Driver: I’d like to start by introducing our distinguished panel, all of whom are partners with Clifford Chance and formerly served as federal prosecutors. They have deep experience with international compliance regimes and the investigations that accompany them. Today’s panelists are Wendy Wysong, David Raskin, Chris Morvillo and Ed O'Callaghan, and my special thanks go to Wendy for joining us from Hong Kong.
At the U.S. Attorney’s Office for the District of Columbia, Wendy handled matters concerning arms export control, economic sanctions, terrorism, hijacking, environmental crimes, public corruption and government fraud. While serving as deputy – and then acting – assistant secretary for export enforcement at the Department of Commerce's Bureau of Industry & Security, she oversaw export control enforcement of sensitive dual-use items, services and technology.
David, Chris and Ed all served as assistant U.S. attorneys in the Southern District of New York. David’s experience includes serving as chief of the Terrorism & National Security Unit. He handled many of most important criminal investigations and trials brought by the U.S. government during the past decade, including those involving key players in the September 11, 2001 terrorist attacks. He also has been involved in high-profile Foreign Corrupt Practices Act (FCPA) investigations.
As an assistant U.S. attorney, Chris investigated and tried a wide variety of criminal cases involving fraud, money laundering, obstruction of justice, narcotics and counterterrorism. He has extensive experience in matters concerned with insider trading, corporate espionage and securities fraud, and he received the Attorney General’s Award for Exceptional Service for his prominent role in prosecuting the notorious defense attorney Lynne Stewart and her co-conspirators.
Ed has represented some of the world’s largest financial institutions, plus individuals and other entities, in regulatory enforcement investigations and proceedings, including those involving claims of insider trading, securities fraud, export control violations and FCPA violations. As an assistant U.S. attorney, he served with David as co-chief of the Terrorism & National Security Unit and was lead prosecutor on the international financial fraud investigation and prosecutions related to corruption in the United Nations Oil-for-Food program.
Now let’s turn to the substantive discussion.
* * * *
Driver: Wendy, you lead the firm’s anti-corruption team in the Asia-Pacific region, advising Asian companies about U.S. operations and U.S. companies about operations in Asia. What are the top compliance issues in your view?
Wysong: Thank you, Al. I relocated to Hong Kong to address client concerns about the effect of U.S. regulations on Asia-Pacific operations. Of particular concern was the extra-territorial effect of U.S. export sanctions, export controls and the Foreign Corrupt Practices Act (FCPA). Our clients wanted realistic advice about sanctioned activities and the extent of allowable action, both within applicable laws and in the context of traditional business practices and cultural courtesies that must be recognized when doing business in Asia.
One example involves the FCPA. With relative ease, U.S. companies might issue a blanket rule against gifts and hospitality, but a Chinese company bears the additional burden of explaining such restriction on a traditional business culture that likely includes a long history of gift giving on important holidays. Otherwise, the restriction would be ignored as an imposition of Western sensibilities on conduct that, in reality, is not intended to influence a particular business decision.
Driver: Have you identified any country- or industry-specific trends in advising companies about compliance with U.S. laws and regulations?
Wysong: Importantly, over half of all 2011 FCPA investigations involved an Asian country, including Japan, China, Malaysia, Thailand, Indonesia, Vietnam, Myanmar, South Korea and Taiwan. Companies here recognize that their business practices give rise to a particular risk, and it’s no secret that the United States prosecutors find these cases pretty easy to make in Asia.
Moreover, when the United States announces that it will target a particular industry, such as pharmaceutical, mining or infrastructure, it really rattles everyone over here because they know that Asian companies in those industry sectors will also be targeted. Increasingly, companies in the financial sector are examining their compliance and liability risk, not only with respect to the Office of Foreign Assets Control (OFAC) but also with respect to the FCPA and the UK Bribery Act.
Another trend involves the overlap in regulatory regimes, such as FCPA investigations that very often lead to export issues. We saw this with Innospec when a corruption investigation also uncovered violations of OFAC, as well as with several other important cases.
Driver: What are the most important components of compliance programs for companies based in Asia?
Wysong: Whether compliance programs relate to export controls, corruption or other matters, the first key component is commitment. It is critical that a genuine commitment from management be demonstrated every day to employees because lip service is just as ineffective in Asia as in the United States.
Next, I advise setting realistic guidelines that respect Asian business culture and the practical issues U.S. companies face in establishing operations here. Imposing total restrictions on the use of third parties, for instance, is impractical because companies often need local assistance with understanding cultural traditions and practices. The better solution is to provide guidance on the appropriate use of third parties.
Finally, companies must thoroughly train compliance staff and ensure their credibility with management. The compliance staff must be empowered to communicate with authority and to implement the company’s export or anti-corruption compliance programs.
Driver: You also serve as Special Compliance Officer (SCO) for International Traffic in Arms Regulations (ITAR) compliance of Academi (formerly known as Xe Services LLC and before that, as Blackwater). In fact, we understand that you and Ed both have experience in dealing with the ITAR, as former prosecutors of export control cases and, in your case, also as a former regulator at the Commerce Department. Please talk about the SCO’s role and the compliance and risk management issues that companies now face under export control laws.
Wysong: When Ed and I started out, ITAR cases were not really at the forefront of prosecution priorities. After the September 11 attacks, however, these issues escalated beyond the scope of ordinary regulatory offenses and were treated as matters of national security. They became an integral part of the anti-terrorism effort, which requires paying close attention to items being exported and to their recipients. So, we became very involved in prosecuting these cases as part of the counter-terrorism program.
I was appointed as the SCO of Xe Services, now known as Academi, pursuant to its consent agreement with the U.S. Department of State's Directorate of Defense Trade Controls (DDTC). For a period of three years, I will serve as the eyes and ears of the State Department, overseeing Academi’s compliance effort with respect to ITAR and the consent agreement, including its reporting requirements. After three years, Academi can emerge with a clean bill of health, having both demonstrated a commitment to compliance and maintained the terms of the consent agreement.
SCOs often oversee compliance efforts in ITAR prosecutions and FCPA cases. In many ways, SCOs make the compliance director’s job easier because we are familiar with State Department and Justice Department requirements and can back up the director’s decisions. SCOs face challenges in establishing a solid relationship with the company; understanding its pressures, the relevant industry sector and associated regulations; and clearly defining the scope of our responsibilities.
One unique aspect of being an SCO is that the attorney-client privilege does not apply. In fact, we have an obligation to report what the company says and does to the State Department. We’re a communication link in that respect, which can work in both directions when, for example, a company or industry sector needs clarification about regulatory provisions. Here, the SCO can identify these issues and get guidance from the agency. We’re also there to provide insights to regulators as to industry needs and company concerns.
O’Callaghan: I want to amplify Wendy’s point about considering export control laws and regulations to be issues of national security. SCOs should emphasize to companies – many of which are trying sincerely to comply – that regulators are operating on a much deeper level, and the scrutiny is more intense. As a result, check-the-box compliance measures are insufficient.
Driver: Thanks, Ed. Our next question is for David, Chris and Ed. As former federal prosecutors, you are well aware of the consequences when compliance efforts fail. Since your arrival at Clifford Chance last November, you have met with clients and regulators all over the world to discuss compliance-related matters. What are the broad takeaways from these discussions?
Raskin: Thanks, Al. It truly was a world tour, including visits in London, Beijing, Hong Kong and Singapore, to name a few. In talking with many of the firm’s key clients, new partners and regulators in numerous jurisdictions, my biggest takeaway is that global regulators are far more coordinated than I had expected on issues relating to the financial sector.
In the immediate wake of the September 11 attacks, there was a natural spike in global coordination among the law enforcement and intelligence communities regarding national and international security. Similar action occurred in the financial sector after the 2008 crisis, leading to an unprecedented level of coordination among regulators and prosecutors across the globe. As a result, we’ve made substantial efforts to communicate with our clients about this new environment. Obviously, when regulators are coordinated, companies must be extra vigilant in their compliance efforts.
Morvillo: I would add that regulators across the globe are looking at other jurisdictions and have taken great interest in our experiences in the United States with deferred prosecution agreements. While this concept is not yet widely implemented on a global scale, we can report that it’s under serious consideration in most all countries. Our clients were very interested to hear about what these agreements entail and how they are enforced and regulated.
Each category of client is different, so our discussions were tailored accordingly. Fund managers were interested in insider trading law and enforcement, while international organizations, such as those engaged in emerging markets, were very concerned with FCPA issues. The main theme here is that all eyes are on the United States.
O’Callaghan: In conversations with clients, particularly those in Asia, I was struck by their acute awareness of the ripple effect caused by large investigations and settlements associated with U.S. regulators, sometimes in concert with their foreign counterparts and other times acting alone. Entering into a large settlement, and even embarking on an investigation under SEC or DOJ review, will affect a public company’s market cap and the share price – with continuing effect on investment decisions globally.
Discussing these issues gave me a real appreciation for our clients’ concerns, which is invaluable in helping with their global compliance programs. So the takeaway here is to understand the potential for a global ripple effect of issues that, at first, may appear isolated within a U.S. enforcement action.
Driver: David, should U.S. companies endeavor to maintain good relationships with global regulators?
Raskin: The answer is yes and no. In a perfect world, companies are very happy to avoid any and all contact with regulators. They would like to go about their business, seek to meet all ethical and legal standards on their own, and never have to deal with regulators, much less prosecutors. But that is a rare situation these days. As I mentioned, regulators are better coordinated and have stepped-up vigilance after the global financial crisis, particularly as pertains to the financial sector itself.
Increasingly, companies are forging relationships with regulators on a proactive basis in order to build good will and a reputation for compliance. When regulatory problems arise, the company’s credibility is at stake, and regulators and prosecutors will assess the sincerity of the company’s compliance efforts, over and above the problem at hand. Thus, a pre-existing positive relationship can greatly facilitate issue resolution.
Driver: Upon discovering a compliance failure, under what circumstances should a company decide to self-report? Does the particular jurisdiction involved play a big role?
Raskin: The decision to self-report involves a fact-specific inquiry, with factors including the type of business, the nature of the violation and, absolutely, the nature of the jurisdiction. A good example involves a matter we’ve been handling in Germany. Because there is no attorney-client privilege in Germany, prosecutors and regulators are not interested in the company’s voluntary disclosure; they simply want all the documents. Obviously, these circumstances would be very different if the matter were being handled in the United States and other jurisdictions, where the privilege can be asserted.
While jurisdiction is a big issue, the most important factor in a decision to self-report is doing a cost-benefit analysis that weighs the scope of the violation against the potential benefits of coming forward and, as we say, “getting ahead” of the problem.
Wysong: Because our clients are dealing with cross-border violations and multiple jurisdictions, we counsel them to think beyond the understandable impulse to self-report to U.S. authorities to get ahead of the problem – as David says – because the United States spells out the benefits and provides clear guidance for self-reporting, which is not necessarily the case for other jurisdictions in which the company may have acted. Disclosure to U.S. authorities may warrant simultaneous disclosure in other countries. We’ve seen cases like this, such as with Siemens, where an investigation conducted in Munich quickly triggered the need to make disclosures to the U.S. and to handle both jurisdictions simultaneously.
So it’s sort of a ballet, and you have to have good choreography. When our clients are analyzing a potential decision to self-report, we counsel them to consider how those disclosures will be treated by other jurisdictions that may be involved.
Driver: Ed, what is the overall trend with regulatory bodies worldwide, and what accounts for today’s increased enforcement activity?
O’Callaghan: The clear trend is that regulators are working in a more coordinated fashion globally. In the financial industry, coordinated efforts among U.S. authorities have resulted in announcements of joint settlements with values reaching into the hundreds of millions of dollars. Increased enforcement, certainly in the United States, is attributable to the fact that new legislation provides regulators with expanded investigative authority. This provides regulators with a public mandate to exercise that authority with respect to companies and financial institutions to a new and greater extent.
Specifically, the SEC completely reorganized its enforcement division post the financial crisis, including implementation of DOJ programs that encourage the financial services industry to cooperate and gain a benefit toward the ultimate resolution of investigations. As a result, the SEC is operating more nimbly.
The SEC also is getting savvier about methods of investigation. For example, the regional administrator in Philadelphia, Daniel M. Hawke, was appointed to head the market-abuse unit within the reorganized SEC enforcement division. That unit uses computer programs to track and crunch trading patterns, and if they see an unusual pattern coming out of an investment advisor or a division within a larger financial institution, they can initiate an SEC enforcement investigation on that basis.
Previously, a formal order to launch an SEC investigation required a vote by the Commission, but now that authority has been delegated to regional administrators, and further, to unit heads within enforcement divisions. Now, enforcement attorneys can get subpoena power literally within minutes. This is a game changer in the SEC’s approach to investigations.
The SEC’s counterpart in Hong Kong reported to us that similar investigative techniques are being implemented in Asia and coordinated worldwide. Further, they are expecting companies to follow suit and respond to inquiries in a coordinated fashion. Thus, situations where, in the normal course, we would have provided information to the SEC, the CFTC and the DOJ will now demand expanded productions, such as to the Financial Services Administration in London and to the Hong Kong regulators, depending on the nature of the compliance failure. The key for us is to maximize the potency of our efforts through efficient coordination.
Wysong: Further, and not as obviously, the United States is teaching these investigative methods to foreign jurisdictions. As a result, where the United States could have jurisdiction in a matter, it will instead defer to foreign prosecutors who are building their own capacity. This deference is very encouraging to local regulators who are fighting corruption in their own countries. In supporting homegrown prosecutions, the United States is strengthening the worldwide effort and moving away from its role as the global police force.
Driver: Wendy, in what countries are regulatory schemes most onerous?
Wysong: That’s an interesting question, Al, because no country gives free rein anymore. As a prosecutor years ago, I remember speaking with the president of a developing country who casually mused that his country might need to enact a fraud law. He recognized that there was a growing threat of corruption as foreign companies moved in and that the country’s regulatory structure was not as strong as it should be. While that sounds naïve from today’s perspective, it highlights just how important regulatory measures have become.
Some countries are now enacting very broad regulatory schemes based on the OECD guidelines or what they see in the United States and UK. While these schemes may seem onerous on their face, our experience is that they are not always enforced. On the other hand, other countries adopt very simple regulations – China’s foreign corruption law is one sentence long – but if you violate these deceptively simple laws, the death penalty has been imposed.
Contrary to perceptions that China allows bribery to run rampant, the local newspapers regularly publish stories about officials being punished for accepting bribes. So it’s important to look beyond the statutory language and assess the level of enforcement, which is the more critical, real-world issue.
Driver: How do global companies cope with differences in the legal or regulatory schemes of various countries?
Wysong: That comes up a lot because there are inconsistencies in regulatory schemes. A company’s actions may be perfectly compliant in one country; however, if the company establishes new operations in another country with stricter laws, its compliance plan must be adjusted to address the tougher restrictions. A common strategy is to conform a broad company policy to the requirements of the strictest constituent country and then apply it across the board. We’ve also helped clients develop a global compliance plan, from which we’ve adapted individual plans for each country. The latter strategy is very difficult to manage, but for some companies, it’s the only realistic way to get the job done.
The key is to recognize that local laws have to be addressed and that blanket compliance plans can be unrealistic and place the company at risk. Moreover, complying with data requests from U.S. authorities in violation of EU data privacy laws, or restricting trade with Cuba in violation of the blocking statutes of any number of countries, has brought huge compliance headaches until there is a careful weighing and measuring of the risks. Clifford Chance has offices in many different countries with experts who have knowledge and experience in the local laws; thus, we can ensure that our compliance plans comprehend local laws and regulatory requirements. For a company facing enforcement action in Asia, the defense should never be “well, I complied with the UK law.”
Driver: Chris, how can companies protect their directors and officers from criminal and civil liability in today’s complex global environment?
Morvillo: Obviously, every company’s risk exposure and risk tolerance is different, but I can offer some broad guidelines. First and foremost is risk recognition, which involves focusing on how regulators might scrutinize company conduct. Entities doing business in emerging or non-U.S. markets need a vigorous anti-corruption policy that focuses on FCPA; trading houses or fund managers need rigorous insider-trading policies; and technology companies, among many others, have to protect their basic technological assets from corporate espionage by employees moving to another company.
Once companies identify risks – for example, through peer group analysis or conversations with outside counsel about experiences with other clients – then they can adopt compliance policies that specifically address those risks. Once adopted, the policies must be the subject of clear and comprehensive training about what the policies mean and how they are implemented.
Finally, companies need appropriate D&O liability insurance. Given the increase in actions against senior management, it is critical to provide coverage that allows them to retain counsel and defend themselves. You would be surprised to learn how many companies don’t have up-to-date policies or even any policies at all.
Driver: What are your suggestions for compliance programs that ward off regulatory and liability issues, which otherwise might lead to costly litigation or other dispute resolution proceedings?
Morvillo: Again, it depends on the industry. In broad terms, compliance programs are fundamentally engineered to spot and prevent potential problems before they arise. Companies are well served by establishing a culture of compliance, which starts by designating one employee as compliance officer. Managing compliance can be a full-time position routinely found at larger institutions, or at a smaller institution may be among numerous responsibilities for that employee. Compliance officers should have the seniority required to ensure that their directions are heeded.
In addition to a compliance officer’s responsibility for creating and implementing policies, I cannot overemphasize the importance of regularly scheduled training programs for all employees, and particularly for new hires. Options include inviting outside counsel to talk about legal and regulatory trends and relevant liability issues. Clifford Chance offers online training for our clients, where employees answer a series of questions in order to demonstrate their understanding of the substance and operation of compliance policies and procedures. Again, the key is to create a culture of compliance, and the critical sub-component is a rigorous employee training program.
Driver: Thanks, Chris. Finally, I would like to thank all the panelists for their participation in this discussion, which covered so many of the important issues corporate counsel are facing with their global compliance efforts. My compliments go to each of you for your insightful comments.
Published August 23, 2012.