This week I am considering the recent spate of Foreign Corrupt Practices Act (FCPA) enforcement actions brought by the Securities and Exchange Commission (SEC) at the close of its fiscal year. Last week saw several interesting FCPA enforcement actions with some significant lessons to be garnered by the compliance professional and this week we are looking at them in some depth. Today we consider the enforcement actions Barclays PLC (Barclays). The matter was resolved via a Cease and Desist Order (Order). In it, the company agreed to pay disgorgement of $3,824,686, prejudgment interest of $984,040, and a civil money penalty in the amount of $1,500,000, for a total payment of $6,308,726 to the SEC.
Barclays is well known to readers of this blog for its prior regulatory stumbles in the banking sector and in the actions of its Chief Executive Officer (CEO) to unmask an anonymous whistleblower. Barclays came to FCPA grief for the actions of its Asia Pacific Region, involving the bank’s subsidiaries, which, according to the SEC Press Release, “provided valuable employment to the relatives, friends, and associates of government officials to obtain or retain business or other benefits. Many of these “Relationship Hires” were made through an unofficial intern program, but some were also hired through Barclays’ formal intern program, its graduate program, or as candidates for permanent positions.”
While there have been multiple ‘sons & daughters hiring’ FCPA enforcement actions, the Barclays case does have important lessons for the compliance professional. Even if they seem basic, they still bear revisiting as the basics of compliance form the basis of any best practices compliance program.
From approximately 2009 to 2013 Barclays had variously named hiring programs which targeted intern candidates which would benefit the bank’s customer relationships with both state-owned enterprises and foreign governments directly. According to the Order, it began in 2009 with “an “unofficial intern” program for Barclays Korea that was separate from Barclays’ formal internship program. The stated purpose of the program was to provide work experience opportunities for Korean college students and “on occasion to provide positions for ‘relationship’ requests for qualified students.”” The key metric “was what business the client could deliver to the bank.” Other important considerations included “whether the client was important, whether the hire would enhance the business relationship, and whether hiring the candidate would “open doors” or otherwise help the bank win business.” This “unofficial intern” program was so successful it was expanded throughout APAC.
The “unofficial intern” program morphed into the “work experience program” in 2011. On paper this new program met the basic compliance requirements by mandating “limits on the number of candidates for each jurisdiction” and requiring corporate compliance function “approval for any candidates referred by a government official or non-government client. The business unit seeking authority to offer employment through the work experience program was required to disclose on a candidate application form whether the candidate had been referred for hiring by a client and to explain the business rationale for the hire.” However, these paper requirements were routinely disregarded, overridden or simply ignored as “APAC personnel continued to make relationship hires in violation of Barclays’ anti-bribery and corruption policies.”
In 2012, seemingly dropping all pretense of complying with its own internal requirements, the APAC region initiated the “Strategic Hiring” program which targeted the sons and daughters of foreign officials or employees of state-owned enterprises. Shortly after this specifically targeted hiring program was initiated, “Barclays updated its policy guidance to reiterate a “zero tolerance” policy regarding bribery and reaffirming that the policy applied to all business dealings with state-owned entities as well as private clients. The policy emphasized that the prohibition on offering anything of value to a public official in order to obtain business included offers of employment to family members or associates.” However, as the Order somewhat dryly noted, “the new policy had little impact on hiring practices within APAC” and there were some half-dozen hires made under the Strategic Hiring program in direct contravention of the corporate policy of “zero tolerance”.
Finally in 2013, Barclays shut down all these illegal hiring programs after news reports regarding investigations into relationship hiring practices at other financial institutions in APAC became common knowledge in the press. Thereafter, Barclays has enhanced its internal controls related to hiring and employment opportunities through a series of policy, governance, and training initiatives. These initiatives include enhancements to the anti-bribery and corruption policy and a specific “Anti-Bribery & Corruption Employment & Work Opportunity Standard,” which sets out the control requirements for hiring practices risk, provides for targeted training, and establishes electronic resources to communicate the new policies, processes, and emerging risks. In addition, Barclays introduced regional help desks to streamline the escalation of issues, implemented a system to track anti-bribery and corruption-related requests, and adopted independent testing and assurance initiatives.”
The Barclays’ FCPA enforcement action points out the need for some of the very basics of any best practices compliance program.
Training
In several instances, the Order cited examples of senior executives who were not only unaware of the basic anti-corruption prohibits of the FCPA but the specific prohibitions of hiring relatives of foreign officials to “secure a benefit”. This lack of training on the very basics of not only the FCPA but also anti-bribery/anti-corruption compliance is something that every compliance professional needs to be reminded about. Training is a foundational component which simply cannot be ignored.
The Department of Justice (DOJ) reminded us in the Evaluation of Corporate Compliance Programs, 2019 Guidance, that training must be “effective”. While it may seem that the very basics of awareness of FCPA application are beyond the need for testing, the Barclays FCPA enforcement action makes clear that you must still train on the basics and test that training to make sure the message is getting through.
Gatekeepers
The Barclays (paper) compliance program, required compliance oversight. Yet the APAC (and home office) compliance function seemed blissfully unaware of their role in oversight as gatekeepers for the hiring of high-risk individuals. The compliance function only reviewed such hirings for potential conflicts of interest. The Order noted, “APAC compliance officers stated that they were unaware of this aspect of the policy.” Rather amazingly one “senior APAC compliance executive said that he had never read the 2009 anti-bribery and corruption policy.”
This led to the anomalous situation that the “senior compliance officer responsible for reviewing referral hires, acknowledged that, in evaluating hiring requests, he never reviewed information relating to pending business with Barclays’ clients even though he had access to that information. Moreover, even though Barclays’ policy required “compliance monitoring” in the hiring process, the same compliance officer could not explain what that requirement was or how it was conducted.” [emphasis supplied] When gatekeepers do not bother to read the gate requirements they are charged to enforce, you have very large recipe for illegal actions moving through the gate. At Barclays, this is what occurred. When the compliance function operates as a gatekeeper, it must understand its role and exercise that role.
The Barclays enforcement action presents some very (back to the) basics lessons for the compliance professional. First, how are you testing the effectiveness of your compliance programs. Secondly, for the gatekeeper roles that your compliance function performs, when was the last time you tested to see if they were actually being done; done correctly and if those gatekeepers knew what was required of them? Maybe it’s time to start asking some questions.
[View source.]
