Earlier this week Swiss commodities trading giant Glencore gave the compliance community a doozy of a corporate corruption settlement, agreeing to pay more than $1 billion to regulators around the world for bribery and market manipulation that lasted more than a decade. I’ve been sifting through the settlement documents since then and we have several lessons to ponder here.
We should begin with a review of the misconduct itself — which, to a compliance officer’s sensibilities, was both egregious and pedestrian at the same time. The misconduct was egregious because it was so far-reaching and pervasive. As described by the Justice Department, Glencore executives funneled more than $100 million in bribes to government officials in Nigeria, Venezuela, Brazil, the Ivory Coast, and other countries. Those bribes paved the way for Glencore to win lucrative purchase agreements with the countries’ state-owned oil companies. The scheme involved senior Glencore executives, and ran from at least 2007 into 2018.
That was just the FCPA misconduct; we also have a market manipulation scheme to consider. Throughout the 2010s, executives at Glencore’s U.S. subsidiary conspired to manipulate two benchmark price assessments (maintained by S&P Global Platts) for fuel oil products. By manipulating those benchmark prices, Glencore was manipulating the prices it paid to buy and sell fuel oil with other parties.
So we have multiple, long-running schemes to violate the law, executed either by or with the knowledge of senior Glencore executives. That’s the egregious part.
On the other hand, the mechanics of how Glencore executed these schemes is nothing that compliance professionals haven’t seen before. The criminal information against Glencore reads like a bingo card of bad practices, complete with sham agreements with intermediaries, inflated prices on invoices, poor controls over cash, cryptic email messages, and so forth.
One fun nugget: in email communications, Glencore executives referred to bribes as “newspapers” or “pages.” In one exchange, a Glencore employee told a fixer in West Africa that a payment was “the amount needed to cover newspaper reading material.” The fixer later replied, “The newspapers will be delivered.” One assumes this form of coded communication is now extinct because nobody reads newspapers any more.
Lessons on Outcomes
The most notable fact about the Glencore settlement is its sheer severity. Total penalties and disgorgement paid by Glencore and its U.S. subsidiary, Glencore Ltd., are more than $1.1 billion. Moreover, Glencore and Glencore Ltd. will each get an independent compliance monitor for three years. (Fun fact: one of the lawyers representing Glencore, Erin Sloane at WilmerHale, is the compliance monitor for Fresenius Medical Care.) Both businesses also had to plead guilty, rather than win a deferred-prosecution agreement.
So how did the Justice Department reach that conclusion? What compliance reforms has Glencore implemented so far, and what improvements remain incomplete?
Let’s begin with the reforms Glencore has implemented, which the company was quick to stress in a press release about the resolution. Those reforms include:
- Strengthening the Code of Conduct and launching a global awareness and training campaign;
- Establishing a centralized, independent compliance function and hiring a new head of compliance to run it (that would be Daniel Silver, hired in 2020);
- Instituting a business partner management program, including significant cutbacks in the use of third-party intermediaries and using end-to-end controls to oversee engagements;
- Implementing monitoring and testing mechanisms, including the use of data analytics, to assess whether controls are effective.
On the other hand, Glencore didn’t voluntarily self-report its misconduct, so no credit there; and it received only partial credit for cooperating with the Justice Department’s investigation.
What caught my eye the most, however, was the tempered praise that Glencore received for implementing all those anti-corruption controls we just outlined above. Consider this paragraph from the settlement agreement:
Because certain of the defendant’s compliance enhancements are new and have not been fully implemented or tested to demonstrate that they would prevent and detect similar misconduct in the future, the imposition of a monitor is necessary to reduce the risk of recurrence of misconduct…
Hmmm. Compliance program improvements that “have not been fully implemented or tested” — where have we heard that before?
Oh, yes: assistant attorney general Kenneth Polite, who spoke just last week at a compliance industry conference in Washington, and talked at length about the importance of testing your compliance program. In that speech he cited the example of Stericycle, which settled FCPA charges earlier this year and ended up with a compliance monitor for two years. Polite expressly said Stericycle received a monitor “because the controls were so new and because they had not been fully implemented or tested by the time of the resolution.”
If there’s any inference compliance officers can draw from the Glencore settlement, it’s about the importance of testing. If you don’t have any specific FCPA trouble in your life right now, you should be testing your controls rigorously and regularly anyway, if only to have that evidence at hand if specific FCPA trouble ever does arrive. Or if you are in talks with the Justice Department about a specific matter, your diligence in testing (and subsequent remediation) will be a critical point as prosecutors decide whether you need a monitor.
And CCO Certification
Polite’s other big point in his recent speech was that the Justice Department will require chief compliance officers to certify the effectiveness of their compliance programs as part of resolutions. Well, that requirement is included in the Glencore case too.
Specifically, Glencore’s CEO and CCO will both need to certify the effectiveness of the compliance program 30 days before the expiration of the plea agreement, which would be May 2025. Glencore will also need to make annual progress reports to the Justice Department assuring that the compliance program improvements continue and that discovery of any new misconduct is disclosed promptly.
I still have questions about how such certifications work in practice. For example, what if Silver, Glencore’s head of compliance today, isn’t with the company by 2025? How comfortable would a successor chief compliance officer be, certifying a program that he or she didn’t play a role in building? Would a new CCO want to conduct a sweeping review of that previous work? What if he or she sees something that they would have done differently?
My beefs with CCO certification are not new, and we can revisit them another day. For now, however — Polite said CCO certification was coming; and here it is.