|In February 2017, the U.S. Department of Justice (DOJ) Fraud Section published its latest guidance on corporate compliance programs with the release of the very useful document titled “Evaluation of Corporate Compliance Programs.”
While many legal and compliance scholars have rightly stated that this latest publication isn’t anything radically different than prior authoritative guidance issued by the DOJ and other organizations, what jumps out is the reframing of the well-worn expression, “tone at the top,” with the potentially more insightful, and arguably much scarier, “conduct at the top.” In a just-released Flash Report, we put forth questions and insights that illustrate the degree to which the DOJ is examining senior management and the board of directors while evaluating a corporate compliance program.
In a digital world, the time for internal audit functions to embrace analytics is now. This is the most significant takeaway from Protiviti’s 2017 Internal Audit Capabilities and Needs Survey, released today. The results show that chief audit executives and internal audit professionals increasingly are leveraging analytics in the audit process, as well as for a host of continuous auditing and monitoring activities.
Learn more by watching our video below. For more information and our full report, visit www.protiviti.com/IASurvey.
In my post yesterday, I suggested penalizing companies that pay bribes where it hurts them the most: in falling stock price and market share — not just civil fines and penalties. But ultimately, it is the internal controls and anti-corruption culture that companies set in place that serve as the most effective deterrent.
While anti-corruption and its correlation with business ethics command a great deal of attention, bribery of foreign public officials and employees of state-owned companies remains an enormous challenge for companies seeking to operate ethically and within the rule of law of each country in which they do business.
In December 2014, the OECD published the Foreign Bribery Report, an analysis of the crime of bribery of foreign public officials. For those unfamiliar with the report, it is a study of 427 prosecutions of bribery offenses that have been brought in countries that are signatories to the OECD Anti-Bribery Convention, enacted in 1999. The report is a very comprehensive analysis of cases involving bribery of foreign officials, and it debunks some widely held beliefs about bribery and corruption. We covered the findings of the report in detail in a blog post back in 2014 – these findings are as relevant as ever, and I highly recommend a read.
Unfortunately, the current state of companies’ abilities to deter, detect, investigate and report fraud and corruption remains discouragingly anemic. Despite the many legal and economic incentives for companies to maintain robust anti-fraud and anti-corruption programs, most companies do not dedicate sufficient resources to adequately manage the risks of their employees and business partners paying bribes to gain unfair business advantages. This was recently confirmed in Protiviti’s 2016 White Collar Crime and Fraud Risk Survey.
For example, despite the fact that the OECD Foreign Bribery Report cited that 75 percent of the foreign bribery cases that they studied involved bribes that were paid by third-party business partners, Protiviti’s survey revealed that only 6 percent of respondents reported a high degree of confidence in their organization’s vendor fraud and corruption risk oversight. More than 35 percent of those surveyed stated that they did not perform any form of due diligence on the third parties acting on their behalf. And an equal number of respondents (35 percent) stated that they were not aware of any efforts to identify foreign government agencies, state-owned companies and public international organizations amongst their customer base.
Our findings also suggested that most companies do not perform sufficient due diligence on the corruption risk and anti-corruption practices of their acquisition targets, which often leads to the unwitting “purchase” of ongoing corruption and bribery schemes that continue, sometimes for many years, after the deal has been closed. Hiring practices is another area that has come into focus due to recent corruption enforcement actions. Here again, our survey revealed that only 34 percent of respondents could say that their organizations attempt to determine whether job candidates are family members or associates of government officials in a position to influence the award of contracts.
In order for anti-corruption efforts to be truly effective and to reduce the human suffering corruption causes, compliance professionals have to do not “just this” or “just that,” but everything: Correct misconceptions about the sources of corruption risk in order to direct resources where they would be most effective; understand where their organizations are most vulnerable in order to apply strong internal controls to these areas; and question the cultural acceptance of kleptocracy and bribery as a way of life. Until there is a highly publicized linkage between the companies that pay bribes, the corrupt regimes that favor bribe payers and the human toll that corruption and kleptocracy take in those countries, anti-corruption efforts will continue to be less than effective.
Tomorrow, December 9, is International Anti-Corruption Day, a United Nations’ observance celebrated not with cake, but with a public awareness campaign to stop crooked officials from carving off a slice of the global relief pie.
There is a common misperception that bribery is a “victimless crime.” That’s simply not true. The news is filled with buildings that collapse that should not have, killing thousands due to use of substandard building materials, inaction on the part of corrupt building inspectors and morally bankrupt construction companies. There is corruption in pharmaceutical drugs, food safety, product safety, environmental pollution. Wherever there is lax government oversight of products and other commercial activity and corruption on the part of government inspectors and the companies responsible for the unsafe products, there is the very real possibility of tragedy.
While there are no direct corruption-related death toll statistics, credible research shows that 83 percent of all deaths from building collapses in earthquakes in the last three decades occurred in countries with high corruption.
UNICEF lists Angola as the number-one country in the world where children die before the age of five — one out of every six. Angola is also considered among the most corrupt countries in the world, ranking 161st out of 174 countries and territories rated by Transparency International’s Corruption Perceptions Index and scoring just 19 out of a possible 100, with 100 being the least corrupt.
Angola is rich with natural resources, including oil and diamonds. Its ruler, President Dos Santos, has ruled for 35 years, and his daughter’s wealth is estimated at $3 billion. Her wealth is widely believed to have been accumulated through the President’s having strong-armed companies that want to do business in Angola into payments to his family through his control over the country’s oil, banking, cement, diamonds and telecom industries. The country with the worst child mortality rate spends three times as much money on its military as it does on public health. There is insufficient food, lack of access to clean water, shortage of medicine or medical treatment, but the political elite, the small group of families who are allied with Dos Santos, accumulate more and more wealth.
Whether it’s buildings that collapse during earthquakes in Haiti, Turkey or Nepal, or relief supplies for natural disasters stolen in full view of the police and the military charged with ensuring they are delivered to the victims, the fact that one out of nine people in the world is starving and many millions of people don’t have access to clean water and lifesaving medical care means one thing: corruption kills.
What do these tragedies have to do with us? Given that the wealth of corrupt public officials is derived from companies seeking to curry favor, companies have an obligation to do careful due diligence to make sure they don’t contribute to the cycle of corruption. Acquisition due diligence, strong anti-corruption compliance programs and hiring practices, continuous oversight of how money in foreign markets is spent, and a tone at the top that promotes ethics and integrity throughout the organization are key.
From a consumer standpoint, much can be done also. We are increasingly seeing boycotts of companies that are revealed to use child or slave labor, or that have irresponsible environmental practices. If similar “consumer penalties,” in addition to fines and criminal penalties, are applied to companies that actively practice or simply turn a blind eye to corruption, and if these companies begin to lose market share and shareholder value as a result, maybe we’ll see the cultural change we as corruption investigators are advocating for, and the refrain “that’s the way business is done here” will become a relic of the past.
International Anti-Corruption Day is this Friday, December 9.
At last week’s ACI FCPA Conference, Paul Abbate, Assistant Director in charge of the FBI’s Washington, DC field office, delivered a keynote address describing the mission of the FBI’s International Corruption Squads. Their mission includes the investigation of international corruption in violation of the Foreign Corrupt Practices Act (FCPA); acts of kleptocracy, in which heads of state steal large sums of money from their country; and money laundering, in which financial transactions are undertaken either in the furtherance of criminal activity – such as the payment of bribes – or to conceal the true origins of money obtained illegally. There is an elegance to the FBI’s international corruption squads’ mission, in that corruption, kleptocracy and money laundering intersect frequently, and the tracing of illicit money will often be the key to proving bribery and kleptocracy cases.
Before we get into how bribery, corruption and money laundering are interrelated, it helps to clarify what each of those terms means.
- Bribery is the offering or giving of something of value in order to induce the recipient to abuse his or her position in some way for the benefit of the bribe payer or the person or entity on whose behalf the bribe is being offered or paid.
- Corruption is the abuse of one’s official position for personal gain. Most often, corruption is the act of receiving a bribe.
- Kleptocracy is corruption on the grandest scale possible. It is when a head of state or someone acting on that person’s behalf steals large sums of money from their country’s treasury for their own personal gain.
- Money laundering is undertaking financial transactions with either the proceeds of unlawful activity or in an effort to conceal the origins of ill-gotten money. There are three stages of money laundering: placement, layering and integration. Placement is the introduction of money earned through criminal activity into the financial system. Layering, typically, is a series of transactions undertaken solely for the purpose of obscuring the origins of the illicit money. Integration is the point at which the layering has had the effect of making the illicit money seem as if it was obtained through legitimate means.
Of the four crimes above, the one that is discussed and enforced most often, through FCPA action, is bribery. We have discussed it here, here, and here. However, the FCPA only criminalizes the supply side of bribery, i.e., when companies offer or pay bribes to foreign officials in exchange for an unfair business advantage. What’s interesting is that in recent months the FBI has begun to give voice to the less-understood “demand” side of bribery – corruption and kleptocracy – an aspect that has traditionally been left to the home countries from where corrupt officials operate.
Specifically, the FBI and the Department of Justice’s (DOJ) Asset Forfeiture and Money Laundering Section have been focusing on kleptocracy through the Kleptocracy Asset Recovery Initiative. Most notably, in July of this year (2016), the DOJ initiated the largest ever kleptocracy-related asset forfeiture action, in which allegations of the looting of billions of dollars from Malaysia’s sovereign wealth fund led to the seizing of $1 billion of assets in the U.S., the UK and Switzerland. The seized assets included luxury hotels in New York City and Beverly Hills, penthouse apartments, a private jet, and an ownership interest in the production company that produced the movie “The Wolf of Wall Street.”
The 1MDB kleptocracy civil asset forfeiture action was brought under the civil money-laundering statute in that the assets were involved in or represented the proceeds of money misappropriated from Malaysia’s sovereign wealth fund. While this is the largest civil forfeiture action to date brought under the Kleptocracy Asset Recovery Initiative, the nexus between corruption, kleptocracy and money laundering is nothing new. In fact, the whole concept of “politically exposed persons,” or PEPs, and their designation as high-risk banking customers, came about as a result of multiple scandals in which heads of state looted their government treasuries and then laundered the money through the traditional banking system. Ferdinand Marcos, Baby Doc Duvalier, Raul Salinas, Suharto, Manuel Noriega, Saddam Hussein – the list seems endless. These corrupt leaders, who famously looted the treasuries of their countries, also set the tone for corruption across their governments. In many instances, their corruption doesn’t just set the tone, but is sanctioned by them, and the bulk of the proceeds of the corrupt payments received benefit the corrupt presidents and their families.
Perhaps no case better illustrates the government’s rationale behind combining its FCPA investigative efforts with the DOJ’s ongoing anti-kleptocracy initiative than the VimpelCom case. In February this year, Dutch telecom company VimpelCom settled a DOJ and SEC investigation by agreeing to pay a combined $795 million to U.S. and Dutch authorities in connection with $114 million in bribes paid to a relative of an Uzbek government official in order for the company to enter and remain in the Uzbek telecommunications market. While the government official in this case is unnamed, the money is traced to Uzbek president Islam Karimov’s eldest daughter, Gulnara Karimova. Karimova, who at the time held control over the country’s telecom assets and the issuance of mobile phone system operating licenses, has been under house arrest for the past two years in connection with corruption allegations that she pocketed more than a $1 billion in bribe payments, including shares in the telecom companies she licensed. In addition to securing the guilty plea and deferred prosecution agreement with VimpelCom and its Uzbek subsidiary, the DOJ has filed civil actions against multiple offshore bank accounts that are alleged to belong to the unnamed Uzbek official and hold a total of $850 million. This was the largest civil forfeiture action in the history of the DOJ’s kleptocracy initiative before the 1MDB suit was filed in July.
The recent integrated approach by the FBI to FCPA, kleptocracy and money-laundering enforcement should be viewed as more than a source of shocking stories about fabulous riches obtained by power-hungry autocratic rulers in far-away countries. It should serve as an important reminder to compliance professionals and corporate executives that greed is a byproduct of human nature, enabled by the right conditions of opportunity, lack of ethics and lack of oversight. Compliance, therefore, should be more than a list of “must do” checkboxes – it should be about the moral obligation of the organization, and each individual within it, to operate ethically and to consider any unethical action holistically, from all sides and all possible consequences, in order to prevent, deter and set a tone against corruption and not contribute to the human suffering that corruption and kleptocracy cause.
As part of our ongoing internal investigations series and in conjunction with Fraud Awareness Week, Protiviti, in partnership with Morrison & Foerster and Robert Half Legal, presented a webinar last week on the strategic use of email in internal investigations, discussing ways companies can undertake email investigations without letting costs get out of hand. My colleagues Robert Hennigan and Marshall Matus recapped the highlights, but I want to share here a few of the questions addressed during the live Q&A session, which I facilitated.
Q: What are the points to consider before accessing email data — including legal rights to open email accounts, legal responsibilities to notify users, and how to avoid alerting users that someone is accessing their email?
Robert Hennigan, Protiviti: Any time you have a question specifically about legal issues, we recommend consulting with counsel to help you make those determinations prior to initiating an email investigation. Generally speaking, there is no reasonable expectation of privacy in the United States for work email — and that extends to personal devices if they are being used to send and receive business email. There is no obligation to notify users of a pending examination of email on a company exchange, although some types of information are protected under HIPAA and laws governing the cross-border transfer of personally identifiable information. Employees are not obligated to divulge passwords for personal devices, but case law has established that biometric account security is not protected.
Q: What should you do to ensure you’re following rules of evidence and maintaining a chain of custody?
James M. Koukios, Morrison & Foerster: Companies wouldn’t invest time and resources in an email investigation unless they have a reason to believe that the investigation will yield important evidence. It is therefore important to ensure that the investigation is conducted in a way that ensures the findings will be admissible in court. Specifically, it is important to freeze the account to prevent alteration or deletion of emails. This may involve taking physical custody of a laptop, device or workstation. Searches must be planned and conducted in a way that ensures the resulting analysis will present a thorough and accurate picture. By the end of the investigation, the party presenting the evidence should be able to demonstrate that the evidence is complete, authentic, and authored or received by the individual or individuals being investigated. The evidence should support what actually happened.
Q: How do you search for information embedded in PDFs and other non-searchable “picture” attachments? Is there technology available to extract text that might not otherwise show up in a standard keyword search?
Marshall Matus, Robert Half Legal: An important part of determining the scope of any email investigation is understanding the allegations, and determining how information was communicated. It is not uncommon for perpetrators to try to bypass traditional keyword search capabilities by scanning documents into PDFs or image files. In such cases, optical character recognition (OCR) software can help extract text from such files.
Q: What if someone in the IT organization is the subject of the allegation?
Marshall Matus: That is a tricky one. That said, the proper response, with few exceptions, is to go up. Most organizations of any size have a chief information officer, or chief information security officer, who can be enlisted to help. If the subject of the investigation is the CISO, CIO or CTO, investigators can reach out to the CFO, General Counsel or CEO for assistance.
Because email investigations can be resource-intensive and costly, it is important for companies to do their homework before they initiate the investigation, to make sure the work will yield maximum results and be accepted into evidence in court. Our audience was interested in many more details of an email investigation, and we cannot cover all of them here — but I do invite you to listen to the archived webinar (the Q&A session is at the end of the recording).
and Marshall Matus, Engagement Manager
Robert Half Legal
When we first started talking about putting together a webinar on the role of email in internal investigations, none of us anticipated the global impact a single email investigation could have. As it turned out, our well-attended November 15 webinar couldn’t have been more timely.
We presented the webinar during International Fraud Awareness Week together with Scott Moritz, the global leader of Protiviti Forensic, and James Koukios, a partner in Morrison & Foerster’s White Collar and Anti-Corruption practice group.
Our goal was to demystify the process of email investigations. In addition to addressing some of the popular misconceptions that might cause organizations to avoid undertaking a forensic email investigation, we wanted to offer some clear and simple strategies for managing the process, based on our years of experience, both as consulting professionals and as special agents of the FBI.
We thought the webinar was necessary because we’ve heard from a lot of people who believe, incorrectly, that:
- Due to high volume, email investigations are cost-prohibitive and overly time-consuming.
- Email investigations are a waste of time because no employee in their right mind would put anything incriminating in an email on a company server.
- Privacy laws give employees the right to refuse employer access to their individual work emails.
To be sure, the email universe is vast, with more than one hundred billion work-related emails sent and received each day around the globe. We’ve read that employees spend about 28 percent of their work week sending and receiving emails at a rate of 122 emails each day.
It’s easy to see how the prospect of an email investigation of, say, 15 or 20 individuals, spanning several years, could be daunting — not only because of the volume, but also because of the need to maintain the integrity of evidence, which involves following established procedures regarding the acquisition, preservation and processing of email evidence. Managing this process effectively involves striking a balance between sufficiency and overkill.
Planning an Investigation
As with most business controls and processes, the time and cost of an email investigation can be carefully managed through planning. In that regard, it is important to start with a clear understanding of what you are looking for. What is the complaint? How many people could potentially be involved? Over what time frame did the alleged activity take place? Where does that data reside? And who were the custodians of that data?
As for the misconception that employees wouldn’t leave anything incriminating on a company server, experience has shown that it happens all the time. Also, if an employee forwards work emails to a personal mobile phone or home computer, those devices are considered to be discoverable for investigative purposes. There is ample case law to establish that work emails are work product owned by the company. Most U.S.-based organizations have electronic communication policies making it clear that users have no expectation of privacy. There are a few notable exceptions that include communications covered by attorney/client confidentiality, but for the most part, electronic communication at work is fair game for investigators.
Nor do investigations have to be confrontational. Often, investigators can obtain all the evidence they need from system backups or the company email server, without having to notify employees.
Companies also have had great success leveraging email review platforms and other forensic technologies to search for keywords indicative of potential malfeasance. Newer versions of email platform tools have significant capabilities built in.
Each of our expert panelists emphasized the criticality of communication between the various players in an investigation — the review team, forensic accountants, and outside counsel — to ensure coordination, avoid redundancies and share knowledge. A good investigation will follow project management best practices, with phases of the project including data collection, data processing, data analysis and review.
There’s an art to this process that involves knowing how to select key words; when to go broad and when to go narrow; how to leverage techniques and theories from related fields, such as information retrieval; and how to use various forensic technologies. All of this was discussed in our webinar at length, and we encourage you to listen to it.
Finally, we had a number of interesting questions from the audience that followed the presentation and speakers. We will summarize some of these questions in an upcoming post. Subscribe to our blog to be sure not to miss it.