counseling organizations issuing CSR disclosures must, therefore, ensure that they can be backed up by hard data.

Additionally, if a company is listed on one of the exchanges that now require trans-parency, but has failed fully and accurately to report both the efforts it has made to meet CSR international norms (or has downplayed challenges in meeting CSR obligations), the company could face pos-sible de-listing, prompting perhaps yet another shareholder lawsuit.

Some form of mandatory CSR-related reporting already exists in Argentina, Austria, Belgium, Brazil, Denmark, China, France, Germany, Greece, India, Indo-nesia, Italy, Malaysia, the Netherlands, Norway, Portugal, Spain, Sweden, and the United Kingdom. Many directives of international institutions are now ratified by states, for example the United Nation’s (UN) Guiding Principles on Business and Human Rights, ratified in 2011 [stating that all businesses have direct responsibil-ity for all of the ways in which they impact and prevent human rights abuses their actions cause, while obligating them to ensure adequate remedies exist to address reported abuses]; mandatory ESG report-ing efforts by the European Union (EU) (anticipated to be passed in 2013); the UN World Economic Forum; and the UN Dec-laration on the Rights of Indigenous Peo-ple. This means that between local coun-try law and international treaties, many

3. SCOTUS, Amgen, Inc. v. Connecticut Retirement Plans (11-1085)


6

multinationals are obligated to comply with and report under multiple CSR re-porting laws. That wilderness of differing values in different countries can mean op-erating under conflicting and overlapping regulations, increasing the chance for vio-lations of the disparate laws and follow-on investigations and litigation.

Many of the most recent international CSR reporting requirements have ema-nated from securities regulators. By way of illustration, in May 2008, the Shang-hai Exchange issued the Shanghai CSR notice, informing all listed companies that henceforth they were expected to estab-lish a CSR strategy and to file an annual report detailing what steps each company has taken to achieve its CSR elements (such as employee health and safety, envi-ronmental quality, etc.). This was followed

recently by the Chinese Government’s Assets Supervision and Administration Commission (SASAC), which issued a directive in early January of 2012 for sus-tainability reporting by all state-owned enterprises (SOEs). Spain, too, passed in 2012, a Sustainable Economy Law requir-ing all state-owned companies to produce sustainability reports and all businesses with more than 1000 employees to pro-duce an annual CSR report and file it with the Consejo Estatal de Responsabilidad So-cial de las Empresas.

How to Get Ahead of the Problem(s)Familiarity with the CSR reporting standards required of businesses in the country or countries where your client is

conducting business is crucial to building an advance defense via the CSR report. Corporate culture has typically removed both the general counsel’s office and its external litigation team from CSR depart-ments, lodging them in marketing, public relations, or even human resources. But increasingly, the CSR policies and the way in which a company discloses how it implements those policies have a di-rect impact on the legal department and ultimately the matters on which exter-nal litigators will defend the company. Stakeholders are increasingly sophisti-cated with respect to CSR reports and are checking internationally accepted reporting guidelines for comparison and benchmarking, meaning that companies and their counsel need to be cognizant of international norms around expected CSR behaviors and reporting.

The uptick in “name and shame” cam-paigns, consumer boycotts, shareholder lawsuits and states willing to prosecute companies means that the risks involved with inaccurate disclosures cannot be ignored. Business trial lawyers as well as corporate counsel need to become con-versant with human rights law, including anti-trafficking efforts, environmental law, and international mandatory CSR report-ing standards, among other things.

Compliance professionals recognize that today’s effective CSR compliance and re-porting go far beyond simply arranging for the occasional FCPA training, patching together an “Environmental Sustainabil-ity Report,” or maintaining a “paper-only” code of business conduct. By coordinating compliance efforts to address the various risks sketched out above, businesses put themselves in the best position to avoid potentially devastating criminal and civil liability. Moreover, these companies may avoid consumer and advocacy group ac-tions, and can demonstrate to U.S. and foreign authorities that their compliance efforts are genuine and up to contempo-rary best-practices standards.

7


MARTINT.BIEGELMAN, [email protected]

» We are often a poor judge of our own possible conflicts and are not usually motivated to stop or disclose them.

» The failure to report conflicts of interest to management may result from poor or ineffective communication of the policy to employees.

» Company leadership and managers should be among the first to complete any required ethics and compliance training including conflicts of interest policy training.

The timeless adage that you can’t serve two masters is never truer than when it comes to the serious issue of conflicts of interest and the damaging impact they can have on business organizations. There is no better example of this than the case of Peter B. Madoff, the brother of con-victed Ponzi fraudster Bernard L. Madoff. Peter was the Chief Compliance Officer for Bernard L. Madoff Investment Securi-ties LLC. In that very important role, he was responsible for compliance oversight, conducting and documenting internal reviews to ensure the securities firm was following established trading rules, and providing ongoing reports to regulators.1 Most importantly, Peter was accountable for implementing sound policies and pro-cedures that would prevent violations of federal securities laws and regulations.

It wasn’t as if this work was something new to Peter as he had been in this role for 38 years and he was an attorney. In fact, not only did he not perform his job to protect investor interests but he went out of his way to help perpetuate the $17.3 billion dollar fraud for decades. According to prosecutors, Peter Madoff “signed many weeks of compliance re-ports in one sitting, intentionally chang-ing pens and ink colors to disguise the fact that he created them at one time and that they were false.”2 He intentionally

Conflicts of InterestWhy you can’t serve two masters

turned a blind eye to the many red flags of fraud at his firm and utterly failed to per-form the role of chief compliance officer. This was a colossal conflict of interest for

him that crossed the lines into criminality and resulted in a sentence of 10 years in prison following his guilty plea.

1. Dan Strumpf, “Madoff’s Brother Sentenced to 10 Years,” Wall Street Journal, December 21, 2012, C3.2. Bruce Golding, “Bernie bro: I was shocked,” NewYorkPost.com, June 30, 2012, www.nypost.com/p/news/local/manhattan/bernie_bro_was_shocked_usIZtFXIQHmA3KY6AMKoAN.



8

tion. Even with enhanced whistleblower protections in recent years, retaliation continues to be a major concern for em-ployees. For example, if the CEO or board members don’t complete the company’s code of conduct training, does anyone dare to hold them accountable?

Yet conflicts of interest can occur at any level in an organization. I once conducted an internal investigation of a manager who hired a close friend to provide ven-dor services. The manager did not disclose this conflict to her supervisor or anyone else as required by the company’s code of conduct. Yet, this conflict was known to a number of the manager’s direct reports. The direct reports knew that this arrange-ment was in violation of policy but said nothing out of concern that any reporting might impact their bonuses and promo-tions. The misconduct was finally dis-closed when one of the manager’s direct reports took the annual code of conduct training and saw a similar conflict of in-terest scenario in the training. The em-ployee realized that keeping silent was wrong and decided to call the company’s hotline to report the violation.

The failure to report conflicts of interest to management may result from poor or ineffective communication of the policy to employees. I am often surprised when I conduct a conflict of interest investi-gation and learn that other employees either knew of the conflict of interest or suspected it but never reported it. Some-times it was a lack of understanding about conflicts of interest that resulted in no re-porting but in other cases it was a concern about the personal impact of getting in-volved. One important reason for educa-tion and awareness of compliance issues in general and conflict of interest policy in particular is to encourage employees to ask questions and seek guidance before they engage in potential conflicting mat-ters. Experience has shown that many conflicts of interest can be successfully resolved if addressed early.

Conflicts of Interest Are EverywhereConflicts of interest occur everywhere and in all types of organizations whether public or private, large or small, foreign or domestic. By their very nature, they are some of the hardest cases to detect and investigate. They are usually secretive and the financial benefit is often hidden. In their worst forms, bribes, kickbacks, fraud and corruption place the involved indi-viduals and their organizations in severe legal and reputational jeopardy. The New York Stock Exchange’s Corporate Gover-nance Rules define conflicts of interest as the following:

Most conflicts of interest involve finan-cial motives but others may involve rec-ognition and advancement. Conflicts of interest increase the risk of bias and poor judgment because of the obligation to two or more competing interests. Whether ac-tual or perceived, conflicts of interest can tarnish public image and erode trust and integrity. Personal interests of employees must not interfere or appear to influ-ence company transactions. Government regulators require organizations to assess their exposure to the many variations of conflicts of interest and mitigate that risk through effective compliance programs.

Conflicts of interest usually do not end well for those who have turned a blind eye to ethical business practices.

Some of the many actual and potential common conflicts of interest include:

» Improper use of company intellectual property, information and assets for personal gain such as insider trading and selling trade secrets

» Self-dealing and inappropriate financial interests including hidden ownership in vendors, bid-rigging, political donations, professional sporting sponsorships and procurement fraud

» Moonlighting including current and future employment that may influence employee behavior

» Service on a board of directors

» Family and romantic relationships that may impact objectivity and fairness in the workplace

» Spouses, domestic partners, immediate family members, relatives and friends as vendors, agents, contractors and customers

» Implied pressure on employees to use a manager’s friend or family member

» Other inappropriate vendor relationships including gifts and kickbacks to influence business decisions

Human Nature of ConflictsHuman nature is such that some people have a very hard time avoiding conflicts of interest. We are often a poor judge of our own possible conflicts and are not usually motivated to stop or disclose them. Con-flicts of interest can occur at high levels in an organization because of the power and authority vested in executive leadership roles. When higher-level personnel do not follow policies and procedures, the people below them may not be willing to hold them accountable or report the business conduct violations out of a fear of retalia-

A conflict of interest occurs when an individual’s private interest interferes in any way - or even appears to interfere - with the interests of the corporation as a whole. A conflict situation can arise when an employee, officer or director takes actions or has interests that may make it difficult to perform his or her company work objectively and effectively. Conflicts of interest also arise when an employee, officer or director, or a member of his or her family, receives improper personal benefits as a result of his or her position in the company.

9


Organizational Conflicts of InterestOrganizations can face conflicts of inter-est when the business mission of the entity is compromised due to financial or other business relationships. We see these conflicts in the pharmaceutical industry where gifts and money have been given to researchers by clinical trial sponsors in an attempt to influence clinical trial out-comes. Pharmaceutical companies have been charged by the government with paying kickbacks to doctors to prescribe drugs for off-label uses resulting in the illegal and fraudulent promotion of unap-proved drugs. The pharmaceutical indus-try is not alone in facing organizational conflicts of interests as they can be found in almost any industry, including invest-ment banks and financial institutions.

The financial crisis exposed conflicts of interest galore. In an October 22, 2012 speech to the National Society of Com-pliance Professionals, Carlo V. di Florio, Director of the Securities and Exchange Commission’s Office of Compliance In-spections and Examinations, stated that the “failure to manage conflicts of interest has been a continuing theme of financial crises and scandals since before the in-ception of federal securities laws.”3 In one of many recent examples, the credit rating agencies were faulted for conflicts of in-terest in their ratings of mortgage-backed securities for sale to investors. The three main rating agencies were in competition with each other for the lucrative grad-ing work for mortgage-backed securities and collateralized debt obligations sold by investment banks. Rather than carefully scrutinize mortgage-backed securities and risk losing work to the competition, it is alleged that rating agencies lowered

their standards, which contributed to the financial meltdown.

Arrogance and Romantic RelationshipsArrogance and a mistaken belief that the rules don’t apply to everyone can be a frequent cause of conflicts of inter-est. World Bank President Paul Wolfow-itz was forced to resign in 2007 after the details of his girlfriend’s promotion and pay package at the same institution be-came known. Wolfowitz was well known as Deputy Defense Secretary in the administration of President George W. Bush and one of the architects of the war against Iraq. After leaving government service, he joined the World Bank. An internal investigation found Wolfowitz responsible for breaking World Bank rules by arranging the lucrative promotion package for his girlfriend. The investiga-tion also found that he “tried to hide the salary and promotion package from top ethics and legal officials within the bank” and that there was a “crisis in the lead-ership at the World Bank.”4 How could he not think that his unthinking action would not attract attention, complaints and a call for an investigation? Interest-ingly enough, when Wolfowitz joined the World Bank in 2005, he made improved governance a hallmark of his agenda.

In another example, Best Buy CEO Brian Dunn resigned in April 2012 during an internal investigation of an inappropriate office romance. The company disclosed that the 52-year-old Dunn “had engaged in an extremely close personal relation-ship with a 29-year-old female subor-dinate.”5 Upon learning of the allega-tion, Best Buy’s audit committee retained

3. Carlo V. Di Florio, “Conflicts of Interest and Risk Governance” (speech, National Society of Compliance Professionals, Washington, DC, October 22, 2012), U.S. Securities and Exchange Commission, www.sec.gov/news/speech/2012/spch103112cvd.htm.

4. Jennifer Parker, “World Bank Chief Paul Wolfowitz Resigns,” ABCNews.com, May 17, 2007, http://abcnews.go.com/Politics/story?id=3152373&page=1.5. Joann S. Lublin and Lauren Weber, “2012, a Year of Corner-Office Twists,” Wall Street Journal, December 31, 2012, B1.6. Miguel Bustillo, “Best Buy Chairman to Resign After Probe,” Wall Street Journal, May 15, 2012, B3.7. Best Buy Co., Inc., “Best Buy Releases Results of Independent Investigation: New Chairman of the Board Elected,” press release (May 14, 2012),

http://pr.bby.com/best-buy-releases-results-of-independent-investigation-new-chairman-of-the-board-elected/.

outside counsel to conduct an indepen-dent investigation. The internal investi-gation report found that Dunn’s “con-duct damaged employee morale and led some employees to question the com-pany’s commitment to corporate eth-ics.”6 In a strange twist, Best Buy founder and Chairman Richard Schulze was also forced to resign because it was discovered that he failed to alert Best Buy’s other di-rectors of the allegations against Dunn. An employee provided a written state-ment to Schulze about the inappropriate relationship but rather than tell the Board of Directors, he decided to confront Dunn who denied the allegations.

Ethical challenges often result in a greater focus on compliance, especially in organi-zations with ongoing compliance issues. In a refreshing action, Best Buy’s Board of Directors decided “in the interest of trans-parency and accountability” to publicly release the Audit Committee’s findings of the internal investigation in a report dated May 12, 2012. In addition to detail-ing the investigative findings that resulted in the resignations of Best Buy’s CEO and Chairman, the company stated that “In light of these findings, the Audit Commit-tee of the Board will launch an effort to review and enhance, if appropriate, Best Buy’s relevant corporate policies and pro-cedures. The goal of this review is to en-sure a positive and consistent workplace environment for employees at all levels.”7

Companies should not wait for ethi-cal issues and misconduct to occur be-fore evaluating and enhancing corporate policies and procedures. Best-in-class organizations are constantly looking at opportunities to provide their employees with the most current guidance on new and emerging ethical issues. In October


10

2012, PepsiCo revised their Global Code of Conduct to better address the chang-ing laws around the world that impact their business. In the Conflicts of Inter-est section of the PepsiCo code there are numerous examples of potential conflicts of interest. There is also a practical sec-tion entitled “Putting Conflicts of Interest Concepts into Practice” which provides employees with a list of questions to ask themselves in order to identify potential conflicts of interest.

Preventing Conflicts of InterestIt would be simple if people considered the Wall Street Journal Rule before they acted as that would undoubtedly reduce or eliminate conflicts of interest. All one would have to do is ask how one’s actions would look if posted on the front page of this major newspaper? Would that person be concerned if other people found out? For help in preventing conflicts of inter-est as well as other violations of business conduct, don’t look any further than the Federal Sentencing Guidelines for Organi-zations and its seven steps for effective compliance. The Sentencing Guidelines hold organizations accountable by apply-ing just punishment for criminal conduct as well as providing deterrence incentives to detect and prevent crime and miscon-duct. The seven steps include:

1. Standards and Procedures (Code of Business Conduct and Conflicts of Interest Policy)

2. Organizational Leadership and a Culture of Compliance (Tone at the Top)

3. Reasonable Efforts To Exclude Prohibited Persons (Due Diligence)

4. Training and Communication (Education and Awareness)

5. Monitoring, Auditing and Evaluating Program Effectiveness (Program Evaluation)

6. Performance Incentives and Discipline (Recognition and Enforcement)

7. Remedial Action (Prevention and Risk Assessment)

Conflicts of interest can be managed by incorporating these seven steps in the de-sign and implementation of the organi-zation’s compliance and ethics program along with best practices.

Code of Business Conduct and Con-flicts of Interest Policy

A well-written and compelling code of business conduct is a key component of any successful ethics and compliance pro-gram. Robust standards of business con-duct establish the organization’s expecta-tions for its employees, provide a moral compass by defining the organization’s position on ethical issues and promote integrity, accountability and a culture of compliance. The creation and periodic revision of the code should involve col-laboration across company departments including legal, compliance, human re-sources, finance as well as the various business units.

A detailed conflict of interest policy should be incorporated in the code of business conduct. The code should ex-plain the issue of conflicts of interest and how the policy applies to all employees including executives and directors. The code must discuss why conflicts create legal and reputational risk and must be avoided. The code should detail that even the appearance of a conflict of interest can be problematic. Be sure to include a requirement that conflicts must be dis-closed to designated legal and compli-ance personnel.

Best-in-class codes contain situational ex-amples of ethical challenges. This is par-ticularly important for conflicts of interest. The use of scenarios detailing examples of both expected and unacceptable behav-iors are great employee reinforcement tools. Consider including questions and answers around conflict issues to further reinforce compliance. Providing questions and answers for guidance throughout the code helps employees better navigate the gray areas and understand expectations.

Certifications and Disclosures

Ongoing employee certifications of com-pliance with the organization’s conflicts of interest policy is an essential program element. This process provides employees the opportunity to certify that they have read and are knowledgeable of the con-flict of interest policy and agree to report any actual or suspected conflicts. Organi-zations can decide using a risk-based ap-proach whether to require all employees to complete the certification or just certain designated positions. Annual certifica-tions are recommended but frequency should be based on business risks and or-ganizational needs.

Conflicts of interest disclosure statements should include detailed questions around the various conflicts of interest that are germane to the organization. Besides including a Yes or No response, disclo-sure statements need to include comment sections where employees responding in

11


the affirmative to a potential conflict can explain in detail the circumstances of the conflict of interest. This will allow for the organization’s legal and compliance de-partment to opine on and determine now to resolve the conflict.

The conflict of interest attestation section that the employee signs upon completion of the disclosure form should include the following statements:

» I have read the organization’s code of conduct and the conflicts of interest policy;

» I understand and acknowledge the policy’s requirements;

» I agree to comply with the conflict of interest policy and the overall ethical code;

» I agree to immediately report any potential conflicts of interest whether mine or that of another employee or vendor; and

» To my knowledge, I attest that the answers provided in this disclosure form are true and accurate.

Tone at the Top

Chief executives, officers and directors, as well as managers, set an important tone with their employees and should lead by example and evangelize the issues around conflicts of interest. Their responsibility and accountability to push the compliance message down to the entry level employ-ee may be the most important aspect of an effective compliance program. Compa-ny officers and directors must be particu-larly careful to avoid even the appearance of conflicts of interest and not be moti-vated by personal interest or gain. Com-pany leadership and managers should be among the first to complete any required ethics and compliance training including conflicts of interest policy training.

Due Diligence

The best indicator of future performance is past performance and that can defi-

nitely apply to reducing the impact of conflicts of interest. Use of due care and diligence is needed to ensure that indi-viduals who might engage in illegal or otherwise inappropriate activities are not placed in positions of authority in the or-ganization. Instituting background checks upon hire and for promotions lessens the chances that people with a propensity for misconduct will be placed in those roles. Due diligence and background checks also are important in disclosing and pre-venting conflicts of interest. Even the best background checks conducted at the time of hire will not help if there are no peri-odic updates to learn of any subsequent arrests, civil actions, or adverse media reports involving employees. Periodic up-dates performed at five-year intervals may disclose potentially problematic issues including conflicts of interest and should be considered.

Risk Assessment

Organizations need to periodically evalu-ate their compliance programs and in-ternal controls, assess the risk of criminal conduct and policy violations, and make program modifications as appropriate. This includes documenting the risk from conflicts of interest within the organiza-tion, identifying the potential likelihood and magnitude of various conflicts, and taking action to lessen or eliminate those potential conflicts. The risk assessment process must include the various types of conflicts of interest that may occur and impact the organization, such as historical occurrence of the various conflicts, op-portunity and employee motivations and others (e.g., vendors) to engage in these various conflicts, how these conflicts are discovered, and metrics, trends and pre-vention efforts. The resultant risk assess-ment will assist in determining whether all or some employees need to provide periodic disclosures of conflicts, the level of training required and whether the compliance program is effective in reduc-ing the risk of conflicts.

Training, Training and More Training

Training at all levels in an organiza-tion, from the CEO and Board down, is an absolute requirement in minimiz-ing misconduct and creating a culture of compliance. Training reinforces an entity’s commitment to ethical conduct and com-pliance with company policies, as well as government laws and regulations. An im-portant element of the training program is the subject of conflicts of interest. The po-tentially damaging impact of conflicts of interest needs to be addressed. Employ-ees must understand the consequences for both the employee and the company of noncompliance with company policy. When evangelizing the company’s poli-cies regarding conflicts of interest, robust scenarios and examples should be includ-ed to provide reinforcement of appropri-ate conduct. Consider using the types of conflicts of interest that were disclosed in the past year and that were the most problematic. There are many ways to de-liver quality training; all of them must be considered in designing an effective company-wide training program.

Gifts and Entertainment Policy

Gifts, entertainment, travel and hospitality can be problematic for any organization, and strong policies need to be in place, especially when interacting with foreign government officials or third parties and intermediaries. Conflicts of interest and other business misconduct can easily oc-cur if employees are not fully aware of and compliant with organizational gift and entertainment policies. Gifts and entertainment policies need to focus on expected employee behaviors while un-derstanding the company’s culture of compliance and appropriate business needs. In designing gift and entertain-ment policies, companies should incor-porate comprehensive gift-giver and gift-recipient guidelines as well as frequently asked questions and scenarios. Providing employees with questions and answers and rich examples of both expected and


12

unacceptable conduct reinforces proper standards of business conduct. Tailor the gift policy to the industry and company as well as to the country and culture but always be mindful of the risks and under-stand that applying more restrictive poli-cies may be the wise choice.

The holiday season is a potentially risky time of year for conflicts of interest due to the abundance of gifts provided to em-ployees by vendors and prospective ven-dors. Employees can easily be challenged by business relationships versus busi-ness risk. Clear guidance and common sense should be provided to employees and vendors to reinforce company policy around conflicts of interest. Good judg-ment, discretion and moderation are key messages to communicate. A best practice is to send out a holiday season gift policy reminder prior to the start of the holiday season to both employees and vendors. Prohibitions, limitations and exceptions should be explained along with policy re-minders. Gift-giving and gift-acceptance questions and answers should be pro-vided as best practices to help employees and vendors understand potential con-flicts and how to avoid them.

Event-specific gift policies should also be considered to educate employees and mitigate risk. For example, companies can design policies to provide guidance on events such as the Olympics and World Cup, where gifts, entertainment, travel and hospitality may pose an elevated risk of conflicts of interest as well as violations of the Foreign Corrupt Practices Act, the UK Bribery Act and other international anti-corruption legislation.

Employee Exit Interviews

The employee exit interview is a useful tool for detecting conflicts of interest is-sues and should be part of your compli-ance program. Organizations will be sur-prised at the information they will learn from employees leaving the company. Many internal investigations ensued from information gleaned from exit interviews.

Employees may be more inclined to dis-close misconduct and business conduct violations when they leave an organiza-tion than during their employment. This is especially true when existing employees are reporting previously undisclosed con-flicts of interest involving their managers or others at the company because they were fearful of retaliation. Employee exit interviews are a best practice.

Auditing the Process

Ongoing auditing of compliance with company policy for conflicts of interest and violations of policy is another impor-tant element of an effective compliance program. Government prosecutors look for compliance with monitoring, audit-ing and modifying program effectiveness when determining whether to bring pros-ecutions and enforcement actions. The auditing process is critical to determine the value of the program to the organi-zation by capturing key metrics, find-ings, successes and weaknesses. Audit-ing should include review of conflict of interest training materials to determine if they have been modified and updated as appropriate. Employee certifications and training completion logs should be reviewed for full compliance. It is not un-common during auditing to learn than employees have not completed the re-quired training and disclosures. Ques-tionnaires, employee surveys and focus groups, targeted interviews, review of ex-penditures and expense reports, and data analytics are other aspects of the auditing process. An important outcome is gauging employee awareness of the conflicts of in-terest policy, effectiveness of training and communication and whether reported is-sues have increased or declined.

Benchmarking

A best practice to consider is benchmark-ing your conflict of interest policy and pro-cedures with other companies. Every orga-nization has conflict of interest challenges and there is much to learn from how others have responded to these conflicts

both from a proactive and reactive ap-proach. Whether it relates to policies, risk assessments, training and communication, investigations, incentives and discipline, or program modification, there is much to learn from peers. Sharing experiences around conflicts of interest and other com-pliance program design and implementa-tion is an excellent way to advance organi-zational ethics and compliance. Consider hosting a compliance summit with other companies, both from your particular in-dustry and from other industries, to share red flags, best practices, training tech-niques, and other related issues. In my prior role as Director of Financial Integrity at Microsoft Corporation, we hosted com-pliance summits for benchmarking that proved very beneficial and advanced cor-porate compliance best practices.

Effective Management of Conflicts of InterestOrganizations will always face the issue of conflicts of interest whether it’s the use of company information for personal gain, unauthorized moonlighting, inappropri-ate vendor relationships or violations of gift policy. While employees are told to avoid even the appearance of conflicts of interest, human nature being what it is will ensure that policy violations will occur. The good news is that strong com-pliance programs can be very effective in responding to conflict issues both in stopping them from occurring in the first place and managing them when they are discovered.

13


» The Consumer Financial Protection Bureau (CFPB) is a new agency tasked with enforcing Federal consumer finance laws and to investigate potential violations by companies and individuals not subject to its direct supervision.

» CFPB investigations can arise from consumer complaints regarding bank services, credit reporting, credit cards, mortgages, and consumer loans.

» Civil Investigative Demands (CID) issued by the CFPB can require extensive electronic discovery. Be prepared to demonstrate that the CFPB’s investigative needs can be satisfied by a narrower and less burdensome response.

Companies in the business of providing consumer financial products or services and who are accustomed to dealing pri-marily with state regulators may soon find themselves embroiled in the world of fed-eral regulation. The CFPB is a new agency created by Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act, entitled the Consumer Financial Pro-tection Act of 2010 (the “Act”). The CFPB is an independent bureau within the Fed-eral Reserve created to “regulate the offer-ing and provision of consumer financial products or services under the Federal consumer financial laws.” Act § 1011.

The CFPB has broad supervisory pow-ers over certain businesses. It has even broader authority to enforce federal con-sumer finance laws and to investigate po-tential violations of those laws, including violations by companies and individuals not subject to its direct supervision. Tens of thousands of companies could now be within reach of the CFPB enforcement authority. Some will inevitably find them-selves the subject of a federal regulatory investigation. The first notice of that in-vestigation may be a CID from the CFPB.

The CFPB launched its operations on July 21, 2011. It is still hiring personnel,

DAvIDR.DUGAS, [email protected]

writing its regulations and defining its goals. In the process, it is developing its own agency “culture” that will differ from other federal agencies and will affect how it exercises its authority. The CFPB’s ap-proach to dealing with CID respondents has been somewhat more formal than is typical of other federal agencies, particu-larly with respect to deadlines and exten-sions of those deadlines. This will require that companies who receive a CID from the CFPB understand the process in detail and mobilize resources quickly, usually within days, in order to manage the pro-cess effectively.

The CFPB’s Authority To Supervise, To Investigate and To Issue CIDsThe Act gives the CFPB specific superviso-ry authority over the following businesses:

» “Very large” banks, thrifts, credit unions and their affiliates;

» Non-bank businesses offering or providing (1) origination, brokerage, or servicing of residential mortgage loans secured by real estate, and related mortgage loan modification or foreclosure relief services; (2) private education loans; and (3) payday loans.

» “larger participant[s] of a market for other consumer financial products or services,” as the CFPB defines by rule. To date, the CFPB has issued rules defining larger participants in the consumer reporting market and the debt collection market, giving the Bureau supervisory authority over those participants.

By some estimates, as many as 132,000 money transmitters, prepaid card issuers, student lenders, check cashers, payday lenders, and non-depository finance com-panies could be subject to CFPB super-vision. In addition, retailers, automobile dealers, sellers of manufactured homes, real estate brokers and others who extend

Regulatory Consumer ProtectionResponding to a CFPB civil investigative demand

credit or offer other consumer financial products and services could become sub-ject to supervision. This supervisory au-thority is broad and includes the authority to require reports and conduct examina-tions in order to assess compliance with the requirements of federal consumer finance laws.

In addition to its supervisory authority, the CFPB has enforcement authority to investigate potential violations of federal consumer finance laws. Section 1052 of Subtitle E of the Act authorizes the CFPB to engage in investigations and requests for information where it has “reason to believe that any person may be in pos-session, custody, or control of any docu-mentary material or tangible things, or may have any information, relevant to a violation…” Act § 1052(C)(1). “Violation” is defined as “any act or omission that, if proved, would constitute a violation of any provision of any Federal consumer fi-nancial law.” Act § 1051(5).

CFPB investigations can stem from a number of sources. The CFPB has a tips hotline and an email address for han-



14

dling tips from whistleblowers, and the Act protects employees from retaliation if they report their employers. The CFPB has also created a system to accept consumer complaints about bank accounts or bank services, credit reporting, credit cards, mortgages, student loans, vehicle loans and other consumer loans. In addition, the CFPB can initiate an investigation based on information collected by its staff or by other federal agencies.

The CFPB’s principal investigative tool, CID, allows it to collect documents and other evidence as well as to take oral tes-timony. Using the authority granted by Section 1052, the CFPB has issued CIDs to participants in a number of consumer finance-related industries. The CIDs are typically quite broad and in some cases ap-pear to be an effort by the CFPB to gain an overview of the entire industry as well as individual businesses within that industry.

The information gathered through these CIDs could lead to enforcement actions, or could cause specific companies to be-come subject to future supervision by the CFPB. Section 1024 of the Act gives the CFPB supervisory authority over persons whom “the Bureau has reasonable cause to determine, by order, after notice to the cov-ered person and a reasonable opportunity for such covered person to respond, based on complaints collected through the system un-der section 1013(b)(3) or information from other sources, that such covered person is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.” Act § 1024(a)(1)(C).

The CFPB’s jurisdiction overlaps the juris-diction of other federal agencies, prin-cipally the Federal Trade Commission (FTC). The Act specifies when the CFPB will have primary or exclusive jurisdic-tion, but also requires the CFPB to coor-dinate its activities with other agencies. The CFPB and the FTC have entered into

a written Memorandum of Understanding (MOU) that requires each agency to notify the other of investigations and to coordi-nate their activities to the extent possible.1 The CFPB has also entered into MOUs with the U.S. Department of Justice (DOJ), other federal agencies and state regula-tors. In the context of investigations, these can help a company avoid duplicative CIDs or overlapping investigations.

Even if a company has dealt with CIDs is-sued by other federal agencies such as the FTC, the Securities and Exchange Com-mission or the DOJ, there are practical and legal differences that can be impor-tant when responding to a CID issued by the CFPB.

What Is a CID?A CID is a formal, written demand by a federal agency for the recipient to provide evidence that is relevant to a civil investi-gation. It is similar to discovery requests under the Federal Rules of Civil Procedure in that the recipient is expected to collect the requested evidence and provide it to the agency. If the recipient fails to do so, then the agency can seek enforcement of the CID in federal court. 12 C.F.R. § 1080.10(b). The agency may demand doc-uments, other tangible things, answers to interrogatories or testimony.

However, unlike discovery requests under the Federal Rules of Civil Procedure, the CID process is not subject to direct super-vision by a court. In the case of the CIDs issued by the CFPB, objections to the CID must be submitted to the Director of the CFPB. Before doing that, the recipi-ent must attempt to resolve its objections with the staff attorneys handling the in-vestigation. Failure to do so can result in waiver of the objections.

All CIDs establish a return date by which documents and other items must be produced. However, other preliminary deadlines must be met if the recipient is

to preserve its rights to object to or seek modification or rescission of the CID.

Deadlines for Responding to a CIDThe “Meet and Confer” Deadline

Many of the CIDs issued by the CFPB so far have been broad in scope and appear to be designed to give the CFPB general information about the business prac-tices of the subject of the investigation. Compliance with these CIDs has proven to be quite burdensome, particularly by the initial return date in the CID, which is typically 30 days. Extensions of time can be obtained, but only by following the specific procedures set forth in the CFPB’s rules. For that reason, the first deadline for responding to a CFPB CID, the 10-day “meet and confer” deadline, is critically important and requires detailed prepara-tion by the company and its legal team.

CFPB rules require that a company served with a CID “meet and confer with a CFPB investigator within 10 calendar days after receipt of the demand or before the dead-line for filing a petition to modify or set aside the demand, whichever is earlier.” 12 C.F.R. § 1080.6(c). This “meet and con-fer” may be done in person or by phone and its purpose is “to discuss and attempt to resolve all issues regarding compliance with the civil investigative demand.” 12 C.F.R. 1086(c).

1. http://www.ftc.gov/os/2012/01/120123ftc-cfpb-mou.pdf

15


CFPB investigators, typically staff at-torneys, do not have authority to grant extensions of time or modifications to the CID. That must be done in writing by the Assistant Director of the Office of Enforcement or by one of the Deputy Assistant Directors. 12 C.F.R. 1086(d). However, failure to raise objections dur-ing the meet and confer process could result in waiver of those objections, so the respondent should be ready to raise and discuss all potential objections. 12 C.F.R. 1086(c)(3).

The CID recipient “must make available” at this meeting all personnel with knowl-edge to resolve any issues concerning the company’s ability to comply with the CID, including persons with information about the company’s records management sys-tem or organizational structure. If the CID seeks electronically stored information (ESI), then the recipient “shall” ensure that a person familiar with the company’s ESI system participate in the meeting. 12 C.F.R. 1086(c)(3).

Many of the CIDs issued by the CFPB have requested extensive ESI, including massive amounts of raw data and emails for the time period covered by the CID. Most companies will want to negotiate reasonable, but substantial, limitations on those requests. It is important to enter the initial meeting prepared not only to raise all valid objections, but also to support those objections with facts, data and legal authorities. If a company believes that the CID is overly broad and unduly burden-some, it must be prepared to demonstrate the extent of the burden placed on the company by the CID, including cost of compliance, and why the CFPB’s inves-tigative needs can be satisfied by a nar-rower, less burdensome response.

CFPB attorneys have been receptive to rolling production schedules, but have generally required specific deadlines for each wave of production. The company must be prepared to propose supportable

deadlines that allow the company time to comply with the CID in an efficient and cost-effective manner.

Modifications to the CID cannot be ap-proved by the staff attorneys with whom the company is negotiating. If the com-pany is successful in convincing the attor-neys that modifications are appropriate, including extensions of deadlines, these modifications must be approved in writ-ing by the Assistant Director of the Office of Enforcement or one of the Deputy As-sistant Directors. 12 C.F.R. 1086(d). The approval typically comes in the form of a letter signed by the approving official, so the company will need to allow enough time for that letter to be drafted, reviewed, approved and signed before expiration of the deadline to file a Petition for Order To Modify or Set Aside the CID.

The Deadline to Object

The next important CID deadline is the 20-day deadline to file a Petition for Or-der To Modify or Set Aside the CID. See 12 C.F.R. § 1080.6(e). The Petition must “set forth all factual and legal objections to the civil investigative demand” and must certify that the company’s counsel has conferred with the CFPB in good faith to resolve the disputed issues. Extensions of this 20-day deadline are disfavored, 12 C.F.R. 1086(e)(2), although the CFPB will grant short extensions for good cause.

CFPB rules provide that objections to the CID are waived by failure to confer with the investigators before filing the Petition, by failing to timely file the Petition and by failing to include an objection in a timely filed Petition. The Director of the CFPB has been quite strict about enforcing this Rule and has denied both untimely Peti-tions and Petitions raising objections that were not raised during the meet and con-fer process.

The filing of a Petition stays the time per-mitted for CID compliance. If the petition is denied in whole or in part, the Direc-

tor’s ruling will set a new return date for compliance with the CID.

Both the 10-day deadline to meet and confer and the 20-day deadline to file a Petition are draconian and require a quick, thorough and informed response by the company in order to preserve its rights. An informal call or email to the CFPB will not suffice and the CFPB attorneys will not agree to indefinite extensions or modifications. If a company receives a CID from the CFPB, immediate action is required and any delay could prejudice the company’s rights.

The Return Date

The third deadline is the return date for the CID, which is typically 30 calen-dar days from service of the CID. Most federal agencies are flexible with return dates and will often agree to a fairly com-fortable rolling production schedule. The CFPB, perhaps because it is a new agen-cy, has been less flexible than other agen-cies. Extensions of the return date and a rolling production schedule will usually be allowed, but the CFPB will probably insist upon a specific deadline for each item in the CID and justification for each such deadline.

The recipient must carefully review the CID requests and be prepared to negoti-ate the production schedule item by item. The CFPB has responded favorably to well-supported claims of excessive bur-den or expense, but has been careful to guard against dilatory tactics by CID re-cipients. It will be important for the com-pany to set the right tone with the CFPB from the initial meet and confer and to make every effort to begin responding to the less burdensome responses as close to the initial return date as possible. Once the company has established that it is taking the CID seriously and is being dili-gent in its response, then the CFPB will typically become somewhat more flexible with extensions for the more burdensome and time-consuming requests.


16

Producing Documents in Response to the CIDWith the adoption of the new Document Submission Standards by federal agencies, including the CFPB, document production in response to a CID now requires consid-erable technical capability. Many compa-nies will need experienced e-discovery experts who can retrieve emails and other ESI quickly, process the material so that it can be reviewed efficiently by the compa-ny’s attorneys and then prepare the mate-rial for production in accordance with the Document Submission Standards.

The CFPB “strongly encourages” respon-dents to produce all documents in elec-tronic form. Documents created or stored electronically must be produced in their original electronic format, not printed to paper or converted to pdf or image for-mat. The CFPB “prefers” to receive pro-ductions in native format. Bates number-ing must include an alpha prefix unique to each party and custodian. All metadata associated with emails, audio files and na-tive electronic document collections must be produced and linked and must include the fields specified in the Standards. Searchable text for each document must also be provided.

The media used to produce the mate-rial (thumb drive, hard drive, etc.) must be labeled as specified in the Standards, encrypted with Microsoft Bitlocker and the decryption keys provided in a separate transmittal from the media. Careful at-tention should be devoted to these issues during the initial meet and confer and any variances from the Standards should be specifically approved by the CFPB in advance.

The CFPB’s Rules require that a detailed privilege log be provided by the return date. 12 C.F.R. § 1080.8. The privilege log must contain 1) the type, specific subject matter, and date of the withheld item; 2) the names, addresses, positions, and or-ganizations of all authors and recipients

of the item; 3) the specific grounds for claiming that the item is privileged; and 4) the interrogatory or request to which the privileged document is responsive. Typically, the CFPB will agree to an exten-sion of the deadline for submitting the privilege log to allow time to complete the log after production of the non-privileged responsive documents.

What To Do Following Receipt of a CID » Immediately issue a company-

wide “litigation hold” to preserve documents responsive to the CID. All document destruction should stop immediately and for the pendency of the investigation, including routine destruction pursuant to the company’s document retention policy and overwriting of backup tapes or data. Employees should also preserve emails, text messages, etc. Destruction of responsive documents could lead to charges of spoliation of evidence or even obstruction of a government investigation.

» Immediately assemble the company’s legal team, preferably on site at company headquarters. The legal team will have only a few days to familiarize itself with the CID and with possible objections before it must start a dialogue with the CFPB to negotiate an acceptable response schedule. This will require “all hands on deck” until the production schedule is hammered out with the CFPB.

» Ensure that all discussions and negotiations with the CFPB are well documented and that all agreements are approved by CFPB officials with the requisite authority.

» Make sure that the proposed response schedule allows adequate time to collect, process, review and prepare documents for production according to the Document Submission Standards and, if necessary, to supplement any incomplete or inaccurate responses before the final certification of compliance.

» Impress upon everyone involved in the process that responding to a CID from a federal agency is different than responding to civil discovery. False statements and deliberate destruction of documents can have far harsher consequences for the company and the individuals involved.

ConclusionWhen a CID is received from the CFPB, important decisions must be made in a matter of hours or days. The 10-day dead-line to meet and confer and the 20-day deadline to file a Petition for Order To Modify or Set Aside the CID are draco-nian. The CFPB rules disfavor extensions of the latter and the former must be com-pleted before a Petition can be filed.

Even those accustomed to dealing with civil discovery under the Federal Rules of Civil Procedure, with CIDs from other federal agencies or with federal grand jury subpoenas will likely be surprised by the pace of activity involved in responding to a CID from the CFPB. It will be important to assemble a response team quickly, to ensure that the team includes personnel with the requisite technical expertise to comply with the Document Submission Standards and to pay careful attention to the statutes and regulations governing CFPB investigations.

17


» No company should assume that any corrupt payment or unintentional violation of the Foreign Corrupt Practices Act (FCPA) is too small to warrant regulatory scrutiny.

» The recently published “Resource Guide to the U.S. Foreign Corrupt Practices Act” does not provide a “boilerplate” program addressing all corruption risks but it does provide guidance regarding fundamental aspects of an effective compliance program.

» Companies can realize significant business growth if they respect and adhere to international laws and act as a first-class corporate citizen in the countries in which they operate.

Opportunities abound for multinational companies operating in Latin America. The recent U.S. financial crisis and the ongo-ing economic difficulties in Europe have led many companies to shift their search for growth opportunities to Latin America. The International Monetary Fund (IMF) projects that Latin America will continue to demon-strate strong GDP growth in 2013, which will be significantly above the average growth rates in developing countries. Latin Ameri-ca’s proximity to the United States and large potential customer base also add to the busi-ness allure of the region for U.S. companies.

But, these opportunities are not risk free. In addition to the standard business risks as-sociated with operating abroad, the relatively high degree of corruption or perceived cor-ruption in certain Latin American countries pose unique challenges for multinational companies. While recent corruption surveys do identify some relatively low-risk countries (e.g., Chile and Uruguay), a number of the larger economies in the region (most nota-bly Mexico, Brazil, Columbia, Venezuela and Argentina) have all been identified as hav-ing significant corruption risks. Companies looking to enter these markets must tread carefully and ensure their compliance pro-grams are tailored to the unique cultural, po-

BERNIEWOOLFLEy, [email protected], [email protected] TAMMyALBARRáN, [email protected]

litical and economic risks that exist in each of the different countries where they operate.

Overview of the FCPAThe FCPA, which was signed into law in 1977, prohibits corrupt payments to foreign government officials for the purpose of ob-taining or retaining business. The act initially applied to all U.S. persons and certain foreign issuers of securities, but was subsequent-ly amended to include foreign companies and persons who cause, directly or through agents, an act in furtherance of a corrupt payment to take place within the United States. The act contains two main sections:

» The anti-bribery provisions are very broad and make it unlawful to knowingly make or authorize any offer, payment (or promise to make a payment) of money or anything of value to any foreign official to influence the foreign official in any way or to secure any improper advantage while attempting to obtain or retain business.

» The accounting provisions require U.S. issuers to maintain books and records that accurately and fairly reflect the true nature of transactions and an adequate system of internal controls (collectively, the “accounting provisions”). These provisions are intended to make it more difficult for parties to make or hide corrupt payments.1

The U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have jurisdiction to enforce FCPA vio-lations. These two agencies typically work together to investigate FCPA violations and have recently issued a resource guide which provides useful information regarding a va-riety of topics associated with the enforce-ment of the FCPA.2

Companies operating in the international arena may also find themselves subject to a growing number of foreign anti-corruption statutes. For example, entities operating

abroad may find that they are also subject to the UK Bribery Act, an anti-corruption statute enacted in 2010 that is more restric-tive than the FCPA. Another example is the Mexico Federal Law Against Corruption in Public Procurement that was signed in June 2012 and contains wide ranging restrictions on bribery that apply to Mexican and non-Mexican individuals and entities.

Recent FCPA Latin America Enforcement ActionsThere are an increasing number of examples illustrating the difficulties companies face in Latin America. Between 2009 and 2012, there were at least 15 FCPA enforcement actions by the DOJ and/or the SEC that in-volved conduct in Latin American countries. Some examples of these enforcement ac-tions include:

» In 2010, Alcatel-Lucent, S.A., a French telecommunications company, entered into a deferred prosecution agreement with the DOJ regarding certain corrupt payments to foreign government officials to illicitly win business in Costa Rica and Honduras. These payments were generally made through the use of a series of consulting firms that subsequently made payments to various foreign government officials. The company paid $137 million to resolve these FCPA charges (which also included offenses in Asia).3

» Orthofix International, a Texas-based medical device company, and its Mexican subsidiary Promeca S.A. de C.V., were charged with securing contracts from Mexican officials employed at state-


Beneath the CanopyUnderstanding corruption risks in Latin America

1. While these provisions may seem more benign to some, more enforcement actions have come from the accounting provisions than the anti-bribery provisions. 2. A copy of this guidance is available on the DOJ website (http://www.justice.gov/criminal/fraud/fcpa/guidance/.) 3. The SEC alleged that Alcatel failed to keep accurate books and records by, among other things, (1) using intermediaries to obscure the source and destination of funds; (2) making payments pursuant to business consulting

agreements that inaccurately described the services provided; and (3) recording illicit payments as legitimate consulting fees. (Source: www.sec.gov/news/press/2010/2010-258.htm)


18

a multinational can be held liable for FCPA violations committed by its third party agents or intermediaries. It is therefore critical for such companies to perform thorough risk ranking and due diligence during the third-party onboarding process to minimize their compliance risks. In at least seven recent enforcement actions relating to operations in Latin America, the government cited the use of consultants, third-party brokers, agents or distributors in the settlement agreements or complaints.

» Transactions with State-Owned Entities. Many Latin American businesses are state-owned and operated, including utility companies, banks and financial institutions, mining companies, and telecommunication and healthcare entities. Employees of state-owned entities are considered “foreign officials” under the FCPA and companies need to be cognizant of the parties with which they are dealing. For example, Brazil has a socialized public healthcare system that provides universal healthcare to all Brazilian citizens, and the majority of hospitals are publicly-controlled. The DOJ has historically considered many of these health care providers (i.e., doctors, nurses and lab technicians) to be “government employees” who provide health care services in their official capacities. Thus, the DOJ would consider these health care providers “foreign officials” for FCPA purposes and any dealings with them could create FCPA risks.

» Payments to Customs Officials. Several of the DOJ/SEC enforcement actions during the past few years have involved allegations that companies made inappropriate payments to customs officials in Latin American countries. While companies sometimes view these transactions as “facilitation payments” (which are permitted under the FCPA), the DOJ and SEC often take a different

including Wal-Mart, suggest that there are a number of ongoing corruption investi-gations related to their activities in Latin America. These investigations can cost com-panies millions of dollars in legal and con-sulting fees,4 as well as significant fines and penalties. In addition, both executives and employees involved in bribery schemes can face lengthy prison sentences.

When considering the risk of detection by the DOJ or the SEC, no company should as-sume that it (or the corrupt payments it may have made) will be considered too small to warrant scrutiny. Recent settlements have involved both large corporations and a num-ber of smaller companies (both publicly and privately held). Similarly, while the amount of the corrupt payments was significant in several matters, a number of the settlements involved far more modest amounts.

Some Common Corruption Risks in Latin AmericaA key component to developing any compli-ance program includes understanding the risks associated with operating in the spe-cific region. With regards to Latin America, a review of recent SEC and DOJ enforcement actions (including those listed above) sug-gest that there are several common areas of concern in Latin America:

» Payments of Consulting Fees or Commissions. Bribes are often disguised and recorded as consulting fees or commission payments. Companies should be on alert whenever a consulting agreement vaguely describes the services to be rendered and yet calls for the payment of large fees, or when the agreement calls for a higher commission rate than the company would normally award to such a consultant. These are red flags that need to be delved into further to determine if the payment is legitimate or if any portion may be used to improperly influence government officials. It is important to note that

owned hospitals and a social services provider in exchange for various gifts and a percentage of the unlawfully obtained sales revenue. Orthofix entered into a deferred prosecution agreement and paid penalties (including disgorgement of profits) totaling $7.4 million.

» LatiNode, a Florida telecommunications company, agreed to pay a $2 million fine for payments made to officials of Hondutel, a state-owned telecommunications entity in Honduras, in exchange for reduced rates and an exclusive long-distance services contract. Several executives from LatiNode plead guilty for their roles in the scheme and in 2010 and 2011 were given sentences ranging from three years’ probation to 46 months in prison.

» In December 2012, Eli Lilly agreed to pay nearly $30 million in disgorgement, interest, and penalties for improper payments in Brazil as well as several other countries. Eli Lilly’s subsidiary in Brazil allowed its pharmaceutical distributors to pay bribes to government health officials to secure sales of Eli Lilly’s products to government institutions.

» In 2009, Helmerich & Payne (H&P), an Oklahoma-based oil and gas driller, was charged with violating the FCPA after it paid (directly, and through third-party customs brokers) approximately $185,000 to customs officials in Argentina and Venezuela in order to import and export equipment and materials without the required certifications or inspections. According to the SEC, these payments were inaccurately invoiced and improperly recorded as facilitation payments. H&P agreed to pay a $1 million criminal penalty and $320,604 in disgorgement fees.

In addition to the above settled matters, there are a number of ongoing investiga-tions that relate to conduct in Latin America. Recent disclosures by several companies,

4. In January 2013, Wal-Mart indicated that its on-going investigation (which also included the review of certain activities in Brazil) had already incurred $157 million in fees and expenses (http://www.sec.gov/Archives/edgar/data/104169/000010416913000011/wmt10-k.htm). Press reports indicated that the conduct related to efforts to obtaining certain types of permits and licenses needed to expand throughout the country. (See, for example, http://www.nytimes.com/2012/04/22/business/at-wal-mart-in-mexico-a-bribe-inquiry-silenced.html)

19


view. This is particularly true in cases in which the payments relate to the importation or exportation of non-conforming or unapproved products.

Of course, not every transaction with an agent, a state-owned entity or a customs of-ficial is a corrupt payment. But, the influence that these individuals or entities can have on a company’s business makes them a higher risk. Thus, transactions with these individu-als or entities in high-risk regions should be vetted thoroughly by the company. In ad-dition, each company will have to make its own assessment of other risks that might ex-ist within a specific country given the nature and structure of the Company’s operations.

Addressing Corruption Challenges through an Effective Compliance ProgramAn effective compliance program that ade-quately addresses corruption risk is one that is properly designed and tailored to meet the organization’s particular needs, and takes into account the countries and the specific industry in which the company operates. The recently published Resource Guide to the U.S. Foreign Corrupt Practices Act provides some insights as to what the SEC and DOJ be-lieve to be an effective compliance program. While the Resource Guide does not provide companies with a “boilerplate” program that will address all corruption risks (and it is not specific to Latin America), it does provide some guidance regarding the key elements of an effective compliance program:

» Commitment from Senior Management – An effective compliance program starts from the top. The Board of Directors and Executive Management must clearly articulate and enforce policies and procedures across the organization and must set the example of proper and acceptable conduct in

order to reinforce a strong tone at the top. In several recent Latin American enforcement actions, the SEC and DOJ specifically described at length the involvement of C-suite professionals in the related schemes.

» Code of Conduct and Policies and Procedures – A company’s code of conduct is the foundation for a strong compliance program and needs to be clear, concise, and available to employees throughout the world in multiple languages. In a recent FCPA enforcement action against Orthofix (which involved its operations in Mexico), the DOJ cited the failure to translate the anti-corruption policies and the absence of adequate training on those policies as evidence of an ineffective compliance program.

» Oversight, Autonomy, and Resources – Oversight of the compliance program should be given to senior executives who have appropriate autonomy (and funding) within the organization, including direct access to a company’s board of directors and/or audit committee.

» Risk Assessment – Compliance programs should be developed around the particular risks inherent to that company’s business model rather than a one-size-fits-all approach. Transactions occurring in high-risk countries and industries should receive more scrutiny than similar transactions in low-risk countries or industries.

» Incentives and Disciplinary Measures – Enforcement of a compliance program is fundamental to its success. Companies need to ensure that they have clear disciplinary procedures, that those procedures are applied fairly and immediately, and that they are commensurate with the violation.5

» Third-Party Due Diligence – Since third parties are commonly used to

facilitate improper or corrupt payments, it is necessary to incorporate a risk-based program that includes a due diligence component.6

» Confidential Reporting and Investigation – An effective compliance program must have a mechanism such as a hotline for employees to confidentially report suspected inappropriate activity. Once reported, companies must have properly-funded resources to investigate the allegation and document the company’s response.

» Continuous Improvement – Successful compliance programs should evolve over time with the company’s business and should be tested on a regular basis. As a company’s business changes, the compliance program must adapt to meet the potential new risks that come with those changes.

In summary, the DOJ/SEC guidance indi-cates that a compliance program needs to be well thought out, based on the specific needs of the company, the industry, and the countries where business is conducted. Hav-ing a strong compliance program on paper is simply not sufficient - there must be evi-dence that the company’s program is being actively incorporated into (and tailored to) the company’s operations and that it must have the ability to evolve over time to be able to address the changing environment in which the company operates.

Additional Ways To Minimize Corruption ChallengesWhile the Resource Guide offers good ad-vice about the fundamental aspects of a compliance program, there are some ad-ditional steps a company can take when developing its operating protocols for its non-US operations. In many ways, these steps are similar to the way in which a com-pany would manage its expansion within the United States:

5. In addition, the DOJ and SEC suggest that compliance programs should provide positive incentives (e.g. rewards, increased bonuses, etc.) for adherence to and reinforcement of the program.6. The Resource Guide suggests that companies communicate their program and adherence to lawful business practices to, and request assurances of compliance from, these third parties and should conduct ongoing monitoring of

third parties.


20

» Know the Local Environment. To operate effectively in a region like Latin America (or any region), a company should have a fundamental understanding of a country’s cultural norms, political climate, and government structure, including the government’s ownership in, and control status of, foreign entities with which a company interacts. This is particularly true in Latin America where there are significant differences and nuances between countries. While some companies attempt to learn the rules and regulations after they begin operating in a country, they do so at significant risk. Instead, foreign laws and business culture should be assessed in advance of investment or outsourcing. When a company lacks the ability to fully research and vet these new requirements, it should retain advisors who can assist with this type of assessment before any decision regarding expansion is made.

» Perform Thorough Due-Diligence on Key Partners in the Region. In many cases, companies operate in Latin America through a joint venture or business relationship with either a local partner or with individuals who are hired on as employees of the company. Given their in-depth knowledge about local practices, these partners often end up managing the company’s in-country operations on a day-to-day basis. While such entities or individuals can be of significant value, it is important to perform thorough due diligence on these parties at the inception of the relationship and to periodically re-assess that due diligence to ensure that the company is comfortable with the entity/individuals involved in the business.

While this is similar to the due diligence that the DOJ recommends for third-party providers, the nature and extent of the relationship with key partners requires an even deeper investigation.

» Ensure Appropriate Level of Monitoring of Company Activities. The home offices of U.S. companies need to adequately supervise and communicate frequently with their Latin American subsidiaries. While the establishment of a robust compliance program can improve the likelihood that the company will detect (and prevent) corrupt payments, companies also need to incorporate regular communications between their Latin American-based employees and U.S. counterparts. Such interactions (which should include in-person meetings at some regular intervals) will allow the U.S.-based executives the ability to better understand how business is obtained (and retained) within each of the regions in which the company operates.

» Develop Effective Internal Controls Over Cash. The development of a strong internal control structure is a good practice for any company, and such a structure should include controls around cash disbursements (including those made from petty cash funds). In international settings, these cash controls are particularly important and there may be some benefit to setting up additional controls in this area. These additions may include greater controls over approved signatories, more detailed documentation requirements, limits on the size of in-country payments, and a process to ensure closer review of significant transactions by personnel in

regional or home offices. In addition, companies should consider whether their existing transaction approval limits are appropriate given the economic conditions in certain countries.7

» Track All Instances of Corrupt Behavior. When operating in a country with high corruption risk, a company should assume that even appropriately trained (and highly ethical) employees will, at some point in time, be subjected to pressure to make some level of corrupt payments. While any good compliance program will have a vehicle for reporting actual inappropriate conduct by a company’s employees, it can be very beneficial to a company to require employees to report instances in which corrupt payments were solicited and not paid. This will allow the company to better understand the landscape in which its employees operate the types of pressures that are brought to bear by certain customers, and the actions taken by employees in response to such pressures.

ConclusionWith five hundred million well-educated citizens and a strong and growing economic base, Latin America is a region that must be looked at closely by companies consider-ing international expansion. The opportuni-ties are significant and, while there are risks, these risks can be mitigated by a company through the development of a robust com-pliance program and other appropriate op-erational protocols. In taking such actions, the company can see tremendous growth and profits while still following the rules and being a recognized good corporate citizen in the countries in which it operates.

PREvENTINGREGULATORyExPOSUREINPRIvATEEQUITyFIRMS

Recent events suggest that Private Equity (PE) firms may be high on regulators’ watch lists. In July 2010, Congress passed the Dodd-Frank Act, which requires large PE firms to register with the Securities and Exchange Commission (SEC), and subjects smaller firms to state regulations. In December 2011, the SEC issued a 16-page letter to several PE firms asking for information on their fund valuation methods and details about their investors. The parallels between this sequence of events and what occurred in the pharmaceutical industry beginning in 2009 are striking.

These regulatory inquiries, coupled with the ongoing trend of investors shifting more of their assets to PE funds (estimated to have exceeded $3 trillion at the end of 2011) suggests that we will see increased scrutiny of the PE industry over the coming years.

As this increased scrutiny occurs, PE firms will begin to feel pressure to develop or refine compliance plans for their own firms as well as any acquired companies, and will need to provide assurance that the requirements of anti-bribery, privacy and other applicable laws are being heeded.

There is the potential that the uncovering of violations at some PE firms will result in increased scrutiny and “copycat” investigations of other PE firms.

StaytunedforthenextissueofIQmagazine,asKenyormark,adirectorinNavigant’sNewyorkoffice,addressesthesedevelopmentsinmoredetailanddiscussestheimportanceofeffectiveduediligenceandcomplianceprogramsforPEfirmsandtheirportfoliocompanies.

7. For example, a company may find it reasonable to have an approval limit of $20,000 for certain employee in the United States (which has a per capita income of $49,000), but might find that a smaller amount might be warranted for similarly situation employees in Guatemala (where the per capita income is approximately $5,100).

Date post:	06-May-2015
Category:	Business
Upload:	navigant
View:	747 times
Download:	0 times