Editor: Please describe the business purpose of Daylight Forensic & Advisory.
Hughes: As the name implies, our main services are twofold: (1) we provide investigatory forensics, which involves going back through records and interviews to determine what happened either financially or otherwise; (2) we also provide advisory services - largely advisory services to regulated entities or public sector advisory services, which are more akin to monitoring services, such as when an entity has been ordered by a public authority to have an independent monitor come in to oversee a problem.
Editor: Please give our readers a snapshot of your background.
Hughes: A lawyer by training, I began my career in a small private law firm in Baltimore and then went to the Maryland Attorney General's Office as an Assistant Attorney General for several years before I went to the District of Maryland U.S. Attorney's Office where, over the course of 16 years, I held a number of supervisory posts in the Criminal Division and investigated and tried different types of criminal cases.
From there, I went to the Board of Governors of the Federal Reserve System where I was Special Counsel for Special Investigations and Enforcement, which included overseeing the anti-money laundering policy for the Federal Reserve System. Shortly after my arrival, the USA PATRIOT Act was passed and we were in the middle of drafting regulations and examination procedures to implement the new anti-money laundering provisions. I was also the Fed's representative to the Financial Action Task Force and the Basel Committee Cross-Border Banking Group where there were a number of international anti-money laundering standards that were being revised. After that I was a principal in KPMG's forensic practice in the Washington D.C. office where I continued to work in the anti-money laundering and investigations area. I have been with Daylight Forensic as head of the Washington D.C. office since it opened in June of 2006.
Editor: Several years ago SOX was the newest compliance regulatory tool. Is it still foremost in the thinking of corporations today? Why has the focus changed?
Hughes: When SOX was enacted, there was a great deal of concern with compliance, especially 404 compliance, requiring a thorough independent review of a company's internal controls along with a certification process by senior management. Now that most companies have reporting procedures in place, they are now accustomed to what has to be done. Other enforcement actions taken by the government have overshadowed SOX as a concern, particularly for multi-national companies. In the last year, during this economic downturn, financial services firms and, others as well, have been examining their risk management processes and considering whether their troubles are related to failures in their risk management program. I think that enterprise-wide risk management, global risk management, the Foreign Corrupt Practices Act and other bribery and corruption laws in other countries have overshadowed SOX.
Editor: What are the biggest challenges today? Please mention the challenges in each of the areas you describe.
Hughes: Much depends on what your business is as to what the challenges are today. Aside from the financial challenges that everyone is facing in an economic downturn, there are a number of regulatory challenges that are difficult for companies to get their arms around. If a company is located in the U.S., has significant interest in the U.S. or stock is traded on any of the U.S. exchanges, it is subject to the restrictions of the Foreign Corrupt Practices Act. The essence of the violation is the act of providing money to a government official in a foreign country in exchange for favorable business treatment. One loophole in the Foreign Corrupt Practices Act is "facilitation payments." Facilitation payments are payments made for performance of ministerial-type functions, such as payments for permits or licenses required to carry out a construction assignment. If you pay someone extra money to expedite the process, as long as it is not illegal in the country where the money is being paid, then that can be justified as a facilitation payment so long as the company's books accurately account for the expenditure.
If there are payments that were being paid to third parties that ultimately made their way into a government official's pocket and if they were mischaracterized in a company's books and records, a company can be held accountable under the FCPA. It becomes the basis for a civil liability that the Securities and Exchange Commission would enforce. For many companies, this is truly a big challenge because they have relationships with thousands of third parties. If a company is paying money to a third party on a regular basis, it's very difficult to understand where the money winds up, whether it is payment for services rendered that were billed or for money billed to pay a bribe.
If a company has a good compliance program in place, if it has done appropriate due diligence, if it can show that it has no direct knowledge on the part of anybody at the company - this will go a long way in meeting the U.S. Sentencing Guidelines and could lead to a mitigated fine or sentence. If, on the other hand, DOJ asks to see your compliance program and you don't have one or asks to see what type of due diligence you did on a particular agent and you haven't done any, then the company is in a much worse position in terms of prosecution, fines, debarment and the like.
Editor: Besides corporate fines assessed under the FCPA, what kinds of liability may individuals be subject to?
Hughes: Individuals have recently been the focus of actions brought both by the DOJ and the SEC, depending upon their level of culpability, i.e., what their level of knowledge is, whether it's a matter of willful blindness versus actively participating. Individuals can be fined, they can be imprisoned if it's a criminal matter, and in some cases, barred from an industry. The SEC's head of enforcement announced that he was putting together a special unit just to deal with FCPA issues, and the Justice Department has long had its unit - the Fraud Section - that deals with FCPA issues. Just a few weeks ago, a case came down that for the first time used Section 20 of the Securities Act to apply liability to individuals under a "control person" theory. Under this theory of liability, control persons are responsible for what the company does. I believe the CEO and CFO were assessed fines as part of a settled enforcement action.
Editor: What tools are available to a corporation either to prevent a government action alleging FCPA liability or once a government investigation begins?
Hughes: There are two things that a company needs to do: it needs to have a good compliance program in place, and that applies whether you believe that you have an issue or not. Under the U.S. Sentencing Guidelines, having a good compliance program that contains all of the requirements of the guidelines will go a long way towards mitigating a fine. The compliance program has to be real; it can't just be something that you have on paper that no one pays any attention to. A compliance culture embodying tone at the top is vital. A CEO who is responsible for the financial safety of the company must also champion the need for adherence to law, a spirit that filters down through the ranks.
While many companies complacently claim they have tone at the top, they are not always concerned when their payments are going out to third party agents or to anyone who's involved in helping facilitate business overseas. The Justice Department has said that companies may use a risk-based approach in conducting due diligence on third-party payees. For a company with 50,000 third-party relationships, i.e., agents, this is a daunting task. Many companies understand that they have a big responsibility under the FCPA and they're doing more and more in dealing with new relationships but the real problem lies with existing relationships - even though there have been no red flags, do you really know where your money is going? To help companies, we've developed a tool to enable companies to understand their FCPA risk. It considers a variety of risk factors and provides a risk-scored analysis of third party-payees. For those high-risk relationships, a company may decide to do more due diligence or a site visit or it may decide to exit the relationship. This is an effective risk-based assessment tool for FCPA violations.
Editor: Tell our readers also about the firm's activity in helping companies cope with money laundering.
Hughes: We've been very involved in the money-laundering arena, primarily in the financial services area, but we've also done investigations for companies that may have been the victims of money laundering. There are several recommendations emphasized by financial sector regulators. One is to have in place a good compliance program, after first identifying risks. Again, we have utilized our electronic tool called STAR to help us perform large transaction reviews for companies as a result of an order from a regulator. For example, a regulator performs an examination, and in testing some transactions notes some suspicious activity on which a company failed to file a suspicious activity report. Since the company's system did not pick up the activity, the regulator will require the company to go back historically and look over transactions over a period of time. For financial institutions with millions of transactions we devised an electronic tool that allows us to take all that data and run it against risk assessments indicative of money laundering, with the end result being a number of cases for investigation with common parties that enables us to group together transactions for review rather then looking at a million of them separately. The program allows us to see patterns and the most egregious violations. The tool is a really wonderful case management system that enables us to track every aspect of the investigation and escalation process.
Editor: How can Daylight help in areas of fraud risk assessment?
Hughes: Fraud risk really depends on the type of business. We've done many kinds of fraud risk assessments in the financial services area. For instance, we do internal control reviews, often after a company has been victimized by a crime. At that point, it becomes a forensic activity inasmuch as we are looking to see where the fraud occurred, how it occurred, how it was possible for it to occur. Companies are much better off if they do an assessment before a mishap has occurred where someone can review the internal controls, look at training, look at who occupies what positions, and determine where there are weaknesses or vulnerabilities. While many companies don't want to spend the money before there is an emergency, it is money well spent as a pound of prevention. For the chief financial officer's peace of mind there needs to be an assessment of risks and due diligence, and our firm can place his mind at ease. After we do our assessment, there is an investigative due diligence group who do further investigations of certain individuals whom we have earmarked.
Editor: What other ways can Daylight's cadre of professionals be helpful to corporations, and specifically the legal department?
Hughes: We are often hired by the general counsel in a variety of different settings and sometimes by outside counsel, depending on the status of the matter. We provide litigation support, for instance, when there's a need for an expert witness, or when someone is needed to perform financial analysis for a litigation, we can supply our experts. We are often hired by audit committees and general counsel to do internal investigations when there have been allegations of misbehavior, misappropriation of funds, embezzlement, etc. If there's been a whistleblower allegation, we are often hired as a third party to explore the allegation, particularly if there are any implications that could involve the government or if it might impact a company's financial statement. We serve corporations in a lot of different capacities, usually at the instigation of the general counsel.