Petrobras Reaches $1.78+ Billion Resolution of Foreign-Bribery Investigations with U.S. and Brazilian Authorities

On September 27, the Brazilian state-owned and state-controlled oil and gas company Petróleo Brasileiro S.A. – Petrobras (Petrobras) entered into agreements with the United States Department of Justice, the Securities and Exchange Commission (SEC), and Brazilian authorities, under which Petrobras agreed to pay a combined total of more than $1.78 billion to resolve two foreign-bribery investigations: (1) the U.S. investigation into violations of the Foreign Corrupt Practices Act (FCPA) in connection with Petrobras’s role in facilitating payments to politicians and political parties in Brazil; and (2) a related Brazilian investigation.  According to the Department’s Assistant Attorney General for the Criminal Division Brian Benczkowski, “Executives at the highest levels of Petrobras—including members of its Executive Board and Board of Directors—facilitated the payment of hundreds of millions of dollars in bribes to Brazilian politicians and political parties and then cooked the books to conceal the bribe payments from investors and regulators.”

The Department’s press release summarized the admissions that Petrobras made in connection with the resolution:

[W]hile the company’s American Depository Shares traded on the New York Stock Exchange, members of the Petrobras Executive Board were involved in facilitating and directing millions of dollars in corrupt payments to politicians and political parties in Brazil, and members of Petrobras’s Board of Directors were also involved in facilitating bribes that a major Petrobras contractor was paying to Brazilian politicians.  During this period, for example, a Petrobras executive directed the payment of illicit funds to stop a parliamentary inquiry into Petrobras contracts, and the executive also directed payments received from Petrobras contractors to be corruptly used to pay millions of dollars to the campaign of a Brazilian politician who had oversight over the location where one of Petrobras’s refineries was being built.

Petrobras admitted that it failed to make and keep books, records and accounts that accurately and fairly reflected the company’s capitalization of property, plant and equipment as a result of the bribes being generated by the company’s contractors with the cooperation of certain Petrobras executives, and that certain Petrobras executives signed false Sarbanes-Oxley (SOX) 302 sub-certifications while they were involved in, and were aware that other executives at Petrobras were involved in, obtaining and facilitating the payment of millions of dollars in bribes to Brazilian politicians, to Brazilian political parties and to themselves.  Petrobras also admitted that certain executives failed to implement internal financial and accounting controls in order to continue to facilitate bribe payments to Brazilian politicians and Brazilian political parties.

The resolution consists of three agreements:

  • Petrobras entered into a non-prosecution agreement (NPA) with the Department. Under that agreement, Petrobras agreed to pay an $853.2 million criminal penalty to be divided as follows: (1) the Department and the SEC would each receive 10 percent of the total penalty (i.e., $85,320,000 each); and (2)  Brazil would receive the remaining 80 percent ($682,560,000).   In addition, Petrobras “agreed to continue to cooperate with the Department in any ongoing investigations and prosecutions relating to the conduct, including of individuals, to enhance its compliance program and to report to the Department on the implementation of its enhanced compliance program.”
  • Petrobras entered into an agreement with the SEC based on Petrobras’s misleading U.S. investors by filing false financial statements that concealed a massive bribery and bid-rigging scheme at Petrobras. Under that agreement, Petrobras agreed to pay the SEC disgorgement and prejudgment interest totaling $933,473,797.  That amount is to be reduced by the amount of any payment that Petrobras makes to the class action Settlement Fund in the matter of a civil case pending in the Southern District of New York.
  • Petrobras agreed to reach a settlement with the Ministerio Publico Federal in Brazil, whose terms are covered above.

Note: This tripartite resolution is another significant milestone, after the 2016 guilty pleas of Odebrecht and Braskem, in the multinational enforcement efforts to root out the pervasive political and commercial corruption that has plagued Brazil.  Because Petrobras played a central role in that corruption, it is worthwhile to compare the Petrobras resolution with the Odebrecht and Braskem resolutions:

  1. Justice Department Three-Part Standard for Resolution

Since the Department established its FCPA Pilot Program in 2016, it has applied a three-part standard for resolving corporate FCPA investigations: i.e., the company must (1) voluntarily self-disclose FCPA-related misconduct, (2) fully cooperate with the Department (specifically the Criminal Division’s Fraud Section); and (3) where appropriate, remediate flaws in its controls and compliance programs.  The FCPA Corporate Enforcement Policy retained that standard in modified form, stating that a company is entitled to a presumption of declination without a criminal resolution if it has voluntarily self-disclosed misconduct in an FCPA matter, fully cooperated, and timely and appropriately remediated, unless the Department finds aggravating circumstances that may warrant a criminal resolution such as (1) involvement by the company’s executive management in the misconduct; (2) a significant profit to the company from the misconduct; (3) pervasiveness of the misconduct within the company; and (4) criminal recidivism.

  1. Voluntary Self-Disclosure: Petrobras, Odebrecht, and Braskem did not voluntarily self-disclose.
  2. Full Cooperation: The Department credited Petrobras with “notify[ing] the government of its intent to fully cooperate after learning of the allegations of misconduct” and full cooperation in the investigation.  It added that the cooperation included “conducting a thorough internal investigation, proactively sharing in real time facts discovered during the internal investigation and sharing information that would not have been otherwise available to the Department, making regular factual presentations to the Department, facilitating interviews of and information from foreign witnesses, and voluntarily collecting, analyzing and organizing voluminous evidence and information for the Department in response to requests, including translating key documents.”  In contrast, the Department credited Odebrecht with full cooperation, and Braskem with partial cooperation, without elaboration.
  3. Timely and Appropriate Remediation: The Department stated that Petrobras “also took extensive remedial measures, including replacing the Board of Directors and the Executive Board (the company’s high-level managers) and implementing governance reforms, as well as disciplining employees and ensuring that the company no longer employs or is affiliated with any of the individuals known to the company to be implicated in the conduct at issue in the case.” It stated that Odebrecht and Braskem “also engaged in remedial measures, including terminating and disciplining individuals who participated in the misconduct, adopting heightened controls and anti-corruption compliance protocols and significantly increasing the resources devoted to compliance.”
  4. Aggravating Circumstances: Although the Odebrecht and Braskem resolutions occurred before the adoption of the Corporate Enforcement Policy, several aggravating circumstances can be compared and contrasted:
    1. Involvement by Executive Management: For Petrobras, the Department stated that executives “at the highest levels . . . including members of its Executive Board and Board of Directors” facilitated the payment of hundreds of millions of dollars in bribes and falsified corporate books and records to conceal the misconduct from investors and regulators. For Odebrecht and Braskem, the Department stated that the offenses “involved the highest levels of the companies.”
    2. Profit to Company: For Petrobras, the Department did not list a single bottom-line total of profit that the company obtained through its misconduct. That may well have been due to the sheer volume of contracts associated with the misconduct.  For example, the Petrobras NPA’s Statement of Facts stated that a refinery-completion project that Petrobras intended to complete “generated more than 300 contracts and more than 950 amendments.”  For Odebrecht and Braskem, the Department stated that Odebrecht’s “corrupt payments and/or profits total[ed] approximately $3.336 billion” and Braskem’s “corrupt payments and/or profits totaling approximately $465 million.”
    3. Pervasiveness of Intracorporate Misconduct: Although the Corporate Enforcement Policy does not define “pervasiveness of the misconduct,” it is reasonable to assume that the term includes the duration and geographic scope of the misconduct as well as the number and amounts of bribes paid.  By that test, all three companies engaged in pervasive misconduct.  Petrobras’s misconduct, which extended from at least 2004 to 2012, involved company executives and managers facilitating “massive bid-rigging and bribery schemes.”  Odebrecht’s “massive and unparalleled bribery and bid-rigging scheme” began in at least 2001 and lasted for more than a decade, and during that time involved payment of “approximately $788 million in bribes to government officials, their representatives and political parties in a number of countries.” So elaborate was the extent of Odebrecht’s bribery that it established a “Division of Structured Operations”, “which effectively functioned as a stand-alone bribe department within Odebrecht and its related entities.”  Braskem “admitted to engaging in a wide-ranging bribery scheme and acknowledged the pervasiveness of its conduct,” which included, between 2006 and 2014, Braskem’s payment of approximately $250 million into Odebrecht’s “secret, off-book bribe payment system.” Braskem used that system to authorize “the payment of bribes to politicians and political parties in Brazil.”
    4. Criminal Recidivism: If “recidivism” under the Corporate Enforcement Policy means the commission of one or more FCPA offenses after the prior commission of an FCPA offense, none of the three companies engaged in recidivist conduct, though all three certainly involved vast numbers of bribe payments.
    5. Other Factors: In Petrobras, the Department stated that the resolution was “based on a number of unique factors presented by this case, including that Petrobras is a Brazilian-owned company that entered into a resolution with Brazilian authorities and is subject to oversight by Brazilian authorities, and that, in addition to the significant misconduct engaged in by Petrobras, a number of executives of the company engaged in an embezzlement scheme that victimized the company and its shareholders.”  The first factor, as it is worded, is not unique when one considers the Odebrecht and Braskem resolutions.  Odebrecht is a Brazil-based conglomerate and Braskem a Brazilian company, and both entered into separate resolutions with Brazilian authorities.  In addition, for all three companies Brazil was to receive the majority of the criminal financial penalty: 80 percent for Petrobras and Odebrecht, and 70 percent for Braskem.  The second factor, embezzlement by corporate executives, is a unique factor for Petrobras, though the Department’s statements do not
  5. Discount from Sentencing Guidelines: Consistent with the Corporate Enforcement Policy, both Petrobras and Odebrecht received a 25 percent discount off the low end of the Sentencing Guidelines fine range for their cooperation and remediation, while Braskem received only a 15 percent discount because of its partial cooperation.

Ultimately, the Petrobras resolution is important for at least two reasons.  First, it represents continuing progress in the long-running pursuit of high-level corruption in Brazil.  Second, it continues to signal to foreign law enforcement authorities that U.S. authorities are prepared to cede the lion’s share of FCPA-related penalties to foreign authorities, in cases in which the level of engagement (including human and fiscal resources) and “sweat equity” that those foreign authorities have invested in the investigations make such a distribution fair and equitable.

Australian Federal Police Arrest Sydney Businessman for Alleged Foreign Bribery in Nauru

On September 14, the Australian Federal Police (AFP) announced that on September 13, they arrested a director in the Sydney-based Radiance International group of companies, Mozammil Gulamabbas Bhojani, on a charge of conspiring to bribe foreign officials in Nauru.  Bhojani’s arrest stemmed from “Operation Regatta,” which the AFP began in 2015 to investigate allegations that Radiance International and its related group of companies, which specialize in trading rock phosphate, conspired to pay bribes to Nauruan public officials.

Bhojani allegedly was involved in making five payments totaling more than AU$100,000 to the officials. According to ABC News, court documents show that Bhojani “operates a multinational business with a network of international contacts,” “appears to have extensive business interests on Nauru” and “has access to large quantities of cash.”  Subsequently, ABC News reported that Radiance International had also received an AU$2.5 million contract from the Australian Department of Home Affairs for refugee accommodation structures on Nauru.

Note: This case is a reflection of the increasing sophistication in Australian law enforcement’s pursuit of foreign bribery over the last five years.  Since 2013, the AFP has not only provided cooperation in other countries’ foreign-bribery investigations such as Alcoa and Unaoil, but has also been a participant in the four-nation International Foreign Bribery Taskforce (IFBT) with the Federal Bureau of Investigation, the Royal Canadian Mounted Police, and the United Kingdom National Crime Agency.

Historically, Australian authorities were criticized for pursuing only a very few foreign-bribery cases.  Last September, in just the second foreign-bribery prosecution in Australia, the New South Wales Supreme Court in Regina v. Jousif imposed sentences of imprisonment on three individual defendants.  But the December 2017 OECD Working Group on Bribery’s Phase 4 Report credited Australia with “significantly” increased enforcement since 2014, noting that the AFP had 19 active investigations and three further case referrals to the Commonwealth Director of Public Prosecutions.

Since the Phase 4 Report, the Bhojani case is the second foreign-bribery case that the AFP has brought in 2018.  Previously, Australian-based consulting firm SKM was charged with allegedly bribing Vietnamese officials between 2006 and 2011 and Philippine officials between 2000 and mid-2005.

Moreover, public information about the Bhojani case contains some indications of its complexity.  Evidence amassed to date includes telephone intercepts and bank records, as well as “a large number of documents and electronic records” seized in a series of raids on Bhojani’s home and the Brisbane office of Ronphos, Nauru’s state-owned phosphate corporation that supplies rock phosphate to customers internationally.  If the experience of other countries in complex foreign-bribery cases is any guide, the Bhojani prosecution is likely to be the first, but not the last, prosecution in Operation Regatta.

Cyberthefts Continue to Bedevil Japanese Cryptocurrency Exchanges

On September 18, the Japanese cryptocurrency exchange Zaif confirmed that it was the target of a September 14 cyberattack that yielded an estimated $60 million (¥6.7 billion), in the form of 5,966 Bitcoins and an unknown quantity of other cryptocurrency assets. The points of attack reportedly were Zaif customers’ “hot wallets,” the online digital wallets that customers use to store cryptocurrency assets.

Tech Bureau, the Osaka-based cryptocurrency exchange that operates Zaif, stated that it had reported the theft to the Japanese Financial Services Agency (FSA) and law enforcement authorities.  Tech Bureau plans to raise the funds to compensate customers for their losses by selling a majority of its shares to a group company under the Japan-based financial services provider Fisco.  Fisco’s group company is expected to provide ¥5 billion to Tech Bureau as both companies “work to complete an agreement by the end of the month.”

Note:  The Zaif hack is not the first cyberattack against Japanese cryptocurrency exchanges this year.  In January, Tokyo-based cryptocurrency exchange Coincheck Inc suffered a “hot wallet” cyberattack that stole approximately $532.6 million (¥58 billion).  These two attacks – combined with the fact that the FSA had previously ordered Tech Bureau twice this year “to improve its operations, including its response to system failures” – demonstrate the urgency with which the cryptocurrency-exchange community needs to commit to installing and maintaining robust cybersecurity and data-protection measures.

Explanations like “technical difficulties and a shortage of staff” will not satisfy regulators in Japan or other countries who have seen multiple large-scale cryptocurrency hacks; indeed, an FSA official has already said that the Zaif hack “will likely have an impact on future screenings” for newly registered exchanges.  Although cryptocurrency-related market capitalization may have increased vastly since 2014 – when the bitcoin exchange Mt. Gox lost an estimated $473 million – neither consumer confidence nor regulatory patience can remain infinitely elastic.

One indication that the cryptocurrency sector recognizes that fact is the August 2018 application by the Japanese Virtual Currency Exchange Association (JVCEA) for certification by the FSA.  The JVCEA reportedly “plans to work with the government on drafting and overseeing legislation that will allow the Japanese crypto exchange industry to become self-regulating,” and to that end submitted to the FSA a detailed 100-page document containing its proposed self-regulatory measures.  In the end, some combination of self-regulatory and government regulatory measures will likely be necessary to impress on the industry the importance of adopting and implementing meaningful cybersecurity defenses and other internal controls and compliance measures.

Financial Conduct Authority Seeks £30+ Million Fine Against Tesco Bank for Cyberattack Data Breach

On September 24, Sky News reported that the United Kingdom Financial Conduct Authority (FCA) is seeking a fine of more than £30 million against Tesco Bank relating to the 2016 cyberattack on the bank’s online services.  At the time of the attack, the bank’s then-Chief Executive Officer, Benny Higgins, stated that “a systematic, sophisticated attack” had taken money from about 20,000 customer accounts.  Tesco Bank shortly thereafter refunded £2.5 million to about 9,000 customers, and is now contesting the proposed FCA fine.

Note: This action is only the latest in a series of enforcement actions that United Kingdom authorities have brought against various companies and entities in 2018 for data breaches or inadequate data protection:

  • September 2018: The United Kingdom Information Commissioner’s Office (ICO) imposed a £500,000 fine on Equifax Ltd. for “failing to protect the personal information of up to 15 million people in Britain during a 2017 cyber attack.”
  • July 2018: The ICO stated its intent to fine Facebook the maximum of £500,000 for two violations of the Data Protection Act 1998, stemming from Facebook’s alleged failure to protect Facebook users’ personal data that Cambridge Analytica harvested for political purposes.
  • June 2018: The ICO imposed a £250,000 fine on Yahoo! for a 2014 data breach that resulted in the theft of at least 500 million records.
  • May 2018: The ICO imposed a £120,000 fine on the University of Greenwich for a security breach in which 19,500 students’ personal data were placed online.

This particular report, however, is a timely reminder – as reports of other significant United Kingdom-related data breaches at British Airways, Dixons Carphone, and Ticketmaster have come to light in recent months — that companies doing business in the United Kingdom need to see that their data-security compliance programs focus not only on the General Data Protection Regulation (GDPR), but on other laws and regulatory regimes that mandate effective protection against data breaches.

The Financial Agencies’ Interagency Statement on Supervisory Guidance: Considerations for Corporate Compliance Officers

On September 11, five of the leading U.S. financial regulatory agencies — the Federal Reserve Board, the Bureau of Consumer Financial Protection, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency – issued a joint interagency statement explaining the role of supervisory guidance for regulated institutions.  The agencies stated that they were issuing this statement “to explain the role of supervisory guidance and to describe the agencies’ approach to supervisory guidance.”

First, the interagency statement explained the difference between supervisory guidance and laws or regulations:

The agencies issue various types of supervisory guidance, including interagency statements, advisories, bulletins, policy statements, questions and answers, and frequently asked questions, to their respective supervised institutions. A law or regulation has the force and effect of law.  Unlike a law or regulation, supervisory guidance does not have the force and effect of law, and the agencies do not take enforcement actions based on supervisory guidance. Rather, supervisory guidance outlines the agencies’ supervisory expectations or priorities and articulates the agencies’ general views regarding appropriate practices for a given subject area. (Citation omitted.)

On this point, it added that “[s]upervisory guidance often provides examples of practices that the agencies generally consider consistent with safety-and-soundness standards or other applicable laws and regulations, including those designed to protect consumers.”

Second, the statement declared that the agencies “are clarifying” five policies and practices related to supervisory guidance.  The key points for those five policies and practices are as follows:

  • Numerical Thresholds: “The agencies intend to limit the use of numerical thresholds or other ‘bright-lines’ in describing expectations in supervisory guidance. Where numerical thresholds are used, the agencies intend to clarify that the thresholds are exemplary only and not suggestive of requirements. The agencies will continue to use numerical thresholds to tailor, and otherwise make clear, the applicability of supervisory guidance or programs to supervised institutions, and as required by statute.”
  • Violations: “Examiners will not criticize a supervised financial institution for a ‘violation’ of supervisory guidance. Rather, any citations will be for violations of law, regulation, or non-compliance with enforcement orders or other enforceable conditions. During examinations and other supervisory activities, examiners may identify unsafe or unsound practices or other deficiencies in risk management, including compliance risk management, or other areas that do not constitute violations of law or regulation. In some situations, examiners may reference (including in writing) supervisory guidance to provide examples of safe and sound conduct, appropriate consumer protection and risk management practices, and other actions for addressing compliance with laws or regulations.”
  • Public Comment: “The agencies also have at times sought, and may continue to seek, public comment on supervisory guidance. Seeking public comment on supervisory guidance does not mean that the guidance is intended to be a regulation or have the force and effect of law.”
  • Multiple Documents: “The agencies will aim to reduce the issuance of multiple supervisory guidance documents on the same topic and will generally limit such multiple issuances going forward.”
  • Future Guidance: “The agencies will continue efforts to make the role of supervisory guidance clear in their communications to examiners and to supervised financial institutions, and encourage supervised institutions with questions about this statement or any applicable supervisory guidance to discuss the questions with their appropriate agency contact.”

Note: In general, the interagency statement can be considered a welcome reminder of the broad principles in the Administrative Procedure Act (APA).  Subsection 553(b) of the APA generally requires that federal agencies must follow the formal notice-and-comment process for substantive rulemaking, but makes an exception for “interpretative rules [or] general statements of policy.”  In practice, the line between substantive rules and interpretative rules or policy statements has been not only imprecise but subject to varying degrees of erosion.  As indicated in a recent post in the Regulatory Review, for a federal agency that has designs on expanding its power and influence, it is an understandable temptation to set standards that it wishes to enforce by issuing “guidance” documents that can be issued or revised on the agency’s timetable, rather than by submitting to the more time-consuming and cumbersome APA notice-and-comment process.

To the extent that the statement reminds both the participating agencies and regulated entities about the APA’s substantive-interpretative distinction, and reflects those agencies’ aspirational promises about maintaining the line between substantive and interpretative rules, it certainly does no harm and may do some good for the financial sector.  At the same time, financial-firm compliance officers should expect that in the short term, regulatory agencies are not likely to revise their existing compliance-related guidance in any substantial respect, and will continue to expect firms to hew closely to such guidance.

In addition, a leading law firm recently noted that financial regulators may be able to use their “guidance” as the basis for finding “safety and soundness” violations without calling that guidance a “rule”:

[A]lthough examination staff may no longer state a finding that a bank “violated” guidance or interpretive rule, they are not precluded from finding that a bank violated the governing statute or interpretive rule, and citing to the guidance to detail what the agency believes a statute or rule requires. Failure to follow agency guidance is not in and of itself a violation of law, but for an industry such as the banking industry, which is governed by amorphous “safety and soundness” obligations, departing from agency guidance may nevertheless pose a risk of being deemed an unsafe or unsound banking practice.

That risk is not limited to civil enforcement.  A prime example of this is the FCPA Corporate Enforcement Policy that the U.S. Department of Justice issued in November 2017.  As Deputy Attorney General Rod Rosenstein stated last November, the Policy “specifies some of the hallmarks of an effective compliance and ethics program.  Examples include fostering a culture of compliance; dedicating sufficient resources to compliance activities; and ensuring that experienced compliance personnel have appropriate access to management and to the board.”  Rosenstein added that “companies are free to choose not to comply with the FCPA Corporate Enforcement Policy.  A company needs to adhere to the policy only if it wants the Department’s prosecutors to follow the policy’s guidelines.”

That statement is too clever by half.  A declaration that a company is “free” not to comply with the Policy, at the risk of facing potentially massive FCPA criminal penalties and other enforcement measures, sounds remarkably like “guidance” that in fact establishes substantive conduct requirements, even if those requirements are vague and amorphous (e.g., “fostering a culture of compliance”).  Nonetheless, compliance officers can expect that the interagency statement will have no effect on the Department’s application of the FCPA Corporate Enforcement Policy, which is now being applied in a much broader range of white-collar crime matters.