Winston & Strawn partner Pam Davis has been a monitor in three Foreign Corrupt Practices Act (FCPA) cases.

Which companies were they?

“You are not supposed to disclose the company name unless the company discloses,” Davis told Corporate Crime Reporter in an interview last week. “One of them did disclose my name –  Diebold. The others did not. And the reason they don’t is that monitors are an appointed position. There is no attorney client relationship with the company. Nor is there an attorney client relationship with the government. You are independent and in the middle.” 

“There are confidentiality rules that apply to everything you do. But your work is not privileged. You always have to be concerned that you may do something that harms the company’s privilege. The running theory is that you don’t disclose the name of the company because you don’t want to have a bunch of plaintiffs’ law firms serving a subpoena on you. You can’t claim privilege and now the government and the company have to come in and claim on confidentiality grounds that your work can’t be produced. That’s why we don’t disclose. We don’t disclose the name of the company unless the company discloses.”

How many FCPA monitors have there been?

“I don’t actually know that number. At the time I got my third monitorship in 2017, I was told there were 37. I don’t even know if that number was accurate. There have been many FOIA requests. But someone did a legal analysis and compiled who they thought the monitors were. They did some work to try and find out who the monitor candidates were. But they were not able to get those.”

“Keep in mind, there are different kinds of monitorships. My third monitorship was an SEC independent monitorship. The first two were joint SEC and Department of Justice monitorships. All three were FCPA.”

How does the Justice Department and the SEC determine which company will get a monitorship?

“You can look at the Department of Justice guidance. But how do they actually do it? It boils down to – do they trust that this company has the ability to prevent a future FCPA problem? Has the company put in a compliance program that is effective and secure and that can prevent future violations? Do the members of the board and the senior leadership of the company look at this as something that is critical and important?”

“If you fail those tests – don’t have a strong program, don’t have the proper tone at the top, if you are a repeat offender, then you are likely going to get a monitor because they don’t trust that you are a corporate citizen that can monitor yourself. Companies are expected to monitor their own compliance programs. It’s called self-monitoring.”

“Perhaps some companies have a blip or a rogue employees. They might not have had a great program, but over the three years of the investigation, they put in a great program, they put in great leadership. Those companies will probably get a pass and be allowed to self-report. But for the companies that don’t put all of that together, they are the ones that get a monitor.”

What is the job of an FCPA monitor?

“When the company enters into a settlement the government, there is an addendum that defines the monitor’s mandate. The mandate is that your job is to determine whether there is a compliance program in place that can effectively detect, prevent and remediate if a violation occurs. The monitor’s job is not to investigate. You don’t go in and try and find if there was a violation. You go in and look at the compliance program. You see where the controls are. And the compliance is not just the written policies and procedures. It is the back end financial controls.”

“Your policy can say – we don’t bribe. But to support the policy statement, the company needs to put in controls in the back end. If an invoice comes in, there must be a two way match – invoice to the purchase order for the payment to process. The approval has to come from the department that made the purchase order and then an approval from a different department.”

“The monitor looks at the company policies. And then you go in and test to see if their back end financial controls are sufficient to support those policies, sufficient to prevent potential violations. And then you see if the company has the ability to detect problems if they occur. Is there an invoice that just came in that has something unusual on it? And did the approver on the business side or the approver on the finance side have the understanding and skill sets to detect if there was a problem?”

“And the third thing you test is the company’s ability to remediate. Now you have this individual who violated your policy. You have a policy. You detected it. And now you have to remediate. Does the company have an appropriate process for remediation? Do they know when to hire outside counsel? Do they know when to investigate? Do they have a program in place that can effectively punish the bad actor? What is their termination policy?”

“The monitor is monitoring the effectiveness of the company’s compliance program from the front end to the back end and then remediation. If a company does face a whistleblower complaint during the monitorship, the monitor will sit back and watch and see – how well does this company manage this process? How did they determine whether or not there was a violation? How did they investigate it? How did they fix a gap in their control process that could prevent it in the future?”

“The monitor’s job is to make sure the company is capable of doing all of those things themselves and move into the self-monitoring phase.”

“That’s a long way of saying – a monitor does three things – you look at prevention, detection and remediation.”

Since the monitor is being paid by the company, it must be difficult for the monitor to flunk the company. Has it ever happened?

“Yes.”

You mean where the monitorship gets extended because the company didn’t pass the test?

“Yes. It happens quite a bit. The Department and the SEC vet the potential candidates. The company has to identify up to five. Three of the five have to be deemed qualified. And then one of the qualified candidates is selected. The government and the company decide which of those candidates would be best suited for the potential issues for that company.”

“Yes, the company does pay the monitor’s fees. The monitor and its law firm cannot have worked for that company over a period of years. There is a vetting to make sure there is no potential conflict of interest. And when you sign to be a monitor, you also agree that you and your law firm cannot get hired by that company for a period of years after that monitorship is over. That’s all done to prevent this potential conflict. You want the monitor to be independent. You are not their lawyer. And you can’t be their lawyer when they are done.”

When you were a monitor, did you get an office at the company? Or did you work out of your own office?

“I did not have an office at the company. It wasn’t something that was warranted or needed. Some monitors, depending on what their role is, and what the issues are, they may need to have a space at the company. We had shared work sites where the company could send us the documents we needed. We could work from our own offices. And our forensic auditing team worked the same way. We did what were called field visits. We went to the office. Every quarter you would go visit foreign country locations and sometimes it would be the headquarters. But in my cases, there wasn’t a need to have an office inside the company.”

Do FCPA monitors get together to discuss their work?

“The short answer to that is no. But while I was on my second monitorship, the Department of Justice had a program where they would have the monitors get together telephonically. And we would discuss various issues. It was an opportunity for the monitors to discuss issues and learn from one another. That did happen. That was organized and quite helpful during the period of my second monitorship. It was during the period when Hui Chen was at the office. I can’t tell you if that continued after she left. And it wasn’t just FCPA monitors.”

[For the complete q/a format Interview with Pam Davis, see 34 Corporate Crime Reporter 1(12), January 6, 2020, print edition only.]