A recent panel hosted by Corporate Board Member and FTI Consulting took a deep dive beneath the turbulent seas of global regulatory compliance and asked what a good compliance program really looks like for businesses, large and small, operating in a variety of jurisdictions. Global risk and compliance experts discussed the wild world of international regulation, the increasing prosecutorial bent of regulatory agencies, and the difficulties of vetting overseas business partners. There’s no magic wand that will ensure your company’s safety, but there are best practices that can substantially reduce your risks.
Erica Salmon Byrne: What are some characteristics that define a good compliance program?
Philip Boulton: That’s a big question. As someone in a company that provides help and support to general counsel, boards and heads of government relations in businesses that are taking the issues of bribery, corruption, political connections, legality and reputational risk very seriously, the scale of those businesses and the sectors they’re in often determine the measure of risk and, perhaps, also the level of regulatory interest.
For example, if we’re talking about major oil companies, it’s likely those companies are going to be looked at not only by regulators but also by the international community, non-governmental organizations, the media and, indeed, by the host governments on whose patch those companies are operating.
If we are discussing major oil companies, it’s likely there will be a mature system in place but one which possibly is hampered by the size of the company, too. Some of the leaders involved in managing risk and reputation struggle to have their voices heard in a crowd of senior players. Thus, it’s important that there is alignment between the business at the most senior level and those parts of the organization that advise on the entire company’s reputation or compliance issues.
Always, it starts with tone at the top.
At the other end of the spectrum, small companies moving into this environment need to be able to let the regulators and the international community know that they take the compliance issue very seriously. They need to be able to state from day one, perhaps in a mission statement, that they’re taking a zero-tolerance approach to bribery and corruption and that they’re going to be transparent, perhaps publishing what they pay out in those environments where the connection between revenue flow and the perception of corruption is something with which we’re all familiar.
So you put it up there in lights. But be sure that if someone asks what zero-tolerance actually means, you’re able to say more than, “Well, it means we have a zero-tolerance approach.” You must be able to show you’re looking at the issues, you’re thinking about the risks, and you’re asking the right questions and holding people accountable for the way monies are paid out.
Thus, messaging from the top is critical: Openness and transparency. A good connection between the advisors inside the company and the board decision makers. Good relationships among internal advisors, general counsel and external advisors. Research that leads to finding the right type of help to ensure that when somebody asks a question, the answer, “Well, we didn’t know what to do. We thought we knew the answer. But we did try,” isn’t good enough because there’s a whole range of firms available to help.
Erica Salmon Byrne: One of the things we’ve heard a lot about is matching the compliance program to risk profile. Obviously, if you’re going to do that, you’ll have to educate the regulators as to what your risks look like.
John Dye: For a company like Western Union, which is voraciously entrepreneurial, it’s very challenging to operate in the financial services zero-tolerance environment. One thing we have done — and I think it’s very successful, particularly overseas — is to engage in a regulatory outreach program.
We operate in 200 countries, and, of course, we can’t go to each one. We identify key nations — there probably are a dozen of them — where we visit regulators on a regular basis. In fact, tomorrow I will visit with the Central Bank of Ireland, our primary regulator in the European Union, to make sure everyone understands our business.
I was in Europe with a regulator who said, “I’m assuming that every transfer in excess of $1,000 is fraudulent.” Well, it’s a failure on my part for not educating him to the fact that, for example, 30 percent of our payments are used for education disbursements to people abroad; 20 percent or so are made for medical expenses. For example, if you need to have surgery in India, you have to take cash to the hospital.
The one thing I point out to regulators is that success for them and success for us should be identical. I think when you do that, it’s incredibly disarming. I want to be compliant. I want to create a regulatory environment where we can operate safely and protect the system. That success should look exactly the same as the success regulators are seeking.
Richard Smith: I agree. With the globalization of prosecutorial resources and with the U.S. Department of Justice and the Securities and Exchange Commission [SEC] exporting their prosecutorial approach globally, multinationals must have a robust compliance program as the first line of defense. That’s a lot cheaper than having someone like me on the back end cleaning up a problem.
You want a compliance program that’s easy for employees to follow, a program upon which all employees have been trained. You want to have the ability to document that training. You want a program that allows you to audit your risk factors.
It’s not one size fits all. Getting a program off the bookshelf typically will get companies in trouble. You need a system tailored to your organization, to the risk factors in the countries where you’re doing business.
That becomes a great story to tell somebody at Justice or the SEC: “We trained our employees; we had the right warranties in our contracts; we had the correct companies in our agreements. It’s just that this bad actor here chose to ignore company policies and views.”
John Dye: Right. And I think one of the biggest challenges we face, again operating in 200 countries, is driving home the message that we’re a U.S.-based company, and everybody has to operate under U.S. principles and practices.
If I had a dollar for every time someone told me, “Well, this is the way it’s done in China,” I wouldn’t need my bonus. It’s the old shampoo instructions: wash, rinse and repeat. You do it over and over and over again. You document. You have a uniform curriculum. You get out and make sure that everybody in all those remote regions, where customs and practices may be different, follows U.S. standards.
Erica Salmon Byrne: We just said a good compliance program is a lot cheaper than the aftermath. But those of us who have tried to make an argument for more budget for a compliance program don’t always succeed. How does one do it?
John Dye: Well, a picture is worth a thousand words. I’ve been fortunate enough to have attended board meetings after virtually every major announcement of a large regulatory action last year — Wal-Mart, HSBC and JPMorgan Chase. When people see the repercussions in real life, it gets pretty easy to understand what the downside of not having a robust compliance program is.
Following up on what Philip said before — establishing tone at the top — I aim high. I start with the board. Once you get the hearts and minds of the board, management will follow. But you’re right: Dollars are hard to get because people don’t see an immediate return. It’s the old Midas commercial: “You can pay me now or pay me later.” But if you pay later, it will cost five or 10 times more.
Richard Smith: Exactly. And as someone who sits on the board of a publicly traded company, I can make sure there are appropriate resources available now so the compliance function/legal department can do the job right. Otherwise, I can pay a lot more later to perform the following: First, outside counsel would be hired to conduct an internal investigation. Next, an attempt to negotiate a resolution with the regulators would be made. After that, damage to the company’s reputation in the media would have to be dealt with along with the civil losses that tag along.
Philip Boulton: I work with a lot of general counsels who have the right access and status, and some who feel they don’t. Business decisions often are made when somebody senior says out of the blue to a general counsel, “This looks like a great opportunity, and I think we should go for it.” And then the company ends up reverse engineering a response to issues.
I think the challenge for the general counsels is to get a voice at the table and to make sure decision making is sequenced in the right way so a senior board member will say at the outset, “The board is thinking about doing X, but I’m putting it into your hands to evaluate properly and to address early enough to give people an opportunity to tell us whether there really are any problems before we go too far down this road.”
John Dye: It’s having a seat at the grownups’ table. If they bring you in at the end, you have one of two answers: yes or no. If it’s no, that does not increase your Q Score at the company. Then people generally tend to use legal advisors less. But if you get involved early in the process, you have the ability to shape the outcome.
Erica Salmon Byrne: How do you handle vetting third parties in a variety of jurisdictions?
Philip Boulton: Step #1 is using common sense. How did we hear about the situation? Did we learn about it from what we consider to be a reliable intermediary? Then consider those questions against the backdrop of what you see in a country that you may not understand very well or in a sector that is going to attract the interest of governments operating in a private way and, shall we say, enriching themselves.
That’s the point when a business looks outside to see what help it can get. There are firms with excellent research departments that can take a company far, but can they take the organization all the way?
I think you’re looking for somebody who is able to say, “Take that guy down there in Western Sahara whose business looks compliant in every way. Well, he’s a first cousin of the interior minister and was caught up in some scandal three or four years ago. That is going to come back to bite this individual and, of course, any business associated with him.”
So there’s open source material on the one hand, and then there’s this private, discreet information that can be extremely powerful but also has certain limitations.
Erica Salmon Byrne: One of the things companies are grappling with now is how to deal with legal conflicts across jurisdictions. For example, facilitation payments no longer are allowed under the new Brazilian Clean Companies Act.
Richard Smith: Well, I haven’t found a country anywhere in the world that lets you bribe anyone in the government, and a lot of nations have commercial bribery statutes as well. But you have to look at local standard practices.
A good example is Indonesia. I went with a client to conduct some interviews. We arrived at the hotel, and I said, “We’re here to do our interviews. Where’s the room?” And the hotel personnel said, “Well, someone else paid more money for the room so you don’t have it anymore.” So we had to pay more money to get the room back. We finished the interview and tried to leave the country. We went to the airport, and the ticket agent said, “Your tickets have been canceled.” I said, “Fine. Just sell us two more tickets, and we can leave.” He said, “Your credit card doesn’t work here.” I asked, “What does work here?” He said, “Cash.” I asked, “How much cash?” He said, “Five million rupiah,” which is $5,000. My client worriedly asked, “What are we going to do?” I said, “Where’s the nearest ATM machine?”
John Dye: You should have gone to Western Union!
Richard Smith: I ask my clients, “If it takes this just to get out of the country, what do you think companies are facing trying to bring in personnel, equipment and product?”
What we’re doing now is getting industry groups to band together and let folks know we’re not paying bribes. Once you start paying, you pay forever.
The problem is the U.S. government takes a broad view of what constitutes a foreign official in other jurisdictions. If the airports or the hospitals or the organizations are quasi-governmental, you run the risk that every time you do business in a country where the state has a lot of control over the private sector, it could be interpreted as making bribery payments.
Philip Boulton: There’s no magic wand, but there are certain things that can be done. One is a closer engagement with the government. If your business is important to the host country, you need to let the powers that be know it’s important that you’re given proper treatment upon arrival and departure and everywhere in between. Of course, this doesn’t preclude the possibility that some junior official might pop up and have a go at seeing what he can get away with, but setting the stage early on puts you on the right track.
Erica Salmon Byrne: Okay, so the regulators come knocking. Do you all agree that the earlier you talk with board members and the more you discuss with them, the better off you are?
Richard Smith: The last thing a board wants is to be surprised. I sit on the audit committee, and our compliance officers understand that we’d rather hear about a potential problem and learn what the plan is to deal with it before they run off and do something that might get us into the press.
Then we ask if this is an event that requires disclosure. If we’re going to have to make a disclosure, what is our process to manage the media fallout and possible drop in stock price? If it’s a real bad problem, is it going to provoke shareholder litigation? You want to make sure the company has thought through the situation. Then you have to ask yourself if this event is one we should let management handle internally or will we have more credibility with the regulators if an outside law firm is brought in.
Erica Salmon Byrne: Philip, let’s say the investigation is in Indonesia. Can you run the right kind of internal investigation from corporate headquarters or do you have to be in-country?
Philip Boulton: It has to be a mixture. We look at information as it comes in to wherever we’re based, but we use people on the ground to gather the data.
It may be that this is a whistleblower situation so you need someone from within the company to look at the data. But you also probably will need people on the outside checking the information and putting it into context. That’s really our role: to ensure that we have a whole array of people who can help. Some might be members of our own company who can go in officially. Others could be based in various countries and can access data you can’t find sitting in London or New York. The Internet runs cold after a while.
Others will be higher level, more discreet contacts who are able to explain to you what this information really means. You absolutely have to have the networks in place, and not every organization can supply networks to the same depth and level of capability everywhere. No company can claim to do that. Each has strengths in certain places and weaknesses elsewhere.
Richard Smith: You also have to be concerned about privacy issues when you’re investigating. Can you just go in and gather this evidence or do you have to get the employees’ consent? In a lot of countries, if you don’t do it correctly, you could be exposing the company and the people collecting the evidence to criminal offenses. What disclosure issues are involved? What are the people’s rights under the employment laws? And do you have the right language in your employment contracts to allow you to seize someone’s laptop or BlackBerry to look for data?
Erica Salmon Byrne: That’s a really good example of the ways in which the risk profile for so many organizations is changing on a regular basis. Thank you all.