November 1, 2012
In April 2012, a former Morgan Stanley managing director responsible for the expansion of the firm’s China real estate portfolio pleaded guilty for his role in a conspiracy to evade the company’s internal accounting controls. An American citizen living in Singapore and described as a “rising star” in the Morgan Stanley organization, the executive conspired to assist a Chinese official and a Canadian lawyer in secretly buying a stake, at a discounted price worth more than $5 million, in a Shanghai property owned by a Morgan Stanley fund. In exchange for this “finder’s fee,” the Chinese official agreed to help steer lucrative real estate investment opportunities to Morgan Stanley in the China real estate market as well as obtain necessary licenses and approvals for real estate investments. In August, the executive was sentenced to nine months in prison, agreed to never again work in the securities industry and relinquished his share (more than $3 million) in the duplicitous real estate deal.
The significance of this violation of the Foreign Corrupt Practices Act (FCPA) is that the U.S. Department of Justice (DoJ) declined to bring any enforcement action against Morgan Stanley related to the executive’s conduct.
The DoJ’s Rationale for Declining to Prosecute
According to court documents, the executive conspired with others to circumvent Morgan Stanley’s internal controls in order to transfer a multimillion dollar ownership interest in a Shanghai building to himself and the Chinese public official with whom he had a personal friendship. The executive falsely represented to others within Morgan Stanley that a Chinese state-owned and state-controlled entity was purchasing the real-estate interest, when in fact the executive knew the interest would be conveyed to a shell company controlled by him, the Chinese public official and the Canadian attorney. After the sale, the executive and his co- conspirators continued to claim falsely that the state-owned and state-controlled entity owned the shell company. In the years since the executive and his co-conspirators gained control of the real-estate interest, all of them have periodically accepted equity distributions and the real- estate interest has appreciated in value.
The DoJ’s release regarding this matter provided the department’s rationale in declining to prosecute Morgan Stanley. The release stated (see here):
After considering all the available facts and circumstances, including that Morgan Stanley constructed and maintained a system of internal controls, which provided reasonable assurances that its employees were not bribing government officials, the Department of Justice declined to bring any enforcement action against Morgan Stanley related to [the employee’s] conduct. The company voluntarily disclosed this matter and has cooperated throughout the department’s investigation.
The DoJ’s decision not to bring an enforcement action against the executive’s employer provides useful insights to in-house counsel and executives of other companies who seek to create an effective FCPA compliance policy and process for their companies. What is so unusual about this case is the DoJ has issued comparatively few opinion letters regarding its enforcement of FCPA matters since the legislation was passed in 1977. For example, there have been only two FCPA-related opinion releases during the last year. Because there is relatively little case law related to the FCPA due to the propensity of the accused to settle, the DoJ’s enforcement history must be examined in order to gain insights into the department’s reasoning in corruption cases.
What Did Morgan Stanley Do?
When the executive’s conduct was discovered in 2008, Morgan Stanley acted quickly. With the help of outside counsel, it conducted an intensive nine-month internal investigation, fired the executive, and voluntarily disclosed its findings to the DoJ and the Securities and Exchange Commission (SEC). Morgan Stanley also notified its shareholders, cooperated fully with the government’s investigation of the executive, and undertook additional measures to reinforce and enhance its compliance program.1
According to court documents, there were several key points made by the DoJ that led it to its decision not to prosecute Morgan Stanley:
- Instituted appropriate policies – Morgan Stanley’s policies prohibited bribery and addressed corruption risks associated with the giving of gifts, business entertainment, travel, lodging, meals, charitable contributions and employment.
- Maintained a robust system of internal controls – The firm’s controls were intended to ensure accountability for its assets and to prevent employees from offering, promising or paying anything of value to foreign government officials.
- Provided strong oversight of compliance – The DoJ acknowledged Morgan Stanley’s many legal and compliance employees who were located in domestic and international offices. Morgan Stanley’s compliance department included anti-corruption experts in various high-risk areas where the company operated, including China. Compliance personnel regularly monitored transactions; randomly audited particular employees, partners, transactions and business units; and tested transactions to identify illicit payments. The program’s inclusion of transaction monitoring provided a sure sign that the company understood that the need for diligence is ongoing.
- Frequently trained employees on internal policies and anti-corruption laws – The firm trained various groups of Asia-based personnel on anti-corruption policies 54 times over the six-year period during which the FCPA violations occurred. During the same period, the firm trained the executive in question on the requirements of FCPA seven times. In addition, the company’s compliance officer warned the executive that he was dealing with a foreign official, and reminders of the company’s code of conduct prohibiting bribery of foreign officials and requiring FCPA compliance were sent to the executive at least 35 times during the six-year period.
- Updated its internal policies frequently for change – The firm updated its policies on a frequent basis to reflect new regulatory developments and specific emerging risks.
- Conducted due diligence on, and imposed controls over payments to, business partners – Extensive due diligence was carried out on all new business partners and stringent controls were imposed on payments made to business partners.
It is reported that Morgan Stanley responded to the investigation by cooperating with the DoJ and providing “exhaustive detail” on (a) the compliance training it delivered to the employee, and (b) documentation of the warnings and reminders the employee received. Bottom line, the breadth of the information Morgan Stanley provided to the DoJ substantiated a compelling case that the executive in question was duplicitous, as he acted on his own and circumvented his employer’s policies and internal controls.2
Implications for the Compliance Process
For decades, it has been generally accepted that a robust system of internal controls provides reasonable assurance – not absolute assurance – that relevant objectives are met. This underlying principle asserts that established controls do not constitute a guarantee that violations of policies, laws and regulations will not occur. Collusion can circumvent established controls, and the DoJ satisfied itself that that is exactly what occurred in the Morgan Stanley case.
With respect to the objective that employees are complying with anti-corruption laws and regulations, it has been difficult to ascertain the DoJ’s threshold for assessing what constitutes “reasonable assurance.” The DoJ’s public acknowledgement that it “declined to bring any enforcement action against Morgan Stanley” sent a powerful message that Morgan Stanley was a company that attained the “reasonable assurance” threshold.
Issue 10 of Protiviti’s The Bulletin focuses on issues around compliance, its current state, true cost and value proposition, as well as its organizational structure, and offers suggestions on ways it can be improved.3 In exploring lessons learned from the Morgan Stanley case, we avoid repeating or elaborating on points explained in that issue of The Bulletin. Following are 10 lessons learned from Morgan Stanley’s compliance process:
- Lead with a strong tone at the top – Management sets the “tone at the top” when it comes to compliance. In addition to “walking the talk” by conducting business ethically, upper and middle management should consistently and frequently communicate the necessity for adhering to the organization’s values. Zero tolerance for corruption must come from the top down. Compliance procedures must be articulated clearly up, down and across the organization and followed by all officers, directors, employees, partners, agents, consultants and representatives, among others. Policies must be communicated effectively, in writing (and online, if practicable), which may include translating policies into the native languages of markets in which the company does business.
- Maintain strong administration and oversight of compliance – Individual employees should be given specific responsibilities and accountability. Enforcers of the company’s compliance plan should be designated. Compliance officers should oversee and manage compliance issues and they should be provided with a clear reporting structure. A strong oversight of compliance by the board of directors should be in place.
- Conduct a comprehensive risk assessment – Only through an effective risk assessment can management understand the bribery and corruption risks inherent in its global operations. The risk assessment process provides direction and focus to compliance oversight through an understanding of where the firm is operating and the local risks that should be taken into consideration.
- Refresh for change – Make sure your compliance program evolves with new regulatory developments and industry guidance. Don’t allow compliance processes to become stale. Continue to invest in compliance. Take into account any lessons learned from past violations.
- Understand the players in the countries in which the organization does business – Until the DoJ defines clearly what a “foreign official” is with specific rules and/or guidelines, apply the term broadly and require executives dealing with such officials to report their dealings. If third-party agents are used, the compliance program should focus on understanding the contractual provisions, what the third-party agent is really doing for the company, how the agent is being paid and the business motivation for using the agent. It is important to recognize that this is not a one-time assessment. It is important to ensure that conditions have not changed during the ongoing business relationship.
- Ensure that compliance training and certification is robust – Training should spell out the company’s expectations for compliance with its corporate policies and procedures, as well as anti-corruption or anti-bribery laws and regulations. Retraining should occur periodically, and all employees and third parties should certify that they comply with the company’s compliance policies. Whenever policies and procedures are updated, the updated information should be recirculated to employees, and employees should be retrained with emphasis on the updated information. Training sessions should be well documented, and records of when employees received training, as well as the corresponding materials, should be kept in employees’ personnel files.
- Ensure that effective auditing and monitoring capabilities are in place – The auditing and monitoring processes should evaluate the compliance program’s effectiveness. The audit committee should regularly receive and review audit reports, as well as notification about complaints or investigations of noncompliance with corporate policies designed to prevent or detect bribery and corruption risk.
- Notification – When compliance issues arise, the organization needs to become aware of them as soon as possible. Therefore, there should be a system in which employees can report wrongdoing and notify the company of suspected violations of the company’s policies and applicable anti-corruption laws and regulations. Employees should be provided with the names and contact information of compliance and legal officers. An anonymous, confidential hotline should be provided and employees should be encouraged to use the available reporting mechanisms.
- Act decisively – Upon receipt of any allegations, the proper individuals within the organization should take immediate action, including seeking advice from appropriate experts (including outside counsel), investigating the allegations, disciplining or terminating employees participating in illegal acts, notifying the appropriate authorities, and disclosing the matter to shareholders. According to the DoJ, this is exactly what Morgan Stanley did.
- Maintain adequate documentation – Track the date, time and location of each training session conducted and compliance communication delivered. Archive and store a copy of each training program each employee attends and each compliance policy communication sent to the employee. Although listed last, this lesson could very well be the most important aspect of the program, and certainly had an impact on the DoJ’s determination to not pursue prosecution of the executive’s employer.
The Morgan Stanley case proves that the DoJ and SEC will credit companies when they demonstrate a consistent, deliberate and clear commitment to compliance in addition to strong support from the top.
An effective compliance program can not only help prevent compliance violations, but can also
— as demonstrated by the Morgan Stanley case — help mitigate the fallout from a serious violation such as one involving the FCPA. With this example as a benchmark, companies in all industries can now focus on taking practical steps to improve their compliance processes to reduce the risk of prosecution. Because no large company can ever protect itself entirely from the actions of rogue employees who engage in collusion, these steps can soften the blow if corruption occurs.
The DoJ’s enforcement of the FCPA statute has been criticized for a lack of transparency regarding how much a company benefits from (a) its compliance program during the period in which a compliance violation is perpetrated, and (b) cooperating with an investigation.4 Not only does the DoJ’s decision not to prosecute Morgan Stanley provide insight into the DoJ’s thinking, but it also delivers a clear message that there is a benefit to full cooperation. As regulatory bodies around the world become more sophisticated and cross-border enforcement continues to increase, companies can expect the DoJ to collaborate with other countries to take on anti- corruption initiatives. This unprecedented level of collaboration increases the risks. Therefore, it is imperative that companies elevate their compliance game to a higher level to deal with the risk of rogue employees.