Compliance Tips from Deferred Prosecution Agreements

One answer to the problem of limited resources is for companies to target their efforts to address those potential weaknesses particular to their businesses. As the Thompson Memorandum puts it, compliance programs should be 'designed to detect the particular types of misconduct most likely to occur in a particular corporation's line of business.' Recent DPAs and non-prosecution agreements (NPAs) provide guidance as to what types of reforms would be best employed by which types of businesses.

For example, KPMG, in the DPA discussed elsewhere in this issue, agreed to adopt a 'permanent educational and training program relating to the laws and ethics governing the work of KPMG's partners and employees, paying particular attention to practice areas that pose high risks, including the determination whether transactions in which KPMG and its clients are involved constitute 'reportable transactions' within the meaning of 26 C.F.R. ' 1.6011-4(b) ' ' If you are devising a training program for an accounting firm, KPMG's DPA can help you focus the curriculum.

Computer Associates, charged with securities fraud offenses involving, among other things, improperly accounting for software license revenue, agreed in its September 2004 DPA to 'implement best practices with respect to the recognition of software license revenue including enhanced quarter-end contract cut-off procedures.' A software company may wish to consider a set of best practices relating to contract cut-off procedures.

In June 2005, Bristol-Myers Squibb (BMS) entered into a DPA in connection with being charged with securities fraud by failing to disclose 'channel stuffing.' Specifically, BMS was alleged to have promised two major wholesalers a guaranteed profit in exchange for purchasing more product from BMS than the wholesalers could sell while including the full amount of the sales as revenue in its financials. The DPA required BMS to monitor and disclose very precise information relating to its distribution of pharmaceuticals from the beginning (wholesalers) to the end (patients). Specifically, the DPA required BMS to include the following information for certain products in its annual report and in its filings with the SEC: 1) wholesale inventory levels; 2) efforts by BMS to control and monitor wholesale inventory levels; and 3) data concerning prescriptions or other measures of end-user demand. Although this type of information is not ordinarily disclosed in financials, a pharmaceutical company could consider pro-actively including such information. The disclosures would provide greater transparency that could head off a successful shareholder suit or SEC investigation.

In NPAs entered into with the Enron Task Force, both the Canadian Imperial Bank of Commerce (CIBC) and Merrill Lynch agreed to establish committees charged with reviewing complex structured finance transactions and signing off on them before the companies undertook them. Speci-fically included are all transactions about which 'a known or believed material objective' is to achieve a particular accounting or tax treatment and any transaction where there is 'material uncertainty' about the legal or regulatory treatment. The CIBC NPA also required that no such transaction be undertaken without approval of 'all of the Heads of group as well as the senior business head(s) proposing the transaction.' 'Heads of group' was defined as the heads of risk management, legal, compliance, accounting, finance, tax and credit. An investment bank designing a compliance program might take a cue from this NPA and establish committees with similar protocols for review of all non-routine structured finance transactions. The company might also include an independent director in such a committee, as was required by the BMS DPA.

DPAs and NPAs are not the only places to look for guidance. SEC settlements can be mined as well. In June 2005, the U.S. Attorney for the Southern District of New York announced that it had decided not to prosecute Royal Dutch Petroleum Company and The Shell Transport and Trading Company PLC (Shell) for Shell's overstatement of its proved hydrocarbon reserves. The decision was based in part on Shell's agreement with the SEC 'to take substantial remedial actions to enhance the accuracy of its reserves reporting and compliance,' including adding several new layers of review of reported reserves, more frequent and detailed audits, and the 'systematic and consistent use of external reserves experts in the audit process.' If you are a general counsel or chief compliance officer for a gas, petroleum or mining company, the reforms required under this consent decree are worth considering.

Recent agreements have also required companies to provide their employees with compliance training specifically addressing high-risk areas particular to their business. Monsanto, which was charged with a violation of the Foreign Corrupt Practices Act (FCPA) in relation to payments made to a senior Indonesian Ministry of Environment official, agreed to provide training regarding the FCPA not just to its officers and employees but also to its 'agents, consultants, or other representatives retained in connection with foreign business, as well as contractors and sub-contractors for projects for foreign governments or public international organizations, or instrumentalities' thereof.

The Merrill Lynch NPA also requires training specific to the industry, including training about 'transactions where there is significant uncertainty with regard to the legal or regulatory treatment of the proposed transaction; transactions with pre-agreed profit/loss sharing or return on equity/return on investment arrangements with the counter-party; transactions known to be effected as a result of or in connection with changes to accounting principles or standards, and transactions with back-to-back (circular) cash flows between ML and the Third Party or its special purpose entity.'

Although global detailed training can be costly, it would be worth the expense if it saves a company from prosecution.

General Compliance Programs Tips

Not all DPA terms are specific to the industry involved. For example, both Symbol Technologies, in its June 2004 NPA, and Computer Associates (CA) in its DPA agreed to establish Disclosure Committees composed of their highest level executives, including their Chief Executive Officers, 'that meet and confer ' prior to significant filings with the SEC and the issuance of significant press releases.' Any company could consider implementing such a committee.

Other general reforms required in the Computer Associates DPA included: 1) establishing a Compliance Committee of the Board of Directors to examine the company's Internal Audit, Legal and Finance Departments; 2) reporting its compliance efforts 'on CA's Web site and in each annual proxy statement mailed to CA shareholders'; and 3) amending CA's senior executive performance-based compensation plans to add a compliance component. Committees modeled on those in the Symbol and CA agreements might head off trouble in the future and, should a problem nevertheless arise, the company would be able to point to the government's imprimatur on its compliance program.

Improved Compliance Reporting Mechanisms

DPAs can also show how to establish effective mechanisms for channeling compliance-related concerns. The Thompson Memo provides that, in evaluating whether a compliance program is designed for 'maximum effectiveness,' the prosecutor must determine whether the corporation's employees are 'adequately informed about the compliance program.' The recent DPAs and NPAs provide guidance about how a company can ensure that its employees understand their compliance-related obligations and know how to spot potential problems. They also show ways to put an effective mechanism in place for channeling employee concerns.

For example, both CIBC and Merrill Lynch agreed in their NPAs to develop Policy and Approval Process Web sites that are interactive, allowing for questions and answers. The Websites articulate company policies about high-risk transactions and the required approval processes. Hotlines for anonymous reporting were also required. BMS, CA, KPMG, and Monsanto (all agreed to establish a confidential e-mail address and/or telephone hotline).

In sum, DPAs and NPAs present a government-approved checklist to ward off trouble or provide potential defenses when trouble strikes.

Jacqueline C. Wolff, a member of this newsletter's Board of Editors, is a former federal prosecutor and of counsel to Covington & Burling. Kate Greenwood is an associate in the Litigation Department of the firm.

In recent years, increasing numbers of large corporations have, in the hope of avoiding a conviction and all the ramifications a conviction entails, entered into Deferred Prosecution Agreements (DPAs) with the Department of Justice (DOJ). Much has been written about the lack of bargaining power companies have in negotiating these deals, and about the onerous nature of some of their terms. In this article, we suggest that companies can use the DPAs entered into by others to their advantage by treating them as guides to assist them in formulating their own compliance programs. Not only should this result in strengthened programs, but should a compliance problem nevertheless arise, having a 'government-issued' program in place could provide a company with a strong argument that it has done the most it can in formulating an effective program and hence should not be subject to prosecution.

Reforms Specific to Industry Sectors

Under the January 2003 DOJ memorandum entitled 'Principles of Federal Prosecution of Business Organizations,' better known as the Thompson Memorandum, one element the DOJ considers when evaluating whether to indict a corporation is whether the corporation's compliance program is 'adequately designed for maximum effectiveness.' How can one determine whether a compliance program is designed for maximum effectiveness? Resources are not unlimited, and a company needs to determine which of the myriad of different compliance mechanisms available should be put into place.

One answer to the problem of limited resources is for companies to target their efforts to address those potential weaknesses particular to their businesses. As the Thompson Memorandum puts it, compliance programs should be 'designed to detect the particular types of misconduct most likely to occur in a particular corporation's line of business.' Recent DPAs and non-prosecution agreements (NPAs) provide guidance as to what types of reforms would be best employed by which types of businesses.

For example, KPMG, in the DPA discussed elsewhere in this issue, agreed to adopt a 'permanent educational and training program relating to the laws and ethics governing the work of KPMG's partners and employees, paying particular attention to practice areas that pose high risks, including the determination whether transactions in which KPMG and its clients are involved constitute 'reportable transactions' within the meaning of 26 C.F.R. ' 1.6011-4(b) ' ' If you are devising a training program for an accounting firm, KPMG's DPA can help you focus the curriculum.

Computer Associates, charged with securities fraud offenses involving, among other things, improperly accounting for software license revenue, agreed in its September 2004 DPA to 'implement best practices with respect to the recognition of software license revenue including enhanced quarter-end contract cut-off procedures.' A software company may wish to consider a set of best practices relating to contract cut-off procedures.

In June 2005, Bristol-Myers Squibb (BMS) entered into a DPA in connection with being charged with securities fraud by failing to disclose 'channel stuffing.' Specifically, BMS was alleged to have promised two major wholesalers a guaranteed profit in exchange for purchasing more product from BMS than the wholesalers could sell while including the full amount of the sales as revenue in its financials. The DPA required BMS to monitor and disclose very precise information relating to its distribution of pharmaceuticals from the beginning (wholesalers) to the end (patients). Specifically, the DPA required BMS to include the following information for certain products in its annual report and in its filings with the SEC: 1) wholesale inventory levels; 2) efforts by BMS to control and monitor wholesale inventory levels; and 3) data concerning prescriptions or other measures of end-user demand. Although this type of information is not ordinarily disclosed in financials, a pharmaceutical company could consider pro-actively including such information. The disclosures would provide greater transparency that could head off a successful shareholder suit or SEC investigation.

In NPAs entered into with the Enron Task Force, both the Canadian Imperial Bank of Commerce (CIBC) and Merrill Lynch agreed to establish committees charged with reviewing complex structured finance transactions and signing off on them before the companies undertook them. Speci-fically included are all transactions about which 'a known or believed material objective' is to achieve a particular accounting or tax treatment and any transaction where there is 'material uncertainty' about the legal or regulatory treatment. The CIBC NPA also required that no such transaction be undertaken without approval of 'all of the Heads of group as well as the senior business head(s) proposing the transaction.' 'Heads of group' was defined as the heads of risk management, legal, compliance, accounting, finance, tax and credit. An investment bank designing a compliance program might take a cue from this NPA and establish committees with similar protocols for review of all non-routine structured finance transactions. The company might also include an independent director in such a committee, as was required by the BMS DPA.

DPAs and NPAs are not the only places to look for guidance. SEC settlements can be mined as well. In June 2005, the U.S. Attorney for the Southern District of New York announced that it had decided not to prosecute Royal Dutch Petroleum Company and The Shell Transport and Trading Company PLC (Shell) for Shell's overstatement of its proved hydrocarbon reserves. The decision was based in part on Shell's agreement with the SEC 'to take substantial remedial actions to enhance the accuracy of its reserves reporting and compliance,' including adding several new layers of review of reported reserves, more frequent and detailed audits, and the 'systematic and consistent use of external reserves experts in the audit process.' If you are a general counsel or chief compliance officer for a gas, petroleum or mining company, the reforms required under this consent decree are worth considering.

Recent agreements have also required companies to provide their employees with compliance training specifically addressing high-risk areas particular to their business. Monsanto, which was charged with a violation of the Foreign Corrupt Practices Act (FCPA) in relation to payments made to a senior Indonesian Ministry of Environment official, agreed to provide training regarding the FCPA not just to its officers and employees but also to its 'agents, consultants, or other representatives retained in connection with foreign business, as well as contractors and sub-contractors for projects for foreign governments or public international organizations, or instrumentalities' thereof.

The Merrill Lynch NPA also requires training specific to the industry, including training about 'transactions where there is significant uncertainty with regard to the legal or regulatory treatment of the proposed transaction; transactions with pre-agreed profit/loss sharing or return on equity/return on investment arrangements with the counter-party; transactions known to be effected as a result of or in connection with changes to accounting principles or standards, and transactions with back-to-back (circular) cash flows between ML and the Third Party or its special purpose entity.'

Although global detailed training can be costly, it would be worth the expense if it saves a company from prosecution.

General Compliance Programs Tips

Not all DPA terms are specific to the industry involved. For example, both Symbol Technologies, in its June 2004 NPA, and Computer Associates (CA) in its DPA agreed to establish Disclosure Committees composed of their highest level executives, including their Chief Executive Officers, 'that meet and confer ' prior to significant filings with the SEC and the issuance of significant press releases.' Any company could consider implementing such a committee.

Other general reforms required in the Computer Associates DPA included: 1) establishing a Compliance Committee of the Board of Directors to examine the company's Internal Audit, Legal and Finance Departments; 2) reporting its compliance efforts 'on CA's Web site and in each annual proxy statement mailed to CA shareholders'; and 3) amending CA's senior executive performance-based compensation plans to add a compliance component. Committees modeled on those in the Symbol and CA agreements might head off trouble in the future and, should a problem nevertheless arise, the company would be able to point to the government's imprimatur on its compliance program.

Improved Compliance Reporting Mechanisms

DPAs can also show how to establish effective mechanisms for channeling compliance-related concerns. The Thompson Memo provides that, in evaluating whether a compliance program is designed for 'maximum effectiveness,' the prosecutor must determine whether the corporation's employees are 'adequately informed about the compliance program.' The recent DPAs and NPAs provide guidance about how a company can ensure that its employees understand their compliance-related obligations and know how to spot potential problems. They also show ways to put an effective mechanism in place for channeling employee concerns.

For example, both CIBC and Merrill Lynch agreed in their NPAs to develop Policy and Approval Process Web sites that are interactive, allowing for questions and answers. The Websites articulate company policies about high-risk transactions and the required approval processes. Hotlines for anonymous reporting were also required. BMS, CA, KPMG, and Monsanto (all agreed to establish a confidential e-mail address and/or telephone hotline).

In sum, DPAs and NPAs present a government-approved checklist to ward off trouble or provide potential defenses when trouble strikes.

Jacqueline C. Wolff, a member of this newsletter's Board of Editors, is a former federal prosecutor and of counsel to Covington & Burling. Kate Greenwood is an associate in the Litigation Department of the firm.