Shop Talk: Best Practices on Fraud Risks

On Dec. 3, 2008, Compliance Week and the law firm of White & Case hosted an Editorial Roundtable on fraud risks in emerging markets at the Ritz-Carlton Battery Park Hotel in New York City. Eleven legal and compliance officers were invited to discuss how their companies address global fraud issues. The Roundtable was moderated by Compliance Week Editor-in-Chief Matt Kelly, and featured White & Case partners Bob Bittman and George Terwilliger, who heads the firm’s white-collar defense practice and who was formerly deputy attorney general at the Justice Department. The article below explores some of the issues discussed.

THE PANELISTS

The following compliance executives participated in the Dec. 3 fraud roundtable convened by Compliance Week and the law firm of White & Case:

Stacey Babson-Smith,

Chief Ethics, Compliance Officer,

Terex Corp.

Wayne Brody,

Chief Compliance Officer,

Arrow Electronics

David Frishkorn,

Chief Compliance Officer,

Comverse Technologies

Roger Louis,

Chief Compliance Officer,

Genzyme

Mark McCormick,

General Counsel,

SunCoke Energy

Vincent O’Connor,

VP of FCPA Compliance,

L3 Communications

Rick Sanchez,

VP of Internal Audit,

AllianceBernstein

Patrick Sheller,

Chief Compliance Officer,

Eastman Kodak

Mary Beth Taylor,

Assistant General Counsel, Compliance,

U.S. Steel

K.C. Turan,

Chief Compliance Officer,

Dun & Bradstreet

Marcus Wendehog,

Assistant Counsel, NY Office,

DnB NOR Bank

George Terwilliger, Partner and White-Collar Defense Practice Leader,

White & Case

Robert Bittman,

Counsel,

White & Case

When it comes to managing fraud risk, compliance and internal audit executives say the toughest challenge isn’t winning support from the board or top management; it’s winning over everyone else in the company.

That was one of the top concerns among an expert panel convened Dec. 3 by Compliance Week and the law firm White & Case to discuss fraud risk in emerging markets. The wide-ranging discussion covered compliance with the Foreign Corrupt Practices Act, how to handle government investigations, assessing fraud and bribery risks generally, and how to manage corporate compliance as revenues fall and budgets get cut.

Topping all other concerns, however, was how to develop respect and enthusiasm for corporate codes of conduct, especially among workers in foreign markets who might give little thought to the expectations of U.S. executives worried about U.S. laws and regulation.

“Getting out and working with your people around the world and giving them the right information, tools, and training is critical to delivering the message,” said Stacey Babson-Smith, chief ethics and compliance officer at Terex Corp.

That cultural divide often boils down to understanding the Foreign Corrupt Practices Act, which prohibits U.S. companies—or anyone affiliated with them, such as subsidiaries, contractors, or other third parties—from bribing foreign officials to win business. K.C. Turan, chief compliance officer and chief privacy officer at Dun & Bradstreet, said the challenge is getting those groups “to understand that it’s more than just a U.S.-centric law and that it directly impacts our operations abroad. Doing so requires a combination of preventive and detective controls that encompass policies, procedures, training, communications, awareness, monitoring, and reporting.”

The group said mergers and acquisitions pose some of their greatest antifraud compliance challenges. Nearly 70 percent of employees at Eastman Kodak today, for example, weren’t with the company in 2003—and many of those new hires hailed from overseas or privately held companies, with markedly different attitudes about compliance.

“We essentially have a new company and that means we have a new culture,” said Patrick Sheller, Eastman Kodak’s chief compliance officer. “Our challenge has been to educate the new employees about the Kodak compliance program and to set the right tone at the top without dampening the entrepreneurial spirit of some of the companies we’ve acquired.”

Complacency is also a concern. David Frishkorn, former director of ethics and compliance at Xerox (now at Comverse Technologies), said, after settling an SEC enforcement action charging the company with fraud in 2002, getting attention for compliance wasn’t a problem. But now, years after the offense, making sure people don’t forget the consequences of non-compliance is a concern.

“We put in all of the bells and whistles and a very robust program, including FCPA training and compliance activities, but memories are short,” said Frishkorn, now chief compliance officer at Comverse Technology.

Local Wisdom

Panelists shared a number of strategies for coping with their common challenges. Above all, they said, nothing is as effective as visits to the field to meet local managers and employees.

“The most effective way of knowing what’s going on is to talk to the people who are doing the business,” Babson-Smith said. “I can sit in my office and speculate … but I won’t know what my sales people are dealing with unless I talk to them.”

The connections forged by in-person visits can also help with pushing responsibility for compliance out to local employees. Roger Louis, chief compliance officer at Genzyme, said local ownership of compliance and antifraud efforts is crucial; he tries to push that onto the controller or a regulatory person in each of Genzyme’s many locations.

AllianceBernstein VP Internal Audit Rick Sanchez (left) takes in the comments of Genzyme Chief Compliance Officer Roger Louis.

Eastman Kodak Chief Compliance Officer Patrick Sheller adds to the conversation.

L3 Communications VP FCPA Compliance Vincent O'Connor (center) adds some levity to the conversation with Terex Chief Ethics and Compliance Officer Stacey Babson-Smith

and Comverse Technologies CCO David Frishkorn.

Mark McCormick,

SVP and General Counsel of Sunoco division SunCoke Energy.

Marcus Wendehog, a compliance leader at Norwegian banking giant DnB NOR ASA, emphasizes a point. At his right is

Arrow Electronics Chief Compliance Officer Wayne Brody.

George Terwilliger, former deputy attorney general and now partner at White & Case, provides context to the discussion.

Dun & Bradstreet Chief Compliance Officer K.C. Turan (left) listens to Terex Chief Ethics and Compliance Officer Stacey Babson-Smith. In the background is Compliance Week publisher Scott Cohen.

U.S. Steel Assistant General Counsel Mary Beth Taylor adds to the conversation on fraud risk in emerging markets.

Former Deputy Attorney General George Terwilliger, now head of the white-collar defense practice at the law firm White & Case, agreed. “Unless you go out and talk to folks on the ground, you’re only looking at half the picture,” he said. “The audit work done on the front end is often a pointer to the people you need talk to or the transactions you need to look at.”

Mary Beth Taylor, assistant general counsel for compliance at U.S. Steel, said it’s a challenge to integrate the firm’s ethics and compliance programs in its overseas locations and to make them “relevant and meaningful … with local sensibilities.”

Vince O’Connor, vice president of FCPA compliance at defense contractor L3 Communications, voiced a common complaint: that overseas employees view the FCPA as a U.S. law they can ignore. His solution when he visits the field is to bring a local lawyer along, “to stress that this is an anticorruption problem, not just an FCPA problem.”

Likewise, Marcus Wendehog, assistant counsel in the New York office of DnB NOR Bank, said in-country ownership with local expertise is key. “Otherwise, it’s viewed as someone else’s problem, or as a ‘head office’ problem,” he said.

Budget Blues

For better or worse, all the compliance executives at the Dec. 3 forum agreed on another point: They will be forced to do more with fewer resources in the coming year. None plan to cut their FCPA or fraud risk training outright, but many do expect to get more creative about it in 2009.

Taylor, for example, said U.S. Steel plans to use more online training next year in lieu of some live in-person training. Wayne Brody, chief compliance officer at Arrow Electronics, wants to leverage recent investments in people and IT to increase the company’s ability to identify fraud and other risks as they arise. Those investments include tele-conferencing technology, a global security executive committee, and regional corporate audit teams to vet issues locally, he said.

Overdose on Training

Terwilliger said the government expects companies making foreign acquisitions to do thorough due diligence on such issues upfront. “You have precious little time to fix any problems without them coming down on you,” he warned. “If you don’t, or worse, you see indication in the due diligence and don’t do anything about it, they will crucify you.”

When vetting third parties, Mark McCormick, general counsel at SunCoke Energy, said his first step in compliance is to “thoroughly understand whom you’re doing business with.”

Some of the more vexing challenges about FCPA compliance are understanding exactly when payments in a foreign country might not violate the law here (such as the mystery of “facilitating payments,” which technically don’t violate the FCPA but often are hard to recognize), and what to do about bribing private citizens in another country—a practice that doesn’t violate the FCPA specifically.

Bob Bittman, another White & Case partner, advocated a simple approach: Ban all sorts of payments to all parties, period. “Invariably around the world, it’s illegal to bribe private individuals as well as government officials, so your compliance program should prohibit bribery period, not just the bribery of a government official,” he said. “Just prohibit them,” he said.

Similarly, Rick Sanchez, vice president of internal audit at Alliance Bernstein, said his firm has taken the approach “of training, not just specific to FCPA, but to fraud awareness overall and training our employees to be able to identify what is a red flag.”

“No matter how good your compliance program is, if you’re not dealing with counterparties that are committed to following your compliance program, you’re going to get into trouble,” he said.

Handling Regulators

The panel also heard advice on how to structure their compliance programs and deal with regulators. Most participants said their companies have established internal disclosure committees to review thorny issues related to self-reporting FCPA violations. At Xerox, for example, a seven-person committee reviewed problems, and each person had one minute to decide whether a concern should be reported to regulators or not.

“If a committee of seven can’t decide after seven minutes that something is or is not disclosable, then there’s enough concern and it goes to the board and the board decides,” Frishkorn said.

Terwilliger, meanwhile, said disclosure “isn‘t a philosophical issue, it’s a strategic issue.”

His advice: “Where it makes sense to make a disclosure or to respond affirmatively to the government’s suggestion that you look into something, put all of the facts on the table, then argue like hell about what those facts mean in terms of an outcome.”

Terwilliger urged companies to focus their antifraud efforts on where the risk is the greatest. Taking a methodological approach to assessing where the risk is the greatest “really gives you the best bang for the buck,” he said. “It also sets you up, should you have a problem, to say ‘We weren’t just looking on the top of the floor and the furniture to see if it was dusted, we were picking up the rug.‘”

His last word: “If all you do is go out and train, get a signature, and go home, and you get in trouble, the government is going to say you weren’t even trying.”

The article above explores topics discussed at an Editorial Roundtable, hosted Dec. 3, 2008, at the Ritz-Carlton Battery Park Hotel with the law firm of White & Case. For more information on Compliance Week Editorial Roundtables, contact publisher Scott Cohen via email or at 888-519-9200.