Stericycle DOJ and SEC FCPA Settlement: Lessons Learned (Part III of III)
The Stericycle FCPA case is yet another example of a complete culture and compliance breakdown. As I often repeat myself, there is no more important control than an ethical culture. When a culture veers into the unethical and even criminal conduct, there is nothing to stop that train of illegality from continuing.
When you review the facts of Stericycle’s conduct in Brazil, Mexico and Argentina, it is hard to understand how the entire workforce, from executives, to finance, to sales and other administrative employees could go along with this conduct as if it was proper. If no one at any time raised a concern or questioned the conduct, it makes you wonder how this company operated on a day-to-day basis without even more illegal practices. Once you open the door to criminal conduct, the floodgates will fill with a range of illegal behavior such as fraud, antitrust, money laundering and other conduct that can so quickly take over an organization.
Given the overall picture, there are two striking issues. First, DOJ acted properly by imposing an independent compliance monitor. In fact, DOJ should have carefully imposed a three-year term.
Second, it is not clear whether DOJ plans to indict the LATAM executives and senior executives from the individual countries. The indictments may be time barred given the timing of the conduct. If that is so, this is a striking reminder of how DOJ’s investigative delays – when dependent on outsourcing an investigation to a company’s law firm – can undermine its ability to bring individual indictments against wrongdoers. Of course, I readily admit I do not know all the facts and there may be an explanation for the failure to indict individuals.
Turning to the specific lessons learned from this case, there are several important reminders:
Culture, Culture, and Culture: Did I mention that there was a culture breakdown? Stericycle was more than an isolated “rogue” employee or small band of wrongdoers – every aspect of LATAM’s operations was dedicated to executing a bribery scheme. The involvement of senior management, sales and finance employees, along with third parties is an important reminder that a company can quickly lose itself and any semblance of ethics and compliance when more and more actors are involved in executing a comprehensive bribery scheme.
Stericycle did not have a centralized department and did not implement an anti-corruption policy until 2016.
The independent compliance monitor has a tough job ahead – not only does Stericycle have to design and implement an effective compliance program, but it has to turn the organization from a reckless and off-the-rails culture to one that promotes and instills ethical business decision making. That will be a challenge.
Vendor Risk Management: Let’s start with a few of my trite observations – to pay bribes, the bad actors have to steal money from the company first to fund the bribery scheme. In this case, there was a total breakdown on vendor risk management. Invoices were paid willy-nilly without any verification that services were provided, that the vendor is legitimate and that the payments were reasonable under the circumstances. In Mexico, for example, Stericycle maintained a cadre of 45 vendors committee to executing a scheme premised on fake invoices and funding of bribery payments. If you want an example of how bad it can get with your vendors, there is no better than Stericycle in Mexico.
Financial Controls: A part and parcel of the absence of vendor risk management is the complete absence of financial controls. In Brazil for example, finance staff prepared money orders, employees cashed them and bribery payments were then made. How did the finance staff secure authorization for the money orders? Who approved them? How were they entered on the books? I know the answers to these rhetorical questions but this is just so glaring in highlighting a company’s complete failure to implement and enforce any financial controls. I would wager that Stericycle suffered from employee embezzlement and fraud along with its bribery scheme.
Reporting Mechanisms: While not addressed, I am struck by the absence of any acknowledgement or apparent reporting mechanisms that employees had available to report this criminal conduct. If this conduct was carried out in an atmosphere where no one ever questioned the legality of the bribery scheme, then I may be underestimating the full scope of the culture breakdown. I would have expected at least one employee with a conscience to report the bribery scheme – it could be that I am asking too much but it certainly is striking.