Japan Society
 

Compliance Considerations: Potential Pitfalls for Foreign Companies Operating in the U.S.


May 9, 2008

SPEAKERS
Philippa Girling, Director, Global Co-Head of Operational Risk Management, Nomura Holdings America
Marian Ladner, Member of the Firm, Head of International Trade Practice, Epstein Becker Green Wickliff & Hall
Michael Levine, Member of the Firm, Head of CSR/Sustainability Practice, Epstein Becker & Green P.C.
Hajime Matsuura, U.S. Correspondent, NIKKEI

A distinguished panel of attorneys and business leaders met at Japan Society to discuss a variety of legal risks that confront foreign companies operating in the United States.

"Compliance is the type of thing that can cause you to lose sleep, and frankly nightmares can be the least of your problems if it's not attended to properly," said Michael Levine of Epstein Becker & Green in his introductory remarks.

Marian Ladner, also of Epstein Becker & Green, observed that one of the biggest sources of potential compliance problems is the federal anti-bribery statute known as the Foreign Corrupt Practices Act. The FCPA not only prohibits the act of bribery itself, but also requires companies to keep accurate books and records of all transactions. With the advent of Sarbanes-Oxley, U.S. authorities are turning to the books and records provision "to go after major corporations for not booking a payment that was really a bribe as a bribe."

"If you didn't write bribe on your financial statements--which I just haven't seen yet, and I've been doing this for 20 years," Ms. Ladner said wryly--"then I, as an investor, can't really rely on" what is set out in those statements. For the SEC or the Department of Justice, proof is a simple matter: "You had a consultant, he really didn't do anything and you paid him $100,000, because he is the nephew or the brother-in-law of the foreign government official, or he himself works for a national oil company, or something else, and you didn't book that as a payoff, as a bribe. Gotcha."

Under the FCPA, "a company can be held responsible for its agents and intermediaries," she noted, and "this is really where most companies drop the ball--you don't really look at the people that you've subcontracted with or the people that are agents or consultants that are on your payroll."

Other jurisdictions, from the OECD and the UN to Europe and the African Union, have a variety of anti-bribery rules, she said. The level of enforcement varies, with the Netherlands and France more aggressive than the UK and Japan. U.S. law is more lenient in certain respects than that of other jurisdictions. Under the FCPA, for example, expediting payments, payments to get something done more quickly that would have taken place eventually, are not illegal. However, she said, "We actually have more prosecutions."

The FCPA has an extraterritorial reach, and the costs of a bribery prosecution can be huge, Ms. Ladner said. Siemens, which is said to have doled out $1.3 billion in bribes, spent over $500 million on its internal investigation and has paid penalties of $290 million to Germany. At least six other countries are pursuing the company, including Italy, France and the U.S.; American authorities will seek disgorgement of profits "and the amounts of those payments--that's in excess of a billion dollars."

A second area of special concern for foreign companies doing business in the U.S. is anti-boycott regulations, she concluded. Here, the issue is not so much Commerce Department penalties, which are small, but the power of the IRS, which can deny foreign tax credits to companies that agree in their letters of credit or contracts to refrain from doing business with Israel, for example, or to state that their goods weren't made in Israel. There are reporting requirements as well, and so "just as in banking where they have automated screening processes, you really have to have a process" that includes audits and reviews.

Prosecutions for bribery have been sparse both in the U.S. and in Japan since the Lockheed scandal of 30 years ago, but the atmosphere is changing and Japanese media are taking notice, said panelist Hajime Matsuura of Nikkei.

The U.S. Department of Justice is currently investigating some 100 companies for possible charges under the Foreign Corrupt Practices Act, including Japanese companies in both the manufacturing and non-manufacturing sectors, he said. According to the DOJ, one-third of the pending investigations stem from information provided under the Sarbanes-Oxley Act. With J-SOX, Japan's counterpart to U.S. SOX, going into effect this spring, he predicted that Japan's Department of Justice will step up its efforts in this area.

Interest is growing in the investor community as well, Mr. Matsuura concluded. The International Corporate Governance Network, an alliance of institutional investors whose companies collectively manage over $10 trillion in assets, expects to issue investor guidance on anti-corruption practices.

Basel II defines operational risk as the risk of loss "from failed or inadequate people, processes, systems or external events," Philippa Girling of Nomura explained. "It's a horrible definition. It's one of those committee definitions. But we get the point: If something goes wrong with your people, your processes, your systems, or you get hit with a hurricane, an external event, then how are you managing that?" Thus as global co-head of operational risk at Nomura, she is responsible for looking at "all possible ways that we could breach a compliance requirement, as well as anything that could possibly go wrong that is not market- or credit-risk related."

The first driver of operational risk management is regulation, Ms. Girling said: banks like Nomura are obliged by law to comply with Basel II. The second is good business sense: companies are constantly exposed to these risks, and it's only sensible to manage them proactively. And finally, "the rating agencies care": When Société Générale fell victim recently to an alleged fraud by one of its traders, its operational risk management was labeled deficient and its ratings were immediately downgraded.

At issue is not just the immediate financial impact of an event of this kind, but also longer-term consequences, including loss of reputation, loss of a client or group of clients, or loss of the market for an entire product line, she said. There may be ongoing costs for mitigation, and "somebody in your organization for five years monitoring everything that you do."

Basel II puts operational risks into seven categories, Ms. Girling continued:

  • internal fraud;
  • external fraud;
  • employment practice and workplace safety;
  • clients, products and business practices, which is probably where bribery would fit in;
  • damage to physical assets;
  • business disruption and system failures--"quite a few regulators now require you to demonstrate you have robust business continuity planning. Do you have a replica of your current environment offsite? And they require that. Do you have a way to respond to a possible pandemic flu?"; and
  • execution delivery and process management, which includes things like systems breaking down or someone making a mistake in the course of processing a trade.

Basel II requires firms to show how they identify, assess, control and mitigate any risks that occur, she noted. The first element of Nomura's framework for accomplishing this is governance and organization. Next come culture and awareness--"over and over again we see that the people who are at the ground level are not necessarily educated in what they can and cannot do"--and then policies and procedures: "What do you need to write down? What do you need to be able to demonstrate that you wrote down?" Here, there is "a big overlap with SOX, because SOX has some entity-level requirements where you need to be able to show that you have, for example, a fraud risk assessment at the corporate level."

Given these basics, the operational risk management team must gather data on losses, both internal ("bad things that happen to you") and external ("bad things that happen to everyone else"). Nomura looked very carefully at Société Générale's example, Ms. Girling said. "What could we learn about Mr. Kerviel? How did he do it? Could he do it here? What are the regulators telling us we should be looking at?" The team then performs a risk and control self assessment, which involves formal face-to-face evaluations of controls, mitigation efforts and residual exposure in every department; a scenario analysis, which calculates what might be lost in the worst possible case; and a study of key risk indicators, which are metrics that "show us whether we're getting riskier or less risky." Like many companies, Nomura does more detailed assessments in selected areas that are critical in its lines of business, including fraud, anti-money-laundering rules and know-your-customer rules, she noted.

"Those four pieces of work: loss data, RCSA, KRIs and scenario analysis form the bedrock of an operational risk program, and all feed into your measurement and modeling and your reporting to senior management, and then it's all held together by the risk appetite of your organization. So, at some point senior management needs to decide how much risk are we comfortable taking, and then the framework needs to respond to that," she concluded.

Standards and risk-control programs are very important, said Michael Levine of Epstein Becker & Green; but "to understand and manage these risks correctly, you really have to have seen them first-hand." There are many examples of textiles and consumer goods firms whose well-intentioned compliance programs have in fact failed to adequately consider and respond to the business risks they face. Traveling to factories around the world, Mr. Levine said, has enabled him to understand the challenges in realistic detail.

"Each of us here in addressing compliance challenges is trying to protect the good name and the brand value of companies. And once it's damaged, dinged up, banged up in the age of the Internet, it's very hard to repair it," he reflected. When tabloid newspapers in the UK published stories about child labor in factories that made clothes for Gap, "these photos were all over the Internet. There was video footage of the children working in the factories."

Major media outlets picked up the story, and Gap executives scrambled to respond. The company, which already had an 80-person in-house supply chain compliance team, canceled orders and promised to be sweatshop free, to use external monitors and to donate $200,000 to improve working conditions. "But you can bet it cost a lot more than canceling these orders and responding to this crisis--the lost executive time, the cost for PR firms, the cost for legal," he said. It would be hard to put a value on the reputational injury that may have been sustained.

Factories that are inspected over and over again by many different inspectors may become overwhelmed, Mr. Levine pointed out, and "audit fatigue" is a very real problem. But businesses that try to avoid this by joining together to share information face other risks, including possible antitrust violations and civil conspiracy claims. Similarly, companies that try to help factories improve conditions have to be careful about how they act so that they are not subject to claims that they have become joint employers of the factory workers who make their products, opening up another avenue of legal exposure.

It isn't only apparel firms that run into problems, he noted. When Yahoo China received government subpoenas and handed over information on activists' Internet use to Chinese authorities, some of its customers whose data were revealed were detained and allegedly tortured. Yahoo executives were sued in an American court under the Alien Tort Statute, a case that was later settled; they were called before Congress and lambasted by a lawmaker as "moral pygmies" for complying with the subpoenas.

How to get real buy-in on compliance issues from top executives and decision-makers? Mr. Levine asked. "It really has to be part of their job descriptions, and they should be evaluated against it--penalized for not doing well, rewarded for doing well." A mere paper program won't be of much help in fending off shareholder resolutions on CSR issues or gaining leniency if the company is investigated for or convicted of a regulatory violation.

"If you look at Japanese firms, a lot of times their social compliance focus begins with the environment," he said. This "is of historic importance in a resource-challenged area, but it's not just enough to be 'green.' These other issues (social, labor and governance) have been around for a long time. There are well-known risks and you can't just focus on one risk and manage it well to the exclusion of others. You have a very big vulnerability. They may just start by having an internal CSR department, and that's not enough. It's probably due in some respects to the absence in the past of stakeholder pressure through non-governmental organizations or unions, but the future increased investor pressure, stakeholder action campaigns and possibly being 'TIONed'"--hit by investigation, prosecution, litigation and legislation.

A recent survey of major multinationals by John Ruggie, a UN Special Representative for Business and Human Rights, came up with some interesting findings about certain Japanese companies, Mr. Levine said. "First, they were the least likely of those responding to the survey to include their countries in which they operate in their human rights policies"; second, they were less likely than companies in other countries to consult with stakeholders about compliance matters; and third, they were "the least likely to report externally or internally about their compliance policies." By the same token, he added, "there are legal risks that what you disclose to engage some stakeholders could become the basis of a lawsuit against the company what other stakeholders perceive to be illegal or substandard conduct. So, failing to respond, and responding, to demands for transparency about business operations may effectively place companies between a rock and a hard place."


***

When companies pay fines in the U.S., where does the money go?


It depends on where the prosecution is handled, and in cases where federal and state authorities bring joint actions, it may be split between the U.S. Treasury's general fund and state coffers, Ms. Ladner replied. "It doesn't go back to the people or the shareholders."

"I'm a former prosecutor and Marian also worked at Treasury," Mr. Levine added. "It's a motivating factor for increased enforcement, the fact that you can report these tremendous fines and penalties." If the Democrats win the White House this fall, "it's possible that there will be increased enforcement of laws applicable to compliance programs, perhaps a return to the days, for example, under Robert Reich," Secretary of Labor during the Clinton administration, "who had a very aggressive program of embarrassing and goading companies into compliance." And "even under this administration's enforcement of the FCPA, as we've heard, is ramping up substantially. So it's not compliance enforcement is not likely to decrease in the near future."

What should companies be thinking about in terms of prevention and detection of these problems?

Companies have to examine the controls they have in place and how well they're working, "and you have to do that across your organization," Ms. Girling responded. "You need to be very broad with how you address risks to ensure that [with] every area, you thought ahead to how that particular group might breach their compliance requirements, so that you are putting up the walls, not just shutting the gate after the horse has bolted."

"What I do in my practice actually is all the preventative health care, is how I like to refer to it," Ms. Ladner said. Better to have an annual checkup and take steps to address any problem and avoid getting sick than "going to the doctor and then having the doctor tell you that you've got stage IV cancer."

In her view, computer-based training on compliance issues, though popular, is only one piece of what's necessary because it doesn't generate the real engagement that face-to-face training provides. Hotlines do work, however, and ought to be more widely used, she said. "You see a reluctance to have a hotline anywhere but in the U.S., where our legal system has really shoved that down the throats, made it mandatory, for most corporations." With an anonymous hotline, the vast majority of employees who are loyal to the company can alert managers to what's not going right, so the compliance team can be sent in to monitor what's really happening. "Because sometimes bad things happen to good people. The people are trying to do it right. They just don't realize that they've had some flaw that crept into their process or some flaw that's always been in their process."

One thing to be aware of, Mr. Levine commented, is the risk that companies may have to disclose the results of their internal monitoring programs or work with consultants during subsequent litigation. Thus if companies work with consultants and "ignore the advice of these good consultants on a point that goes to knowledge or intent, those materials may be discoverable, and there is a strong argument then that can be made for retention of counsel so that companies may be in a position to argue that certain communications are privileged."

Do smaller and medium-sized companies from abroad, companies with small operations in the U.S., really have to implement a whole host of compliance strategies?

"I think the bottom line is understand what your risk is," Ms. Ladner answered. "If you're a billion-dollar company but your unit in the U.S. is only $1 million or $100 million or $500 million, you still have a big problem," because "any of those risks can lead to litigation in the U.S. and they will have no trouble trying to reach the corporate parent." And even for a small company, a basic compliance program isn't that expensive.

"It costs a lot less up front to get good advice than it does to come for help when you're in trouble," Mr. Levine added. If it's too late in the game when you first go to get help, then this may be a cost that your business cannot survive.

Ms. Girling said that when she gave a seminar recently on how to do risk and control self assessments, she expected 80 percent of the attendees to be financial services businesses required to comply with Basel II, but it turned out that only five of 45 people in the audience were from Basel II organizations. "The rest were doing it because they decided they needed to, which I think is very interesting, because if that's the mood, then you need to be part of that mood, otherwise your shareholders can criticize you for not being."

Yahoo China is 51 percent owned by a Chinese firm called Alibaba. How do you manage risks when you're not necessarily in charge? Is there a point when you can really distance yourself from what may happen in a joint venture overseas?

Ms. Ladner responded, "Just because one person has more percentage at the table, at the bargaining table, that doesn't mean they are more powerful."

What's essential, she added, "is you have to have it in writing," especially when it comes to audit rights. "We drive through in our contracts that we have the right to audit not only you, but any subcontractors on our behalf or your behalf, and that's critical. You have to be able to get to whoever they're doing business with and whoever that person's [doing business with]--they'll tell two friends and then two friends, so you have to be able to drive that through and then mandate any subcontracts that they may have that this language and your rights are within those contracts as well."

"China, like other countries, however, is increasingly focusing on things like CSR," Mr. Levine observed, with banks for example turning down would-be borrowers with environmental or labor violations.

"It's critical that you have a very robust new business approval process within your organization," a process that engages "the people who understand the risks" and will ask questions: "Have we considered whether the operations can function, have we thought of the legal, the compliance, the tax consequences of what we're doing?" Ms. Girling cautioned. "Because if you're only thinking along the business lines, everything will get pushed through."

How are companies deciding what is the right amount and the right kind of compliance? Gap had 80 or 90 inspectors, yet it turned out that some of its subcontractors were using child labor. Financial institutions, presumably people were trying to manage risk, yet we've had this subprime crisis blow up on all the balance sheets.

Mr. Levine answered, "It's really not ultimately about the audit forms that people use, or as people press for joint initiatives, the sharing of data or software, how the data is housed. It's really about who's looking at the data and making decisions. And then once the bad data comes in, are people acting upon it and do they have the courage and the strength to drive through a response to it?"

-Katherine Hyde
Topics:  Business, Policy
