CCO and CLO “Authority”: A Fundamental Requirement
A basic compliance program control, which is often overlooked (or assumed to exist), is the requirement that a chief compliance officer and/or chief legal officer have the authority to stop a specific contract or business transaction. To simplify this statement, compliance and legal have to approve certain business transactions before they can proceed.
If a compliance officer or legal officer is consulted just for “advice,” the company’s ability to ensure compliance with laws and its code of conduct is jeopardized. A company’s internal controls have to include (a must) the requirement that legal and/or compliance sign off on specific, high-risk or questionable transactions.
FCPA enforcement is replete with examples demonstrating my point. In the sanctions context, which I am not addressing here, the major enforcement actions against global banks include instances where compliance officers raised concerns, objected to transactions and relationships, and wewre basically ignored by senior bank officers.
Let’s start with last year’s FCPA settlement with United Technologies in which United Technologies agreed to pay $13.9 million for bribes paid by its elevator and aircraft engine businesses in Azerbaijan and China.
In Azerbiajan, Otis Elevator, a United Technologies subsidiary, hired third-party agents without conducting any due diligence. They hired agents who had no local experience or history in the elevator industry. One of the agents was not even registered until after participating in the transactions.
In one scheme, Otis Elevator hired Liftremont, the state-owned entity responsible for purchasing elevators for municipal facilities in the city of Baku, as a distributor of its elevators to other areas outside Baku in order as a way to funnel bribes to government officials. In the summer of 2014, a Liftremont senior official instructed Otis to replace one intermediary with a new intermediary. The head of the Otis Russia Legal Department initially refused to approve the contract, and elevated the issue to his supervisor, the head of Otis’s Regional Legal Department (“Regional lawyer”), who contacted the CFO of Otis Russia to express his opposition and request additional information. After the Liftremont senior official provided a prefunctory explanation for the change in intermediaries, the regional lawyer eventually approved the contract but discovered that the contract had been executed four months earlier in August 2014, before Otis Legal even raised the issue.
In the Société Générale enforcement action under which the global bank paid $585 million for FCPA violations, compliance officers raised concerns about the payments to the Libyan intermediary and questioned the absence of a justification for such large payments. These concerns were ignored or addressed by minor non-substantive changes to the relationship.
In another case, Elbit Imaging agreed to a $500,000 civil penalty for deficiencies in its internal controls, citing a series of agreements with two consultants, a sales agent and sub-agent that created significant risks of bribery. In reaching the settlement, the SEC specifically cited “the legal department’s limited involvement and supervision of the contracts.”
These are just examples to prove my point. In the absence of a firm control and requirement for legal and/or compliance approval, companies are certain to take unreasonable risks, which can result in FCPA (and sanctions) violations.