On February18th, Compliance Week held a webinar presented by Oversight’s CEO, Patrick Taylor. In excess of 700 corporate compliance executives registered to learn more about an important and timely topic with respect to FCPA compliance as it relates to monitoring travel and entertainment and purchasing transactions.
The title of the webinar was Yates Memo & Foreign Corrupt Practices Act Enforcement in 2016: The Positive Impact of Technology Advances on Risk Management. You can view the webinar in its entirety here:
There were some great questions posed during the webinar that have been compiled along with the answers below.
Will you go back over Yates Memo and how it relates to current DOJ enforcement activities?
The Yates memo essentially states that the DOJ will focus on making individuals accountable for FCPA violations through both civil and criminal prosecutions. Further, the best if not only way for the company to escape prosecution is by self-reporting any violations and turning over all evidence about the activities of individuals in the company. The folks at Broadcat have a nice infographic on the Yates memo:
In my view the DOJ wants to change the calculus around self-reporting. In the pre-Yates memo environment companies would often receive counsel to not report a violation to the DOJ and to just remediate the problem internally. In the event they were ever caught by the DOJ they could then fully cooperate and hopefully secure a non-prosecution agreement (NPA) or a deferred prosecution agreement (DPA). The DOJ wants to do everything they can to drive companies to instead choose to self-report. Whereas pre-Yates the company carried the risk of fines and often the individuals involved remained free of prosecution, now there’s an emphasis on individual accountability with the hope that the real threat of jail time will drive appropriate behavior.
If an organization already has a strong compliance program in place including many of the elements that you addressed, is there much more that they need to do to demonstrate a good faith compliance effort with regard to FCPA?
In our view and the view of others such as Tom Fox at www.tfoxlaw.com, it is important that an organization is actively trying to detect non-compliance - the basic “Prevent, Detect, Remediate” concept. Further in the guidance issued by the SEC and DOJ in the Fall of 2014 there’s the concept of continually improving compliance programs. Training, policies and a whistleblower hotline only may not be considered a robust compliance program.
Does the DOJ look at a company and its compliance program in relation to its industry and risk profile? For example, if we are in the software industry and we believe it has a low risk of bribery and corruption therefore our compliance program may have fewer people and may not have an automated transaction monitoring system.
Yes, risk absolutely matters and risk is industry and geography dependent. Now, I’d be remiss if I didn’t mention that other more operationally oriented benefits are available through transaction monitoring such as reduced waste and fraud. For software companies we’ve seen risks around excessive discounting on the sales side and we are developing a solution for that.
Can you provide any expectations from the DOJ/SEC on due diligence a company can perform on third parties acting on behalf of the company to sell their products [i.e. reseller, referrals, etc.]
Fundamentally you’re responsible for their actions. Obviously they are even harder to control than your own employees but nonetheless you do need to put forth effort to control their activity. Common practices we see include:
- Vetting before bringing them on board as partners, particularly those operating in high risk environments/countries.
- Contractual clauses that require them to have their own “FCPA” programs and some kind of evidence that they do in fact have the programs in place.
- Maintaining a watchful eye for anomalous activities.
The last point is where transaction monitoring can play a role. We’re currently engaged with a customer to co-develop an Insights On Demand offering for Order-to-Cash. The kind of issues we’re looking for include excessive discounts given to resellers or unusual patterns of sales credits – think of it as places where your company is effectively giving them increased margins/sales credits so they can afford to pay bribes.
This is definitely an area where it is essentially impossible to perfectly prevent problems. Instead think of the things you can practically do to identify inappropriate behavior. Be able to demonstrate that you were trying.
Do you have any advice on an entity with limited foreign operations and foreign vendors?
Essentially your risk is limited by your limited foreign exposure and you could likely handle the transaction monitoring manually. I will take the opportunity to mention that in addition to our FCPA offerings we have solutions for T&E, Procure-to-Pay, and Purchase Cards that drive operationally oriented ROI.
Does your system help to identify potential duplicate payments as well (with fuzzy matching capabilities)?
Yes, we do identify duplicate payments as well as potential fraud and payments to inappropriate persons such as on the terrorist watch list (OFAC list). As you surmised, in the process of looking for illicit transactions you’ll find lots of other interesting items as well.
I have heard that in some Asian countries, restaurant owners collide with customers and issue fake receipts to conceal corruption. For example, a restaurant owner may issue a meal receipt of $1,000 when the meal, in fact, only cost $500. The employee pays $1,000 with a credit card and the restaurant owner then records a $500 credit for the customer in an offline system. The employee gets reimbursed for $1,000 and have a $500 credit to be used towards future meals. What would you recommend as a means of catching these types of transactions?
As I mentioned in the webinar that’s a challenging scenario as is anything that happens “off the books”. Frankly this would be hard to find as a singular event; however, if they “go back to the well” then the pattern detection algorithms would increase the odds of detection. In theory the restaurants in question would appear to be twice as expensive as their peers in Shanghai or wherever.
Many of the techniques you summarized use statistically based sampling algorithms. If a problem is found, and the prosecutorial agencies you referenced in the beginning become involved, may I assume you then have to do a 100% sample analysis.
I can answer that question from a “how Insights On Demand (IOD) works” perspective. Our algorithms analyze 100% of the transactions and use statistical techniques (along with other analytics) to identify the transactions/employees/vendors with the highest number of risk indicators. So while our users are only looking at a subset of the overall population, IOD evaluates all of the transactions. For IOD everything is based on the 100% sample you mentioned.
If a prosecutorial agency becomes involved one thing they will do is look very closely at all the activities of the perpetrator and those around him/her. From that investigation they may identify new “risk indicators” and then mine the larger population for other areas with the same risk elements. Or put another way now that a specific problem has been identified let’s go look for that same problem in other places.
When implementing a program, is there a specific order of accounts i.e. T & E, donations, that you would suggest to focus on to effectively build a strong program?
The standard answer would be start with the area that represents the most risk. It’s my observation that most people consider T&E as a smart starting point. Generally, it’s considered an area with a lower level of control over the spend and also the place where it’s easier to conceal illicit activity.