Last week the Securities and Exchange Commission (SEC) concluded a Foreign Corrupt Practices Act (FPCA) enforcement action against Qualcomm Inc. for violations on the Accounting Provisions of the FCPA, including both the books and records and internal controls provisions. The enforcement action presented an interesting mix of clear FPCA violations of not having proper internal controls in place, a demonstration of the growing trend towards strict liability for violations of the Accounting Provisions and, finally, one head scratcher which would seem to point towards internal controls which did work. Taken together there are several important lessons to be learned for the compliance practitioner.

Hiring and Internal Controls Violations

In the Princeling enforcement category, first seen the Bank of New York Mellon FCPA enforcement action from 2014, we see how widely Qualcomm varied from its standard hiring protocols to hire the sons and daughters of officials of a state owned enterprise in China. Consider these business justifications for hiring a daughter of an official, as set out in the SEC Cease and Desist Order (Order):

• “We received a request from the GM of [the telecom company’s subsidiary] to help find an internship position for her daughter (currently studying in the U.S.) within QC. I discussed this with [high level official] and determined that it would be important for us to support given our cooperation with [the subsidiary].”
• Qualcomm employees understood that the daughter’s “parents are [SOE 2 subsidiary] Dept. GM level and gave us great help for Q.C. new business development.” Because “[the regional branch] is our strategic partner in China and plays an important role in leading all [the telecom company] adopting Qualcomm’s technologies,”
• Qualcomm employees believed that the internship “would be important for us to support given our cooperation with [the subsidiary].” Specifically, the internship “would be good because we are doing quite a bit with [the subsidiary]”.

In another instance, the company provided the following for a son of an official:

• support from a $75,000 research grant to an American university where he was studying, allowing him to retain his position in a PhD program and renew his student visa;
• a Qualcomm internship;
• subsequent permanent employment despite interviewers concluding that he did not meet Qualcomm’s hiring standards for the position; and
• a business trip to China followed by leave to visit his parents over the Chinese New Year, despite other employees expressing concern regarding his qualifications for the assignment. The EVP also personally provided this employee with a $70,000 loan to buy a home.

What is even more amazing about the hiring of the son is that after the initial hiring interview he was rated as a “No Hire” because not only was he not a “skill match” for the company but he did not even “meet the minimum requirements for moving forward with an offer”. Finally, among the Qualcomm team involved in the interview process, “there was an agreement that he would be a drain (not even neutral) on teams he would join.” Yet he was offered a job as a “special favor”. [Emphasis supplied]. If someone is so unqualified that employing them will negatively impact the company, there must be another very good reason to hire them, such as providing a benefit to their father, who is an official under the FCPA.

Both of these instances demonstrate clear violations of internal controls around the company’s hiring process. If a candidate does not make it out of the initial interview with anything more that a “No Hire” rating that should be the end of the decision making process around compliance, full stop. Do not pass Go, do not Collect $200. As the Order succinctly noted, “FCPA compliance, however, was not considered in Qualcomm’s hiring process.” A fine and penalty for this transgression was clearly warranted, as it was a clear violation of internal controls around the company’s hiring process.

Books and Records and Strict Liability

In summary fashion, the Order states “when it provided things of value and engaged in transactions that caused the company to fail to make and keep books, records, and accounts, which, in reasonable detail accurately and fairly reflected the transactions and disposition of assets of the company.” The recordation was done in a “generic and non-descript manner that obscured their purpose.” The items and other things of value included un-named and undesignated gifts, travel and entertainment, with the specific notation that “meals, gifts and entertainments were repeatedly noted as missing from Qualcomm’s gift logs.”

This portion of the Qualcomm enforcement action points towards a growing trend of a strict liability standard in FCPA enforcement under the Accounting Provisions. While there may well be wide disagreement as to whether such a standard is warranted under the FCPA, I think it is coming and it is something every Chief Compliance Officer (CCO) and compliance practitioner needs to be ready to address if and when the day comes that your company is under the shadow of a FCPA investigation.

This means if your books and records comes under investigation, you will have to demonstrate that it meets some minimum standard that satisfies the SEC. The FCPA Guidance states, “under the “books and records” pro­vision, issuers must make and keep books, records, and accounts that, in reasonable detail, accurately and fairly reflect an issuer’s transactions and dispositions of an issu­er’s assets.” Moreover, “the accounting provisions ensure that all public companies account for all of their assets and liabilities accurately and in reasonable detail”. Obviously, the question is what is ‘reasonable detail’? This enforcement action does not provide much guidance.

The Head-Scratcher

There was one instance of the alleged failure of internal controls that seems so anomalous that it needs to be explored. I quote in full from the Order:

35. For example, Qualcomm offered at least 15 foreign officials lavish hospitality packages worth approximately $95,000 per couple for the 2008 Beijing Olympics. Then, in mid to late-July 2008, a member of Qualcomm’s finance department raised FCPA issues related to the Olympics with Qualcomm counsel. In August 2008, just days before the Olympics began, Qualcomm rescinded the five hospitality invitations that had been accepted due to Qualcomm’s FCPA-related concerns. The disinvited guests were from three Chinese state-owned enterprises.

Why does this seem so anomalous? It is because the company’s internal controls stopped this seeming violation. The internal controls did what they were supposed to do, detect a potential violation and even prevent it before it happened. Even if the local business folks started down this road, it is clear that the corporate office stopped it. If a compliance program is now going to be criticized in the form of an enforcement action for doing what it is supposed to do, detecting and then preventing FCPA violations, it may be will nigh impossible for any company to be in compliance with the FCPA.

Of course, this Order was the product of negotiations between the SEC and Qualcomm so there may be additional facts around this, questionable at best, hospitality play by Qualcomm. However, if there was more to this story, the SEC needs to use those facts to educate and inform companies on their obligations and not hold them liable for actually stopping bribery and corruption.

The Qualcomm FCPA enforcement action reinforces the need for robust internal controls around the hiring process. It should be studied by both the compliance function and your company’s Human Resources (HR) function. The lessons you can learn from this enforcement action can help you to forestall a similar fate for your company.

[View source.]