Och-Ziff: Accountability and Internal Controls (Part IV)
There are a number of important lessons from the Och-Ziff enforcement action, some of which are related to the private equity and hedge fund industry and some of which apply across all businesses.
SEC regulations require public companies to design and implement a system of internal controls. As FCPA enforcement has increased, companies have to question how to design and implement an effective system of internal controls without creating substantial risks to the company from government enforcement of such internal controls. It is a bizarre situation that can develop.
A company creates its own internal set of rules and regulations. However, in doing so, it is effectively creating requirements that can be enforced by the Justice Department and the SEC. To be more specific, a company and individuals can be prosecuted for circumvention of internal controls. So, companies and individuals are creating their own set of rules and have to hold themselves accountable for compliance with those rules. If they fail to design and implement a set of controls reasonably designed to ensure proper financial accounting and reporting, a company can be prosecuted. In addition, a company and individuals that circumvent these controls can be prosecuted as well.
Och-Ziff is an important reminder of the conundrum that companies face. In 2008, Och-Ziff designed policies and procedures that required rigorous due diligence and anti-corruption measures designed to provide reasonable assurances that transactions: (i) were executed in accordance with management’s general or specific authorization; and (ii) were recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and to maintain accountability for assets.
As part of these controls, Och-Ziff adopted due diligence policies and requirements applicable to high risk transactions including:
- Obtaining copies of the most recent financial statements for its business partners;
- Identifying all shareholders owning or controlling each business partner, and the nature of that control;
- Requesting references from financial institutions that have existing business relationships with business partners and clients;
- Making all payments in the country in which an agent resides;
- Accessing business partner books and records and utilizing a right-to-audit on a periodic basis;
- Re-checking and confirming due diligence for business partners on an ongoing basis;
- Reviewing all monies paid out by business partners as part of ongoing due diligence;
- Conducting heightened due diligence in business transactions involving government officials or state-owned businesses, where the business partner’s only contribution is influence, or where the partner refuses to put agreements or proof of expenditures in writing; and
- Obtaining annual certifications by the chief financial officer and chief legal officer that all foreign business partners have complied with the firm’s anti-corruption policies and procedures.
As explained by the SEC, Och-Ziff failed to follow these requirements in connection with its relationships with agents and specific transactions that formed the basis for the enforcement action. As noted by the SEC, Och-Ziff failed to comply with its own procedures or measures to prevent corruption or provide reasonable assurance that the transaction documents accurately reflected the third party’s use of funds.
Och-Ziff failed to meet its own policies and procedures. By doing so, Och-Ziff stands as a prime example of a company guilty of failing to operationalize its paper compliance program. This is a frequent refrain from DOJ and the SEC; prosecutors and regulators have stated repeatedly that companies need to operationalize their compliance program policies and procedures.
Thank you for your good article on Och Ziff. We saw earlier with BHP that the SEC may fine a company for not operating its controls as designed. In the BHP case it concerned controls to prevent a breach of FCPA provisions. Although a breach was not established (and the DoJ dropped the investigation), the SEC went ahead and fined BHP $25 million for their omissions.