One of the strangest news stories over the past couple of months has been the Manti Te’o story. For those few people who have not heard the story, Te’o was fooled (or not) into believing that he was in an online relationship with a non-existent woman named Lennay Kekua, who was falsely reported as dying of leukemia. Te’o, who says he was the victim of a “sick joke” repeatedly played along with the story in the weeks between when he says he learned Kekua was not real and when the story broke. Later, on Dr. Phil, Ronaiah Tuiasosopo, an alleged friend of Teo, claimed that he was the mastermind behind the entire scam so as to profess his love for Te’o.
One of the things that reporters who interviewed Te’o on his relationship with Kekua asked was if Te’o had ever met her in person? Te’o admitted that he had not. After Te’o announced to the world that she had died of leukemia, reporters asked if they could talk to her family, Te’o responded that they wanted to maintain their privacy.
In other words, there was never any validation of the Te’o/Kekua relationship, either by the primary party, Te’o, reporters who worked on the story or anyone else. My wife is a process analyst. She recently said something that struck me as one of the keys to a robust compliance program. She said that you need a ‘second set of eyes’. I asked her what she meant and she responded that if you do not put a second set of eyes on a process, you do not have validation of that process. I thought about that in the context of a Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance program and realized having a ‘second set of eyes’ on your process is critical.
I. Oversight Committee
This concept of a ‘second set of eyes’ has found favor with the Department of Justice (DOJ), through its use in a Deferred Prosecution Agreement (DPA) with the Monsanto Corporation. In the Monsanto DPA, the DOJ agreed, after the initial due diligence and appropriate review were completed on Foreign Business Partners, for Monsanto to implement certain post contract execution procedures. These requirements can be used as guidelines as to what the DOJ will look for from other US companies who have entered into relationships with Foreign Business Partners; especially in the area of ongoing monitoring of the Foreign Business Partner.
In Appendix B to the DPA, Monsanto agreed to, among other things, “the establishment and maintenance of a committee to supervise the review of (I) the retention of any agent, consultant, or other representative for purposes of business development or lobbying in a foreign jurisdiction”, or an Oversight Committee. It should be noted that Monsanto successfully completed the terms of its DPA and was discharged from further obligations under it in 2008.
The scope of this Oversight Committee is not fleshed out in the DPA. I would suggest that a company should incorporate both a pre-execution function and a post-execution management function in overseeing the full relationship with the Foreign Business Partner. While this oversight would most necessarily focus on FCPA compliance, there should also be a commercial component to this function.
a. Who Should be on the Oversight Committee?
The Monsanto DPA provides guidance on this point by stating “The majority of the committee shall be comprised of persons who are not subordinate to the most senior officer of the department or unit responsible for the relevant transaction;” this would indicate that senior management should be involved in the Oversight Committee. It would also indicate that more than one department should be represented on the Oversight Committee. This would include senior representatives from the Accounting (or Finance) Department, Compliance & Legal Departments and Business Unit Operations.
b. What Should the Oversight Committee Review?
The Oversight Committee should review all documents relating to the full panoply of a Foreign Business Partner’s relationship with the company. This would begin with a review of any initial requests to engage a new Foreign Business Partner. The information presented to the Oversight Committee would include the Business Unit’s request to engage the Foreign Business Partner, the costs and benefits. The next step would be to review the due diligence and all background investigative materials on the prospective Foreign Business Partner.
The Oversight Committee should receive copies of, and approve, all due diligence and background investigative materials before a contract is executed with the partner. Particular attention should be paid to the form of the contract. If there are deviations from the company’s standard form of agreement, with regard to the FCPA compliance issues, there should be a full explanation by the Foreign Business Partner or Business Unit. The Oversight Committee should determine if the company is taking on any unwarranted FCPA compliance risk if non-standard FCPA compliance terms and conditions are used.
After the commercial relationship has begun the Oversight Committee should monitor this relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations on the Foreign Business Partner with at least a minimum of a Level One Due Diligence and higher levels of due diligence based upon an appropriate risk rating. There should be an evaluation of any new or supplement risk associated with any negative information discovered from a review of financial audit reports on the Foreign Business Partners. All FCPA compliance training should be reviewed and certifications confirmed. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. As with all things FCPA the three most important words here are Document, Document, Document. If you cannot produce documentary evidence to the DOJ of your annual review and its findings, it is of no use to your company.
In addition to the above remedial review, the Oversight Committee should review all payments requested by the Foreign Business Partner to assure such payments are within the company guidelines and is warranted by the contractual relationship with the Foreign Business Partner. Lastly, the Oversight Committee should review any request to provide the Foreign Business Partner any type of non-monetary compensation and, as appropriate, approve such requests.
The oversight of Foreign Business Partners is one of the key tools that a company can use to prevent and detect any violation of its own Code of Ethics and Compliance and the FCPA. The proper structure of the Oversight Committee and its full engagement with all aspects of a company’s relationship with a Foreign Business Partner is one of the areas that the DOJ will look for in a successful FCPA compliance program.
An Oversight Committee is a literally a ‘second set of eyes’ which can be utilized by a company to manage its relationships. An Oversight Committee does not replace any of the other key components of an effective FCPA compliance program but it does provide an additional level of protection, back-up and transparency for all activities with a Foreign Business Partner. It should be employed by companies as an additional protection against any type of FCPA compliance and ethics violation “slipping through the cracks” to become a much larger problem down the road.
Another way to think about a ‘second set of eyes’ is through ongoing monitoring of a compliance program. Two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit and respond quickly to allegations of misconduct. These highlighted activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
Many companies fall short on effective monitoring. This can sometimes be attributed to confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it’s effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance if you notice a trend of suspicious payments in recent monitoring reports from a particular country, it may be time to conduct an audit of those operations to further investigate the issue.
Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally, the global compliance committee should meet, or communicate, as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.
The Manti Te’o story provides some significant lessons for the compliance practitioner. Putting a ‘second set of eyes’ on any process, including compliance is the only way to validate the process. If any reporters had been able validate any of the Te’o story before it was revealed to be a hoax it might have led to a very different ending, rather than the one that Te’o maintained all through his senior year at Notre Dame, when he was a candidate for the Heisman Trophy. To sum it all up, I go back to President Ronald Reagan, as he told Mikhail Gorbachev, “Trust, but verify”. A ‘second set of eyes’ will not only help to validate your compliance process but go a long way to keeping your compliance program out of hot FCPA or Bribery Act water.