In 2007, we listed ten elements of an effective compliance program. Several elements made it clear that high-level oversight is always critical. In IBM’s case, that oversight was missing.
On Friday, the company paid $10 million to settle civil FCPA charges brought by the SEC for violations in Korea and China.
In China, IBM landed in trouble for using training trips to make illegal payments to government officials. The abuse involved two key local managers who planned and approved the trips, and more than 100 local employees. In other words, the non-compliant behavior was systematic and reached a huge scale. How could that happen?
There’s always more risk of FCPA violations when local managers and employees have independent approval authority for decisions that might cause compliance problems. That’s not a knock against local managers or employees, but a familiar warning about making compliance programs work overseas. The reason is simple: it’s harder for local employees to say no to local bigwigs who make improper demands.
The policies and procedures can look perfect on paper. But unless someone in a senior position, and preferably back home, is part of the decision-making process, there’s a real danger of non-compliance.
According to the SEC, that’s what happened in China with IBM. Decisions were made locally and weren’t reviewed by higher-ups outside the region.
Here’s the short version:
The local subsidiary, IBM-China, signed contracts with government-owned or controlled customers for hardware, software, and other services. The contracts required IBM-China to provide training to the employees of the customers.
IBM sometimes held the training offsite and required the customers to travel. Before any training trips, IBM-China employees were required to submit a Delegation Trip Request (“DTR”) detailing the business purpose of the trip, all planned sightseeing or entertainment activities, and anticipated expenses. The DTRs required approval by IBM-China managers.
IBM-China’s policies required customers to pay for side-trips and stopovers unrelated to the training. But for five years starting in 2004, IBM’s internal controls failed to detect at least 114 instances in which (1) IBM-China employees and its local travel agency worked together to create fake invoices to match approved DTRs; (2) trips were not connected to any DTRs; (3) trips involved unapproved sightseeing itineraries for Chinese government employees; (4) trips had little or no business content; (5) trips involved one or more deviations from the approved DTR; and (6) trips where per diem payments and gifts were provided to Chinese government officials.
IBM-China personnel also used the company’s official travel agency in China to funnel money that was approved for legitimate business trips to fund unapproved trips. IBM-China personnel utilized the company’s procurement process to designate its preferred travel agents as “authorized training providers.” IBM-China personnel then submitted fraudulent purchase requests for “training services” from these “authorized training providers” and caused IBM-China to pay these vendors. The money paid to these vendors was used to pay for unapproved trips by Chinese government employees.
The misconduct in China involved two key IBM-China managers, who planned the customer trips, and more than 100 IBM-China employees.
Download the SEC’s March 18, 2011 civil complaint against IBM here.