We continue our exploration of the Foreign Corrupt Practices Act (FCPA) enforcement action involving Panasonic Avionics Corporation (PAC) and its parent Panasonic Corporation (Panasonic). Today, I want to conclude with some of the key lessons learned for the compliance professional.

As previously discussed the penalty assessed was approximately $280 million broken down into a $137 million payment by the company’s US unit, PAC, in criminal penalties to the Department of Justice (DOJ). The Japanese parent, Panasonic, agreed to pay disgorgement of $126,900,000 and prejudgment interest of $16,299,018.93, for a total payment of $143,199,018.93 to the Securities and Exchange Commission (SEC). The DOJ resolution documents included a Deferred Prosecution Agreement(DPA) and a Criminal Information(the Information). The SEC issued a Cease and Desist Order(the SEC Order). Both the DOJand SECalso issued Press Releases.

Due Diligence

Due diligence took it on the chin in this enforcement action, with the facts demonstrating why it is not the quality of the due diligence or some type of certification that is the key step in the third-party risk management process. While due diligence is an important step and one a company must utilize; it is the management of the relationship after the contract is signed which is the key step. As Jay Martin, Chief Compliance Officer (CCO) at BakerHughes, a GE company, continually reminds us all, it is execution of your compliance program which separates the best practices from paper programs. The same is true around due diligence.

Here the due diligence fell apart because PAC required TRACE International Certification of its third-parties. These third-parties and the PAC employees using them, knew they could not pass due diligence muster. As stated in the Information, “Certain PAC employees, however, sought secretly to rehire these agents in contravention of Company policy by rehiring them as “sub-agents” of PAC Sales Agent 2, a sales agent that had obtained TRACE certification.” Of course, there was no additional certification performed on the entity that held the certification.

Alexandra Wrage, TRACE International’s president, said, in a Wall Street Journal (WSJ) Risk & Corruption Journal article, due diligence “is a process, not an event.” Put another way, it is a step but it is only one step in process of the lifecycle of risk management for third-parties. The fifth, final and most important step, the management of the relationship is on the company. The company must monitor all third-party agents for material changes in ownership, structure, sub-agent, commission rates and total commissions. Further, there should be internal controls in place that identify changes beyond simply relying on your third-parties to disclose said changes, always remember to ‘Trust but Verify’.

There is a five-step process in the lifecycle of third-party risk management. They are: (1) Business Justification; (2) Questionnaire; (3) Due Diligence; (4) Contract; and (5) Management of the Relationship. Each step builds on the one(s) before it and if there is a failure in one it puts more pressure on the other. But the step with the most pressure and most responsibility is managing the relationship after the contact is signed. If you cannot demonstrate you are managing the relationship after the contract is signed, you are admitting you have no idea if your third-party is following your contractual requirement and you certainly have no idea if they are violating the FCPA.

Failures of Internal Controls

Obviously there was a complete, total and utter failure of internal controls at PAC. Even with the subterfuge in the Asia-Pac business unit to bury corrupt agents under the umbrella of previously approved agents to avoid due diligence, there was apparently no control in place which detected the increase in commission payments to previously approved third-parties. There was an increase in commission rates to approved third-parties who took on the corrupt third-parties unable to pass due diligence muster. Additionally, there was a significant increase in the raw dollar amounts paid to approved third-parties, one such approved third-party, between 2008 and 2010, received $3,780,198.65 to pay to one corrupt third-party. At another point, the same approved third-party represented some 47 customers, through 13 corrupt third-party sub-agents who received over $7 million in illicit fees as commissions and to pay bribes.

Like I said  a complete, total and utter failure of internal controls at PAC.

But there was more than just the complete, total and utter failure of internal controls, there was management over-ride of existing controls. This was seen in the bribe payments made out of a discretionary fund designated as “Office of the President Budget” which was controlled by un-named PAC Executive 1. This money was solely and completely at PAC Executive 1’s discretion and it was “neither reviewed nor approved by any Panasonic personnel.” This budget exceeded several hundred thousand dollars annually and was “booked on PAC’s general ledger in various categories, including travel, payroll, and consultant payments”. For over seven years, PAC Executive 1 “used the Office of the President Budget to make payments to multiple individuals, including consultants that performed limited or no work for PAC with little to no supervision by anyone at PAC.”

As early as two years into the use of the President’s Fund, PAC’s internal audit department flagged that services providers where (1) hired without following procurement department processes; (2) contracted with no oversight; and (3) paid without delivering anything tangible to PAC. Yet even with this explicit finding of the violation of PAC’s internal controls the “Office of the President Budget” continued along its merry path of bribery and corruption.

The 20% Discount

While it is not clear how the government became aware of PAC’s conduct or why it sent a subpoena, it is clear that neither PAC nor Panasonic self-disclosed their illegal conduct. This is in the face of actual knowledge by PAC’s internal audit function as early as 2009. Further, there was C-Suite involvement in the bribery scheme, only identified as PAC Executives 1-4 in the settlement documents. Some of these senior executives were even seconded to PAC from the parent entity Panasonic. This would seem to invoke the egregious conduct standard laid out in the FCPA Corporate Enforcement Policy. Panasonic earned over $126,000,000 from the bribery and corruption of its US subsidiary.

Yet even with all the above and bribery schemes that lasted 13 years the company received a 20% discount off the minimum range of the US Sentencing Guidelines. If there was ever a glowing endorsement for a company cooperating with the government and extensively remediating, this enforcement action is it. When you review this enforcement action with the recently delivered Dun & Bradstreet Inc. declination you see the full power and effect of the new FCPA Enforcement Policy. Companies are now fully incentivized to step forward and self-disclose. However, if you are like PAC and have corrupt senior executives not only approving and engaging in the bribery scheme and they do not want to admit their own criminal liability, you can still make a comeback if you cooperate and remediate. PAC saved itself over $34MM by meeting requirements two and three of the FCPA Corporate Enforcement Policy. At the end of the day, that may be the most significant lesson learned by compliance professionals and perhaps the most lasting lesson from this enforcement action for company’s who find themselves in FCPA hot water.

A special shout out to you Star Wars fans out there. Today is our day so May the 4th Be With You.

[View source.]