Principles of Federal Prosecution of Business Organizations


At last week’s Compliance Week Conference, I saw a paradigm shift in thinking about the factors to be included in a compliance program. Most compliance programs have placed a lot of emphasis on the federal sentencing guidelines. After all, those guidelines give credit for having an effective compliance program. So you want to have an effective compliance program.

But by definition, the sentencing guidelines are only useful once the organization has been indicted and convicted of a crime. We are better off preventing the organization from being indicted in the first place. So, perhaps we are better off looking at the Principles of Federal Prosecution of Business Organizations (.pdf) from the Department of Justice.

The Principles are more nuanced than the Sentencing Guidelines. They take into account the issues of prosecutorial discretion. In contrast, the Sentencing Guidelines are a compromise between prosecutors, the defense bar and the judicial bench.

Enterprise 2.0 at Goodwin Procter


Can law firms jump on the Enterprise 2.0 bandwagon? Lawyers are generally seen as conservative users of technology, preferring to use a quill and inkwell over a web-based publishing platform. David Hobbie shares some of the successes he has encountered in the adoption of Enterprise 2.0 at Goodwin Procter (.pdf – page 13) in the June 2009 issue of KM Pro Journal (.pdf).

Goodwin Procter was one of the early adopters of collaboration and knowledge sharing tools and has begun adopting the internal use of blogs and wikis as tools. This is a great article, summarizing some of the theory behind Enterprise 2.0, comparing it to knowledge management, and giving practical uses of these tools in a legal environment.

“More knowledge has been captured and stored because communications have been opened up to more authors and have been moved out of email “silo” and into public spaces. More knowledge transfer has occurred because the Enterprise 2.0 tools are built to communicate, whether through alerts of new information, easy browseability through user-created structure, or through better search.”

I had the pleasure of working with David at Goodwin Procter during the initial deployment of the tools. I am happy to see that they continue to grow and succeed. You can read more from David at his blog: Caselines.

FCPA Visualization


The number of Foreign Corrupt Practices Act charges and the size of the penalties have surged recently. The James Mintz Group pinpointed the location of every bribe that has led to an FCPA case in the last 10 years and illustrated them graphically.

The countries that have generated the most FCPA cases in the last decade are:

  • Nigeria with 11 cases
  • China with 10 cases
  • Iraq with 10 cases

You can see the full-sized map and more details in the June issue of Global Fact Gathering from the James Mintz Group.

Wrap Up of Compliance Week Conference


It was a great few days in Washington D.C. at my first Compliance Week Conference.  The conference was packed with great presentations and discussions over its three days. In particular, it was great to spend time with Bruce Carton, Francine McKenna, Scott Cohen, Matty Kelly and Alex Howard.

Below are links to some stories from the conference:

For Compliance Week subscribers:

Fighting a cold during the conference, I was the guy generating the cacophony of coughs.  But I did manage to keep notes during the sessions I attended:

I am looking forward to Compliance Week 2010.

UPDATED with new links

Conversation with Harvey Pitt


This was another “dark session” with about 30 compliance professionals sitting down for an informal discussion with former SEC Chairman Harvey Pitt. I am not going to share detailed notes, just some general issues that were discussed, with no attribution to any individual.

Compliance is really about non-compliance. The only reason compliance is relevant is because someone was non-compliant. The government usually comes in and looks at your compliance program from the opposite end from where the organization looks at compliance.

It is better to build a relationship with the SEC before you need something. If you show up only when you have a problem, you have waited too long. The SEC has learned not to tell you that something is not a problem.

It is important to see what is being said about your company, even a “blog written by an imbecile,” to see what is out there. If something is harmful, you need to decide whether to react. The SEC has people who troll the internet looking for information. They certainly will troll for information once they open an investigation.

There was concern about how an already understaffed SEC will be able to regulate an additional 8,000+ companies if hedge funds are going to be regulated by the SEC.

Your Compliance Program and Enforcement


This session at Compliance Week Conference 2009 was another “dark session” so I am not sharing detailed notes, merely a perspective on some issues that were presented. John Roth, an Assistant U.S. Attorney in the Fraud and Corruption Section, shared his insights, and Bruce Carton did his best Phil Donahue impression by eliciting questions from the audience.

There was a big turnout for this session. The organizers were only expecting 20-30 and ended up with over 100. Anything said by Mr. Roth was his opinion alone and not necessarily that of his office or the Attorney General.

One item was the difference between the Principles of Prosecution in the U.S. Attorney General’s Handbook and the Federal Sentencing Guidelines. The Guidelines only come into play once the organization has been indicted and convicted. The Principles of Prosecution help the Attorney General’s Office decide whether to prosecute in the first place. The Guidelines are a product of compromise between the Attorney General, the defense bar and federal judges. At this point they have also been made discretionary instead of mandatory. It seems that compliance programs should be more focused on the Principles of Prosecution instead of the Federal Sentencing Guidelines.

There was much discussion that it is much easier to identify a bad compliance program (or no compliance program) than a good compliance program. Much of the learning comes from failures of compliance programs instead of the successes.

Prosecution success causes more prosecution in those areas. FCPA prosecutions are increasing because they are being successful. We can expect to see more. There were rumors that the FBI has formed a squad to focus on FCPA criminal investigations.

Compliance Week Keynote from David Ogden

My notes, live, from the keynote address by David Ogden, the Deputy Attorney General.

As we confront the current financial crisis and try to restore trust and accountability, we have a shared responsibility to make sure justice is done. Responsible corporate behavior must be encouraged and rewarded. There will continue to be enforcement action on financial crimes.

The FBI has doubled the number of investigators looking into mortgage fraud. There is also going to be an emphasis on healthcare fraud. They are looking to get better access to financial records and information in the healthcare industry.

With the $4 trillion of TALF funds, there is a potential for fraud in procurement and the use of those funds. (It sounds like there will be a lot of investigations into the recovery efforts.)

The DOJ needs to be relentless in its enforcement activity. They need to ensure the integrity of the financial markets and preserve the public fisc.

He pointed out an emphasis on training the department attorneys on discovery and electronic records.

The new principles that are part of the DOJ handbook emphasize the importance of the attorney-client privilege. Cooperation is based on sharing information. No longer is waiver of the privilege a requirement to get cooperation credit. Prosecutors may not request that a company deny advancement of attorney fees or hiring attorneys to defend individuals involved in wrong-doing.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)

Structuring Internal Investigations


My notes, live, from the presentation by Neal Stephens and Bill Freeman of Cooley Godward Kronish on the top ten problems and how to avoid them. The focus of the session was to help companies who must conduct an internal investigation avoid pitfalls that add expense, embarrassment and exposure.

There are many problems that come from internal investigation failures. Cost is a big item. Expenses can get out of control. You could end up with a loss of credibility with the public and the government. You want to avoid re-opening the investigation in response to shareholder attacks.

Failing to Establish the Right Investigative Body

You want to make sure the investigator is sufficiently independent and has the necessary powers. If it is serious, you will want an impartial committee from the board of directors. For an independent investigation, you may need to pick a new law firm. If the law firm has represented other board members or been involved in the subject transaction, you should not use them.

Failing to Preserve Evidence

You have to immediately notify record custodians. Often the document destruction ends up being a greater offense than the original transgression. It is important to document the entire preservation and collection process. The SEC will typically send you a preservation notice before they send a subpoena.

Don’t forget about home computers and mobile devices. If people are doing business on their home computer, you need to preserve the information on them.

Failing to Get Buy-In from the Government and Outside Auditors

You want to make sure the people with the handcuffs agree to the scope, methods, timing and the sharing of information.  You want to make sure you do not have to go back and cover the same information again. That increases costs.

Failing to Supervise Vendors

You want to train your document reviewers. You have to educate the investigators about legal means of obtaining information. Vendors need to be educated on what to reveal to whom. Messing up document review is embarrassing and can taint the case as a whole.

Treating Witnesses Differently

Consistency is very important. You can’t treat one group with kid gloves and another with rubber hoses. The way to protect the company is letting the evidence take you where it goes rather than presuming innocence of a party.

Jumping to Conclusions

You have to follow the evidence. You need to understand the company policies and practices at issue. Consider placing an employee on leave during the investigation, instead of termination. The DOJ typically does not care that much. They want you to find the facts and properly punish the offender. You do not have to give the government a head on the platter to appease them. Just do the investigation right.

Mishandling Privilege Issues

You need to advise witnesses of their legal rights. Make sure they realize that the attorney represents the company and may turn the information over to the government. You need to anticipate third party challenges to information shared with the government or auditors.

Give the corporate Miranda. Employees typically still talk to investigators. But you don’t want them to think that the attorney represents the employee.

Mishandling the Flow of Information

Always update the board committee first. Get their approval before revealing information to the government, auditors or senior management.

Failing to Anticipate the Mid-Investigation “Show Stopper”

Something else always pops up or evidence of a cover up appears. At some point a witness realizes they are in trouble and will withhold information. You are also likely to see witness intimidation or collusion.

Failing to Communicate Carefully to Outsiders

Statements in 8K’s will be attacked. Statements to opposing counsel must be considered “on the record.” Statements to the government must be complete and accurate.

Much of the conversation was couched in how these two had just defended Kent Roberts, the former general counsel of McAfee in a stock back-dating case. It was a useful combination of practical advice, war stories, and theory.


Third Party Risks


My notes, live, from Third Party Risks with Matt Tanzer of Tyco International and Chris Nowak of Wyndham Worldwide.

Tyco has 110,000 employees around the world, most outside the United States. Their first step was to identify all of the third parties. This was a big task. They went to their master vendor lists and master customer lists. Then they broke them into groups based on risks.

Then they conducted a preliminary risk assessment using a few factors, such as geography, types of payments and payment structure.  With all of that information they took the next step of rationalization and consolidation of the third parties. In higher risk areas, they want to reduce the number of third parties they work with. They will conduct enhanced due diligence on high risk third parties.

They have imposed stricter payment procedures. They require a valid tax invoice, wire transfers (no cash), and only to the actual service provider. It is key to look at the underlying contract to verify the payment amount and type of service.

They have a new program for new vendors:

  • Business Sponsor
  • Business Justification
  • FCPA Certification
  • Questionnaire
  • Risk Assessment/DD
  • Written Agreements
  • Training

Not all elements are required for all third parties. If it is a low-risk type of vendor in a low-risk country, they will not require all. High-risk parties in high-risk countries get an enhanced look.

Chris took over to give his perspective. His company is dealing with land owners, hotel owners, time share owners and employees around the world.

Know your third party:

  • Screen the parties against the OFAC’s SDN list
  • Conduct reviews of their financial statements
  • Learn their reputation
  • Investigate litigation
  • Check for current licenses
  • Understand their Culture

Chris offered some mitigation techniques:

  • SAS 70 Certifications
  • Code of Conduct – They are putting together a code specifically for vendors
  • Other Policies – You want to make sure you understand local law
  • Good Behavior Certification – Failure to certify is a warning sign.
  • Training – You need face to face training to get attention, especially as you move up in corporate seniority
  • Contract language
  • Insurance
  • Stay Involved!!! You need to keep emphasizing the importance of good behavior.

Make sure that the questions you ask are questions that you are also willing to answer. Simply things to make sure you could certify if someone asked you.


McNulty Keynote on a Tale of Two Sectors


My notes, live, from former U.S. Deputy Attorney General Paul McNulty’s keynote on A Tale of Two Sectors: The Challenges of Corporate Compliance – When Enforcement Increases and the Economy Declines. Mr. McNulty is now a partner at Baker & McKenzie. He is the author of the McNulty Memo on the government’s perspective on prosecuting organizations.

This issue of compliance has changed the corporate landscape. There is a sobering reality with a contrast between the government’s aggressive enforcement of white collar crime while the corporate sector is in a defensive position trying to cut costs and survive the economic downturn.

How can a company survive in this enforcement and economic environment? How can they move into emerging markets with corruption issues?

Enforcement is rising sharply. There is more effort being put into catching and punishing economic crime. FCPA is a hot issue because of a combination of increased disclosure, increased communication, and increased international cooperation. These factors are not unique to FCPA. That is why we are seeing an increase in other financial crime enforcement.

There is a lot of effort going into punishing individuals, not just organizations.

How do we respond to this environment? There are several “must haves.”

  • Leadership with a strong tone and strong structure.
  • A risk based strategy, looking at where you are doing business and how you are doing business.
  • Standards and controls to provide evidence that there is commitment and it is translated to specific things
  • Training is essential. You need to get the word out.
  • Monitoring so that you can see what is working and what is not working.

The cost of non-compliance is great. If you think compliance is expensive, try non-compliance.

If you are the target of a government action there are some things you should do. You want to have a thorough and cost effective investigation. You want the government to feel that they do not need to conduct their own investigation. You need to be credible and sufficiently independent. It also needs to be timely. Cost control is an issue. There is some tension between thoroughness and cost. You want to focus on the scope. You don’t want it to be too narrow, but if it is too broad the costs will be excessive. Create an investigation plan at the outset. Keep a close eye on your auditors and attorneys.

You want to get your “compliance credit.” In his memo (and the others) one of the factors is the existence of a strong compliance program. Make sure that if you think you had a strong compliance program that the government sees that there is a strong program.

You want to get your “cooperation credit.” The key is to be able to cooperate without waiving the attorney-client privilege. You want to avoid derivative lawsuits from other non-government parties.

You want to avoid a monitor. The government is looking for a hedge to avoid the risk that there is something more going on inside the organization. That means you need to convince the government that the organization wants to know the whole truth and will immediately take the steps to cure the problem.

Will prosecutors look at a decreased compliance budget as a bad mark? Maybe. You can be more effective with a smaller budget, but it means being more effective and revisiting the structure of your program. The risk increases when there are fewer resources dedicated to the program.
