Now that we’ve had a long weekend to digest the FCPA enforcement action imposed against Cognizant Technologies last week, compliance officers have a lot more consider here. In many ways what happened with Cognizant is an excellent case-study for corporate ethics and compliance done right, with a few points to ponder about potential risks to CCOs, too.
First, a recap of what happened last week. Cognizant, an IT outsourcing firm, agreed to pay $25 million in disgorgement and penalties for bribery in India. In 2014 two former senior executives approved a $2 million bribe to officials in the state of Tamil Nadu, in exchange for necessary permits to build a corporate campus there. The bribe was paid via the construction firm Cognizant hired to build the campus, and the two executives then covered it up by approving fabricated invoices and change orders from the construction firm for work never actually done.
Worse, the two Cognizant executives involved were the company’s then-president, Gordon Coburn; and former chief legal officer Steven Schwartz. According to civil and criminal complaints against both men, not only did they direct that the $2 million bribe be paid; when the construction firm at first told Cognizant to pay the bribe itself, Coburn authorized another $500,000 for the firm’s master contract — so, bribing the construction firm to pay the bribe. Then Coburn held up payments to the construction firm until the bribe was paid and Cognizant’s permit issued.
Ultimately Coburn and Schwartz received criminal indictments from the Justice Department and civil complaints from the SEC. Cognizant agreed to disgorge $19 million in ill-gotten profits and to pay $6 million to the SEC for internal control violations of the FCPA. The Justice Department, however, declined to prosecute Cognizant — which seems strange at first glance, because senior corporate executives were involved in the crime.
After all, the FCPA Corporate Enforcement Policy announced in 2017 specifically cites “involvement by executive management in the misconduct” as an aggravating factor that would typically result in criminal prosecution, even if you have an otherwise strong ethics and compliance program. That was the case here, but still no prosecution. Why?
As I mentioned, at first glance the decision not to prosecute Cognizant looks like what many ethics and compliance officers have feared: the Justice Department ignoring its own principles for FCPA enforcement and not bothering to hold companies accountable any more.
That suspicion isn’t unwarranted. President Trump is no fan of the FCPA, so of course people watch for any whiff of that leadership tone infecting FCPA enforcement. Still, when you consider the extenuating circumstances in Cognizant, you can see how the Justice Department landed where it did.
For example, Cognizant had no prior criminal history, and provided full and extensive cooperation in the Justice Department’s investigation. The company also fired Coburn and Schwartz, and implemented improvements to its internal accounting controls (more on that later). Above all, Cognizant had an existing and effective compliance program before this mess, and Cognizant’s board disclosed the FCPA violation within two weeks of first hearing about it.
That’s a lot of extenuating circumstance. So if prosecutors don’t want to bring criminal charge against the corporation — OK, but typically the next lesser step would be a deferred- or non-prosecution agreement. Yet Cognizant had no prior history of misconduct, and did have a strong commitment to compliance, so those resolutions don’t make much sense. Put a company on probation for the possibility of a future offense that it had no prior history of committing, other than one instance where the individual wrongdoers were sacked? Why?
So if neither DPA nor NPA are a good fit, we’re left with the binary choice of a sanction maximum (criminal charge) or minimum (decline to prosecute). Well, bringing a criminal charge when Cognizant did so much right would tempt more than a few boards in future FCPA predicaments to keep quiet; the opposite of what the DOJ wants to achieve.
Hence the Justice Department landed where it did: declining to prosecute even though senior executives committed the misconduct, an aggravating circumstance that usually would result in corporate prosecution.
Heroes Here: The Board
Another striking element is how swiftly Cognizant’s board decided to report its FCPA trouble to prosecutors: less than two weeks after discovering the trouble.
That answers one question I originally had. How could the Justice Department consider Cognizant’s compliance program effective at the time of the offense, if Coburn and Schwartz — senior executives ostensibly leading that commitment to compliance — were the ones breaking the law? How could both things be true at the same time?
They can both be true if some other locus of power in the corporation also has a strong commitment to ethics and compliance. That other locus was Cognizant’s board. Somehow they heard about the India bribe, and immediately reported to the Justice Department.
So right there, compliance officers could cite this case to their own boards: “This is why you board directors should take ethics and compliance seriously; this is why self-disclosure of misconduct is the right choice. The company can have an ugly mess on its hands and still receive lenient terms, if the board takes its commitment to compliance seriously and behaves the way the Cognizant folks did.”
We should also note who Cognizant’s board directors were. The chairman of Cognizant’s audit committee at the time was Maureen Breakiron-Evans, who spent several years in the 2000s as general auditor of CIGNA. Also on the audit committee was Leo Mackay, head of ethics and internal audit at Lockheed Martin. Both still serve on Cognizant’s board today, and good for them.
I can’t help but assume that their day jobs in ethics, compliance, and audit at other companies guided their thinking in Cognizant’s boardroom. It’s a strong argument in favor of putting more compliance and audit professionals on corporate boards, so they can foster that institutional commitment to ethical conduct that companies need — especially to handle misconduct in the C-suite.
Others have also said Cognizant is a reminder that the compliance function should report directly to the board. Well, yes and no. If your board does truly value ethical business conduct, then yes, you’ll have a great working relationship even if Cognizant-type misconduct occurs.
On the other hand, if your board doesn’t embrace ethical conduct, then you still risk putting a target on your back when you bring allegations to them. Just the other week we were discussing retaliation against CCOs, and several readers then emailed their own horror stories to me; one lost his job because he had to raise allegations about an audit committee member. Reporting directly to the board did that man no good; it won’t do you any good either if your board is unprincipled.
Anyway, that’s not what happened here at Cognizant. This board stepped up and practiced what ethics and compliance is all about. Print out this column and staple it to your own board’s forehead.