Corruption Risk During the COVID-19 Pandemic: A Q&A With Greenberg Traurig's Cuneyt Akay, Sandra Gonzalez, Michael Marinelli and Adelaida Vasquez Mihu
During the COVID-19 pandemic and resulting business slowdown, reduced staffs and increased workloads have presented a challenge for compliance departments.
July 29, 2020 at 07:29 PM
The COVID-19 pandemic has caused business disruptions that vary by sector, region and country. One challenge for companies during the business slowdown has been reduced staffs and increased workloads for compliance departments. Texas Lawyer spoke recently with four attorneys at Greenberg Traurig about the opportunities for compliance teams to enhance compliance programs during the crisis.
Can you tell us about what's happening with the compliance teams of businesses that are still operational during the COVID-19 pandemic?
Michael X. Marinelli: One thing we have seen is an increase in requests to relax, postpone or eliminate some compliance requirements. In part, this appears to be driven by the practical impact of working remotely, as even basic processes may take longer to execute, which is a real concern. Compliance teams are having to sort through which requests are legitimately based on operational constraints.
Generally, companies do not seem to be backing away from core controls. However, especially in mature programs, the challenges arising from the COVID-19 pandemic have prompted compliance teams to look for ways to make their processes more efficient. In particular, compliance organizations are accelerating efforts to make their programs less paper-intensive on a permanent basis.
Is this an opportunity or crisis?
Adelaida Vasquez Mihu: The COVID-19 pandemic has provided an opportunity for companies to enhance their compliance programs. This may include managing the program during the crisis or exploring improvements that have been shelved in the past as a result of competing business demands. It may also include conducting a new risk assessment to address the possible change in risk profile of the company as a result of the pandemic.
No matter the reason, reviewing the compliance program during this period is key to maintaining an effective compliance program. In fact, the U.S. Department of Justice (DOJ) may expect it given its updated guidance on Evaluation of Corporate Compliance Programs, issued in June 2020, which focuses significantly on a risk-based approach. Companies should design and enhance their programs based on the circumstances surrounding their current business.
If they haven't already, why do businesses need to assess their risks?
Cuneyt A. Akay: The DOJ and U.S. Securities and Exchange Commission (SEC) have consistently taken the position that assessment of risk is fundamental to developing a strong compliance program and is a factor the government evaluates when assessing a company's compliance program. Crises, such as the current COVID-19 pandemic, generally alter a company's risk profile because: (1) government responses to crises can vary from country to country; (2) external factors, such as supply chain disruptions or changing regulatory environments (e.g., closed borders), create potential new corruption risks; and (3) internal factors, such as increased pressure to meet business expectations, lower demand for services or products, and decreased ability to develop business due to travel restrictions, may lead company employees to disregard compliance policies and procedures.
Due to these changing risks, it is even more important for compliance professionals to assess the company's risk profile and take steps to mitigate those risks. Proactive identification of risks is critical. While in-person interviews will necessarily be delayed, compliance teams may want to consider using videoconferences, telephone calls and questionnaires to help identify the company's changing risk profile. Real-time risk assessments are not always possible but understanding how the business will change and new potential risks is important. In addition, companies may want to consider establishing a system to rank risks and prioritize company resources to help mitigate the riskiest transactions and areas of the business.
What steps should businesses take when analyzing their policies and procedures?
Sandra Gonzalez: In managing the inevitable requests to relax policies and reduce procedural requirements, it may be useful to identify for the business the procedures and controls that go to the heart of preventing and detecting bribery (such as third-party screening and financial controls) and those that are complementary or secondary (such as annual certifications). This may help the compliance team work with the business to evaluate whether requirements can be modified, or deadlines eased to reduce the administrative strain on the organization.
While procedural requirements during the crisis may be temporarily modified, you may also assess them for permanent changes upon the return of business as usual. For example, work with the company's social responsibility team to analyze charitable giving limits and procedures to make it easier to make certain lower-risk types of donations. See if there is opportunity to make the requirements more efficient for the business without sacrificing the effectiveness of the program.
Consider reaching out to the finance department, as financial controls are particularly important in turbulent times. This may be an opportunity for the compliance and finance departments to jointly analyze the procedural requirements and ensure that the company has the right financial controls in place, particularly for when the crisis ends and business returns to operations.
What role do third parties play and what steps should businesses take in managing them?
Marinelli: Studies of enforcement actions have shown that most bribes are paid through third parties (such as sales agents and customs brokers), so any third party that engages with government officials is a potential risk.
As the DOJ guidance makes clear, the critical first step to managing third parties is understanding the role that a third party is playing and the risk associated with that role. The guidance also points to the need to conduct risk-based due diligence. The scope of the due diligence can vary depending on factors such as the size of the company, the industry involved and country in which the third party will work.
Another step that can help mitigate third-party risk is having a contract that clearly defines the scope of work, acceptable expenses and terms of payment. In addition to setting out the company's expectations, such contracts provide a basis for reviewing invoices prior to payments being made. Out-of-scope charges, padded billings and vague descriptions of services or expenses are red flags that may signal that the third party is being used as a vehicle for improper payments.
Anti-corruption training for employees that hire and manage third parties may also help mitigate third-party risk. Similarly, providing training or sending reminders (or both) directly to third parties may reinforce the company's expectations that its vendors will act ethically.
What role does training and communications play?
Mihu: Training and communications are essential in an effective compliance program. They are even more important in a crisis. As compliance teams reassess their company's risks, they should also ensure that existing training materials are accurate and relevant in the current climate.
Further, given the "new normal" of working from home, compliance teams should determine the best mechanism to maintain regular and effective communication with company personnel. This will likely require companies to use resources that will help cut through the noise in order to deliver focused messaging or short communications that are understood by the targeted audience.
Communications should also reflect the fact that these are anxious times for both management and employees. The messages may include confidence that the company will continue to "do the right thing" during the crisis, but also information about what is and is not changing in the program. Companies may also want to use this time to develop and execute trainings on lessons learned and potential ways to address real-life scenarios in the current environment.
How can commitment by senior and middle management help?
Akay: Effective compliance for any organization often begins with the board of directors and senior executives setting the proper tone because middle management and employees take their cues from the corporate leaders. In times of crisis, senior and middle management should consider reinforcing the company's commitment to compliance.
Senior leadership may want to continue reinforcing the integrity and ethics of the company through leading by example and with effective communication. Direct communication from senior leadership to employees and regular communication from middle management to their respective teams are often considered key. As a company's response to the crisis unfolds, management may want to provide regular updates on general business operations, remind employees of their compliance obligations during the current business challenges, and highlight some of the compliance successes.
How can companies evaluate and test whether the confidential reporting structure and investigation process is functioning properly?
Gonzalez: To evaluate the confidential reporting mechanism (hotline), companies should consider (1) testing the mechanism to determine if it meets the company's requirements, and (2) assessing employee knowledge of reporting mechanisms and actual use of the hotline.
First, the company should consider testing all of the compliance reporting mechanisms by calling and emailing the hotline with test reports. Testing should also include whether the hotline has local language capabilities. The company should consider reviewing hotline reports against company policies and procedures and tracking the report from start to finish. If the company's processes are time-bound, assess whether the current time limits remain reasonable, considering any personnel changes.
Second, a confidential reporting mechanism is not effective unless employees know about it. Consider polling employees ranging from low-level to senior management to assess employee knowledge of the hotline. Questions could include: does the employee know about the company's hotline, what should the employee report to the hotline, how would the employee report to the hotline, and does the employee know it is anonymous. Another option is to use benchmarks and historical data for hotline reports. For example, why have the hotline reports increased compared to the typical monthly average for that region? The reasons could run the gamut from operational changes (more employees at the facility) to increased corruption risk.
Why is it important for companies to continuously improve and periodically test and review their compliance programs?
Marinelli: Companies evolve over time. Changes in leadership, operations locations, legal regimes, organizational structure and the internal use of technology are among the many factors that can affect compliance risks and operations. A compliance program that fails to adapt to changes within and external to the company inevitably becomes less effective at preventing and detecting potential misconduct. In fact, the DOJ expects companies to use this time to evaluate and pressure test internal controls. Robert Zink (chief, Fraud Section, Criminal Division, DOJ) alluded to this in comments at the American Conference Institute's Anti-Corruption Global Series: Virtual DOJ, SEC & FBI Town Hall on May 20, 2020.
The DOJ guidance on Evaluation of Corporate Compliance Programs refers repeatedly to companies applying "lessons learned" to revise and update their compliance programs. One of the key sources of such lessons is periodic testing. In addition to uncovering misconduct, testing can reveal gaps and weaknesses in a compliance program, and misunderstandings about application of the program. Responding thoughtfully to findings will typically improve the program. The failure to remediate such findings, on the other hand, is a common theme in enforcement actions, and is cited as evidence of willful blindness that established knowledge under the Foreign Corrupt Practices Act (FCPA).
Which businesses/industries are at high risk for corruption during the COVID-19 pandemic?
Mihu: To be clear, all industries may be at risk during the pandemic. The DOJ has been very clear that their FCPA division continues to initiate investigations and enforce the FCPA. The pandemic may slow down the process, but enforcement actions themselves have not slowed down.
With respect to industries that are likely to have high corruption risk during the COVID-19 pandemic, these include any and all businesses or industries that have a touch point with personal protective equipment (PPE). This includes the medical industry, businesses that manufacture and/or distribute medical devices, the pharmaceutical industry, and the transportation/logistics industries, amongst others.
It also includes any industry that is required to use PPE, which, at this stage of the COVID-19 pandemic, includes almost all businesses and industries. Given the global business effects of COVID-19 and the DOJ's stance on FCPA enforcement, companies should ensure that their compliance programs continue to be appropriately updated and effectively implemented to mitigate any additional risks during the COVID-19 pandemic.
What should companies do if they're having trouble fulfilling their compliance program's requirements?
Akay: Whenever a company is having trouble fulfilling its own compliance program's requirements, it is important to assess whether the issue is with the compliance program's design or with the execution and implementation of the program. The company may want to assess whether the compliance program is properly designed to identify and address the company's risk and whether the design of the program is inhibiting compliance efforts. If the company is having problems executing or implementing the compliance program, the compliance team may want to evaluate if the execution issues are within the compliance organization or due to issues with certain business units, which may be resolved through enhanced communication and training. For example, conducting appropriate pre-acquisition due diligence on a target company may not be feasible during the pandemic. In that scenario, a company should consider documenting the due diligence performed before acquisition and design a robust plan for post-acquisition due diligence and integration. It is important to document what was done to meet the company's compliance program requirements, what wasn't done, and why.
What is the corruption risk of donations during COVID-19?
Gonzalez: While it is counterintuitive, charitable donations carry corruption risk because the donation could be a bribe to a government official. Corruption risk may increase during the COVID-19 pandemic simply because the company's donation activity increases.
To mitigate the risk, companies should conduct due diligence of donation recipients and design controls to prevent misuse of charitable donations. The type of due diligence can vary based on risk, which includes the corruption risk of the region, the type of donation, the donation recipient and the amount/value of the donation. Appropriate due diligence will ensure that the company is donating to a bona fide charity that is not affiliated with a government official.
The compliance team should also consider working with the company's social responsibility team to analyze charitable giving limits and procedures to make it easier to make certain lower-risk types of donation. See if there is opportunity to make the requirements more efficient for the business without sacrificing the effectiveness of the program.
Adelaida Vasquez Mihu, a shareholder at Greenberg Traurig, focuses her practice on international compliance matters and counsels companies doing business in international markets. Mihu designs compliance programs and advises on transactional due diligence issues arising out of various government regulations, including the FCPA and U.K. Bribery Act.
Sandra D. Gonzalez, a shareholder at the firm, focuses her practice on international corporate compliance matters and more specifically, the FCPA and the U.K. Bribery Act. Gonzalez has conducted FCPA work in Brazil, the Caribbean, China, India, Japan and South Africa.
Cuneyt A. Akay, a shareholder at the firm, is an anti-corruption lawyer focused on helping clients comply with the FCPA and the U.K. Bribery Act. Akay designs, builds and implements effective compliance programs for clients around the world.
Michael X. Marinelli, a shareholder at the firm, has wide-ranging experience advising clients on developing and implementing corporate compliance programs, with a focus on the FCPA, U.S. export control regulations and economic sanctions regimes. Marinelli served on the U.S. Technical Advisory Group for the ISO Anti-Bribery Management Systems standard, ISO 37001.