On June 20, 2019, the Department of Justice announced that Walmart and its wholly owned Brazilian subsidiary plead guilty and agreed to pay a combined criminal penalty of $137 million to resolve allegations of violations of the Foreign Corrupt Practices Act (“FCPA”). The fines include $728,898 in criminal penalties, $3,694,490 in criminal forfeiture, plus a mandatory Special Assessment, and, for Walmart this was a “rollback” from what the penalties could have been- $25,000,000 or twice the gross monetary gain or gross monetary loss resulting from the offense, whichever is greater. In addition to Walmart’s remedial compliance actions already undertaken, additional remedial actions over the next three years will be required to be implemented to ensure against future violations.
What Did Walmart Do?
During a period of aggressive global expansion, Walmart chose not to take necessary steps to avoid corruption. Walmart’s internal accounting controls related to anti-corruption failed, and payments were made to Third Party Intermediaries (“TPIs”) in Mexico, India, Brazil and China who were making improper payments to government officials in order to obtain store permits and licenses. Walmart employees disguised the payments to TPI’s including using codes on TPI invoices in order to hide improper payments from auditors.
For example, Walmart Brazil hired a TPI who became nicknamed the “sorceress” or “genie” for her ability to obtain licenses and permits from government inspectors through payments – OK, let’s call them what they were – “bribes”. Compounding the issue, Walmart Brazil Management knew they could not hire the TPI directly because of all the “Red Flags” raised, but did so anyway. In China, Walmart’s local subsidiary’s internal audit team flagged numerous weaknesses in internal accounting controls related to anti-corruption at the subsidiary, but these were never addressed.
Where Did Walmart Go Wrong?
According to the plea agreement and the DOJ press release, Walmart had internal accounting controls related to anti-corruption, but they were not effective because elements of those controls were discarded or simply ignored without consequence. The program was also flawed because it failed to institute sufficient due diligence measures that could have prevented or at least identified actions leading to the violations. Compounding the issue was the fact that employees attempted to make management aware of issues, without results.
Don’t Let This Happen to You!
In 2012, the Criminal Division of the U.S. Department of Justice and the Enforcement Division of the U.S. Securities and Exchange Commission published A Resource Guide to the U.S. Foreign Corrupt Practices Act. Within that document were listed “Hallmarks of Effective Compliance Programs”. Those “Hallmarks”, while similar to key elements of other regulatory compliance programs, do have some unique aspects particular to Foreign Corrupt Practices Act. The “Hallmarks” are synopsized below and can be used as an effective tool in compliance with the FCPA:
1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption
a) Compliance begins with the board of directors and senior executives who set the proper tone for the rest of the company. Top Down commitment and communication are necessary to an effective compliance program.
b) DOJ and SEC consider the commitment of corporate leaders to a “culture of compliance” and look to see if this high-level commitment is also reinforced and implemented by middle managers and employees at all levels of a business.
c) Compliance with the FCPA and ethical rules must start at the top. DOJ and SEC thus evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.
2. Code of Conduct and Compliance Policies and Procedures
a) An effective Code of Conduct should be clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.
b) The Code of Conduct should remain current and effective and should be periodically reviewed and updated.
c) Company policies and procedures should outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures.
d) Company policies and procedures should set forth disciplinary procedures.
e) Review and approval processes should be implemented and documented for transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.
3. Oversight, Autonomy, and Resources
a) DOJ and SEC look to determine if a company has assigned responsibility for oversight and implementation of a compliance program to one or more senior executives.
b) Person(s) assigned these responsibilities must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.
c) To be autonomous, individual(s) assigned these responsibilities should have direct access governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).
d) In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.
4. Risk Assessment
a) In developing a strong compliance program the assessment of risk is essential.
b) The establishment of due diligence requirements should be commensurate with the risks involved. Exerting too much focus on low risk transactions to the detriment of high-risk areas can adversely affect the effectiveness of a compliance program
c) Balancing the level of a compliance commitment with the level of risk is necessary to the effectiveness of the compliance program
5. Training and Continuing Advice
a) DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization (board room to stock room), including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.
6. Incentives and Disciplinary Measures
a) The enforcement of an effective compliance program is fundamental to its effectiveness.
b) DOJ and SEC will thus consider whether a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation.
c) DOJ and SEC recognize that positive incentives (e.g., rewards for ethics and compliance leadership, management’s bonuses) also drive compliant behavior.
7. Third-Party Due Diligence and Payments
a) DOJ’s and SEC’s FCPA enforcement actions demonstrate that third parties, including agents, consultants, and distributors, are commonly used to conceal the payment of bribes to foreign officials in international business. Risk-based due diligence is particularly important in DOJ’s and SEC’s assessment of the effectiveness of a company’s compliance program.
b) Risk-based due diligence should include:
i. Understanding the qualifications (business reputation) and associations (relationship with foreign officials) of its third-party partners;
ii. Understand the business rationale (the role of and need) for including the third party in the transaction; as well as the payment terms (are they typical for the services offered in the location provided).
iii. Ongoing monitoring (e.g., updating due diligence periodically, exercising audit rights, providing periodic training, and requesting annual compliance certifications) of third-party relationships.
8. Confidential Reporting and Internal Investigation
a) Companies should have a mechanism for the employee reporting (without fear of retaliation), corporate investigating and implementing “lessons learned” from suspected or actual misconduct or violations of the company’s compliance policies.
9. Continuous Improvement: Periodic Testing and Review
a) A good compliance program should constantly evolve as the company evolves.
b) DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.
10. Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration
a) Inadequate due diligence can allow a course of bribery to continue leading to harm to a business’s profitability and reputation, as well as potential civil and criminal liability.
b) DOJ and SEC may elect not to take enforcement action against an acquiring company when the company uncovered the corruption at the company being acquired, ensured that the corruption was voluntarily disclosed to the government, cooperated with the investigation, and incorporated the acquired company into its compliance program.
With respect to #4 above (Risk Assessments), these should also include:
· Internal Risk – this could include deficiencies in employee knowledge, employee training and a lack of internal controls/policies for gifts, entertaining and travel expenses;
· Country risk – assessing the level of corruption. A number of Non-Governmental agencies (such as Transparency International - offer charts on country ratings based upon the level of corruption within that country. Other factors could include the absence of anti-bribery legislation and public awareness targeting corruption and deficiencies in the legal system to punish bribery and corruption;
· Transaction Risk – transactions involving charitable or political contributions, the obtaining of licenses and permits, public procurement, high value or projects with many contractors or involvement of intermediaries or agents;
· Partnership risks –involving foreign business partners located in higher-risk jurisdictions and use of Third Party Intermediaries can constitute risks to be assessed and controlled.
Further information on requirements for an effective FCPA compliance program can be found in a guidance offered by the DOJ entitled “Evaluation of Corporate Compliance Programs” which was updated in April of 2019.
If you would like assistance with your trade compliance program, please contact Export Solutions for a free consultation.
Jim McShane is a Sr. Consultant, Trade Compliance for Export Solutions -- a full-service consulting firm specializing in ITAR and EAR regulations.