International Client Advisory up Close with the SEC and DOJ: Tackling the Most Pertinent Anti-Corruption Compliance Questions

International Client Advisory Up Close with the SEC and DOJ: Tackling the Most Pertinent Anti-Corruption Compliance Questions

03.26.14

On March 20, 2014, Miller & Chevalier's Dave Resnicoff moderated an interactive panel with Jeffrey Knox, Chief of the Fraud Section for the U.S. Department of Justice (DOJ), and Charles Cain, Assistant Director, Foreign Corrupt Practices Act (FCPA) Unit, at the U.S. Securities and Exchange Commission (SEC). The panel was part of Momentum's Global Anti-Corruption Conference at the Monaco Hotel in Washington, DC. Though informal, the discussion was frank and wide-ranging, and we thought it would be helpful to our clients and friends for us to share it. Below is a summary of the panel exchange based on our notes of the discussion.

I. PROGRAM & POLICY ISSUES

Experience with the FCPA Resource Guide. Now more than a year since publication, what are your views on the impact of the Guide, both internally and externally? In practice, have you received any negative feedback or suggestions for enhancement? Are there plans in this regard? Is there a "Keeper" of the Guide?

Mr. Cain:

• I think it has been a positive development, both internally and externally.

• Externally, anecdotally, I constantly hear from professionals that they find it to be a useful tool in developing their compliance programs, the explanations, hypotheticals and otherwise. It is a useful window into what the government is thinking. It helps them to focus on the critical issues.

• Internally, the Guide has been useful as well, particularly for prosecutors with less FCPA-related experience.

• I don't expect to see a revision of the Guide anytime soon. I like to think we've covered that ground. And as great a relationship as we have with the DOJ, co-authoring the Guide was a once-in-a- lifetime event. For now we will use speeches and platforms like this conference to supplement the Guide and help get issues out or address new issues. Perhaps we could release a new edition of the Guide in five to ten years.

• There is not a keeper of the Guide -- there were two to three of us that worked closely to draft it.

Mr. Knox:

• There is no keeper of the Guide at the DOJ either. The Guide came out in 2012. Since then, we have had the opportunity to meet with CEOs, CCOs, and other business leaders, etc. By and large, the response has been overwhelmingly positive. From my perspective, the Guide has several

1. To provide a detailed, comprehensive description of law;

2. To articulate what our priorities are and what they are not; and

3. To give the general public and business community a better sense of how we make charging decisions -- how we exercise our discretion.

• In the lead-up to the Guide, there was lot of bad information out there and false impressions given on how we do what we do and what we focus on (e.g., taxi rides to the airport, a cup of coffee). We never did that, and practitioners knew that, but there nevertheless appeared to be a good faith misimpression out there. The Guide helped to dispel that. By and large, it has been very well- received.

• The one exception is criticism in the area of declinations. There is a desire among counsel and companies for the DOJ to give greater insight on the number and types of declination decisions it makes and specifics on how. In the past, we have said that we've declined dozens of cases, and in the Guide we gave six examples. But there seems to be a yearning for more. When we have the opportunity to announce declinations, we do, but there is a longstanding policy that we do not proactively publicize declination decisions absent the consent of the companies involved. And 99 times out of 100, companies, unless the issues were somehow publicly disclosed, do not want the discovery of criminal conduct publicized, so it is not something we do.

• In terms of disclosing the number of declinations, how many we provide, I personally don't think that number is significant. Sometimes we decline cases because there was no criminal conduct. Other times, it is in recognition of a strong compliance program and cooperation. The number of declination decisions alone isn't really that informative. What you really need are specifics on cases. For that, anonymized discussions can help, but they are fact specific. I think companies would be better off consulting the principles of federal prosecution of business organizations and the factors we rely on in making charging decisions. That is the best you are going to get. Generalized statements will not help much.

SEC Whistleblower Program. Upon establishment of the SEC's whistleblower program many Chief Compliance Officers were concerned that the program would undermine the internal reporting and investigation programs that are so central to the functioning of their compliance programs. Now, more than a year down the road, do you see signs that their fear has materialized? Are you seeing complaints not getting raised internally? Have you given thought to keeping metrics on the extent to which SEC whistleblowers have previously reported internally?

Mr. Cain:

• I have not seen this. In the FCPA context, the tips that have come in thus far have pretty uniformly been raised with the company first. Typically, notifying the SEC is almost the last thing a whistleblower does. Most whistleblowers are not motivated by the payout, they just don't feel their concerns are being taken seriously or do not think the actions taken in response were proper. That is why they bring these issues forward. This may not prove to be the case over time, but that is my experience. I can't think of a situation where a company has said, "We wish they'd come to us first, we hadn't heard of that issue."

© Miller & Chevalier Chartered 655 Fifteenth Street, N.W., Suite 900 • Washington, D.C. 20005-5701 • 202-626-5800 • 202-626-5801 FAX • millerchevalier.com • [Regarding keeping metrics on this issue], it is not something we have thought about, but it is something we could consider. To this point, there have been no payouts to a whistleblower in connection with an FCPA matter. We'll have to think about how to keep formal track of such metrics.

Regional Offices. In the past few years we've seen greater involvement in FCPA prosecutions by U.S. Attorney's Offices and the SEC Regional Offices. Should we expect that trend to continue? Will we see U.S. Attorney's Offices taking the lead on these cases?

Mr. Knox:

• I don't see the Assistant U.S. Attorneys (AUSAs) taking the lead. In most cases, we will team up with AUSAs in the most sensible manner. We have a fair number of prosecutors in the Fraud Section's FCPA unit, but it is always great to tap into the resources of the AUSAs and their experience. I've found that the optimal model is to have the Fraud Section prosecutor team up with the relevant AUSA and pursue the case together. As a general matter, we do not farm out FCPA cases, but we often have an equal partnership.

• [Whether a partnership is established at inception] is based on a case-by-case assessment. There are times when you have no natural or obvious AUSA partner at the conception of an investigation. In that case, the Fraud Section may hang on to it and collaborate instead with the Federal Bureau of Investigation (FBI) and SEC and, possibly, foreign authorities. If at some point it makes sense to bring an AUSA into the case, we will. It is not likely that we will pursue a case ourselves and then, at the one-yard line, call the AUSA and ask if we can bring the case in his or her district. This rarely happens. Whether we bring the AUSA in on day one or day 90, however, depends on the circumstances.

Mr. Cain:

• We have been utilizing our regional offices and are going to continue. We have a different model from the DOJ. The DOJ is literally everywhere, whereas we have only six regional offices. Each of those offices, however, has relationships with the local AUSAs in their regions. There is a natural synergy to reach out to the local AUSA they have been working with on other matters through a confluence of events. I think you are going to see a greater partnership between the SEC and AUSAs.

II. COMPLIANCE ISSUES

Board Involvement. What are your views on the degree to which Board and Audit Committee members should involve themselves in the compliance program?

Mr. Cain:

• [Proper level of Board involvement] is a complicated question. My personal view is formed from what I've seen in investigations. Some of the companies I've seen with the most successful compliance programs have a Chief Compliance Officer (CCO) who reports to the head of audit committee and an audit committee that is actively interested and engaged. They are not involved in

© Miller & Chevalier Chartered 655 Fifteenth Street, N.W., Suite 900 • Washington, D.C. 20005-5701 • 202-626-5800 • 202-626-5801 FAX • millerchevalier.com all compliance decisions, but in terms of tone-setting and culture, they help lead to success.

• No examples readily come to mind [in terms of deficient Board involvement]. There have been instances where, after an internal audit or an investigation identified red flags, no (or insufficient) action was taken, but I would not want to read too much into specific situations.

Mr. Knox:

• One well-known example that comes to mind is Siemens. We actually charged a Board member. The indictment includes page after page of failures at the Board and Audit Committee level. First, failure to implement a compliance program, and then, after the program was implemented, failure to enforce. There was evidence of massive corruption worldwide and when it surfaced at the Board and Audit level, management swept it under the rug. They were more concerned with the reputation of the company than the prevention of the misconduct.

• The FCPA Guide and Sentencing Guidelines make clear that the Board and Audit Committee should have a role in compliance -- at least an oversight role. High-level executives should be responsible for managing the compliance program, and, at the day-to-day level, the program should be administered by employees with autonomy from local management and with a direct reporting line to senior management and then to the audit committee. This is standard and is set forth in both the FCPA Guide and the Sentencing Guidelines.

• Most examples [of effective Board involvement] that are coming to mind are matters that we have declined and haven't spoken publicly about. Morgan Stanley, however, is an example of a good compliance program and positive top-down tone -- not just "check the box." We want to see a compliance officer really trying to understand and to get to the bottom of issues, even if it results in the loss of business.

Small-Cap, Mid-Cap Budget Issues. Many small- and mid-cap companies have substantial international operations, operating through perhaps scores of agents and distributors, but have none of the resources of larger companies for training, monitoring, and auditing. What have you seen in the way of best practices among smaller companies to create effective global compliance programs? How do you suggest they approach this conundrum?

Mr. Cain:

• We made a pretty clear distinction in the Guide. There are hallmarks of a good compliance program, but we also recognize that companies are different sizes with different resources. But they still need to find ways to manage risk. There are small and mid-size companies that do it successfully.

• I can't give specific examples how, but it generally involves the creative use of existing resources. While not the same as big companies, they are addressing the same risks and need to be creative. They need to make it a standard part of business. If compliance is part of the culture, the compliance program overlay doesn't need to be as big.

Mr. Knox:

© Miller & Chevalier Chartered 655 Fifteenth Street, N.W., Suite 900 • Washington, D.C. 20005-5701 • 202-626-5800 • 202-626-5801 FAX • millerchevalier.com • I would bet that in the overwhelming majority of cases where we have pursued actions against small companies, setting aside the prosecution of individuals and focusing only whether we take action against the smaller companies themselves, in the overwhelming majority of cases there was senior level involvement. It is very rare to have low-level employees of a small company engaging in bribery that senior management was unaware of or did not turn blind eye to. As a general matter, we tend not to pursue small companies absent senior management involvement. That is not to say we wouldn't ever -- it is always a fact-specific determination -- but smaller companies generally do not have the same resources and the compliance program expectations are different. Applying the nine factors from the principles of federal prosecution, we take into account the size of a company, the resources available, and assess whether, based on that: Were the actions taken reasonable? Was there management involvement? Was the misconduct pervasive? What is the culture of the company?

• As for practical advice on how small companies can manage 300-400 distributors -- it is a bit out of my lane to give advice here -- but I would say the same thing that I say to large companies: ask compliance-focused questions of the distributor. For instance, is the distributor qualified? Is distributor involved at the request of an official or otherwise connected to an official? Is it a high-risk market? Are there offshore payments? Is it an offshore company? The more boxes you check off, the more risk you are taking on. These are signs you should dig deeper.

Role of Internal Audit. Please comment on the degree to which you see the performance of internal audit factor into ultimate prosecutorial decisions by the government.

Mr. Knox:

• From my perspective, internal audit can be a huge help or, if it is not doing its job, can open a company up to major exposure. If internal audit is asleep at the switch, isolated conduct on day one can become pervasive over time because internal audit is not responding to risks year in and year out.

• For example, an enforcement action from a couple of years ago, Biomet, is a story of failed internal audit controls. The case involved payments to doctors, surgeons, and healthcare professionals in Argentina, Brazil, and China. The head of internal audit first learned of issues in Brazil in 2001. The audit report submitted to management mentioned that many payments to doctors looked like kickbacks. Nothing happened, however. There was another report the next year, and again nothing happened. There were similar reports coming out of Argentina in 2004, and again nothing happened. And then in China, and again nothing happened. It wasn't until 2007 or 2008 that outside counsel was brought in and the conduct stopped. Because of these internal audit failures, potentially isolated conduct in 2001 -- conduct that I suspect we would not have been interested in pursuing -- became a larger issue that we could not ignore because it was pervasive and justified action (e.g., pervasive conduct, no remediation, no voluntary disclosure, etc.). If it had been a situation where internal audit was more competent, put its foot down, and made its findings known more widely, we may never have brought that case.

Mr. Cain:

• In my experience, compliance programs that seem to leverage internal audit well are most effective. It is all too easy for internal audit to view findings in isolation -- for example travel and expenses (T&E) that are not fully documented -- and see them as less material. But if internal audit is aware of and sensitive to compliance issues, it can identify anomalies like these as potential pay

© Miller & Chevalier Chartered 655 Fifteenth Street, N.W., Suite 900 • Washington, D.C. 20005-5701 • 202-626-5800 • 202-626-5801 FAX • millerchevalier.com to play, flagging them not only as control issues but as compliance issues. However, it takes specific training to make this happen.

Hospitality. With the World Cup on the horizon in Brazil, I noticed that the U.K. Bribery Act guidance contemplates that big ticket entertainment, such as Wimbledon tickets, may be acceptable. The U.S. Guide doesn't explicitly go that far. Is it conceivable that tickets to the Super Bowl or the World Cup would be viewed as reasonable hospitality?

Mr. Knox:

• I think that is so fact specific that it would be tough to draw a line as to what an appropriate sporting event would be. If you are a taking client to a Wizards or Nationals game or even a Super Bowl that happens to be in town, that is different from flying someone from Africa to the World Cup and paying for their travel and accommodations.

• I don't know where that line is. I would direct companies to the Guide and the hypotheticals we provided. The core question is whether there is corrupt intent and whether it is reasonable. We could walk through various scenarios, and I could give you my sense of whether a proposed expense is appropriate or close to the line. However, it is not my role to dictate to companies what to permit and not to permit.

• I would challenge you though to find a case where all we prosecuted was taking an official to a sporting event. Where we have brought travel and entertainment cases, the conduct tends to be pervasive, over course of years, and it generally goes along with other corrupt conduct. You may take an official to the World Cup and also wire funds to the official's account.

Mr. Cain:

• I would agree with Jeff. The only thing I would add is the safe harbor of the specific amount involved. When you start suggesting Wimbledon and the World Cup, the possibility that there is corrupt intent increases. But you have to look at the specific fact pattern in and of itself -- it is a case-by-case determination.

III. INVESTIGATIONS

"Industry Sweeps." Please discuss your thoughts on the usefulness and efficiencies of "Industry Sweeps." Are we going to see them continue?

Mr. Cain:

• I think "industry sweeps" are a useful exercise. Everything needs to have a name, and "industry sweep" is as good as anything. But generally, this term is used to describe two different activities:

1. "Hub and spoke" or specific misconduct that encompasses part of an industry that may look like an industry sweep, but actually stems from specific misconduct.

2. Generalized inquiries of companies -- these are not investigations, but inquiries into risks and problems in a particular industry. These "industry sweeps" can be successful. We try to

© Miller & Chevalier Chartered 655 Fifteenth Street, N.W., Suite 900 • Washington, D.C. 20005-5701 • 202-626-5800 • 202-626-5801 FAX • millerchevalier.com be thoughtful with the requests we make when reaching out to companies short of an investigation.

Mr. Knox:

• On the criminal side, we do not do "industry sweeps." It may appear that we do, but here is how it generally happens: We find evidence of misconduct and follow it where it leads. In course of the investigation, we may learn that other companies are doing the same thing or that companies are using the same problematic intermediary. As any good prosecutor, you follow leads. You start by investigating one company, and you learn that other competitors engaged in similar conduct. You learn even more about others engaged in certain practices. You learn that this could be an issue that is expansive throughout the industry. At the end of the day, you end up with five, six, or seven resolutions. But they all began with one -- the rest were a natural outgrowth of that first one.

Requests to Disclose Issues. In the course of "industry sweeps," and other investigations, there have been requests to disclose issues that have emerged through company hotlines in particular regions and discussion of company responses and results. The questions are generally posed like this: "Are there other issues you've handled? How have you resolved these?" What is your reaction to company concerns that its investigation programs not be turned into evidence generation exercises for the government? Are requests like these disincentives to establish such programs?

Mr. Cain:

• This is a concern that has certainly been raised and I can certainly understand the sensitivities. Usually these requests arise at an appropriate moment. One is the resolution of a matter. You want to establish what will be covered by that resolution and to confirm whether there is anything else that the settlement ought to cover. Another situation is in determining whether there should even be a resolution. If a company wants to impress upon us that its compliance program works in practice, we need to ask these questions and they need to provide examples. I have never seen this done as a wholesale "gotcha moment," with the disclosures then used as ammunition against the company. It is used to facilitate real dialogue about whether the compliance program is working as well as the company says or believes that it is. We need real-life examples.

Mr. Knox:

• In my experience, it is far more likely in the real world, for companies to bring these other issues up to us. Companies typically want to use this information offensively: "Look at how strong our compliance program and remediation is. Look at our commitment to compliance and our culture. Look at our hotline, which fields hundreds of calls and has addressed issues raised in this way."

• This dialogue ends up being a huge benefit to the company when you tick through the principles of federal prosecution of business organizations: the effectiveness of a company's compliance program, the company's culture, the pervasiveness of the conduct, etc. It is rare for companies to sit on that information -- usually they only do this if it is a big problem that they are sitting on. That's fine, but the company won't get credit for this. One way or another, we are likely to find out about it, and the company won't get any credit. There is a real incentive for companies to have strong program that identifies, stops and remediates misconduct.

© Miller & Chevalier Chartered 655 Fifteenth Street, N.W., Suite 900 • Washington, D.C. 20005-5701 • 202-626-5800 • 202-626-5801 FAX • millerchevalier.com Voluntary Disclosure. On several occasions SEC and DOJ representatives have stated that they do not expect all potential issues to be disclosed to SEC and DOJ, and that there is some universe of issues that companies can presumably handle and remediate without disclosure and without penalty for not disclosing. How would you articulate your views? Where is the line on the continuum of problems? Does it vary with the size of the company? If a company does not disclose, what steps do you expect it to take nonetheless?

Mr. Cain:

• This is a hard question to give precision to. It is the corollary to "we understand there is no perfect compliance program." We understand that compliance programs will evolve and change to address new issues, and appropriately so. That part of life we do not expect to be the subject of voluntary disclosures. But significant problems a company encounters -- those beyond what you would normally expect -- that is what we would expect you to disclose -- problems you would anticipate being the subject of an enforcement action.

Mr. Knox:

• It would be foolish of me to draw a line. I think company's counsel, this is what they do, but they would be well advised to think "if you were the prosecutor, is this something you would be interested in hearing about?" If so, the chances are we would want to hear about it. But if the conduct is isolated, or much too vague, or for some other reason the company is not receptive to disclosure -- we understand there are some circumstances that don't warrant disclosure.

• My advice in that situation would be to be thoughtful, to document the investigation and remediation in the event that something comes up down the road -- so that if we are in a meeting and we ask you about the issue you will have it documented. If the explanation is reasonable, a company will get credit for that. It doesn't mean the company will get voluntary disclosure credit, but it will get some credit if it appears reasonable and is not merely an attempt to sweep the issue under the rug.

Timing of Disclosure. What about the timing of disclosure? Often information is received through whistleblowers or other channels that is troubling but not corroborated, and it takes time to gear up an investigation and unearth the facts. Do you expect disclosure to occur upon receipt of an allegation of an issue?

Mr. Knox:

• This is highly fact specific. It is a common practice, however, for companies to inform us of allegations that, if true, would absolutely be something they would otherwise disclose. What happens in these situations is that we will get a phone call from counsel to inform us of the allegation, noting that they don't know whether there is something to the allegation or whether it is just a disgruntled employee, and telling us to stand by and that they will get back to us. The company then investigates and learns if there is something there or otherwise substantiates. They will then call and tell us what they found. It is often the case that we simply thank them and that is the end of it. It is not always the case that these disclosures become global investigations. If you have a good compliance program in place, retain reputable counsel, and effectively handle the situation, that will be the end of it.

• Sometimes, however, we are already investigating the company on the matter. In that case, we may not say, "Thanks but no thanks," but even still, an early voluntary disclosure won't end up

© Miller & Chevalier Chartered 655 Fifteenth Street, N.W., Suite 900 • Washington, D.C. 20005-5701 • 202-626-5800 • 202-626-5801 FAX • millerchevalier.com harming the company. If you do not voluntarily disclose, as long as the decision is reasonable, and you remediated, if it is documented and reasonable, then the company will get appropriate credit.

Mr. Cain:

• I think it always benefits company to come in early. In Jeff's example, a company comes in before it has its arms around an issue. The thing you already know about that company is that it would disclose an issue if there was something there. When you come in early, we understand what you are doing, and we can provide our thoughts at the outset. If you come in later, we may a lot of have questions about how you handled things. It is always better to come in early and establish that you have properly covered the issue.

International Double Jeopardy. From the Serious Fraud Office to the Korea Fair Trade Commission, international prosecutions are on the rise. To what extent and how do you think about the issues of international double jeopardy?

Mr. Knox:

• First, I should clarify that, legally speaking, this is not double jeopardy -- both European and the U.S. can prosecute the same conduct. Still, in practice, this seems like double jeopardy.

• We are sensitive to the fact that companies can be pulled in different directions and we seek to ensure they are not faced with inconsistent demands and requests -- to make it an efficient process. When entering into resolutions, we do factor in what law enforcement overseas is doing. This doesn't mean that if Germany is pursuing an action we won't or that we will fully offset the foreign penalties imposed. It's not that bright of a line. But, if you read the pleadings and releases, you will see that we do give credit. It is often the case that we will coordinate to pursue one line of conduct while a foreign agency will pursue another, so that the company is not being pursued for the exact same conduct. I think we have a good track record.

Mr. Cain:

• Yes, we are sensitive to concerns of double jeopardy. We try to work cooperatively and collaboratively with our foreign partners. The proof is in the pudding though. Not all foreign partners are as effective or work as well collaboratively as others. Companies may find themselves in situations where they are being pulled in two different directions.

For more information, please contact:

David Resnicoff, [email protected], 202-626-5833

Marc Bohn, [email protected], 202-626-5559

© Miller & Chevalier Chartered 655 Fifteenth Street, N.W., Suite 900 • Washington, D.C. 20005-5701 • 202-626-5800 • 202-626-5801 FAX • millerchevalier.com The information contained in this newsletter is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information about these issues, please contact the author(s) of this newsletter or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing. This newsletter is protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this newsletter without prior written consent of the copyright holder.