Written by Richard Wegrzyn on Tuesday 9 May, 2017
Historically, there hasn’t been a large number of high profile enforcement actions in relation to bribery. The low numbers could be taken as a sign that regulators are not focusing on this risk or conversely that firms have improved systems and controls so much that bribery is a thing of the past.
In reality, bribery and corruption incidents can be difficult to identify and extremely complicated to investigate and so there’s a high chance that a number of significant investigations are underway. As to whether firms’ systems and controls have improved to the extent that no breaches are occurring – ongoing scandals suggest this is unlikely to be the case.
The enforcement actions we do see highlight a number of themes, including the:
- Different ways bribery manifests itself
- Challenges of developing effective systems and controls
- Impact a firm's culture has on staff acting dishonestly
We will use a case study to illustrate these three points in more detail.
In late 2016, JP Morgan reached a settlement with the US Securities and Exchange Commission (SEC) and other regulators to settle charges of violating the Foreign Corrupt Practices Act (FCPA). The bank paid $264 million after facing charges of corruptly influencing government officials in the Asia Pacific region, by giving jobs and internships to their relatives and friends.
The firm’s subsidiary in Asia was found to have engaged in a ‘systematic bribery scheme’ by hiring the children of government officials and other clients (who were typically unqualified for the positions on their own merit), in exchange for lucrative business rewards and new deals. JP Morgan’s internal controls were found to be so weak that not one Referral Hire request was denied.
1. How bribery manifests itself:
The view of bribery being about the passing of envelopes of cash is clearly old fashioned. The case study shows how a client Referral Hire programme for the ‘sons and daughters’ of actual or potential clients was used to influence decisions, ultimately securing lucrative financial returns for the firm. The programme was deliberately designed to operate outside of the usual graduate/intern recruitment programmes and the enforcement noted that ‘the primary goal of client referral hiring was to generate revenue for JPMorgan APAC by extending personal favors to client executives and government officials through hiring their relatives and friends’.
The case study reinforces the need for firms to think broadly and creatively about the risks that they face. Risk assessments need to consider all areas where someone may be induced, or induce another, to act improperly. This might cover the giving/receiving of gifts and hospitality, but also extends into the use of third parties, procurement processes and, as highlighted, recruitment.
2. The challenges of developing effective systems and controls
It was well documented within the bank that recruitment programmes could lead to bribery risks. The group’s Anti-Corruption Policy stated ‘it is improper for a person to offer or give anything to a public official, either directly or through an intermediary, in an effort to secure an advantage that would not have been granted if the offer or gift had not been made,’ noting that ‘”value” can include such things as the offer of internships or training for relatives of a public official.’
These policy requirements were reinforced through training which was rolled out to all staff across the region. This means all employees were aware of the risks associated with recruiting children of clients.
In recognition of the risk, legal and compliance developed a process for screening prospective Referral Hires. Under the process as it was intended to work, each requesting banker was required to fill out the questionnaire for each specific hire, and then submit that questionnaire to the bank’s regional legal and compliance staff for review and approval.
Additionally, the bank imposed restrictions on what confidential information Referral Hires were able to access. This was designed to prevent conflicts of interest and the sharing of sensitive, confidential information regarding JP Morgan’s clients, or the competitors of those clients, with the relatives and friends of senior officials with those same clients. In cases in which the referring person was employed by a government ministry, Referral Hires were supposed to be walled off from transactions involving that ministry.
On the face of things, it may appear that the control design put in place was adequate. They covered a range of governance, people and process approaches to mitigate an identified risk. And yet in spite of the controls in place, there was continued misconduct of both investment banking and legal and compliance staff regarding the Referral Hire programme.
Of particular note:
- Investment bankers did not demonstrate understanding of the risks; in many cases they completed the questionnaire honestly, for instance ‘It will strengthen our relationship with [client] and solidifying [sic] our position as an advisor to him and the IPOs of his companies (expected to be >$500mm in offering size’. This brings into question the effectiveness of policy requirements and training activity.
- Legal and compliance support staff challenged such submissions, explaining that such recruitment would not be allowed. Responses to probing questions would provide a radically different answer obfuscating any risk and these were then escalated by the support staff with no mention of the original insight and no follow-up challenge from legal and compliance staff. This suggests ineffective process, training and segregation of duties. It also suggests challenges with culture, level of seniority/authority or understanding of their purpose.
- It doesn’t appear that sufficient independent investigation was carried out into the accuracy of information contained in the questionnaires. Independent checks may have uncovered the fact that the forms were not being completed accurately, exposing the improper behaviour much earlier on.
- The business deliberately defined contract dates and durations in order not to appear on the year-end headcount figures (e.g. 11.5 month contracts from January to mid-December), again hiding the true numbers of people being employed. This brings into question the effectiveness of management information protocols as well as HR oversight and challenge.
3. The impact a firm's culture has on staff acting dishonestly
Fundamentally the failings in this case, as in so many others, appear to come down to cultural issues. Despite the presence of numerous directive controls a sufficient number of staff felt that their own agenda was more important than the firm's stated position.
This is exemplified through:
- a focus on the financial benefit seemingly at any cost
- lack of challenge from legal and compliance support staff
- wilful provision of false information in formal records
- continued and extensive use of a prohibited approach to recruitment.
Firms need to ensure that staff are actively encouraged to do the right thing, in line with policy requirements. They need to feel supported when they take actions to prevent risks even when this is to the detriment of influential colleagues. Whilst culture must be driven from the very top of the firm through the way they incentivise, target and challenge senior management, it can be driven from the middle or locally too.
As the case study highlights, the Referral Hire process was effectively ended when:
a compliance officer in a newly-created position was tasked with reviewing and approving client Referral Hire questionnaires. In denying a request to hire a Referral Hire, he stated that hiring Referral Hires at the request of clients and outside of the normal hiring system was impermissible under JPMorgan’s compliance and anti-corruption policies.
This demonstrates how an individual with the courage and conviction to do the right thing, or for that matter the wrong thing, can have far reaching effects across even the largest organisations.
The case study focuses very much on a formal arrangement for improper use of recruitment activity. This formal nature makes it very easy to see where improper behaviour was occurring. However, everyday individuals within firms are making decisions which could well involve actual impropriety (or could well be perceived to be improper by an ordinary person).
By working through the case study it was clear that despite awareness of the risk, a range of controls failures were still able to occur. So what can firms do to protect themselves?
All of the ‘typical’ controls need to be in place, as they were in the case study – risk assessment, policies, procedures, training and reporting are all critical parts of the control framework. Firms need to independently critically assess the effectiveness of these controls to try and understand if the controls are functioning as intended through their design.
Additionally, firms should also consider the following.
- Culture: To be fully effective this has to come from the very top, and that means that senior management have to genuinely want to do the right thing. It should be driven locally by senior and middle management by way of leading by example. It should be played out in the way they direct the activities of the institution, the way success is rewarded and the way unacceptable behaviour is dealt with. It can be difficult to influence this type of culture but making senior management aware of the risks and consequences is an important first step.
- Escalation procedures: Staff need to be encouraged to raise concerns and be confident they can do so without recrimination. This doesn’t need to be via a formal whistle-blowing process it could just be a suggestion box. Heavily linked to culture, often staff will be aware of problems but may not report it for various reasons: knowledge of how to report, fear of reporting or expectation that little will change as a result of their escalation.
- Monitoring and independent checking: Whilst a process to complete a questionnaire was a sensible step in the case study, without independent validation of the information provided, even on a sample basis, the process was always open to being abused. Compliance staff and senior management need to have insight into what is really happening on the frontline – independent review, re-performance of controls or validation of information on a risk sensitive sample basis may make the difference in the level of insight.
Richard Wegrzyn is a Managing Consultant in the Financial Crime Advisory team at Bovill Limited. All views expressed are those of the author and should not be considered as advice.
Find out more about the ICA Certificate in Anti-Corruption today.