The Justice Department and the Securities and Exchange Commission released their “Resource Guide to the Foreign Corrupt Practices Act” more than six months ago, and compliance executives have been poring over its 120-plus pages of case studies and “what not to do” advice ever since.

Nowhere in the guide, however, will you find the words “software” or “analytics.”

Still, practical solutions for today's data-centric, globally extended enterprise are what companies need if they are expected to oversee thousands of third parties (or more) and tens of thousands of employees (or more) around the world. So where to begin?

“I would start by asking, ‘What's the state of your compliance program?' Do you have a written policy and procedure?” says Tom Fox, an independent FCPA compliance consultant and lawyer who maintains the FCPA Compliance and Ethics Blog. “If so, then there are four components that can assist you.”

Fox describes four general categories, beginning with process solutions that are the overall control system for any FCPA compliance program. These are typically suites of solutions such as those from ACL or The Network. Others are point solutions for specific functions, including transaction monitoring, third-party continuous monitoring, and e-mail and communications relationship monitoring.

Process solutions set the tone for FCPA compliance, reminding employees continuously that checks are in place. Among the process solutions is The Network's FCPA offering, which integrates its GRC suite with policy management, training, and awareness materials. The Network's policy management functionality acts as a central repository for employees to find and attest to policies—acting as a sort of Google Docs for FCPA policies, which captures signatures and approvals and manages group interactions. GRC suites also include functions such as reporting, incident management, and workflows for managing investigations from allegation through resolution.

GRC suites are where internal controls typically reside. A company can decide, for example, that the compliance department or another oversight group must approve every gift exceeding $400 or entertainment expense more than $150, and use the GRC suite for submissions and approvals.

NAVEX Global is another suite of solutions and services including case management, policy management, online training, and third-party whistleblower hotlines. Third-party hotlines offer a comfort level to employees who may be reluctant to “raise hell” with managers within the organization. They also provide resources and functionality that most companies would be hard pressed to assemble on their own: NAVEX, for example, offers interpretation and translation in 125 languages, and around-the-clock monitoring.

The purpose of process solutions is not just to enforce FCPA compliance policies, but to automate and simplify them. “I think 99.9 percent of the time, someone doesn't know the right process to follow,” says Jeffrey Spalding, assistant general counsel at Halliburton. “It's not ill intent—although that does happen and those are the people we need to get rid of—but most of the time it's letting employees know our practices and giving them tools to follow them.”

Halliburton is rolling out an automated gift and entertainment control function that requires employees to fill out request forms that route through the company's compliance group for approval or denial. Halliburton's policy is that all gifts to non-U.S. government officials require approval by its compliance department (and, as the value rises, by regional management, general counsel, and ultimately by the CEO). Similar procedures exist for bringing non-U.S. government delegations to Halliburton facilities.

“The mantra I preach is, you can have as many policies as you want and automated procedures, but if the employee doesn't know about them, they are pretty worthless,” Spalding says.


All that said, such systems are worth little if they don't help the company win credit with regulators when a violation does occur. Proving that employees should have been aware of the company's anti-bribery program can mean the difference between a painful FCPA prosecution and a slap on the wrist or less.

Documentation, for example, spared Morgan Stanley from a hefty fine in 2012 when a former managing director, Peterson, pleaded guilty to conspiring to evade Morgan Stanley's internal accounting controls for FCPA compliance. The company proved that it had trained the manager on FCPA seven times from 2002 to 2008, issued him more than 35 reminders about compliance, and required him annually to certify compliance with the company's code of conduct. The robust, tech-laden systems in place at Morgan Stanley helped the company reconstruct a digital trail of its compliance efforts with Peterson.

These Needles Find You

Proving that an employee was trained on anti-bribery policies after the fact is nice; actually finding the behavior and stopping it in its tracks is better. That is where transaction monitoring systems, offering visibility into financial and operational transactions, can enter the picture. They use Big Data analytics to flag items that need attention: say, gifts exceeding $150, uncategorized expenses, or unusual spending patterns in a business unit. With the right parameters, cross-checks, and red flags, instead of finding the proverbial needle in a haystack, the needle finds you.
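The three kinds of red flag listed above (a gift over a fixed limit, an uncategorized expense, and an unusual spending pattern within a business unit) can be expressed as simple rules over expense records. The following is an added example, not code from the article or from any vendor's platform; the record fields, the unit names and the statistical cutoff are assumptions for the example, and the $150 gift threshold is the figure quoted above. The outlier check deliberately uses a median/MAD robust score rather than mean and standard deviation, because a single very large payment inflates the standard deviation enough to hide itself.

```python
"""Rule-based transaction monitoring of the kind described above.

Added example, not code from the article or from any vendor's product.  It
runs three checks over constructed expense records: gifts over a limit,
uncategorized lines, and per-employee spend that is a statistical outlier
within its business unit.  Field names are assumptions for this example.
"""
from collections import defaultdict
from statistics import median

# Constructed sample data: one row per submitted expense line.
EXPENSES = [
    {"id": 1, "unit": "EMEA-Sales", "employee": "a.ng",    "category": "gift",          "amount": 90.00},
    {"id": 2, "unit": "EMEA-Sales", "employee": "a.ng",    "category": "gift",          "amount": 420.00},
    {"id": 3, "unit": "EMEA-Sales", "employee": "b.kim",   "category": "",              "amount": 310.00},
    {"id": 4, "unit": "EMEA-Sales", "employee": "c.ortiz", "category": "travel",        "amount": 220.00},
    {"id": 5, "unit": "EMEA-Sales", "employee": "d.reyes", "category": "travel",        "amount": 240.00},
    {"id": 6, "unit": "EMEA-Sales", "employee": "e.wu",    "category": "consulting",    "amount": 9800.00},
    {"id": 7, "unit": "APAC-Ops",   "employee": "f.sato",  "category": "gift",          "amount": 150.00},
    {"id": 8, "unit": "APAC-Ops",   "employee": "g.lee",   "category": "entertainment", "amount": 130.00},
]

GIFT_LIMIT = 150.00   # threshold quoted in the article; anything strictly above it is flagged
MAD_Z_LIMIT = 3.5     # assumed cutoff for the robust z-score (Iglewicz-Hoaglin convention)
MIN_PEERS = 3         # assumed: fewer employees than this gives no usable baseline


def check_gift_limit(rows, limit=GIFT_LIMIT):
    """Gifts strictly above the limit.  A gift of exactly the limit is not flagged."""
    return [(r["id"], "gift over limit") for r in rows
            if r["category"] == "gift" and r["amount"] > limit]


def check_uncategorized(rows):
    """Lines with a blank category: policy cannot be applied to spend nobody has classified."""
    return [(r["id"], "uncategorized expense") for r in rows if not r["category"].strip()]


def check_unusual_spend(rows, z_limit=MAD_Z_LIMIT, min_peers=MIN_PEERS):
    """Per-employee totals that are outliers within their business unit.

    Uses a median/MAD robust z-score rather than mean/stdev: one very large
    payment would otherwise inflate the standard deviation enough to hide itself.
    """
    totals = defaultdict(lambda: defaultdict(float))
    for r in rows:
        totals[r["unit"]][r["employee"]] += r["amount"]
    flags = []
    for unit, per_emp in totals.items():
        if len(per_emp) < min_peers:
            continue  # too few peers to establish what "normal" looks like
        vals = list(per_emp.values())
        med = median(vals)
        mad = median(abs(v - med) for v in vals)
        if mad == 0:
            continue  # all peers spend alike; no spread to compare against
        for emp, total in per_emp.items():
            z = 0.6745 * (total - med) / mad
            if z > z_limit:
                flags.append((emp, unit, round(z, 1)))
    return flags


def run_all(rows):
    """Collect every red flag so a reviewer sees the needle, not the haystack."""
    return {
        "gift_over_limit": check_gift_limit(rows),
        "uncategorized": check_uncategorized(rows),
        "unusual_spend": check_unusual_spend(rows),
    }


if __name__ == "__main__":
    for rule, hits in run_all(EXPENSES).items():
        print(rule, hits)
```

On the constructed data the gift rule flags only the $420 gift (the $150 gift sits exactly on the limit and passes), the category rule flags the blank line, and the outlier rule flags the one employee whose total dwarfs the rest of the unit while leaving the two-person unit alone for lack of a baseline.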

FCPA BECOMES SOP

It happened quietly, but 2012 was the year that FCPA compliance became standard operating procedure (SOP) for companies worldwide. And it happened before the SEC/Justice Department released their guidelines in November.

In 2012, the Kroll Advisory Services Global Fraud Survey found that the share of senior executives who claimed to have conducted a thorough assessment of the risks arising from the U.S. FCPA or the U.K. Bribery Act doubled, to more than half (from 26 percent in 2011 to 52 percent).

More than half of those companies in 2012 had trained their senior managers, vendors and foreign employees in compliance as well (55 percent versus 29 percent in 2011).

Exactly half claimed that when entering a joint venture, making an acquisition or providing financing, their due diligence includes a review of FCPA/U.K. Bribery Act risks, up from 26 percent in 2012.

We are still three months away from reading Kroll's Global Fraud Survey 2013. Our prediction: another spike that closes the gap by another half, such that compliance efforts are commonplace at three quarters of respondent companies.

The Annual Global Fraud Survey was commissioned by Kroll Advisory Solutions and executed by the Economist Intelligence Unit, which polled 839 senior executives worldwide, and from a broad array of industries and functions. Some 53 percent of respondents were C-level, and 52 percent from companies with annual revenues over $500 million.

—Dann Maurno

Source: Kroll.

Among the market leaders is Oversight Systems with its Continuous Transaction Analysis platform, which in turn integrates with major enterprise platforms like SAP and Oracle. Both SAP and Oracle offer transaction monitoring capabilities of their own, but they do not integrate with one another—and most multinational companies will have more than one financial reporting system, as will companies after a merger or acquisition. That gives smaller vendors like Oversight their business opportunity.

Third-party monitoring and vendor screening services help companies check their vendors and partners against, for example, databases of non-U.S. government officials and Transparency International's Corruption Perception Index. World Compliance maintains the NEO service, which daily checks a client's vendor network against the Global Foreign Official List, a database of state-owned companies, foreign officials, known family members of political figures, and companies owned by politicians. NEO acts as a clearinghouse, on which vendors and partners worldwide register for continuous evaluation as the database is maintained. Kroll Advisory and other firms perform similar services as well.

Companies such as Catelas offer e-mail and communications relationship monitoring. Catelas offers what it calls “relationship forensics” to discover automatically who talks to whom, when they connect, and how well they know one another. Global business advisory firm FTI Consulting offers its proprietary Ringtail e-discovery software, designed to simplify e-discovery by looking for “concepts” in documents and correspondence, then putting concepts into visually easy clusters.

As Fox describes, “You may be looking for an employee who sends 10 e-mails to a Gmail account, each with an attachment, and that can be a red flag. Or maybe it's a sales person sending e-mails to someone in the supply chain, when there's no reason for sales to be e-mailing the supply chain. That's relationship monitoring.”
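Both of Fox's red flags can be checked from mail-gateway metadata alone, without reading message bodies. The following is an added example, not code from the article, Catelas or FTI Consulting; the log format, the webmail domain list, the directory mapping mailboxes to business functions, and the table of function pairs expected to correspond are all assumptions for the example. Sales and supply chain are deliberately left out of that table, as in Fox's description.

```python
"""E-mail relationship monitoring over constructed mail-gateway metadata.

Added example, not code from the article, Catelas or FTI.  It applies the two
red flags described above to a log of message headers only (no bodies):
repeated attachment-bearing mail from one employee to a single consumer-webmail
address, and traffic between functions with no business reason to correspond.
The domain list, the directory and the expected-contact table are assumptions.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed log: one line per outbound message, headers only.
MAIL_LOG = """\
ts,sender,recipient,has_attachment
2013-05-01T09:12,a.ng@corp.example,p.rao@corp.example,1
2013-05-01T09:30,a.ng@corp.example,personal.ng@gmail.com,1
2013-05-02T09:31,a.ng@corp.example,personal.ng@gmail.com,1
2013-05-03T09:33,a.ng@corp.example,personal.ng@gmail.com,1
2013-05-04T09:35,a.ng@corp.example,personal.ng@gmail.com,1
2013-05-05T09:40,a.ng@corp.example,personal.ng@gmail.com,1
2013-05-06T09:41,a.ng@corp.example,personal.ng@gmail.com,1
2013-05-07T09:44,a.ng@corp.example,personal.ng@gmail.com,1
2013-05-08T09:45,a.ng@corp.example,personal.ng@gmail.com,1
2013-05-09T09:50,a.ng@corp.example,personal.ng@gmail.com,1
2013-05-10T09:52,a.ng@corp.example,personal.ng@gmail.com,1
2013-05-10T10:05,a.ng@corp.example,personal.ng@gmail.com,0
2013-05-10T11:00,b.kim@corp.example,kim.home@yahoo.com,1
2013-05-11T08:00,a.ng@corp.example,p.rao@corp.example,0
2013-05-11T08:10,b.kim@corp.example,h.ali@corp.example,1
2013-05-11T08:20,p.rao@corp.example,h.ali@corp.example,1
"""

# Assumed HR directory: mailbox -> business function.
DIRECTORY = {
    "a.ng@corp.example": "sales",
    "b.kim@corp.example": "sales",
    "p.rao@corp.example": "supply-chain",
    "h.ali@corp.example": "finance",
}
# Assumed: function pairs with a legitimate reason to correspond.
# Sales <-> supply-chain is deliberately absent, as in Fox's example.
EXPECTED_CONTACT = {
    ("sales", "finance"), ("finance", "sales"),
    ("supply-chain", "finance"), ("finance", "supply-chain"),
}
# Assumed list of consumer webmail domains.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def parse_log(text):
    """Parse the CSV header log into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def webmail_attachment_flags(rows, threshold=10):
    """Sender/recipient pairs with at least `threshold` attachment-bearing
    messages to a consumer-webmail address.  Attachment-less mail is ignored."""
    counts = Counter()
    for r in rows:
        domain = r["recipient"].rsplit("@", 1)[-1].lower()
        if r["has_attachment"] == "1" and domain in WEBMAIL_DOMAINS:
            counts[(r["sender"], r["recipient"])] += 1
    return sorted((s, t, n) for (s, t), n in counts.items() if n >= threshold)


def cross_function_flags(rows, directory=DIRECTORY, expected=EXPECTED_CONTACT):
    """Internal pairs whose functions are not expected to correspond, with counts."""
    counts = Counter()
    for r in rows:
        f_from, f_to = directory.get(r["sender"]), directory.get(r["recipient"])
        if f_from and f_to and f_from != f_to and (f_from, f_to) not in expected:
            counts[(r["sender"], r["recipient"], f_from, f_to)] += 1
    return sorted(counts.items())


if __name__ == "__main__":
    rows = parse_log(MAIL_LOG)
    print("webmail attachments:", webmail_attachment_flags(rows))
    print("unexpected contact:", cross_function_flags(rows))
```

Both checks produce a short list of named pairs rather than raw message volume, which is the form an investigator can actually act on; the threshold and the expected-contact table are the parameters a compliance team would tune to its own organization.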

Computer Forensics

Still another set of tools includes Forensic Toolkit and EnCase, which combat destruction of evidence by taking a “snapshot” of a given computer in a forensically sound manner. These tools create a bit-by-bit image of a hard drive that captures more than the visible documents, so an investigator can determine whether the user has deleted items, attached a thumb drive, or reinstalled the operating system.

“The key is, who's operating the tools?” asks Martin Weinstein, a partner at law firm Willkie Farr & Gallagher, and co-author of The Foreign Corrupt Practices Act: Compliance, Investigations, and Enforcement. “You need in FCPA compliance, more than many other areas, extremely experienced people who have seen a lot of different patterns, and who know what to pick up on and what not to. A Harvard degree is no substitute for having the experience to discern between the two. It's an art more than a science.”