Fasten your seatbelts, compliance officers—we may just have flown into a vast, uncharted territory of corruption and internal control risk nobody expected.
I speak of the SEC’s recent sanction against United Airlines, where the agency applied the spirit of the Foreign Corrupt Practices Act to a bribe United gave to a domestic government official here in the United States. That violation of United’s internal policies against bribery then became a books-and-records violation of the Securities Act, and presto: a $2.4 million fine against United on Dec. 2.
Compliance officers have lots to consider here. If we see more cases like it—and with the incoming Trump Administration, that’s an open question—this enforcement action will be worth printing out and stapling to your audit committee’s forehead. So let’s begin.
First are the facts of the case. They are the only part of this tale a compliance officer will find familiar.
In early 2011 a new chairman took over the Port Authority of New York and New Jersey, David Samson. One of the airports overseen by the Port Authority is Newark Liberty Airport, a primary hub of United Airlines. At the time of Samson’s arrival, United needed the Port Authority’s blessing to build a repair hangar at Newark. Samson had a second home near Columbia, South Carolina, and wanted a nonstop flight from Newark to Columbia.
Don’t die of shock here, but Samson telegraphed to the airline that unless it opened a flight to South Carolina, he would block the new hangar. Worse, once upon a time United did have a flight from Newark to Columbia, but discontinued the route in 2009 because it was a money-loser. Samson’s minions first passed along his demands quietly, and United’s network planning group told CEO Jeff Smisek that the Columbia route would still lose money. So Smisek didn’t re-open the route—and just before a crucial Port Authority meeting to discuss the new hangar, Samson pulled that discussion from the agenda.
Smisek got the message. In December 2011 he directed United’s operations team to re-open the route. Miraculously the Port Authority approved United’s new hangar the same day that Smisek ordered the route re-opened. The flights operated from September 2012 until early 2014, and lost United $945,000. The new hangar allowed United to expand operations that resulted in an estimated $47.5 million in new efficiency and value.
Everything went south, so to speak, when the New Jersey U.S. attorney’s office investigated and brought up Samson on corruption charges in 2014. Samson resigned early that year, and pleaded guilty earlier this summer. United fired Smisek in 2014, and reached a non-prosecution agreement with the New Jersey feds this summer that carried a $2.25 million fine.
What Matters Most Here
Clearly the shenanigans here were a bribe. If these facts had unfolded with an airport authority in Africa or Asia instead of New Jersey, nobody would even question that they violate the Foreign Corrupt Practices Act. When you read the statement of facts in the SEC complaint, the quid pro quo is so transparent that you wince.
The headache for compliance officers is that this mess did happen in New Jersey, where the FCPA does not apply. So the SEC had to take a set of FCPA-like facts and shoehorn them into a violation of the Securities Exchange Act, which is an investor protection statute.
The shoehorn used was United’s Code of Conduct, along with its internal anti-bribery policies. Follow this logic and tell me whether your toes feel pinched.
First, Smisek violated United’s anti-bribery policies, which prohibited employees from using assets for illicit purposes. He also violated United’s Code of Conduct, which said that anyone seeking to act against the code first had to seek an exception request from the compliance officer or the audit committee—something Smisek did not do.
Because Smisek disguised his bribe to Samson as a money-loser flight to South Carolina, and United’s internal accounting controls didn’t catch it as such, that qualified as a violation of Section 13(b)(2)(B) of the Exchange Act. And because Smisek never asked for an exception request from United’s code to give Samson a bribe, that qualified as a books-and-records violation under Section 13(b)(2)(A) of the act; no record existed of him asking permission.
What happened here is subtle enough that it bears repeating: a violation of United’s Code of Conduct was interpreted as a violation of the books-and-records provisions of federal securities law. The perpetrator didn’t ask permission to violate the code, so no record of his request existed, so ipso facto, the books-and-records provisions were violated.
Now, United did do an admirable job cleaning up Smisek’s mess. It fired him, created a new senior-level role for anti-corruption, and enhanced its Code of Conduct and anti-bribery policies. In short, United did everything you’d want a company to do once it discovers its CEO engaged in a bribery scheme. That’s the good news, and kudos to United’s board for upping its compliance program.
Still, this is the sort of sanction that could tie a compliance program in knots. Applied broadly, it could lead to a vast volume of misconduct triggering securities law trouble. For example, if the CEO harasses a secretary without first asking for an exception from the anti-harassment code—could that be a books-and-records violation? What if the culprit instead is your best sales executive, or the head of bet-the-company new research?
I’m hard-pressed to believe the SEC will apply this standard widely, especially with the Trump Administration likely to take a less aggressive tone with regulatory enforcement across the board. But if the SEC wants prosecutorial discretion, this interpretation of the law (one compliance blogger has already called it the Domestic Corrupt Practices Act) is a nifty weapon to keep in its back pocket.
Compliance officers should also remember the offense that happened here: management override of internal control. United had policies and procedures to prevent the abuse of flight routes; Smisek overruled them. If the SEC wanted to punish United for allowing a system of internal control and compliance where management override could happen so easily, this would be one good way to do it.
Management override is a dangerous threat to compliance programs. It’s difficult to police, and you need to rely heavily on a strong control environment: training of employees, a carefully cultivated speak-up culture, a reporting system that can evade the CEO in case he or she is the problem. Those things seem part of the remediation that United undertook to resolve its problem.
Will this sanction lead companies to self-report violations of their internal code of conduct more often? Only if there’s real enforcement risk, and we won’t know that for many months at least. But the United settlement is a humdinger of a case. Compliance officers haven’t seen anything this thought-provoking for quite a while.