©2012
RISK MANAGEMENT & COMPLIANCE:
LOOKING AT THE BIG PICTURE
COMPLIANCE CHALLENGES WITH DODD-FRANK SECTION 922
The Dodd-Frank Act’s Section 922 requires the SEC to make payments to whistleblowers
that provide information leading to successful enforcement actions yielding monetary sanctions
of more than $1 million. This presentation will focus on how companies and their executives
should prepare for this new, whistleblower-friendly environment, drawing upon real-life best
practices for encouraging whistleblowers to report potential violations internally.
SHRUTI J. SHAH, CFE, CTA, CA
Senior Policy Director
Law and Regulation
Transparency International-USA
Arlington, VA
Ms. Shah is Senior Policy Director of Transparency International-USA, responsible for the
promotion of TI-USA’s anti-corruption law and regulation policy agenda. In that capacity, she
develops and implements advocacy campaigns and builds strategic partnerships with
international organizations, senior government officials, and private sector and NGO
representatives to ensure that laws against bribery and corrupt practices, and favoring
transparency, are implemented and effectively enforced. She also works with companies and
industry associations to compile best practices related to compliance with anti-corruption laws.
Prior to working in TI-USA, Ms. Shah worked at both PricewaterhouseCoopers and KPMG.
The focus of her experience had been in assisting clients and outside counsel with complex
financial and accounting matters related to fraud, anti-corruption/FCPA compliance, and
accounting irregularities. She has managed investigations of alleged accounting fraud in publicly
held companies. Ms. Shah has assisted companies in designing anti-corruption/FCPA
compliance programs. Ms. Shah was involved in developing PwC’s fraud methodology and
procedures for client audits.
Ms. Shah is a CPA, a Chartered Accountant (India), and a Certified Fraud Examiner.
“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the
ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of
this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without
the prior consent of the author.
23rd Annual ACFE Fraud Conference and Exhibition
4F: Compliance Challenges with Dodd-Frank Section 922
Shruti Shah, CFE, CPA, CA
Senior Policy Director, Transparency International-USA
Key Points of the Dodd-Frank Act
In 2008, the U.S. plunged into a recession, as the rising abuse of derivatives, particularly mortgage-backed
securities, set off a chain of defaults and a credit freeze that contracted the economy. Over
the next year, major investment firms went bankrupt, housing prices plummeted, unemployment
topped 10 percent, and the government made bailouts of almost $700 billion as it strived to keep
the economy afloat.
Public outcry over the lack of oversight in the financial sector prompted legislators to introduce
the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), the most
significant regulatory reform of the US financial system since the Great Depression. The bill,
passed into law in July 2010, includes provisions to regulate derivatives contracts, create a
consumer protection bureau and strengthen regulation of credit rating agencies. It also includes
the Volcker Rule, which limits the amount of capital depository banks can invest in private
equity and hedge funds.1
Dodd Frank also requires companies in the oil, gas and natural resources sector to disclose more
information on payments made to governments for the extraction of oil, natural gas or minerals
for commercial development. It requires those who file with the SEC and use minerals
originating in the Democratic Republic of Congo or several adjoining countries to disclose
measures taken to exercise due diligence, as well as a description of minerals used that are not
"conflict free" (meaning the products may contain minerals that finance armed groups in the
DRC or adjoining countries).
1 “Brief Summary of the Dodd-Frank Wall Street Reform and Consumer Protection Act.” United States Senate Committee on Banking, Housing, & Urban Affairs. http://banking.senate.gov/public/_files/070110_Dodd_Frank_Wall_Street_Reform_comprehensive_summary_Final.pdf
Section 922: The Whistleblower Provision
Significant among the provisions of Dodd-Frank is a measure providing incentives for
whistleblowers: Section 922 of the bill. According to the whistleblower incentive provision,
individuals who voluntarily provide original information to the Securities and Exchange
Commission that leads to successful enforcement actions with monetary sanctions over $1
million are eligible for an award. This award may be 10 to 30 percent of the total monetary
sanctions.2
The SEC proposed rules for implementation of the whistleblower provision in November 2010
and opened up a comment period. They received more than 240 comment letters and
approximately 1300 form letters during the review period. The whistleblower provision elicited
several complaints from the business and legal sector that such incentives will undermine
reporting by whistleblowers to a company’s internal channels. Several of the comment letters
suggested that the SEC should require a whistleblower to report the violation internally to
receive the award.
The final rules were approved by the SEC on May 25, 2011 and became effective on August 12,
2011.3 While the whistleblower is still not required to report violations internally to receive the
monetary award, the SEC final rules attempt to incentivize such internal reporting. For example,
if the whistleblower reports the violation to internal controls and the company informs the SEC,
the individual is still eligible for the award. The whistleblower has 120 days from reporting
internally to the company to report to the SEC and still be treated as if the whistleblower
reported at the earlier time, an increase from 90 days in the proposed rules. Finally, if a
whistleblower does participate in the internal compliance program, the amount of the award may
increase, and if the individual interferes, the amount of the award may decrease.4
Foreign Corrupt Practices Act (FCPA) Implications
While the whistleblower incentives apply to any violations of U.S. securities laws, the possibility
of prosecutions under the Foreign Corrupt Practices Act has generated excitement because of the
significant penalties in FCPA cases. Companies settling FCPA-related charges in 2011 paid
$508.6 million in penalties.5 Notable previous penalties include $800 million for Siemens AG in
2008 and $579 million for KBR/Halliburton in 2009.
2 “Whistleblower Program.” U.S. Securities and Exchange Commission. <http://www.sec.gov/spotlight/dodd-frank/whistleblower.shtml>; “Implementation of the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934.” 17 CFR Parts 240 and 249. U.S. Securities and Exchange Commission. <http://www.sec.gov/rules/final/2011/34-64545.pdf>
3 “Implementation of the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934.” 17 CFR Parts 240 and 249. U.S. Securities and Exchange Commission. <http://www.sec.gov/rules/final/2011/34-64545.pdf>
4 “SEC Adopts Rules to Establish Whistleblower Program.” U.S. Securities and Exchange Commission. 25 May 2011. <http://www.sec.gov/news/press/2011/2011-116.htm>
5 “2011 Enforcement Index.” FCPA Blog. 2 Jan. 2012. <http://www.fcpablog.com/blog/2012/1/2/2011-enforcement-index.html>
Top 10 FCPA Settlements
1. Siemens (Germany, 2008): $800 million
2. KBR/Halliburton (USA, 2009): $579 million
3. BAE (UK, 2010): $400 million
4. Snamprogetti Netherlands B.V./ENI S.p.A (Holland/Italy, 2010): $365 million
5. Technip S.A. (France, 2010): $338 million
6. JGC Corporation (Japan, 2011): $218.8 million
7. Daimler AG (Germany, 2010): $185 million
8. Alcatel-Lucent (France, 2010): $137 million
9. Magyar Telekom/Deutsche Telekom (Hungary/Germany, 2011): $95 million
10. Panalpina (Switzerland, 2010): $81.8 million
Enforcement against individuals has also increased. In 2011, the former president of Terra
Telecommunications Corp., Joel Esquenazi, received the longest prison sentence ever for FCPA
violations, a sentence of 15 years in prison for scheming to bribe Haitian officials.6
Additionally, Jeffrey Tesler, a U.K. citizen, would make the Top Ten list of settlements (at
number 8) if it included individuals, as his forfeiture amounts to $149 million.7
A 10 to 30 percent share of some of these settlement amounts is clearly a significant financial incentive
for whistleblowers.
In November of 2011, the SEC submitted its first report on the Whistleblower Program to
Congress, covering the period from August 12 to September 30, 2011. During that time, the
SEC received a total of 13 tips related to potential FCPA violations. Additionally, 32 tips were
received from foreign citizens, though the SEC did not specify the nature of these tips or whether
they were related to FCPA.8 It may be too early to understand the full implications of the
program, but the Chief of the Office of the Whistleblower, Sean McKessy, has publicly stated
on many occasions9 that the quality of the tips received by the SEC has improved.
Furthermore, under U.S. Federal Sentencing Guidelines,10 companies are eligible for reduced
penalties if they have implemented a compliance program or if they have self-reported an FCPA
violation to the SEC, thus creating a so-called “race” to beat the whistleblower. Given the
incentives for whistleblowers to submit their complaints, companies have started reviewing and
assessing their internal FCPA compliance programs in light of current best practices to
encourage internal reporting.
6 “Executive Sentenced to 15 Years in Prison for Scheme to Bribe Officials at State-Owned Telecommunications Company in Haiti.” Department of Justice. 25 October 2011. http://www.justice.gov/opa/pr/2011/October/11-crm-1407.html.
7 “Former Chairman and CEO of Kellogg, Brown & Root Inc. Sentenced to 30 Months in Prison for Foreign Bribery and Kickback Schemes.” Department of Justice. 23 February 2012. http://www.stopfraud.gov/opa/pr/2012/February/12-crm-249.html.
8 “Annual Report on the Dodd-Frank Whistleblower Program, Fiscal Year 2011.” U.S. Securities and Exchange Commission. http://www.sec.gov/about/offices/owb/whistleblower-annual-report-2011.pdf
9 “Insights from the Chiefs of the SEC and CFTC Whistleblowers Offices.” Interview by Bruce Carton with Sean McKessy and Vincente Martinez. Securities Docket. 14 Mar. 2012. Webinar; Michael Smallberg. “Checking In with the Heads of the New SEC and CFTC Whistleblower Offices.” Project on Government Oversight. 15 Mar. 2012. <http://pogoblog.typepad.com/pogo/2012/03/checking-in-with-the-heads-of-the-new-sec-and-cftc-whistleblower-offices.html>.
10 “Chapter Eight – Sentencing of Organizations.” U.S. Sentencing Commission. http://www.ussc.gov/Guidelines/2011_guidelines/Manual_HTML/8b2_1.htm
Corporate Compliance Programs
Generally, the mainstream literature – including the OECD “Good Practice Guidance on Internal
Controls, Ethics, and Compliance”; the UK Bribery Act Guidance; DOJ and SEC published
DPAs; and the 2010 Federal Sentencing Guidelines – describes the following elements that a
company’s compliance program should include:
1. Company culture and “tone at the top”;
2. Clearly articulated anti-corruption policy;
3. Channels for reporting (hotline) and soliciting guidance;
4. Risk assessment;
5. Communication and training;
6. Strong anti-corruption controls;
7. Due diligence procedures for mergers and acquisitions;
8. Monitoring of your program.
I have expanded on some of these elements, plus others, to show how companies and their
executives should prepare for this new, whistleblower-friendly environment, drawing upon
real-life best practices for encouraging whistleblowers to report potential violations internally.
1. Revisit Corporate Culture
Companies may need to reevaluate their corporate culture with regard to compliance to ensure that
company values are being emphasized and integrated into all of the company’s critical
decisions.
Compliance and ethics cannot be isolated from other business practices; they must be firmly
integrated into business decisions.
Several large FCPA settlements reference corporate cultures where bribery is tolerated and even
rewarded. To encourage internal reporting, all senior management should exhibit a strong
commitment to corporate policy and they should support compliance efforts by all personnel in
the organization. This also means the compliance function should be adequately and
appropriately funded.
Ethics should be rewarded, both directly and in consideration of performance reviews and
promotions. By placing value on integrity, companies will show that ethics and compliance are
not merely an isolated part of the organization.
One way that some companies may be able to encourage whistleblowers to report internally is
through internal incentives. For instance, in 2002, Lockheed Martin formalized a program that
recognizes employees who demonstrate actions or behavior that exemplifies the company’s
commitment to ethical conduct, with the winner selected by the Chairman, CEO, President, and
COO to receive the Chairman’s Award for Ethical Conduct.11 Another company, Weatherford,
has also implemented an annual award to the three employees who most contributed to furthering
the company’s ethical culture.12
Senior management, in particular the Chief Executive, has a responsibility to communicate their
support for corporate values, both verbally and through their actions. However, the tone at the
top may not be sufficient to prevent employees from skipping internal channels. There should be
an adequate and robust tone at the middle. Management support must continue throughout the
organization. According to the 2010-2011 Ethics & Compliance Leadership Survey Report, 45%
of ethics and compliance leaders consider middle management the area of greatest concern in
promoting an ethical culture, as opposed to 22% responding with senior management.13
Additionally, clearly defining authority and appropriately segregating duties will help ensure
compliance, including providing autonomy for executives responsible for the compliance
program, as well as making sure these executives have direct reporting lines to an independent
monitoring body or the audit committee.
Rather than only working with the legal department, ethics and compliance officers should
consider working with other departments that are involved in company culture, including human
resources, corporate communications, or environmental and social responsibility.
In educating employees, compliance officers should try to diversify and improve the educational
experience. Many companies utilize online training, but where possible, in-person training may
improve your compliance. Online training can be improved by becoming more interactive or
including activities such as scenarios. Ethics and compliance officers should also continuously
raise awareness of the importance of corporate values.
Lastly, employees must feel their company values integrity because this will encourage internal
whistleblowing. Tone at the top and a clear, well-communicated commitment to the protection of
whistleblowers will encourage employees to report violations to the company, rather than
externally, such as to the SEC.
11 “Local Lockheed Martin Employee Earns Corporation’s Highest Ethics Award.” Lockheed Martin. 6 March 2003. http://www.lockheedmartin.com/us/news/press-releases/2003/march/LocalLockheedMartinEmployeeEarnsCor.html.
12 2010 Weatherford Annual Report. http://annualreport.weatherford.com/assets/pdf/Weatherford%20AR2010.pdf
13 “2010-2011 Ethics & Compliance Leadership Survey Report.” LRN Corporation. http://www.lrn.com/leadership-perspectives-whitepapers/2010-2011-essential-ethics-compliance-leadership-survey-report.
2. Improve Channels for reporting and asking for guidance.
Companies should ensure that the hotline is available to all, that there are multiple channels for
reporting, and that reporting is possible in local languages for companies with operations in
multiple countries.
An ineffective, unreliable or incomplete internal reporting mechanism can provide an incentive
for employees to report directly to the SEC. Companies need to ensure that their
hotlines/reporting systems provide employees and other business partners with a means of
anonymously communicating concerns about potential code violations, unethical behavior, and
actual or suspected corruption, without fear of retribution and that the complaints are dealt with
in a confidential, professional and timely manner.
3. Companies should also extensively communicate the existence of the hotline,
give assurances as to confidentiality, and confirm that there will be no retaliation.
Traditionally, companies have used mechanisms such as posters in break rooms, e-mails from
senior management, and postings on their websites, providing information on all contracts with
business partners, etc. to communicate the existence of the ethics hotline.
However, given what is at stake, companies may need to step up their communications strategies
and customize them for their intended audiences. Any good communication program should
also include descriptions and scenarios of when employees should consider using the programs
and guidance to ensure that complaints contain enough information to allow for proper follow-
up.
With regard to internal communications, management may need to consider the benefits of
communicating important messages about hotlines in smaller groups instead of larger groups.
Many companies have started organizing smaller town hall meetings in several of their higher
risk operations – for example sales forces in China.
A few companies have started posting small 3-4 minute scenario-based video clips on their
intranet sites.14
14 “2009 Corporate Responsibility Report.” Raytheon. <http://media.corporate-ir.net/media_files/irol/84/84193/RTN_CSR_2009/03_features_ethics.html>.
4. Companies also need to establish channels for asking for information and receiving
guidance.
Now more than ever, it may be important to establish channels for people to be able to
call to receive guidance when faced with an ethical dilemma. Even the OECD’s Good Practice
Guidance on Internal Controls, Ethics, and Compliance states that a company should consider
“effective measures … for providing guidance and advice to directors, officers, employees, and,
where appropriate, business partners, on complying with the company's ethics and compliance
programme or measures, including when they need urgent advice on difficult situations in
foreign jurisdictions.”15
Along with strong and effective reporting channels, companies should consider the option of
establishing ombudsman-like functions, which are proven to provide credible alternatives in
escalating ethics concerns and full-fledged allegations.
5. Enhance Your Risk Assessment
Risk assessment is the first step in developing an anti-corruption compliance program. The
Dodd-Frank Act raises the bar for sufficient compliance, and companies may need to enhance
their risk assessment policies to meet this bar. Companies should tailor their risk assessment to
their company. Risk assessments should focus on the nature of the company’s business, the
countries in which the company does business, the degree of interaction with state-owned
enterprises and government officials (sales, regulatory, customs, imports, etc.), the use of agents
and other intermediaries, the use of joint venture partners, and also the risks posed by mergers and
acquisitions. Identify the controls the company has in place to address the risk and review them
for effectiveness. Identify gaps in the controls and ensure that the program is modified and
enhanced to address these gaps.
Good risk assessments include a review of risks in a comprehensive and recurring manner rather
than in a haphazard manner. Risks should be re-reviewed when circumstances change, such as
new products, new markets, or corporate restructuring. A good risk assessment includes input
from various disciplines and levels of management.
Risks should be assessed at the company wide and business unit level.
Specifically, an anti-corruption risk assessment should consider the following:
At the company level:
What is the size of the company and the nature of its business?
How is the company structured?
Does the company have a history of compliance issues?
Where does the company do business? Is it in higher-risk areas? Consider indices like Transparency International’s Corruption Perceptions Index and the World Bank Doing Business index.
What is the nature of the business in each location?
What sort of exposure to government officials does the company have?
Does the company use sales agents and distributors, and does it have standard contracts with them?
Where are the company’s manufacturing locations?
Who does the company sell to? Does it sell to the government and state-owned enterprises?
What is the company’s compliance structure?
15 OECD’s “Good Practice Guidance on Internal Controls, Ethics, and Compliance.” http://www.justice.gov/criminal/fraud/fcpa/docs/oecd-good-practice.pdf
In terms of the business unit:
1. What is the size of the business and the nature of the business?
2. What are the total sales? The sales to government and state owned enterprises?
3. Does the business unit use sales agents and distributors? If yes, do they have standard
contracts with anti-corruption clauses in them?
4. What are the sales through agents and distributors?
5. Is this a joint venture? If yes, does the company have minority or majority interest?
6. Is this a manufacturing location?
7. Do they require licenses and permits?
8. What are points of interaction with the government?
9. Have any control deficiencies been identified in that business unit in the past?
A company should use the results of the risk assessment to help improve the anti-corruption
program elements or to help improve the implementation of the program.
6. Implementing Anti-Corruption Controls
Having strong controls is a good defense against corruption. Management should specifically
focus on increasing financial controls in high-risk countries and for high-risk areas, which have a
significant risk of improper payments or bribes. Control activities include methods such as
approvals, authorizations, verifications, reconciliations, and segregation of duties.
In order to understand the importance of implementing controls, it is necessary to know some
common ways of paying bribes:
1. Using cash/petty cash
2. Gifts or expensive meals for government officials
3. Paying bribes through agents and other intermediaries
4. Paying for expensive trips for government officials to visit resorts under the guise of
training, visiting headquarters, or participating in product demonstration
5. Giving money to charities whose boards include government officials in order to
influence decision making
Given these ways of paying bribes, companies should increase controls around bank accounts,
petty cash, approvals and payments to vendors, and high-risk transactions.
Petty cash in particular is generally used to pay small bribes. There should be controls restricting
the use of petty cash such as additional documentation requirements and a stringent review
process for reimbursement. In cases where there is a custom of entertaining government
officials, additional controls and reviews of travel and entertainment accounts should be
undertaken.
Controllers and accounts payable personnel should be trained to recognize red flags or false
documentation that may indicate bribe payments.
Finally, controls should be audited regularly to ensure they continue to be effective.
It is also worthwhile to note that controls that may be adequate for Sarbanes-Oxley purposes may
not be adequate as corruption controls, since there is no materiality standard for improper
payments. Even small bribes can cause a books and records violation. For instance, in 2010 the
SEC ordered Veraz Networks to pay $300,000 to settle charges of improper payments worth
$40,000 that violated the books and records and internal controls provisions of FCPA, and Veraz
Networks spent an additional $2.5 million to investigate and handle the violation.16
16 “Veraz Settles With SEC.” http://www.fcpablog.com/blog/2010/6/29/veraz-settles-with-sec.html; “SEC Charges California Telecommunications Company with FCPA Violations.” Securities and Exchange Commission. 29 June 2010. http://www.sec.gov/news/press/2010/2010-115.htm.
7. Third-party Due Diligence
Due diligence must also extend to third parties and intermediaries of the company. In 2011,
every FCPA enforcement action found that third parties of the companies in question paid
bribes. The FCPA prohibits corrupt payments through intermediaries. It is unlawful to make a
payment to a third party, while knowing that all or a portion of the payment will go directly or
indirectly to a foreign official. The term "knowing" includes conscious disregard and deliberate
ignorance.17 In a December 2011 webcast, Deloitte asked more than 1,200 financial services,
consumer and industrial products, technology and other industry professionals to respond to a
poll asking how many partners their company had and on how many of them due diligence was
conducted. The results were surprising: only 13.4% of companies perform due diligence and risk
assessment on 76-100% of third-party business partners. Close to one quarter perform due
diligence on only up to 25% of third parties, and 5% of respondents perform no due diligence at
all. Over 30% of these respondents cited “cost of implementation”18 as the greatest challenge to
creating a due diligence program, but with the skyrocketing settlement amounts of FCPA cases,
the potential savings stemming from implementing a compliance program far outweigh costs to
settle a bribery case.
17 “Foreign Corrupt Practices Act: Layperson’s Guide.” Department of Justice. http://www.justice.gov/criminal/fraud/fcpa/docs/lay-persons-guide.pdf.
18 “Third-Party Business Relationship: Emerging Issues and Regulatory Risks – Dbriefs Poll Responses.” Deloitte Development LLC. 14 Dec. 2011. <http://www.deloitte.com/view/en_US/us/Services/Financial-Advisory-Services/018ccb5ae0b26310VgnVCM1000001956f00aRCRD.htm>.
Organizations are at risk of FCPA violations if it can be proven they had either knowledge of
violations or if they did not adequately implement an anti-bribery due diligence program. Hence
CEOs and executives should take note. However, companies that illustrate efforts to combat
bribery through appropriate third-party due diligence programs may be entitled to “credit”
according to the U.S. Federal Sentencing Guidelines if in the future their business partner paid a
bribe despite the company’s diligence.
Third-party due diligence programs should be based on risk assessment. Through risk
assessments, companies can create risk profiles for third parties that will guide due diligence
procedures. Companies should also create a due diligence program that can be implemented
across the entire organization. The program should be coordinated centrally and embedded in
corporate practices, with adequate communication to the entire organization, appropriate
funding, and thorough documentation.
Companies should thoroughly investigate third-party business partners, including reviewing
matters such as:
The third party’s overall reputation
Reputation with the U.S. Embassy in that country
Reputation with local and US business associates
Ties to politically-exposed persons (“PEPs”) or state-owned enterprises (“SOEs”)
Qualifications for performing the task for the company and the necessity of using a third party
Compensation being paid to the third party, whether such compensation is commensurate to services provided and market rates, and terms of payment
Composition of their clientele and key relationships
Composition of shareholders
Existing adherence to an anti-corruption/anti-bribery policy, or agreement to follow the company’s own policy, and training to establish this policy
Enforcement of anti-bribery policies
Cooperation in due diligence investigations
Red flags that companies should be aware of include:
Recommendations to use the third party by government officials
Unusual payment patterns, particularly requests to wire directly to the bank account of an individual or to bank accounts located abroad
History of violations or bribery by the third party, particularly history of sanctions or debarments by national government agencies, such as national public procurement agencies, transparency or anti-corruption agencies, consumer protection agencies, agencies regulating securities trading and the stock market, as well as international financial institutions, when applicable. These databases are normally publicly available, internet accessible and easily searchable.
Existence of legal cases in national courts’ public records
High commissions to agents in excess of market rates
Lack of transparency in expenses and accounting
Companies must also make a commitment to the corporate code of conduct, and the right to audit
anti-bribery programs, part of their requirements for third parties. Companies have a right to
expect third parties to provide full information to determine the risk profile. Furthermore, all
third party contracts should be centrally located and should contain the appropriate warranties
and representations. Many companies have also started claiming audit rights. If companies take
adequate steps and monitor third parties regularly, they will be able to uncover red flags sooner
and take appropriate action.
7a. Due Diligence Procedures for Mergers and Acquisitions
Inadequate due diligence of an acquisition target can be costly. The Department of Justice and
the SEC have made it clear in their enforcement actions that U.S. acquirers will be subject to
successor liability, meaning U.S. acquirers may be criminally liable for the acquired company’s
pre-acquisition bribery, especially if the conduct continued post-acquisition. For example, in
2009, Halliburton paid civil and criminal fines of $579 million after a former subsidiary was
found to have paid bribes before and after Halliburton acquired it in 1998.
The acquiring company may be liable for not only the legal consequences, but may also suffer
reputational damage.
Furthermore, corruption charges can erode the value of an investment, resulting in companies
overpaying for their acquisitions. After eLandia International Inc. paid $2 million for a
pre-acquisition FCPA violation from its purchase of Latin Node Inc., it said its purchase price ended up
being $20.6 million over fair value, given the cost of the FCPA investigation, the fines and loss
of business.19 The company ended up writing off the entire investment.
19 “Latin Node Inc., Pleads Guilty to Foreign Corrupt Practices Act Violation and Agrees to Pay $2 Million Criminal Fine.” Office of Public Affairs. Department of Justice. 7 Apr. 2009. <http://www.justice.gov/opa/pr/2009/April/09-crm-318.html>; “Form 10-Q/A: Quarterly Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 For the Quarterly Period Ended June 30, 2007: eLandia International Inc.” U.S. Securities and Exchange Commission. <http://apps.shareholder.com/sec/viewerContent.aspx?companyid=ELAN&docid=6102545>
Therefore, companies should consider performing robust pre-acquisition due diligence to help
prevent such liability and reputational issues.
Any potential problems raised by these questions should be addressed, indemnified and, if
necessary, self-reported before the transaction is completed. However, if problems do not
emerge until after the deal closes, self-reporting, combined with a remediation plan, can still
mitigate potential enforcement penalties.
Issues to consider for the pre-acquisition due diligence:
Does the target company operate in a country or industry with high corruption risk? Does the
target company sell to a foreign government?
Is the target company owned or controlled by the Government or by PEPs or their relatives?
Does the target require any foreign government-issued licenses or permits?
Does the target itself have any previous history of bribes or anti-corruption law violations?
What is the state of the target company’s anti-corruption program, training, and internal
controls?
Does the target monitor its program for effectiveness? Is there any documentation of this?
For all mergers, companies must have specific anti-corruption due diligence procedures in place.
Such procedures should include:
Document reviews related to the target company’s anti-corruption compliance program
Transaction testing of compliance sensitive accounts and high risk corruption transactions.
Evaluating a target’s management team for corruption risks if they are going to remain in
place after the acquisition
Incorporating anti-corruption compliance provisions in the agreements
Having a plan to integrate the acquired company
In some cases discovery of FCPA violations can put a stop to merger discussions. A good
example of this is the case of Titan Corp. In 2003, Lockheed Martin entered into merger
discussions with Titan. As a result of their due diligence, Lockheed found potential violations of
FCPA by Titan, though Titan stated in its merger agreement that it had not violated FCPA
provisions, to its knowledge. Because of Titan’s failure to reach a settlement, Lockheed Martin
terminated the merger agreement in 2004. Titan was purchased by L-3 Communications the
following year.
In 2005, the SEC charged Titan with violating anti-bribery, internal controls and books and
records provisions of the FCPA after it paid more than $3.5 million to an agent in Benin between
1999 and 2001. According to the SEC, Titan failed to conduct “meaningful due diligence into the
background of its agent either before his retention or thereafter.”20 The company agreed to pay
sanctions of more than $13 million, as well as an additional $13 million criminal fine, to the
DOJ.
20 “Civil Action No. 05-0411 (JR).” Securities and Exchange Commission v. The Titan Corporation. 1 March 2005. <http://www.sec.gov/litigation/complaints/comp19107.pdf>.
8. Monitoring Your Program
Monitoring and assessing your program is one of the necessary steps to ensure your compliance
program is operating effectively. Companies should ideally monitor the program through a set of
procedures designed to test compliance with company policies, uncover violations, find red
flags, etc.
Compliance audits/assessments can uncover new risks and can contribute to the ongoing risk
assessment. Companies have generally started conducting FCPA and anti-corruption compliance
audits separately from larger internal audit procedures as these tend to require skilled
professionals familiar with FCPA and bribery red flags.
The purpose of these FCPA audits is to assess the existence and effectiveness of policies, as well
as employees’ understanding of the policies and management’s communication of the policies
(i.e. “tone at the top”). The assessments also review previous compliance audits, analyze
financial data, perform transaction testing, and review sales contracts and agreements with third
parties. They also include interviews with management and employees.
The process for an anti-corruption compliance audit is the same as any other internal audit
process and includes risk assessment, data collection, interviews, controls testing, and transaction
testing.
Risk Assessment
Anti-corruption compliance assessments should generally be risk-based, with the
locations of highest risk being assessed first, then lower risk areas; every location should
be periodically assessed. For a detailed explanation of such an assessment, please see the
earlier section on “Risk Assessment.”
Gather Background Information
Before visiting the location, the audit/assessment should gather background information:
Organizational chart
Number of agents; the contracts with the agents if there are standardized contracts
Total sales; breakdown of sales by customer or by sales agents
The percentage of commission and discounts paid, and whether they vary
depending on agent
Questions on whether the business unit monitors the sales to State Owned
Enterprises and to the private sector
Details on requirements and maintenance of licenses
Information on local anti-corruption policies
Any training materials and proof of who was trained
Interviews
At the site, consider interviewing people outside of the accounting, legal, and compliance
departments, such as sales, operations, and treasury, and also employees who
interact with government officials or with third parties that interact with government
officials.
Controls Testing
On site, the audit team should test controls such as approval and authorization limits,
whether the segregation of duties was followed, etc.
Substantive Testing
Test compliance sensitive accounts such as travel, gifts, legal and professional fees,
consulting fees, licenses, permits, miscellaneous fees, sundry expenses, lobbying fees,
facilitation fees, inspection fees, penalties, and/or petty cash expenses.
Once a problem is identified, the team should consider digging deeper and possibly
exploring the consultants involved or transactions of that type. If the audit team finds an
outright violation, it should consult legal counsel before undertaking next steps.
Generally all anti-corruption audits will lead to program improvements and will also send
the right message to all employees that the company does not tolerate bribery.
Real-Time Monitoring
Rather than simply auditing after the fact, many companies have moved towards real-time
monitoring as a means of monitoring compliance. While auditing is generally
after-the-fact, real-time monitoring may be more current and identify “red flags” more quickly.
The use of data analytics has also become more popular as a means to identify particular
risk traits for high-risk locations or vendors. Analytics can be used to search high-risk
payments for red flags using keywords, etc. However, this is cost intensive and requires
qualified personnel to analyze the exceptions.
Conclusion
As has been discussed, given the increase in FCPA enforcement, companies may need to
reevaluate their anti-corruption compliance programs. Existing policies may not adequately
protect companies from liability if their employees, a subsidiary, or an intermediary bribes a
foreign official. Individuals now have incentives to report directly to the government because of
the Whistleblower Provision of the Dodd-Frank Act. Hence, companies must work to make sure
instances of bribery are minimized, or in cases of suspected bribery, that violations are reported
internally, so that the company can investigate and self-report if necessary. Having a strong
anti-corruption compliance program may also allow for less severe penalties. Thus companies should
review and revise their programs to ensure they meet the latest standards and good practices as
discussed in this presentation.