investigations quarterly – the individual as a target – the next wave of enforcement actions

3 The Individual as a Target

2014 » VOLUME 1 » ISSUE 16

INVESTIGATIONS QUARTERLY

3 The Individual as a Target

The Next Wave of Enforcement Actions

The Next Wave of Enforcement Actions

The Next Wave of EnforcementStories of fraud and white collar crime continue to make national news, and this trend will only increase as the DOJ and other regulatory agencies intensify their efforts to pursue individuals and corporations suspected of misconduct.

In this issue of IQ, our cover story addresses the DOJ’s efforts to go after individual wrongdoers, in addition to the accused entities. This trend of leveraging liability against one, or a few individuals has serious implications for multinational corporations and their executives. Whether this approach will act as an effective deterrent against corpo-rate wrongdoing remains to be seen, and will continue to be hotly debated.

Navigant remains at the forefront of this issue and other legal and regulatory challeng-es impacting fraud and white collar defense. Through IQ, our award winning magazine, and our interactions with clients across the globe, we continue to raise the important questions and keep companies and their legal counsel informed.

We hope you enjoy the articles in this issue, and, as always, welcome your comments and questions.

Complimentary Subscriptions You, your colleagues, and your audit committee and board members can receive com-plimentary subscriptions to IQ Magazine. Please visit navigant.com/iq.

PUBLISHERSJeff Green +1.202.973.2441 [email protected] Zimiles +1.212.554.2602 [email protected]

EDITORSDarcy Healy Alma Angotti

DESIGNElliott Robinson

FEEDBACK AND INQUIRIESInvestigations Quarterly welcomes all letters, comments and inquiries to the authors. Please address all correspondence to:Darcy Healy (U.S.) +1.202.973.3128 [email protected] Cornmell (U.K.) +44.207.015.8816 [email protected] Chan (Asia) +1.852 2233.2500 [email protected] manuscripts on matters dealing with fraud and investigations are welcome and will be considered for publication.

Investigations Quarterly is published by Navigant. Copyright ©2014.

The opinions expressed herein are those of the authors and editors.

Investigations Quarterly (IQ) is not published with the intention of rendering legal, professional or account-ing advice or services.

The media are welcome to quote from the contents if properly attributed. Any substantial reproduction of the content of Investigations Quarterly requires the permission of the publishers and authors of the articles.

Cover illustration by Josh Leipciger

Letter from the publishers Jeff Green, [email protected] Ellen Zimiles, [email protected]

navigant.com


3


» There is a growing trend for individuals to be named in prosecutions and enforcement actions, which will have important implications to financial institutions and their implementation of compliance programs.

» Prosecutors must evaluate the benefits of prosecuting the individual and the implications such prosecutions may have on, for example, attracting qualified board members and compliance personnel.

» The question remains whether going after the individual is the most effective manner of achieving the goals underlying criminal punishment.

The regulatory environment is changing and enforcement actions are on the rise, particularly in the financial industry. Since Operation Casablanca involving the indict-ment of Mexican banks in 1998 to the billion dollar recoveries in 2012 and 2013 involving the largest money-center banks, the U.S. Government has continually increased the regulatory pressure on the financial industry with respect to regula-tory obligations ranging from anti-money laundering to predatory lending. This has extended to other regulatory regimes, such as the Foreign Corrupt Practices Act (FCPA), in other industries such as tex-tiles, manufacturing and public account-ing. While the initial historical target of enforcement actions focused on corporate responsibility, the recent trend is to also focus on individual employees whom may have played a role in the subject activity.

As the Department of Justice (DOJ) has increased enforcement pressure through the use of Deferred Prosecution Agree-ments (DPA) and Non-prosecution Agreements (NPA) (DPA and NPA col-lectively referred to as “Agreements”) during the past decade, there has been a gradual increase of enforcement actions by the DOJ and other regulatory agen-cies including the individuals involved in the subject activity. Whether naming the

individual is an effective deterrent mecha-nism for enforcement will be a function of future enforcement actions. That which is certain today, however, is that individuals will more frequently be named in pros-ecutions and enforcement actions. This trend will have important implications to financial institutions and their implemen-tation of compliance programs.

Desired Impact of Enforcement Actions and the Decision to Name the IndividualThrough the pursuit of enforcement ac-tions, the DOJ, and other regulatory agen-cies, are in essence, if not enacting, then strongly influencing, policy. Regulatory agencies use the Agreements and enforce-ment actions in general to require subjects to implement programs which comply with the regulatory agencies’ interpreta-tion of the law and increase the standards of an effective compliance program. A secondary, and in many respects a more important effect, is the guidance provided to the overall industry through such en-forcement actions. One DPA, for example, may produce changes in the compliance programs of companies throughout the industry and beyond. From one agree-ment to the next, the regulatory agencies are refining their direction regarding the legal requirements and providing needed guidance to the industry.

Proactive corporate governance and com-pliance professionals study enforcement actions in their industry, as well as related industries, and evaluate their own pro-grams against such actions. A recurring argument is that this proactive approach to compliance consumes significant re-sources. As the trend continues and the rise of DPAs/NPAs and other enforcement actions spreads to other enforcement regulators, such as the Securities and Ex-change Commission (SEC), the corpora-tion’s proactive approach may very well

The Individual as a TargetThe Next Wave of Enforcement Actions

ELLEN ZIMILES, [email protected] ROBERT PARGAC, [email protected] SUSANA RODRÍGUEZ, [email protected] MILES HARTER, [email protected]

be the most cost-effective strategy for dealing with the highly regulated envi-ronment and to mitigate the threat of be-coming the target of a prosecution or an enforcement action. With each enforce-ment action, the potential ramifications to the business, and industry, as a whole, grow. Similarly, the probability for further liability imposed on individuals increases. This is the manifestation of the desired deterrent effect. Its effectiveness regarding the individual as target, however, remains a function of the specific enforcement ac-tion and will differ among the primary employee groups: business line staff, compliance and board.

Historically, four primary justifications for criminal punishment have been identi-fied in structuring punishment regimes: (1) retribution, (2) deterrence, (3) inca-pacitation, and (4) rehabilitation. These four primary goals for criminal punish-ment are in line with the basic responsi-bilities of the enforcement branch of the government: (1) making certain that the general purposes of the criminal law are adequately met, while (2) making certain

Illustration by Josh Leipciger


4

that the rights of individuals are scrupu-lously protected.1

The primary justifications for including an employee in an enforcement action are retribution and deterrence. Ultimately, de-terrence is the primary justification where the principal goal of enforcement is the implementation of effective compliance programs on an industry-wide basis.

Including the individual in the enforce-ment action requires the government to have a clear view of the desired deterrent impact and whether the same will actual-ly function to produce the intended effect. An effective enforcement action, naming an individual, therefore, will achieve the primary goal of enforcement stated above, provide guidance to the industry regard-ing regulatory expectations, and serve as a clear deterrent to similar behavior by, both the employee and the corporation.

As the regulatory and enforcement envi-ronment evolves through the continued use of enforcement actions, the govern-ment naturally will continue to look for more effective means of creating deter-rence. The natural evolution, therefore, will focus on the individual. This can be seen clearly in the United States Attor-neys’ Manual, Title 9, Section 9-27.220 Grounds for Commencing or Declining Prosecution:

Charging a corporation, however, does not mean that individual directors, of-ficers, employees, or shareholders should not also be charged. Prosecution of a corporation is not a substitute for the prosecution of criminally culpable indi-viduals within or without the corpo-

ration. Because a corporation can act only through imposition of individual criminal liability may provide the stron-gest deterrent against future corporate wrongdoing. Only rarely should provable individual culpability not be pursued, even in the face of an offer of a corporate guilty plea or some other disposition of the charges against the corporation.2

The DOJ recognizes the individual as possibly the strongest deterrent to cor-porate wrongdoing. The enforcement actions the DOJ publically announced in 2013, related to FCPA violations, tend to support this theory as 12 of the 19 cases were levied against individual defendants: 63 percent.3

Naming the individual employee in an enforcement action however, is a mat-ter of critical importance that requires a thorough analysis. Prosecutors must evaluate the benefits of prosecuting the individual and the implications such prosecutions may have on, for example, attracting qualified board members and compliance personnel.

The principles of Federal prosecution in the United States Attorneys’ Manual, Title 9 (Manual), are an aid, which are in-tended to promote the reasoned exercise of prosecutorial discretion by govern-ment attorneys regarding the spectrum of questions relevant to the prosecution pro-cess ranging from the decision to pros-ecute to sentencing, as well as entering into Agreements.4

When deciding whether to pursue crimi-nal charges, both against an individual and an entity, the prosecutor is directed

to evaluate whether the conduct consti-tutes a Federal offense and whether the admissible evidence will suffice to obtain and sustain a conviction. They must also evaluate if a prosecution should be de-clined, because:

» No substantial Federal interest would be served by prosecution;

» The person is subject to effective prosecution in another jurisdiction; or

» There exists an adequate non-criminal alternative to prosecution, such as debarment.5

The logical question is whether these ba-sic responsibilities are met when the deci-sion is made to prosecute a subject, legal entity or individual, and whether such prosecution will achieve the primary goals of enforcement.

The Enforcement Action Environment – DPAs & NPAs“According to DOJ, DPAs and NPAs can be invaluable tools for fighting corporate cor-ruption and helping to rehabilitate a com-pany…”6 From 1992 through 2013, the DOJ entered into 301 publically dis-closed DPAs and NPAs with corporations; of those, 150 were DPAs and 151 were NPAs.7 Ninety-three percent (93%) of all such Agreements were entered into since 2003. The total amount of penalties and forfeitures prior to 2003 are miniscule in light of the mega-forfeitures of the recent years. In 2013 alone, the total amount of penalties and forfeitures exceeded $2.8 billion.8 2014 is shaping-up to be a record year with penalties and forfeitures already in excess of $2.5 billion.9

1. United States Attorneys’ Manual, Title 9, Section 9-27.110(B) Purpose, available at http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/27mcrm.htm2. United States Attorneys’ Manual, Title 9, Section 9-27.220 Grounds for Commencing or Declining Prosecution available at http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/28mcrm.htm#9-28.2003. Gibson Dunn, 2013 Year-End FCPA Update, (Jan. 6, 2014) available at http://www.gibsondunn.com/publications/Documents/2013-Year-End-FCPA-Update.pdf4. United States Attorneys’ Manual, Title 9, Section 9-27110 Purpose, available at http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/27mcrm.htm5. United States Attorneys’ Manual, Title 9, Section 9-27.220, Grounds for Commencing or Declining Prosecution http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/27mcrm.htm#9-27.1106. GAO Report to Congressional Requesters, Corporate Crime: DOJ Has Taken Steps To Better Track Its Use of Deferred and Non-Deferred Prosecution Agreements, but Should Evaluate Effectiveness (December 2009), pg. 28

available at http://www.gao.gov/new.items/d10110.pdf7. Brandon L. Garrett and Jon Ashley, Federal Organizational Prosecution Agreements, University of Virginia School of Law, at http://lib.law.virginia.edu/Garrett/prosec_new/8. Gibson Dunn, 2013 Year-End Update on Corporate non-Prosecution Agreements (NPAs) and Deferred Prosecution Agreements (DPAs) (Jan. 7, 2014) available at

http://www.gibsondunn.com/publications/Pages/2013-Year-End-Update-Corporate-Non-Prosecution-Agreements-and-Deferred-Prosecution-Agreements.aspx9. OfficeoftheComptrolleroftheCurrency,NR2014-1,January7,2014.

5


The significant increase in DPAs and NPAs coincides with the implementation of the Principles of Federal Prosecution of Business Organizations10 (“Memoran-dum”) revised in 2003, in what is now known as the Thompson Memorandum, and later updated in 200611 by Paul Mc-Nulty. The Memorandum delineates the nine principles to be used as guidance by prosecutors when determining whether to file charges against a business entity. Those nine principles are:

1. Nature and seriousness of the offense;

2. Pervasiveness of wrongdoing within corporation;

3. History of similar misconduct;

4. Disclosure of wrongdoing and willingness to cooperate;

5. Pre-existing compliance program;

6. Remedial actions;

7. Collateral consequences;

8. Prosecution of responsible individuals; and

9. Adequacy of civil or regulatory enforcement actions.

The government evaluates the principles of the Memorandum against law enforce-ment priorities and the contribution of the target to the community. Considering the increase in enforcement actions post-Thompson, many investigations have resulted in DPA Agreements. The positive effect of these actions has been to pun-ish the bad conduct, while providing the corporate entity the opportunity to rectify the same and continue to be an active, contributing member of the community, in addition to serving as an example for peers in the same and corollary industries.

The Manual sets forth the factors to evaluate when determining whether to prosecute an individual. The factors are significantly similar to those espoused in

the Thompson Memorandum related to legal entities and include:

» Federal law enforcement priorities;

» The nature and seriousness of the offense;

» The deterrent effect of prosecution;

» The person’s culpability in connection with the offense;

» The person’s history with respect to criminal activity;

» The person’s willingness to cooperate in the investigation or prosecution of others; and

» The probable sentence or other consequences if the person is convicted.12

In addition to the foregoing, the gov-ernment also analyzes other qualitative criteria that may impact the overall goal of such enforcement actions: ensuring compliance with legal and regulatory re-gimes by the industry as a whole. Clearly, the criteria to evaluate when determining whether to include a legal entity and an individual in an enforcement action are substantially similar and consistent. The question arises, why haven’t more indi-viduals been included in such proceed-ings in the past?

Considering the current trend of nam-ing individuals in enforcement actions not only continues, but becomes more prevalent, the question whether naming individuals is an effective enforcement mechanism merits consideration. Bearing in mind the ultimate goal of enforcement (industry-wide compliance) and the two paramount reasons for criminal punish-ment (retribution and deterrence) this question should be considered, further, in the context of the institution’s principal actors, specifically three groups: 1) busi-ness line staff, 2) compliance personnel,

and 3) the board, and complimented by the question of whether such actors facili-tated the institution in violating the law.

Who Can Be Targeted? Generally, assigning criminal responsibil-ity to individual employees of an institu-tion is a matter of intent of the individual. The willful blindness of employees has typically been used as the standard to prosecute legal entities in the anti-money laundering environment.

When employees are considered for in-clusion in prosecutions and enforcement actions, it is assumed they had actual knowledge of the activity, willfully par-ticipated therein, or failed to perform a clearly assigned duty, that facilitated, or permitted, such unlawful activity. In this environment, knowingly and willful in-tent would be the common standard ap-plicable at the level of the business line staff. These employees form the first line of defense. They are interacting with cli-ents on a daily basis, opening accounts, soliciting new clients and facilitating agreements. Business line staff, similarly, has been subject to prosecution based on their wilful blindness related to their fail-ure to take action to identify and report activity which they should have known, or strongly suspected, was of a criminal na-ture and failed to take appropriate actions to address such activity.

Board members and compliance per-sonnel would more likely be viewed as targets based on their potential, willful blindness, where their activities, or omis-sions, may be subject to a more subjective or qualitative evaluation. Questions such as whether the board and compliance management did enough to promote an effective compliance culture, provided ad-equate resources, and implemented an ef-fective compliance program are inherently

10. Memorandum from Larry D. Thompson, Deputy Attorney General, to Heads of Department Components and United States Attorneys (Jan. 20, 2003), available at http://federalevidence.com/pdf/Corp_Prosec/Thompson_Memo_1-20-03.pdf

11. Memorandum from Paul J. McNulty, Deputy Attorney General, to Heads of Department Components and United States Attorneys (Dec. 16, 2006), available at http://www.justice.gov/dag/speeches/2006/mcnulty_memo.pdf12. United States Attorneys’ Manual Title 9, Section 9-27.230, Initiating and Declining Charges – Substantial Federal interest available at http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/27mcrm.htm#9-27.230


6

tion’s compliance program. Business line staff should understand that their failure to do their job as required or their willing-ness to overlook non-compliance or ethi-cal issues may result in serious criminal implications not just for the institution, but for the employee personally. To fulfill its responsibilities, the institution must ensure there is a strong training program to help provide the business line staff the knowledge they need to effectively exe-cute their responsibilities and help protect the institution from criminal liability.

A strong culture of compliance flows from the top down. To ensure the business line employee, and the organization as a whole, embraces the importance of com-pliance, it is essential to send the correct message from the top that compliance is everyone’s responsibility. What is the mes-sage, and frequency with which it should be broadcasted, top-level management should send to help ensure business line staff understand and embrace the impor-tance of their compliance-related respon-sibilities? How can the employee be a driver of the proactive and robust compli-ance culture? An appropriate compliance culture can help the institution to address many compliance issues before they reach critical mass, as well as drive compliance in a direction such that it is seen as part of the process, rather than a separate and distinct process or requirement.

Communication with compliance per-sonnel and the clear understanding of responsibilities by the business line staff is key for an effective compliance pro-gram. The question is how much train-ing has the business line staff received? What is the nature of their understanding of their compliance responsibilities? In some instances, areas are compartmental-ized with specialists leading their respec-tive areas. Certain knowledge is imparted to business line staff; however, they may not always be able to determine the ap-propriate response to a specific set of cir-cumstances. There must be an open line

qualitative in nature. The subjectivity of the analytical process gives rise to nu-merous additional questions that may be answered differently under a variety of circumstances. The uncertainty of the application of standards to evaluate cul-pability at the board and compliance em-ployee levels presents additional layers of complexity to the questions surrounding the inclusion of these employees in pros-ecutions and enforcement actions.

Business line staff, compliance person-nel, and board members are the three principal employee groups of an insti-tution where criminal culpability may be assigned. Numerous questions arise, however, concerning the ramifications of including such individuals in prosecutions and enforcement actions.

Business line staff

Business line staff are the first line of defense of the institution for ensuring adherence to compliance-related poli-cies and procedures. They are generally the face of the institution to customers. As such, they may be prosecuted and included in enforcement actions to the extent they knowingly and willfully par-ticipated in the activity, such as opening accounts without proper Know Your Cus-tomer (KYC) documentation, and if they are willfully blind to potential criminal activity, i.e. accepting obviously question-able identification documents. Pursuing a business line employee for making a good-faith decision within the purview of the business judgment rule, on the other hand, presents additional complexities in evaluating the appropriateness of naming such individual as a target.

Institutions should ensure a strong first line of defense by training employees to help ensure they clearly understand their responsibilities. Training, as one of the four pillars of an effective compli-ance program required by Section 352 of the USA Patriot Act of 2001 (P.L. 107-56), should already be a part of the institu-

of communication between compliance and the business line staff to help ensure there is appropriate compliance guidance. Through increased communication be-tween business line staff and compliance, the probability of business line staff being included in an enforcement action can be significantly mitigated.

Operational costs may rise due to com-pensate the individual willing to under-take these job responsibilities. Jobs with compliance related responsibilities come in all shapes and sizes. Dependent on the position of the individual named, this may result in the increase in compensation to lower level staff. Would this increased cost structure have significant financial reper-cussions on an institution?

Additionally, naming business line staff in enforcement actions may be beneficial to the business as a whole, as it may em-phasize the need for everyone to follow and comply with their policies and proce-dures and, thus, the law. As the first line of defense, each employee would need to be the expert in compliance as related to their specific job functions. As many of the corporations subject to enforcement actions are large corporations, ensuring this knowledge is imparted could be very costly. Corporations would then need to find a manner of monetizing such exper-tise and industry knowledge. It may be argued, the compliance expertise creates a competitive advantage for the institution that, ultimately, allows it to operate more efficiently from an operational and risk-based perspective.

Compliance personnel

Compliance personnel, while not tradi-tionally prosecuted, except by securities regulators, have always been considered the employees subject to prosecution un-der regulatory regimes, such as the Bank Secrecy Act, because they are respon-sible for overseeing the effective imple-mentation of the compliance program. The prosecution of compliance person-

7


nel, however, presents somewhat of a conundrum. The compliance officer is responsible for ensuring the management of an effective compliance program. The compliance personnel’s ultimate effective-ness, however, will be a function of many variables, such as the support received from the board, executive management, business line personnel, et cetera. Thus, the question is raised: when, and under what circumstances, is it appropriate to pursue compliance personnel? What are they required to do in the event of a per-ceived lack of support from management to avoid liability? What standard of crimi-nal liability would apply?

The introduction to this section asks: Is it appropriate to go after the compliance per-sonnel when they have not been supported by management? The compliance personnel may have limited options, including: (a) continue pressing through, attempting to do their best under the circumstances to implement an effective program; (b) re-sign; and/or (c) become a whistle blower. What benefit is derived for the institution, regulatory authority, or the community from compliance personnel identifying the issue, raising it with the appropri-ate governance body, and, if not rectified, resigning from the institution due to its failure to support the compliance pro-gram? Should compliance personnel be-gin to resign due to the perceived risk of being named in an enforcement action? The impact is unclear what those resigna-tions may have on the specific institution and on the overall industry. One possible impact is that the specific institution’s program may suffer. What would be the effect if this happened on a larger scale?

Similarly, what is the impact on the com-pliance decision making process if com-pliance personnel begin being named as targets in enforcement actions? Would

compliance personnel seek to evade all risk due to the possibility of criminal li-ability, although they undertook their responsibilities in good faith, to the best of their abilities, and in accord with the resources available? This may lead to situ-ations in which the compliance personnel are filing regulatory reports, such as those related to possible suspicious activity, that do not have a high degree of usefulness in assisting law enforcement detect and prevent financial crime. Such an activ-ity may result in excessive filings, thereby creating the proverbial needle in the hay-stack, rather than facilitating law enforce-ment efforts. If this were the case, would this type of risk aversion result in the cre-ation of further obstacles and facilitate the very activity they are charged to monitor and report?

What would be the impact to the cost of compliance? What would be the impact to the number of people willing to serve in a compliance capacity? If the supply of compliance personnel reduced significant-ly due to perceived risk of criminal liability, compliance costs may rise. From a risk-based approach perspective, would this environment result in a reallocation of re-sources from one compliance component of the program to another? Additionally, as enforcement actions continue and indi-viduals are named, would additional num-bers of compliance employees be required to address the enforcement action issues and implement an effective program?

As stated previously, compliance person-nel are considered the employees respon-sible for overseeing the compliance pro-gram. As such, they may also be named in civil cases. Being specifically named in enforcement actions may expose them to civil liability in addition to criminal li-ability. As cases are litigated and enforce-ment actions are used to support those claims, the risks of inclusion in civil cases, increases as well.

As the inclusion of compliance person-nel in prosecutions and enforcement

actions would move the compliance programs to a more conservative para-digm, this risk-based approach may result in excluding certain groups from vari-ous industries such as financial services. The money services business industry, for example, is deemed a high-risk financial industry segment. As the probability for individual liability of compliance person-nel increases, a compliance manager may determine that the pursuit of such busi-ness is too risky, not just for the institu-tion, but also for the compliance manager, herself. The result could be the exit from the line of business. This could also result in increased pricing and a lower level of service, as services becomes limited and consolidation accrues.

Board Members

The Board of Directors (Board) is the ul-timate governing body of institutions and the possibility of extending liability to members of the Board and having them named in enforcement actions raises many questions and implications.

Board members may be viable subjects of an enforcement action, especially in the context of multiple enforcement actions against an institution such as the recent cases involving the large money-center banks and at the financial institutions. Board members’ failure to understand the legal, regulatory and compliance obliga-tions of the institution and, following an initial prosecution or enforcement action, to guide the institution to implement a compliant program may be an area of po-tential culpability.

Of paramount concern regarding board members’ inclusion in prosecution and enforcement actions, despite their good faith belief they acted within the pur-view of the business judgment rule, is that it could lead to the loss of qualified candidates, thereby limiting the pool of individuals who are willing to serve, or even the timeframe for which they will serve, on boards. The reputational risk


8

associated with serving on a board may be deemed too high considering the indi-vidual’s status in society, other commer-cial pursuits, and board positions on other lower-risk boards.

The downstream problem flowing from a lack of qualified candidates is that true cultural change starts at the top with a clear and unwavering message. Cultural change is the first, foundational step of implementing an effective and sustain-able compliance environment. In the ab-sence of qualified and committed board members, who understand the business and regulatory issues, the ultimate goal of enforcement, compliance programs on an industry-wide basis, is in question.

In an environment where board members may be named in prosecutions and en-forcement actions, despite their good faith belief they acted within the purview of the business judgment rule, board mem-bers may become “risk evaders”, as op-posed to risk managers, in their attempt to ensure no appearance of wrongdoing. There may be a trend in such environ-ment where boards become ultra conser-vative in their decision making. This could in turn limit the growth opportunities for the business and might not be in the best interest of the company, employees, and the community.

What would be the consequence of in-cluding board members in prosecutions and enforcement actions from a D&O insurance and board compensation per-spective? Is it possible there would be increases in both D&O insurance pre-miums, as well as board compensation requirements? Board members serving on boards do so to the best of their ability. These board members understand they are responsible for guiding the corpora-tion and making decisions in the best in-terest of the shareholder. The standard for

their decisions is the business judgment rule, which requires the board mem-ber to act on an informed basis, in good faith and in the honest belief that the action taken was in the best interests of the company.13 What is the impact on the board member’s willingness to serve on the board of a highly-regulated institution if their reliance on the business judgment rules is misplaced?

Board members have fiduciary respon-sibilities to the institution’s sharehold-ers and must act in the shareholders’ best interest. Inclusion in enforcement actions may expose board members to civil liabil-ity, not just to shareholders but to their customers, as well. Statements made in connection to enforcement actions may be used by plaintiffs as support in their claim against board members. There are current instances of language from en-forcement actions emerging in litigation claims against corporations.14 As those cases progress, the next logical step may be to use a similar tactic to hold board members accountable.

Questions regarding prosecuting and including board members in enforce-ment actions are numerous. Would such prosecutions result in an increased cost of corporate governance? What would the impact be on the pool of talented and qualified individuals available to serve on boards? Would an environment of ultra-conservative board decision-mak-ing process manifest regarding legal and compliance related issues? Would there be an increase in personal civil liability? The answers to these questions may have a number of impacts on the financial and regulatory health of the institution, the implementation of an effective compli-ance environment, and the maturation of the compliance environment of the indus-try as a whole.

ConclusionThe individual employee is a viable target and may very well be next in line to face the direct pressures of prosecutions and enforcement actions. Who within an or-ganization can be targeted is important to understand, as is the potential impact prosecutions may have on how com-panies approach risk management and identify qualified individuals to fill certain positions. Board members, compliance personnel, and business line staff typically work in good faith to implement an ef-fective compliance program and comply with legal and regulatory requirements. Including these individuals in prosecu-tions and enforcement actions based on inadequate compliance programs, despite the employee’s good-faith intentions and decisions, raises questions regarding the impact of such prosecutions may have on the underlying goal of enforcement: the implementation of effective compliance programs on an industry-wide basis.

13. Sinclair Oil Corp. v. Levien, 280 A.2d 717, 720 (Del. 1971)14. Gibson Dunn, 2013 Year-End Update on Corporate non-Prosecution Agreements (NPAs) and Deferred Prosecution Agreements (DPAs) (Jan. 7, 2014) available at

http://www.gibsondunn.com/publications/Pages/2013-Year-End-Update-Corporate-Non-Prosecution-Agreements-and-Deferred-Prosecution-Agreements.aspx

9


Cyber Security and Data Privacy Q&AWithcybersecurityanddataprivacyrankingasoneofthetopfiverisksforGeneralCounsel, we have asked John Mullen with Lewis, Brisbois, Bisgaard, and Smith and chair of the Data Breach, Cyberlaw and Security Practice to provide his insight. John is regarded as a legal authority on privacy and data security issues by the largest insurance companies and, with his team, works on hundreds of data incident response cases each year.

Cyber security has become the number one risk for many General Counsel. With every-thing on the GCs’ agenda, how did this topic gain so much attention?

Mullen: Cyber security, and events oc-curring as a result of inadequate cyber se-curity, continues to garner much publicity and attention as companies become more forthcoming and state, federal, and inter-national statutes relating to data collec-tion, sharing, and storage develop. Virtu-ally all entities collect and store data that are subject to continuously evolving stat-utes and that, when not efficiently com-plied with, pose great financial and repu-tational risk to entities. With the growth of technology, increased data collection practices, and greater reliance on vendors and mobile devices to collect, store, and use data, as well as the strong interest of regulators and the plaintiffs’ bar in this developing area, adequate cyber security easily moves to the forefront of a General Counsel’s concerns.

Have you seen the Board of Directors get in-volved with cyber security cases? What are the CEO’s top concerns?

Mullen: C-Suite and Board members are becoming increasingly involved in cases we handle. The focus of these executives in many cases is generally on reputational harm to the company, potential litigation exposure, how to not repeat the event again, and the immediate financial impact to the organization.

What are the global implications of data pri-vacy and security?

Mullen: Data security and privacy is an issue of paramount importance for any entity that has clients, customers or part-

ners that are not US residents. While the entity may be US-based, it will still be subject to obligations imposed by foreign laws. Many foreign countries, such as Canada and Australia, actively legislate on data privacy. Other foreign bodies, like the European Union, are increasing their attention on this developing area of law, understanding that it will never go away and that there will always be a risk of harm to its citizens.

A global perspective should be considered when engaging in compliance efforts due to the abundant rules and regulations re-garding data privacy. A compliance officer can easily be overwhelmed in determin-ing what is necessary to comply with data privacy laws:

» What data does the company collect?

» What data does the company solicit?

» Where does the data reside?

» What are the company’s storage policies?

» What are the company’s destruction policies?

» How is the data secured?

» What should someone do if the data becomes subject to unauthorized access or use?

How can the General Counsel feel confident that this risk is being properly addressed by the organization?

Mullen: The General Counsel will only feel confident if he or she is actively in-volved in ensuring adequate cyber secu-rity is in place, including determining that appropriate data collection, use, and stor-age, and identifying steps to be taken if a data incident were to occur.

Illustration by Peter Giesbrecht

Conducting a yearly independent third-party assessment of the organization’s data security program is a great first step. Then, address the recommendations or deficiencies identified in the independent report. I would encourage the organiza-tion to build an incident response plan that includes an internal team that will handle the data security incident. Lastly, the General Counsel, along with the risk management team, should be looking at their insurance coverage to ensure an ap-propriate cyber policy is in place.

When a data incident occurs, how do you provide guidance to the General Counsel and others within the organization?

Mullen: We make ourselves available to the client decision-makers, often the General Counsel. Lawyer-to-lawyer, we understand their immediate concerns and can address them. We assist the General Counsel, and others, throughout the in-vestigatory and analysis process. We en-gage outside forensic consultants to firm up the facts as developed. We immediately overlay the most likely applicable laws to make a legal determination regarding whether a breach occurred and iden-tify what obligations – and the time in which to comply with these obligations – the company may have as a result of the breach. We assist the organization as regu-latory agencies or plaintiffs make inquiries.

We welcome and encourage the partici-pation of the General Counsel, and other decision-makers, in the incident response process. Their participation permits us to develop an appreciation of how the com-pany functions, the manner and tone in which it communicates with its customer and investor base, and whether we should


10

be aware of any other concerns or issues within the organization that may impact the incident response.

With respect to regulations, what is chang-ing and where are you seeing the most active enforcement?

Mullen: The wide variety of laws ranging from (a) individual states; (b) federal laws: Sarbanes Oxley, Graham Leach, HIPAA, FERPA; (c) international laws; and (d) contractually-triggered obligations, such as PCI, makes compliance complex. Vaguely crafted statutes, lacking defini-tions, and developing common law can lead to varying interpretations of a com-pany’s legal duties and compliance efforts. These gray areas continue to expand, as new statutes are being proposed, current statutes are being amended, courts are weighing in on statutory interpretation, and the plaintiffs’ bar becomes more cre-ative in its claims.

From a U.S. perspective, some of the most active enforcement is coming from Health and Human Services (through the Office

for Civil Rights) and the Office of the At-torneys General in California, Indiana, Massachusetts, and Vermont. Several other state statutes impose regulator no-tice obligations, though, other states may not have a regulator reporting require-ment but nevertheless permit the regula-tor – often times the attorney general – to bring a claim for failure to comply with the statute. The point is, there is no way to predict whether a regulator will open an inquiry into an incident, and what ac-tions that regulator will take to ultimate-ly close its file, with or without a fine or some other type of penalty. What we can predict is that regulator attention will only increase as cyber security continues to garner publicity.

When meeting with regulators after a breach, what types of questions are they ask-ing your clients?

Mullen: Regulators often focus on what type of information was involved, the af-fected individuals, where the informa-tion was at the time of the incident, steps taken prior to and after the security in-cident to prevent reoccurrence, whether independent, third-party forensics con-firmed a company’s findings, and how the breach is being handled, including pro-viding notice to the impacted individuals. Regulators focus on points in time – data practices pre-breach, security and poli-cies in place prior to the discovery of the breach, breach response and post-breach measures implemented by the company. The regulators want to understand if the organization is taking the event seriously, if an objective point-of-view was obtained during the incident response, and how a company is handling the impacted popu-lation. From a regulator’s perspective, the more support the impacted population receives, including whether they are being provided notice soon after the incident, access to someone able to answer ques-tions and concerns regarding the incident, and information or tools to protect against identity theft and fraud, the better.

It is important for organizations and counsel to cooperate with regulators. Having an open dialogue regarding the facts and action plans can be beneficial for the organization.

From a risk management perspective, are companies purchasing cyber insurance cover-age? What does this type of insurance nor-mally cover?

Mullen: I’ve seen the percentage of or-ganizations placing cyber insurance grow from less than 1 percent to 20 percent (an estimate recently provided by the leading national brokers), with the vast amount of growth taking place in the last three years. Indications point to growth, and I anticipate the number of companies being covered to continue to rise.

I can see cyber insurance becoming man-datory. It makes sense – entities should be covered. Cyber coverage reacts quickly in the crisis management environment. It generally provides an insured immediate key expert assistance from counsel, foren-sics, public relations, mailing/call center and credit offering specialists.

What recommendations can you provide to the General Counsel and risk managers?

Mullen: I recommend the following steps: 1) undertake a yearly independent, objective security assessment of your company’s network security, systems, data collection practices, and storage and use practices; 2) inform all areas of the company that collect, receive, store, and secure data, as cyber security is just not an IT issue; 3) make sure your policies and procedures are up to date; 4) train and retrain employees, document this training, and enforce these policies and procedures with consequences; 5) create and regularly update an incident response plan; 6) review and update your insurance coverage; and 7) use real specialists, who are experts in the field when preparing for and responding to a data incident.

11


» Since first enacted in 1984, the Federal Sentencing Guidelines have been amended in effect nine times with the most recent amended version of the Guidelines taking effect on November 1, 2012.

» While certain judges have been outspoken regarding the limitations of the Guidelines and have imposed sentences that have varied significantly, others have continued to rigidly adhere to the Guidelines.

» White collar criminal defendants are particularly incented to enter plea agreements because of the draconian penalties resulting from the overemphasis on loss as a component in sentencing.

When thinking about the sentencing guidelines for federal crimes and the vari-ous revisions since they were instituted over two decades ago, what often comes to mind is a phrase lobbed repeatedly from the backseat on many family trips…Are we there yet? Although the sentenc-ing guidelines promulgated by the United States Sentencing Commission (USSC) in 1987 (“the Guidelines”) have continued to change, criticisms of the Guidelines appear to be ongoing, especially in rela-tion to high-loss economic crimes. Un-fortunately, based on the reaction to the USSC’s latest revision of the Guidelines in November 2012, the answer to that re-peated question seems to be an emphat-ic…NOT YET!1

Application of the Guidelines in federal sentencing matters has continued to be a source of confusion, frustration, and dis-agreement since they were implemented in 1987, especially in relation to economic

TODD K. LESTER, [email protected] JEFFREY B. JENSEN, [email protected] P. DIEHR, [email protected]

crimes such as fraud and other non-fraud white-collar crimes involving high-dollar loss amounts. Further, the latest revisions that became effective in November 2012 have not seemed to alleviate many of the prior concerns. Fewer than ten months after the current Guidelines became ef-fective the USSC hosted a symposium on Economic Crime in September 2013 to address the “broken” Guidelines and “vi-sions of change.”2

BackgroundTitle 18, United States Code, § 3553(a)(1) directs sentencing courts to consider, among other things, the “nature and circumstances of the offense and the history and characteristics of the defendant.” Section 3553(a) also requires the courts “to impose a sentence sufficient but not greater than necessary to comply with the purposes” of United States sentencing: (1) retribution, (2) general deterrence, (3) specific deterrence, and (4) rehabilitation.3 However, courts are also directed by § 3553(a) to take into account the Guidelines in fashioning a sentence.4 While no longer mandatory, the Guidelines’ advisory range is critically important to federal judges at sentencing.5

The Guidelines were developed pursu-ant to the Sentencing Reform Act of 1984 (Title II of the Comprehensive Crime Control Act of 1984), which became effec-tive November 1, 1987. Used in conjunc-tion with the USSC’s sentencing tables, the Guidelines form the basis for the recommended number of months of im-prisonment for those convicted of various federal crimes. Since first enacted, the

Guidelines have been amended in effect nine times with the most recent amended version of the Guidelines taking effect on November 1, 2012.

Initially, the Guidelines were intended to be mandatory in nature (i.e., “a sentencing court must select a sentence from within the guideline range”), but certain “depar-tures” were allowed from the guideline range if a case presented atypical fea-tures and reasons for any departure were specified by the court.6 In 2005 however, the Supreme Court ruled the Guidelines were merely advisory in United States v. Booker, 543 U.S. 220 (2005). However, district courts, “while not bound to apply

Illustration by Peter Giesbrecht

Federal Sentencing For Economic Crimes – Are We There Yet?CalculatingLossinSecuritiesFraud–DoestheModifiedRescissoryMethod Fix the Broken Federal Sentencing Guidelines?

1. United States Sentencing Commission, Guidelines Manual, November 1, 2012.2. Transcript – United States Sentencing Commission, Symposium on Economic Crime, September 18-19, 2013.3. 18 U.S.C. § 3553(a)(2)4. 18 U.S.C. § 3553(a)(4)5. See Gall v. United States, 552 U.S. 38, 49 (2007) (“a court should begin all sentencing proceedings by correctly calculating the applicable Guidelines range”).6. 2012 Federal Sentencing Guidelines Manual, Chapter One – Introduction Authority, and General Principles


12

of the actual loss attributable to the change in value of the security or com-modity, the court may consider, among other factors, the extent to which the amount so determined includes sig-nificant changes in value not resulting from the offense (e.g., changes caused by external market forces, such as changed economic circumstances, changed inves-tor expectations, and new industry-spe-cific or firm specific facts, conditions, or events).13

SignificanceofLossinSentencing for Economic CrimesThe Guidelines focus on determination of an “offense level,” which is then used to establish a sentencing guideline pursuant to a set sentencing table.14 For example, the base level offense for fraud as defined in the sentencing Guidelines is a seven (7), which, depending on prior criminal history, equates to a minimum recom-mended sentence of between zero and six months.15 However, there are many other factors (i.e., “specific offense characteris-tics”) that can increase the offense level, and thus the recommended sentence, including factors such as: the number of victims involved, the nature of the of-fense, and whether the person played an “aggravating role” in the offense. How-ever, none of the specific offense char-acteristics has more influence on rec-ommended sentencing in securities and other fraud related matters than the size of the loss.16

the price after the fraud’s disclosure; (2) the modified rescissory method, consid-ering the average price of the security during the fraud period with the average price during a set period after the fraud’s disclosure; (3) the market capitalization method, considering the change in a se-curity’s price during a short period of time immediately before and after the fraud’s disclosure; and (4) the market-adjusted method, borrowing from civil law stan-dards enunciated in Dura Pharmaceuticals, Inc. v. Broudo, 544 U.S. 336 (2005) in an at-tempt to calculate the change in the value of the security while excluding changes in value caused by external market forces.

Effective November 1, 2012, the Guide-lines explicitly endorse the modified re-scissory method for determining actual loss in securities fraud cases.12 Specifically, they provide that:

…there shall be a rebuttable presump-tion that the actual loss attributable to the change in value of the security or commodity is the amount determined by –

(I) calculating the difference between the average price of the security or commodity during the period that the fraud occurred [the “fraud period”] and the average price of the security or commodity during the 90-day period after the fraud was disclosed to the market, and

(II) multiplying the difference in average price by the number of shares outstanding.

In determining whether the amount so determined is a reasonable estimate

the Guidelines, must…take them into ac-count when sentencing.”7

Regardless of their “advisory nature,” the Guidelines continue to drive the sen-tencing in most federal criminal cases, particularly those involving economic crimes. While certain judges have been outspoken regarding the limitations of the Guidelines and have imposed sentences that have varied significantly, others have continued to rigidly adhere to the Guide-lines. Regardless of a judge’s willingness to consider sentencing outside of the Guideline ranges, in reality the vast ma-jority of cases are resolved through plea arrangements where the starting point for negotiations is, in fact, the Guidelines.

Guidelines “Loss” in Securities Fraud CasesThe Guidelines define “loss” as “the greater of actual loss or intended loss.”8 The sentencing judge “need only make a reasonable estimate of the loss.”9 Courts are to use gain as the applicable reference point “only if there is a loss but it reason-ably cannot be determined.”10

In securities fraud cases, reduction in the value of securities and other corporate assets may be considered in the esti-mate of loss.11 Prior to November 2012, the Guidelines did not expressly provide a recommended calculation method for federal judges to make a reasonable esti-mate of loss in securities fraud cases. As a result, courts employed various meth-ods. These have been described as: (1) the rescissory method, considering the price a victim paid for the security with

7. 18 U.S.C. §3553(a)(4), (a)(5), Booker, 543 U.S. at 2648. USSG §2B1.1, comment. (n.3(A))9. USSG §2B1.1, comment. (n.3(C))10. USSG §2B1.1, comment. (n.3(B))11. USSG §2B1.1, comment. (n.3(C)(v))12. USSG §2B1.1, comment. (n.3(F)(ix))13. USSG §2B1.1, comment. (n.3(F)(ix))14. USSC Sentencing Guidelines Manual; November 1, 201215. USSC Sentencing Guidelines Manual; November 1, 2012; §2B1.1, pg. 79-8016. USSC Sentencing Guidelines Manual; November 1, 2012; §2B1.1, pg. 79-83

13


For instance, a defendant facing prosecu-tion for a securities or other fraud-related crime where the estimated loss exceeds $20 million could easily face up to twenty years in prison based on the recommend-ed sentencing pursuant to the Guide-lines. This is illustrated in Figure 1, for a defendant with a Level I Criminal History Category (lowest) facing securities fraud charges involving 250 or more victims, through a sophisticated scheme, where the defendant had an aggravating role in the offense, and the loss was found to be approximately $20 million. This defendant would likely face a Guidelines Offense Level of 39, or up to 27 years in prison.17 (See Figure 1)

While a scheme involving 250 or more victims and a loss estimated at $20 mil-lion may seem significant, in reality most alleged securities fraud violations by their nature involve a large number of poten-tial victims (i.e., shareholders of record) and easily exceed $20 million based on the Guidelines’ current calculation meth-odology.19 For example, the average mar-ket capitalization of a company trading on the New York Stock Exchange (NYSE) is approximately $8.9 billion. A 0.5% loss of market capitalization on the stock market for the average NYSE company – a level of stock price volatility many companies routinely experience – would equate to a “loss” of approximately $44.5 million (i.e., $8.9 billion x 0.005). Often, many securities fraud defendants face an offense level that starts in the 30s and is typically only adjusted upward from there based on the applicability of other specific offense characteristics.

What surprises many is that the above de-fendant – if found responsible for a 0.5%

loss of market capitalization for an aver-age NYSE company, involving more than 250 victims, etc. – could receive a sentence equal to or in excess of average sentences for individuals found guilty of more vio-lent crimes such as murder, kidnapping and sexual assault.20 (See Figure 2)

With so much dependent on the weight of the estimated loss relative to other spe-cific offense characteristics in the Guide-lines, one would hope for at least a more formulaic loss determination method-ology and approach. As indicated, that has proven elusive. Loss determination continues to be a source of disagreement between white-collar defense attorneys and prosecutors (and their respective fi-nancial and economic experts), as well as

the courts. As such, and with so much at stake, it is not surprising that a number of judges have been willing to impose sentences that vary from the Guidelines, sometimes significantly so, in cases where they deemed it warranted.

The problem of continued overemphasis on loss as a sentencing factor is com-pounded by the fact that approximately 95 percent of federal white collar crimi-nal matters continue to be resolved be-fore trial.21 In other words, white collar criminal defendants are particularly in-cented to enter plea agreements because of the draconian penalties resulting from the overemphasis on loss as component in sentencing.

FIGURE 1: EXAMPLE RECOMMENDED SENTENCING PER THE GUIDELINES (FOR THE DESCRIBED OFFENSE)

Section Level

Base Offense Level (Fraud / Non-Fraud White Collar)18 §2B1.1(a) 7

SpecificOffenseCharacteristics » Loss (between $20 and $50 million) §2B1.1(b)(1) +22 » 250 or more victims §2B1.1(b)(2) +6 » Sophisticated means §2B1.1(b)(10)(C) +2 » Role in the offense §3B1.1 +2

Level 39: 262 – 327 months (~21.8 – 27.25 years) 39

FIGURE 2: LENGTH OF IMPRISONMENT BY PRIMARY OFFENSE CATEGORY

Primary Offense Mean Months

Fraud (Guideline Sentence Range – Offense Level 39) 262-327

Murder 252

Kidnapping / Hostage Taking 197

Sexual Abuse 129

Child Pornography 132

17. USSC Sentencing Guidelines Manual Sentencing Table; November 1, 2012; Chapter 5 (part a), pg. 394.18.Part B – Basic Economic Offenses of the USSC Sentencing Guidelines Manual addresses basic forms of property offenses: theft, embezzlement, fraud, forgery, counterfeiting, insider trading, transactions in stolen goods, and

simple property damage or destruction.19. Another recent Guidelines amendment notes the fallacy of enhancing a securities fraud defendant’s sentence on the basis of the number of victims, where the fraud itself was based on the number of victims. See USSG §2B1.1,

comment. (n.20(C)) (noting “a fraudulent statement made publicly to the market may produce an aggregate loss amount that is substantial but diffuse, with relatively small loss amounts suffered by a relatively large number of victims,” and that in such circumstances “a downward departure may be warranted.”

20. United States Sentencing Commission, Statistical Information Packet, Fiscal Year 2012, Table 7 – Length of Imprisonment by Primary Offense Category, Fiscal Year 2012.21. United States Sentencing Commission, Preliminary Quarterly Data Report, September 30, 2013, Table 22.


14

Ongoing Concerns with the Overemphasis on Loss in Federal SentencingAlthough the most recent changes to the Guidelines were intended to standard-ize and lessen the complexity of how loss is calculated, the changes still fall short of addressing the goals of federal sentenc-ing. Most notably, the November 2012 changes place greater emphasis on the sentencing goal of avoiding unwarranted sentencing disparity among defendants with similar records who committed simi-lar offenses than on reducing the impact of loss on sentence length.

As federal criminal practitioners are aware, the Guidelines’ overemphasis on loss in economic crimes has been heav-ily criticized – with respect to loss cal-culation, federal judges have called the Guidelines “patently absurd on their face,” United States v. Adelson, 441 F.Supp.2d 506, 512 (S.D.N.Y. 2006) and “a black stain on common sense.” United States v. Parris, 573 F.Supp.2d 744, 754 (E.D.N.Y. 2008). However, by focusing on the disclosure of the fraud to the market as the triggering event for sentencing purposes, the modi-fied rescissory method leads courts to consider disclosed conduct that was be-yond the scope of any fraudulent activity. The modified rescissory method may even exacerbate the loss overemphasis because of its assumption that all outstanding shares incurred harm, when many inves-tor “victims” may have purchased or sold shares during periods uninfluenced by the fraudulent activity in question.

In addition to the problems inherent in the modified rescissory method – assum-ing all disclosed conduct was relevant offense conduct and that all outstanding shares incurred harm – there exist chal-lenges in its application as well.

For example, the company portrayed in Figure 3 had a period of questionable practices that resulted in alleged fraud

and securities violations. During the ‘fraud period,’ the company, industry, and gen-eral market exhibited significant growth, profitability, and increasing prices. How-ever, pursuant to the identification of questionable accounting / revenue recog-nition practices, the company determined that a restatement was required for cer-tain years. The disclosure of the restate-ment led to a significant drop in the com-pany’s stock price.

At the time however, little evidence of fraud or securities violations had been uncovered by the company or its auditors. It was not until later that the company and its auditors identified a number of accounting irregularities pursuant to the restatement efforts that raised concerns and suspicions, which ultimately led to an investigation and formal charges. The disclosure of the potential fraud along with an expanded disclosure regarding the company’s ongoing efforts to restate its financial statements led to another sig-nificant drop in the company’s stock price. Both “stock drops” occurred during peri-ods when general market conditions and market indices were in full retreat includ-ing some sizable corrections.

In this example:

» What constitutes ‘disclosure’ and the start of the ‘90-day period’?

» Can there be more than one disclosure and, if so, which is more applicable?

» Did “external market forces” or other “facts, conditions or events” impact the company’s average share price during either the fraud period or the 90-day period, and, if so, how?

» How should a loss be apportioned (i.e., for causation) if multiple factors (fraud and non-fraud related) contributed to it (e.g., accounting errors in a restatement vs. fraud?)

» How do you isolate the effects of the fraud from the effects of the declining market, the announced restatement, and other factors that may be influencing the prospects of the business?

» Can the basis of an accounting restatement (i.e., the restated financials) assist in evaluating those losses that are proximately caused by a defendant’s conduct, as opposed to other misleading statements or errors that did not arise from fraud?

FIGURE 3: ABC STOCK PRICE VS. NASDAQ

$10.00

$20.00

$30.00

$40.00

$50.00

$60.00

$70.00

$80.00

500

1,000

1,500

2,000

2,500

3,000

3,500

NASD

AQ C

ompo

site I

ndex

NASDAQ ABC

5/2/20

06

8/2/20

06

11/2/

2006

2/2/20

07

8/2/20

07

11/2/

2007

2/2/20

08

5/2/20

08

8/2/20

08

11/2/

2008

2/2/20

09

5/2/20

09

5/2/20

07

RestatementAnnouncement

FraudDisclosure

ABC

Stoc

k Pric

e

15


» Should an individual’s culpability factor into the loss calculation?

Given the circumstances described on the previous page, is it fair or reasonable to determine the loss without effectively di-vorcing the loss from the relative changes in a company’s stock price due to other non-fraud related factors, and without due consideration of the concept of culpa-bility? And, how do you do this without undertaking the detailed accounting, fi-nancial, and economic analysis necessary to reasonably apportion the loss between the myriad factors that contributed to it without unfairly placing all the blame on a single defendant?

Where Do We Go From HereThe Guidelines’ endorsement of the mod-ified rescissory approach in determin-ing loss in securities fraud matters was an obvious nod to the sentencing goal of avoiding unwarranted sentencing dispar-ity among defendants with similar records who have committed similar offenses. However, it does little to mitigate – and arguably exacerbates – the overemphasis on loss in determining sentence length. Moreover, it seems to raise as many ques-tions as it settles – such as, in the problem posed above, what constitutes the ‘fraud period,’ what is the relevant ‘disclosure,’ and what ‘facts, conditions or [other] events’ are relevant to the court’s determi-nation in light of these ambiguities?

At present, it appears the current Guide-lines may come no closer to provid-ing federal judges guidance in making a reasonable estimate of loss, much less in providing a solution to the overemphasis on loss, or otherwise tailoring the Guide-lines to comply with the statutory goals of federal sentencing. As a result, it is not surprising that courts across the coun-try reflect variances from the Guideline sentencing ranges in fraud and non-fraud

white collar crime cases approximately 50 percent of the time.22 (See Figure 4)

Many similar arguments and ongoing concerns caused the USSC to once again invite comment and evaluation of the sentencing guidelines; and within less than a year of the most recent changes to the Guidelines (November 2012), the USSC held a symposium to address on-going concerns of sentencing related to economic crime (United States Sentenc-ing Commission Symposium on Eco-nomic Crime – September 18, 2013). Of particular interest was a report presented at the symposium by the American Bar Association Task Force on the Reform of Federal Sentencing For Economic Crimes, which recommended changes to the Guidelines to adjust the tables related to the impact of high-loss economic crimes on sentencing to allow for the consid-eration of “culpability” and “victim impact.”

While the latest changes to the Guide-lines were welcomed by some, it is read-ily apparent that shortcomings continue to exist in the Guidelines for individuals

22. United States Sentencing Commission, Preliminary Quarterly Data Report, September 30, 2013, Table 3.

accused of high-loss economic crimes, a factor that received focused attention at the September symposium. Unfortunate-ly, while the participants at the sympo-sium discussed a number of ideas that would address some of the perceived in-equities, there is uncertainty as to wheth-er any additional changes to the Guide-lines will be forthcoming, or when. In reality, white-collar criminal defendants and their attorneys are left to interpret and attempt to reasonably apply the cur-rent Guidelines to their respective cases; to plead out to negotiated lesser charges; or, at times, to put their faith in judges who may, or may not, be willing to depart from the suggested sentencing. In short, the only course in addressing the modi-fied rescissory method under the present Guidelines is to proceed with caution!

FIGURE 4: SENTENCES RELATIVE TO THE GUIDELINE RANGE IN WHITE COLLAR CRIME CATEGORIES

0%5%

10%15%20%25%30%35%40%45%50%

Within GuidelineRange

UpwardDeparture

Below GuidelineRange w/ Plea

DownwardDeparture

Other Non-FraudWhite Collar CrimesFraud


16

Provisions1 FCPA U.K. Bribery Act CFPOA BCCAAnti-Bribery Provisions

The FCPA applies only to bribery of foreign officials. (See 15 U.S.C. §§78dd-1(a) and (f)(1))

The UKBA covers both commercial bribery and bribery of foreign political officials. (See Sections 1, 2 and 6)

The CFPOA applies only to bribery of foreign officials. (See Section 3.(1))

The BCCA applies to bribery of both Brazilian public officials and foreign public officials. (See Chapter I Article 1)

Bribe Recipients

The FCPA does not apply to the receipt of a bribe.2 The commercial bribery provisions of the UKBA (See Sections 1 and 2) apply to both the offer and acceptance of a bribe while those relating to bribery of foreign political officials (See Section 6) apply only to the offer, promise or payment of a bribe.

The CFPOA does not apply to the recipient of a bribe.

The BCCA does not apply to the recipient of a bribe.

Accounting Provisions

The FCPA requires public companies3 to (a) make and keep books and records that accurately and fairly reflect the transactions of the corporation and (b) devise and maintain an adequate system of internal accounting controls. (See 15 U.S.C. § 78m)

The UKBA does not contain accounting provisions. As a result of the Amendments, the CFPOA makes it illegal to hide a bribe to a foreign official by (a) establishing or maintaining accounts which do not appear in any of the books and records that are required to be kept in accordance with applicable accounting standards; (b) making transactions that are not recorded in those books; (c) recording non-existent expenditures in those books; (d) knowingly use false documents; (e) intentionally destroying books and records. (See Section 4.(1))6

The BCCA does not contain accounting provisions.

State of Mind In alleging violations of the bribery provisions of the FCPA, the government must show that the defendant had the requisite state of mind with respect to his actions (i.e., negligence, recklessness, intent). (See 15 U.S.C. § 78dd-1(f)(2))

The UKBA imposes strict liability on a corporation for “failing to prevent bribery” where an associated person bribes another person regardless of whether that person is a foreign political official or not.5 (See Section 7)

The Department of Justice’s Guide to the CFPOA elaborates on Canadian authorities’ interpretation of the CFPOA’s mens rea element: The CFPOA itself does not address the mental state required for a violation. However, in light of its imposition of criminal liability, Canadian courts interpret it as requiring intention and knowledge or willful blindness.

Brazilian law imposes strict liability of infringing companies in the case of all administrative sanctions and judicial sanctions that involve forfeiture of assets, rights, or valuables (see Chapter I Article 2). This means that prosecutors need only to prove that any of the acts set forth in the BCCA took place.

Company employees however are not to be held strictly liable for the illegal acts of the company and are liable only to the extent of their culpability. (See Chapter I Articles 3-4)

Global Anti-Bribery & Corruption Regulation and Enforcement Comparison ChartAs part of our continuing efforts to provide information on anti-bribery and corruption regulatory and enforcement developments, we provide below a comparison chart of the recently enacted Brazilian anti-bribery and corruption legislation known as the Brazil’s Clean Company (BCCA); the U.S. Foreign Corrupt Practices Act (FCPA), the U.K. Bribery Act (UKBA) andtheCanadianCorruptionofForeignPublicOfficialsAct(CFPOA).

To learn more, visit navigant.com/anticorruption.

1. This table does not purport to address every aspect of the FCPA, UKBA, CFPOA or BCCA.2. The government however can and is prosecuting bribe recipients pursuant to other authority including the Travel Act (18 U.S.C. 1952) and Money Laundering regulations (18 U.S.C. 1956, 1957). Additionally, the government is

seeking to recover the proceeds of bribery and corruption through its Kleptocracy Initiative and Asset Forfeiture (18 U.S.C. 981, 982).3. The accounting provisions apply to any company whose securities are listed on a U.S. exchange (including foreign companies who list American Depositary Receipts) or who are subject to the periodic reporting provisions of the

Securities Exchange Act.4. Prior to the amendments, the CFPOA did not contain an accounting provision.5. Section8oftheUKBAdefinesan“associatedperson”asonewhoperformsservicesforthecorporationandnotesthatassociatedpersonsmayincludeemployees(alwayspresumedtobeassociatedpersons),agentsor

subsidiaries. Whether someone is an associated person will be a factual determination and not solely by the nature of the relationship between the person and the corporation.

17


Provisions1 FCPA U.K. Bribery Act CFPOA BCCAAnti-Bribery Provisions

The FCPA applies only to bribery of foreign officials. (See 15 U.S.C. §§78dd-1(a) and (f)(1))

The UKBA covers both commercial bribery and bribery of foreign political officials. (See Sections 1, 2 and 6)

The CFPOA applies only to bribery of foreign officials. (See Section 3.(1))

The BCCA applies to bribery of both Brazilian public officials and foreign public officials. (See Chapter I Article 1)

Bribe Recipients

The FCPA does not apply to the receipt of a bribe.2 The commercial bribery provisions of the UKBA (See Sections 1 and 2) apply to both the offer and acceptance of a bribe while those relating to bribery of foreign political officials (See Section 6) apply only to the offer, promise or payment of a bribe.

The CFPOA does not apply to the recipient of a bribe.

The BCCA does not apply to the recipient of a bribe.

Accounting Provisions

The FCPA requires public companies3 to (a) make and keep books and records that accurately and fairly reflect the transactions of the corporation and (b) devise and maintain an adequate system of internal accounting controls. (See 15 U.S.C. § 78m)

The UKBA does not contain accounting provisions. As a result of the Amendments, the CFPOA makes it illegal to hide a bribe to a foreign official by (a) establishing or maintaining accounts which do not appear in any of the books and records that are required to be kept in accordance with applicable accounting standards; (b) making transactions that are not recorded in those books; (c) recording non-existent expenditures in those books; (d) knowingly use false documents; (e) intentionally destroying books and records. (See Section 4.(1))6

The BCCA does not contain accounting provisions.

State of Mind In alleging violations of the bribery provisions of the FCPA, the government must show that the defendant had the requisite state of mind with respect to his actions (i.e., negligence, recklessness, intent). (See 15 U.S.C. § 78dd-1(f)(2))

The UKBA imposes strict liability on a corporation for “failing to prevent bribery” where an associated person bribes another person regardless of whether that person is a foreign political official or not.5 (See Section 7)

The Department of Justice’s Guide to the CFPOA elaborates on Canadian authorities’ interpretation of the CFPOA’s mens rea element: The CFPOA itself does not address the mental state required for a violation. However, in light of its imposition of criminal liability, Canadian courts interpret it as requiring intention and knowledge or willful blindness.

Brazilian law imposes strict liability of infringing companies in the case of all administrative sanctions and judicial sanctions that involve forfeiture of assets, rights, or valuables (see Chapter I Article 2). This means that prosecutors need only to prove that any of the acts set forth in the BCCA took place.

Company employees however are not to be held strictly liable for the illegal acts of the company and are liable only to the extent of their culpability. (See Chapter I Articles 3-4)

Continued on next page »


18

Provisions FCPA U.K. Bribery Act CFPOA BCCAJurisdiction The bribery provisions of the FCPA apply to:

(a) SEC issuers (U.S. and foreign companies) (See 15 U.S.C §78dd-1(a)); (b) “domestic concerns6” (See 15 U.S.C §78dd-2(h)(1)); (c) U.S. persons acting outside U.S. in furtherance of a prohibited payment (See 15 U.S.C §78dd-1(g)(1)); (d) foreign nationals and entities that commit an act in the U.S. in furtherance of a prohibited payment; (See 15 U.S.C. §78dd-1(a) and (e) U.S. or foreign agents of any of the foregoing. (See 15 U.S.C §78dd-1(g)(1))

The “failure to prevent bribery” provision applies to: (a) U.K. entities that conduct business in the U.K. or elsewhere; and (b) any corporation, wherever formed, which carries on business or part of a business in the U.K. (See Section 7(5))

As a result of the Amendments, the CFPOA applies to activities committed outside of Canada if the person is (a) a Canadian citizen; (b) a permanent resident of Canada; or (c) a public body, corporation, society, firm or partnership that is incorporated or otherwise formed under Canadian law. (See Section 5.(1))7

The BCCA applies to:

(a) Brazilian business organizations and sole proprietorships, whether incorporated or not, regardless of the type of organization or corporate model adopted as well as any foundations, associations or entities of persons;

(b) foreign companies having an office, branch or representation in the Brazilian territory that are organized in fact or by law, even if temporarily.

(See Chapter I Article 1)

AffirmativeDefense and Mitigation – Compliance Program

The Principles of Federal Prosecution of Business Organizations (See Chapter 9-28.000) and the U.S. Sentencing Guidelines (See Chapter 8) as well as the SEC’s Cooperation Guidelines contain the framework for mitigation of charges and sanctions based on the effectiveness of an organization’s compliance program and the voluntary disclosure and cooperation by companies and individuals.

The UKBA permits companies that have allegedly failed to prevent bribery to assert an affirmative defense that they had adequate procedures in place to prevent the bribe.8 (See Section 7(2))

While not specifically included in the CFPOA, it appears that the Canadian government will consider the effectiveness of an organization’s compliance program and its remedial efforts, including voluntary disclosure of potentially violative conduct. (See Griffiths Energy International, January 14, 2013)

The BCCA provides a leniency program for companies that first disclose wrongdoing and cease involvement in the unlawful practice. It additionally includes a provision to encourage the cooperation of the legal entity with the investigation of the violations, including by voluntary reporting them to the authorities, as well as the disclosure of information during the course of the investigations (see Chapter V Article 16)

In addition, “the existence of mechanisms and internal integrity procedures, audit and incentive denunciation of irregularities in applying the code of conduct and ethics within the legal entity” will be taken into consideration when applying sanctions (See Chapter III Article 7)

AffirmativeDefense – Local Law

The FCPA provides an affirmative defense for payments that are permissible under written local law. (See 15 U.S.C. §78dd-1(c)(1))

The UKBA provides the same affirmative defense – but only with respect to payments made to foreign political officials. (See Sections 6(3) and 6(7))

On the other hand, with respect to “commercial bribery,” written local law can be considered only as a mitigating factor in determining what a reasonable payor or payee in the U.K. would expect in return for the payment. (See Section 5(2))

The CFPOA states that no person shall be deemed to have committed an offense if a payment is permitted or required under a foreign law or the law relating to the organization for which the foreign official works. (See Section 3.(3)(a))

The BCCA does not provide an affirmative defense for local law.

AffirmativeDefense – Promotional Expenditures

The FCPA provides an affirmative defense for payments that are reasonable and bona fide business expenses that are directly related to the promotion, demonstration or explanation of products or services, or the execution or performance of a contract with a foreign government or agency. (See 15 U.S.C. §78dd-1(c)(2))

The UKBA does not provide an affirmative defense for bona fide business expenses.

The CFPOA states that no person shall be deemed to have committed an offense if a payment for the reasonable expenses incurred by a foreign official that are directly related to the promotion, demonstration or explanation of products or services, or the execution or performance of a contract with a foreign government or agency. (See Section 3.(3)(b))

The BCCA does not provide an affirmative defense for bona fide business expenses.

Facilitation Payments

The FCPA permits facilitation payments for low-level payments for certain routine government actions. (See 15 U.S.C. §78dd-1(b) and §78dd-1(f)(3))

The UKBA does not permit an exception for facilitation payments.

Pursuant to the Amendments, the exception for facilitation payments will be phased out at a date to be determined by the Federal Cabinet.

There is no exception for facilitating payments in the BCCA.

6. U.S.C.§78dd-2(h)(1)defines“domesticconcern”asmeansanyindividualwhoisacitizenorresidentoftheUnitedStatesand/oranycorporation,partnershiporbusinessentitywhichisorganizedunderthelawsofaStateoftheUnited States or which has its principal place of business in the United States

7. Prior to the amendment, the CFPOA applied only where there was a “real and substantial link” between the offense and Canada. This meant that a substantial portion of the foreign bribe or corrupt payment had to be linked to Canada.

8. On September 22, 2010, the U.K. Ministry of Justice, as required by Section 9 of the UKBA published guidance regarding the nature and scope of the adequate procedures defense. See our Alert entitled, The U.K. Bribery Act – What Are Adequate Procedures (http://www.navigant.com/insights/library/disputes_and_investigations/2011/uk-bribery-act/).

19


Provisions FCPA U.K. Bribery Act CFPOA BCCAJurisdiction The bribery provisions of the FCPA apply to:

(a) SEC issuers (U.S. and foreign companies) (See 15 U.S.C §78dd-1(a)); (b) “domestic concerns6” (See 15 U.S.C §78dd-2(h)(1)); (c) U.S. persons acting outside U.S. in furtherance of a prohibited payment (See 15 U.S.C §78dd-1(g)(1)); (d) foreign nationals and entities that commit an act in the U.S. in furtherance of a prohibited payment; (See 15 U.S.C. §78dd-1(a) and (e) U.S. or foreign agents of any of the foregoing. (See 15 U.S.C §78dd-1(g)(1))

The “failure to prevent bribery” provision applies to: (a) U.K. entities that conduct business in the U.K. or elsewhere; and (b) any corporation, wherever formed, which carries on business or part of a business in the U.K. (See Section 7(5))

As a result of the Amendments, the CFPOA applies to activities committed outside of Canada if the person is (a) a Canadian citizen; (b) a permanent resident of Canada; or (c) a public body, corporation, society, firm or partnership that is incorporated or otherwise formed under Canadian law. (See Section 5.(1))7

The BCCA applies to:

(a) Brazilian business organizations and sole proprietorships, whether incorporated or not, regardless of the type of organization or corporate model adopted as well as any foundations, associations or entities of persons;

(b) foreign companies having an office, branch or representation in the Brazilian territory that are organized in fact or by law, even if temporarily.

(See Chapter I Article 1)

AffirmativeDefense and Mitigation – Compliance Program

The Principles of Federal Prosecution of Business Organizations (See Chapter 9-28.000) and the U.S. Sentencing Guidelines (See Chapter 8) as well as the SEC’s Cooperation Guidelines contain the framework for mitigation of charges and sanctions based on the effectiveness of an organization’s compliance program and the voluntary disclosure and cooperation by companies and individuals.

The UKBA permits companies that have allegedly failed to prevent bribery to assert an affirmative defense that they had adequate procedures in place to prevent the bribe.8 (See Section 7(2))

While not specifically included in the CFPOA, it appears that the Canadian government will consider the effectiveness of an organization’s compliance program and its remedial efforts, including voluntary disclosure of potentially violative conduct. (See Griffiths Energy International, January 14, 2013)

The BCCA provides a leniency program for companies that first disclose wrongdoing and cease involvement in the unlawful practice. It additionally includes a provision to encourage the cooperation of the legal entity with the investigation of the violations, including by voluntary reporting them to the authorities, as well as the disclosure of information during the course of the investigations (see Chapter V Article 16)

In addition, “the existence of mechanisms and internal integrity procedures, audit and incentive denunciation of irregularities in applying the code of conduct and ethics within the legal entity” will be taken into consideration when applying sanctions (See Chapter III Article 7)

AffirmativeDefense – Local Law

The FCPA provides an affirmative defense for payments that are permissible under written local law. (See 15 U.S.C. §78dd-1(c)(1))

The UKBA provides the same affirmative defense – but only with respect to payments made to foreign political officials. (See Sections 6(3) and 6(7))

On the other hand, with respect to “commercial bribery,” written local law can be considered only as a mitigating factor in determining what a reasonable payor or payee in the U.K. would expect in return for the payment. (See Section 5(2))

The CFPOA states that no person shall be deemed to have committed an offense if a payment is permitted or required under a foreign law or the law relating to the organization for which the foreign official works. (See Section 3.(3)(a))

The BCCA does not provide an affirmative defense for local law.

AffirmativeDefense – Promotional Expenditures

The FCPA provides an affirmative defense for payments that are reasonable and bona fide business expenses that are directly related to the promotion, demonstration or explanation of products or services, or the execution or performance of a contract with a foreign government or agency. (See 15 U.S.C. §78dd-1(c)(2))

The UKBA does not provide an affirmative defense for bona fide business expenses.

The CFPOA states that no person shall be deemed to have committed an offense if a payment for the reasonable expenses incurred by a foreign official that are directly related to the promotion, demonstration or explanation of products or services, or the execution or performance of a contract with a foreign government or agency. (See Section 3.(3)(b))

The BCCA does not provide an affirmative defense for bona fide business expenses.

Facilitation Payments

The FCPA permits facilitation payments for low-level payments for certain routine government actions. (See 15 U.S.C. §78dd-1(b) and §78dd-1(f)(3))

The UKBA does not permit an exception for facilitation payments.

Pursuant to the Amendments, the exception for facilitation payments will be phased out at a date to be determined by the Federal Cabinet.

There is no exception for facilitating payments in the BCCA.


20

FULL SPEED AHEAD.Advancing white collar matters with precision, speed and clarity.

©2014NavigantConsulting,Inc.Allrightsreserved.NavigantConsultingisnotacertifiedpublicaccountingfirmanddoesnotprovideaudit,attest,orpublicaccountingservices.Seenavigant.com/licensing for a complete listing of private investigator licenses.

navigant.com