Wednesday, September 19, 2012


The Perfect Storm- FCPA (Part II)



Last week, we began a discussion on the application of the whistleblower provision of Dodd-Frank to FCPA violations.  Based on an analysis of the False Claims Act (FCA) amendments in 1986, and the related strengthening of whistleblower provisions, we concluded that enforcement actions will rise dramatically.

The questions today are:
  1. What is the inherent risk of an FCPA violation vs. an FCA violation?
  2. How effective are the relative control environments in their ability to mitigate the risks of violation? 
  3. Is the risk of a whistleblower action greater for violations under the FCPA than the FCA?


The inherent risk of the violation

I am a CPA.  It is ingrained in our DNA that the strength of the control environment needs to be directly proportional to the inherent risk of a violation.  Let’s examine the inherent risk of an FCA violation vs. an FCPA violation.

The submission of a false claim under the FCA usually requires either the intentional or reckless perversion of the claims submission process.  (I say usually because there are other false claims scenarios, such as reverse false claims, or bootstrapping anti-kickback theories.)  The claims submission process usually involves a fairly discreet pool of centrally located individuals with no apparent financial motive to submit a false claim.  In other words, medical coders or accounting personnel are usually not incentivized to overbill the government.  Therefore, the occurrence usually results from improper direction or training.  The false claim typically results in some level of incremental revenue which would benefit senior management or the company, but not necessarily the individual.  This also means the violation typically requires some level of intentional or inadvertent collusion.

An FCPA violation typically occurs when in-country management or the sales function makes, directly or indirectly, a payment to a foreign official in order to obtain business in that country.  Both in-country management and the sales function typically directly benefit from the activity.  Often, the result is not an increase in revenue, but a binary outcome of an all or nothing impact on revenue.  Further, there are often pressures from less scrupulous competitors that can literally leave the perpetrator with the feeling he “has no choice”.

If you view this within the prism of the Fraud Triangle, for a FCPA violation vs. an FCA violation:
  •         The individual motivation is usually higher for the FCPA violation.  (Variably compensated perpetrators.)
  •           The opportunity is greater for the FCPA violation (decentralized operations, less need for collusion).
  •      The rationalization is easier. (My competitors are doing this, what options do I have?  I won’t get the business if I don’t do this.)

In my opinion, this is not a close call.  The inherent risk of an FCPA violation is much greater than the inherent risk of an FCA violation.

The control environment

For the FCA, there are a variety of tried and true controls that can be applied to the claims submission process   Further, there is a body of standards that apply to the contents of the claim.  Is this cost allowable
 under the FAR?  Is this medical claim accurately coded?  One can develop training courses designed to ensure qualified people participate in the process.  There are certifications that evidence competency.  Sampling procedures can facilitate a relatively cost-effective audit.

For the FCPA violation, unless the perpetrator debited bribe and credited cash, it is not so easy.  The bribe can be quantitatively immaterial and, therefore, off the radar screen for traditional internal and external audits.  As a matter of fact, I am not aware of a single circumstance where an external audit has detected an FCPA violation.  In the case of Siemens, an external auditor discovered a 5 million dollar cash transfer, which Siemens disposed of in a one day investigation.  Did that result in a modification or even a delay to the auditor’s report?  No.  If you were to include FCPA violations in the scope of a financial audit, the audit would become cost prohibitive.

A payment that violates the FCPA is typically disguised as an “ordinary course of business” transaction.  If properly disguised, it can be very difficult to detect with traditional audit techniques.  One must invest significant time and effort to determine if payments to third parties exceed the fair market value of the services they rendered.  Often, this can be outside the typical professional knowledge of a CPA.  (For example, reviewing a civil engineers bill regarding services rendered for a potential building site.)  This is particularly true when the auditor is not familiar with rates and business arrangements in the country in question.

In summary, the adequacy of controls to detect a typical FCPA violation is much less than a typical FCA violation.  They primarily boil down to serendipity and whistleblowers.  Now about the whistleblower…

Is the risk of a whistleblower enforcement action greater for violations under the FCPA than the FCA?

First of all, I should disclose a bias that I have.  I believe any whistleblower provision with a monetary reward creates an incentive for the whistleblower to circumvent existing internal compliance controls.  Calling an internal hotline or emailing the compliance officer may get you a pat on the back.  On the other hand, going straight to the government could net you millions.  Do you see my point?

This has always been a problem under the qui tam provision of the FCA, but not an insurmountable one.  According to a study by the Ethics Resource Center, 84% of eventual whistleblowers attempted to use internal channels before going to the government.  (Now, to be fair, we don’t know how many just notified supervisors instead of calling a hotline or alerting the General Counsel or the Compliance Officer.)

This dynamic has been turned on its head under the Dodd Frank whistleblower provision that applies to the FCPA.  In a recent case a judge concluded that the would be whistleblower “did not fit within Dodd-Frank’s definition of a whistleblower”.  The logic was frightening.  Because the whistleblower had reported the matter internally rather than straight to the SEC, the suit was dismissed.  As a compliance professional, this is the worst nightmare.  Not only does a potential whistleblower have the monetary incentive to avoid internal reporting, according to this judge, he now must avoid internal channels to preserve his status.

Conclusion

I believe we are on the crest of an enforcement wave in the area of FCPA that will dwarf all previous corporate enforcement initiatives.  The enforcement will occur irrespective of who wins the election.  There will be SEC and DOJ task forces that teach all offices how to investigate these matters.  Future budgets will contain line items specifically focused on these matters.  It has been said "fraud has no fans."  It is also true that politicians do not like the outsourcing of revenues and jobs that inevitably occur with foreign operations. You ignore FCPA risk at your peril.  




Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)