This post highlighted the recent $77 million Foreign Corrupt Practices Act enforcement action against Credit Suisse concerning its internship and hiring practices involving family members of alleged Chinese “foreign officials.” This post continues the analysis by highlighting additional issues to consider.
Credit Suisse’s FCPA scrutiny appears to have begun in late 2013 (see here). Thus from start to finish, its scrutiny lasted approximately 4.5 years.
At the risk of sounding like a broken record to regular readers … if the DOJ/SEC want the public to have confidence in their FCPA enforcement programs, they must resolve instances of FCPA scrutiny much quicker. The validity and credibility of FCPA enforcement depends on this. Having FCPA scrutiny linger for over four years is inexcusable particularly since Credit Suisse, in the words of the DOJ:
“[Made] factual presentations to the Offices, voluntarily [made] foreign-based employees available for interviews in the United States, [produced] documents to the Offices from foreign countries in ways that did not implicate foreign data privacy laws, [provided] translations of foreign language documents, and [collected] and [presented] evidence to the Offices.”
What Is The Difference Between “Proactive” and “Reactive” Cooperation
As a parent, I want my children to clean their room.
The DOJ wants business organizations to cooperate in FCPA inquiries.
The room gets clean regardless of whether the kids react to my command, “please clean your room,” or are proactive and say, “dad would you like me to clean my room.”
Cooperation occurs in FCPA inquiries regardless of whether a business organization reacts to the DOJ’s commands “please do x, y, or z” or is proactive and says “DOJ what would you like us to do.” For a wide variety of reasons, I hope the later is not now what the DOJ is expecting.
All of which means: what the heck did the DOJ mean in the resolution documents when it stated: “the company did not receive full cooperation credit because its cooperation was reactive, instead of proactive”?
I’ve seen several law firm alerts, etc. claim that the Credit Suisse enforcement action marked “the fourth FCPA settlement involving a company’s hiring practices.” True, the Credit Suisse enforcement action is the 4th FCPA enforcement action PRINCIPALLY FOCUSED on intern and hiring practices. (As highlighted in this prior post the others were: (i) BNY Mellon Corp. in August 2015 for $14.8 million (see here and here for prior posts); (ii) Qualcomm in March 2016 for $7.5 million (see here and here for prior posts); and (iii) JPMorgan in November 2016 for $202.6 million (see here, here, and here for prior posts).
However, as highlighted in this post when JPMorgan’s FCPA scrutiny was making headlines in 2013, many FCPA enforcement actions (going back to at least 2007) have included allegations or findings regarding employment practices involving family members of alleged “foreign officials.”
Kudos to the SEC for the Lack of Books and Records Findings
For most of FCPA enforcement history, I would have challenged anyone to find an SEC FCPA enforcement action charging or finding internal controls violations that did not also include books and records charges or findings. To my knowledge such an action did not exist until the internship and hiring practices enforcement actions mentioned above.
For instance, the BNY Mellon enforcement action did not include books and records charges or findings.
But then again, the Qualcomm and JPMorgan enforcement actions did.
And that was wrong because the books and records provisions are intended to address “financial” books and records. The SEC has stated:
“records which are not relevant to accomplishing the objectives specified in the statute for the system of internal controls are not within the purview of the recordkeeping provision.” (emphasis added)
[T]his provision is not an independent and unrestrained mandate to the [SEC] to establish novel or unprecedented corporate recordkeeping standards; it is, rather, an integral part of Congress’ efforts to assure that the business community records transactions and assets in such a way as to maintain adequate control over them. And, this leads to two important conclusions: First, the [FCPA] does not establish any absolute standard of exactitude for corporate records. And, second, records which are not related to internal or external audits or to the four internal control objectives set forth in the [FCPA] are not within the purview of the [FCPA’s] accountingprovisions.” (emphasis added)
Likewise, in the 2012 FCPA Guidance the government stated:
“The FCPA’s accounting provisions operate in tandem with the anti-bribery provisions and prohibit off-the-books accounting. Company management and investors rely on a company’s financial statements and internal accounting controls to ensure transparency in the financial health of the business, the risks undertaken, and the transactions between the company and its customers and business partners. The accounting provisions are designed to ‘‘strengthen the accuracy of the corporate books and records and the reliability of the audit process which constitute the foundations of our system of corporate disclosure.” (emphasis added)
Notwithstanding the above, in the Qualcomm and JPMorgan enforcement actions, the SEC invoked the books and records provisions. For instance, in the JPMorgan action, according to the SEC, the false and misleading books and records consisted of subsidiary personnel submitting, reviewing, and approving “inaccurate compliance questionnaires” containing false and misleading information which failed to disclose the intended, improper purpose of making certain client referral hires.” Seemingly lost in the enforcement action was that the internal compliance questionnaires had nothing to do with financial reporting.
In short, the above was a rather long way of saying kudos to the SEC for not invoking the books and records provisions in the Credit Suisse enforcement action.
The FCPA’s internal controls provisions state that issuers shall “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that” certain limited financial objectives are met.
In the Credit Suisse enforcement action, the DOJ or SEC stated:
“As early as 2007, Credit Suisse recognized the FCPA risks in hiring the relatives of foreign government officials. Credit Suisse’s Global Anti-Bribery Policy (the “Global Policy”) specified that “[o]ffers of employment, including internships, to Government Officials, their family members, or associates,” could be considered to be “things of value” under the FCPA, and were prohibited if offered “to obtain or retain business, or otherwise secure an improper advantage.” The Global Policy was also reflected in regional policies applicable in APAC that recognized the bribery risks inherent in referral hiring and specified additional restrictions on the practice.
In 2011, the Global Policy was updated to specify that ad hoc training activities and internships for relatives of government officials that were clients both fell within the scope of prohibited employment practices. The updated Global Policy stated that such referrals could only qualify for positions in existing campus or lateral hiring programs with open application processes and that no special treatment could be provided for those referrals in the recruiting process.”
“Credit Suisse’s compliance policies governing the bank’s referral hiring practices highlighted the corruption risks associated with referral hiring, and dictated that Credit Suisse HK could employ government-connected Referral Hires under only very limited circumstances. From at least 2007, the Global Policy prohibited offering a job or internship to any foreign official or relative of a foreign official to obtain or retain business or otherwise for improper purposes.
In light of the corruption risks identified in its own compliance policies, Credit Suisse placed written requirements around the onboarding of Referral Hires.”
If Credit Suisse did not have policies and procedures, training and other controls regarding certain internship and hiring decisions, it seems quite clear that the government would have found Credit Suisse to be in violation of the internal controls provisions.
But Credit Suisse, according to the government, did have these controls. Nevertheless, in the words of the DOJ/SEC
“Credit Suisse managers in APAC instructed subordinate employees to engage in practices to give the appearance that normal hiring processes were being followed for referral hires when they were not. For example, on one occasion a Credit Suisse manager instructed a subordinate employee to draft a resume for a referral hire candidate. On at least one other occasion, Credit Suisse managers instructed subordinate employees to artificially inflate ratings for a referral hire during employment interviews or score individuals highly on hiring forms, regardless of their actual abilities or interview performance.”
“Senior Credit Suisse managers in APAC engaged in sham practices intended to give the appearance of a regular hiring process being followed. Senior Credit Suisse managers in APAC instructed subordinates to conduct interviews of referral candidates and automatically score the candidate highly, regardless of his/her actual performance.”
The end result? According to the government, Credit Suisse violated the internal controls provisions. In the words of the SEC:
“Credit Suisse failed to take adequate steps to mitigate known risks of bribery and corruption in its APAC operations. Credit Suisse HK failed to meaningfully implement or enforce Credit Suisse’s policies until 2013.”
DOJ Once Again Shoots Itself in the Foot
The DOJ has long wanted companies to voluntarily disclose conduct that implicates the FCPA. Why then does the DOJ continually make decisions that should result in any board member, audit committee member, or general counsel informed of current event not making the decision to voluntarily disclose?
The Credit Suisse enforcement action is the latest example.
For starters Credit Suisse did not voluntarily disclose.
Moreover, upon becoming the subject of FCPA scrutiny, Credit Suisse (as discussed above) did not cooperate to the DOJ’s satisfaction. In addition, Credit Suisse did not remediate to the DOJ’s satisfaction as the NPA states: “the Company did not receive full credit for remediation because it did not sufficiency discipline employees who engaged in the misconduct, and instead only recorded policy infractions internally and provided notices of infractions to three employees.”
The end result for a non-disclosing, non-fully cooperative, deficient remediating company?
A non-prosecution agreement with a settlement amount (as stated in the NPA) “15% off of the bottom of the U.S. Sentencing Guidelines fine range.”
If I am a rational board member, audit committee member, or general counsel, I look at this “precedent” (and I use that term loosely and not in the sense of case-law precedent) the DOJ has created in this and several other recent enforcement actions and think to myself:
“Why in the world should we disclose. Let’s thoroughly investigate the issues, promptly implement remedial measures, and effectively revise and enhance compliance policies and procedures – all internally and without disclosing to the enforcement agencies. In the unlikely event the DOJ finds out about the conduct, the DOJ is still likely to offer the company an NPA or DPA and we will still likely be able to resolve the matter for a meaningful reduction off the minimum amount suggested by the guidelines. Sure the “FCPA Corporate Enforcement Policy” may offers bigger “carrots,” but those are discretionary and generally only relate to settlement amounts and not the full range of financial ramifications that often result from FCPA scrutiny. (See here for the article “Grading the DOJ’s FCPA Corporate Enforcement Policy.”)
In short, if the goal of the DOJ is to encourage corporate voluntarily disclosures, it is actually shooting itself in the foot by virtue of its recent decisions.
The message seems to be clear for any board member, audit committee member, or general counsel informed of current events – do not voluntarily disclose.
FCPA Institute - Boston (Oct. 3-4)
A unique two-day learning experience ideal for a diverse group of professionals seeking to elevate their FCPA knowledge and practical skills through active learning. Learn more, spend less. CLE credit is available.