'Red Flags and Iceberg Tips'

Congress and the Department of Justice (DOJ) are driving home an important point: A company's central management is ultimately responsible for any criminal conduct by its business divisions and employees, and must therefore implement policies and procedures to ensure that it promptly discovers and corrects any potential violations.

The Sarbanes-Oxley Act requires 'up-the-ladder' reporting by and within a company's legal department of suspected violations of law, to ensure that central management becomes aware of material violations and remedies them. See Sarbanes-Oxley Act of 2002, ' 307, Pub. L. No. 107-204, 116 Stat. 745, 784. Meanwhile, the DOJ recently issued 'Principles of Federal Prosecution of Business Organizations.' (Available on the U.S. Department of Justice Web site at http://www.usdoj.gov/usao/eousa/foia_reading_room/usam/title9/crm00162.htm.)

The DOJ Principles explain that the likelihood a corporation will face criminal prosecution depends upon, among other things, 1) pervasiveness of criminal conduct within the corporation, including the extent to which central management was aware of and/or condoned any wrongdoing; 2) the corporation's history of criminal conduct; 3) the corporation's timely and voluntary and disclosure of wrongdoing and willingness to cooperate; 4) the existence and adequacy of compliance programs; and 5) the corporation's remedial efforts, including discipline of responsible individuals. Taken together, these factors make clear that central management must quickly come to grips with any criminal violation, and that it will ultimately bear the responsibility for the failure to do so.

The increased requirement of centralized accountability created by Sarbanes-Oxley (and further emphasized by the DOJ Principles) presents a particular problem for United States issuers with multi-national units and extensive overseas operations. For such corporations, the combination of widely dispersed, often decentralized operations and variations among the legal and cultural norms in which the corporations do business creates a significant risk that material violations of U.S. laws may not be reported to central management, and may therefore escape remediation.

Multinational businesses are especially vulnerable to violations of certain U.S. laws, such as the Foreign Corrupt Practices Act of 1977 (FCPA), 15 U.S.C. ” 78dd-1, et seq., and laws prohibiting money laundering. If enough such violations go unreported, there may arise the kind of 'pervasive' and unremediated wrongdoing that is almost certain to trigger the wrath of prosecutors and bring serious consequences for the company, its senior management and its attorneys.

Experience tells us that no one solution is right for all companies, but certain guideposts are useful in helping inside counsel evaluate how best to structure their compliance efforts. First, given the DOJ's emphasis on effective compliance programs and the overall importance of 'up-the-ladder' reporting, companies must promulgate written policies designed not only to prevent wrongdoing, but also to ensure that when bad acts occur, they are immediately reported to central management. Such policies must be articulated to employees (through training in their own language) and enforced through periodic audits and consistent discipline when violations occur. Second, once policies and procedures are in place and suspicious activities are detected, central management must play a role, along with outside counsel, in investigating and correcting those activities.

Once a red flag is found, central and local management each will want to supervise the investigation. Resolving competing claims to primary jurisdiction often presents difficult issues, and the 'right' answer may differ from company to company, country to country, and situation to situation. The proper assignment of responsibility depends on the facts of each case, including specific local or regional sensitivities, the propriety and effectiveness of local management's past conduct, and the ability of local management to carry out an 'independent' review, free of real or perceived conflicts of interest.

Important Areas for International Compliance Programs

Here are some practical suggestions, using the FCPA as an example.

• Record-keeping. The SEC has brought many cases involving the distortion of corporate books to conceal bribes in violation of the FCPA's strict record-keeping requirements. Almost invariably, the misreported activity relates to income that rolls up into consolidated financial statements. Such misstatements present a significant issue under U.S. (and often foreign) tax law, for bribes are not deductible business expenses. Even companies that are diligent about overseeing foreign operations often overlook the substantial legal exposure from inaccurate or incomplete record keeping. By issuing and enforcing clear policies, companies can reduce the risk. Such policies must be supplemented and enforced through periodic audits by trained forensic auditors, either internal or outside. They should require prompt, up-the-ladder reporting to the company's central compliance department as soon as any potential violation has been identified, thus permitting central involvement before additional investigative steps are taken.
• Cash generation. Whenever any business generates significant amounts of cash for use overseas, there exists a potential for abuse that a company must address through its policies and procedures. Obviously, ready access to company cash raises the risk that an employee may use it for improper purposes and also the risk that such us will be misdescribed (or not described) in company records.
• Entertainment. Lavish entertainment, particularly in certain parts of Asia, tends to be driven by local custom, but poses a substantive legal risk to U.S. companies and may tarnish their domestic image. Local bribery thresholds are often low in the countries where lavish entertainment is described as 'expected.' Nevertheless, excessive expenditures are not advisable, and sex clubs are naturally not good places to entertain for promotion of U.S. business. The distinction between public and commercial bribery carries little weight with U.S. enforcement authorities and courts. See United States v. Welch, 327 F.3d 1081 (10th Cir. 2003) (Salt Lake City Olympic bribery scandal). Local law and custom may encourage or turn a blind eye to extravagant entertainment (without an explicit quid pro quo) or even outright bribery. Under such circumstances, custom and fear of competitive disadvantage may generate resistance to and evasion of the internal policies or may make it more difficult for local management to punish violations. That is why centralized controls and reporting are essential.
• Sales incentives. A sensible compliance program must recognize that sales people will take risks to promote their business and close a deal. The most effective control structures monitor the use of personal funds as well as corporate funds, particularly in countries where relatively small dollars may bring large rewards. In all effective compliance programs, auditors of books and records should pay special attention to commissions paid to sales people and to any discounts or incentives that these sales people may offer to their customers.
• Sales representatives/distributors. In doing business abroad, many companies make extensive use of third parties, such as agents, consultants, sales representatives, and distributors. It is important to bear in mind that the use of such third parties ' even with an explicit disclaimer of any agency relationship ' does not provide a shield from liability under the FCPA or local law. As a result, doing business through agents, sales representatives, consultants, and distributors requires due diligence in their selection and oversight. Compensation arrangements based on a percentage of the value of a closed deal receive close scrutiny from enforcement agencies and should therefore be reviewed and approved for compliance. All agents should provide representations and warranties that they will adhere to the FCPA, local law, and to company policy, and that they will maintain proper books and records concerning their expenses and allow the company to review those records upon request. Official company policy should prohibit the retention of any agents who are foreign-government officials or who have close ties (particularly familial ties) to a foreign government.

'Red Flags and Iceberg Tips'

What is the best response when a local (foreign) business unit has reason to believe corporate policy and the FCPA/OECD may have been violated? It is prudent to have a mechanism for rapid consultation between local and central management and to use it before launching an investigation from the U.S. Local management, including the local legal team, speaks the language, knows the people, knows the customs, and will have easy access to witnesses and documents, as well as to forensic resources.

On the other hand, a centrally coordinated review may be essential if the suspect payments were large or frequent. Local management may appear to have a 'conflict' in investigating itself. More important, the key question under the FCPA and Sarbanes-Oxley is whether upper U.S. management is involved in the activity. While this question creates a potential conflict too, it also makes clear why central review is so important. The watchword in all of this is independence. Only a truly 'independent' review will satisfy the requirements of Sarbanes-Oxley and the DOJ standards today.

Independence does not mean that the review can only be conducted by outside auditors and/or counsel, but it requires, at a minimum, the active involvement of the central compliance department in determining whether a particular violation is 'material' and therefore worthy of additional investigation and/or reporting. In light of the potential cultural differences between local and central management ' and the resulting differences in the ways in which they may regard certain conduct ' eliminating local discretion will ensure that any required up-the-ladder reporting will be made.

In the most effective reviews, both local and central management ' business, audit, and legal ' work together with outside attorneys experienced in compliance and enforcement. Once the red flag is raised, a balance in approach is critical. Through consultation with experienced counsel, the most efficient use of forensic resources locally and internationally can be applied to maximize the company's ability to take corrective action. In this way, the company can satisfy its internal reporting obligations and also maximize the chances that any violations will be detected and remedied promptly, thereby placing it in the best possible position with respect to the DOJ, SEC, and any other prosecuting authorities.

Congress and the Department of Justice (DOJ) are driving home an important point: A company's central management is ultimately responsible for any criminal conduct by its business divisions and employees, and must therefore implement policies and procedures to ensure that it promptly discovers and corrects any potential violations.

The Sarbanes-Oxley Act requires 'up-the-ladder' reporting by and within a company's legal department of suspected violations of law, to ensure that central management becomes aware of material violations and remedies them. See Sarbanes-Oxley Act of 2002, ' 307, Pub. L. No. 107-204, 116 Stat. 745, 784. Meanwhile, the DOJ recently issued 'Principles of Federal Prosecution of Business Organizations.' (Available on the U.S. Department of Justice Web site at http://www.usdoj.gov/usao/eousa/foia_reading_room/usam/title9/crm00162.htm.)

The DOJ Principles explain that the likelihood a corporation will face criminal prosecution depends upon, among other things, 1) pervasiveness of criminal conduct within the corporation, including the extent to which central management was aware of and/or condoned any wrongdoing; 2) the corporation's history of criminal conduct; 3) the corporation's timely and voluntary and disclosure of wrongdoing and willingness to cooperate; 4) the existence and adequacy of compliance programs; and 5) the corporation's remedial efforts, including discipline of responsible individuals. Taken together, these factors make clear that central management must quickly come to grips with any criminal violation, and that it will ultimately bear the responsibility for the failure to do so.

The increased requirement of centralized accountability created by Sarbanes-Oxley (and further emphasized by the DOJ Principles) presents a particular problem for United States issuers with multi-national units and extensive overseas operations. For such corporations, the combination of widely dispersed, often decentralized operations and variations among the legal and cultural norms in which the corporations do business creates a significant risk that material violations of U.S. laws may not be reported to central management, and may therefore escape remediation.

Multinational businesses are especially vulnerable to violations of certain U.S. laws, such as the Foreign Corrupt Practices Act of 1977 (FCPA), 15 U.S.C. ” 78dd-1, et seq., and laws prohibiting money laundering. If enough such violations go unreported, there may arise the kind of 'pervasive' and unremediated wrongdoing that is almost certain to trigger the wrath of prosecutors and bring serious consequences for the company, its senior management and its attorneys.

Experience tells us that no one solution is right for all companies, but certain guideposts are useful in helping inside counsel evaluate how best to structure their compliance efforts. First, given the DOJ's emphasis on effective compliance programs and the overall importance of 'up-the-ladder' reporting, companies must promulgate written policies designed not only to prevent wrongdoing, but also to ensure that when bad acts occur, they are immediately reported to central management. Such policies must be articulated to employees (through training in their own language) and enforced through periodic audits and consistent discipline when violations occur. Second, once policies and procedures are in place and suspicious activities are detected, central management must play a role, along with outside counsel, in investigating and correcting those activities.

Once a red flag is found, central and local management each will want to supervise the investigation. Resolving competing claims to primary jurisdiction often presents difficult issues, and the 'right' answer may differ from company to company, country to country, and situation to situation. The proper assignment of responsibility depends on the facts of each case, including specific local or regional sensitivities, the propriety and effectiveness of local management's past conduct, and the ability of local management to carry out an 'independent' review, free of real or perceived conflicts of interest.

Important Areas for International Compliance Programs

Here are some practical suggestions, using the FCPA as an example.

• Record-keeping. The SEC has brought many cases involving the distortion of corporate books to conceal bribes in violation of the FCPA's strict record-keeping requirements. Almost invariably, the misreported activity relates to income that rolls up into consolidated financial statements. Such misstatements present a significant issue under U.S. (and often foreign) tax law, for bribes are not deductible business expenses. Even companies that are diligent about overseeing foreign operations often overlook the substantial legal exposure from inaccurate or incomplete record keeping. By issuing and enforcing clear policies, companies can reduce the risk. Such policies must be supplemented and enforced through periodic audits by trained forensic auditors, either internal or outside. They should require prompt, up-the-ladder reporting to the company's central compliance department as soon as any potential violation has been identified, thus permitting central involvement before additional investigative steps are taken.
• Cash generation. Whenever any business generates significant amounts of cash for use overseas, there exists a potential for abuse that a company must address through its policies and procedures. Obviously, ready access to company cash raises the risk that an employee may use it for improper purposes and also the risk that such us will be misdescribed (or not described) in company records.
• Entertainment. Lavish entertainment, particularly in certain parts of Asia, tends to be driven by local custom, but poses a substantive legal risk to U.S. companies and may tarnish their domestic image. Local bribery thresholds are often low in the countries where lavish entertainment is described as 'expected.' Nevertheless, excessive expenditures are not advisable, and sex clubs are naturally not good places to entertain for promotion of U.S. business. The distinction between public and commercial bribery carries little weight with U.S. enforcement authorities and courts. See United States v. Welch , 327 F.3d 1081 (10th Cir. 2003) (Salt Lake City Olympic bribery scandal). Local law and custom may encourage or turn a blind eye to extravagant entertainment (without an explicit quid pro quo) or even outright bribery. Under such circumstances, custom and fear of competitive disadvantage may generate resistance to and evasion of the internal policies or may make it more difficult for local management to punish violations. That is why centralized controls and reporting are essential.
• Sales incentives. A sensible compliance program must recognize that sales people will take risks to promote their business and close a deal. The most effective control structures monitor the use of personal funds as well as corporate funds, particularly in countries where relatively small dollars may bring large rewards. In all effective compliance programs, auditors of books and records should pay special attention to commissions paid to sales people and to any discounts or incentives that these sales people may offer to their customers.
• Sales representatives/distributors. In doing business abroad, many companies make extensive use of third parties, such as agents, consultants, sales representatives, and distributors. It is important to bear in mind that the use of such third parties ' even with an explicit disclaimer of any agency relationship ' does not provide a shield from liability under the FCPA or local law. As a result, doing business through agents, sales representatives, consultants, and distributors requires due diligence in their selection and oversight. Compensation arrangements based on a percentage of the value of a closed deal receive close scrutiny from enforcement agencies and should therefore be reviewed and approved for compliance. All agents should provide representations and warranties that they will adhere to the FCPA, local law, and to company policy, and that they will maintain proper books and records concerning their expenses and allow the company to review those records upon request. Official company policy should prohibit the retention of any agents who are foreign-government officials or who have close ties (particularly familial ties) to a foreign government.

'Red Flags and Iceberg Tips'

What is the best response when a local (foreign) business unit has reason to believe corporate policy and the FCPA/OECD may have been violated? It is prudent to have a mechanism for rapid consultation between local and central management and to use it before launching an investigation from the U.S. Local management, including the local legal team, speaks the language, knows the people, knows the customs, and will have easy access to witnesses and documents, as well as to forensic resources.

On the other hand, a centrally coordinated review may be essential if the suspect payments were large or frequent. Local management may appear to have a 'conflict' in investigating itself. More important, the key question under the FCPA and Sarbanes-Oxley is whether upper U.S. management is involved in the activity. While this question creates a potential conflict too, it also makes clear why central review is so important. The watchword in all of this is independence. Only a truly 'independent' review will satisfy the requirements of Sarbanes-Oxley and the DOJ standards today.

Independence does not mean that the review can only be conducted by outside auditors and/or counsel, but it requires, at a minimum, the active involvement of the central compliance department in determining whether a particular violation is 'material' and therefore worthy of additional investigation and/or reporting. In light of the potential cultural differences between local and central management ' and the resulting differences in the ways in which they may regard certain conduct ' eliminating local discretion will ensure that any required up-the-ladder reporting will be made.

In the most effective reviews, both local and central management ' business, audit, and legal ' work together with outside attorneys experienced in compliance and enforcement. Once the red flag is raised, a balance in approach is critical. Through consultation with experienced counsel, the most efficient use of forensic resources locally and internationally can be applied to maximize the company's ability to take corrective action. In this way, the company can satisfy its internal reporting obligations and also maximize the chances that any violations will be detected and remedied promptly, thereby placing it in the best possible position with respect to the DOJ, SEC, and any other prosecuting authorities.