23 rd Annual ACFE Fraud Conference and Exhibition 4F: Compliance Challenges with Dodd-Frank Section 922 Orlando, FL June 17 22, 2012 Presentation by Shruti Shah Senior Policy Director, Transparency International USA
Today s Discussion Dodd-Frank Act Section 922 of the Dodd-Frank Act: The Whistleblower Incentive Provision FCPA Implications How to Encourage Internal Reporting Implications for Corporate Compliance Programs
Transparency International USA: Who Are We? Most known for our Corruption Perception Index We work with: The government and businesses to strengthen anti-corruption laws and ensure enforcement Development agencies to ensure program integrity and encourage broader country reforms The private sector to strengthen standards and practice through tools, benchmarking, and advocacy
Key Points of the Dodd-Frank Act 2008 recession Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) passed into law in July 2010 Most significant changes in financial reform since the Great Depression Requirements for companies in the oil and gas sector to report payments to governments Disclosure and due diligence requirements for companies that use conflict minerals
Section 922: The Whistleblower Provision Incentives for whistleblowers Individuals who provide original information to the SEC might be eligible for an award Awards are possible if enforcement actions lead to monetary sanctions over $1 million Awards may be 10 30 percent of the total monetary sanctions
SEC Proposed Rules SEC proposed rules for the implementation of the whistleblower provision in November 2010 and opened a comment period. Reported more than 240 comment letters and about 1300 form letters during the review period. Most corporate concerns: Incentives will undermine internal reporting. Suggestion: The SEC should require whistleblowers to report violations internally to receive the award.
SEC Final Rules SEC final rules were approved in May 2011 and went into effect in August 2011. Whistleblowers are not required to report violations internally, though final rules attempt to incentivize internal reporting. If whistleblowers report internally and the company reports to the SEC, the individual might still be eligible for an award. Whistleblowers have 120 days after they report internally to report to the SEC and still be treated as having reported earlier. Reporting internally might increase the award.
FCPA Overview Enacted in 1977 as a result of voluntary disclosure by over 400 U.S. companies that they had made questionable payments to foreign officials FCPA has three basic provisions: 1. Anti-bribery provision It is a crime for any U.S. person or company to directly or indirectly pay or promise anything of value to any foreign official to obtain or retain any improper advantage.
2. Accounting requirement FCPA Overview Make and keep books, records, and accounts, which in reasonable detail, accurately reflect the transactions and dispositions of assets. Reasonable Such level of detail that would satisfy prudent officials in the conduct of their affairs. (No financial materiality test.) 3. Internal controls Devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that transactions are recorded appropriately and in accordance with rules and regulations.
Top Ten FCPA Settlements of All-Time 1 1. Siemens (Germany, 2008): $800 million 2. KBR/Halliburton (USA, 2009): $579 million 3. BAE (UK, 2010): $400 million 4. Snamprogetti Netherlands B.V./ENI S.p.A (Holland/Italy, 2010): $365 million 5. Technip S.A. (France, 2010): $338 million 6. JGC Corporation (Japan, 2011): $218.8 million 7. Daimler AG (Germany, 2010): $185 million 8. Alcatel-Lucent (France, 2010): $137 million 9. Magyar Telekom/Deutsche Telekom (Hungary/Germany, 2011): $95 million 10. Panalpina (Switzerland, 2010): $81.8 million 1. 2011 Enforcement Index, FCPA Blog, www.fcpablog.com/blog/2012/1/2/2011-enforcement-index.html
Foreign Corrupt Practices Act (FCPA) Implications Companies paid $508.6 million in penalties for FCPA-related charges in 2011. 1 Siemens AG paid $800 million in 2008. KBR/Halliburton paid $579 million in 2009. 10 30 percent of these sanctions would be significant. 1. 2011 Enforcement Index, FCPA Blog, www.fcpablog.com/blog/2012/1/2/2011-enforcement-index.html
Enforcement Against Individuals FCPA enforcement actions against individuals have increased. Joel Esquenazi, former president of Terra Telecommunications Corp., was sentenced to 15 years in prison in October 2011, the longest prison sentence ever for FCPA violations. Jeffrey Tesler, the UK agent who allegedly paid bribes in the TSKJ case, forfeited $149 million in 2011 as part of his plea deal. In 2009, SEC settled enforcement cases against the CEO and CFO of Nature Sunshine on the failure to supervise theory in their capacity as control persons.
SEC Report to Congress The SEC submitted its first report on the Whistleblower Program in Nov. 2011. (See handout.) Report covers period from Aug. 12 Sept. 30, 2011 13 tips related to FCPA 32 tips from foreign persons Sean McKessy, Chief of the Office of the Whistleblower, stated the quality of the tips has improved.
Reducing Penalties Companies are eligible for reduced penalties if they have a compliance program or if they self-report an FCPA violation, according to U.S. Sentencing Guidelines. Morgan Stanley and Garth Peterson, 2012 In April 2012, though the DOJ and SEC charged an individual, Peterson, with FCPA violations, they declined to prosecute or charge his employer, Morgan Stanley, given its strong compliance program. There is now a race to beat the whistleblower. Companies have started reviewing their compliance programs to encourage internal reporting.
How to Encourage Internal Reporting
Corporate Compliance Programs Elements recommended as part of a corporate compliance program: Company culture and tone at the top Clearly articulated anti-corruption policy Channels for reporting (hotline) and asking for guidance Risk assessment Communication and training Strong anti-corruption controls Due diligence procedures for mergers and acquisitions Monitoring of the program
Revisit Corporate Culture Company values should be emphasized and integrated in company decisions. Several FCPA settlements reference corporate cultures that tolerated or even rewarded bribery. Senior management should show strong commitment to corporate policy and support compliance efforts. The compliance function should be adequately and appropriately funded. SIEMENS: settled in 2008; penalties: $800 million SEC complaint: Tone at the top created a corporate culture in which bribery was tolerated and even rewarded at the highest levels of the company.
Revisit Corporate Culture Tone at the middle is equally important: Management support must continue throughout the organization. Provide autonomy for executives responsible for compliance and direct reporting lines to independent monitoring. Ethics and compliance officers should work with other departments besides just legal (i.e., HR, corporate communications, environmental and social responsibility). Ensure employees feel the company values integrity.
Improve Channels for Reporting and Guidance Hotline should be available to all, in local languages if appropriate Multiple channels for reporting open to all, including business partners Anonymous reporting without fear of retribution and complaints dealt with in confidential, professional, timely manner Provide channels to receive guidance when faced with ethical dilemmas
Improve Communication about Reporting Communicate the existence of the hotline and give assurances of confidentiality and non-retaliation Provide descriptions and scenarios of when to use reporting channels Provide guidance to ensure complaints include necessary information Consider communication in smaller groups, such as through small town hall meetings Some companies have started posting 3 4 minute scenario-based video clips on Intranet sites.
Implications for Corporate Compliance Programs
Enhance Your Risk Assessment Risk assessment is the first step in developing an anti-corruption compliance program. Assessments should be tailored to the company. Risk assessments should be reviewed in a comprehensive and recurring manner, and should be re-reviewed when circumstances change. They should include input from various disciplines and levels of management.
Enhance Your Risk Assessment Anti-corruption risk assessments should be undertaken at the company and business unit levels. Risk assessments should focus on: Nature of the business Countries of operation Interaction with government officials and stateowned enterprises (SOEs) Use of agents and intermediaries Sales to the government or SOEs Companies should identify controls in place to address risk, identify the gaps in controls, and address them.
Company Level Risk Assessments What is the size of the company, its structure, and nature of its business? Is there a history of compliance issues? Does the company conduct business in higher risk areas? What is the nature of business in each location? Is the company business exposed to government officials? Does the company use sales agents? Does the company sell to the government or stateowned enterprises? What is the current company compliance structure?
Business Unit Risk Assessments What is the size, nature, and total sales of the business? Does the unit sell to the government or state-owned enterprises? Does the unit use sales agents, and what is the volume of sales through agents? Are there joint ventures present, and does the company have a majority or minority interest? What are the manufacturing locations and licenses/permits associated? What are points of interaction with the government? What control deficiencies have been identified in the past?
Implementing Anti-Corruption Controls Strong controls are a defense against corruption. Controls generally include approvals, authorizations, verifications, reconciliations, segregation of duties, etc. Increase financial controls in high-risk countries and for high-risk areas.
Common Ways of Paying Bribes Using cash/petty cash Gifts or expensive meals for govt. officials DIAGEO: settled 2007; penalties: $16 million Diageo settled with SEC for almost $2.4 million in gifts and bribes given to win business in South Korea, Thailand, and India. In Korea, it included $64,184 in rice cake payments (cash or gift certificates ranging between $100 and $300 per recipient). Paying bribes through agents/intermediaries
Common Ways of Paying Bribes Paying for expensive trips for govt. officials under the guise of training, visiting headquarters, or product demonstration LUCENT: settled 2007; penalties: $2.5 million The Disneyland case settled with the SEC and DOJ for travel and leisure trips for government officials. Giving money to charities whose boards include govt. officials SCHERING PLOUGH: settled 2004; penalties: $500,000 Settled with SEC for donations to charitable foundation run by government official to win business.
Implementing Controls Increase controls around bank accounts, petty cash, approvals, and payments to vendors, high-risk transactions. Petty cash in particular should have controls (i.e., additional documentation requirements and stringent review process for reimbursement). Additional controls should be in place where there is a custom of entertaining govt. officials.
Implementing Controls Controllers and accounts payable personnel should be trained to recognize false flags. Controls should be audited regularly for effectiveness. Controls adequate for Sarbanes-Oxley purposes might not be adequate as corruption controls since there is no materiality requirement for improper payments. Small bribes can lead to books and records violations VERAZ NETWORKS: settled 2010; penalties: $300,000 Total bribes of $40,000 leading to much higher penalties. In addition, Veraz reported paying $2.5 million in investigation costs. SEC claimed Veraz failed to maintain proper internal controls.
Third-Party Due Diligence Every FCPA case in 2011 involved bribes paid through third parties. FCPA prohibits corrupt payments through intermediaries or third parties. ALCATEL: pleaded guilty 2010; penalties: $137 million Pleaded guilty to SEC and DOJ on charges of bribing officials through third parties in Costa Rica, Honduras, Malaysia, and Taiwan. The knowing standard for anti-bribery includes conscious disregard and deliberate ignorance. It is important to know your business partners and conduct thorough due diligence.
Third-Party Due Diligence Organizations are at risk of FCPA violations if it can be proven they had knowledge of the violation or did not implement a duediligence program for their business partners. Organizations may be entitled to credit under Federal Sentencing Guidelines if they have a due diligence program, even if a business partner paid a bribe.
Third-Party Due Diligence Third-party due diligence programs should be based on risk assessment. Companies should create risk profiles for their business partners, and this will guide the due diligence process.
Qualities to Review in Third-Party Business Partners Overall reputation, reputation with U.S. Embassy, and local reputation Ties to politically-exposed persons/state-owned enterprises Qualifications for performing the task and necessity of using a third party Compensation to the third party is commensurate with market rates Composition of their clientele and key relationships Existing adherence to an anti-corruption policy Cooperation in due diligence exercises
Red Flags in Third-Party Due Diligence Recommendations to use the third party by govt. officials Unusual payment patterns, particularly in offshore accounts History of violations or bribery by the third party Existence of legal cases involving the third party High commissions to agents in excess of market rates Lack of transparency in expenses and accounting
Third-Party Due Diligence Contracts with third parties should include audit rights. Third-party contracts should be centrally located and have appropriate warranties and representations. If companies take adequate steps and monitor third parties regularly, they will be able to uncover red flags sooner and take appropriate action.
Due Diligence for Mergers and Acquisitions U.S. acquirers may be liable for successor liability (i.e., for acquired company s pre-acquisition bribery if the conduct continues post-acquisition). HALLIBURTON/KBR: pleaded guilty 2009; penalties: $402 million for KBR + $177 million for both Charged separately by SEC and DOJ. Halliburton acquired KBR in 1998 and spun it off in 2006, but bribes continued post-acquisition. Part of the TSKJ settlements adding up to $1.65 billion in penalties. The acquirer also risks reputational damage. Problems should be addressed, indemnified, and self-reported if necessary.
Due Diligence for Mergers and Acquisitions Companies should perform robust pre-acquisition due diligence. Corruption charges can erode the value in an investment, resulting in overpayment. ELANDIA INTERNATIONAL INC.: subsidiary pleaded guilty 2009; penalties: $2 million Latin Node pleaded guilty to DOJ charges for bribes paid before acquisition by elandia. elandia estimates purchase price for Latin Node was approximately $20.6 million in excess of fair value. Latin Node investment written off in 2009.
Issues to Consider for Pre-Acquisition Due Diligence Are there company operations in countries or industries with high corruption risk? Does the target sell to a foreign government? Is the target company owned or controlled by the govt., by PEPs, or by their relatives? Does the target use foreign government-issued licenses or permits? Is there a history of bribes or violations? What is the state of the target company s anticorruption program, training, and controls? How does the target monitor its program?
Procedures for Pre-Acquisition Due Diligence Document reviews related to target s anticorruption compliance program Transaction testing of compliance-sensitive accounts and high-risk transactions Evaluating the target s management team for corruption risks Incorporating anti-corruption compliance provisions in agreements Plans for integrating the acquired company
Monitoring Your Program Monitoring is one of the necessary steps to ensure a compliance program is operating effectively. Compliance assessments can uncover new risks and contribute to ongoing risk assessment. Companies have started conducting specialized FCPA/anti-corruption compliance audits separately from the internal audits.
Monitoring Your Program Purpose of FCPA compliance assessments is to measure existence and effectiveness of policies, as well as employees understanding and management s communication. Assessments review previous compliance audits, analyze financial data, perform transaction testing, review sales contracts and agreements with third parties, and interview management and employees.
Process for Anti-Corruption Compliance Audit Risk Assessment Should be risk-based, with locations of highest risk being assessed first. Data Collection Gather information before visiting the location such as organizational charts, sales, etc. Interviews At the site, interview employees outside of accounting, legal, and compliance (e.g. sales, operations, treasury).
Process for Anti-Corruption Compliance Audit Controls Testing Test controls such as approvals and authorizations limits, whether the segregation of duties was followed, etc. Transaction Testing Test compliance sensitive accounts such as travel, gifts, petty cash expenses, etc. If a problem is identified, consider digging deeper.
Real-Time Monitoring Companies have moved toward real-time monitoring as means of monitoring compliance. Use of data analytics as a means to identify particular risk traits for high-risk locations or vendors. Analytics can be used to search risky payments for red flags using keywords, etc. Cost-intensive and requires qualified personnel to analyze the exceptions.
Conclusion Increase in FCPA enforcement creates need for reevaluation of anti-corruption compliance programs. Existing policies might not be enough. Whistleblower incentives encourage direct reporting to the govt. Companies must work to prevent bribery or minimize costs of violations. Companies should review and revise their programs.
Thank You Shruti Shah Policy Director Transparency International USA sshah@transparency-usa.org