Thank you for that kind introduction. I am honored to be invited to speak with you this afternoon.
As the Principal Deputy Assistant Attorney General for the Justice Department’s Criminal Division in Washington, I have the privilege of helping lead a team of 600 prosecutors who enforce the nation’s criminal laws and engage in training and capacity building abroad. A significant number of those prosecutors are tasked with combating corruption and fraud, here in the United States and across the globe, including within publicly traded companies, international financial institutions, the healthcare industry, and even our own government and military contractors. It is in these cases where we most often interact with corporate compliance programs and departments.
I suspect that everybody in this room is familiar with the Principles of Federal Prosecution of Business Organizations, or the Filip factors, upon which we base our corporate charging and resolution decisions. One of those factors expressly directs us to consider “the existence and effectiveness of the corporation’s pre-existing compliance program” in deciding whether to charge a corporation with a crime.
In fact, one is hard-pressed to find a corporate resolution with the Justice Department that does not contain a prominent reference – positive or negative – to the corporation’s compliance program. The existence of an effective compliance program can make all the difference when a corporation is in the Justice Department’s sights.
Today, I would like to highlight a few primary strengths and weaknesses that we have observed in corporate compliance programs of late. As an overarching theme, the failure to expand compliance programs to meet the needs of growing corporations – particularly global corporations – drives many of the compliance problems we have seen. On the flip side, compliance programs that have widespread prophylactic and training mechanisms – as well as procedures designed to uncover wrongdoing and expose individuals responsible for criminal behavior – are the most effective.
A corporation’s ability to use compliance to uncover misconduct and, just as importantly, identify wrongdoers is central to the Justice Department’s evaluation of a compliance program.
As you know, there is no off-the-rack, one-size-fits-all compliance program. Companies must tailor compliance programs to manage their unique risks. There are, however, characteristics that should be present in each program.
In 2012, the Justice Department and the SEC published the Foreign Corrupt Practices Act, or FCPA, Resource Guide, which contains an entire section entitled, “Hallmarks of Effective Compliance Programs.” While the hallmarks in the FCPA Guide are focused on anti-corruption compliance programs, the principles identified apply universally.
Now, I’m not going to go through all the hallmarks with you today – but I will make a couple of overarching points. First, the Justice Department’s hallmarks are designed to encourage a ‘culture of compliance,’ which begins – but doesn’t end – with ‘a tone from the top,’ and extends to actions throughout a company’s ranks.
So hallmark #1 is high-level commitment. When employees truly understand that a company’s leadership is committed to compliance – even when it runs up against profits – only then does a company truly have a successful compliance program. The quickest way to check on that commitment is to take a look at corporate structure. If you see compliance executives sitting in true positions of authority at a corporation, reporting directly to independent monitoring bodies, like internal audit committees or boards of directors, you likely are looking at a strong compliance program. Compliance programs also need to be resourced; they need to have teeth and respect. By contrast, for years, Wall Street banks housed their compliance programs across the Hudson River, in New Jersey. They were out of sight, out of mind. Compliance programs need to have appropriate stature within corporations.
Another key hallmark is whether the program grows with the company. Any good compliance program needs to be periodically evaluated, using risk assessment models aimed at the individual circumstances of the company. As companies change over time, so must compliance policies.
A strong compliance program must also involve enforcement and discipline. It is human nature to pay more attention to what people do than to what they say. Compliance must be incentivized; violations disciplined. And the response must be even-handed. Too often we see low-level employees who implemented bad conduct fired, but bosses, who did nothing to stop the conduct – and may even have directed it – left in place without sanction.
Although increasingly rare in this day and age – more than a decade after the passage of the Sarbanes-Oxley Act – we are still encountering prominent companies with no real compliance programs. Hard to believe, but true.
Just last year, three subsidiaries of Weatherford International, a Swiss oil services company listed on the New York Stock Exchange, pleaded guilty to FCPA and export control violations. Over a period of many years, Weatherford subsidiaries in Africa, the Middle East, and Iraq paid bribes to foreign officials in exchange for lucrative contracts and inside information about competitors. Some of Weatherford’s international subsidiaries also illegally exported oil and gas drilling equipment to countries under United States sanctions – countries like Cuba, Iran, Sudan, and Syria.
But more important to this audience than Weatherford’s conduct itself may be the admissions it made regarding the state of its compliance programs. Weatherford admitted that prior to 2008, the company did not have a dedicated compliance officer or compliance personnel, did not conduct anti-corruption training, and did not have an effective system for investigating employee reporting of ethics and compliance violations.
The most glaring failures occurred in its overseas offices and subsidiaries. Let me give you a revealing example: Despite its global presence, Weatherford did not even bother to translate its compliance policy into languages other than English. Think about that for a second. Weatherford had subsidiaries and operations in more than 100 countries across the globe. It operated in the high-risk environment that is the oil extraction industry. And yet Weatherford didn’t even bother to make its compliance program intelligible to many of its employees – in languages they could understand.
And there’s more. Though in 2004 it began circulating an ethics questionnaire asking if employees were aware of payments to foreign officials, Weatherford had no process to investigate affirmative responses. Indeed, Weatherford did not conduct any follow-up investigation in response to allegations of corruption.
Put simply, Weatherford’s compliance policy was a program in name only. It wasn’t worth the paper it was written on. Had Weatherford employed even a basic compliance program, it may not have found itself paying over $252 million in penalties and fines.
Now, given that we’re here at an advanced compliance and ethics workshop, I suspect that everyone in this audience is well beyond this point. That said, a compliance program must be more than a pile of papers or an entry on a web site. Policies – however strongly written – are meaningless if not thoughtfully enforced and backed by commitment and resources.
The Weatherford case is also a stark example of a problem that we’re seeing more and more frequently: the failure of a compliance program to bridge the geographic divides and cultural gaps exposed by global corporate expansion.
As I mentioned, although Weatherford had a written compliance policy, the company failed to translate it into any language beyond English. Although translation of the compliance policy into other languages would probably not, by itself, have solved Weatherford’s problems, the failure to do so certainly demonstrated that compliance was not a company priority.
The Orthofix International case also illustrates the failure of a compliance program to grow with the company. Orthofix is a medical device company with facilities in the United States, Europe, Mexico and elsewhere. Between 2003 and 2010, its Mexican subsidiary paid bribes to Mexican officials in return for hospital agreements to purchase millions of dollars of medical equipment. Again, despite its entrance into the market in Mexico, Orthofix failed to translate its compliance policy into Spanish or even implement its compliance policy at the subsidiary. Orthofix also failed to train its personnel or regularly test or audit transactions for illicit payments. Orthofix’s conduct ultimately led to criminal charges, a deferred prosecution agreement, and millions of dollars in criminal and regulatory penalties.
At a minimum, expanding corporations must extend their compliance programs to all of their subsidiaries – even, or perhaps especially, those that were recently acquired – and must ensure that compliance policies are understood and implemented by all employees, no matter what country they work in.
But in our global economic system, it is not enough to simply translate a compliance policy into multiple languages and provide training at overseas offices. In a series of recent criminal cases involving international financial institutions, we saw employees stationed overseas actively circumventing compliance policies even where they understood them. Indeed, in the cases brought against BNP Paribas, Credit Suisse, HSBC, and Standard Chartered, foreign bank personnel made affirmative efforts to circumvent U.S.-based compliance policies and personnel.
For those of you unfamiliar with the specifics of the BNP Paribas case, between 2004 and 2012, BNPP knowingly and surreptitiously moved over $8.8 billion through the U.S. financial system on behalf of Sudanese, Iranian and Cuban sanctioned entities, in blatant violation of U.S. economic sanctions. This happened in the face of repeated warnings expressed by compliance officers. For example, one senior compliance officer wrote an email to other high-level BNPP officials reminding them that certain Sudanese banks with which BNPP dealt “play a pivotal part in the support of the Sudanese government which . . . has hosted Osama Bin Laden and refuses the United Nations intervention in Darfur.” A senior compliance officer further warned that a satellite bank system was being used by BNPP to evade U.S. sanctions, identifying specific violative transactions. The compliance officer sounded warning bells, writing: “This practice effectively means that we are circumventing the US embargo on transactions in USD by Sudan.”
The response to these and other warnings? High-ranking BNPP officials explained that the flagged, illegal transactions had the “full support” of management at BNPP headquarters in Paris. To borrow a phrase, the message from BNPP management was: ‘money talks, compliance walks.’ There could be no more stark statement regarding the ‘tone from the top.’
During the investigation of BNPP, we uncovered emails in which foreign bank branch employees specifically directed others to hide the criminal transactions from U.S. branch employees because of the compliance programs there. They orchestrated the removal of references to Cuba, Iran, and Sudan from transactions, knowing that these references would have raised flags for U.S. compliance employees. And when compliance employees in BNPP’s New York office detected a few of the illegal transactions and raised concerns, rather than complying with the law, BNPP simply executed an end run around the bank’s own New York office. One email from a BNPP executive put it bluntly: “I only see the solution of going through another bank than BNPP NY for all transactions to these destinations.”
The BNPP case is thus not a simple story of a poor compliance policy, but a more complex tale of leadership failure and institutional greed.
Compliance policies existed. The law was understood. Red flags were raised. But in the relentless pursuit of increased profits, the red flags were ignored, and the policies circumvented. Ultimately, BNPP’s willful and pervasive compliance failures cost the company a parent-level guilty plea and record-breaking criminal penalties of $8.9 billion. That’s one record you don’t want to break.
The Credit Suisse tax case involved the same themes of compliance failure and circumvention across international boundaries. For decades, Credit Suisse helped thousands of U.S. customers open undeclared Swiss bank accounts to conceal assets and income from the IRS. Although compliance policies were promulgated to curb this business – such as restrictions governing communications with U.S. residents and travel to the U.S., including policies precluding investment advice in the U.S. – Credit Suisse failed to effectively monitor or test adherence to those policies. Indeed, the policies were so flagrantly and consistently violated that some managers came to believe that a certain degree of non-compliance was part of Credit Suisse’s business plan. Ultimately, the conduct resulted in Credit Suisse entering a parent-level guilty plea and paying $2.6 billion in penalties.
Both the BNPP and Credit Suisse cases reflect failures in global enforcement of compliance programs. But, perhaps more starkly, they illustrate a failure of any ‘culture of compliance’ to extend beyond U.S. borders. In fact, that culture so clearly favored the promotion of profits that compliance policies were viewed as mere speed bumps, rather than barriers to illegal conduct.
I recognize that my remarks today have focused so far on compliance failures. The Justice Department sees fewer compliance success stories, as companies with effective compliance programs garner much less attention from criminal enforcement authorities. Bad actors are rooted out before they commit criminal misconduct, and employees in tough and unfamiliar situations have the guidance they need to avoid the wrong path.
That said, even companies with strong compliance programs can and do detect and report criminal misconduct by employees. Often those reports result in a decision to decline prosecution from the Department of Justice. And while we are looking for ways to better inform the public about such cases, we are often limited by the companies’ understandable desire not to have the world know they were under Department scrutiny.
But I do want to highlight compliance successes that we have seen. An integral part of successful compliance programs is the ability to uncover misconduct and the individuals responsible, even on a global scale.
In this regard, we frequently cite the public Morgan Stanley case, in which Garth Peterson, a managing director for Morgan Stanley’s real estate business in China, pleaded guilty for his efforts to circumvent internal controls in order to corruptly transfer a multi-million dollar ownership interest in a Shanghai building to himself and a Chinese public official. As you know, Morgan Stanley was not prosecuted, in part due to the company’s robust internal compliance program.
Court documents detail Morgan Stanley’s extensive compliance efforts. For example, the compliance department trained Peterson on anti-corruption matters yearly for seven years; it distributed training materials to Peterson, including 35 separate compliance-related reminders; it required Peterson to certify his compliance in writing on multiple occasions; and a compliance officer had specific discussions with Peterson regarding aspects related to the transaction involved. In sum, Morgan Stanley went to great lengths to ensure that Peterson was aware of the compliance policies and that he understood them.
An equally important lesson from the Morgan Stanley case was that when the prophylactic compliance measures failed, and Peterson’s conduct was uncovered, Morgan Stanley voluntarily disclosed the criminal conduct to the government and cooperated with the government’s investigation of Peterson. As I have mentioned, the prosecution of individuals for their criminal conduct is a high priority for the Justice Department. A compliance program’s ability to uncover wrongdoing and the responsible individuals, coupled with a corporation’s decision to disclose that information to the government, is significant in our evaluation of the compliance program and the company’s overall posture with the government.
By contrast, in the BNP Paribas and Credit Suisse cases, the banks actively hampered the Department’s efforts to prosecute the responsible individual executives and employees for their criminal misconduct. Through parent-level guilty pleas and multi-billion dollar penalties, BNP Paribas and Credit Suisse paid a historic price not only for their criminal conduct, but also for their insulation of culpable corporate employees. The lack of timely and complete cooperation was one of the tipping points that led to the charges, guilty pleas, and landmark monetary penalties in the BNPP and Credit Suisse cases.
While the Justice Department is often the last line of defense against fraud and corruption, all of you who work in compliance are the first. Criminal prosecutions can and do deter future bad behavior, but your work can prevent that conduct before it happens.
The importance of such work cannot be overstated. It serves to protect the integrity of our public markets, the country’s financial systems, our intellectual property, the retirement accounts of our hardworking citizens, and our taxpayer dollars used to fund health care programs and government and military contracts.
Today, I would like to thank you for your work on compliance – and thank the PLI for inviting me to speak with you today to share the Justice Department’s views on this important subject. I would be happy to take any questions you might have.