EXAMINING THE ATTORNEY-CLIENT PRIVILEGE IN INTERNAL INVESTIGATIONS
In U.S. ex rel. Barko v. Halliburton Co., 1:05-CV-1276 (D.D.C. Mar. 6, 2014), the
District Court for the District of Columbia issued a landmark ruling limiting the scope of the attorney-client privilege and work product doctrine. The court ordered a qui tam defendant to turn over certain documents, including internal investigation reports, finding that the documents were ordinary business records created not to obtain legal advice but rather to comply with corporate policy and federal regulations. Although the D.C. Circuit recently overturned this district court’s ruling, the controversy regarding this case should serve as a warning and provide important guidance to companies seeking to protect their internal investigations from discovery in subsequent litigation.
Harry Barko, a former employee of Halliburton’s former subsidiary Kellogg Brown & Root (“KBR”), filed the qui tam action under the False Claims Act, alleging that KBR had subcontracted work to third parties who submitted inflated invoices for shoddy work, resulting in overcharges to the government. During discovery, Mr. Barko sought documents that KBR had prepared in the course of an internal investigation into the same alleged misconduct. KBR had conducted its investigation pursuant to its Code of Business Conduct (“COBC”) procedures, which are an internal controls system required by Department of Defense contracting regulations. Under KBR’s COBC procedures, investigations were initiated by a dedicated COBC director and conducted by non-attorneys. Only after the investigation was complete did COBC transmit its written reports to the law department. After reviewing the documents in camera, the district court described the investigation as “routine” corporate compliance and held that neither the attorneyclient privilege nor the work product doctrine protected documents connected with the investigation from discovery. The court reasoned that the attorneyclient privilege did not apply because the investigation failed the “but-for” test to determine privilege. Under this test, a communication is privileged only if it would not have been made but for the fact that legal advice was sought. In a unanimous decision authored by Judge Brett Kavanaugh, the D.C. Circuit rejected the district court’s test, explaining that “[s]o long as obtaining or providing legal advice was one of the significant purposes of the internal investigation, the attorney-client privilege applies.” In re Kellogg Brown & Root, Inc., No. 14-5055 (D.C. Cir. June 27, 2014) (emphasis added). The D.C. Circuit further stated that this test applies “regardless of whether an internal investigation was conducted pursuant to a company’s compliance program required by statute or regulation, or was otherwise conducted pursuant to company policy.” The D.C. Circuit’s opinion, which came after the circuit court granted the rare relief of a writ of mandamus, removes the uncertainties created by the district court’s decision and takes an expansive view of the privilege in the context of internal investigations. The opinion also quells the fears of commentators who speculated that, if affirmed, the Barko decision may have the unintended consequences of penalizing companies that conduct thorough investigations and maintain complete records of their findings or incentivizing others to conduct surface-level inquiries and failing to document their results.
However, the controversy over whether the attorney-client privilege applies to KBR’s internal investigation documents highlights the importance of companies taking prudent measures to protect their own internal investigation reports and related documentation. The factors the courts considered in reaching their decisions in the KBR matter offer practical guidance for companies seeking to maintain robust compliance programs by conducting thorough investigations, while limiting the likelihood that investigative material will be discoverable in subsequent proceedings. Attorneys Should Initiate and Oversee the Investigation The district court explained that in contrast to the investigation conducted in Upjohn Co. v. United States, 449 U.S. 383 (1981)—which was conducted only after Upjohn’s legal department conferred with outside counsel—the COBC investigation was a “routine corporate, and apparently ongoing” compliance investigation. The D.C. Circuit found that the privilege applies nevertheless, so long as obtaining or providing legal advice was “one of the significant purposes” of the investigation, noting that as in Upjohn, the investigation was conducted by the company’s legal department, acting in a legal capacity. Given this guidance, companies should ensure that internal investigations are initiated by in-house or outside counsel. Counsel should also be involved in setting the investigation’s objectives and scope and document them in writing, making it clear that a “significant purpose” of the investigation is to assess legal issues and provide legal advice. Counsel should also manage and oversee the investigation throughout its duration. Consider Retaining Outside Counsel The district court also noted that a significant difference between the COBC and the Upjohn investigations was that the latter involved outside counsel. The D.C. Circuit rejected this conclusion, finding that “[i]nside legal counsel to a corporation or similar organization . . . is fully empowered to engage in privileged communications.” Generally speaking, however, investigations and reports prepared by outside counsel are more likely to be protected by the attorney-client privilege and work product doctrine because, unlike in-house counsel, who are sometimes viewed as having a “business” rather than a “legal” role, outside counsel are more clearly retained for legal, not business, advice. While it is not always necessary to retain outside counsel, and doing so does not guarantee that investigation materials will be protected from discovery, it provides an added protection of those materials.
Attorneys Should Conduct or Oversee Interviews The lower court observed that the interviewees would not have been able to tell that the investigation was of a legal nature because the interviewers were not attorneys. The D.C. Circuit noted that “the investigation here was conducted at the direction of the attorneys in [the company]’s Law Department. And communications made by and to non-attorneys serving as agents of attorneys in internal investigations are routinely protected by the attorney-client privilege.” When possible, in-house or outside counsel should be used to gather and review evidence and conduct witness interviews. If non-attorneys are used, the company should ensure and document that these non-attorneys are aware that the investigation is being conducted at the direction and under the supervision of counsel. Inform Interviewees of the Legal Nature of the Investigation Another factor in the Barko court’s decision was that the interviewees were never advised that the purpose of the investigation was to help the company seek legal advice. The D.C. Circuit, however, stated that “nothing in Upjohn requires a company to use magic words to its employees in order to gain the benefit of the privilege for an internal investigation.” But the D.C. Circuit also noted that employees knew that the company’s legal department was conducting an investigation of a sensitive nature and that the information they disclosed would be protected. To ensure protection of privileged materials, at the outset of every interview, the interviewer—whether an attorney or nonattorney— should advise the interviewee that the purpose of the interview is to gather facts that the legal department needs to provide legal advice to the company. This message is typically conveyed in an Upjohn warning. The interviewer should also document that this information was communicated to the interviewee in notes from the interview or in an interview memorandum. Label All Privileged Documents Finally, a company and its counsel should clearly label all documents developed during the course of a privileged investigation as subject to the attorney-client privilege and/or the work product doctrine. Using this guidance, companies can maintain robust compliance programs and conduct thorough internal investigations while limiting the likelihood that the documentation produced during those investigations will be discoverable in subsequent litigation.
INCREASED FCPA SCRUTINY OF HIRING PRACTICES
The government’s ongoing investigations of several financial services firms for their overseas hiring of relatives of foreign officials serve as an important reminder of the FCPA risks inherent in such hiring practices. Securities and Exchange Commission (“SEC”) and Department of Justice (“DOJ”) investigations were first disclosed in a firm’s quarterly filings in August and November 2013, respectively. Also, in November 2013, the press reported that the SEC had issued information requests to several other firms. And, most recently in March 2014, the SEC sent additional requests to at least five prominent financial services firms. The March 2014 inquiries, requesting detailed information on the banks’ recruiting in Asia, suggest the SEC’s probe is still intensifying.
The government’s information requests have focused on whether the targeted firms’ recruiting programs pursue relatives of influential government officials. The investment banks’ practice of hiring children of senior government figures (so-called “princelings” in China), based on their connections with and knowledge of the local financial system is relatively common in Asia. U.S. regulators, however, are concerned that some hires are directly linked to a government benefit derived by the bank—for example, participation in the initial public offerings (“IPOs”) of state-owned entities. This type of quid-pro-quo arrangement could violate the FCPA. Corruption Risks of Hiring Relatives of Government Officials The FCPA applies to the giving, authorization, or offer of “any money” or “anything of value” to a foreign official. Since at least the 1980s, the DOJ has warned companies of the risks of using their hiring practices to obtain benefits from foreign officials. A handful of FCPA Review/Opinion Procedure Releases published in the 1980s and the 1990s address companies’ relationships with relatives of foreign officials and highlight the importance of appropriate checks and balances when entering into such arrangements. More recently, in “A Resource Guide to the U.S. Foreign Corrupt Practices Act” (issued jointly by the SEC and DOJ in November 2012), the U.S. regulators noted that “[c]ompanies also may violate the FCPA if they give payments or gifts to third parties, like an official’s family members, as an indirect way of corruptly influencing a foreign official” (emphasis added). Accordingly, government regulators could view employment provided to a foreign official’s relative as something of value to the foreign official himself or herself for purposes of the FCPA. Even if a hiring decision constitutes something of value to a foreign official, it violates the FCPA only if the decision was made with “corrupt intent.” In other words, a company must have hired the foreign official’s relative intending to improperly influence the official into awarding business or some other business advantage to the company. Although, technically, the contemplated business or advantage need not come to fruition for a hiring decision to violate the FCPA, regulators are especially alert to direct evidence linking a hiring decision to new government business or to another decision affecting the company. At least three recent FCPA settlements involved quidpro- quo hiring arrangements. In these three cases, the companies hired relatives of foreign officials for positions in which they performed no work. These positions were used to conceal the companies’ transfer of money to foreign officials, resulting in business (and an FCPA violation) for the companies. Given that some financial services firms appear to be recruiting relatives of government officials for legitimate positions, the recent SEC inquiries into overseas bank hiring suggest that the regulators’ focus in these investigations may include situations where the government official’s relative is performing actual work for the target company. Minimizing FCPA Exposure for Hiring Decisions Hiring the relatives (either as employees, consultants or interns) of foreign officials is not, in and of itself, illegal. But such practices will attract close scrutiny from U.S. regulators. As a result, companies should approach these arrangements with caution, and robust internal controls should be in place before engaging the relative of a foreign official. Overseas companies or subsidiaries can limit FCPA exposure in this area by ensuring that their employment decisions are legitimate and are not linked to any new government business. For example, companies should be able to demonstrate that the relative is qualified for the position, that the relative satisfactorily performs the duties of his or her position, and that the relative is compensated similarly to others in comparable positions. Ensuring that the position was vacant before the relative was hired (rather than created specifically for the relative) may also limit the perception that the employment decision is a quid-pro-quo arrangement in exchange for government business. Companies also must ensure that their internal controls are sufficient to monitor and evaluate overseas hiring decisions. At a minimum, companies should conduct reasonable due diligence before hiring relatives of government officials and should include anti-corruption provisions in their contracts. And, because many internship decisions are made at a local level, and without corporate oversight, companies should consider folding internship programs into the internal controls governing regular hiring decisions. Based on recent FCPA investigations in the financial services industry, companies should be on the lookout for increased anti-corruption scrutiny in their hiring practices overseas. This increased scrutiny highlights the importance of an effective compliance program that covers both overseas hiring and internships.
RECENT EU DIRECTIVE PAVES THE WAY FOR MORE TRANSPARENCY OVERSEAS
In a move that showcased the European Union’s increased focus on corporate transparency, the European Parliament voted on April 15, 2014 to amend the “EU Accounting Directives” to require large companies to disclose annually certain non-financial information, including performance indicators regarding bribery and corruption. The new Directive applies to all EU-incorporated companies with over 500 employees, including EU-based subsidiaries of multinational corporations and is expected to impact about 6,000 companies. The new Directive amends a law passed just last year that already sought to increase corporate transparency by requiring certain EU companies working in the extractive and logging industries to report annually on payments made to governments in connection with projects in those sectors. The amended Directive is part of a growing EU focus on anti-corruption and other corporate social responsibility measures. In its press release on the new Directive, the European Commission emphasized that this measure was designed to strengthen laws already in place by making information disclosure mandatory on certain key issues. The press release noted that increased transparency was good for investors and companies alike. Citing evidence that companies that are transparent “perform better over time, have lower financing costs, attract and retain talented employees, and are ultimately more successful,” the Commission argued that better transparency means better corporate performance. In addition, the Commission stated that a growing number of key stakeholders (including investors, shareholders and employees) are demanding increased non-financial transparency. Yet under legal disclosure requirements, including the Accounting Directives passed last year, fewer than 10% of the largest EU companies regularly disclose such information. The new Directive is designed to require companies to disclose this information publicly in annual reports, just as they would financial data. Under the new Directive, companies are required to prepare, on an annual basis, a non-financial report with performance indicators related to anti-corruption and bribery issues, among other issues. According to the Directive, subject companies are required to include various details on anti-corruption and bribery issues in these non-financial reports, including (i) a description of the company’s relevant policies and due diligence procedures; (ii) the outcome of those policies and procedures; and (iii) the principal risks identified by the company and how the company manages those risks. Companies are also encouraged to include specific information on the measures they have in place to combat corruption and bribery in their operations. All of this information should be included as part of the company’s annual management report. Companies must either comply with these disclosure requirements or provide a “clear and reasoned explanation” why they are unable to do so. The Directive itself does not specify a prescribed form of reporting, giving companies the option of using international, European, or national guidelines. The Commission is expected to publish a set of non-binding guidelines to aid businesses in complying with the new law, but businesses will likely have considerable flexibility in how they choose to convey the required information. Affected companies, however, are advised not to wait to take a fresh look at their current compliance policies and practices, as well as areas of greatest risk. For companies with less robust compliance programs, this may be an opportunity to make improvements before the reporting requirements go into effect. Companies are urged to seek guidance on current best practices in their home country or in jurisdictions with strong anti-corruption laws, like the United States. While the new Directive does not in itself impose penalties for weak compliance programs, it is likely to raise expectations among governments, investors and shareholders as to whether companies are taking adequate precautions to mitigate risk and act ethically. Both the European Commission and European Parliament have approved the measure, and the Council of the European Union is expected to adopt the law in the coming weeks. It will then come into effect in each EU member state, with full implementation expected within two years. Companies based in the EU or with significant EU operations should take note of this continued focus on transparency, as well as the relatively significant reporting requirements under the new law.
IN THE INTERIM
4/2/2014: Six foreign nationals, including a government official in India, were charged with an alleged racketeering conspiracy to bribe officials in India to win titanium mining rights. The DOJ stated that, starting in 2006, the defendants allegedly conspired to pay $18.5 million in bribes to obtain mining licenses in an Indian coastal state. 4/7/2014: Latvia completed the necessary steps to become a member of the OECD Anti-Bribery Convention, becoming the 41st party to the Convention, effective May 30, 2014. Latvia was invited to join the OECD Working Group on Bribery in September 2013. 4/9/2014: Hewlett Packard’s Russian subsidiary pled guilty to substantive FCPA offenses for its role in a scheme to bribe officials of the Office of the Prosecutor General of the Russian Federation in order to secure a technology contract. The contract was worth over $100 million and was viewed as a “golden key” capable of unlocking many other opportunities with the Russian government. 4/14/2014: Two former employees, Benito Chinea and Joseph DeMeneses, of Direct Access Partners, a New York-based brokerdealer were charged with FCPA violations for allegedly bribing an official at Venezuela’s state-owned economic development bank. 5/8/2014: The SEC asked Quanta Services Inc., an engineering, procurement and construction infrastructure services company, to preserve documentation from its FCPA compliance program. The SEC is specifically looking into the company’s operations in South Africa and the United Arab Emirates, but has not alleged to date any violations by Quanta or its employees. 5/8/2014: PTC Inc., a software company, disclosed in its Form 10-Q that it had received a subpoena from the SEC in connection with an FCPA investigation for payments and expenses by its China business partners and PTC’s Chinese subsidiary’s employees. PTC Inc. had previously stated it was in settlement talks with the DOJ and SEC. 5/9/2014: Joseph Sigelman, former CEO of a South American oil and gas services company, was indicted for bribing an official at Columbia’s state-controlled oil company, Ecopetrol SA, to secure approval for a $39 million oil services contract, and for defrauding the company by taking kickbacks. Sigelman’s co-CEO, Knut Hammarskjold, pled guilty to the same charges in February. 5/19/2014: The U.S. Court of Appeals for the 11th Circuit upheld the convictions of Joel Esquenazi and Carlos Rodriquez, thereby validating the DOJ’s expansive definition of “foreign official” under the FCPA. Esquenazi and Rodriquez’s sentences, at 15 and 7 years, respectively, are the longest prison sentences ever imposed in an FCPA case. For more information on the Esquenazi, please see our prior alert. 6/19/2014: The DOJ issued a declination for Smith & Wesson ending its FCPA investigation of the company, which was launched in 2010 after the indictment of its Vice President of Sales. Smith and Wesson also stated that the SEC civil investigation, also launched in 2010, was nearing a resolution.
* New criminal or civil cases (settled or contested) instituted by year ** Based upon public disclosures of investigations
Corporate FCPA-Related Penalties* (in U.S. millions)
Includes disgorgement; does not include non-U.S. fines ** Includes publicly disclosed reserves for future FCPA settlements
COMPLIANCE CORNER: The Value of Robust Compliance Programs
For many years, government regulators have encouraged companies to develop robust compliance programs to detect and prevent FCPA violations. Recent DOJ and SEC settlements indicate that these agencies are following through on their prior statements by imposing harsher sanctions when a violation is detected for companies that, in the agencies’ view, do not have strong compliance programs in place. Indeed, the strength of a company’s compliance program is an important factor that government regulators consider when making charging decisions, calculating penalties, and deciding whether to require a compliance monitor. Charging Decisions. Since 1999, when then-Deputy Attorney General Eric Holder issued a memorandum addressing the prosecution of business organizations, the DOJ has considered the adequacy of a company’s existing compliance program at the time of the alleged offense as a factor in making charging decisions. The U.S. Attorney’s Manual advises prosecutors that “it may not be appropriate to impose liability” based on the actions of a “rogue employee” if the company already has “a robust compliance program in place” when the conduct occurred. Commentators and practitioners routinely questioned whether the government actually followed this policy. In response, the DOJ and the SEC recently started releasing more details about declination decisions. One common occurrence in many of these declination decisions is that the government found the conduct to be isolated and found that the company already had a robust compliance program in place when the conduct occurred. This trend of the government disclosing its declinations started in 2012 with the DOJ’s decision not to pursue Morgan Stanley for the FCPA violations of a rogue employee who developed a scheme to evade the firm’s internal accounting controls. In 2014, DOJ and/or the SEC announced FCPA declinations for four companies— Merck, Baxter International, SL Industries, and Lyondell—after the companies identified potential violations, conducted internal investigations, and enhanced their existing compliance programs. Based on limited public knowledge, it appears that all four of these companies had strong compliance programs already in existence when the problematic conduct occurred. Conversely, the DOJ and the SEC appear to be acting more aggressively toward those companies found to be lacking an effective compliance program. For example, in one recent case, the DOJ emphasized that the company did not have “an effective compliance and ethics program at the time of the offense” and required the company to enter into a plea agreement, as opposed to a deferred prosecution agreement or nonprosecution agreement. Amount of Penalties. If a company can show evidence that it attempted to protect against FCPA violations by implementing and maintaining a strong compliance program, the government may be convinced to reduce the amount of fines levied upon the company. For example, two foreign subsidiaries of the Hewlett- Packard Company (“HP”) recently paid fines that were approximately 30% below the minimum fine amount recommended by the Sentencing Guidelines. Specifically, the fine range for HP’s Russian subsidiary was $87 to $174 million, but it was only required to pay a $58 million fine. Likewise, the fine range for HP’s Polish subsidiary was $19 to $38 million, but it was only required to pay a $15 million fine. In both instances, the DOJ cited the parent company’s commitment “to maintain and continue enhancing its compliance program and internal accounting controls.” Imposing a Monitor. Companies with effective compliance programs may also avoid the implementation of an independent monitor following an FCPA charging decision. While the DOJ’s decision to impose a monitor depends on the individual circumstances of the company and the pervasiveness of the alleged conduct, a strong compliance program can help a company avoid having a monitor imposed. Based on recent settlements, the government generally requires an independent corporate monitor when the company needs to improve its compliance program. For example, in the October 2013 deferred prosecution agreement with Diebold, Inc., the DOJ acknowledged that the company had “undertaken some remedial measures” to address the deficiencies in its program, but the DOJ nevertheless imposed a monitor because Diebold’s actions were “not sufficient to address and reduce the risk of recurrence.” In contrast, neither HP nor its subsidiaries were required to have a monitor after the company was found to have a robust compliance program in place.
In the end, a robust compliance program will not only help a company prevent and detect potential FCPA violations, but the DOJ and SEC will also consider the design and good faith implementation of the company’s compliance program when deciding what actions to take once a violation has been found to have occurred. Although there is no one-size-fits-all program, companies should, at a minimum, implement the hallmarks of a good program listed in the Resource Guide: (1) commitment from senior management and a clearly articulated policy against corruption; (2) code of conduct and compliance policies and procedures; (3) oversight, autonomy, and resources; (4) risk assessment; (5) training and continuing advice; (6) incentives and disciplinary measures; (7) third-party due diligence and monitoring of payments; (8) confidential reporting and internal investigation; (9) continuous improvements, periodic testing, and review; and (10) M&A pre-acquisition due diligence and post-acquisition integration. By implementing a robust compliance program that reflects these hallmarks, companies could potentially avoid liability, reduce the amount of any fines, and possibly avoid a monitor.
Recent Events Demonstrate Ramped Up Enforcement of Canadian Corruption Law: As previously reported in the 1st Quarter 2014 Anti-Corruption Quarterly, recent amendments and ramped-up enforcement of the Canadian Corruption of Foreign Public Officials Act (“CFPOA”) have increased the risk of liability under the Act for Canadian companies and individuals employed by them. Two subsequent events this spring demonstrate how seriously Canadian law enforcement and courts are taking their mandate under the CFPOA. On May 23, 2014, a justice of the Ontario Superior Court handed down the first jail sentence for a violation of the CFPOA since it was enacted in 1999. Nazir Karigar, an employee of CryptoMetrics Inc., a Canadian company, was sentenced to three years in prison for conspiring to bribe Air India officials in connection with a bid for a security contract. Notably, the government did not prove that Mr. Karigar actually made any illicit payment, and the contract ultimately was not awarded to CryptoMetrics. Following the sentencing of Mr. Karigar, the Royal Canadian Mounted Police charged two Americans, Robert Barra and Dario Bernini, the former CEO and COO of CryptoMetrics, and Shailesh Govindia, a U.K. national and agent of the company, alleging that the three individuals were also part of the conspiracy to bribe Air India officials. With the sentencing of Mr. Karigar and the charging of Messrs. Barra, Bernini and Govinia, Canadian authorities are sending a strong message to the business community that individuals, not just entities, will be held responsible for violations of the CFPOA.