Former chief of the Foreign Corrupt Practices Act (FCPA) Unit at the Securities and Exchange Commission (SEC) Kara Brockmeyer will serve as the Day 1 keynote speaker at Compliance Week’s Third-Party Risk Management virtual conference on Sept. 17.
Brockmeyer, currently a partner at Debevoise & Plimpton, spoke with Compliance Week about the heightened risks third parties pose in a pandemic and other topics in the following Q&A in advance of the virtual conference:
Q. Has the pandemic changed the way companies need to monitor third parties? Are there different questions companies need to be asking?
A. I think the pandemic has clearly been a game changer for everyone. All of a sudden some of your third-party suppliers or distributors were either going out of business or just weren’t in a position where they could fill the pipeline because factories were closed. And so the first thing we saw early in the pandemic was a lot of companies trying to figure out what to do when you suddenly need to onboard a bunch of new third parties where you can’t run them through your normal due diligence process.
Secondly, what do you do to monitor your third parties when you can’t do the types of things that you would normally be able to do? For example, you can’t go to the office and talk to your employee, who is the relationship manager for a particular third party. You’re not going to go onsite at the third party and exercise audit rights. There’s a lot more risk associated with just operating in a pandemic where you have rolling lockdowns and people and goods can’t leave. How do you get things through customs? And with that comes a ratcheting up of the risk for there to be improper payments somewhere along the chain.
Q. Would you expect to see a rash of fraud and corruption charges in the wake of this pandemic? And what can companies do now to protect against that?
A. We’re going to continue to see a lot of plain old fraud cases like we did in the wake of, say, Hurricane Katrina. And, you know, [the Department of Justice] is putting people in jail. And for the SEC, a lot of times it’s basically 10b fraud actions against companies that typically make unsubstantiated claims about their ability to, for example, produce mass PPE (personal protective equipment), a vaccine for the virus, whatever. So those are definitely going to continue. And that’s actually keeping the SEC pretty busy looking at those.
From a company perspective, one of the things to be concerned about from a corruption standpoint is that this pandemic is unprecedented. Certainly in our lifetimes we’ve never seen anything like this. And so we know that a lot of companies that have operations in emerging markets that are getting hit by the virus are getting requests, for example, for charitable contributions, for donations of money, donations of goods, donations of food. For a lot of companies, it’s a little hard to navigate that because it doesn’t fit neatly in. You could have a well-planned corporate giving policy that has all these bells and whistles and internal controls about it. And these requests are sort of outside of that. And so I think it is making companies have to think creatively on their feet. How do I do the due diligence that I need to do in order to make sure that, for example, this charitable contribution is truly a charitable contribution and not a disguised way to gain favor with a government official because I want to get a contract for PPE?
Q. The pandemic has changed the way virtually everyone in compliance has done their jobs. Would you expect any of these changes to be permanent?
A. Yeah, I think so. First of all, a lot of us are realizing there are vast parts of our job that we would have thought you can’t do remotely that you actually can. Like you can interview people over Zoom. You can show people documents. You can do third-party due diligence interviews. You can do an internal investigation, talk to your employees. You can show them documents on the screen without being there. It’s not as good, but you can do it.
Another thing we are seeing is that being remote starts driving more data analytics. Because people aren’t in the office, you really need to move things online. Because you can’t, for example, have a process that involves an attorney signing paper copies and sending them around to the office, that doesn’t work anymore. So I think the pandemic is also driving those types of data innovations. And you’re having a lot of events coming together. The DOJ, in its most recent update to its corporate compliance guidance, doubled down on the issue of data analytics and ongoing monitoring. And those are the types of tools that I think in a pandemic world make things easier for compliance people.
Q. Would you expect any leeway from the government when it comes to enforcement actions for any fraud or corruption that might have happened during these unprecedented times?
A. I’d like to think that the government’s going to be reasonable, but the sad fact of it is the government tends to have a short memory, so that a year from now they’re not going to remember that. I think where you see the government being the most reasonable is right now for companies that self-report an issue. … The government does recognize that it’s not business as usual and there will be delays on getting documents, for example. I think what the government will expect and where companies are going to be most successful is doing everything you reasonably can do in the pandemic to move things along.
But I think it’s also important to document. So if, for example, you have to get a new supplier onboarded immediately because your prior supplier went out of business because of the pandemic. Let’s say you’re a pharma company, and you need to add a new supplier. If you have to take shortcuts and you don’t have time to do the full due diligence that you would do to onboard them, you want to make sure that you’re finishing the process, eventually. Even if it means that you have already onboarded them, do enough that you think they’re OK, but then finish your process and document everything so that a year from now or two years from now, if you get questioned by the government, you’re able to demonstrate that you took all reasonable steps you could do at the time.
Q. What is your take on the dramatic increase in whistleblower awards from the SEC over the past 10 months or so? What’s behind such a big uptick?
A. I think it’s a combination of a number of factors. First of all, the whistleblower program has actually not been around all that long. It’s been about nine years since Dodd-Frank, and it takes a long time because you have to have a whistleblower complaint that comes in after that time period that qualifies for an award. First, the complaint has to lead to an investigation. The investigation has to be completed. There has to be a successful resolution either in court or a settlement that you get in over a million dollars. And then there’s this whole process that whistleblowers have to go through to get their claims, their share of that bounty. Those arguments get heard by a very senior group of enforcement officials at the SEC. And so there’s a long process.
We’ve seen it continue to snowball over the past few years for two reasons. First of all, it’s because there are just more cases in the pipeline, more time to finish investigations that were begun with whistleblower complaints. Secondly, I think overall, the quality of the whistleblower complaints that the SEC is getting is better now than it was earlier in the program, because there’s an entire cottage industry of whistleblower attorneys that specialize in this and that actually do a pretty good job of helping (a) weed out whistleblowers and (b) help whistleblowers shape whatever the complaint is that they’re submitting in a way that makes the SEC decide, ‘Yeah, this is one we should take a look at.’
Q. The DOJ and SEC released the second edition of the FCPA Resource Guide in July, its first update since 2012. What were some of the major changes and what did they mean specifically for compliance?
A. Generally, what the update did was address a few key court decisions that have come out since 2012. So, for example, the U.S. v. Esquenazi decision out of the 11th Circuit, which is the definitive appellate court ruling on what factors you look at to determine whether an entity is considered an instrumentality. At the time the original guide was written in 2012, there were a number of district court decisions on that issue, but it had never been addressed by an appellate court. There wasn’t a change in the law because the Esquenazi decision was consistent with the vast majority of the district court cases. But it allowed them to sort of button that up.
There were a couple of big changes, though, from decisions, particularly from the Supreme Court, that did have a big impact on things. So, for example, the SEC has now had three significant Supreme Court cases come down since 2012 that have limited its ability to get disgorgement and penalties. So the guide dealt with that, updated the fact that in the wake of SEC v. Kokesh, the five-year statute of limitations applies to disgorgement as well as penalties. And they did a quick address of the most recent Supreme Court decision on whether the SEC could get disgorgement of profits at all or whether they can only get them if they can also show they’re going to basically be paid back to harmed investors.
One of the things that the updated guide did is consolidate very concise discussions and summaries of all of the guidance that’s come out from the DOJ, specifically since 2012. So the DOJ’s Evaluation of Corporate Compliance Programs, for example. All of that is now nicely encapsulated into short, bite-sized pieces.
There was also more discussion about internal controls. I think what we’ve seen over time is that the SEC and DOJ both are really focused on internal control violations because those are easier for them to prove than bribe charges, for example.
I think for compliance professionals, the most important thing in the updated guide is they updated all of the case examples. All the way through the guide, whenever they talked about topics, say gifts or entertainment or third-party due diligence, conferences, charitable contributions, they would then do quick summaries of example cases. So it’s a very nice resource for compliance officers. If you needed a charitable contribution case, you could go to the guide and go, ‘OK, here’s three that they talk about.’ They updated all of those because in the eight years since the original guide was published, there’s been a ton of new cases. So that’s sort of a treasure trove of recent cases that people can look at for examples.