Editor: What is the impact of the FCPA, the Dodd-Frank Whistleblower Program, False Claims Act (including the qui tam provisions) and the UK Bribery Act and other current antibribery laws on investigations and audit procedures overall?
Keneally: This is a broad question, and one could probably host an all-day symposium on the subject. That being said, there’s a common thread that runs through these laws and regulations, and that’s in enforcement policy: self-reporting is becoming the norm. On the FCPA front the company that can stay ahead of the government and report its violations will likely obtain a better result than the company that crosses its fingers and prays that it isn’t caught. The same tends to be true in false claims cases. Self-reporting will usually help you avoid trebling of damages.
This reflects the government’s overall view that companies should self-report any wrongdoing. This philosophy extends well beyond the FCPA and FCA arena. The Sentencing Guidelines for organizations takes compliance and reporting into account in determining the fine to be imposed, and obviously self-reporting plays a significant role in the DOJ’s decisions as to whether to prosecute a corporation. Essentially, self-reporting and cooperation have become the default positions for corporations in almost any investigative setting.
Editor: What is the board’s responsibility for assuring that the company has adequate internal procedures designed to uncover fraud and avoid violations of law? To what extent do the SEC’s whistleblower rules undermine such procedures?
Keneally: This requirement extends beyond the board itself. Yes, you need an audit committee, and yes, the board must remain apprised of events as they occur and cause investigations to be undertaken as circumstances warrant. However, the company needs a full-time compliance program. It has to be adequately staffed, and it must be comprehensive. That means it has to establish and publish policies; educate employees; create procedures and safeguards; and provide for a chain of command and reporting that encourages employees to report problems, and protects them from fear of retaliation.
With respect to the SEC’s whistleblower rules, the rules allow for a whistleblower to receive an award as an original source of information if he or she initially reports the information to the company through the company’s established procedures for reporting wrongdoing. So at least in theory, the whistleblower rules should not undermine the company’s established procedures. Now, in practice, things could be different. A given employee might decide that reporting to the company first would prove fruitless, or that he or she would risk not receiving an award because he or she might not be an original source. Or, if as part of its compliance procedures the company assures employees that it will note their status as an original source of information to the SEC in the event the company self-reports a problem, the company could be asking for a flood of trivial complaints from employees. However, the company cannot use these possibilities as rationalizations for not having a state-of-the-art compliance program in effect.
Editor: Are you seeing an increase in investigations and audits relating to potential fraud? How can companies avoid becoming victims of fraud?
Keneally: I think companies accept that as they expand, investigations have to become part of their landscape. This is in keeping with the culture of self-reporting I described.
Additionally, companies have come to realize that they must condition their managers and employees to regard any compliance problem as significant. With this mindset, lower and mid-level employees report more incidents up through the chain of command. This leads the company to initiate more investigations. Senior management and boards are more reluctant to look at a problem and say, “this is a minor, one-of-a-kind incident” without conducting some kind of inquiry first, because they understand that it’s the investigation that you don’t undertake that can bite you.
All this points to companies treating compliance more seriously, meaning making compliance proactive, rather than purely reactive. It is not enough to have a mechanism to respond to government investigators’ inquiries. A company has to constantly audit and update its procedures, to make sure it can prevent problems from occurring, and address issues promptly, without the need for a push from a prosecutor or regulator. Companies have to provide their employees a secure means of owning, and partaking in, this process. This means having hotlines that really respond to employee complaints, ombudsmen to whom employees can turn, and the like.
Editor: Do prosecutors in various countries share information? How does the risk parameter change in these situations?
Keneally: Absolutely, countries share information and conduct parallel and/or joint investigations. This can make things rather tricky. Here’s an easy example. As everyone knows, the FCPA provides an exception for facilitation payments. However, many other countries, such as the UK, don’t have facilitation payment exceptions in their antibribery laws (according to the FCPA Blog, 11 of 39 countries that are signatories to the OECD antibribery convention have facilitation payment exceptions on their books). Thus, a line of defense that might be effective with regard to one jurisdiction can turn into an admission in another.
From a penalty standpoint, multijurisdictional investigations can lead to increased penalties, as well as higher legal and monitoring costs. It can also lead to debarment in multiple countries, which, of course, can be devastating to a company. By the same token, by cooperating in one country’s antibribery investigation, a company can receive credit in another country’s investigation.
Companies also need to remember that more countries are becoming OECD signatories and are actively enforcing their antibribery statutes. Russia joined this year, and there is a push to have China and India sign on, although we don’t know if that will occur. The simple truth is that as companies expand into other countries, life becomes much more complex for them.
Editor: What are the components of defensible investigations and audit procedures that protect confidential information? What are the most effective reporting formats or mechanisms to preserve the attorney-client or work product privilege for auditing and investigative efforts?
Keneally: I’ll address these questions together because they’re interrelated. First, it’s helpful if the engagement letter spells out the scope of counsel’s representation. This makes clear from the start the client’s and counsel’s understandings of the relationship. With respect to U.S. investigations, I have a preference that counsel, or investigators retained by counsel, conduct all witness interviews. Obviously, when you’re interviewing employees, Upjohn warnings are essential. And reports, when written, are best written by counsel to the client that counsel represents. These are all pretty basic ideas. In addition, it’s always good to have in-house counsel involved in the communications process.
All of these practices are useful in controlling attorney-client privilege and confidentiality, and they protect you from having to disclose such information in civil litigation. But you have to bear in mind that there’s a very good chance that at some point the company will have to make the difficult decision to disclose its investigational efforts to the government. This is especially the case when you conduct internal investigations of possible FCPA and FCA violations, since self-disclosure plays such a crucial role in determining sanctions.
Editor: Do U.S. and global regulatory and enforcement agencies adequately take into account the uncertainties that companies face in maintaining global operations?
Keneally: Given the objectives of antibribery laws, I’d have to say yes. There’s a law professor named Andy Spalding who has written extensively about FCPA policy considerations. Among other things, Spalding compares legislating with a “clean hands” approach – avoiding places that are corrupt, and “constructive engagement” – reforming corrupt areas.
The FCPA and other countries’ antibribery laws are of the constructive engagement variety. The OECD’s framework is based on constructive engagement, which is why there is such pressure to have countries such as China and India become signatories. Constructive engagement is a calculated bet that through incremental reform efforts, we can change the business culture of much of the world, and ultimately everyone will be better off.
It’s difficult for constructive engagement laws to gain traction without holding actors to a high standard of behavior and compliance. Governments must tell companies, “Yes, we know that the business culture in much of the world is corrupt, but that doesn’t provide you with an excuse to engage in corruption yourselves, or to lack vigilant compliance structures.”
Editor: What are some techniques for conducting effective interviews with potential offenders and other key players? What intuitive clues, such as the interviewee’s level of stress, should effective interviewers look for?
Keneally: I’m going to go off the beaten path here, because this question presents me with an opportunity to discuss one of the greatest movie scenes of all time. I’m talking about True Romance. The screenplay was written by Quentin Tarantino, and it has an all-star cast. There’s a scene where Christopher Walken, who plays a gangster, is essentially torturing Dennis Hopper to find out where Hopper’s son, played by Christian Slater, is (Slater having made off with a large amount of Walken’s cocaine). At one point during the scene Walken explains why it’s no use for Hopper to lie to him.
“There are 17 different things a guy can do when he lies to give himself away. A guy’s got 17 pantomimes. A woman’s got 20, but a guy’s got 17 ... but, if you know them like you know your own face, they beat lie detectors all to hell. Now, what we got here is a little game of show and tell. You don't wanna show me nothin’, but you're tellin’ me everything.”
I love that scene, and Walken’s lines, but they have nothing to do with conducting an effective interview during an internal investigation. Virtually anyone you interview during an investigation is going to be scared. He (or she) is going to be scared for his job, scared he’s in trouble, scared he’s getting someone else in trouble, scared for myriad reasons. So looking for a “tell” isn’t going to tell you much.
The way you can tell someone is lying is by catching him in a lie, and you do that through preparation. You read every relevant document. Look at every email, especially, the “to,” “from” and “cc” portions. Look at people’s Outlook entries to see where they were on a certain date. Know what the interviewee’s answers should be – if he’s telling the truth – before he answers. That’s how you determine veracity.
Remember, this isn’t a cross examination, and it’s not a TV show. You’re not looking for an “Aha!” moment. You’re not trying to catch someone in a lie. You’re trying to get as much information as possible. So ask questions that will encourage the interviewee to talk. If what he tells you is largely untruthful, there will be ways to deal with that situation afterward.