Expanding Operations Internationally: A View from the General Counsel’s Office
Corporate Compliance
ABA 2006 Spring Meeting
Waldorf=Astoria, New York, NY
April 6, 2006
Carole Basri, Adjunct Professor, University of Pennsylvania Law School, 917-822-2447
©Basri 2006

WHY IMPLEMENT AN EFFECTIVE CORPORATE COMPLIANCE PROGRAM?

Old Reasons
– Federal Sentencing Guidelines (Nov. 1991)
– Caremark Decision (Del. Ch. 1996) (personal liability for directors for oversight of compliance)
– Government-imposed Corporate Integrity Agreements
– Supreme Court employment discrimination decisions (Boca Raton and Burlington Industries cases)
– Enron/WorldCom/Tyco debacles
– Large settlements with the government where the firm lacked an effective compliance program:

  COMPANY                             AMOUNT
  Hoffmann-La Roche                   $500,000,000
  BASF                                $325,000,000
  Daiwa Bank                          $340,000,000
  Archer Daniels Midland              $126,000,000
  Salomon Brothers                    $290,000,000
  National Med. Enter.                $379,000,000
  SmithKline Beecham Clinical Labs    $325,000,000
  LabCorp of America                  $182,000,000
  Caremark                            $161,000,000

Sarbanes-Oxley Act – effective July 30, 2002

Section 406
– The SEC must require corporations to adopt codes of ethics for senior financial officers.
– A code of ethics for senior financial officers is a basic component of any “effective” compliance program.
– Every public company should formulate a global code of ethics (a/k/a code of conduct) in anticipation of these rules.

Section 304
Public firm CEOs and CFOs must certify, among other things, in the company’s annual and quarterly reports that:
– he or she has reviewed the reports and they are not misleading;
– he or she is responsible for establishing and maintaining internal controls; and
– he or she has evaluated the effectiveness of the company’s controls within the 90 days preceding the report.
An effective corporate compliance program is imperative to enable the CEO and CFO to attest that internal controls are adequate.

Section 301(4)
Requires the audit committee to establish procedures for “the confidential, anonymous submission by employees of [the corporation] regarding questionable accounting or auditing matters.” (Hotlines, according to the Association of Certified Fraud Examiners, can lower the amount of fraud by 50%.)

Sections 802(a); 1102(c) (Corporate Fraud Accountability Act of 2002)
Prohibit the destruction, alteration or concealment of any record or document with the “intent to impede, obstruct or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States….” The new felony carries a fine and a maximum 20-year prison sentence.

The NY Stock Exchange requires listed firms “to adopt and disclose a code of business conduct and ethics for directors, officers and employees….”

FINAL RULE – DISCLOSURE REQUIRED BY SECTIONS 406 AND 407 OF THE SARBANES-OXLEY ACT OF 2002
Release Nos. 33-8177; 34-47235; File No. S7-40-02 as of Jan. 24, 2003; Effective Date: 30 days after publication in the Federal Register

Background:
“Companies must comply with the code of ethics disclosure requirements promulgated under 406 of the Sarbanes-Oxley Act in their annual reports for fiscal year ending on or after July 15, 2003.
They also must comply with the requirements regarding disclosure of amendments to, and waivers from, their ethics codes on or after the date on which they file their first annual report in which the code of ethics disclosure is required.”

“Section 406, which directs us to adopt rules requiring a company to disclose whether it has adopted a code of ethics for its senior financial officers, and if not, the reasons therefor, as well as any changes to, or waiver of any provisions of, that code of ethics.”

“We (the SEC) believe that the new rules and amendments are in the public interest and consistent with protection of investors.”

Discussion:

Sec. B. Code of Ethics
1. Code of Ethics Disclosure Requirements
“The final rules require a company to disclose whether it has adopted a code of ethics that applies to the registrant’s principal executive officer, principal financial officer, principal accounting officer or controller, or persons performing similar functions. If the company has not adopted such a code of ethics, it must explain why it has not done so.”

C. Final Definition of “Code of Ethics”
“The final rule defines the term “code of ethics” as written standards that are reasonably designed to deter wrongdoing and to promote:
1. Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships;
2. Full, fair, accurate, timely, and understandable disclosure in reports and documents that a registrant files with, or submits to, the commission and in other public communications made by the registrant;
3. Compliance with applicable governmental laws, rules and regulations;
4. The prompt internal reporting to an appropriate person or persons identified in the code of violations of the code; and
5. Accountability for adherence to the code.”

[“We (the SEC) eliminated the component of the definition requiring the code to promote the avoidance of conflicts of interest, including disclosure to an appropriate person or persons identified in the code of any material transaction or relationship that reasonably could be expected to give rise to such a conflict, because the conduct addressed by this component already is addressed by the first prong of the proposed definition, requiring honest and ethical conduct and the ethical handling of actual and apparent conflicts of interest.”]

Important Point:
“We [the SEC] continue to believe that ethics codes do, and should, vary from company to company and that decisions as to the specific provisions of the code, compliance procedures and disciplinary measures for ethical breaches are best left to the company. Such an approach is consistent with our disclosure based regulatory scheme. Therefore, the rules do not specify every detail that the company must address in its code of ethics, or prescribe any specific language that the code of ethics must include. They further do not specify the procedures that the company should develop, or the types of sanctions that the company should impose, to ensure compliance with its code of ethics. We [the SEC] strongly encourage companies to adopt codes that are broader and more comprehensive than necessary to meet the new disclosure requirements.”

Further:
“We [the SEC] have added an instruction to the code of ethics disclosure item indicating that a company may have separate codes of ethics for different types of officers.”

A copy of the code of ethics should be an exhibit to the annual report. Alternatively, post it on an internet website, or set forth in the annual report that the company will send a copy of the code of ethics on request at no charge.
Any amendment to or waiver of an ethics provision of the code of ethics must be disclosed through Form 8-K within five business days or, in the alternative, in the 10-K and on the company’s internet website.

New Reasons:
– Federal Sentencing Guidelines, revised as of Nov. 1, 2004, requiring a “culture” of ethics and a “best practice gaps” analysis to support the underlying structure of the corporate compliance program.
– Federal Sentencing Guidelines, under the Booker and Fanfan decisions of January 12, 2005, are no longer mandatory. However, the Federal Sentencing Guidelines are advisory and must be considered by the Courts.
– Justice Department guidance on prosecutorial decisions in the June 1999 Holder Memo and the revised January 2003 Thompson Memo, which state that in determining whether to charge a corporation for the criminal misconduct of its employees, prosecutors should consider “the existence and adequacy of the corporation’s compliance program.”
– Eliot Spitzer, the New York Attorney General, whose investigations include insurance industry companies (AIG) and brokers (AON and Marsh) as well as mutual funds.
– NY Stock Exchange Rule 303A.10, requiring NYSE-listed companies to adopt codes of business conduct and ethics for directors, officers, and employees, which codes are to be posted publicly. Further, waivers of the code for directors or executives must be promptly disclosed to shareholders.
– NASDAQ Rule 4350 requires NASDAQ-listed companies to adopt a code of conduct for directors, officers and employees, which codes are to be posted publicly. Further, waivers of the code must be disclosed on a Form 8-K within five days.
WAKE UP CALL FOR CORPORATE COMPLIANCE

An effective corporate compliance program can:
– Help insulate a company, and its officers and employees, from criminal and civil fines
– Protect its board of directors from personal liability
– Create a culture of “good citizen corporation” (5% good, 5% not, 90% follow)

A poorly constructed program can:
– Serve as a roadmap for prosecutors
– Damage morale (employees view the code of conduct as merely lip service by executives)
– Encourage fraud and unethical conduct to continue

Revised U.S. Federal Sentencing Guidelines

The Seven Elements of an Effective Corporate Compliance Program are as follows:
1. Standards and procedures to prevent and detect criminal conduct;
2. The Board must be knowledgeable about and oversee the program; top management must ensure the effectiveness of the program; specific individual(s) within high-level personnel must have responsibility for the program;
3. Reasonable efforts not to include within substantial authority personnel individuals whom the organization knew or should have known have engaged in illegal activities or conduct inconsistent with an effective program;
4. Communicate standards and procedures by training directors, employees and, as appropriate, agents, and by other means;
5. Monitor and audit to detect criminal conduct; evaluate the program periodically; have and publicize a system for reporting suspected violations and seeking guidance;
6. Promote and consistently enforce the program through appropriate incentives to perform in accordance with the program and appropriate discipline; and
7. After criminal conduct is detected, take reasonable steps to respond appropriately and prevent further similar criminal conduct, including necessary modifications to the program.

First Element
Written Policies and Procedures include the following:
– Standards of Conduct; and
– Risk areas.

– Mission statement;
– Letter from CEO;
– Code of Conduct or Code of Ethics;
– Employee handbook; and
– Corporate compliance program guidelines.
General Corporate Risk Areas
– Antitrust
– Competitive Behavior
– Conflicts of Interest
– E-mails
– Employment
– Environmental
– Lobbying, Political Contributions and other political activities
– New Business “Alliances”
– Procurement of Goods/Services
– Records Management Protection
– Security/Wiretapping
– Export Controls
– Privacy of Communications
– False and Deceptive Advertising
– Subcontractors and Contract Labor
– Sexual Harassment
– Foreign Corrupt Practices Act
– Tax
– Fraudulent Financial Reporting
– Workplace Safety
– Gifts and Gratuities
– US Patriot Act
– Government contracting
– Insider Trading

Second Element
The Board must oversee the compliance program. Top management should take a leadership role in fostering the compliance program. Designate specific “High-Level Personnel” to oversee compliance, such as a compliance officer.

A compliance officer is critical to the success of the compliance program. A chief compliance officer should be appointed to coordinate the activities of individual compliance “officers” at subsidiaries.

The compliance officer should have the following:
– Direct access to the CEO and Board of Directors, and
– Sufficient funding and staff.

The compliance officer’s responsibilities include:
– Overseeing and monitoring the implementation of the compliance program;
– Reporting on a regular basis to the CEO and compliance committee;
– Periodically revising the program in light of new developments;
– Developing, coordinating and participating in a multifaceted educational and training program that focuses on the elements of the compliance program;
– Assisting financial management in coordinating internal compliance reviews and monitoring activities;
– Independently investigating and acting on matters related to compliance, including the flexibility to design and coordinate internal investigations; and
– Developing policies and programs that encourage managers and employees to report suspected fraud and other improprieties without fear of retaliation.
Third Element
Reasonable efforts not to include in the compliance organization personnel of questionable integrity:
– Coordinating background checks on employees involved in compliance administration and coordination.

Fourth Element
Effective communication of Standards and Procedures. Training should include the following areas:
– code of conduct;
– employment issues;
– competition issues;
– using e-mail, voicemail, newsletters, memoranda, etc., to aid communications; and
– other topics as necessary.
Training should take place at the time of hiring as well as on a regular schedule, at least once or twice a year, as necessary.

Fifth Element
Developing effective methods of monitoring, auditing, reporting, and publicizing the system:
– Creating an anonymous hotline and protecting whistleblowers; and
– Setting up a regular auditing and monitoring schedule including on-site visits and spot checks.
Publicize the results of the compliance program.

Sixth Element
Consistent enforcement through corrective actions and incentives:
– Written policy on disciplinary standards;
– Create an incentive system; and
– Dissemination of standards to new and existing employees.

Seventh Element
Take reasonable steps to respond to detected criminal offenses:
– Detecting criminal violations and investigations; and
– Reporting criminal violations.
Self-Policing Corporate Compliance Program Approach

Phase I – High Level Compliance Assessment
o High Level Review
o Interview
o Internal Audit
o Best Practices and Gaps analysis
o Work Plan
o Senior Management Meeting

Phase II – Develop an Overall Corporate Compliance Blueprint
o Code of Conduct
o Corporate Compliance Program Guidelines

Phase III – Evaluate and Develop Policies in Substantive Areas
o Antitrust
o Internal Controls
o E-Mail
o Employment
o Environmental
o Foreign Corrupt Practices
o Intellectual Property
o Securities
o Other Risk Areas

Phase IV – Communication, Training and Implementation
o Introduce Code of Conduct and Program
o Ongoing Communication Plan
o Training Plan
o Training Material/Video Tapes
o Training Schedule

Phase V – Continual Refining of the Program, Self-Assessment, Monitoring and Reporting
o Incentive System
o Publicize reporting results

Phase I: Conducting a High Level Compliance Risk Assessment
During Phase I, you should:
– Form a committee;
– Interview key officers and employees;
– Prepare a report on Best Practices and Gaps; and
– Present the report on Best Practices and Gaps.

The Committee should be composed of at least the following:
– CEO or President
– General Counsel
– CFO
– Internal Audit Director
The Committee should report to the Audit Committee of the Board of Directors or directly to the Board of Directors.

Interview key officers and employees of the company and all subsidiaries, including the following:
– President
– Business Development/Sales Marketing
– General Counsel/Outside Counsel
– Chief Financial Officer
– Human Resources Director
– Environmental Health and Safety, if any
– Compliance Officer, if any
– Other key officers and employees, as necessary

Based on the interviews, prepare a report on Best Practices and Areas of Deficiency (gaps) based on the following questions:
– What are your key risk areas?
– What are the standards and procedures that you now have in place in these risk areas?
– In what areas have you successfully limited risk, and how?
– In what areas could you improve the cost to limit risk, and how?
– What is happening in such key areas as antitrust, environmental, employment, intellectual property and securities?
– Describe the company culture toward corporate compliance and limiting risk.

Present the report on Best Practices and Gaps:
– The report should provide a risk assessment for relevant areas of law.
– The report should be presented to senior management and the Board of Directors.
– The report should be presented to the officers of all subsidiaries who were interviewed.
– Buy-in on the report should be encouraged.
– Create a Workplan which includes a timetable and an action plan.

Phase II: Develop an Overall Compliance Blueprint
During Phase II, you should:
– Look at other Codes of Conduct;
– Use the Committee and Focus Groups to develop a Code of Conduct;
– Customize the Code of Conduct to the company culture;
– Customize the Code of Conduct so it is suitable for all employees;
– Make sure the Code of Conduct is user friendly and attractively packaged;
– Create a Mission Statement and a letter from the CEO to accompany the Code of Conduct; and
– Create Compliance Program Guidelines.
Phase III: Evaluate and Develop Policies and Procedures in Substantive Areas
During Phase III, you should:
– Inventory policies and procedures already in place (e.g., internal controls for antitrust/competition, sexual harassment policy, environmental policy, etc.);
– Align Policies and Procedures, Code of Conduct and Employee Handbook; and
– Develop Policies and Procedures where Gaps exist, as indicated in the report on Best Practices and Gaps, and borrow best practices where necessary from other subsidiaries or from outside the organization (see trade associations, industry practice groups, law firms, consultants, and seminars such as the Practising Law Institute (PLI) and the Association of Corporate Counsel of America (ACCA)).

Phase IV: Communication, Training and Implementation
During Phase IV, you should have:
– Introduction of the Code of Conduct and Program;
– Ongoing Communications Plan;
– Training Plan;
– Training Plan for Fraud Prevention;
– Training Materials/Video Tapes; and
– Training Schedule.

Phase V: Continual Refinement, Self-assessment, Monitoring and Reporting
During Phase V, you should have:
– Management Controls;
– Internal Audit System;
– Internal Controls;
– Incentive System; and
– Publicized Reporting Results.

An Effective Corporate Compliance Program is an early warning system for risk control through the following:
– Risk assessment process;
– Monitoring;
– Reporting (i.e., hotline); and
– Training sessions.

Make Your Compliance Rollout Memorable
– Mementos (tombstones, plastic cubes, post-it notes);
– Screen savers;
– Calendars;
– Intranet sites; and
– Formal announcements and invitations to the compliance event.

Remember: This is a marketing campaign! Your product is a Compliance Program! Your audience is your employees!