Hey diddle diddle,

The Cat and the fiddle,

The Cow jumped over the moon.

As my friend and colleague Jay Rosen is want to remind us, he continually learns much about compliance and ethics from his Kindergarten-aged daughters. I submit that you need only look to children’s nursery rhymes in the context of the recent Hewlett-Packard (HP) Foreign Corrupt Practices Act Enforcement (FCPA) to fully appreciate the inanity of the myth of the ‘rogue employee.’ HP has been cited as the prime example of the case where a small group of evil or ‘rogue employees’ purposely mislead their ultimate US corporate parent (HP Co) by engaging in bribery and corruption for which their US corporate parent, who did not engage in the corrupt action, were forced to pay the fines and penalties (and attendant investigative costs, remediation costs and negative publicity). For the purposes of this discussion we will leave out the millions of dollars that HP potentially benefited from via the illegal actions of its alleged ‘rogue employees’; or if there has ever been a case involving ‘rogue employees’ who, intentionally or otherwise, took a company down into FCPA grief.

I. HP-Poland – the Tale of Little Jack Horner – what a good boy I am

Little Jack Horner

Sat in the corner,

Eating a Christmas pie;

He put in his thumb,

And pulled out a plum,

And said ‘What a good boy am I!’

This is the one where commentators are having a Eureka moment. After all, the settlement documents point to one man, HP’s Poland Country Manager, and his John Le Carré-esque meetings. In this bribery scheme, the Country Manager engaged in a multi-year bribery scheme to pay bribes to one Polish government official to secure a large number of contracts. These bribes were paid surreptitiously, using a variety of techniques to evade detection but they all had one thing in common which I will ask you to figure out from the Bribery Box presented below.

HP-Poland Bribery Box Score

For those of you not so quick on the draw the common element, at least until the end of the Box Score, is that all the bribes were paid in cash. For part of my in-house legal career, I did legal work for the energy industry and I have some familiarity in the amount of money that Country Manager’s made, at least the range of their salary and bonus, and it certainly was not enough to fund bribes in the amount of $600,000 in cash over a couple of years.

So let me get this straight, no one else at HP-Poland aided the Country Manager while he helped himself to the kitty? Didn’t anyone even notice, say in 2007, one of our $250,000 was missing? If not, the Country Manager had to have help in siphoning off funds from HP itself to fund these bribes? So my first question is where was HP internal audit? At the country level? At the region level? At the corporate level? Where was HP Co, when HP-Poland landed $60MM in contracts, in determining how these contracts were procured? Where were HP internal controls?

Was the Country Manager like Little Jack Horner? What a good boy I am?

II.   HP-Russia – Yes Sir, Yes Sir, Three Bags Full

Baa, baa, black sheep,

Have you any wool?

Yes, sir, yes, sir,

Three bags full.

HP-Russia seems to confuse commentators the most about the myth of the ‘rogue employee’. Here they point to the coded spreadsheets (the “Encrypted Spreadsheet”), which could only be unlocked and read by the conspirators themselves. And after all, they lied, lied, when they were asked about some of the details of the transaction in questions. I am sure Inspector Renoir is still shocked, shocked, to discover that gambling is still occurring on the premises of Rick’s Café American in Casablanca.

So why three bags full? Well, first of all, if you are from a certain university in central Texas you’ll immediately know what it means. For the less delicate among you, it would mean a large load of Col. Sherman Potter’s horse-hockey; three bags full in fact. This deal had been floating around HP for years, was well-known enough to raise multiple Red Flags inside the company and was simply internally shopped until it slid through by hook, nook or crook; or in this case, three bags full.

The initial deal was inked with the Russian government in June 2001 but as the Russian government could not fund it, they sought another foreign government to fund and that government was the US. However, to do so, it required that at least 85% of all goods and services were of US origin. To meet this requirement, the initial deal was changed to substitute a US intermediary (Intermediary 2) who replaced the Swiss intermediary on the deal (Intermediary 1). HP Co conducted due diligence on Intermediary 2 and then met with Intermediary 2 in the US to conduct additional due diligence. However, Intermediary 2 balked at answering more “pointed questions” about its expertise and financial wherewithal to handle the transaction. HP Co then told HP-Russia that they would not approve the transaction.

Not to be deterred from a good deal, the foreign government financing was switched from the US to Germany. In addition, Intermediary 2 was ditched for a one-man shop, Burwell Consulting Ltd (Burwell). Burwell and others were eventually paid nearly $21MM in bribes for the Russia government contract. There has been much discussion about how HP-Russia tricked HP-Germany’s employees through the use of “encrypted, password protected spreadsheets that tracked the deal’s financial inflows and outflows”. However, what I found more interesting was the discussion about how not only had HP-Russia shopped the deal internally and been told a resounding NO by HP Co for obvious Red Flags present but also the discussion of how HP-Russia internally funded the bribery scheme.

They did so by the classic ‘stuffing the channel’ that every software lawyer, accountant, bookkeeper, auditor, sales rep and anyone else subject to GAAP or IFSR learns on their first day of training on their first job. It goes like this: HP-Russia sold products to a channel partner; who then sold them to Intermediary 3; who then sold them back to HP with a mark-up and voila, you have a big pile of cash with which to bribe.

So what does the HP-Russia deal tell us about HP as a company? As with HP-Poland, you would have to question where was internal controls while this was playing out, at the country level, at the region level, at the anywhere level? But there is far more than simply internal controls going on here. Based on what was publicly announced in the settlement documents, HP Co had actual knowledge that the deal was rife with Red Flags as it was presented. It was so bad they shut it down. Of course, the business guys simply resurrected it in another place, in another guise. What does that say about the overall effectiveness of the compliance function at the time if HP-Russia could bring a Red Flagged deal to HP Co only to have it stopped, then to shove it through HP-Germany due to weak controls? What about the internal controls on how HP-Russia was able to generate $21MM in scammed money to pay the bribes in the first place? Think anyone else might have thought about running that scam through those robust internal controls? After all, its only three bags full…

III.   HP-Mexico – Fool Me Once…

Fool Me Once,

Shame on You;

Fool me twice,

Shame on Me.

The above did not come from George Bush (The Younger) but is purported to be an old Chinese proverb. I like that thought anyway and it certainly informs our look the claim of ‘rogue employee’ in Mexico. Here, for reasons far beyond my comprehension, HP was able to secure a Non-Prosecution Agreement (NPA) from the Department of Justice (DOJ) for the actions of its subsidiary in Mexico in paying a bribe of $1.6MM to facilitate the winning of a contract worth $6MM. But the lesson learned from the ancient Chinese proverb certainly informs our look at the allegation of the ‘rogue employee’ down Mexico way.

HP-Mexico wanted to use a certain agent involving a deal with Pemex because he had a very close relationship with the Pemex official who would be making the decision on the contract. HP-Mexico even signed a contract with this agent where his description of services was an “influencer fee” for which he would receive a 25% commission. This agent could apparently neither meet HP Co’s due diligence requirements, accept HP Co’s mandatory commission rate or both but whatever the reason, they were not approved as an agent on the Pemex deal. But like all good HP business folks (beginning to see a pattern here?) HP-Mexico simply subcontracted this agent to an existing, approved HP channel partner. HP-Mexico then amazingly (or perhaps not) said that they needed to raise the commission rate of this channel partner from 1.5% to 26.5% because this channel partner was now “managing discounts with Pemex” which coincidentally, this channel partner had never done. Because this channel partner was previously approved by compliance, the request for increase in commission rate was never submitted to compliance for approval. Think an internal control or two might have been appropriate in this situation?

What do the nursery rhymes and Chinese proverb tell us about HP and the Myth of the Rogue Employee? All three of the bribery schemes involved showed that there were multiple failures of numerous systems that allowed the schemes to run rampant. But perhaps the thing that they speak to the most is the culture that existed at the company during the time frames in question. While the FCPA Professor and others have noted that some of the conduct in question began in Russia as long ago as 1999, the settlement documents speak to conduct in Poland as recently as 2010. Certainly, the NPA for HP-Mexico’s conduct was for actions in 2009. What was the tone set that not only allowed employees to think that they could get away with subverting the law but that they had to do so. That, perhaps, is the most troubling questions unanswered by the Myth of the Rogue Employee.

Whatever the answer to HP’s culture of compliance may have been at the time of the conduct which led to the enforcement action, the claim that the company does not bear responsibility for either setting that tone, facilitating the conduct by looking the other way when convenient or not having appropriate internal prevention and detection controls in place to prevent massive fraud by its own employees; the reality is that when a employees of a company can evade controls to generate multi-millions of dollars to generate pools of money to pay bribes, there is no ‘rogue employee’ or even small group of rogue employees. Or there is about as much chance as a cow jumping over the moon.