Corporate Compliance

Third-Party Vendors

Business Partners o The FCPA applies to anyone seeking to advance the company's economic interests—whether formally or informally. ♣ Accordingly, a company may be held liable for actions taken by third parties that it has engaged. ♣ The company may not pay third parties if it knows (or believes) that any portion of the payment will go to a foreign official. ♣ Conscious disregard of red flags, willful blindness or deliberate ignorance can be the basis for liability.

Privilege and Purpose of Investigation

USS v ISS Marine ♣ To be privileged, a communication must be "for the purpose of securing primarily either (i) an opinion on law or (ii) legal services or (iii) assistance in some legal proceeding."

Whistleblower

Volunteer who has personal knowledge of misconduct within an organization and comes forward on her own

Privilege and Internal Investigations

Wultz v Bank of China - ♣ Judge in NY forced Bank of China to turn over documents relating to internal investigation overseen by Chinese in-house counsel - not isolated issue ♣ If US legal exposure, consider if US lawyers should be directing investigations

Publicly traded firms

a. -- §404(a) of the Sarbanes-Oxley Act (result of Enron) i. Requires that a reporting company's annual report must contain an "internal control report" which states "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting" ii. Also, "contain an assessment ... of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."

CFO

a. Ensures that financial information is compiled, processed, and presented to appropriate people b. Responsible for monitoring company's financial condition and identifying when key items present a risk of moving outside accepted tolerances c. Also manages treasury function, investing, and making sure the firm has liquidity on hand

CEO

a. Senior-most official in a firm b. §302 (public companies): requires CEO and chief financial officer to certify in each report that the report does not contain any untrue statement of material fact or omit a material fact necessary in order to make the statements made not misleading c. §906: requires that the issuer's periodic reports to the SEC be "accompanied" by a written statement of the CEO and CFO i. subject to criminal penalties (18 U.S.C. §1350)

FCPA Accounting Requirements

o Books and records must be accurate and reasonably detailed. o Devise and maintain internal accounting controls sufficient to provide assurances that: ♣ Transactions are executed with management's authorization (either general or specific); ♣ Transactions are recorded. ♣ Access to assets is limited and controlled. o Records are maintained and regularly audited. o NOTE: The FCPA does not specify the procedures businesses must use in maintaining their books and records, nor does it define the internal controls necessary to pass muster under the Act. Instead, it allows for a "reasonableness" standard for assessing the adequacy of issuers' practices related to accounting and recordkeeping.

Business Courtesies

o Business Courtesies may include gifts, meals, entertainment and travel. o Many companies allow payment or reimbursement of reasonable and bona fide expenses that are: ♣ Directly related to the marketing, promotion, demonstration or explanation of the company's products and services. ♣ Directly related to the performance of a contract. o Approval is necessary before making any payment or reimbursement. o Many companies will create maximum limits for gifts or courtesies involving non-Government Officials.

Business Courtesies (Govt. Officials)

o Business courtesies involving government should be extremely limited. o Typically companies will heavily restrict, or altogether ban, any such gifts. o In addition, companies will often rely on a robust approvals process.

Historical Evolution

o Compliance departments emerged in the 1960s in securities firms ♣ Goal = internally guide traders, protect investors and satisfy securities regs o The concept spread to other sectors when the importance of compliance programs was recognized by the Department of Justice in the United States Sentencing Guidelines in 1991. o In 1996, In re Caremark Int'l Deriv. Litig. ♣ Holding --- directors and officers must ensure that their company employed an effective compliance program to satisfy their fiduciary duties. o Big scandals - WorldCom, Enron o In 2002, §404 of the Sarbanes-Oxley Act required public companies to certify that sufficient internal controls were in place for financial reporting. o In 2012, the DOJ issued guidance on the Hallmarks of an Effective Compliance Program

Drafting a Code

o Considerations for Drafting a Code ♣ Audience ♣ Goals ♣ Organization Specific Content ♣ Practicability and Usability ♣ Application Across an Organization ♣ Business Function Participation ♣ Enforcement ♣ Employee Discipline o Example - audiences differ based on educational levels ♣ Based on workforce and theme of org. as well • If employee doesn't understand - doesn't matter ♣ Ask - if violation happens, can you point to specific section?

Upjohn Warnings

o Counsel represents the corporation - not the witness personally o Communications are privileged, but the privilege belongs to the corporation o Corporation may waive privilege and share info with 3rd parties, including government agencies o To maintain privilege, interviewees must not discuss the interview with others ♣ Unless approached by government agency

Fair Dealing

o Each employee, officer and director should endeavor to deal fairly with the listed company's customers, suppliers, competitors and employees. o None should take unfair advantage of anyone through manipulation, concealment, abuse of privileged information, misrepresentation of material facts, or any other unfair-dealing practice. o Listed companies may write their codes in a manner that does not alter existing legal rights and obligations of companies and their employees, such as "at will" employment arrangements.

Corporate opportunities. (similar to 'duty of loyalty')

o Employees, officers and directors should be prohibited from ♣ (a) taking for themselves personally opportunities that are discovered through the use of corporate property, information or position; ♣ (b) using corporate property, information, or position for personal gain; and ♣ (c) competing with the company. Employees, officers and directors owe a duty to the company to advance its legitimate interests when the opportunity to do so arises.

Maintaining a Consistent Discipline Process

o Enforcement of a compliance program is fundamental to its effectiveness o Violations of a compliance program should result in swift and consistent disciplinary action o Publicizing disciplinary actions internally, where allowed by law, may have an important deterrent effect. o Positive incentives, such as personnel evaluations and promotions, and rewards for ethics and compliance leadership, can also drive compliant behavior. o Be cautious of local law restrictions and implementation requirements. o What does the government say about this? ♣ "DOJ and SEC will . . . consider whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation."

Enterprise Risk Management

o Enterprise Risk management ("ERM") is a "process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." o The ERM function is an enterprise-wide tool for: ♣ defining common standards, ♣ coordinating assessments across business units, and ♣ facilitating analysis of risk interactions.

Work Product Doctrine

o Federal Rule of Civil Procedure 26(b)(3): "Ordinarily, a party may not discover documents and tangible things that are prepared in anticipation of litigation or for trial by or for another party or its representative..."

Risk Factors on Form 10-K

o Form 10-K is an annual report that public companies must file with the SEC. o The filing provides a summary of the company's financial performance and includes information on executive compensation, financial statements, and company organizational structure. o The purpose of the Form 10-K and other required SEC filings is to provide shareholders and potential shareholders with basic investment information about the company. o Item 1A of the 10-K sets out risk factors that the company could face in the coming year. o The purpose of Item 1A is to warn investors and potential investors of certain risks to the company's performance. o Every 10-K must include Item 1A, which provides for risk factors. This section includes anything that could go wrong, likely external effects, possible future failures to meet obligations, and other risks disclosed to adequately warn investors and potential investors.

Who Gets the report?

o General Counsel o Chief Compliance Officer o Audit Committee o Board of Directors o Special Committee o Subject (some jurisdictions)

Training and Performance Management

o Hiring and training ♣ Personnel screening ♣ Training (has to be effective!) • What employees and regions? • Which agents? • Certifications/Tracking ♣ Periodic communication of compliance standards and procedures o Disciplinary measures and incentives ♣ Enforce policy violations ♣ Consistent discipline ♣ Reward ethical behavior o Is compliance assessing compensation schemes? ♣ What incentives are placed on compensations?

Report

o Identify who needs to know what and when o Qualitative and quantitative reporting o Develop reports and reporting capabilities that allow stakeholders to follow the progress of compliance efforts and outcomes of compliance issues o Install reporting systems, audits

Maintaining A/C Privilege

o In the corporate setting, the privilege affords protection when ♣ (1) counsel is acting in a legal capacity, ♣ (2) the communication was understood to be confidential when made, and ♣ (3) the communication is disclosed only to essential corporate employees.

What to look for - red flags

o Increase the likelihood that a transaction or market presents corruption risks: ♣ Payment is requested in cash. ♣ A party involved in the transaction is state-owned or is heavily regulated by government officials. ♣ The business and/or governments at issue lack a "culture of transparency." ♣ Intermediaries will be used to obtain required government approvals. ♣ The country or market has a reputation as a corrupt environment for business. ♣ A government official asks you to hire a particular consultant.

Communication, Education & Awareness

o Inform associates about their responsibilities and instruct them on steps they can follow to stay in compliance o Use and reinforce your code of conduct and SME training, compliance calendars, and annual training

Identifying "Foreign Officials"

o It can be difficult to identify foreign officials, particularly in countries where it is unclear if an entity is owned or controlled by the state. o A government official or employee can be anyone who participates in official decisions or who has decision-making power. Examples: ♣ Customs officials. ♣ State-owned media and its employees. ♣ State-owned utilities. ♣ Tax, health or other government inspectors. ♣ Persons appointed by a government official.

Hallmarks of an Effective Third-Party Due Diligence Program

o Know Your Vendors ♣ Who are they? Literally. ♣ What is the business rationale? ♣ Are they equipped to provide the services? o Identify Your "High-Risk" Vendors ♣ Conduct appropriate risk assessments. o Due Diligence Protocol ♣ Use questionnaires and background checks. ♣ Stress the importance of your commitment to ethical and lawful business practices. o Button-up Your Contracts o Consistent Auditing & Monitoring o Document everything

Risk Methodology in Action

o Legal & Regulatory Assessments ♣ Aligns with ERM Process ♣ Provides data for use in formulating risk factors ♣ Assists with prioritization of work within compliance and legal ♣ Provides a method to translate legal and regulatory concepts for your business partners o Geographic Market Assessments ♣ Provides data to enable effective utilization of compliance resources ♣ Informs training programs ♣ Prioritizes markets for annual monitoring and auditing programs ♣ Identifies markets that require increased management oversight

Legal & Regulatory Compliance Risks

o Legal and compliance risks are risks associated with either unintentional or willful noncompliance with government, industry, or internal laws, standards, policies, or changes. o Risks ♣ Corruption ♣ Antitrust/Monopolization ♣ Recall Procedures ♣ Hazardous Materials Disposal ♣ Employment Discrimination ♣ Copyright Infringement

EU Protections

o Most EU countries recognize some form of AC privilege, commonly referred to as 'legal professional privilege' (LPP) o In some countries communications between in-house counsel and the business NOT protected o Privilege in EU matters does not automatically protect in-house advice. NO privilege recognized between EU in-house counsel and staff with respect to EU competition investigations o Counsel NOT qualified to practice in the EU also may not benefit from privilege o Communications between US outside counsel and overseas companies MAY NOT be protected o Outside EU, concepts of privilege may vary even more o Exercise Caution - may be obliged to disclose a document in one jurisdiction while benefiting from privilege in another

Political Contributions & Charities

o Political Contributions ♣ Employees, third parties and business partners may not make political contributions on behalf of the Company. • This includes making individual contributions to candidates in order to gain a benefit for the Company. o Charities ♣ Employees, third parties and business partners may make charitable donations directly or indirectly on behalf of the Company in accordance with the Global Anti-Corruption Policy, the Company's Procurement manual, and other company procedures. • Donations should not be made if they are intended to benefit a Government Official or Government Service Client.

Why is risk assessment important?

o Risk assessment is an efficient risk management device as well as an effective tool for fostering communication between legal/compliance and other internal groups. o Government tells us risk assessment is important ♣ FCPA Guidance ♣ Sentencing Guidelines ♣ Form 10-K (Safe Harbor) ♣ Sarbanes-Oxley Act ♣ Bank Secrecy Act

Risk Assessment

o Risk assessment is the identification and evaluation of the level of risks involved in a given situation; the comparison of those risks against benchmarks or standards; and the determination of an acceptable level of risk. o In performing risks assessments, the degree of appropriate due diligence is fact specific and should vary based on industry, country, size, nature of the transaction, and the method and amount of third-party compensation. Factors to consider include risks presented by: ♣ the country and industry sector ♣ the business opportunity ♣ potential business partners ♣ level of involvement with governments ♣ amount of government oversight ♣ exposure to customs and immigration

Documenting the Investigation Results: What Goes in the Report?

o Summary of Issues raised o Relevant Facts and Documents o Scope of the Investigation o Key Findings o Methodology Used o Recommendations ♣ Discipline ♣ Control enhancements ♣ Reporting/notification requirements ♣ Preemptive action in a civil matter

Monitor & Investigate

o Take proactive steps to monitor compliance o Identify potentially risky situations before they turn into problems o Investigate issues when needed and install regular monitoring and audit programs o Need to answer the question: Are we accomplishing what we set out to do? o Proactively process, identify and address gaps and misalignment in the compliance and governance program. o Process should be documented and performed on a regular and consistent basis. o A compliance program cannot be strong only on paper; it must be followed and enforced in good faith across the business.

UK Bribery Act (Enforcement)

o The Bribery Act applies to any company that conducts business - or part of a business - in the UK o "Foreign corporates...that continue to use bribery to undercut good ethical UK businesses should be under no illusion...finding them and taking vigorous action will be a high priority for us" o - Former Director of the SFO, Richard Alderman o In order to instigate prosecutions, Mr Alderman invited companies to act as whistle-blowers on their rivals: ♣ "I am prepared to take courageous action dealing with foreign corporations, but please help me with evidence. Tip me off and tell me there was corruption."

Anti-Bribery Provisions

o The FCPA Anti-bribery provisions prohibit paying or offering anything of value to a foreign official for the purpose of influencing the official to secure an improper business advantage. o The FCPA prohibits payments that may even indirectly assist with obtaining business or maintaining business operations. o Practically speaking, everything a corporation does could be seen as furthering a business interest. Therefore, what is being given, and who is receiving it, is a particular focus.

Identifying a "Thing of Value"

o The FCPA prohibits bribing a foreign official with a "thing of value" ♣ A "thing of value" may be: • Cash or cash equivalent • Charitable donations • Travel expenses • Services • Loans • Entertainment unrelated to customary entertainment connected with a particular deal or contract o In most circumstances, an item is not considered a "thing of value" if it is: ♣ Nominal in value ♣ Not cash ♣ Customary in type and value in host country ♣ Permitted under local law ♣ Made as a courtesy or token of regard or esteem ♣ Given openly ♣ Accurately recorded

FCPA Accounting Provisions

o The FCPA's accounting provisions apply to publicly held U.S. companies considered "issuers" under the Exchange Act of 1934 (the "Exchange Act"). o To qualify as an issuer under the FCPA, an entity either must be required to file reports with the SEC under § 15(d) of the Exchange Act or must have securities registered with the SEC under § 12 of the Exchange Act. o The definition of "issuers" is broad and covers corporations with bonds or American Depository Receipts traded on U.S. markets or stock exchanges. o Unlike the antibribery provisions, the accounting provisions do not apply to "domestic concerns" that are not issuers. o Most non-U.S. operations of domestic businesses also are covered. o The accounting provisions apply to all majority-owned subsidiaries (domestic and foreign) of U.S. issuers.

FCPA: Fundamentals

o The Foreign Corrupt Practices Act (FCPA) imposes standards of conduct to ensure that US companies do not commit bribery in foreign countries. o Specifically, it is illegal for any US person or company—or anyone acting on their behalf—to bribe a foreign official or foreign political party in order to gain or retain business.

Federal Sentencing Guidelines

o To have an effective corporate compliance program, as defined in the U.S. Sentencing Guidelines' Chapter Eight, Sentencing of Organizations, Section 8B2.1 Effective Compliance and Ethics Programs, an organization must: ♣ (1) exercise due diligence to prevent and detect violations, and; ♣ (2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Exposure Risk and Third-Party Exposure

o Under the FCPA, the UK Bribery Act and other anti-corruption laws, a company can be liable not only for the corrupt actions of its employees, but also for a third party's actions when that third party is acting on the company's behalf. o A company may be liable for the actions of its agents, provided the agent was acting within the scope of its authority and one of its motives was to benefit the company. United States v. Potter, 463 F.3d 9, 25 (1st Cir. 2006) o It has been reported that 60% of the SEC's cases in the last two years involved third parties. o Where is the exposure? ♣ Agency Relationships ♣ Distributors ♣ Franchisees ♣ Commercial Contracts ♣ Acquisition Targets ♣ Joint Venture Partners

A/C Privilege

o Upjohn Co. v. U.S., 449 U.S. 383 (1981): "The attorney-client privilege is the oldest of the privileges for confidential communications known to the common law. Its purpose is to encourage full and frank communication between attorneys and their clients and thereby promote broader public interests in the observance of law and administration of justice. The privilege recognizes that sound legal advice or advocacy depends upon the lawyer's being fully informed by the client."

Perform Assessment of Compliance Risks

o Use of a scoring environment to take into account probability, severity, and control environment ♣ Probability: remote, unlikely, likely, almost certain? ♣ Severity: insignificant, moderate, extreme? ♣ Control environment: no controls in place, partially effective controls, sophisticated controls?

Code of Conduct/Ethics/Conflicts of Interest

o What is the code of conduct? ♣ Broad principles that employees, officers and directors agree to live by ♣ A framework for corporate decision making ♣ A basis for discipline for wrongful conduct • However—cannot account for every possible fact scenario o Just putting together a framework for applying to issue + discipline o Broad vs. specific balance ♣ Differences between lawyers/compliance prof. • Also, based on company ♣ Code = has to be part of personality of company • Has to be, otherwise seen as outside of company

Gauging the Risk

o Who, where and how the product is being sold can also significantly influence FCPA risk. Questions to ask: ♣ Who is the customer? • If government is the primary customer, then the risk is higher. ♣ Where is it being sold? • Countries with higher levels of corruption require greater due diligence. ♣ How is it being sold? • Agents or joint venture partners increase the risk.

Procedures and Risk Assessment

o Written Procedures to help ensure compliance with policies ♣ Non-Retaliation and Whistleblower Procedures ♣ Internal Investigations Review Procedures ♣ Escalation Protocols ♣ Caveat Emptor/Due Diligence o Risk Assessment ♣ What are the greatest risks facing our company? ♣ What policies, procedures and controls do we really need? ♣ Are there gaps in the controls? ♣ How do we plug those gaps? ♣ Testing

Conflicts of Interest

o occurs when an individual's private interest interferes in any way - or even appears to interfere - with the interests of the corporation as a whole. ♣ takes actions or has interests that may make it difficult to perform his or her company work objectively and effectively. ♣ receives improper personal benefits as a result of his or her position in the company. ♣ Loans to, or guarantees of obligations of, such persons are of special concern. • The listed company should have a policy prohibiting such conflicts of interest, and providing a means for employees, officers and directors to communicate potential conflicts to the listed company.

Confidentiality.

o should maintain the confidentiality of information entrusted to them by the listed company or its customers, ♣ except when disclosure is authorized or legally mandated o Confidential information includes all non-public information that might be of use to competitors, or harmful to the company or its customers, if disclosed.

Sarbanes Oxley; SEC. 406. CODE OF ETHICS FOR SENIOR FINANCIAL OFFICERS.

♣ (a) CODE OF ETHICS DISCLOSURE. —The Commission shall issue rules to require each issuer, together with periodic reports required pursuant to section 13(a) or 15(d) of the Securities Exchange Act of 1934, to disclose whether or not, and if not, the reason therefor, such issuer has adopted a code of ethics for senior financial officers, applicable to its principal financial officer and comptroller or principal accounting officer, or persons performing similar functions. ♣ (c) DEFINITION.—In this section, the term ''code of ethics'' means such standards as are reasonably necessary to promote— (1) honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships; (2) full, fair, accurate, timely, and understandable disclosure in the periodic reports required to be filed by the issuer; and (3) compliance with applicable governmental rules and regulations.

Policies and Procedures

*policy - statement of principles *procedure - implementation of policy terms/principles o Implement formal policies that codify responsibilities concerning risk o Instill business processes that support compliance o Additive to the Code of Conduct with specific guidance regarding suitable conduct and practices o Encourage employee actions consistent with the business needs and risk tolerance ♣ But - only works if consistent with business needs o What affects the risk tolerance? ♣ Big v. small ♣ Publicly traded companies v. private equity company ♣ Type of business itself ♣ Capital

Executives

- Board and committees are charged in law and policy with the task of overseeing management of the organization, including managing risk and ensuring that the firm complies with all applicable laws and regulations - Board can also decide issues of broad strategy and oversee operations of the company at a general level, but rely on company's senior employees to carry out the practical tasks of management.

Compliance Program Framework

- Risk assessment - Policies & procedures - Communication, Education & Awareness - Monitor & Investigate - Report

Anti-Corruption Compliance

The FCPA - Prohibits bribing public officials - requires maintaining books and records in reasonable detail - requires companies to maintain a system of internal controls to ensure transactions are properly authorized and recorded The UK Bribery Act - Prohibits (1) bribing any person or entity to induce or reward improper behavior (2) accepting a bribe - Prohibits bribing a foreign public official in order to influence them - Creates new offenses for (1) companies that fail to prevent bribery by their associated persons and (2) senior officers who allow bribes to be paid by the company

4 strategies are commonly observed to encourage people to come forward

Tone at the top 1. Most employees are deterred from coming forward for 2 reasons a. Complaints will not be heard b. Suffer retaliation 2. Protection for Whistleblowers a. Numerous state and federal statutes protect whistleblowers against retaliation by employers for actions informing the authorities of potential misconduct b. Remedies for proven violations include reinstatements, back pay, and compensation for any special damages 3. Rewards a. Organization may reward the whistleblower financially, by offering bonuses or bounties for information or by promoting the person within the company i. Most organizations have not gone this far b. Also available in off-label marketing cases c. IRS also operates a whistleblower bounty program for tax compliance i. Generally been restricted to cases of fraud ii. Commentators and law reform advocates have discussed the utility of bounty programs for a variety of other possible contexts 4. Mandatory Reporting a. Failure to report a known violation is in itself a violation i. Rule 8.3 1. Current version of the rule does not require that attorneys report all violations - only those which raise a "substantial question" 2. "Knowingly" element creates a loophole a. actual knowledge which may be inferred

Internal Audit

i. Function of monitoring the actions of employees, processes, and systems to verify their effectiveness and compliance with internal or external norms ii. At the board level—CAE reports to audit committee at every meeting iii. Needs a degree of independence but must be a balance - not an external audit

DOJ Guidelines - Third Party Due Diligence and Payments

o "Risk-based due diligence is particularly important with third parties and will also be considered by DOJ and SEC in assessing the effectiveness of a company's compliance program." o Recognizes that the "appropriate level of due diligence may vary based upon industry, country, size and nature of the transaction, and historical relationships with the third-party...." o That said, "some guiding principles always apply": ♣ "Understand qualifications and associations of third parties" ♣ "The degree of scrutiny should increase as red flags surface" ♣ "Understanding of the business rationale" for hiring the third party ♣ "Undertake some form of monitoring" ♣ Inform third parties of "commitment to ethical and lawful business practices"

Section 7 of the UK Bribery Act: Failure to Prevent Bribery

o A company commits an offense if an "associated person" bribes someone else to obtain or retain business for the company ♣ An associated person is anyone who "performs services for or on behalf of the company" ♣ The bribe can be paid anywhere in the world ♣ It is irrelevant that the Company had no knowledge of the bribe o But it is a defense for the company to prove that it had in place "adequate procedures" that were designed to prevent bribery

Protection and proper use of listed company assets

o All employees, officers and directors should protect the listed company's assets and ensure their efficient use. ♣ Theft, carelessness and waste have a direct impact on the listed company's profitability. ♣ All listed company assets should be used for legitimate business purposes.

What is Acting "Corruptly"

o An act is "corrupt" for purposes of the FCPA if it is intended to induce a government official to misuse his or her official position by, for example: ♣ Wrongfully directing business to a person paying a bribe; ♣ Granting preferential treatment as a result of the bribe; or ♣ Refraining from taking official action against the person paying the bribe.

What is Acting "willfully"?

o An individual acts "willfully" for purposes of the FCPA if he or she: ♣ Has actual knowledge of a bribe; ♣ Has a suspicion that a transaction involves a bribe; or ♣ Deliberately avoided knowledge of bribery through willful blindness.

Risk Assessment Program Steps

o Anticipate - Mindset o Identify/Inventory - What are the Risks? o Categorize - Organized Risk Inventory o Assess - Objective Ranking ♣ Probability • Likelihood of risk occurring? ♣ Severity • How bad is it going to be? ♣ Control environment • What is the control? • Where is the compliance program in relation to risk? o What do the controls look like? o Implement - Create accountability o Prioritize - What is the focus? ♣ Where control score comes into play o Align/RACI/Report - Buy-in & Commitment

NYSE Listed Company Manual

♣ 303A.10 Code of Business Conduct and Ethics • Listed companies must adopt and disclose a code of business conduct and ethics for directors, officers and employees, and promptly disclose any waivers of the code for directors or executive officers. • Commentary: No code of business conduct and ethics can replace the thoughtful behavior of an ethical director, officer or employee. However, such a code can focus the board and management on areas of ethical risk, provide guidance to personnel to help them recognize and deal with ethical issues, provide mechanisms to report unethical conduct, and help to foster a culture of honesty and accountability. ♣ Each code of conduct or ethics must require ... • Any waiver of the code for executive officers or directors may be made only by the board or a board committee. • compliance standards and procedures that will facilitate the effective operation of the code. o ensure the prompt + consistent action against violations *All protecting shareholders *Always look towards the purpose of the entity implementing the code *Expands governance structure expectations to non-US companies

Federal Acquisition Regulations (FAR)

♣ 48 CFR 52.203-13 - Contractor Code of Business Ethics and Conduct (b) Code of business ethics and conduct. (1) Within 30 days after contract award, unless the Contracting Officer establishes a longer time period, the Contractor shall— (i) Have a written code of business ethics and conduct; (ii) Make a copy of the code available to each employee engaged in performance of the contract.

Identifying Conflicts of Interest

♣ Best Interests test: • Ask -- is this in the best interests of the organization? o This test invokes the duties of loyalty and care and requires the answer to one specific question. o Can you act honestly and in good faith and make a decision in the best interests of the Company in the situation? ♣ Reasonable Persons test: • More legalistic - asks what a reasonably prudent person would do in similar circumstances. o Coincides with the duty of care. ♣ Peer standards test: • Would it be commonly acceptable in your industry or business sector to participate in the decision? o In essence, how would your peers handle a similar situation? ♣ "Smell" test: • Does it just not feel right? o If it doesn't, then it probably isn't. • Ask yourself how a key stakeholder, the public, or the media might react if they found out about it. • How would it affect the credibility of the Company if it was reported in the news?

Baseline Compliance Expectations

♣ Clear, concise and accessible Code of Conduct ♣ Commitment from senior management ("tone at the top") ♣ Clear management and oversight of compliance program ("tone at the middle") ♣ Autonomy from management (direct access to governing authority) and sufficient resources ♣ Risk assessments (the DOJ/SEC will give meaningful credit to a company that implements a comprehensive, risk-based compliance program) ♣ Training and continuing advice ♣ Incentives and disciplinary measures ♣ Risk-based due diligence ♣ Confidential reporting and internal investigation (hotline) ♣ Continuous improvement: "a good compliance program should constantly evolve"

Reporting and Disclosure

♣ FCPA • No disclosure requirement • DOJ and SEC may give meaningful credit to companies that self-report • May be evidence of management's diligence ♣ Government Contracts • Mandatory disclosure rule requires disclosure when a company has "credible evidence" of: o A violation of certain procurement related laws or o A violation of the False Claims Act

When Screening a Third Party

♣ Gain an understanding of the third party and its background; ♣ Analyze the third party's business capabilities, reputation and risk areas; ♣ Inquire about the third party's anti-corruption compliance record as well as any relevant policies and procedures; ♣ Understand how the third party uses agents, subcontractors, intermediaries and/or business partners; ♣ Consider how the third party will be interacting with the government on the Company's behalf; ♣ Weigh any geographic risk factors.

Risk Management Program

♣ Looks at all potential risks and asks how to address each ♣ Broader perspective than regular compliance ♣ Financial, compliance etc.

Company Culture

♣ What the actual fabric of the company looks like ♣ One of the most important things—often lost sight of ♣ Multidimensional

Geographic Risk Assessments

♣ What type of business is it? • Marketing, Retail, Government Contracting ♣ Where is it? • Different countries may pose higher or lower risks, even when engaging in the same type of business or transaction. • Be aware of your own subjective biases concerning risks associated with certain countries. ♣ What are your financial metrics in each market? • Revenue by market • Year over year change in revenue

