Applying Multi-Layer Due Diligence – Is There Such a Thing as Too

Transcription

Applying Multi-Layer Due Diligence – Is There Such a Thing as Too
Applying Multi-Layer Due
Diligence – Is There Such
a Thing as Too Much?
Houston, TX
23 March 2015
Panelists
 William Gordon: Associate General Counsel
and Chief Compliance Officer, Hercules
Offshore, Inc.
 Tom Best: Partner, Steptoe & Johnson LLP
Agenda
 Topics
– “The FCPA and due diligence – interpreting the law and translating its
requirements into your company’s partner investigation strategy”
– “Determining the appropriate degree of due diligence – what
requirements are placed on third parties to investigate their
suppliers?”
– “The link between careful scrutiny of your business partners and
business productivity”
 Discussion
– Enforcement “expectations” with respect to third party
engagement, management
– Best practices in third party and supply chain management
– Business value of third party management from FCPA/anticorruption compliance perspective
Enforcement “Expectations”
Regarding Third Parties
4
Third Parties -- Legal and Enforcement
Framework
 Vicarious liability for acts of third
parties
– Majority of recent FCPA cases
– Responsibility for improper acts of
agents, consultants, contractors,
service providers, distributors, JV and
other business partners:
• Done with knowledge or authorization of
company personnel
• “Knowledge” standard
– Includes willful ignorance – Bourke
(“Head in the sand”)
– Must identify and mitigate “red flags”
• Due diligence
• Contractual safeguards
• Monitoring
Third Parties -- Legal and Enforcement
Framework (cont’d)
 OECD Good Practice Guidance (2010)
 DOJ Deferred Prosecution Agreements (DPAs)
 US Sentencing Guidelines
 International Standards: TI Business Principles, PACI, etc.
 Key Developments:
– November 2012: DOJ-SEC Resource Guide
– May 2012: Morgan Stanley declination/prosecution of
Gerald Peterson
6
Third Parties -- Legal and Enforcement
Framework (cont’d)
 Companies “expected” to adopt and maintain internal
compliance programs designed to:
– Prevent, detect and remedy improper practices; and
– Promote compliance with laws
 Scope of program
– All parts of business, including subsidiaries and foreign
operations where issues may arise
– Risk-based approach
– Focus on third parties
 20/20 hindsight when dealing with enforcement agencies
7
Third Parties -- Legal and Enforcement
Framework (DOJ/SEC Guidance)
 DOJ/SEC Guidance – drafts from existing standards to restate agencies’ positions
 Emphasis:
– A functioning, not “paper” program
– Tailored to each company
– Designed pursuant to a FCPA/anticorruption-focused risk
assessment
– Management commitment to compliance
• “Tone at the top”
• “Tone in the middle”
– Communication and training mechanisms
– Incentives and Discipline
– Continuous Improvement
– Third Parties
8
Third Parties -- Legal and Enforcement
Framework (DOJ DPA/Plea Appendices)
 Clearly articulated written FCPA policy (with strong, visible support from
senior management);
 Promulgate compliance standards, based on an individual risk
assessment, for employees and business partners, governing:
–
–
–
–
–
–
–
–
gifts,
entertainment,
customer travel,
political contributions,
charitable donations,
facilitation payments
solicitation/extortion; and
mergers & acquisitions due diligence and integration program
 Annual review and update of compliance standards;
 Assign responsibility for compliance with a senior, autonomous official
with direct reporting to internal audit, Board and/or Board committees;
 Ensure system of accounting procedures, including internal controls, to
maintain accurate books and records;
9
Third Parties -- Legal and Enforcement
Framework (DOJ DPA/Plea Appendices) (cont’d)
 Periodic training and annual certifications by employees and
business partners;
 Maintain system for urgent compliance advice (hotline) and
confidential reporting of potential violations (whistle-blowing);
 Institute appropriate disciplinary procedures for violations and
reasonable remedial efforts;
 Due diligence procedures for retention of agents, including
compliance education and anticorruption commitments;
 Standard anticorruption contract clauses, including audit and
termination rights; and
 Periodic review and testing of anticorruption code and
procedures.
10
Managing Third Parties – Best
Practices
© 2014, Steptoe & Johnson LLP, All Rights Reserved
www.steptoe.com
11
Managing Third Parties – Best Practices
 Who are third parties?
– Marketing agents/sales representatives/finders
– Consultants and lobbyists
– Distributors, resellers, and brokers
– Partners and consortium members
– Service providers: Customs brokers, tax advisors,
attorneys, accountants
– Contractors and suppliers
12
Third Party Enforcement: Agents and Consultants
 Agents/consultants: sales agents and representatives,
lobbyists, etc.
– Highest risk
• Authorized to act on your behalf
• Use of commissions or success fees
– Best leverage
• Greatest control
 See Alcoa (2014) ($384M), Alcatel (2010) ($137M), many
others
13
Third Party Enforcement: Distributors
 Distributors
– Pure distributors
• Buying and selling for own account
– More complex relationships
• Joint marketing, etc.
– Note: Structuring relationship as distributorship does not
insulate from risk
• Must respond to red flags
 See Pharma / Medical Device Settlements (2011-12)
– Johnson & Johnson ($77M)
– Smith & Nephew ($22M)
– Pfizer/Wyeth ($60.1M)
– Biomet ($22.8M)
– Eli Lilly ($29M)
14
Third Party Enforcement: Business Partners
 Business partners: including joint ventures and consortia
– Risks:
• Potential liability for partners’ actions, but potentially limited
scope for control
• Value of partnership/JV arrangement is source of risk:
– Local knowledge, contacts, industry expertise
• JVs/consortia with state-owned partners
• Issuers:
– Books/records, internal controls liability if consolidated into
parent’s financial statements
 See Allianz SE (2012) (SEC: $12.5M), RAE Systems, Inc.
(2010) (DOJ: $1.7M; SEC: $1.25M), others
15
Third Party Enforcement: Service Providers
 Service Providers:
– Risks:
• Lack of control over providers’ actions
• Reliant on services in-country – often no alternative
– Risks can arise anywhere in companies’ supply chains,
in-country or abroad:
• Logistics providers
• Contractors and sub-contractors
• Professional service providers
16
Enforcement Example: Service Providers
 Tax Advisors
– KPMG-Siddharta, Siddharta & Harsono (SSH) (2001) and Baker Hughes
(2001)
• $75,000 bribe to reduce tax assessment in Indonesia
 Lawyers
– U.S. v. Jeffrey Tesler (2011) (TSKJ Consortium)
– Parker Drilling (2013)
 Customs Brokers/Freight Forwarders
– Panalpina and customers (2010)
• Payments to customs officials in Nigeria and elsewhere; collective penalties
of $236.5 million
 Subcontractors
– Data Systems & Solutions (2012)
• Technology/service subcontractors on power project funneled bribes to
officials; fictitious modifications to contractual scope of work to disguise
additional payments
17
Third Party Risk Management: Best Practices
(1) Risk Assessment
– Range of relationships and risks
– Tiering Option
(2) Policies and Procedures on Engagement
– Due diligence
• Questionnaires/checklists
• Internal sources
• External sources: When to engage?
– Responding to red flags
– Decision-making
– Recordkeeping
18
Third Party Risk Management: Best Practices
(3)
–
–
–
Contractual Safeguards
Define legitimate services
Compliance assurances: reps/warranties, covenants
Accounting requirements and cooperation provisions
• Audit rights?
– Remedies: suspension, termination, clawback, etc.
– Other: e.g.,
• Compliance program
• Manner and place of payment
19
Third Party Risk Management: Best Practices
(4) Training
(5) Certifications
(6) Oversight – e.g.,
– Audits
– Scrutiny of invoices
– Responding to red flags during performance
– Periodic reviews and updates
– Certifications
 “Best practice” has evolved significantly over the past few
years.
20
Third-Party Due Diligence – Outside Resources
Intelligence Databases

Program
Development
List Screening

PEPs

Media

Ownership



Investigation &
Verification
DD Consulting/Investigations
Sanctions, law

enforcement, and other
watch lists
PEPs; aliases; relatives 
and close associates
International, national,
local sources
Searchable; filterable
Legal owners
Sometimes SOEs and
beneficial owners
(incomplete)
Compliance IT platforms
Specialized ABC counsel:
(workflows and approvals;

Risk assessments; policies,
questionnaires and certifications;
procedures, forms, certifications
data analytics; archived reports) 
Best practices; benchmarking

Privileged legal advice
Database search and summaries
Database search and summaries


Database search and summaries
Local language review

Investigations of beneficial
ownership

Regional/local presence,
expertise, and/or language
Analysis of country/region
Business profile
Site visits; in-person interviews;
other local inquiries
Reference checks
Public registries; court records





Outside Legal Advice
Local Law
Anticorruption
Legal Advice
21
Local counsel:

Investigations of beneficial
ownership

Privileged legal advice
Local counsel: May offer some of the
services offered by DD firms
Local counsel: Privileged local law
advice
Specialized ABC counsel:

Analysis of red flags and risks

Advice on safeguards

Privileged legal advice
Business Value of FCPA/AntiCorruption Compliance; Third Party
Management
© 2014, Steptoe & Johnson LLP, All Rights Reserved
www.steptoe.com
22
Positive Business Case for Compliance?
 Current conditions for compliance professionals in the
extractive industries:
– On the one hand:
• Commodity prices low/depressed – budgets are tight
• Continued SEC/DOJ activity in the sector
• FCPA/anti-corruption enforcement no longer a U.S.-only
phenomenon
• Whistleblower epidemic
– On the other:
• Significant U.S. enforcement activity over past 10 years; companies
generally well-attuned to the risks
© 2014, Steptoe & Johnson LLP, All Rights Reserved
www.steptoe.com
23
Positive Business Case for Compliance? (cont’d)
 Is this the only value of a strong compliance program?
© 2014, Steptoe & Johnson LLP, All Rights Reserved
www.steptoe.com
24
Positive Business Case for Compliance? (cont’d)
 Increased attention to quality of company business
relationships = benefits?
 Benefits financial? Other?
 Quantifiable?
© 2014, Steptoe & Johnson LLP, All Rights Reserved
www.steptoe.com
25