By Jeff Dale, 6 January 2025
Positive enforcement outcomes are few and far between, but companies that don’t brush misconduct under the rug and own up to their mistakes should be celebrated.
These compliance wins often go on behind the scenes, without much fanfare. For companies searching for the ethical mensch, here are the top compliance triumphs of 2024.
Ericsson
It’s been a long ‘integrity journey’ for multinational telecommunications giant Ericsson, according to the company’s Head of Compliance Global Affairs Alison Howell. Since settling with the US Department of Justice (DOJ) over Foreign Corrupt Practices Act (FCPA) violations in 2019, the company has gone through a ‘business critical transformation,’ resulting in the end of its compliance monitorship, an accomplishment that should be recognised.
In 2019, the company agreed to pay more than $1 billion [1] to settle violations of the FCPA and entered into a deferred prosecution agreement (DPA) with the DOJ. The settlement included an independent compliance monitor.
In October 2021, it breached its obligations [2] under its DPA by failing to provide certain documents and factual information. In February 2022, Ericsson admitted it found evidence of ‘corruption-related misconduct in Iraq.’[3] A month later, the DOJ determined Ericsson breached the DPA a second time for ‘insufficient’ disclosures.[4]
The monitorship was originally set to run until June 2023 before being extended an additional year.[5]
Ericsson Chief Compliance Officer Becky Rohr was appointed to the post in March,[6] bringing together investigations and compliance. In June, the company announced the monitorship had concluded after the monitor certified its anti-corruption programme.[7]
Howell joined the company in 2020 as Head of Allegation Management and later took on the Head of the Monitor Liaison Office. She brought with her years of experience being a point of contact for a compliance monitor at her previous employer, Amsterdam-based telecommunications company VEON. That monitorship ended in 2019.[8]
She said that in both instances, the monitor took a very collaborative approach, with the most foundational aspects to building an effective compliance programme including CEO and board buy-in, grassroots cultural transformation, robust global allegation management and investigations, and fostering a ‘speak-up culture.’
Ericsson is a matrixed organisation with a presence in more than 180 countries, Howell said, so a ‘business critical transformation’ took place that was led by the CEO and executive team. This included implementing cross-functional teams to strengthen business processes and extensive in-person training and monitoring in more than 20 countries.
‘It’s a drumbeat that doesn’t go away when the monitorship is over,’ she noted. ‘We’re not going to have the same compliance programme forever. It needs to evolve as the business itself evolves.’
A large part of strengthening the company’s allegation management and investigations included building a tailored case management system to assess allegations and investigate, Howell said.
Through the case management system, the company could focus on patterns and trend-spotting, root-cause analysis, and risk visibility, according to Howell.
The company encouraged a ‘speak-up culture,’ Howell said, by training employees on how to speak up and sending a strong message that the company will not tolerate retaliation. Mentorship was also a big driver, with the company’s Compliance Boost Programme offering compliance training to employees with diverse expertise, including those in finance and technology.
Another avenue into driving engagement across the globe was the company’s grassroots Speak-Up Road Shows, which took Howell to places like Saudi Arabia and Guatemala.
‘It was amazing to me how much feedback I got,’ she said, adding that with the company's global presence, it's been a priority to have local compliance officers. ‘Having [a compliance officer] locally, that person is out there to advise the business, is available to people there, and is able to land the messages.’
MilliporeSigma
The Department of Justice (DOJ) has been telling companies for a while that voluntary self-disclosure is the way to receive leniency.
In May, ‘extraordinary cooperation’ earned MilliporeSigma,[9] a Massachusetts-based biochemical company and a subsidiary of Merck, the first-ever corporate declination under the DOJ National Security Division’s voluntary self-disclosure programme.
The company’s prompt disclosure helped the DOJ foil a ‘rogue’ employee’s scheme to procure and ship discounted products to China using falsified export documents.
Assistant Attorney General Matthew Olsen of the DOJ’s National Security Division, said the case ‘reflects the value for companies like MilliporeSigma to quickly self-disclose potential criminal activity and reaffirms our commitment to work in partnership with the private sector to root out conduct that violates the law and jeopardises our national security.’
In August, the Commerce Department’s Bureau of Industry and Security used the case as an example in export control guidance for academic research institutions.[10]
SAP
When a company agrees to pay $220 million [11] in penalties and enters into a three-year deferred prosecution agreement (DPA) over recidivist sanctions and FCPA violations across nine countries, it’s usually not considered a ‘triumph.’
But when the penalty reflects a 40% reduction off the 10th percentile above the low end of the DOJ’s sentencing guidelines, and acknowledges non-compliant employees were disciplined under the agency’s compensation clawback pilot programme,[12] it certainly becomes noteworthy.
The DOJ’s investigation against German-based software company SAP focused on schemes to pay bribes to government officials in South Africa and Indonesia, while the Securities and Exchange Commission (SEC) said SAP employed third-party intermediaries and consultants to pay bribes to government officials across seven countries: Azerbaijan, Ghana, Indonesia, Kenya, Malawi, South Africa, and Tanzania.
Held against the company were its settlements with the DOJ and other agencies in April 2021 for admitted Iran sanctions violations [13] and with the SEC in 2016 over alleged FCPA violations in Panama.[14]
SAP told Compliance Week in January it ‘separated from all responsible parties’ now nearly six years ago and has since ‘significantly enhanced its global compliance programme and related internal controls.’
Acting Assistant Attorney General Nicole Argentieri of the DOJ’s Criminal Division said at the time the case demonstrates how the agency’s corporate enforcement policies ‘incentivise companies to be good corporate citizens’ and remediate criminal misconduct.
Kiromic BioPharma
When allegations came to light from two anonymous complaints filed on Houston-based Kiromic BioPharma’s whistleblower hotline, the company took the allegations seriously.[15] So seriously it led to SEC charges and fines against the company’s chief executive officer and chief financial officer. The company, however, walked away without a fine.
In December, Kiromic self-reported material omissions related to Federal Drug Administration (FDA) holds on two cancer drugs that raised $40 million from investors.
In response to the whistleblower complaints, the company’s board formed a special committee of independent directors and hired outside counsel to investigate. The probe confirmed that the FDA had placed holds on the clinical trials in June of 2021, and that the company had not disclosed that fact to investors.
Following the investigation, the board appointed an interim CEO ‘who received training on appropriate disclosure controls and procedures,’ the SEC said. The board also established a disclosure committee comprised of management and appointed two new independent directors to the board.
Whistleblowers
In February, a significant ruling [16] by the Supreme Court of the United States (SCOTUS) reaffirmed protections for whistleblowers guaranteed under the Sarbanes-Oxley Act.
While there have been other SCOTUS rulings this year that have spurred consternation in compliance circles, namely the Chevron doctrine [17] and SEC in-house tribunals [18] getting nixed, the court decided protecting whistleblowers is a priority.
In the case, Murray v. UBS Securities, the court said whistleblowers don’t have to prove they were terminated because of ‘retaliatory intent’ – a decision expected to set a precedent [19] that impacts all corporate internal reporting cases in favour of whistleblowers.
The Supreme Court argued the appeals court erred by ‘making proof of “retaliatory intent” a requirement.’ Instead, the ‘actionable discrimination’ of a whistleblower was the real burden of proof, in the court’s opinion.
Robert Herbst, Murray’s Lead Trial Attorney and Counsel of Record in the Supreme Court, called the decision ‘a significant victory across the board’ for whistleblower protections, whether it be at the corporate level, governmental, or non-governmental.
Boston Consulting Group
Prompt co-operation is always good, but not always enough to earn a DOJ declination.
For Boston Consulting Group (BCG), the company avoided criminal prosecution for FCPA violations related to $4.3 million given to secure contracts in Angolan [20] by terminating personnel involved in the misconduct with ‘compensation-based penalties.’
This included requiring implicated BCG partners in Portugal to give up their equity in the company, denying financial transition benefits, and withholding bonuses.
The DOJ listed seven other reasons for not prosecuting BCG, including ‘significant improvements to its compliance programme and internal controls,’ along with ‘formalising employee training and vendor/client screening protocols, establishing local and global risk committees that meet regularly, and developing guidelines for opening offices in new and emerging markets,’ a letter by Glenn Leon, Chief of the DOJ’s Fraud Section, to BCG’s attorneys, stated.
BCG has since closed its office in Luanda, Angola, according to a statement,[21] and is committed to strengthening internal controls, scaling up its risk and compliance function, and improving its systems and technology.
This article has been republished with permission from Compliance Week, a US-based information service on corporate governance, risk, and compliance. Compliance Week is a sister company to the International Compliance Association. Both organisations are under the umbrella of Wilmington plc. To read more visit www.complianceweek.com