As you may have already heard, last week the Justice Department nailed French cement manufacturer Lafarge Corp. to the wall for paying protection money to terrorist organizations in Syria in the early 2010s. Don’t let the terrorism angle fool you; there are plenty of lessons here relevant for FCPA compliance professionals.
The basics are as follows. Lafarge pleaded guilty to paying millions to ISIS and the Al-Nusrah Front in 2013 and 2014, so that Lafarge could keep operating a cement factory the company had opened in northern Syria in 2010 — just before Syria plunged into civil war and ISIS took over a large portion of the country.
Those protection payments soon evolved into a revenue-sharing agreement between Lafarge and ISIS, where the size of the payments to ISIS was based on the amount of cement Lafarge’s Syrian subsidiary was able to sell. As outlined in the statement of facts filed in federal court, Lafarge’s top executives understood perfectly well that they were dealing with terrorists. They also acted with craven economic interest, expressly stating that if ISIS wanted more money from Lafarge, “it’s better for them to stop Turkish cement and Iraqi cement, so that we may increase the price.”
In 2015 Lafarge merged into Swiss cement giant Holcim, which apparently never caught Lafarge’s terrorist dalliances during pre- or post-acquisition due diligence. In 2016 news of the payments came to light, and six years later here we are. Lafarge pleaded guilty to one criminal charge, will pay a $778 million penalty, and will serve three years’ probation.
Yes, this was terrible conduct committed by the senior executives at Lafarge, several of whom face personal criminal prosecution in France. Still, when you delve into the details of how they conspired with ISIS and Al-Nusrah Front, the lessons here are foremost relevant to FCPA compliance.
Bribes, Due Diligence, and Documentation
First are those details about how Lafarge orchestrated its payments to ISIS. Rather than go into a long analysis of what Lafarge did (that’s in the statement of facts, if you’re curious), let’s just hit the main points:
- Excuses from executives at the beginning about why Lafarge should make the payments (for the safety of its Syrian employees, ostensibly), which soon descended into greed: by keeping its Syrian plant open, Lafarge could pressure its competitors and be ready for growth whenever the war ended.
- Dealing with intermediaries and other third parties to distance Lafarge from any direct, obvious contact with ISIS.
- Payments hidden with fake contracts, falsified invoices, “discounts” offered to customers, and off-system email accounts.
We’ve all heard those many times before in FCPA enforcement cases, and we’ll continue to hear them again. So I’m less interested in the mechanics of how Lafarge funneled $5.92 million to ISIS over two years (in exchange for roughly $70.3 million in revenue), and more interested in other details about the case that teach broader lessons.
Poor due diligence from Holcim. Lafarge and Holcim announced a $60 billion “merger of equals” in 2014, and the deal was closed in 2015. Why didn’t Holcim uncover the terrorist connections during due diligence? The Justice Department statement of facts had this to say:
Lafarge’s operations in Syria represented less than 1 percent of the Lafarge Group’s sales at the time the [Syria plant] was evacuated, and Holcim did not inquire specifically about [Lafarge’s] operations in Syria.
Simply put, Holcim didn’t perform risk-based due diligence. Lafarge’s Syria operations may have been an immaterial part of the whole deal; but Syria was already well-known for corruption, and by 2014 the country was riven with war and terrorism. Those are red flags of a deep and brilliant hue. Holcim’s compliance function should have known to investigate those operations regardless of their small financial size; the compliance risk was still huge.
Adverse media reports matter! Holcim finally discovered the Lafarge-ISIS connection in 2016, when a Syrian opposition group published an online article exposing the scheme. That article included images of emails sent to and from Lafarge executives’ email accounts, discussing payments to ISIS.
The article came to the attention of Holcim’s compliance officer, who passed it up the chain of command. Over the next 12 months, Holcim launched a board-level investigation, complete with outside counsel from a U.S. law firm. In April 2017 Holcim’s board disclosed everything in a press release.
The lesson for other compliance officers is never to discount the value of searching for adverse media reports. The Syrian opposition group’s news came too late for the Lafarge deal, which had already closed by that time; but for the rest of us it’s a reminder that diligent digging can turn up insights that might save you incalculable time, money, and stress later on.
Discounts and documentation. To avoid making payments directly to ISIS, Lafarge had its customers make those payments to ISIS. Then Lafarge agreed to discount the price of cement it sold those customers, to reimburse them for the illicit payments.
Discounts to end-use customers! How often have we seen that in FCPA enforcement actions? Everyone from Oracle (sanctioned for this tactic just last month), to Juniper Networks, to Microsoft, to so many more. The company offers “discounts” to customers that lack proper documentation and are just vehicles to fund bribes. We could talk about this weakness in internal controls forever, and probably will.
Perils of Working With Terrorists
Plenty of compliance officers might look at the Lafarge case and quietly think, “OK, our company might be dumb enough to violate the FCPA, but we’d never be stupid enough to deliberately work with terrorists.”
Are you sure about that?
One statement from deputy attorney general Lisa Monaco struck me. She described the Lafarge case as “a vivid reminder of how corporate crime can intersect with national security” — and my mind immediately went to ransomware payments.
It’s generally not illegal to pay ransoms to cyber attackers, and under certain circumstances making those payments might even be common sense — say, if the attackers shut down a healthcare system and patient lives were in imminent danger. But companies can’t ignore the potential consequences of making those payments, including the chance that your money is going to terrorists.
In those cases, where your ransoms do end up in the pockets of terrorists or people on sanctions watch lists, your company could face legal liability. Hence the Justice Department and other regulators plead with companies so often to report ransomware attacks: so that even if you need to make the payments, at least you’re self-disclosing to law enforcement and they can try to help. You’re acting from a spirit of sincerity and cooperation, and that matters.
On the other hand, if your company just blithely makes a ransomware payment without reporting the attack to law enforcement or trying to determine whether that money ends up in terrorist hands, that’s precisely what Monaco means when she talks about the intersection of corporate misconduct and national security. So tread carefully.