Tuesday, September 25, 2012

FCPA Due Diligence


Caveat Emptor

Forget the Emmys or that little election in November.  The event that we are all awaiting with bated breath is the DOJ issuance of FCPA guidance.  Noted FCPA expert Michael Volkov is making predictions on what the guidance will contain.  Among them, Michael predicts a kinder, gentler DOJ approach to companies that acquire an FCPA problem as long as the target company is integrated into the acquirer’s compliance program.

So does that mean you can exclude FCPA from your due diligence checklist? As we say in the South, does a chicken have lips? Why do you think a public company’s stock drops when an FCPA investigation is announced?  The direct costs of defense?  Usually a pittance.  The management distraction factor?  Oh, it is bad, but companies adapt.  The looming DPA?  As burdensome and ineffective as a government-mandated compliance program may be, it doesn’t account for the drop in value.  What is it then?

Let’s dive into some finance fundamentals.  Value is derived from discounted cash flows.  The higher the discount rate, the lower the value.  What causes the discount rate to rise?  Uncertainty.  The greater the uncertainty about whether cash flows will occur as forecasted, the higher the discount rate.  Uncertainty can stem from government regulation, product obsolescence or competition.  If you have a product that will cure cancer, there is very little uncertainty as to the demand and the lack of competitors.  That will create enormous value with a given cash flow.  The same cash flow applied to a commoditized product will lead to significantly lesser value.

That brings us to our FCPA conundrum.  Do you think that sales people or management will be required to pay bribes to generate sales for the cure for cancer?  Not likely.  On the other hand, if you have a commoditized product with multiple competitors, all the participants might be tempted to engage in corruption. 

The reason you perform due diligence, irrespective of any DOJ enforcement forbearance, is you want to know if that revenue stream you are purchasing is at risk!  If it is, then you will either reduce your price or walk away from the deal.

Wednesday, September 19, 2012


The Perfect Storm- FCPA (Part II)



Last week, we began a discussion on the application of the whistleblower provision of Dodd-Frank to FCPA violations.  Based on an analysis of the False Claims Act (FCA) amendments in 1986, and the related strengthening of whistleblower provisions, we concluded that enforcement actions will rise dramatically.

The questions today are:
  1. What is the inherent risk of an FCPA violation vs. an FCA violation?
  2. How effective are the relative control environments in their ability to mitigate the risks of violation? 
  3. Is the risk of a whistleblower action greater for violations under the FCPA than the FCA?


The inherent risk of the violation

I am a CPA.  It is ingrained in our DNA that the strength of the control environment needs to be directly proportional to the inherent risk of a violation.  Let’s examine the inherent risk of an FCA violation vs. an FCPA violation.

The submission of a false claim under the FCA usually requires either the intentional or reckless perversion of the claims submission process.  (I say usually because there are other false claims scenarios, such as reverse false claims, or bootstrapping anti-kickback theories.)  The claims submission process usually involves a fairly discrete pool of centrally located individuals with no apparent financial motive to submit a false claim.  In other words, medical coders or accounting personnel are usually not incentivized to overbill the government.  Therefore, the occurrence usually results from improper direction or training.  The false claim typically results in some level of incremental revenue which would benefit senior management or the company, but not necessarily the individual.  This also means the violation typically requires some level of intentional or inadvertent collusion.

An FCPA violation typically occurs when in-country management or the sales function makes, directly or indirectly, a payment to a foreign official in order to obtain business in that country.  Both in-country management and the sales function typically directly benefit from the activity.  Often, the result is not an increase in revenue, but a binary outcome of an all or nothing impact on revenue.  Further, there are often pressures from less scrupulous competitors that can literally leave the perpetrator with the feeling he “has no choice”.

If you view this within the prism of the Fraud Triangle, for an FCPA violation vs. an FCA violation:
  • The individual motivation is usually higher for the FCPA violation.  (Variably compensated perpetrators.)
  • The opportunity is greater for the FCPA violation (decentralized operations, less need for collusion).
  • The rationalization is easier. (My competitors are doing this, what options do I have?  I won’t get the business if I don’t do this.)

In my opinion, this is not a close call.  The inherent risk of an FCPA violation is much greater than the inherent risk of an FCA violation.

The control environment

For the FCA, there are a variety of tried and true controls that can be applied to the claims submission process.  Further, there is a body of standards that apply to the contents of the claim.  Is this cost allowable under the FAR?  Is this medical claim accurately coded?  One can develop training courses designed to ensure qualified people participate in the process.  There are certifications that evidence competency.  Sampling procedures can facilitate a relatively cost-effective audit.

For the FCPA violation, unless the perpetrator debited bribe and credited cash, it is not so easy.  The bribe can be quantitatively immaterial and, therefore, off the radar screen for traditional internal and external audits.  As a matter of fact, I am not aware of a single circumstance where an external audit has detected an FCPA violation.  In the case of Siemens, an external auditor discovered a 5 million dollar cash transfer, which Siemens disposed of in a one-day investigation.  Did that result in a modification or even a delay to the auditor’s report?  No.  If you were to include FCPA violations in the scope of a financial audit, the audit would become cost prohibitive.

A payment that violates the FCPA is typically disguised as an “ordinary course of business” transaction.  If properly disguised, it can be very difficult to detect with traditional audit techniques.  One must invest significant time and effort to determine if payments to third parties exceed the fair market value of the services they rendered.  Often, this can be outside the typical professional knowledge of a CPA.  (For example, reviewing a civil engineer’s bill regarding services rendered for a potential building site.)  This is particularly true when the auditor is not familiar with rates and business arrangements in the country in question.

In summary, the adequacy of controls to detect a typical FCPA violation is much less than a typical FCA violation.  They primarily boil down to serendipity and whistleblowers.  Now about the whistleblower…

Is the risk of a whistleblower enforcement action greater for violations under the FCPA than the FCA?

First of all, I should disclose a bias that I have.  I believe any whistleblower provision with a monetary reward creates an incentive for the whistleblower to circumvent existing internal compliance controls.  Calling an internal hotline or emailing the compliance officer may get you a pat on the back.  On the other hand, going straight to the government could net you millions.  Do you see my point?

This has always been a problem under the qui tam provision of the FCA, but not an insurmountable one.  According to a study by the Ethics Resource Center, 84% of eventual whistleblowers attempted to use internal channels before going to the government.  (Now, to be fair, we don’t know how many just notified supervisors instead of calling a hotline or alerting the General Counsel or the Compliance Officer.)

This dynamic has been turned on its head under the Dodd-Frank whistleblower provision that applies to the FCPA.  In a recent case a judge concluded that the would-be whistleblower “did not fit within Dodd-Frank’s definition of a whistleblower”.  The logic was frightening.  Because the whistleblower had reported the matter internally rather than straight to the SEC, the suit was dismissed.  As a compliance professional, this is the worst nightmare.  Not only does a potential whistleblower have the monetary incentive to avoid internal reporting, according to this judge, he now must avoid internal channels to preserve his status.

Conclusion

I believe we are on the crest of an enforcement wave in the area of FCPA that will dwarf all previous corporate enforcement initiatives.  The enforcement will occur irrespective of who wins the election.  There will be SEC and DOJ task forces that teach all offices how to investigate these matters.  Future budgets will contain line items specifically focused on these matters.  It has been said "fraud has no fans."  It is also true that politicians do not like the outsourcing of revenues and jobs that inevitably occur with foreign operations. You ignore FCPA risk at your peril.  




Thursday, September 13, 2012


The Perfect Storm- FCPA


The Perfect Storm was a movie depicting the 1991 confluence of unusual meteorological events that caused a storm resulting in damages of over 200 million dollars and the loss of 13 lives.  Although I wouldn’t expect much loss of life resulting from applying the whistleblower provisions of Dodd-Frank to the Foreign Corrupt Practices Act (FCPA), 200 million dollars will be a pittance.  Book it.

I believe this based on what happened to the False Claims Act (FCA) enforcement environment after passage of the 1986 act which strengthened the whistleblower protections, among other things.  Look at the growth curve:




As you can see, the growth curve was exponential before leveling off in 1997 through today (although the last couple of years have seen another jump).

Although the number of cases leveled off after 1998, the dollar value of settlements has skyrocketed.


Wouldn't you like to have invested in that income stream?  Well, I have some news for you.  If you are a shareholder, you have a chance to invest again right now, just like in 1987.  The only problem is the government is buying this stock.  You are shorting it.


This average dollar per settlement increase is largely due to a shift from relatively small health care providers to large pharma/med device companies.  One could infer, however, that it is also due to an increase in the sophistication of the government, relators and relator attorneys.  Oh, I forgot to mention relator attorneys.

Do a Google search on FCPA violations.  What is the first item that appears?






You see, back in 1987, when the qui tam provisions of the FCA were enhanced, Al Gore was in the Senate and the internet had not yet become a part of our lives.  This lack of access of potential whistleblowers to qui tam attorneys created an elongated “ramp up” in cases.  As you can see, this is no longer a barrier to growth.

If I haven’t worried you already, let me go further.  FCA violations typically occur in two industries: government contractors and health care.  That is a fairly discrete and small pool of potential violators.  As a matter of fact, while health care and defense contractors only comprise 13% of the S&P 500 (by market cap), the revenues associated with foreign operations are over 46% of the S&P 500 revenues.  I know market cap and revenues are a little apples and oranges, but directionally the pool of potential violators is much bigger.

I haven’t yet touched on a comparison of the inherent risk of a violation between FCA and FCPA.  Nor have I addressed the relative strength of control environments designed to address those risks.  Nor have I touched on the risk that a violation will not be detected.  All of these are factors in the principles of corporate prosecution articulated by the DOJ in this link.

That fun will be for another day.  I will give you a hint though.  The perfect storm is about to become a perfect tsunami.

Tuesday, September 11, 2012

What Background Makes the Best CCO?


I have always found this to be an interesting topic. Attorneys believe they understand the law and therefore should be compliance officers. CPAs believe they understand auditing and processes and controls and therefore make the best compliance officers. Operational people believe they understand the workings of the business and can communicate most effectively and therefore make the best compliance officers. HR people believe that compliance is basically a people function and therefore, they are best suited. Who is right?

 

Obviously, the CPA is. (Full disclosure, I am a CPA.) Actually, they all are, but this is not a cop out article. I actually have a proposed solution. Each discipline (and a few more) adds an important perspective to the compliance solution for an organization. Before settling on an answer, I would ask yourself two questions.

1. What are your organization's most important risks? Name the top five risks that could imperil your organization from an enterprise value or legal risk perspective. Don't just focus on the risks that you understand, are easiest to control or are focused on employee theft or misbehavior. I find it hilarious how many significant compliance efforts are expended on employees that expose the organization to relatively little risk of non-compliance. (I also find it hilarious how many people use the phrase "compliance risk". Really? The risk is created by complying? You better try a new plan, then!)

2. What are your organization's strengths and weaknesses? Are you a strong sales organization? If so, I bet your regulatory and legal function is weak. Are you a strong HR organization? You could be operationally challenged. Strong accounting and finance function? Weak sales organization. The most important word I ever learned in economics was TANSTAAFL. This was taught to me in macroeconomics by a professor by the name of Tony Spiva. It means "there ain't no such thing as a free lunch". Organizational strengths in one area typically lead to weaknesses in another.

The compliance officer's background should be directed at your organization's most important risks and fill the gap created by your organization's weaknesses. That is the simple first step- but not the only one. You see, all the aforementioned backgrounds are important to the compliance function. So it is important for the compliance officer to be surrounded by complementary skillsets. Have you ever done a DISC profile? This is a personality study that classifies you as a D (dominant), I (inducement), S (Submission), and C (Compliance). The point of the exercise is that you are more effective in accomplishing tasks when you have a diverse team of personalities working together as opposed to people who think just like you. The same thing is true on a compliance team. Surround yourself with people who have the skills that you don't.

Now I am not going to kid you. I think that the marriage of legal and auditing skills is critical to compliance success. If you try that combination in a sales-oriented culture without some sales-oriented compliance professionals, you will surely have a tough time delivering the message. The tree will fall in the forest, but nobody will be there to hear it!

To recap, in choosing your CCO,

· Assess organizational risks

· Assess organizational strengths and weaknesses

· Supplement the CCO with a diverse team.