
Table of Contents

Tab 1. Focus Area: Foundational Elements

Topics:
Federal Sentencing Guidelines
Securities and Exchange Commission (SEC) Requirements Regarding Ethics and Compliance Program Structure
Roles, Reporting and Relationships with the Board, its Committees and Senior Management; Potential Conflicts Faced by the CECO with other Senior Leaders
Program Structure
Relationships with Peers (Accountants, Auditors, Legal and Risk Officers)
What is the Role of The Office
What is the Day to Day Work of a CECO; How Do You Operationalize Ethics and Compliance?
The ROI of Ethics and Compliance: Morgan Stanley & Other Examples
Applicable Laws (Materials to be distributed during meeting)
What An Effective Program Looks Like; Don't Just Do Compliance
Demonstrable Impact of Ethical Culture on Business Outcomes
Tone at the Top and Tone in the Middle
Enlisting Managers to Create Tone in the Middle; Challenges and Case Studies
Speaking Up and Encouraging Dialogue
Incorporating Values-Based Concepts into Annual Reviews/Performance Management
Driving Metrics Approved by Board and Senior Management to Produce Desired Major Changes in Employee Behavior
Connecting the Company's Mission, Purpose and Values to a Roadmap that Drives the Business Forward
The Role and Special Responsibilities of Leaders in Elevating Behaviors
How to Promote a Deeper, Shared Understanding of Allstate's Mission and How it is Expressed, Interpreted and Made Resonant for Each Employee (including making clear what Allstate stands for, and against)
Connecting Culture Assessment with Evaluation of the Effectiveness of the E&C Program
2011-2012 Ethics & Compliance Leadership Survey Report
Ethics & Compliance Alliance Risk Forecast Report 2013

April 11th: The What
Doing Business in India
Creating a Program that Achieves Compliance and Advances the Business through Mission and Values-Driven Behaviors

April 12th: The How
Mission, Values and the Role of Culture

LRN Reports

Ch. 8

GUIDELINES MANUAL

November 1, 2012

CHAPTER EIGHT - SENTENCING OF ORGANIZATIONS


Introductory Commentary

The guidelines and policy statements in this chapter apply when the convicted defendant is an organization. Organizations can act only through agents and, under federal criminal law, generally are vicariously liable for offenses committed by their agents. At the same time, individual agents are responsible for their own criminal conduct. Federal prosecutions of organizations therefore frequently involve individual and organizational co-defendants. Convicted individual agents of organizations are sentenced in accordance with the guidelines and policy statements in the preceding chapters.

This chapter is designed so that the sanctions imposed upon organizations and their agents, taken together, will provide just punishment, adequate deterrence, and incentives for organizations to maintain internal mechanisms for preventing, detecting, and reporting criminal conduct. This chapter reflects the following general principles:

First, the court must, whenever practicable, order the organization to remedy any harm caused by the offense. The resources expended to remedy the harm should not be viewed as punishment, but rather as a means of making victims whole for the harm caused.

Second, if the organization operated primarily for a criminal purpose or primarily by criminal means, the fine should be set sufficiently high to divest the organization of all its assets.

Third, the fine range for any other organization should be based on the seriousness of the offense and the culpability of the organization. The seriousness of the offense generally will be reflected by the greatest of the pecuniary gain, the pecuniary loss, or the amount in a guideline offense level fine table. Culpability generally will be determined by six factors that the sentencing court must consider. The four factors that increase the ultimate punishment of an organization are: (i) the involvement in or tolerance of criminal activity; (ii) the prior history of the organization; (iii) the violation of an order; and (iv) the obstruction of justice. The two factors that mitigate the ultimate punishment of an organization are: (i) the existence of an effective compliance and ethics program; and (ii) self-reporting, cooperation, or acceptance of responsibility.

Fourth, probation is an appropriate sentence for an organizational defendant when needed to ensure that another sanction will be fully implemented, or to ensure that steps will be taken within the organization to reduce the likelihood of future criminal conduct.

These guidelines offer incentives to organizations to reduce and ultimately eliminate criminal conduct by providing a structural foundation from which an organization may self-police its own conduct through an effective compliance and ethics program. The prevention and detection of criminal conduct, as facilitated by an effective compliance and ethics program, will assist an organization in encouraging ethical conduct and in complying fully with all applicable laws.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422). Amended effective November 1, 2004 (see Appendix C, amendment 673).


PART A - GENERAL APPLICATION PRINCIPLES

8A1.1. Applicability of Chapter Eight

This chapter applies to the sentencing of all organizations for felony and Class A misdemeanor offenses.

Commentary

Application Notes:

1. "Organization" means "a person other than an individual." 18 U.S.C. 18. The term includes corporations, partnerships, associations, joint-stock companies, unions, trusts, pension funds, unincorporated organizations, governments and political subdivisions thereof, and non-profit organizations.

2. The fine guidelines in 8C2.2 through 8C2.9 apply only to specified types of offenses. The other provisions of this chapter apply to the sentencing of all organizations for all felony and Class A misdemeanor offenses. For example, the restitution and probation provisions in Parts B and D of this chapter apply to the sentencing of an organization, even if the fine guidelines in 8C2.2 through 8C2.9 do not apply.

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8A1.2. Application Instructions - Organizations

(a) Determine from Part B, Subpart 1 (Remedying Harm from Criminal Conduct) the sentencing requirements and options relating to restitution, remedial orders, community service, and notice to victims.

(b) Determine from Part C (Fines) the sentencing requirements and options relating to fines:

(1) If the organization operated primarily for a criminal purpose or primarily by criminal means, apply 8C1.1 (Determining the Fine - Criminal Purpose Organizations).

(2) Otherwise, apply 8C2.1 (Applicability of Fine Guidelines) to identify the counts for which the provisions of 8C2.2 through 8C2.9 apply. For such counts:

(A) Refer to 8C2.2 (Preliminary Determination of Inability to Pay Fine) to determine whether an abbreviated determination of the guideline fine range may be warranted.

(B) Apply 8C2.3 (Offense Level) to determine the offense level from Chapter Two (Offense Conduct) and Chapter Three, Part D (Multiple Counts).

(C) Apply 8C2.4 (Base Fine) to determine the base fine.

(D) Apply 8C2.5 (Culpability Score) to determine the culpability score. To determine whether the organization had an effective compliance and ethics program for purposes of 8C2.5(f), apply 8B2.1 (Effective Compliance and Ethics Program).

(E) Apply 8C2.6 (Minimum and Maximum Multipliers) to determine the minimum and maximum multipliers corresponding to the culpability score.

(F) Apply 8C2.7 (Guideline Fine Range - Organizations) to determine the minimum and maximum of the guideline fine range.

(G) Refer to 8C2.8 (Determining the Fine Within the Range) to determine the amount of the fine within the applicable guideline range.

(H) Apply 8C2.9 (Disgorgement) to determine whether an increase to the fine is required.

For any count or counts not covered under 8C2.1 (Applicability of Fine Guidelines), apply 8C2.10 (Determining the Fine for Other Counts).

(3) Apply the provisions relating to the implementation of the sentence of a fine in Part C, Subpart 3 (Implementing the Sentence of a Fine).

(4) For grounds for departure from the applicable guideline fine range, refer to Part C, Subpart 4 (Departures from the Guideline Fine Range).

(c) Determine from Part D (Organizational Probation) the sentencing requirements and options relating to probation.

(d) Determine from Part E (Special Assessments, Forfeitures, and Costs) the sentencing requirements relating to special assessments, forfeitures, and costs.

Commentary

Application Notes:

1. Determinations under this chapter are to be based upon the facts and information specified in the applicable guideline. Determinations that reference other chapters are to be made under the standards applicable to determinations under those chapters.

2. The definitions in the Commentary to 1B1.1 (Application Instructions) and the guidelines and commentary in 1B1.2 through 1B1.8 apply to determinations under this chapter unless otherwise specified. The adjustments in Chapter Three, Parts A (Victim-Related Adjustments), B (Role in the Offense), C (Obstruction and Related Adjustments), and E (Acceptance of Responsibility) do not apply. The provisions of Chapter Six (Sentencing Procedures, Plea Agreements, and Crime Victims' Rights) apply to proceedings in which the defendant is an organization. Guidelines and policy statements not referenced in this chapter, directly or indirectly, do not apply when the defendant is an organization; e.g., the policy statements in Chapter Seven (Violations of Probation and Supervised Release) do not apply to organizations.

3. The following are definitions of terms used frequently in this chapter:

(A) "Offense" means the offense of conviction and all relevant conduct under 1B1.3 (Relevant Conduct) unless a different meaning is specified or is otherwise clear from the context. The term "instant" is used in connection with "offense," "federal offense," or "offense of conviction," as the case may be, to distinguish the violation for which the defendant is being sentenced from a prior or subsequent offense, or from an offense before another court (e.g., an offense before a state court involving the same underlying conduct).

(B) "High-level personnel of the organization" means individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization. The term includes: a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest. "High-level personnel of a unit of the organization" is defined in the Commentary to 8C2.5 (Culpability Score).

(C) "Substantial authority personnel" means individuals who within the scope of their authority exercise a substantial measure of discretion in acting on behalf of an organization. The term includes high-level personnel of the organization, individuals who exercise substantial supervisory authority (e.g., a plant manager, a sales manager), and any other individuals who, although not a part of an organization's management, nevertheless exercise substantial discretion when acting within the scope of their authority (e.g., an individual with authority in an organization to negotiate or set price levels or an individual authorized to negotiate or approve significant contracts). Whether an individual falls within this category must be determined on a case-by-case basis.

(D) "Agent" means any individual, including a director, an officer, an employee, or an independent contractor, authorized to act on behalf of the organization.

(E) An individual "condoned" an offense if the individual knew of the offense and did not take reasonable steps to prevent or terminate the offense.

(F) "Similar misconduct" means prior conduct that is similar in nature to the conduct underlying the instant offense, without regard to whether or not such conduct violated the same statutory provision. For example, prior Medicare fraud would be misconduct similar to an instant offense involving another type of fraud.

(G) "Prior criminal adjudication" means conviction by trial, plea of guilty (including an Alford plea), or plea of nolo contendere.

(H) "Pecuniary gain" is derived from 18 U.S.C. 3571(d) and means the additional before-tax profit to the defendant resulting from the relevant conduct of the offense. Gain can result from either additional revenue or cost savings. For example, an offense involving odometer tampering can produce additional revenue. In such a case, the pecuniary gain is the additional revenue received because the automobiles appeared to have less mileage, i.e., the difference between the price received or expected for the automobiles with the apparent mileage and the fair market value of the automobiles with the actual mileage. An offense involving defense procurement fraud related to defective product testing can produce pecuniary gain resulting from cost savings. In such a case, the pecuniary gain is the amount saved because the product was not tested in the required manner.

(I) "Pecuniary loss" is derived from 18 U.S.C. 3571(d) and is equivalent to the term "loss" as used in Chapter Two (Offense Conduct). See Commentary to 2B1.1 (Theft, Property Destruction, and Fraud), and definitions of "tax loss" in Chapter Two, Part T (Offenses Involving Taxation).

(J) An individual was "willfully ignorant of the offense" if the individual did not investigate the possible occurrence of unlawful conduct despite knowledge of circumstances that would lead a reasonable person to investigate whether unlawful conduct had occurred.

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422); November 1, 1997 (see Appendix C, amendment 546); November 1, 2001 (see Appendix C, amendment 617); November 1, 2004 (see Appendix C, amendment 673); November 1, 2010 (see Appendix C, amendment 747); November 1, 2011 (see Appendix C, amendment 758).


PART B - REMEDYING HARM FROM CRIMINAL CONDUCT, AND EFFECTIVE COMPLIANCE AND ETHICS PROGRAM
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422). Amended effective November 1, 2004 (see Appendix C, amendment 673).

1. REMEDYING HARM FROM CRIMINAL CONDUCT

Historical Note: Effective November 1, 2004 (see Appendix C, amendment 673).

Introductory Commentary

As a general principle, the court should require that the organization take all appropriate steps to provide compensation to victims and otherwise remedy the harm caused or threatened by the offense. A restitution order or an order of probation requiring restitution can be used to compensate identifiable victims of the offense. A remedial order or an order of probation requiring community service can be used to reduce or eliminate the harm threatened, or to repair the harm caused by the offense, when that harm or threatened harm would otherwise not be remedied. An order of notice to victims can be used to notify unidentified victims of the offense.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8B1.1. Restitution - Organizations

(a) In the case of an identifiable victim, the court shall -

(1) enter a restitution order for the full amount of the victim's loss, if such order is authorized under 18 U.S.C. 2248, 2259, 2264, 2327, 3663, or 3663A; or

(2) impose a term of probation or supervised release with a condition requiring restitution for the full amount of the victim's loss, if the offense is not an offense for which restitution is authorized under 18 U.S.C. 3663(a)(1) but otherwise meets the criteria for an order of restitution under that section.

(b) Provided, that the provisions of subsection (a) do not apply -

(1) when full restitution has been made; or

(2) in the case of a restitution order under 3663; a restitution order under 18 U.S.C. 3663A that pertains to an offense against property described in 18 U.S.C. 3663A(c)(1)(A)(ii); or a condition of restitution imposed pursuant to subsection (a)(2) above, to the extent the court finds, from facts on the record, that (A) the number of identifiable victims is so large as to make restitution impracticable; or (B) determining complex issues of fact related to the cause or amount of the victim's losses would complicate or prolong the sentencing process to a degree that the need to provide restitution to any victim is outweighed by the burden on the sentencing process.

(c) If a defendant is ordered to make restitution to an identifiable victim and to pay a fine, the court shall order that any money paid by the defendant shall first be applied to satisfy the order of restitution.

(d) A restitution order may direct the defendant to make a single, lump sum payment, partial payments at specified intervals, in-kind payments, or a combination of payments at specified intervals and in-kind payments. See 18 U.S.C. 3664(f)(3)(A). An in-kind payment may be in the form of (1) return of property; (2) replacement of property; or (3) if the victim agrees, services rendered to the victim or to a person or organization other than the victim. See 18 U.S.C. 3664(f)(4).

(e) A restitution order may direct the defendant to make nominal periodic payments if the court finds from facts on the record that the economic circumstances of the defendant do not allow the payment of any amount of a restitution order, and do not allow for the payment of the full amount of a restitution order in the foreseeable future under any reasonable schedule of payments.

(f) Special Instruction

(1) This guideline applies only to a defendant convicted of an offense committed on or after November 1, 1997. Notwithstanding the provisions of 1B1.11 (Use of Guidelines Manual in Effect on Date of Sentencing), use the former 8B1.1 (set forth in Appendix C, amendment 571) in lieu of this guideline in any other case.

Commentary

Background: Section 3553(a)(7) of Title 18, United States Code, requires the court, "in determining the particular sentence to be imposed," to consider "the need to provide restitution to any victims of the offense." Orders of restitution are authorized under 18 U.S.C. 2248, 2259, 2264, 2327, 3663, and 3663A. For offenses for which an order of restitution is not authorized, restitution may be imposed as a condition of probation.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422); November 1, 1997 (see Appendix C, amendment 571).

8B1.2. Remedial Orders - Organizations (Policy Statement)

(a) To the extent not addressed under 8B1.1 (Restitution - Organizations), a remedial order imposed as a condition of probation may require the organization to remedy the harm caused by the offense and to eliminate or reduce the risk that the instant offense will cause future harm.

(b) If the magnitude of expected future harm can be reasonably estimated, the court may require the organization to create a trust fund sufficient to address that expected harm.

Commentary

Background: The purposes of a remedial order are to remedy harm that has already occurred and to prevent future harm. A remedial order requiring corrective action by the organization may be necessary to prevent future injury from the instant offense, e.g., a product recall for a food and drug violation or a clean-up order for an environmental violation. In some cases in which a remedial order potentially may be appropriate, a governmental regulatory agency, e.g., the Environmental Protection Agency or the Food and Drug Administration, may have authority to order remedial measures. In such cases, a remedial order by the court may not be necessary. If a remedial order is entered, it should be coordinated with any administrative or civil actions taken by the appropriate governmental regulatory agency.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8B1.3. Community Service - Organizations (Policy Statement)

Community service may be ordered as a condition of probation where such community service is reasonably designed to repair the harm caused by the offense.

Commentary

Background: An organization can perform community service only by employing its resources or paying its employees or others to do so. Consequently, an order that an organization perform community service is essentially an indirect monetary sanction, and therefore generally less desirable than a direct monetary sanction. However, where the convicted organization possesses knowledge, facilities, or skills that uniquely qualify it to repair damage caused by the offense, community service directed at repairing damage may provide an efficient means of remedying harm caused. In the past, some forms of community service imposed on organizations have not been related to the purposes of sentencing. Requiring a defendant to endow a chair at a university or to contribute to a local charity would not be consistent with this section unless such community service provided a means for preventive or corrective action directly related to the offense and therefore served one of the purposes of sentencing set forth in 18 U.S.C. 3553(a).
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8B1.4. Order of Notice to Victims - Organizations

Apply 5F1.4 (Order of Notice to Victims).

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

2. EFFECTIVE COMPLIANCE AND ETHICS PROGRAM

Historical Note: Effective November 1, 2004 (see Appendix C, amendment 673).

8B2.1. Effective Compliance and Ethics Program

(a) To have an effective compliance and ethics program, for purposes of subsection (f) of 8C2.5 (Culpability Score) and subsection (b)(1) of 8D1.4 (Recommended Conditions of Probation - Organizations), an organization shall -

(1) exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

(b) Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:

(1) The organization shall establish standards and procedures to prevent and detect criminal conduct.

(2) (A) The organization's governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.

(C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

(3) The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.

(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subparagraph (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals' respective roles and responsibilities.

(B) The individuals referred to in subparagraph (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization's employees, and, as appropriate, the organization's agents.

(5) The organization shall take reasonable steps -

(A) to ensure that the organization's compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;

(B) to evaluate periodically the effectiveness of the organization's compliance and ethics program; and

(C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization's employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

(6) The organization's compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.

(7) After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization's compliance and ethics program.

(c) In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.

497

8B2.1

GUIDELINES MANUAL

November 1, 2012

Commentary

Application Notes:

1. Definitions. For purposes of this guideline:

"Compliance and ethics program" means a program designed to prevent and detect criminal conduct.

"Governing authority" means the (A) the Board of Directors; or (B) if the organization does not have a Board of Directors, the highest-level governing body of the organization.

"High-level personnel of the organization" and "substantial authority personnel" have the meaning given those terms in the Commentary to 8A1.2 (Application Instructions - Organizations).

"Standards and procedures" means standards of conduct and internal controls that are reasonably capable of reducing the likelihood of criminal conduct.

2. Factors to Consider in Meeting Requirements of this Guideline.

(A) In General. Each of the requirements set forth in this guideline shall be met by an organization; however, in determining what specific actions are necessary to meet those requirements, factors that shall be considered include: (i) applicable industry practice or the standards called for by any applicable governmental regulation; (ii) the size of the organization; and (iii) similar misconduct.

(B) Applicable Governmental Regulation and Industry Practice. An organization's failure to incorporate and follow applicable industry practice or the standards called for by any applicable governmental regulation weighs against a finding of an effective compliance and ethics program.

(C) The Size of the Organization.

(i) In General. The formality and scope of actions that an organization shall take to meet the requirements of this guideline, including the necessary features of the organization's standards and procedures, depend on the size of the organization.

(ii) Large Organizations. A large organization generally shall devote more formal operations and greater resources in meeting the requirements of this guideline than shall a small organization. As appropriate, a large organization should encourage small organizations (especially those that have, or seek to have, a business relationship with the large organization) to implement effective compliance and ethics programs.

(iii) Small Organizations. In meeting the requirements of this guideline, small organizations shall demonstrate the same degree of commitment to ethical conduct and compliance with the law as large organizations. However, a small organization may meet the requirements of this guideline with less formality and fewer resources than would be expected of large organizations. In appropriate circumstances, reliance on existing resources and simple systems can demonstrate a degree of commitment that, for a large organization, would only be demonstrated through more formally planned and implemented systems. Examples of the informality and use of fewer resources with which a small organization may meet the requirements of this guideline include the following: (I) the governing authority's discharge of its responsibility for oversight of the compliance and ethics program by directly managing the organization's compliance and ethics efforts; (II) training employees through informal staff meetings, and monitoring through regular "walk-arounds" or continuous observation while managing the organization; (III) using available personnel, rather than employing separate staff, to carry out the compliance and ethics program; and (IV) modeling its own compliance and ethics program on existing, well-regarded compliance and ethics programs and best practices of other similar organizations.

(D) Recurrence of Similar Misconduct. Recurrence of similar misconduct creates doubt regarding whether the organization took reasonable steps to meet the requirements of this guideline. For purposes of this subparagraph, "similar misconduct" has the meaning given that term in the Commentary to 8A1.2 (Application Instructions - Organizations).

3. Application of Subsection (b)(2). High-level personnel and substantial authority personnel of the organization shall be knowledgeable about the content and operation of the compliance and ethics program, shall perform their assigned duties consistent with the exercise of due diligence, and shall promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

If the specific individual(s) assigned overall responsibility for the compliance and ethics program does not have day-to-day operational responsibility for the program, then the individual(s) with day-to-day operational responsibility for the program typically should, no less than annually, give the governing authority or an appropriate subgroup thereof information on the implementation and effectiveness of the compliance and ethics program.

4. Application of Subsection (b)(3).

(A) Consistency with Other Law. Nothing in subsection (b)(3) is intended to require conduct inconsistent with any Federal, State, or local law, including any law governing employment or hiring practices.

(B) Implementation. In implementing subsection (b)(3), the organization shall hire and promote individuals so as to ensure that all individuals within the high-level personnel and substantial authority personnel of the organization will perform their assigned duties in a manner consistent with the exercise of due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law under subsection (a). With respect to the hiring or promotion of such individuals, an organization shall consider the relatedness of the individual's illegal activities and other misconduct (i.e., other conduct inconsistent with an effective compliance and ethics program) to the specific responsibilities the individual is anticipated to be assigned and other factors such as: (i) the recency of the individual's illegal activities and other misconduct; and (ii) whether the individual has engaged in other such illegal activities and other such misconduct.

5. Application of Subsection (b)(6). Adequate discipline of individuals responsible for an offense is a necessary component of enforcement; however, the form of discipline that will be appropriate will be case specific.

6. Application of Subsection (b)(7). Subsection (b)(7) has two aspects. First, the organization should respond appropriately to the criminal conduct. The organization should take reasonable steps, as warranted under the circumstances, to remedy the harm resulting from the criminal conduct. These steps may include, where appropriate, providing restitution to identifiable victims, as well as other forms of remediation. Other reasonable steps to respond appropriately to the criminal conduct may include self-reporting and cooperation with authorities. Second, the organization should act appropriately to prevent further similar criminal conduct, including assessing the compliance and ethics program and making modifications necessary to ensure the program is effective. The steps taken should be consistent with subsections (b)(5) and (c) and may include the use of an outside professional advisor to ensure adequate assessment and implementation of any modifications.

7. Application of Subsection (c). To meet the requirements of subsection (c), an organization shall:

(A) Assess periodically the risk that criminal conduct will occur, including assessing the following:

(i) The nature and seriousness of such criminal conduct.

(ii) The likelihood that certain criminal conduct may occur because of the nature of the organization's business. If, because of the nature of an organization's business, there is a substantial risk that certain types of criminal conduct may occur, the organization shall take reasonable steps to prevent and detect that type of criminal conduct.
For example, an organization that, due to the nature of its business, employs sales personnel who have flexibility to set prices shall establish standards and procedures designed to prevent and detect price-fixing. An organization that, due to the nature of its business, employs sales personnel who have flexibility to represent the material characteristics of a product shall establish standards and procedures designed to prevent and detect fraud.

6.

(iii) The prior history of the organization. The prior history of an organization may indicate types of criminal conduct that it shall take actions to prevent and detect. (B) Prioritize periodically, as appropriate, the actions taken pursuant to any requirement set forth in subsection (b), in order to focus on preventing and detecting the criminal conduct identified under subparagraph (A) of this note as most serious, and most likely, to occur.

(C) Modify, as appropriate, the actions taken pursuant to any requirement set forth in 500

November 1, 2012

GUIDELINES MANUAL

8B2.1

subsection (b) to reduce the risk of criminal conduct identified under subparagraph (A) of this note as most serious, and most likely, to occur. Background: This section sets forth the requirements for an effective compliance and ethics program. This section responds to section 805(a)(2)(5) of the Sarbanes-Oxley Act of 2002, Public Law 107204, which directed the Commission to review and amend, as appropriate, the guidelines and related policy statements to ensure that the guidelines that apply to organizations in this chapter "are sufficient to deter and punish organizational criminal misconduct." The requirements set forth in this guideline are intended to achieve reasonable prevention and detection of criminal conduct for which the organization would be vicariously liable. The prior diligence of an organization in seeking to prevent and detect criminal conduct has a direct bearing on the appropriate penalties and probation terms for the organization if it is convicted and sentenced for a criminal offense.
Historical Note: Effective November 1, 2004 (see Appendix C, amendment 673). Amended effective November 1, 2010 (see Appendix C, amendment 744); November 1, 2011 (see Appendix C, amendment 758).

PART C - FINES

1. DETERMINING THE FINE - CRIMINAL PURPOSE ORGANIZATIONS

8C1.1. Determining the Fine - Criminal Purpose Organizations

If, upon consideration of the nature and circumstances of the offense and the history and characteristics of the organization, the court determines that the organization operated primarily for a criminal purpose or primarily by criminal means, the fine shall be set at an amount (subject to the statutory maximum) sufficient to divest the organization of all its net assets. When this section applies, Subpart 2 (Determining the Fine - Other Organizations) and 8C3.4 (Fines Paid by Owners of Closely Held Organizations) do not apply.

Commentary

Application Note:

1. "Net assets," as used in this section, means the assets remaining after payment of all legitimate claims against assets by known innocent bona fide creditors.

Background: This guideline addresses the case in which the court, based upon an examination of the nature and circumstances of the offense and the history and characteristics of the organization, determines that the organization was operated primarily for a criminal purpose (e.g., a front for a scheme that was designed to commit fraud; an organization established to participate in the illegal manufacture, importation, or distribution of a controlled substance) or operated primarily by criminal means (e.g., a hazardous waste disposal business that had no legitimate means of disposing of hazardous waste). In such a case, the fine shall be set at an amount sufficient to remove all of the organization's net assets. If the extent of the assets of the organization is unknown, the maximum fine authorized by statute should be imposed, absent innocent bona fide creditors.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

* * * * *

2. DETERMINING THE FINE - OTHER ORGANIZATIONS

8C2.1. Applicability of Fine Guidelines

The provisions of 8C2.2 through 8C2.9 apply to each count for which the applicable guideline offense level is determined under:

(a) 2B1.1, 2B1.4, 2B2.3, 2B4.1, 2B5.3, 2B6.1; 2C1.1, 2C1.2, 2C1.6; 2D1.7, 2D3.1, 2D3.2; 2E3.1, 2E4.1, 2E5.1, 2E5.3; 2G3.1; 2K1.1, 2K2.1; 2L1.1; 2N3.1; 2R1.1; 2S1.1, 2S1.3; 2T1.1, 2T1.4, 2T1.6, 2T1.7, 2T1.8, 2T1.9, 2T2.1, 2T2.2, 2T3.1; or

(b) 2E1.1, 2X1.1, 2X2.1, 2X3.1, 2X4.1, with respect to cases in which the offense level for the underlying offense is determined under one of the guideline sections listed in subsection (a) above.

Commentary

Application Notes:

1. If the Chapter Two offense guideline for a count is listed in subsection (a) or (b) above, and the applicable guideline results in the determination of the offense level by use of one of the listed guidelines, apply the provisions of 8C2.2 through 8C2.9 to that count. For example, 8C2.2 through 8C2.9 apply to an offense under 2K2.1 (an offense guideline listed in subsection (a)), unless the cross reference in that guideline requires the offense level to be determined under an offense guideline section not listed in subsection (a).

2. If the Chapter Two offense guideline for a count is not listed in subsection (a) or (b) above, but the applicable guideline results in the determination of the offense level by use of a listed guideline, apply the provisions of 8C2.2 through 8C2.9 to that count. For example, where the conduct set forth in a count of conviction ordinarily referenced to 2N2.1 (an offense guideline not listed in subsection (a)) establishes 2B1.1 (Theft, Property Destruction, and Fraud) as the applicable offense guideline (an offense guideline listed in subsection (a)), 8C2.2 through 8C2.9 would apply because the actual offense level is determined under 2B1.1 (Theft, Property Destruction, and Fraud).

Background: The fine guidelines of this subpart apply only to offenses covered by the guideline sections set forth in subsection (a) above. For example, the provisions of 8C2.2 through 8C2.9 do not apply to counts for which the applicable guideline offense level is determined under Chapter Two, Part Q (Offenses Involving the Environment). For such cases, 8C2.10 (Determining the Fine for Other Counts) is applicable.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422). Amended effective November 1, 1992 (see Appendix C, amendment 453); November 1, 1993 (see Appendix C, amendment 496); November 1, 2001 (see Appendix C, amendments 617, 619, and 634); November 1, 2005 (see Appendix C, amendment 679).

8C2.2. Preliminary Determination of Inability to Pay Fine

(a) Where it is readily ascertainable that the organization cannot and is not likely to become able (even on an installment schedule) to pay restitution required under 8B1.1 (Restitution - Organizations), a determination of the guideline fine range is unnecessary because, pursuant to 8C3.3(a), no fine would be imposed.

(b) Where it is readily ascertainable through a preliminary determination of the minimum of the guideline fine range (see 8C2.3 through 8C2.7) that the organization cannot and is not likely to become able (even on an installment schedule) to pay such minimum guideline fine, a further determination of the guideline fine range is unnecessary. Instead, the court may use the preliminary determination and impose the fine that would result from the application of 8C3.3 (Reduction of Fine Based on Inability to Pay).

Commentary

Application Notes:

1. In a case of a determination under subsection (a), a statement that "the guideline fine range was not determined because it is readily ascertainable that the defendant cannot and is not likely to become able to pay restitution" is recommended.

2. In a case of a determination under subsection (b), a statement that "no precise determination of the guideline fine range is required because it is readily ascertainable that the defendant cannot and is not likely to become able to pay the minimum of the guideline fine range" is recommended.

Background: Many organizational defendants lack the ability to pay restitution. In addition, many organizational defendants who may be able to pay restitution lack the ability to pay the minimum fine called for by 8C2.7(a). In such cases, a complete determination of the guideline fine range may be a needless exercise. This section provides for an abbreviated determination of the guideline fine range that can be applied where it is readily ascertainable that the fine within the guideline fine range determined under 8C2.7 (Guideline Fine Range - Organizations) would be reduced under 8C3.3 (Reduction of Fine Based on Inability to Pay).
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8C2.3. Offense Level

(a) For each count covered by 8C2.1 (Applicability of Fine Guidelines), use the applicable Chapter Two guideline to determine the base offense level and apply, in the order listed, any appropriate adjustments contained in that guideline.

(b) Where there is more than one such count, apply Chapter Three, Part D (Multiple Counts) to determine the combined offense level.

Commentary

Application Notes:

1. In determining the offense level under this section, "defendant," as used in Chapter Two, includes any agent of the organization for whose conduct the organization is criminally responsible.

2. In determining the offense level under this section, apply the provisions of 1B1.2 through 1B1.8. Do not apply the adjustments in Chapter Three, Parts A (Victim-Related Adjustments), B (Role in the Offense), C (Obstruction and Related Adjustments), and E (Acceptance of Responsibility).

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422). Amended effective November 1, 2011 (see Appendix C, amendment 758).

8C2.4. Base Fine

(a) The base fine is the greatest of:

(1) the amount from the table in subsection (d) below corresponding to the offense level determined under 8C2.3 (Offense Level); or

(2) the pecuniary gain to the organization from the offense; or

(3) the pecuniary loss from the offense caused by the organization, to the extent the loss was caused intentionally, knowingly, or recklessly.

(b) Provided, that if the applicable offense guideline in Chapter Two includes a special instruction for organizational fines, that special instruction shall be applied, as appropriate.

(c) Provided, further, that to the extent the calculation of either pecuniary gain or pecuniary loss would unduly complicate or prolong the sentencing process, that amount, i.e., gain or loss as appropriate, shall not be used for the determination of the base fine.

(d) Offense Level Fine Table

    Offense Level      Amount
    6 or less          $5,000
    7                  $7,500
    8                  $10,000
    9                  $15,000
    10                 $20,000
    11                 $30,000
    12                 $40,000
    13                 $60,000
    14                 $85,000
    15                 $125,000
    16                 $175,000
    17                 $250,000
    18                 $350,000
    19                 $500,000
    20                 $650,000
    21                 $910,000
    22                 $1,200,000
    23                 $1,600,000
    24                 $2,100,000
    25                 $2,800,000
    26                 $3,700,000
    27                 $4,800,000
    28                 $6,300,000
    29                 $8,100,000
    30                 $10,500,000
    31                 $13,500,000
    32                 $17,500,000
    33                 $22,000,000
    34                 $28,500,000
    35                 $36,000,000
    36                 $45,500,000
    37                 $57,500,000
    38 or more         $72,500,000

Commentary

Application Notes:

1. "Pecuniary gain," "pecuniary loss," and "offense" are defined in the Commentary to 8A1.2 (Application Instructions - Organizations). Note that subsections (a)(2) and (a)(3) contain certain limitations as to the use of pecuniary gain and pecuniary loss in determining the base fine. Under subsection (a)(2), the pecuniary gain used to determine the base fine is the pecuniary gain to the organization from the offense. Under subsection (a)(3), the pecuniary loss used to determine the base fine is the pecuniary loss from the offense caused by the organization, to the extent that such loss was caused intentionally, knowingly, or recklessly.

2. Under 18 U.S.C. 3571(d), the court is not required to calculate pecuniary loss or pecuniary gain to the extent that determination of loss or gain would unduly complicate or prolong the sentencing process. Nevertheless, the court may need to approximate loss in order to calculate offense levels under Chapter Two. See Commentary to 2B1.1 (Theft, Property Destruction, and Fraud). If loss is approximated for purposes of determining the applicable offense level, the court should use that approximation as the starting point for calculating pecuniary loss under this section.

3. In a case of an attempted offense or a conspiracy to commit an offense, pecuniary loss and pecuniary gain are to be determined in accordance with the principles stated in 2X1.1 (Attempt, Solicitation, or Conspiracy).

4. In a case involving multiple participants (i.e., multiple organizations, or the organization and individual(s) unassociated with the organization), the applicable offense level is to be determined without regard to apportionment of the gain from or loss caused by the offense. See 1B1.3 (Relevant Conduct). However, if the base fine is determined under subsections (a)(2) or (a)(3), the court may, as appropriate, apportion gain or loss considering the defendant's relative culpability and other pertinent factors. Note also that under 2R1.1(d)(1), the volume of commerce, which is used in determining a proxy for loss under 8C2.4(a)(3), is limited to the volume of commerce attributable to the defendant.

5. Special instructions regarding the determination of the base fine are contained in 2B4.1 (Bribery in Procurement of Bank Loan and Other Commercial Bribery); 2C1.1 (Offering, Giving, Soliciting, or Receiving a Bribe; Extortion Under Color of Official Right; Fraud Involving the Deprivation of the Intangible Right to Honest Services of Public Officials; Conspiracy to Defraud by Interference with Governmental Functions); 2C1.2 (Offering, Giving, Soliciting, or Receiving a Gratuity); 2E5.1 (Offering, Accepting, or Soliciting a Bribe or Gratuity Affecting the Operation of an Employee Welfare or Pension Benefit Plan; Prohibited Payments or Lending of Money by Employer or Agent to Employees, Representatives, or Labor Organizations); and 2R1.1 (Bid-Rigging, Price-Fixing or Market-Allocation Agreements Among Competitors).

Background: Under this section, the base fine is determined in one of three ways: (1) by the amount, based on the offense level, from the table in subsection (d); (2) by the pecuniary gain to the organization from the offense; and (3) by the pecuniary loss caused by the organization, to the extent that such loss was caused intentionally, knowingly, or recklessly. In certain cases, special instructions for determining the loss or offense level amount apply. As a general rule, the base fine measures the seriousness of the offense. The determinants of the base fine are selected so that, in conjunction with the multipliers derived from the culpability score in 8C2.5 (Culpability Score), they will result in guideline fine ranges appropriate to deter organizational criminal conduct and to provide incentives for organizations to maintain internal mechanisms for preventing, detecting, and reporting criminal conduct. In order to deter organizations from seeking to obtain financial reward through criminal conduct, this section provides that, when greatest, pecuniary gain to the organization is used to determine the base fine. In order to ensure that organizations will seek to prevent losses intentionally, knowingly, or recklessly caused by their agents, this section provides that, when greatest, pecuniary loss is used to determine the base fine in such circumstances. Chapter Two provides special instructions for fines that include specific rules for determining the base fine in connection with certain types of offenses in which the calculation of loss or gain is difficult, e.g., price-fixing. For these offenses, the special instructions tailor the base fine to circumstances that occur in connection with such offenses and that generally relate to the magnitude of loss or gain resulting from such offenses.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422). Amended effective November 1, 1993 (see Appendix C, amendment 496); November 1, 1995 (see Appendix C, amendment 534); November 1, 2001 (see Appendix C, amendment 634); November 1, 2004 (see Appendix C, amendments 666 and 673).

8C2.5. Culpability Score

(a) Start with 5 points and apply subsections (b) through (g) below.

(b) Involvement in or Tolerance of Criminal Activity

If more than one applies, use the greatest:

(1) If -

(A) the organization had 5,000 or more employees and

(i) an individual within high-level personnel of the organization participated in, condoned, or was willfully ignorant of the offense; or

(ii) tolerance of the offense by substantial authority personnel was pervasive throughout the organization; or

(B) the unit of the organization within which the offense was committed had 5,000 or more employees and

(i) an individual within high-level personnel of the unit participated in, condoned, or was willfully ignorant of the offense; or

(ii) tolerance of the offense by substantial authority personnel was pervasive throughout such unit,

add 5 points; or

(2) If -

(A) the organization had 1,000 or more employees and

(i) an individual within high-level personnel of the organization participated in, condoned, or was willfully ignorant of the offense; or

(ii) tolerance of the offense by substantial authority personnel was pervasive throughout the organization; or

(B) the unit of the organization within which the offense was committed had 1,000 or more employees and

(i) an individual within high-level personnel of the unit participated in, condoned, or was willfully ignorant of the offense; or

(ii) tolerance of the offense by substantial authority personnel was pervasive throughout such unit,

add 4 points; or

(3) If -

(A) the organization had 200 or more employees and

(i) an individual within high-level personnel of the organization participated in, condoned, or was willfully ignorant of the offense; or

(ii) tolerance of the offense by substantial authority personnel was pervasive throughout the organization; or

(B) the unit of the organization within which the offense was committed had 200 or more employees and

(i) an individual within high-level personnel of the unit participated in, condoned, or was willfully ignorant of the offense; or

(ii) tolerance of the offense by substantial authority personnel was pervasive throughout such unit,

add 3 points; or

(4) If the organization had 50 or more employees and an individual within substantial authority personnel participated in, condoned, or was willfully ignorant of the offense, add 2 points; or

(5) If the organization had 10 or more employees and an individual within substantial authority personnel participated in, condoned, or was willfully ignorant of the offense, add 1 point.

(c) Prior History

If more than one applies, use the greater:

(1) If the organization (or separately managed line of business) committed any part of the instant offense less than 10 years after (A) a criminal adjudication based on similar misconduct; or (B) civil or administrative adjudication(s) based on two or more separate instances of similar misconduct, add 1 point; or

(2) If the organization (or separately managed line of business) committed any part of the instant offense less than 5 years after (A) a criminal adjudication based on similar misconduct; or (B) civil or administrative adjudication(s) based on two or more separate instances of similar misconduct, add 2 points.

(d) Violation of an Order

If more than one applies, use the greater:

(1) (A) If the commission of the instant offense violated a judicial order or injunction, other than a violation of a condition of probation; or (B) if the organization (or separately managed line of business) violated a condition of probation by engaging in similar misconduct, i.e., misconduct similar to that for which it was placed on probation, add 2 points; or

(2) If the commission of the instant offense violated a condition of probation, add 1 point.

(e) Obstruction of Justice

If the organization willfully obstructed or impeded, attempted to obstruct or impede, or aided, abetted, or encouraged obstruction of justice during the investigation, prosecution, or sentencing of the instant offense, or, with knowledge thereof, failed to take reasonable steps to prevent such obstruction or impedance or attempted obstruction or impedance, add 3 points.

(f) Effective Compliance and Ethics Program

(1) If the offense occurred even though the organization had in place at the time of the offense an effective compliance and ethics program, as provided in 8B2.1 (Effective Compliance and Ethics Program), subtract 3 points.

(2) Subsection (f)(1) shall not apply if, after becoming aware of an offense, the organization unreasonably delayed reporting the offense to appropriate governmental authorities.

(3) (A) Except as provided in subparagraphs (B) and (C), subsection (f)(1) shall not apply if an individual within high-level personnel of the organization, a person within high-level personnel of the unit of the organization within which the offense was committed where the unit had 200 or more employees, or an individual described in 8B2.1(b)(2)(B) or (C), participated in, condoned, or was willfully ignorant of the offense.

(B) There is a rebuttable presumption, for purposes of subsection (f)(1), that the organization did not have an effective compliance and ethics program if an individual

(i) within high-level personnel of a small organization; or

(ii) within substantial authority personnel, but not within high-level personnel, of any organization,

participated in, condoned, or was willfully ignorant of, the offense.

(C) Subparagraphs (A) and (B) shall not apply if

(i) the individual or individuals with operational responsibility for the compliance and ethics program (see 8B2.1(b)(2)(C)) have direct reporting obligations to the governing authority or an appropriate subgroup thereof (e.g., an audit committee of the board of directors);

(ii) the compliance and ethics program detected the offense before discovery outside the organization or before such discovery was reasonably likely;

(iii) the organization promptly reported the offense to appropriate governmental authorities; and

(iv) no individual with operational responsibility for the compliance and ethics program participated in, condoned, or was willfully ignorant of the offense.

(g) Self-Reporting, Cooperation, and Acceptance of Responsibility

If more than one applies, use the greatest:

(1) If the organization (A) prior to an imminent threat of disclosure or government investigation; and (B) within a reasonably prompt time after becoming aware of the offense, reported the offense to appropriate governmental authorities, fully cooperated in the investigation, and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct, subtract 5 points; or

(2) If the organization fully cooperated in the investigation and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct, subtract 2 points; or

(3) If the organization clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct, subtract 1 point.

Commentary

Application Notes:

1. Definitions. For purposes of this guideline, "condoned", "prior criminal adjudication", "similar misconduct", "substantial authority personnel", and "willfully ignorant of the offense" have the meaning given those terms in Application Note 3 of the Commentary to 8A1.2 (Application Instructions - Organizations).

"Small Organization", for purposes of subsection (f)(3), means an organization that, at the time of the instant offense, had fewer than 200 employees.

2. For purposes of subsection (b), "unit of the organization" means any reasonably distinct operational component of the organization. For example, a large organization may have several large units such as divisions or subsidiaries, as well as many smaller units such as specialized manufacturing, marketing, or accounting operations within these larger units. For purposes of this definition, all of these types of units are encompassed within the term "unit of the organization."

3. "High-level personnel of the organization" is defined in the Commentary to 8A1.2 (Application Instructions - Organizations). With respect to a unit with 200 or more employees, "high-level personnel of a unit of the organization" means agents within the unit who set the policy for or control that unit. For example, if the managing agent of a unit with 200 employees participated in an offense, three points would be added under subsection (b)(3); if that organization had 1,000 employees and the managing agent of the unit with 200 employees were also within high-level personnel of the organization in its entirety, four points (rather than three) would be added under subsection (b)(2).

4. Pervasiveness under subsection (b) will be case specific and depend on the number, and degree of responsibility, of individuals within substantial authority personnel who participated in, condoned, or were willfully ignorant of the offense. Fewer individuals need to be involved for a finding of pervasiveness if those individuals exercised a relatively high degree of authority. Pervasiveness can occur either within an organization as a whole or within a unit of an organization. For example, if an offense were committed in an organization with 1,000 employees but the tolerance of the offense was pervasive only within a unit of the organization with 200 employees (and no high-level personnel of the organization participated in, condoned, or was willfully ignorant of the offense), three points would be added under subsection (b)(3). If, in the same organization, tolerance of the offense was pervasive throughout the organization as a whole, or an individual within high-level personnel of the organization participated in the offense, four points (rather than three) would be added under subsection (b)(2).

5. A "separately managed line of business," as used in subsections (c) and (d), is a subpart of a for-profit organization that has its own management, has a high degree of autonomy from higher managerial authority, and maintains its own separate books of account. Corporate subsidiaries and divisions frequently are separately managed lines of business. Under subsection (c), in determining the prior history of an organization with separately managed lines of business, only the prior conduct or criminal record of the separately managed line of business involved in the instant offense is to be used. Under subsection (d), in the context of an organization with separately managed lines of business, in making the determination whether a violation of a condition of probation involved engaging in similar misconduct, only the prior misconduct of the separately managed line of business involved in the instant offense is to be considered.

6. Under subsection (c), in determining the prior history of an organization or separately managed line of business, the conduct of the underlying economic entity shall be considered without regard to its legal structure or ownership. For example, if two companies merged and became separate divisions and separately managed lines of business within the merged company, each division would retain the prior history of its predecessor company. If a company reorganized and became a new legal entity, the new company would retain the prior history of the predecessor company. In contrast, if one company purchased the physical assets but not the ongoing business of another company, the prior history of the company selling the physical assets would not be transferred to the company purchasing the assets. However, if an organization is acquired by another organization in response to solicitations by appropriate federal government officials, the prior history of the acquired organization shall not be attributed to the acquiring organization.

7. Under subsections (c)(1)(B) and (c)(2)(B), the civil or administrative adjudication(s) must have occurred within the specified period (ten or five years) of the instant offense.

8. Adjust the culpability score for the factors listed in subsection (e) whether or not the offense guideline incorporates that factor, or that factor is inherent in the offense.

9. Subsection (e) applies where the obstruction is committed on behalf of the organization; it does not apply where an individual or individuals have attempted to conceal their misconduct from the organization. The Commentary to 3C1.1 (Obstructing or Impeding the Administration of Justice) provides guidance regarding the types of conduct that constitute obstruction.

10. Subsection (f)(2) contemplates that the organization will be allowed a reasonable period of time to conduct an internal investigation. In addition, no reporting is required by subsection (f)(2) or (f)(3)(C)(iii) if the organization reasonably concluded, based on the information then available, that no offense had been committed.

11. For purposes of subsection (f)(3)(C)(i), an individual has "direct reporting obligations" to the governing authority or an appropriate subgroup thereof if the individual has express authority to communicate personally to the governing authority or appropriate subgroup thereof (A) promptly on any matter involving criminal conduct or potential criminal conduct, and (B) no less than annually on the implementation and effectiveness of the compliance and ethics program.

12. "Appropriate governmental authorities," as used in subsections (f) and (g)(1), means the federal or state law enforcement, regulatory, or program officials having jurisdiction over such matter. To qualify for a reduction under subsection (g)(1), the report to appropriate governmental authorities must be made under the direction of the organization.

13. To qualify for a reduction under subsection (g)(1) or (g)(2), cooperation must be both timely and thorough. To be timely, the cooperation must begin essentially at the same time as the organization is officially notified of a criminal investigation. To be thorough, the cooperation should include the disclosure of all pertinent information known by the organization. A prime test of whether the organization has disclosed all pertinent information is whether the information is sufficient for law enforcement personnel to identify the nature and extent of the offense and the individual(s) responsible for the criminal conduct. However, the cooperation to be measured is the cooperation of the organization itself, not the cooperation of individuals within the organization. If, because of the lack of cooperation of particular individual(s), neither the organization nor law enforcement personnel are able to identify the culpable individual(s) within the organization despite the organization's efforts to cooperate fully, the organization may still be given credit for full cooperation.

14. Entry of a plea of guilty prior to the commencement of trial combined with truthful admission of involvement in the offense and related conduct ordinarily will constitute significant evidence of affirmative acceptance of responsibility under subsection (g), unless outweighed by conduct of the organization that is inconsistent with such acceptance of responsibility. This adjustment is not intended to apply to an organization that puts the government to its burden of proof at trial by denying the essential factual elements of guilt, is convicted, and only then admits guilt and expresses remorse. Conviction by trial, however, does not automatically preclude an organization from consideration for such a reduction. In rare situations, an organization may clearly demonstrate an acceptance of responsibility for its criminal conduct even though it exercises its constitutional right to a trial. This may occur, for example, where an organization goes to trial to assert and preserve issues that do not relate to factual guilt (e.g., to make a constitutional challenge to a statute or a challenge to the applicability of a statute to its conduct). In each such instance, however, a determination that an organization has accepted responsibility will be based primarily upon pretrial statements and conduct.

15. In making a determination with respect to subsection (g), the court may determine that the chief executive officer or highest ranking employee of an organization should appear at sentencing in order to signify that the organization has clearly demonstrated recognition and affirmative acceptance of responsibility.

Background: The increased culpability scores under subsection (b) are based on three interrelated principles. First, an organization is more culpable when individuals who manage the organization 513

8C2.5

GUIDELINES MANUAL

November 1, 2012

or who have substantial discretion in acting for the organization participate in, condone, or are willfully ignorant of criminal conduct. Second, as organizations become larger and their managements become more professional, participation in, condonation of, or willful ignorance of criminal conduct by such management is increasingly a breach of trust or abuse of position. Third, as organizations increase in size, the risk of criminal conduct beyond that reflected in the instant offense also increases whenever managements tolerance of that offense is pervasive. Because of the continuum of sizes of organizations and professionalization of management, subsection (b) gradually increases the culpability score based upon the size of the organization and the level and extent of the substantial authority personnel involvement.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422). Amended effective November 1, 2004 (see Appendix C, amendment 673); November 1, 2006 (see Appendix C, amendment 695); November 1, 2010 (see Appendix C, amendment 744).

8C2.6. Minimum and Maximum Multipliers

Using the culpability score from 8C2.5 (Culpability Score) and applying any applicable special instruction for fines in Chapter Two, determine the applicable minimum and maximum fine multipliers from the table below.

Culpability Score    Minimum Multiplier    Maximum Multiplier
10 or more           2.00                  4.00
9                    1.80                  3.60
8                    1.60                  3.20
7                    1.40                  2.80
6                    1.20                  2.40
5                    1.00                  2.00
4                    0.80                  1.60
3                    0.60                  1.20
2                    0.40                  0.80
1                    0.20                  0.40
0 or less            0.05                  0.20

Commentary Application Note: 1. A special instruction for fines in 2R1.1 (Bid-Rigging, Price-Fixing or Market-Allocation Agreements Among Competitors) sets a floor for minimum and maximum multipliers in cases covered by that guideline.

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).


8C2.7. Guideline Fine Range - Organizations

(a) The minimum of the guideline fine range is determined by multiplying the base fine determined under 8C2.4 (Base Fine) by the applicable minimum multiplier determined under 8C2.6 (Minimum and Maximum Multipliers).
(b) The maximum of the guideline fine range is determined by multiplying the base fine determined under 8C2.4 (Base Fine) by the applicable maximum multiplier determined under 8C2.6 (Minimum and Maximum Multipliers).

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8C2.8. Determining the Fine Within the Range (Policy Statement)

(a) In determining the amount of the fine within the applicable guideline range, the court should consider:
(1) the need for the sentence to reflect the seriousness of the offense, promote respect for the law, provide just punishment, afford adequate deterrence, and protect the public from further crimes of the organization;
(2) the organization's role in the offense;
(3) any collateral consequences of conviction, including civil obligations arising from the organization's conduct;
(4) any nonpecuniary loss caused or threatened by the offense;
(5) whether the offense involved a vulnerable victim;
(6) any prior criminal record of an individual within high-level personnel of the organization or high-level personnel of a unit of the organization who participated in, condoned, or was willfully ignorant of the criminal conduct;
(7) any prior civil or criminal misconduct by the organization other than that counted under 8C2.5(c);
(8) any culpability score under 8C2.5 (Culpability Score) higher than 10 or lower than 0;
(9) partial but incomplete satisfaction of the conditions for one or more of the mitigating or aggravating factors set forth in 8C2.5 (Culpability Score);
(10) any factor listed in 18 U.S.C. 3572(a); and
(11) whether the organization failed to have, at the time of the instant offense, an effective compliance and ethics program within the meaning of 8B2.1 (Effective Compliance and Ethics Program).

(b) In addition, the court may consider the relative importance of any factor used to determine the range, including the pecuniary loss caused by the offense, the pecuniary gain from the offense, any specific offense characteristic used to determine the offense level, and any aggravating or mitigating factor used to determine the culpability score.

Commentary
Application Notes:
1. Subsection (a)(2) provides that the court, in setting the fine within the guideline fine range, should consider the organization's role in the offense. This consideration is particularly appropriate if the guideline fine range does not take the organization's role in the offense into account. For example, the guideline fine range in an antitrust case does not take into consideration whether the organization was an organizer or leader of the conspiracy. A higher fine within the guideline fine range ordinarily will be appropriate for an organization that takes a leading role in such an offense.
2. Subsection (a)(3) provides that the court, in setting the fine within the guideline fine range, should consider any collateral consequences of conviction, including civil obligations arising from the organization's conduct. As a general rule, collateral consequences that merely make victims whole provide no basis for reducing the fine within the guideline range. If criminal and civil sanctions are unlikely to make victims whole, this may provide a basis for a higher fine within the guideline fine range. If punitive collateral sanctions have been or will be imposed on the organization, this may provide a basis for a lower fine within the guideline fine range.
3. Subsection (a)(4) provides that the court, in setting the fine within the guideline fine range, should consider any nonpecuniary loss caused or threatened by the offense. To the extent that nonpecuniary loss caused or threatened (e.g., loss of or threat to human life; psychological injury; threat to national security) by the offense is not adequately considered in setting the guideline fine range, this factor provides a basis for a higher fine within the range. This factor is more likely to be applicable where the guideline fine range is determined by pecuniary loss or gain, rather than by offense level, because the Chapter Two offense levels frequently take actual or threatened nonpecuniary loss into account.
4. Subsection (a)(6) provides that the court, in setting the fine within the guideline fine range, should consider any prior criminal record of an individual within high-level personnel of the organization or within high-level personnel of a unit of the organization. Since an individual within high-level personnel either exercises substantial control over the organization or a unit of the organization or has a substantial role in the making of policy within the organization or a unit of the organization, any prior criminal misconduct of such an individual may be relevant to the determination of the appropriate fine for the organization.
5. Subsection (a)(7) provides that the court, in setting the fine within the guideline fine range, should consider any prior civil or criminal misconduct by the organization other than that counted under 8C2.5(c). The civil and criminal misconduct counted under 8C2.5(c) increases the guideline fine range. Civil or criminal misconduct other than that counted under 8C2.5(c) may provide a basis for a higher fine within the range. In a case involving a pattern of illegality, an upward departure may be warranted.
6. Subsection (a)(8) provides that the court, in setting the fine within the guideline fine range, should consider any culpability score higher than ten or lower than zero. As the culpability score increases above ten, this may provide a basis for a higher fine within the range. Similarly, as the culpability score decreases below zero, this may provide a basis for a lower fine within the range.
7. Under subsection (b), the court, in determining the fine within the range, may consider any factor that it considered in determining the range. This allows for courts to differentiate between cases that have the same offense level but differ in seriousness (e.g., two fraud cases at offense level 12, one resulting in a loss of $21,000, the other $40,000). Similarly, this allows for courts to differentiate between two cases that have the same aggravating factors, but in which those factors vary in their intensity (e.g., two cases with upward adjustments to the culpability score under 8C2.5(c)(2) (prior criminal adjudications within 5 years of the commencement of the instant offense), one involving a single conviction, the other involving two or more convictions).

Background: Subsection (a) includes factors that the court is required to consider under 18 U.S.C. 3553(a) and 3572(a) as well as additional factors that the Commission has determined may be relevant in a particular case. A number of factors required for consideration under 18 U.S.C. 3572(a) (e.g., pecuniary loss, the size of the organization) are used under the fine guidelines in this subpart to determine the fine range, and therefore are not specifically set out again in subsection (a) of this guideline. In unusual cases, factors listed in this section may provide a basis for departure.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422). Amended effective November 1, 2004 (see Appendix C, amendment 673).

8C2.9. Disgorgement

The court shall add to the fine determined under 8C2.8 (Determining the Fine Within the Range) any gain to the organization from the offense that has not and will not be paid as restitution or by way of other remedial measures.

Commentary Application Note: 1. This section is designed to ensure that the amount of any gain that has not and will not be taken from the organization for remedial purposes will be added to the fine. This section typically will apply in cases in which the organization has received gain from an offense but restitution or remedial efforts will not be required because the offense did not result in harm to identifiable victims, e.g., money laundering, obscenity, and regulatory reporting offenses. Money spent or to be spent to remedy the adverse effects of the offense, e.g., the cost to retrofit defective products, should be considered as disgorged gain. If the cost of remedial efforts made or to be made by the organization equals or exceeds the gain from the offense, this section will not apply.

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).


8C2.10. Determining the Fine for Other Counts For any count or counts not covered under 8C2.1 (Applicability of Fine Guidelines), the court should determine an appropriate fine by applying the provisions of 18 U.S.C. 3553 and 3572. The court should determine the appropriate fine amount, if any, to be imposed in addition to any fine determined under 8C2.8 (Determining the Fine Within the Range) and 8C2.9 (Disgorgement).

Commentary Background: The Commission has not promulgated guidelines governing the setting of fines for counts not covered by 8C2.1 (Applicability of Fine Guidelines). For such counts, the court should determine the appropriate fine based on the general statutory provisions governing sentencing. In cases that have a count or counts not covered by the guidelines in addition to a count or counts covered by the guidelines, the court shall apply the fine guidelines for the count(s) covered by the guidelines, and add any additional amount to the fine, as appropriate, for the count(s) not covered by the guidelines.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

* * * * *

3. IMPLEMENTING THE SENTENCE OF A FINE

8C3.1. Imposing a Fine

(a) Except to the extent restricted by the maximum fine authorized by statute or any minimum fine required by statute, the fine or fine range shall be that determined under 8C1.1 (Determining the Fine - Criminal Purpose Organizations); 8C2.7 (Guideline Fine Range - Organizations) and 8C2.9 (Disgorgement); or 8C2.10 (Determining the Fine for Other Counts), as appropriate.
(b) Where the minimum guideline fine is greater than the maximum fine authorized by statute, the maximum fine authorized by statute shall be the guideline fine.
(c) Where the maximum guideline fine is less than a minimum fine required by statute, the minimum fine required by statute shall be the guideline fine.

Commentary Background: This section sets forth the interaction of the fines or fine ranges determined under this chapter with the maximum fine authorized by statute and any minimum fine required by statute for the count or counts of conviction. The general statutory provisions governing a sentence of a fine are set forth in 18 U.S.C. 3571.


When the organization is convicted of multiple counts, the maximum fine authorized by statute may increase. For example, in the case of an organization convicted of three felony counts related to a $200,000 fraud, the maximum fine authorized by statute will be $500,000 on each count, for an aggregate maximum authorized fine of $1,500,000.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8C3.2. Payment of the Fine - Organizations

(a) If the defendant operated primarily for a criminal purpose or primarily by criminal means, immediate payment of the fine shall be required.
(b) In any other case, immediate payment of the fine shall be required unless the court finds that the organization is financially unable to make immediate payment or that such payment would pose an undue burden on the organization. If the court permits other than immediate payment, it shall require full payment at the earliest possible date, either by requiring payment on a date certain or by establishing an installment schedule.

Commentary Application Note: 1. When the court permits other than immediate payment, the period provided for payment shall in no event exceed five years. 18 U.S.C. 3572(d).

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8C3.3. Reduction of Fine Based on Inability to Pay

(a) The court shall reduce the fine below that otherwise required by 8C1.1 (Determining the Fine - Criminal Purpose Organizations), or 8C2.7 (Guideline Fine Range - Organizations) and 8C2.9 (Disgorgement), to the extent that imposition of such fine would impair its ability to make restitution to victims.
(b) The court may impose a fine below that otherwise required by 8C2.7 (Guideline Fine Range - Organizations) and 8C2.9 (Disgorgement) if the court finds that the organization is not able and, even with the use of a reasonable installment schedule, is not likely to become able to pay the minimum fine required by 8C2.7 (Guideline Fine Range - Organizations) and 8C2.9 (Disgorgement). Provided, that the reduction under this subsection shall not be more than necessary to avoid substantially jeopardizing the continued viability of the organization.


Commentary Application Note: 1. For purposes of this section, an organization is not able to pay the minimum fine if, even with an installment schedule under 8C3.2 (Payment of the Fine - Organizations), the payment of that fine would substantially jeopardize the continued existence of the organization.

Background: Subsection (a) carries out the requirement in 18 U.S.C. 3572(b) that the court impose a fine or other monetary penalty only to the extent that such fine or penalty will not impair the ability of the organization to make restitution for the offense; however, this section does not authorize a criminal purpose organization to remain in business in order to pay restitution.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8C3.4. Fines Paid by Owners of Closely Held Organizations

The court may offset the fine imposed upon a closely held organization when one or more individuals, each of whom owns at least a 5 percent interest in the organization, has been fined in a federal criminal proceeding for the same offense conduct for which the organization is being sentenced. The amount of such offset shall not exceed the amount resulting from multiplying the total fines imposed on those individuals by those individuals' total percentage interest in the organization.

Commentary
Application Notes:
1. For purposes of this section, an organization is closely held, regardless of its size, when relatively few individuals own it. In order for an organization to be closely held, ownership and management need not completely overlap.
2. This section does not apply to a fine imposed upon an individual that arises out of offense conduct different from that for which the organization is being sentenced.

Background: For practical purposes, most closely held organizations are the alter egos of their owner-managers. In the case of criminal conduct by a closely held corporation, the organization and the culpable individual(s) both may be convicted. As a general rule in such cases, appropriate punishment may be achieved by offsetting the fine imposed upon the organization by an amount that reflects the percentage ownership interest of the sentenced individuals and the magnitude of the fines imposed upon those individuals. For example, an organization is owned by five individuals, each of whom has a twenty percent interest; three of the individuals are convicted; and the combined fines imposed on those three equals $100,000. In this example, the fine imposed upon the organization may be offset by up to 60 percent of their combined fine amounts, i.e., by $60,000.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

* * * * *

4. DEPARTURES FROM THE GUIDELINE FINE RANGE

Introductory Commentary The statutory provisions governing departures are set forth in 18 U.S.C. 3553(b). Departure may be warranted if the court finds "that there exists an aggravating or mitigating circumstance of a kind, or to a degree, not adequately taken into consideration by the Sentencing Commission in formulating the guidelines that should result in a sentence different from that described." This subpart sets forth certain factors that, in connection with certain offenses, may not have been adequately taken into consideration by the guidelines. In deciding whether departure is warranted, the court should consider the extent to which that factor is adequately taken into consideration by the guidelines and the relative importance or substantiality of that factor in the particular case. To the extent that any policy statement from Chapter Five, Part K (Departures) is relevant to the organization, a departure from the applicable guideline fine range may be warranted. Some factors listed in Chapter Five, Part K that are particularly applicable to organizations are listed in this subpart. Other factors listed in Chapter Five, Part K may be applicable in particular cases. While this subpart lists factors that the Commission believes may constitute grounds for departure, the list is not exhaustive.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8C4.1. Substantial Assistance to Authorities - Organizations (Policy Statement)

(a) Upon motion of the government stating that the defendant has provided substantial assistance in the investigation or prosecution of another organization that has committed an offense, or in the investigation or prosecution of an individual not directly affiliated with the defendant who has committed an offense, the court may depart from the guidelines.
(b) The appropriate reduction shall be determined by the court for reasons stated on the record that may include, but are not limited to, consideration of the following:
(1) the court's evaluation of the significance and usefulness of the organization's assistance, taking into consideration the government's evaluation of the assistance rendered;
(2) the nature and extent of the organization's assistance; and
(3) the timeliness of the organization's assistance.

Commentary
Application Note:
1. Departure under this section is intended for cases in which substantial assistance is provided in the investigation or prosecution of crimes committed by individuals not directly affiliated with the organization or by other organizations. It is not intended for assistance in the investigation or prosecution of the agents of the organization responsible for the offense for which the organization is being sentenced.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8C4.2. Risk of Death or Bodily Injury (Policy Statement)

If the offense resulted in death or bodily injury, or involved a foreseeable risk of death or bodily injury, an upward departure may be warranted. The extent of any such departure should depend, among other factors, on the nature of the harm and the extent to which the harm was intended or knowingly risked, and the extent to which such harm or risk is taken into account within the applicable guideline fine range.

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8C4.3. Threat to National Security (Policy Statement)

If the offense constituted a threat to national security, an upward departure may be warranted.

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8C4.4. Threat to the Environment (Policy Statement)

If the offense presented a threat to the environment, an upward departure may be warranted.

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8C4.5. Threat to a Market (Policy Statement)

If the offense presented a risk to the integrity or continued existence of a market, an upward departure may be warranted. This section is applicable to both private markets (e.g., a financial market, a commodities market, or a market for consumer goods) and public markets (e.g., government contracting).

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).


8C4.6. Official Corruption (Policy Statement)

If the organization, in connection with the offense, bribed or unlawfully gave a gratuity to a public official, or attempted or conspired to bribe or unlawfully give a gratuity to a public official, an upward departure may be warranted.

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8C4.7. Public Entity (Policy Statement)

If the organization is a public entity, a downward departure may be warranted.

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8C4.8. Members or Beneficiaries of the Organization as Victims (Policy Statement)

If the members or beneficiaries, other than shareholders, of the organization are direct victims of the offense, a downward departure may be warranted. If the members or beneficiaries of an organization are direct victims of the offense, imposing a fine upon the organization may increase the burden upon the victims of the offense without achieving a deterrent effect. In such cases, a fine may not be appropriate. For example, departure may be appropriate if a labor union is convicted of embezzlement of pension funds.

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8C4.9. Remedial Costs that Greatly Exceed Gain (Policy Statement)

If the organization has paid or has agreed to pay remedial costs arising from the offense that greatly exceed the gain that the organization received from the offense, a downward departure may be warranted. In such a case, a substantial fine may not be necessary in order to achieve adequate punishment and deterrence. In deciding whether departure is appropriate, the court should consider the level and extent of substantial authority personnel involvement in the offense and the degree to which the loss exceeds the gain. If an individual within high-level personnel was involved in the offense, a departure would not be appropriate under this section. The lower the level and the more limited the extent of substantial authority personnel involvement in the offense, and the greater the degree to which remedial costs exceeded or will exceed gain, the less will be the need for a substantial fine to achieve adequate punishment and deterrence.

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).


8C4.10. Mandatory Programs to Prevent and Detect Violations of Law (Policy Statement)

If the organization's culpability score is reduced under 8C2.5(f) (Effective Compliance and Ethics Program) and the organization had implemented its program in response to a court order or administrative order specifically directed at the organization, an upward departure may be warranted to offset, in part or in whole, such reduction. Similarly, if, at the time of the instant offense, the organization was required by law to have an effective compliance and ethics program, but the organization did not have such a program, an upward departure may be warranted.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422). Amended effective November 1, 2004 (see Appendix C, amendment 673).

8C4.11. Exceptional Organizational Culpability (Policy Statement)

If the organization's culpability score is greater than 10, an upward departure may be appropriate. If no individual within substantial authority personnel participated in, condoned, or was willfully ignorant of the offense; the organization at the time of the offense had an effective program to prevent and detect violations of law; and the base fine is determined under 8C2.4(a)(1), 8C2.4(a)(3), or a special instruction for fines in Chapter Two (Offense Conduct), a downward departure may be warranted. In a case meeting these criteria, the court may find that the organization had exceptionally low culpability and therefore a fine based on loss, offense level, or a special Chapter Two instruction results in a guideline fine range higher than necessary to achieve the purposes of sentencing. Nevertheless, such fine should not be lower than if determined under 8C2.4(a)(2).
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).


PART D - ORGANIZATIONAL PROBATION

Introductory Commentary Section 8D1.1 sets forth the circumstances under which a sentence to a term of probation is required. Sections 8D1.2 through 8D1.4, and 8F1.1, address the length of the probation term, conditions of probation, and violations of probation conditions.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422). Amended effective November 1, 2004 (see Appendix C, amendment 673).

8D1.1. Imposition of Probation - Organizations

(a) The court shall order a term of probation:
(1) if such sentence is necessary to secure payment of restitution (8B1.1), enforce a remedial order (8B1.2), or ensure completion of community service (8B1.3);
(2) if the organization is sentenced to pay a monetary penalty (e.g., restitution, fine, or special assessment), the penalty is not paid in full at the time of sentencing, and restrictions are necessary to safeguard the organization's ability to make payments;
(3) if, at the time of sentencing, (A) the organization (i) has 50 or more employees, or (ii) was otherwise required under law to have an effective compliance and ethics program; and (B) the organization does not have such a program;
(4) if the organization within five years prior to sentencing engaged in similar misconduct, as determined by a prior criminal adjudication, and any part of the misconduct underlying the instant offense occurred after that adjudication;
(5) if an individual within high-level personnel of the organization or the unit of the organization within which the instant offense was committed participated in the misconduct underlying the instant offense and that individual within five years prior to sentencing engaged in similar misconduct, as determined by a prior criminal adjudication, and any part of the misconduct underlying the instant offense occurred after that adjudication;
(6) if such sentence is necessary to ensure that changes are made within the organization to reduce the likelihood of future criminal conduct;
(7) if the sentence imposed upon the organization does not include a fine; or
(8) if necessary to accomplish one or more of the purposes of sentencing set forth in 18 U.S.C. 3553(a)(2).


Commentary Background: Under 18 U.S.C. 3561(a), an organization may be sentenced to a term of probation. Under 18 U.S.C. 3551(c), imposition of a term of probation is required if the sentence imposed upon the organization does not include a fine.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422). Amended effective November 1, 2004 (see Appendix C, amendment 673).

8D1.2. Term of Probation - Organizations

(a) When a sentence of probation is imposed --
(1) In the case of a felony, the term of probation shall be at least one year but not more than five years.
(2) In any other case, the term of probation shall be not more than five years.

Commentary Application Note: 1. Within the limits set by the guidelines, the term of probation should be sufficient, but not more than necessary, to accomplish the court's specific objectives in imposing the term of probation. The terms of probation set forth in this section are those provided in 18 U.S.C. 3561(b).

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8D1.3.

Conditions of Probation - Organizations

(a) Pursuant to 18 U.S.C. § 3563(a)(1), any sentence of probation shall include the condition that the organization not commit another federal, state, or local crime during the term of probation.

(b) Pursuant to 18 U.S.C. § 3563(a)(2), if a sentence of probation is imposed for a felony, the court shall impose as a condition of probation at least one of the following: (1) restitution or (2) community service, unless the court has imposed a fine, or unless the court finds on the record that extraordinary circumstances exist that would make such condition plainly unreasonable, in which event the court shall impose one or more other conditions set forth in 18 U.S.C. § 3563(b).

(c) The court may impose other conditions that (1) are reasonably related to the nature and circumstances of the offense or the history and characteristics of the organization; and (2) involve only such deprivations of liberty or property as are necessary to effect the purposes of sentencing.

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422). Amended effective November 1, 1997 (see Appendix C, amendment 569); November 1, 2009 (see Appendix C, amendment 733).


8D1.4.

Recommended Conditions of Probation - Organizations (Policy Statement)

(a) The court may order the organization, at its expense and in the format and media specified by the court, to publicize the nature of the offense committed, the fact of conviction, the nature of the punishment imposed, and the steps that will be taken to prevent the recurrence of similar offenses.

(b) If probation is imposed under §8D1.1, the following conditions may be appropriate:

(1) The organization shall develop and submit to the court an effective compliance and ethics program consistent with §8B2.1 (Effective Compliance and Ethics Program). The organization shall include in its submission a schedule for implementation of the compliance and ethics program.

(2) Upon approval by the court of a program referred to in paragraph (1), the organization shall notify its employees and shareholders of its criminal behavior and its program referred to in paragraph (1). Such notice shall be in a form prescribed by the court.

(3) The organization shall make periodic submissions to the court or probation officer, at intervals specified by the court, (A) reporting on the organization's financial condition and results of business operations, and accounting for the disposition of all funds received, and (B) reporting on the organization's progress in implementing the program referred to in paragraph (1). Among other things, reports under subparagraph (B) shall disclose any criminal prosecution, civil litigation, or administrative proceeding commenced against the organization, or any investigation or formal inquiry by governmental authorities of which the organization learned since its last report.

(4) The organization shall notify the court or probation officer immediately upon learning of (A) any material adverse change in its business or financial condition or prospects, or (B) the commencement of any bankruptcy proceeding, major civil litigation, criminal prosecution, or administrative proceeding against the organization, or any investigation or formal inquiry by governmental authorities regarding the organization.

(5) The organization shall submit to: (A) a reasonable number of regular or unannounced examinations of its books and records at appropriate business premises by the probation officer or experts engaged by the court; and (B) interrogation of knowledgeable individuals within the organization. Compensation to and costs of any experts engaged by the court shall be paid by the organization.

(6) The organization shall make periodic payments, as specified by the court, in the following priority: (A) restitution; (B) fine; and (C) any other monetary sanction.


Commentary

Application Note:

1. In determining the conditions to be imposed when probation is ordered under §8D1.1, the court should consider the views of any governmental regulatory body that oversees conduct of the organization relating to the instant offense. To assess the efficacy of a compliance and ethics program submitted by the organization, the court may employ appropriate experts who shall be afforded access to all material possessed by the organization that is necessary for a comprehensive assessment of the proposed program. The court should approve any program that appears reasonably calculated to prevent and detect criminal conduct, as long as it is consistent with §8B2.1 (Effective Compliance and Ethics Program), and any applicable statutory and regulatory requirements. Periodic reports submitted in accordance with subsection (b)(3) should be provided to any governmental regulatory body that oversees conduct of the organization relating to the instant offense.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422). Amended effective November 1, 2004 (see Appendix C, amendment 673); November 1, 2010 (see Appendix C, amendment 744).

8D1.5. [Deleted]

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422); was moved to §8F1.1 effective November 1, 2004 (see Appendix C, amendment 673).


PART E - SPECIAL ASSESSMENTS, FORFEITURES, AND COSTS

8E1.1.

Special Assessments - Organizations

A special assessment must be imposed on an organization in the amount prescribed by statute.

Commentary

Application Notes:

1. This guideline applies if the defendant is an organization. It does not apply if the defendant is an individual. See §5E1.3 for special assessments applicable to individuals.

2. The following special assessments are provided by statute (see 18 U.S.C. § 3013):

For Offenses Committed By Organizations On Or After April 24, 1996:
(A) $400, if convicted of a felony;
(B) $125, if convicted of a Class A misdemeanor;
(C) $50, if convicted of a Class B misdemeanor; or
(D) $25, if convicted of a Class C misdemeanor or an infraction.

For Offenses Committed By Organizations On Or After November 18, 1988 But Prior To April 24, 1996:
(E) $200, if convicted of a felony;
(F) $125, if convicted of a Class A misdemeanor;
(G) $50, if convicted of a Class B misdemeanor; or
(H) $25, if convicted of a Class C misdemeanor or an infraction.

For Offenses Committed By Organizations Prior To November 18, 1988:
(I) $200, if convicted of a felony;
(J) $100, if convicted of a misdemeanor.

3. A special assessment is required by statute for each count of conviction.

Background: Section 3013 of Title 18, United States Code, added by The Victims of Crimes Act of 1984, Pub. L. No. 98-473, Title II, Chap. XIV, requires courts to impose special assessments on convicted defendants for the purpose of funding the Crime Victims Fund established by the same legislation.
Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422); November 1, 1997 (see Appendix C, amendment 573).

8E1.2.


Forfeiture - Organizations

Apply §5E1.4 (Forfeiture).

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).

8E1.3.

Assessment of Costs - Organizations

As provided in 28 U.S.C. § 1918, the court may order the organization to pay the costs of prosecution. In addition, specific statutory provisions mandate assessment of costs.

Historical Note: Effective November 1, 1991 (see Appendix C, amendment 422).


PART F - VIOLATIONS OF PROBATION - ORGANIZATIONS


Historical Note: Effective November 1, 2004 (see Appendix C, amendment 673).

8F1.1.

Violations of Conditions of Probation - Organizations (Policy Statement)

Upon a finding of a violation of a condition of probation, the court may extend the term of probation, impose more restrictive conditions of probation, or revoke probation and resentence the organization.

Commentary

Application Notes:

1. Appointment of Master or Trustee. In the event of repeated violations of conditions of probation, the appointment of a master or trustee may be appropriate to ensure compliance with court orders.

2. Conditions of Probation. Mandatory and recommended conditions of probation are specified in §8D1.3 (Conditions of Probation - Organizations) and §8D1.4 (Recommended Conditions of Probation - Organizations).

Historical Note: Effective November 1, 2004 (see Appendix C, amendment 673).


A Better Class Of Board Ethics Education

By W. Michael Hoffman, Dawn-Marie Driscoll and Mark Rowe

Directors are not typically accustomed to being told what to think. Indeed, a rigorous intellect and an independent spirit of inquiry have never been considered handicaps in the thought-intensive business of corporate governance. However, the last four years have produced some startling examples of boards either unencumbered by such qualities or at least unwilling to parlay them into demonstrations of effective ethical leadership and oversight. While such boards appear to be in a small minority, especially now that shareholders, regulators and the public have such high expectations, we think many boards would appreciate assistance in navigating a course through the ethical reefs on which other companies have foundered. This involves educating them in how (rather than what) to think about the ethics and compliance issues that will confront their companies and them personally. In our earlier article, "Effective Ethics Education of the Board" (Ethikos, January/February 2005, Vol. 18, No. 4), we presented some ideas for setting the stage. In this article, we are largely concerned with the performance itself: how to organize and facilitate board ethics sessions.

Education versus training


In the board context we will continue to use the term "education" (in preference to "training"), even though the amended Federal Sentencing Guidelines for Organizations (FSGOs) refer to the need to conduct effective training programs in which an organization's governing authority must participate. The reasoning bears repetition. Directors should perceive activities in this area as being part of their continuing education responsibilities. Moreover, use of the term education will reinforce the board's sense of an opportunity to extend, refine and practice its thinking, and therefore improve its decision-making, rather than merely an exercise in receiving presentations. We make recommendations in 10 key areas for developing and facilitating board education in ethics.
W. Michael Hoffman is the founding executive director of the Center for Business Ethics (CBE) at Bentley College, Waltham, Massachusetts, and senior partner of Hoffman Rowe, a business ethics consulting firm (www.ethicstrust.com). Dawn-Marie Driscoll is a CBE executive fellow and president of Driscoll Associates. She is also independent chairman of the board of The Scudder Funds. Mark Rowe is the CBE's senior research associate and a partner in Hoffman Rowe.

1. Design a goals-oriented curriculum


When putting together a curriculum for board ethics education, be guided by educational goals, even as basic as having directors talk about ethics and values. But the ultimate objective (however achieved) is to ensure directors can recognize and deal effectively with any ethical issues that may arise. Different boards have reached different stages of ethical development, so first establish where your board stands. Is it still coming to grips with ethical awareness or has it acquired sophisticated ethical reasoning skills? Does the board have the confidence and tools to put decisions about ethically sensitive issues into action effectively? Is the board familiar and comfortable with the concept of ethical leadership and does it demonstrate this in practice? Does the board demand the same of management? One or two directors might already be ethical leaders but will need help in moving their peers to the same level of understanding. Perhaps you need to sharpen the board's appreciation for FSGO obligations and industry best practices. In any event, answering these questions is critical to shaping an effective board education strategy. Here are some possible board education goals:

• Address board responsibilities under the amended FSGOs;
• Increase the board's comfort and candor with ethics;
• Achieve board consensus around what is "ethical;"
• Address ethical issues affecting the board, company and industry;
• Consider board 'best practices';
• Raise individual directors' ethical awareness.

2. Relate to four main areas of board's ethical oversight

When thinking about goals and content, consider the board's responsibility for the oversight of ethics in four areas:

i. The integrity of management and of financial disclosures;
ii. Ethics and compliance programs;
iii. Ethical issues relating to corporate responsibility or public investor expectations (e.g. proxy resolutions, community issues, the environment and doing business overseas);
iv. Ethical issues of the board itself (e.g. conflicts of interest and other issues of director independence, etc.).

Then, depending on the goals of the program, your company and industry, you can focus more attention or less attention on any of these.

3. Put on your director's hat

It helps to understand what directors worry about before you begin. Directors know that theirs is an oversight and not a management role, but when they hear about ethical problems occurring under their noses, or even another board's noses, they worry that they should be asking more questions and getting more information. Where is the balance between the board's oversight role and the desire for detailed information? Directors worry about the integrity of top executives, particularly those in finance, who, naturally, are on best behavior when they come to board meetings. With directors flying in and out, their experience of the corporate culture is usually limited to what they may discern in the elevator or the boardroom. Renewed emphasis on the importance of corporate culture, in the FSGOs, for instance, makes the board's understanding of it a live issue. Directors may find they never have enough time to discuss ethical issues. If they don't talk to each other or have private conference calls in between board meetings, there is generally a gap, during which they may feel out of touch. Having a director as an ally is the best way to get an appreciation of the board's concerns so that these might be addressed in ethics education.

4. Take cues from the corporate climate

If your company or industry has been in trouble, the ethical issues to be addressed may be obvious and pressing. Good times can also be risky, however, because ethical complacency can creep in. A board education program should recognize and respond to the current corporate climate in order that directors are equipped to handle prevailing ethical considerations. A new CEO or new board members will also affect the way board education is handled.

5. Understand board dynamics

Effective board education requires a keen appreciation of board dynamics. Is your board polite or adversarial in conducting its business? Are PowerPoint and other visual aids regarded as helpful or distracting? What is the board's approach to action points and follow-up? What is the board's attitude toward outside experts? Does the board prefer pre-session reading to provoke discussion?


6. Decide who should lead the sessions


Some directors may prefer that the facilitating be done by an outsider (carefully screened, and of the stature and caliber of your board members). Bear in mind that with regard to ethical issues at the board level, an outside resource might have more credibility than someone in-house. The issue of candor is also important so the directors may recommend that at least part of the discussion be held in executive session.


7. Decide how much time to allot


If asked, say that an education session could be done in however much time the board allows. (Of course a very short time might not meet the "due diligence" test, but shorter sessions more often can also work.) If your board has an annual retreat, this would be the ideal time and place to hold ethics education. If, by now, the ethics and compliance function is at least a tab in every board book, continuing education can be achieved with regular articles, news stories, memos and the like.

8. Don't try to cover a wide range of goals in one session

It may be, especially for companies just embarking on formal board education, that the goal is simply to try to get everyone comfortable talking about ethics and coming to an agreement about what they should discuss at the board level. That's not a bad place to start. Perhaps the board might be more comfortable limiting the discussion to real-life issues that have arisen in their own industry or at competitors. Are there ethical issues with regard to the board itself? What's the status of the board's best practices for governance? Does the board do a self-evaluation, and has that raised any sensitive issues? Are there ethical issues with respect to a particular director? It helps to know before you start, as these are the toughest to navigate.

9. Create custom content

Planning and preparing content for the board education sessions requires considerable investment of thought and time but this is likely to be well rewarded. First, make the content timely. Not only will directors appreciate being kept up to date with a discussion of current issues, but they will also be better able to perform their oversight function. Directors should understand that in an environment of significantly tougher regulation and intense public scrutiny, mere compliance is insufficient. What is required now is a proactive understanding of the ethics and values of the corporation, particularly as they relate to the four main areas of board responsibility identified in (2) above. Directors know that the certifications required by Sarbanes-Oxley are retrospective only. They must look forward to tomorrow's risks. Director independence has also become a key issue that needs addressing, and standards of due diligence and loyalty from the board are higher.

Stories are effective because most directors want to know how other boards got in trouble and what liability they faced. Consider Enron, Hollinger, United Way of America, Boston University, Cendant, HealthSouth, Putnam, Disney and the New York Stock Exchange as possible examples. Legal cases are also effective because directors are nervous about being sued, having their depositions taken and having their personal reputations questioned. (A headhunter, who was retained by a board to find a new director, recently called a senior executive in the financial services industry. When asked his view on the most important skill a director needed today, the executive answered, "One word: deposability.")

Consider using hypothetical problems as a jumping-off point. One technique is to divide the board into small groups, have them discuss a very short hypothetical issue and then share their answers. We have a library of over 50 of these real-life problems, which are useful to stimulate brief discussions about ethical issues, although the most effective are those expressly written for a particular board.

"Red flags" are also good, particularly if they are customized for your organization or industry. It helps directors think about the questions they should be asking, not only of compliance and ethics program executives, but also of line managers.

10. Assign homework

We recommend pre-session reading as this will encourage discussion that is informed and reflective. In keeping with our suggestions at (9) above, follow-up reading may also be useful.

Finally, end every session with specific ideas about how directors can continue their ethics education. Suggest opportunities for directors to make themselves visible, such as participating in the company's ethics training. Let them listen in to the ethics helpline. Invite them to come to the next Ethics Officer Association conference. Put them on an ethics mailing list or subscribe to a publication. Suggest outside guest speakers for certain board committees.

Ethics education for the board is finally being taken seriously in corporations. There is a range of different approaches and techniques that can be used, depending on the particular organization, but all share one objective: to get directors into conversations about ethics and to keep them talking for as long and as often as possible. When this happens, it is impossible for board members not to gain a better insight into their role as ethical leaders, individually and as a group.

This is the second of a two-part article. The first part, "Effective Ethics Education of the Board," ran in the January/February 2005 issue of ethikos.

Footnote:
1. Effective as of November 1, 2004.

ethikos and Corporate Conduct Quarterly
JANUARY/FEBRUARY 2005 VOL. 18, NO. 4
EXAMINING ETHICAL AND COMPLIANCE ISSUES IN BUSINESS

Effective Ethics Education of the Board

By W. Michael Hoffman, Dawn-Marie Driscoll and Mark Rowe


Directors must direct. Imagine The Godfather if Francis Ford Coppola had let Brando decide one day that they should tone down all that gangster stuff. Or what if Scorsese had De Niro insisting that he play Raging Bull for laughs? Collaboration and discussion are healthy but directors must insist on doing their job, no matter how big the star. So it should be with corporations. The rise of the superstar CEO in the 1990s upset the balance of power between management and the board, the extreme consequences of which were exemplified by Enron, WorldCom, Tyco and others. Richard Breeden, the court-appointed corporate monitor investigating the massive fraud at WorldCom, noted in his report that "the board did not act like it was in control of the Company's overall direction."1 Indeed, investigations into a number of major corporate scandals have concluded that the relevant boards of directors failed to ask the tough questions of management before approving their schemes. As Breeden also wryly observes, "While not in most descriptions of director qualifications, 'backbone' and 'fortitude' may be the most important qualities needed by a director of a public company."2 Ethics and compliance training for the board can serve to develop such fortitude in the form of moral courage, allowing directors to show ethical leadership in developing the appropriate corporate culture.

W. Michael Hoffman is the founding executive director of the Center for Business Ethics (CBE) at Bentley College, Waltham, Massachusetts, and senior partner of Hoffman Rowe, a business ethics consulting firm (www.ethicstrust.com). Dawn-Marie Driscoll is a CBE executive fellow and president of Driscoll Associates. She is also independent chairman of the board of The Scudder Funds. Mark Rowe is the CBE's senior research associate and a partner in Hoffman Rowe.

A level of engagement is required


The current regulatory pressure on corporations and their boards to review their governance systems requires no explanation here. No doubt many companies have gone to considerable lengths and expense to ensure that their boards comply with the applicable rules and follow the necessary procedures. It is also fair to assume that the majority of directors take their responsibilities seriously. However, good governance requires more than diligence in adhering to checklists of rules and recommended best practices. It is a complex equation that is dependent on the attitudes and actions of the people involved. From the board, it demands a certain critical level of engagement in the affairs of the company, which means that individual directors must have the necessary knowledge, interest and skills to maintain effective oversight. This is where education and training come in.

For some time, many boards have relied on continuing education programs in order to remain up to date and to acquire or refresh skills in key governance areas. Although there would now appear to be consensus that ethics and compliance are two such areas, there is evidence that most companies do not yet deliver systematic ongoing ethics training to their boards of directors. We conducted a survey of participants in a board ethics training discussion we facilitated at the Ethics Officer Association 2004 annual conference. Of 69 respondents, only 29 (42 percent) said that their organizations provide ethics and compliance training for the board of directors. Twenty percent said they plan to introduce such training "within the next 6 months" and a further 17 percent "within the next year." However, 12 percent said their organizations had no current plans to do so. Just over a year previously, the Conference Board conducted a similar survey of attendees at its 2003 Ethics Conference. That survey found that although 81 percent have conducted ethics and compliance training among their employees, only 27 percent have held any training sessions for their directors. Significantly, 55 percent of those surveyed believed their boards were "not engaged enough" in major ethical issues involving the company.

But a major development has occurred since the above statistics were gathered: the amendments to the federal Sentencing Guidelines for Organizations ("Guidelines"). Since November 1, 2004, among the Guidelines' minimum requirements for an organization to show the necessary due diligence and to promote an ethical and legally compliant culture, is the obligation on the board to be "knowledgeable about the content and operation of the compliance and ethics program" and to exercise reasonable oversight of it. Secondly, the following sub-section expressly requires the board to participate in training related to the compliance and ethics program:

The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to [the Board and others] by conducting effective training programs and otherwise disseminating information appropriate to such individuals' respective roles and responsibilities.4

These provisions (and the amended Guidelines generally) have understandably attracted attention, especially from ethics officers and corporate counsel. There will be considerable discussion about their interpretation. For example, one might be tempted to interpret quite narrowly the phrase "and otherwise disseminating information," to mean that the main purpose of the training is to inform the participants. On the contrary, we believe the provision should be read in a much broader sense to encompass an exploration of ethical issues pertaining to the company, its industry and even ethical issues of the board itself. Merely briefing the board on the ethics and compliance program is unlikely to satisfy the requirement that the directors be trained; and we suspect future best practices will dictate otherwise. This is why, in place of 'training,' we would encourage the use of the term 'education,' the Latin root of which is quite fittingly ducere, meaning "to lead."5 It is understandable if ethics officers are feeling challenged in getting the board to participate in education or training that relates to their company's standards and procedures and its compliance and ethics program; directors are already inundated with additional work created by Sarbanes-Oxley and associated regulations. Here are six suggestions that may help ethics officers to get the directors "on board," as it were.

1. Get an 'angel' on board

One of the ways to meet the challenge is to find and cultivate at least one ally on the board who is prepared to champion ethics-related initiatives among fellow board members. His or her fellow directors will listen to a peer's suggestion that the board should find a way to include ethics and compliance within its continuing education program, especially if there is new legislation that requires it. Having such an advocate on your side will dramatically increase the chances of an education program being allocated the necessary time, priority and resources. You can present the education as an opportunity for the directors to have all the assistance they need in identifying, understanding and discussing the ethical issues that come within their governance purview. Accordingly, you need to have an insight into the board's specific issues and needs. Having a 'guardian angel' on the board can give you this.

2. Plot the course

Once you have established that the board is at least receptive to the idea of ethics education, you need to involve it in the planning. The best way to start engaging the board in the process would be to brainstorm the educational objectives with several directors, an appropriate board committee, or perhaps your director-ally and several company executives. Get the group to think about their conceptions of the board's roles and responsibilities, especially in relation to ethics and compliance, and obtain consensus on particular challenges and routes to overcome them. You might wish to propose as possible objectives the creation of opportunities for raising the board's level of ethical awareness and discovering individual directors' positions on specific ethical issues. Bear in mind that legitimate ethical disagreement is healthy and in its deliberations the board should never sacrifice truth in the interests of unity. The directors should be encouraged to think about the importance of finding ways to show ethical leadership at a time when the ethical credentials of boards are under intense scrutiny. It is possible to present all of these things as opportunities for the board to discharge its functions more effectively.

3. Think curriculum, not session

It is also useful to get the board thinking long-term about ethics and compliance education. It should certainly not be a one-off event. The importance of an ongoing ethical dialogue should be emphasized, as should the ability of the education sessions to help facilitate this. Accordingly, the board should be encouraged to view educational activities as a curriculum, rather than as just one or even a limited number of sessions. Isolated sessions will not be as effective because ethical development is an ongoing process that uses essential building blocks and linkages.

4. Emphasize participation, not presentation

Any ethics education program should aim to be as interactive and as participatory as possible. The board

ethikos
Co-Editor and Publisher: Andrew W. Singer
Co-Editor: Joseph E. Murphy
Co-Publisher/Exec. Editor: Jeffrey M. Kaplan
Book Review Editor: Loren Singer
Business Manager: Victoria Theodore
Contributing Editors: Karl Groskaufmanis, Walter Schanbacher, Jay A. Sigler, Winthrop Swanson, Rebecca S. Walker
Internet: http://www.EthikosJournal.com

ethikos (ISSN 0895-5026) is published bimonthly. Copyright 2005 by Ethics Partners, Inc., 154 East Boston Post Road, Mamaroneck, New York 10543. Editorial comments, questions, article proposals, and reprint requests should be directed to the editors: Andrew W. Singer at (914) 381-7475 or Joseph E. Murphy at (856) 429-5355. Unsolicited manuscripts should be accompanied by a self-addressed stamped envelope. Otherwise they may not be returned. The annual subscription to ethikos is $175; the rate for universities and government agencies is $115. Add $10 for Canada and $20 for Europe and elsewhere. Multiple subscription rates are available; also reprints. To order a subscription fill out the insert order card in this publication or call (914) 381-7475 or fax it to (914) 381-6947. Copies of past issues of ethikos are available for $30 each. A list of back issues can be found on the ethikos Web Site: http://www.EthikosJournal.com. Authorization to photocopy items for personal or internal use, or the internal or personal use of specific clients, must be obtained from Ethikos Inc.

a new product.

thusiastic and supportive . .. . all." His group shepherded it along, but the real drivers were the local operating groups. 0

It was all done in a "collaborative spirit," he adds:

The works councils in places like Germany were "en-

appreciate its vital role in promoting the success of that

Recent scandals suggest ethics prac


titioners have been less successful in moving ethics up tnto the board
rooms

program but it will make the program itself more coherent.

6. Go public
Obviously the directors need to know when ethics education sessions are happening, but it is equally important for the rest of the company to be aware that the board is doing this.It sends a strong positive signal to employees that the board takes its ethical obligations seriously and endorses the idea of ethics education. In fact, we believe that this information should be shared with all of the company's key stakeholders, since it helps to demonstrate the commitment to ethics and compliance throughout the entire organization. It would be a mistake to view the amendments to the federal Sentencing Guidelines for Organizations as merely one more piece of legislation with which orga nizations should comply,as a list of items to be checked off.It would be far more constructive to view them in the non-confining spirit which motivated their review and revision: As an opportunity to improve the ethical health of our organizations to ensure l o n g-term sustainability and success. In order to make the best of this opportunity-as well as mitigating substantial risks-boards and man agement teams need to give the necessary priority to ethics education, especially because of its power to influence culture and to allow us to see the world in more ethically sensitive ways.After all,isn't this the real reason for ethics education generally?

and executive suites.

Educating the Board ...Continued Jrom page 3


may be accustomed to receiving presentations but that approach will not work here. A presentation format would not engage individual directors in a sufficiently probing inquiry of their attitudes, understanding and knowledge where ethics and compliance are concerned. Nor would it create an opportunity to acknowledge the value of legitimate ethical disagreement. Furthermore, as has already been noted, merely briefing the board without getting their active participation may not satisfy the requirement of the Guidelines.

5. Get with the program


Over the past 10 or 15 years, corporations have done a reasonably good job of pushing ethics down through their organizations so that employees become familiar and comfortable with the standards,procedures and systems to ensure ethical business practices. Recent scandals suggest ethics practitioners have been much less successful in moving ethics up into the boardrooms and executive suites. This may have been because certain incorrect assumptions were made about the need for this, or companies simply overestimated the ability of senior executives and directors to be ethically sensitive and effective.There might even have been resistance to educational efforts from senior people who resented the inference, in their minds, that they were unethical. However, the amended Guidelines reinforce the message that education in ethical awareness and deci sion-making must be undertaken effectively at all levels of our organizations. When it comes to the board, it is critical that the education has-and is widely perceived to have-a strong connection to the ethics and compli- ance program.In that way,not only will the board better

This is the first oj a two-part series. The upcoming segment will provide some practical guidance Jor deliv ering ethics training to board members. 0
Footnotes:
I

Breeden, Richard c., Restoring Trust, Report to the Hon. Jed S. Rakoff

of the United States District Court for the Southern District of New York on Corporate Governance for the Future ofMCI, Inc, August Ibid., p. 30.
J 4 5

2003; p. 33.

2004 Federal Sentencing Guidelines for Organizations, 8B2.1 (b Ibid., 8B2.1(b)(4)(A),

)(2)(A) .

Interestingly, when the authors presented at the 2004 Ethics Officer

Association conference, there was an overwhelming endorsement of 'education' rather than 'training,' which many participants said would be off-putting to their boards. 0

16/ ETHIKOS

January/February 2005

When Should a Board Find out About a Compliance Issue?

- Consider having a formal process for notifying the board, or a committee of the Board (e.g., the Audit Committee or the Governance & Nominating Committee). Set out what types of allegations require the Compliance Officer to make a notification. Consider making the fact that such allegations must go to the board public within the company.

- The Board should know what the process is when the compliance function receives a contact (helpline, email, telephone call, or hallway conversation). Take the helpline as an example. When someone does speak up by choosing to call a helpline, does the board know:
  - Who answers the call, who employs that person, and where is he/she sitting when the call is answered?
  - That the helpline uses no caller-ID and no GPS tracking technology?
  - How calls are classified or routed, who gets notified for what types of calls, and then how the investigative process may be divided among various functions (if the case)?
  - Whether or not those with investigative authority also have disciplinary authority?

Confidential 1

Is 2013 the Year of the Whistleblower?

- The SEC can pay financial awards to whistleblowers who provide high-quality, original information about a possible securities law violation that leads to a successful SEC enforcement action with more than $1 million in monetary sanctions.

- The SEC is authorized to pay the whistleblower between 10% and 30% of the sanctions collected.

- 3001 tips came in during the first full year of the program. They came from all 50 states (California had the most) and 49 other countries (the U.K. had the most), resulting in 143 enforcement judgments and orders that potentially qualify as eligible for a whistleblower award. Calls picked up after the first award was made in August 2012, reportedly to a whistleblower who helped the SEC stop a multimillion dollar fraud scheme.

- Don't look now, but there might be another federal whistleblower program born in 2013 related to criminal anti-trust cases. Originally introduced by Senators Leahy and Grassley in July 2012, the Criminal Antitrust Anti-Retaliation Act was reintroduced on January 22, 2013. It creates a process through the Department of Labor for a whistleblower to seek reinstatement, back pay, and damages if he or she was discharged for being a whistleblower with regard to horizontal conspiracy violations (i.e., concerted actions among companies in actual or potential competition with one another).

Dodd-Frank Whistleblower: You Need to Present a Cogent Mitigation Strategy to the Board

- A Helpline helps, but if no one calls, don't think that everything is going along swimmingly.
- For a Helpline (or any other modality of contacting the compliance function) to be successful, the culture needs to embrace speaking up/out.
- Translating "speaking up/out" must be done thoughtfully and carefully. In some languages, the translation is problematic as it's perceived as a pejorative.
- Understanding the history of speaking up, and the perceived degree of fear and of retaliation in each particular culture across a company's footprint, is crucial.
- Focus on middle management, imploring them to find targets of opportunity for learning moments about speaking up, retaliation, and ethics.
- Use all conceivable communication channels to make vivid concrete examples of employees, vendors, visitors, suppliers, and customers who may have spoken up, and the attendant benefits to the business that resulted. Use those same channels to illustrate what has happened to anyone who has been found to have retaliated against someone speaking up in good faith.
- Senior management must explicitly support and communicate strongly about speaking up and speaking out. Speaking openly about how values drove a particular decision would be meaningful.
- Make certain to emphasize that the Helpline is encouraged, but serves as a last resort as (hopefully) the company provides many other means by which speaking up can be accomplished.
- See Slide 1 for tips on making public details of precisely how the Helpline functions. Personification may be helpful.

Using Incentives in Your Compliance and Ethics Program


Joseph E. Murphy, JD, CCEP

6500 Barrie Road, Suite 250, Minneapolis, MN 55435, United States +1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org

Society of Corporate Compliance and Ethics: published November 2011.

Table of Contents

Introduction . . . 1
Scope of this Paper . . . 3
Objections to Using Incentives . . . 4
Reasons for Using Incentives . . . 10
Personnel Evaluations . . . 18
Input on Promotions . . . 23
Compliance and Ethics Input in All Incentive/Reward Systems . . . 25
Rewards and Recognition . . . 27
Rewards and Recognition for Compliance and Ethics Staff . . . 32
What about Whistleblowers? . . . 33
Conclusion . . . 36
Credits and Bibliography . . . 38
Appendix 1: Evaluation Form . . . 46
Appendix 2: Recognition Letter . . . 48
Appendix 3: Ideas for Using Incentives in Compliance and Ethics Programs . . . 49
Endnotes . . . 53

Introduction
Daniel R. Roach, VP Compliance & Internal Audit, Catholic Healthcare West; Co-chair, Society of Corporate Compliance and Ethics

Incentives help drive behavior! While incentives are common in businesses, homes, schools and other contexts, the use of incentives in the context of compliance and ethics programs has been slow to catch on. This has been true because many compliance and ethics officers don't understand that appropriate incentives are a required element of an effective compliance and ethics program as articulated under the Federal Sentencing Guidelines and because too many in management and on boards believe that most employees will naturally do the right thing. Unfortunately, the evidence suggests just the opposite. Without adequate controls and incentives, most of us will (at least occasionally) do the wrong thing. With the growing distrust of business and the increasing levels of misconduct, it will become critically important for businesses and other organizations to do a better job of using incentives as a tool to drive the kind of behavior they expect of employees. By developing appropriate compliance and ethics incentives, management and boards can demonstrate their commitment to compliant and ethical conduct in the organization; they can significantly reduce the risk of illegal or unethical conduct; and they can fulfill their fiduciary obligations to ensure that the organization has an effective compliance and ethics program. Mr. Murphy's paper on aligning incentives provides a road map for organizations which understand the incentive imperative but have been struggling with execution. It is a must read for every compliance and ethics officer, as well as for board members and management who are concerned about the impact of non-compliance. I have heard many board members and managers tell me that they are serious about compliance and ethics. The adoption of some of the incentives described in this paper will give those board members and leaders a chance to prove that commitment!


Scope of this Paper


For those with compliance and ethics program responsibility, or for those called upon to assess these programs, one of the questions to be addressed is the role of incentives in the program. This issue was highlighted by the 2004 revisions to the Federal Sentencing Guidelines standards, which require, in item 6 of the 7 standards: "(6) The organization's compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program."1 What does this mean, and what is the appropriate role of incentives in a program? Item 6 of the Guidelines goes on to address discipline separately, so it is clear that this means something other than negative incentives. In other words, the simple proposition, "you get to keep your job if you don't break the rules," will not be enough. Although incentives are an essential element of compliance and ethics programs, surprisingly little attention has been paid to this topic, as compared to other elements such as codes of conduct, helplines, training, and risk assessment.2 In this SCCE white paper it is our objective to help compliance and ethics professionals address this important topic.

The scope of this paper includes a variety of approaches to the topic. We start with likely objections to using incentives, and then discuss the reasons for including an incentive-based approach. We then analyze the different aspects of using incentives: personnel evaluations; considering compliance and ethics in promotions; compliance and ethics input in developing and assessing all incentive and reward systems; rewards and recognition for those employees and managers who show compliance and ethics leadership; rewards and recognition for the compliance and ethics staff; and the most controversial issue, rewards for whistleblowers (an increasingly sensitive issue, as a result of the whistleblower provisions in Dodd-Frank). In this paper, we may at times use "incentives" to include all of these elements. Throughout, we refer to "compliance and ethics" as a term of art to incorporate the full range of activities in this field, whether they are described as compliance programs, ethics and integrity, business practices, specific risk areas such as privacy, or similar nomenclature. At the end we provide a list of credits for those who have assisted in this project, a bibliography and an appendix of examples and materials for use by the practitioner.

Objections to Using Incentives


Those who do compliance and ethics work can usually expect to encounter objections to their activities, and this is certainly true in dealing with incentives and rewards. Here, you are venturing into an area that draws attention and can actually affect the culture of an organization. You can expect to see serious resistance, including that of those who consider the setting of goals and determination of rewards and promotions to be their own domain. Here are some of the objections most frequently raised in this area.


People Should Not Be Rewarded for Doing Their Jobs


This is a very common objection to the idea of considering compliance and ethics in evaluations and rewards. The view is that people are supposed to do the right thing; if anyone is not ethical, they should just be fired. From this perspective, it is not appropriate to reward people for what they are already supposed to do. There are two good answers to this concern. The first is that, in fact, incentive systems in companies do typically reward people for doing their jobs. For example, sales people are supposed to sell, yet they are frequently given commissions and other rewards for selling. CEOs are supposed to lead, yet have been given rewards and incentive packages that have drawn newspaper headlines. In fact, all employees are compensated for doing their jobs and often given more for doing more; that is how the system works. But the strongest answer is that the incentives we are discussing are not just rewards for avoiding trouble. Rather, the recognition is for outstanding performance and leadership in the area of compliance and ethics. One easy example of when this can work is for subordinates who complete compliance training. While they are all expected to take the training, a company could rationally offer an incentive to the first work group to complete the training. Recognition could also be offered for managers who show leadership in their commitment to the compliance and ethics program and to doing the right thing. We provide more examples in other parts of this discussion.

It is Impossible To Evaluate Employees' Virtue or Ethics

People will often misunderstand the meaning of the Sentencing Guidelines language and what the purpose is. They will object that it is not really possible to evaluate and thus reward employees' virtue. If this were, in fact, the objective of the Sentencing Guidelines, the point would be well taken.3 But the focus is not on testing employees' internal ethics, but on evaluating what they do on the job. For example, in evaluating a supervisor, the process would not attempt to divine what the person's moral beliefs were. Rather, the question would be: what type of leadership did this person demonstrate? Did the supervisor encourage subordinates to raise difficult questions openly, use the code of conduct as a guide, and complete compliance training on time? The recognition is not for what the supervisors thought or believed, but what they said and did as managers to promote the code of conduct and encourage an ethical environment. Finally, to those who say this is impossible, the simple and complete answer is that companies are already doing it, as the examples and references in this paper make clear. It is certainly impossible to argue that something is impossible when others are already doing it.

This Area Is too Subjective, Unlike Sales or Production


Resistance to this effort can also come in the related objection that, unlike sales or production, evaluating compliance and ethics is too subjective. Because the subject matter is not just a matter of counting numbers, evaluating it is not really feasible. This objection has a surface plausibility, but it does not hold up to actual experience. One response is that even measures that appear strictly objective are often influenced by less objective factors requiring judgment. In the words of one expert, "all performance reviews are subjective. Just because it's hard doesn't mean you can't do it."4 Assessments based on sales may be subject to re-evaluation based on factors outside of the sales force's control, such as natural disasters and demographic shifts. Disputes may arise over who really made the sale, how the sale should be measured, whether the real value of the sale was accurately calculated, etc. Production numbers may appear objective, but be subject to closer analysis based on issues of quality and cost. Thus, even superficially objective measures may not be easy to translate when it comes to assessing employees' performance. Moreover, a cursory review of a small sample of employee evaluation forms will reveal more than a few judgmental elements. For example, these management characteristics, which had to be assessed, are from actual company evaluation forms:

- Leadership
- Innovation
- Developing subordinates
- Embracing change
- Encouraging teamwork
- Communicating effectively
- Team commitment
- Treating co-workers with respect and dignity
- Taking accountability for professional growth

These management assessment factors are certainly no more quantifiable than "promotes the code of conduct" or "encourages open communication," which are factors that could be used in assessing a manager's commitment to compliance and ethics. Even if the task may be difficult, merely requiring hard work should not stand in the way of implementing effective approaches. Specific behaviors that promote compliance and ethics can be used as employee performance objectives and form part of the basis for the evaluation;5 supervisors can be trained on what these mean and how to address them in evaluations.


Risk of Use Against Company in Litigation


To a trial lawyer, the question may arise about what might happen if an employee's evaluation shows an ethical weakness, and then that employee later breaks the law. This circumstance could be used as evidence against the company. The argument would be that the company knew this person was a bad actor but continued to retain him or her. This concern does not, however, take away from the value of the process. After all, if an employee is a bad actor, there may already be other evidence of that fact available elsewhere. Moreover, this concern exists regarding any step taken to evaluate a company's compliance and ethics profile. The best way to address this concern is not to abandon the effort to improve conduct, but to ensure that appropriate action is taken any time a deficiency is found. If an employee's assessment shows a weakness in this area, the company should take steps to strengthen that employee's performance. Not only is this the safest legal course, but it is the one most in the company's interest.

OSHA's Concerns

There are concerns about reward systems beyond the ones raised internally by those unfamiliar with the use of incentives in this area. Specifically, the Occupational Safety and Health Administration (OSHA) has questioned the use of rewards tied to a decline in reports of injuries and violations.6 The concern expressed by the agency is that rewarding the absence of reported injuries will lead to pressure not to report actual injuries or violations. This concern is premised on the observation that people tend to look for the shortest route to obtain rewards. While making the workplace safer is the ideal, employees who want to game the system could just refuse to report incidents in order to obtain the reward.

OSHA's concern recognizes a factor that must be considered in all reward and incentive systems: the stronger the incentives are, the stronger the controls and checks need to be. It is likely that every incentive system can be gamed if it is not monitored and controlled. The lesson here is not that incentives are improper, but that they need to be developed, implemented and monitored carefully, with strict accountability. For example, when a work unit claims perfect results, there should be some type of on-site checking. When an instance occurs of someone gaming the system, there should be strong discipline and the example (with identities omitted) publicized to others as a warning.

Compliance and Ethics People Should Stick to Their Own Business


In response to proposals that compliance and ethics staff should have a role in promotions, evaluations and rewards, you may get pushback along the lines that the compliance and ethics people should not try to run the whole business. They should keep to what relates to their subject, such as codes, training, and helplines. Compliance and ethics people may be accused of empire building and of intruding on the domain of the human resources department. There may also be a specific objection to having compliance and ethics included in the personnel evaluation form, in these terms: "If everything someone thought was important was made part of the evaluation form, there would be too many things covered and it would not be practical. We cannot cover everything." From an internal political perspective, it is important for compliance and ethics staff to work cooperatively with their colleagues in HR and elsewhere. Rather than springing a full-blown plan on them by surprise, it may be more effective to work with them from the beginning to gain their support. The compliance and ethics people need to help other managers realize how substantial an undertaking it is to have an effective, best practices program, and that it will affect those things people value in a company, including pay and advancement. In reality, these objections reflect the point that incentives, evaluations and rewards really do drive behavior and are an important element of power. People do not typically voluntarily yield power, and the control of rewards and assessments is a clear element of power. The answer to these objections goes to the core of what compliance and ethics is about. Compliance and ethics is not just a corporate decoration, some frivolous public relations step to make the company look good. As the Sentencing Guidelines make clear, companies must focus on the corporate culture, affecting how employees think and act. If we intend a compliance and ethics program to be successful and actually to change culture and affect employees' behavior, then the process must be genuinely intrusive. As for the objection about the need to avoid overloading the personnel evaluation form, this is a test of the company's actual commitment to compliance and ethics. While it is easy for senior management to talk the talk of ethics, having it affect pay and recognition is a true test of commitment. If it is not important enough to be part of the rewards and evaluations, then the company may lack a real commitment to its professed values.

Reasons for Using Incentives


Now that we have considered the objections to using incentives in the program, we should discuss the reasons for using them. No matter what the objections may be, these reasons are really what will drive companies to incorporate incentives as part of their programs.


U.S. Government's Standards

As noted above, the Federal Sentencing Guidelines 2004 amendments make it clear that incentives must be part of a compliance program if it is to receive credit in sentencing. As the Report of the Ad Hoc Advisory Group on the Organizational Sentencing Guidelines concluded, "a culture of compliance can be promoted where organizational actors are judged by, and rewarded for, their positive compliance performance."7 And, as history has also made clear, other agencies and enforcement personnel tend to follow these same standards in making enforcement decisions. While the Sentencing Guidelines had previously referred only to discipline and not to incentives, an argument could have been made, even under the 1991 version, that incentives needed to be considered in programs.8 First, the Guidelines have always required due diligence, and required companies to be at least as good as industry practice. Given that incentives are key drivers in organizational behavior, they could be read into the diligence standard. Also, because their use was widespread in at least some industries (specifically in the defense industry and in environmental compliance), they might also have been seen as a necessary element, and certainly part of best practices. But in any event, it is clearly required today under the revised Sentencing Guidelines.

Incentives had been a part of governmental standards even before 2004. For example, the Department of Justice's criminal environmental enforcement unit issued a letter in July 1991 stating that it would consider companies' environmental compliance efforts. The government listed the questions it would ask: "Was environmental compliance a standard by which employee and corporate departmental performance was judged?"9 The Environmental Protection Agency, in its definition of environmental management systems entitled to favorable consideration by the government, included the existence of "appropriate incentives to managers and employees to perform in accordance with the compliance policies, standards and procedures."10 The Department of Health and Human Services, Office of Inspector General (OIG) has provided guidance to the health care and pharmaceutical industry on what it expects to see in compliance programs. In 2003, focusing on the pharmaceutical industry, the OIG included elements of incentive systems.11 In describing the minimum expected elements the office referred to: "written policies, procedures and protocols that verbalize the company's commitment to compliance (e.g., by including adherence to the compliance program as an element in evaluating management and employees)." Elsewhere the Guidance explains that "adherence to the training requirements as well as other provisions of the compliance program should be a factor in the annual evaluation of each employee." It even went so far as to suggest that pharmaceutical manufacturers "may also consider rewarding employees for appropriate use of established reporting systems as a way to encourage the use of such systems." The Federal Energy Regulatory Commission, in its Policy Statement on Compliance, listed nine suggested steps for company compliance programs, including action to "Tie regulatory compliance to personnel assessments and compensation, including compensation of management."12

References to incentive systems have also appeared in settlement agreements reached by government with companies.13 For example, in the 2006 deferred prosecution agreement with Mellon Bank, the U.S. Attorney's Office for the Western District of Pennsylvania included this provision: "Performance evaluation criteria and compensation should also be linked to specific steps taken by [substantial authority] personnel to support the compliance and ethics program (e.g., briefing direct reports on the code's application and the importance of raising compliance and ethics issues; ensuring that direct reports have completed required training)."14 One odd exception to this trend occurred in 2008 when the Federal Acquisition Regulation was amended to require certain government contractors to implement compliance and ethics programs.15 Although the FAR Councils ostensibly sought to follow the Sentencing Guidelines model, they substantially diluted the standards by omitting reference to incentives. In an attempt to explain the omission, the Councils first mismatched the concept of "carrot and stick" for programs (as opposed to employee incentives) in referring to the use of "an incentive system in compliance programs that encourages and rewards companies for implementing effective programs" when in fact the issue was incentives for employee performance. Then, with no further explanation, the Councils stated that they did not want to require incentives for employees because this is within companies' discretion.16 Of course, the structured flexibility within the Guidelines standards leaves details of all program elements generally within companies' discretion, so this concern appears not to distinguish incentives from discipline or any other essential element of a compliance and ethics program. This weakening of the program standards is even more inexplicable given that the defense industry, the prototypical government contract community, was one of the originators of the use of incentives in compliance programs.17

Other Standards
In addition to standards established by the U.S. government, others have carried this approach forward. In 2010, the Working Group on Bribery of the Organization for Economic Cooperation and Development, representing 38 nations committed to fighting corruption, issued the first international guidance on compliance programs (specifically anti-corruption programs), the Good Practice Guidance. This standard listed 12 elements, including the following:

9. appropriate measures to encourage and provide positive support for the observance of ethics and compliance programmes or measures against foreign bribery, at all levels of the company;18

While the standard does not literally use the word "incentives," the direction to "encourage and provide positive support" would take programs in a very similar direction to the Sentencing Guidelines language.

The U.K. Office of Fair Trading, which is the principal enforcer of competition law in that country, issued a guidance document on compliance programs indicating that such programs may be taken into account when assessing penalties. In describing the things that could be included in a creditworthy program, the OFT stated: "A business is likely to benefit if it links its scheme of incentives and disincentives to its compliance objectives."19 It also listed as a positive step, "rewarding employees who proactively take appropriate steps to raise competition law compliance concerns." In one of the case study examples in the guidance document, it included as an example of creditworthy conduct the promotion of an employee who reported a concern to the company's hotline, noting that this hypothetical company "effectively linked internal incentives/disincentives to competition law compliance."20

The Competition Bureau Canada, in its Information Bulletin on compliance programs, notes how incentives tie in with corporate culture: "Providing appropriate incentives (for instance, compliance could be considered for the purposes of employee evaluations, promotions and bonuses) for performing in accordance with the compliance program can play an important role in fostering a culture of compliance. Incentives can work as effective tools for a business that wishes to promote compliance by employing concrete actions." For this Canadian competition law enforcement agency, the existence of an effective compliance program, including the use of incentives, is a factor that is taken into account in its determination of how to proceed against companies in enforcement actions.21

In Australia, the national standards organization, Standards Australia, has promulgated standards for compliance programs in AS 3806-2006.22 This detailed standard recognizes the role of incentives in several passages. Section 4.1.4(i) charges managers with responsibility for including compliance performance in evaluations. Section 4.3.2 notes that culture is affected by personnel evaluations that include compliance behavior and meeting compliance obligations; it also calls for rewarding such behavior in a way that is "highly visible." Section 5.2.3(d) specifies that incentives and managing for performance should be tied to compliance. Finally, under 6.1.2(c) companies are called upon to recognize this behavior for teams, work units and individuals.

Reitaku University in Japan, under the guidance of noted Professor Iwao Taka, has issued an Ethics Compliance Management System Standard for use by companies serious about compliance and ethics. In the Guidance Document issued to offer advice on the application of the standards, companies are told to cover the evaluation of departments and individuals who are "actively embracing the purpose and spirit of ethical-legal compliance." The Guidance observes that if this evaluation is integrated with the personnel evaluation and reward system within the organization "it would surely have a strong positive effect." In the sample materials included in the Guidance, there is reference to HR as responsible for the "System of awards for achievement & contribution in ethical legal compliance."23

In the U.S. defense industry, the major companies have joined and subscribed to the standards of the Defense Industry Initiative on Business Ethics and Conduct (DII). The DII was the forerunner of industry compliance practices groups, and one of the initial sources for the Sentencing Guidelines standards. Members must agree to six broad principles, and then respond to a questionnaire enumerating specific points expected to be in a program.24 Question 14 asks: "Is implementation of the code's provisions one of the standards by which all levels of supervision are expected to be measured in their performance?" As a result, the DII members routinely include code performance in their management assessment systems, a commitment that dates back to the formation of DII in the late 1980s.

Practical Reasons
Whatever the government or other bodies may advise, however, the ultimate question for any compliance and ethics initiative is whether it actually works. Does it help in preventing misconduct and leading employees to act ethically and legally? To this point the late management expert, Peter Drucker, offers a succinct answer:

"[C]hanging habits and behavior requires changing recognitions and rewards. People in organizations, we have known for a century, tend to act in response to being recognized and rewarded; everything else is preaching. . . . The moment they realize that the organization rewards for the right behavior they will accept it."25

This conclusion was also well expressed by Stephen Cutler, Director, Division of Enforcement of the SEC, in advising companies on how to set the right "tone at the top":

"[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that doing the right thing is a priority, is to reward it. Conversely, if employees are led to believe that, when it comes to compensation and career advancement, all that counts is short-term profitability, and that cutting ethical corners is an acceptable way of getting there, they'll perform to that measure. To cite an example from a different walk of life: a college football coach can be told that the graduation rates of his players are what matters, but he'll know differently if the sole focus of his contract extension talks or the decision to fire him is his win-loss record."26

The point is a simple one that is intuitive. People tend to do what gets rewarded. This is how organizations communicate what management values most highly. Employees look to see who gets promoted and who gets passed over, who gets the bonus and who is ignored. The use of rewards is one of an organization's most effective communications tools. The stories of who are the heroes and what conduct leads to advancement become part of the culture of an organization. Indeed, given the prevalence of reward, evaluation and incentive systems in organizations, it would be difficult to conclude that this was anything other than an essential tool. If bad actors or those with questionable ethics are rewarded and promoted, the tone at the top of the organization and the culture throughout the organization will likely lead to similar behavior at all levels of the organization. By contrast, if those who champion compliance and ethics are selected as leaders and are seen by other employees as being rewarded and recognized, that then becomes the model for success in that organization.

Personnel Evaluations
Thus far we have addressed the reasons for using incentives in programs. Next we consider the ways in which incentives become part of the compliance and ethics program. The first one we examine here is the inclusion of compliance and ethics performance in employees' assessments and evaluations. In this process the employee's performance evaluation includes elements related to compliance and ethics. Because most major companies use written evaluation forms, this would mean inclusion of this point in these forms. For those companies that use other forms of assessment and feedback to employees throughout the year, this same analysis would apply.

What is it that would be assessed? As noted above in addressing objections to the use of incentives, this assessment does not usually attempt to measure one's intrinsic virtue or personal sense of values. Instead it measures the employee's leadership actions in promoting the company code of conduct and ethical business practices. The process involves measuring the application of management skills to achieve an objective, i.e., promoting the code and the compliance and ethics program. In Appendix 1, we include a list of these factors. Examples include:

___ Uses the code of conduct and encourages subordinates to do the same
___ Actively takes steps to implement the compliance program and the code of conduct
___ Attends appropriate compliance training, and makes sure subordinates get appropriate training and know the rules that apply for their jobs
___ Is willing to challenge questionable conduct or proposals

Note that this evaluation can address performance related to the compliance and ethics program in general, and/or the program as it deals with specific risk areas, such as FCPA, environmental compliance or safety.27

Once a company has decided to include this point in assessments, there are a variety of ways to proceed.28 The simplest is a check-off item on the form. An example would be:

Has this employee supported the code of conduct and acted ethically in business decisions? ___ Yes ___ No

This has the advantage of covering the point and making the process fairly easy for the supervisor. It may serve to remind employees that compliance and ethics is an important point in the company. But this simplicity may also tend to make the process rather perfunctory, a "tick and flick" exercise in which the supervisor ticks the yes answer and quickly flicks the page to the next item. If this occurs, it may breed skepticism among employees. One way to limit this risk is to require that the evaluator identify something specific that is the basis for the score. This helps ensure that the evaluator is more engaged, and makes the assessment more reviewable.29

A more nuanced approach would include specific factors and require a rating drawn from a range of scores, perhaps 1-5, with 1 being poor and 5 outstanding. Taking this a considerable step further, the form could include specific management objectives as part of the rating. For example, a manager might have goals that include having all subordinates complete the compliance training, and achieving a high score regarding ethics and compliance in 360 reviews. The use of 360 reviews, in which an employee's colleagues above, below and at peer level are surveyed about that employee, is one way to cover the less quantifiable aspects of these evaluations.

Setting specific compliance and ethics goals for business managers has substantial advantages. It can lead managers to think more realistically about the importance of management leadership in promoting the code of conduct and the compliance and ethics program. It can provide specific objectives for management to focus on, rather than using just vague or undefined terms. It also acknowledges the direction of the Sentencing Guidelines that "high-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program . . ."30 Promotion of the program is not a function that can simply be delegated to one compliance and ethics officer. Of course, even with such specific goals the managers should still also be evaluated on how they achieve their other goals, i.e., ethically or by improperly cutting corners.

Once the detail on this step is set, the next question is the rating or value to be assigned; how important is this element in the employee's overall evaluation? The simplest is the "check the box" approach, with no special value assigned. It is on the form but left up to the supervisor's discretion how to count it. In companies that want to emphasize the priority of this area, however, they may set the compliance and ethics rating as a threshold for achieving one's bonus, or as a percentage gateway. For example, the employees who receive 5 get 120% of bonus, those with 4 get 100%, and so on. It could also be assigned a percentage value, perhaps representing 20% of the employee's total evaluation.31

At Catholic Healthcare West, business unit leaders are rated on 25-30 elements tied to the Sentencing Guidelines standards for effective compliance and ethics programs. Their rating in these categories acts as a threshold for determining eligibility to participate in the incentive program each year. However, rather than setting a minimum, it has evolved into a competitive element, with those who are subject to the rating trying to surpass one another.32

Whatever approach is adopted, there are some important cautions to consider in this effort. One should never assume that attempts to alter the evaluation process will go smoothly or that supervisors will approach this evaluation the way intended. For many supervisors, assessment of subordinates is considered one of the more difficult parts of their jobs. If there is a way to ease the process and get it done more quickly, there will be a strong temptation to find a shortcut. It is necessary, therefore, to check how these assessments are being done, including auditing, testing and monitoring the process. Part of executives' and managers' responsibilities should include monitoring how well subordinate supervisors are doing such assessments.

For example, if the CEO wants to take an active role in the compliance and ethics program, he or she could start this process at the executive level, and then discuss with the other officers how they will rate their direct subordinates. Each supervisor down the ladder could then be charged with the same monitoring responsibility. In fact, the evaluation of any supervisor should take into account how well that supervisor, in turn, used the evaluation of subordinates to promote the compliance and ethics program.

As part of the monitoring process, it should be made clear to all supervisors that it is unacceptable to simply give every subordinate the same perfect rating. Since all employees typically do not perform all tasks at the same level, it is highly unlikely that all would show the same level of commitment and leadership in the compliance and ethics program (i.e., everybody cannot be above average). But expect resistance on this matter; there will be some supervisors who insist all their subordinates are ethical and therefore deserve perfect ratings. This misses the point. The employees are not measured on their personal values, but on how they exercise leadership in creating an ethical work environment. To facilitate this evaluation process, there should be training and reminders for supervisors, and modeling of the proper way to conduct these assessments by senior managers.

Once supervisors have been won over, there should then be occasions where employees' ratings reflect weakness in compliance and ethics leadership. At this point we should recall the lawyers' objections raised above; there needs to be follow-up on all negative compliance assessments. The assessment system should require remediation plans for those with weaknesses in this area. For example, such plans would be mandatory for those with ratings below a certain level. Of course, the fact that such plans are required and will thus require more work by the supervisor will create a perverse incentive never to give a poor rating; management will have to take a strong position and supervise the process in detail to prevent this outcome.

Input on Promotions
One of the purposes of employee evaluation systems is to identify candidates for promotion to positions of increasing authority. This touches on another aspect of the Sentencing Guidelines 2004 revisions that may prove difficult for companies to apply. Item 3 of the 7 standards states:

"(3) The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program."33

The Sentencing Guidelines commentary for item 3 goes on to state that companies need to avoid promoting people who have "engaged . . . in conduct inconsistent with an effective compliance and ethics program."34 Combining this with the Sentencing Guidelines item 6 focus on incentives sends the message that companies need to consider employees' compliance and ethics performance in determining their eligibility for promotion. This step not only helps to meet the legal standards and convince government skeptics that a company is committed to ethics and compliance, but it also sends a strong message to employees at all levels that advancement in the company requires serious attention to doing the right thing and setting a positive example.

One way for companies to follow this path is to set a minimum standard for the compliance and ethics part of an employee's assessment in order to be considered for promotion. For example, if compliance and ethics has a 1 to 5 scale on employees' evaluation forms, perhaps only those scoring a 3 or above would be eligible for any promotion. Companies can also go the next step beyond this and make compliance and ethics an explicit factor in determining promotions. While satisfactory ratings could still be a threshold, the overall evaluation of those eligible for advancement would include a thoroughgoing review of the candidate's record as a leader in compliance and ethics.

Companies wanting to ensure that this approach moves beyond form into substance, and also seeking to fully empower the compliance and ethics function, can set a requirement that the compliance and ethics office have input into the company's promotions. This would certainly be an indication of due diligence in determining promotions. In one company's case, this requirement came about as a result of an unfortunate incident involving a promotion. A relatively senior manager was promoted in the company, but shortly thereafter was terminated for violations of the code of conduct. It turned out that at the time of the promotion the manager had been under investigation by the compliance and ethics office, but no one had consulted them regarding the promotion. The company's board of directors made it clear that this was not to happen again, and that the compliance and ethics office was to be consulted. While this consultation could be just a simple check for investigation and disciplinary matters, the review could be much broader, seeking input on whether a manager was fully committed to the company's code of conduct and its compliance and ethics program.

Requiring that the compliance and ethics office have a say in promotions ties in with the general advice that compliance and ethics needs a "seat at the table" for major decisions. It would clearly be a sign of empowerment, and send a strong signal to the government and to the employees. This is another area to anticipate strong resistance, especially if the compliance officer is really a junior level person, and officers are not comfortable with this person being involved in or having advance knowledge of promotions. Any objections along these lines are a red flag that compliance and ethics people are positioned too low in the organization.

While preventing the promotion of bad actors is an important objective, there is an additional step a company can take to promote ethics and compliance as part of its culture. Some companies engage in succession planning or the identification of "high potential" employees. They use various processes to identify and encourage employees considered to be likely candidates for future leadership positions. If in fact compliance and ethics is an important value to the company, then that element should be included in this process. Those interested in being selected for this special treatment should know that a strong compliance and ethics record and commitment are positive factors that will be considered.35

Compliance and Ethics Input in All Incentive/Reward Systems


In considering compliance and ethics programs, it can sometimes be easy to get caught up in the details and the exact language of the Sentencing Guidelines and to lose sight of the ultimate purpose. These programs exist to prevent and detect violations. To prevent misconduct it is essential to understand the power of reward and incentive systems. People do what gets rewarded, and tend to take the most direct path to the reward. It is also fair to assume that the stronger the incentive, the more likely it is to affect behavior. If enormous rewards and recognition are offered to those who achieve X, it is highly likely that many will try to reach this goal. And experience also teaches that they will look for the fastest, most direct route to the goal.

This understanding leads to the recognition that misaligned incentive systems can encourage unethical or illegal conduct. For example, it is rational for a company to reward sales; sales are essential to a company's success. But if the goals are too high, the rewards enormously rich, and meeting the goals becomes the singular focus of the organization to the exclusion of other considerations, will this not lure employees in a potentially dangerous direction?

The Sears brake repair story illustrates this phenomenon.36 Sears had reportedly decided to increase revenue in its auto service centers by providing incentives to its service employees. A significant portion of the employees' pay was tied to the ability to achieve results such as the sales of new brake systems. Apparently those designing this system did not think about how this would work in practice in an environment where the store employee has all the knowledge and the customer must rely on that employee's honesty. As alleged by enforcement officials, this incentive system resulted in what appeared to be a pattern of fraud by Sears auto repair operations, and a serious detriment to the company's reputation.

Consider also the impact of the shift of senior executive compensation to stock options. Senior executives whose options were "in the money" stood to reap millions in personal gains. Yet these same executives were often in control of the pricing mechanisms for these options. The result was a plethora of allegations involving the top management of major companies and the improper pricing and reporting of options for these executives.37

One lesson from these cases is the importance of setting realistic goals and reasonable rewards. If there is too much at stake, this in itself can drive employees in questionable directions. On the other hand, it is not necessary to conclude that strong incentives are corrupt or even undesirable. The key is that companies need to exercise care in setting these incentives. This leads to a basic proposition: the stronger the incentives, the stronger the checks and controls need to be. There is nothing wrong with offering handsome rewards for results, but there also need to be appropriate controls.

How can this balance be achieved? How can controls be imposed when the very people setting the rewards may stand to benefit from them? One step to help add a control perspective is to ensure that the compliance and ethics officer is there when the incentive plans are considered. Compliance and ethics would be there to act as the devil's advocate, and to ask the questions "what could go wrong" and "how would this look in the newspapers?"38 The compliance and ethics person can make other managers step back and examine their proposals from a more realistic perspective, and can escalate to the board any plan that is likely to drive employees to unethical conduct. This step is very similar to the idea of requiring compliance and ethics review for promotions, and ties in with the need for a compliance and ethics person to be involved in major decisions. It is also clearly a sign of compliance and ethics empowerment that sends a strong signal to the government and to the employees. As was true for review of promotions, winning support from human resources may be a challenge, since this is terrain that has traditionally belonged to that department.

Rewards and Recognition


In addition to paying employees for doing their assigned tasks and providing the usual annual reviews and bonuses, companies frequently offer employees special types of rewards and recognition. These may include rewards such as travel, cash prizes, small tokens or letters of appreciation. These rewards and recognition help make up the culture of a company; employees frequently mold their behavior based on who gets rewarded and who does not. As Deal and Kennedy observed in their groundbreaking work on corporate cultures, "Culture-shaping managers . . . seek ways to provide frequent and visible praise or other recognition for even modest contributions to the service of important values."39 Those who are recognized can become the heroes and part of the stories of the company's history.

How should rewards be integrated into the compliance and ethics program? In many companies there is an existing system of rewards. A company may have a high-profile chairman's award for special contributions to the company. The sales organization may fly the top performers to Hawaii for the annual sales conference. Compliance and ethics can be integrated into existing rewards by adding compliance-related factors into the criteria for these rewards. This helps remind employees that compliance and ethics is valued, and that it is a part of everything that matters in the company.

Rewards may also be provided specifically for contributions to the compliance program, and for those who show leadership in promoting the code of conduct. It is best if these rewards are at least on a par with other rewards. Thus, if the top sales people go to Hawaii and the top production person gets a thousand dollar check, the top compliance and ethics performer should get something more than a solo lunch at the local bistro. In the corporate world appearances always matter.

Rewards and recognition are powerful tools. Even in companies that have not otherwise offered these, it is worth considering them to promote the compliance and ethics program. Employees are likely to remember the fact that meaningful recognition was given for leadership in this area. If an employee is ever asked by the government about the company's compliance and ethics program and its code, the person is very likely to respond with the story about the awards dinner. Such outstanding recognition will be part of the stories employees recount to new employees at the company. When done right, it can be one of the surest ways to affect the culture in an organization.

Often the field of compliance and ethics involves activities like investigations, audits and discipline that are not always well received. Even requiring employees to attend training may not be a happy experience. But the area of rewards and recognition is one that can be positive and benefit from imaginative approaches.

There are numerous ways to provide recognition in this field. Perhaps the easiest and least expensive is the recognition letter from a senior executive, such as the CEO or the compliance officer. In one company, for example, a marketing manager received in the mail an unmarked envelope with her name on it. When she opened the envelope she realized it contained a competitor's proprietary planning information. She quickly closed the envelope and contacted the legal department. For this ethical act the manager received a glowing letter from the chief compliance officer, with a copy to her supervisor. A speaker from Boeing has recounted a similar story, with the hero also being written up in a company newsletter. In yet another example, a company CEO is reported to have charged his officers to bring him specific examples of employees who demonstrated model behavior; he, in turn, sent these employees personal commendation notes.40 We have attached in Appendix 2 an example of a recognition letter.

Perhaps an even more powerful variant on this method is to personally deliver the letter and read it to the employee. This approach, which has been described as a "gratitude visit," can have an impact on both the recipient and the person delivering the message.41

Lockheed-Martin provides two excellent examples that were reported in ethikos.42 The company staged a contest inviting employees to develop their own videos to promote ethics in the workplace. Employees submitted two-minute videos produced on their own time and using their own resources. There were twenty videos submitted from all areas of the business, with three finalists selected and invited to the annual meeting for the company's ethics officers, in Orlando. This event, called the Ethics Film Festival, celebrated all those who participated, and awarded statuettes to the top three. Portions of the top three videos were included in the company's ethics training video.

Lockheed Martin also instituted an annual Chairman's Award for actions or behavior that exemplifies the company's ethics commitment. Any employee can submit nominations; each business unit can submit one finalist. The winner is selected by the CEO and the president and presented with a crystal bowl at the company's annual senior management meeting. Award recipients are written up in the company's newspaper.

What other awards and recognition can be given? One starting point is to consider anything that is used in the company for recognition for any purpose: cash, certificates, time off, lunches, etc. But beyond this, the possibilities are endless. For example, Appendix 3 includes a list of ideas taken from training sessions for compliance professionals; within 15 minutes, working in teams, they were able to come up with numerous clever ideas. For those who would like a source of ideas to get the thinking process started, there is an entire book, 1001 Ways to Reward Employees, which can help with this process.43 It is important to remember, too, that when it comes to recognition, even very small rewards can have a big impact. For example, immediate recognition, or "spot rewards" even involving small amounts, given on the spot for positive compliance performance, can be a useful addition to the methods used to promote the program.44

One other variant to consider for giving rewards is the recognition of entire work groups. This has the benefit of demonstrating that the company values compliance and ethics, but with an added kick: it can harness the enormous power of peer pressure. For example, if the company offers a free lunch to the work group that completes the code training first, this can make it almost impossible for one employee to hold out, lest he or she cause the entire group to miss out. This result can be achieved with even very small rewards for the group's members. In one business that used this approach, small rewards for entire work groups caused a dramatic decline in injuries in the workplace.45 The value of rewarding groups was recognized, for example, in the Australian Standards for compliance programs, section 6.1.2(c), which calls for recognizing compliance performance by teams, work units and individuals.46

On this point, though, it is worth reiterating the concern expressed by OSHA; because of the power of peer pressure the company needs to be very sensitive to the risk of groups taking short cuts to achieve the reward. The same group that pressures colleagues to work safely could also pressure a co-worker not to report an injury, lest the entire group lose out on a reward. As is true with other elements of incentive systems, strong forces need comparably strong controls.

In designing these reward programs, it is also wise to remember the words of the Australian Standards, which refer to "Highly visible rewarding of the behavior being encouraged." Except in special cases such as recognition of a whistleblower who wishes to remain confidential, there is great value in praising outstanding compliance and ethics behavior in front of the entire company. This is part of the process of molding the company's culture.

Rewards and Recognition for Compliance and Ethics Staff


As noted above, employees trying to determine what a company's priorities and values really are will look to see who gets rewarded and who gets passed by. Who are the heroes and who are the goats? In this landscape they will observe what happens to those who are part of the company's compliance and ethics program. How are the champions of compliance and ethics treated? What is their record when it comes to salary, bonus treatment, promotion and other recognition? Is the compliance and ethics office where almost-retired loyal workers are put quietly out to pasture, or is this a function that really matters? How the compliance and ethics staff members are treated will be read by employees as an essential sign of their importance.47

The message here is that the company should treat its compliance and ethics staff well. If the company is serious when it talks about integrity being its first value, if it intends to follow the gold standard for its program, if all of this is more than mere lip service, then its money should be behind its words. The financial treatment of the compliance and ethics officer and staff should communicate clearly that this is an important function that the company values highly. Words alone will not do this; actions will.

On the other hand, there should be some caution exercised in determining how to reward the compliance and ethics staff; it is best if incentives are de-coupled from objectives and benchmarks that would call into question the compliance and ethics staff's objectivity.48


Companies should also consider whether compliance and ethics is a path for promotion in the company. If compliance and ethics really does matter, then service in that area should be considered a positive factor in selecting people for promotion. A stint in the compliance and ethics program would become a ticket that needs to be punched for those who want to get ahead in the company. Companies may also consider establishing a career path for those who do compliance and control-related work. A route for advancement, combining paths in HR, internal audit, environment, health and safety, legal, compliance headquarters, compliance field work and related functions, could be mapped out for those who are interested.49 Boeing Corp. has reportedly started this process for its compliance and ethics staff.

Companies can also focus on the achievements of the compliance and ethics staff, singling out the top performers for special recognition. For example, in one major financial services company, the person who developed their privacy program was recognized throughout the company, including mention in the company's annual report. In another company, the compliance and ethics unit received the highest rating of any unit in the entire company.

What about Whistleblowers?


The last question we consider in this paper is whether companies should provide rewards for whistleblowers. We are treating this separately from all the other aspects of this field because the topic is highly controversial. While the ideas covered above are all things that can add to the effectiveness of a compliance and ethics program, there is a concern that rewarding whistleblowers may not necessarily have a positive effect.


The idea behind rewarding whistleblowers is that companies need to have employees be alert to compliance and ethics issues and to raise questions and concerns when they see something that is not right. Employees who witness harassment or consumer fraud or price fixing activity should report this to management or the company's helpline. However, it is well known that many people witness misconduct but do not report it, whether from fear of retaliation, indifference, or the belief that nothing will be done. Yet those who do raise issues may benefit their employers enormously by interdicting potentially disastrous misconduct. Therefore, in order to reach employees and incent them to report issues, why not offer them a reward?

A reward system would follow the model of the highly successful (for the government) U.S. False Claims Act, which offers whistleblowers a large percentage of any damages the government recovers as a result of a whistleblower's reporting fraud in government contracting. It might also be considered as a way of avoiding having employees call the SEC under the whistleblower provisions of the Dodd-Frank Act,50 which follows the False Claims Act model in offering enormous rewards for whistleblowers.

One example of this type of approach came from Bear Stearns, which pursued such a policy, going so far as to inform employees: "We want people at Bear Stearns to cry wolf. If the doubt is justified, the reporter will be handsomely rewarded."51 The company went on to inform employees how two administrative assistants reported another employee's submission of false taxi vouchers and as a result received an immediate cash award. Cash was the incentive for people to report violations by their colleagues. In another company that reported success with this reward system, rewards were only given on condition that reporting employees provide their identities, to reduce the risk of false allegations.52


Perhaps not quite so direct is the language from the Office of Inspector General of HHS in its guidance on pharmaceutical compliance programs. OIG suggested: "Pharmaceutical manufacturers may also consider rewarding employees for appropriate use of established reporting systems as a way to encourage the use of such systems."53

What is the concern about such systems? Note first that we are not talking about rewarding people for good ideas, or for suggesting improvements in the compliance program, or positively considering in an employee's annual evaluation the fact that the employee raised a compliance issue; rather, the concern is about rewards for turning in fellow workers for money. The fear is that this will have a distinctly negative impact on employee morale, conjuring up the image of bounty-hunters. Will employees be looking over their shoulders to see who is watching them? Will they work secretively and avoid sharing anything with others who may be waiting to pounce at the first opportunity? If the rewards are high enough, will employees even be driven to frame fellow employees or unpopular supervisors to earn the cash?54 Is there also the risk that converting what most employees see as a matter of right and wrong into merely a financial proposition might actually cause employees to be less inclined to report issues internally?55

Of the issues involved in incentive programs, this is certainly one that has the potential for triggering strong negative reactions. Unionized work groups may be outspoken in their resistance, possibly tainting their approach to the entire program. For multinational companies, there may be an even greater obstacle in places that have shown resistance to any type of hotline operation, such as France.

This is not to say that the desire to have employees raise issues is wrong. Companies should certainly be active in their steps to prevent retaliation. When employees call to report concerns, the company should make it very clear that it appreciates the employees' courage in raising the issues. Those who try to do the right thing should be supported, and celebrated.56 These steps need to be part of a company's approach to whistleblowing. But when it comes to handing out cash rewards or other rewards of value, there appears to be a significant difference. On this point I would at minimum caution any company considering such rewards to take steps to learn employees' reactions in advance. Know whether your company's culture will support such steps, or whether there is a serious risk that this will be viewed as bounty hunting and possibly undermine the program.

Perhaps one way to employ rewards and incentives that promote use of the reporting system is to reward those who report issues that relate to systems and processes, rather than reporting violations by individual co-workers. For example, an employee who uses the reporting system to ask for advice on a difficult compliance question, identify a vulnerability in a compliance control system, or suggest a way to improve compliance training, could receive significant and highly visible rewards. This could send the message that the company favors those who utilize the reporting system, but without the possible negative aspect of paying those who report on colleagues.

Conclusion
For a compliance and ethics program to be effective, it needs to affect the behavior of those acting for the company. Rewards and incentives clearly do this, and need to be included in any program. This paper has outlined ways to take this step.

In a practical world, compliance and ethics programs also must exist to help the company in times of crises, when outside skeptics believe the company has done something wrong. A strong compliance and ethics program should demonstrate the company's good faith. But to do this, it must meet the legal standards that would apply; these also require the use of incentives. Again, looking at things in a practical sense, this also means that the company should be careful to document all aspects of its program, including the use of incentives. The simple recognition letters and the forms used for employee evaluations, the fact that the compliance officer attends the management sessions where incentive programs are developed, the recognition dinner for the field compliance staff: all of this needs to be documented as part of the compliance program's files.

Not only are incentives necessary in a program, but they also help put a more positive face on the program. Compliance and ethics should not only be about enforcing laws and rules. It should also include positive appeals to the best in human nature, and recognition that people in companies do good and even heroic things, and that they should be recognized for showing ethical leadership.

Joseph E. Murphy, JD, CCEP is Director of Public Policy for SCCE, Editor-in-Chief for the Compliance and Ethics Professional, and a member of the SCCE Advisory Board. In addition, he is of counsel to the law firm Compliance Systems Legal Group, and co-founder of Integrity Interactive Corp. He can be reached at Jemurphy@voicenet.com.


Credits and Bibliography


Credits
Sincere thanks to the following people and organizations who contributed to this paper:
1. The class of the Health Care Compliance Association Advanced Academy, in Las Vegas October 23, 2006, and subsequent HCCA and SCCE Academy classes, for Appendix 3.
2. Compliance Systems Legal Group, for the Evaluation form, Appendix 1.
3. Dan Roach, Compliance Officer for Catholic Healthcare West, for the example of rating officers' compliance performance.
4. Martha Ries, VP, Ethics and Business Conduct, The Boeing Company, for the examples of a positive compliance performance being written up in a company newsletter and the establishment of a career path system for compliance professionals.
5. Joan Dubinsky, Ethics Officer, International Monetary Fund, for suggestions on employee assessments and succession planning.
6. Paul McGreal, Professor of Law, Southern Illinois University School of Law, for the suggestion for providing specific bases for employee evaluations, and recommending the New York Times article on gratitude visits.
7. Donna Boehme, Principal, Compliance Strategists, for several suggestions, including pointing out the risk that offering cash for employees turning in fellow workers might convert what should be a moral imperative into a mere financial decision, thus undercutting reporting.
8. Adam Turteltaub, for the Pret a Manger group incentives story.
9. Jeremy West, who caught several points that needed to be fixed.
10. Matt Kelly, for a sharp editor's eye for the logic of the arguments and how best to present them.
11. Jeff Kaplan, for the incentives lesson from the 2008 financial meltdown.

U.S. Government Sources


1. Ad Hoc Advisory Group on the Organizational Sentencing Guidelines, Report 91 (Oct. 10, 2003), http://www.corporatecompliance.org/StaticContent/AdHocAdvisory.pdf.
2. Cutler, Director, Division of Enforcement, SEC, Tone at the Top: Getting It Right, Second Annual General Counsel Roundtable (Dec. 3, 2004), http://www.sec.gov/news/speech/spch120304smc.htm.
3. Department of Health and Human Services, Office of Inspector General, Compliance Program Guidance for Pharmaceutical Manufacturers, 68 Fed. Reg. 23731 (May 5, 2003), http://www.corporatecompliance.org/Content/NavigationMenu/Resources/IssuesAnswers/050503FRCPGPharmac.pdf.
4. Environmental Protection Agency, Incentives for Self-Policing: Discovery, Disclosure, Correction and Prevention of Violations; Notice, 60 Fed. Reg. 66711 (Dec. 22, 1995).
5. Environmental Protection Agency, Incentives for Self-policing: Discovery, Disclosure, Correction and Prevention of Violations, 65 Fed. Reg. 19,618, section IIB, definition of Compliance Management System (Apr. 11, 2000).
6. Federal Energy Regulatory Commission, Policy Statement on Compliance, 125 FERC para. 61,058, fns. 9 & 26 (Oct. 16, 2008), http://www.balch.com/files/upload/FERC_Policy_Stmt_on_Comp_Oct_16_08.pdf.
7. Richards, Director, Office of Compliance Inspections and Examinations, SEC, Incentivizing Good Compliance, 2008 Willamette Securities Regulation Conference, Willamette University College of Law (Oct. 30, 2008), http://ftp.sec.gov/news/speech/2008/spch103008lar.htm.
8. Settlement Agreement with Mellon Bank, N.A., Appendix A, Para 6.c) (Aug. 14, 2006), http://www.corporatecompliance.org/Content/NavigationMenu/Resources/IssuesAnswers/LetterUSAttorney_MellonBank.pdf.
9. United States v. C.R. Bard Inc., CV93-10276-T, plea agreement (D. Mass; Oct. 14, 1993).
10. U.S. Department of Justice, Factors in Decisions on Criminal Prosecutions for Environmental Violations in the Context of Significant Voluntary Compliance or Disclosure Efforts by the Violator (July 1, 1991), http://www.justice.gov/enrd/3058.htm.
11. USSG sections 8B1.2(b)(2), (3) & (6), and Commentary note 4(B).

Other Standards
1. Australian Standards 3806-2006.
2. Competition Bureau Canada, Information Bulletin: Corporate Compliance Programs 12-13 (2010), http://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/vwapj/CorporateCompliancePrograms-sept-2010-e.pdf/$FILE/CorporateCompliancePrograms-sept-2010-e.pdf.
3. Defense Industry Initiative Questionnaire, in Kaplan & Murphy, Compliance Programs and the Corporate Sentencing Guidelines: Preventing Criminal and Civil Liability, Appendix 19A (Thomson/West; 1993 & Ann. Supp).
4. Office of Fair Trading (UK), How Your Business Can Achieve Compliance with Competition Law (June 2011), http://www.oft.gov.uk/shared_oft/ca-and-cartels/competition-awareness-compliance/oft1341.pdf.
5. Organization for Economic Cooperation and Development, Recommendation of the Council for Further Combating Bribery of Foreign Public Officials in International Business Transactions, Appendix II, item 9, http://www.oecd.org/dataoecd/11/40/44176910.pdf.
6. Reitaku University, Business Ethics & Compliance Research Center, Guidance Document for the Implementation of the Ethics Compliance Standard 2000, 42, 93, 94 (2001), at http://www.consumer.go.jp/seisaku/shingikai/iinkai2/ecsguide(i).pdf.

Books, Articles and Blogs


1. Banks & Banks, Corporate Legal Compliance Handbook, section 16:03, The Carrot and the Stick (Incentives and Discipline) (Aspen, 2d ed., 2010).
2. Beil, How Memorial Health Measures the Ethics Performance of its Senior Managers, 18 ethikos 8 (Jan./Feb. 2005).
3. Bennett, Are Ethics Awards the Best Form of Incentives? Global Compliance Blog (Apr. 19, 2100), http://www.globalcompliance.com/Resources/Blog/Global-Compliance-Blog/Are-Ethics-Awards-the-Best-Form-of-Incentives.aspx.
4. Biegelman & Biegelman, Building a World-Class Compliance Program 100, 207-08, 229, 275 (John Wiley & Sons, Inc.; 2008).
5. BNA/ACCA, Compliance Manual Ch. 4, section C-3; Ch. 10, section C-2; Ch. 12, Doc. 12 [XIV] (BNA; updated periodically).
6. Braithwaite & Murphy, Clout and Internal Compliance Systems, 2 Corporate Conduct Quarterly (now ethikos) 52, 62 (Spring 1993).
7. Clifford, Would You Like a Smile With That? New York Times (Aug. 6, 2011), http://www.nytimes.com/2011/08/07/business/pret-a-manger-with-new-fast-food-ideas-gains-a-foothold-in-united-states.html?_r=2&pagewanted=all.
8. Compensation, Performance, Compliance and Ethics, A survey by the Health Care Compliance Association and the Society of Corporate Compliance and Ethics (May 2009), http://www.corporatecompliance.org/staticcontent/09IncentivesSurvey_report.pdf.
9. Conference Report: Business Ethics 2000, Prevention of Corporate Liability (BNA) Current Report 55 (June 19, 2000).
10. Dalton, Meaningful Compliance and Ethics Incentives, SAI Global Compliance, Our Viewpoint blog (June 30, 2011), http://compliance.saiglobal.com/viewpoint/2011/06/meaningful-compliance-and-ethics-incentives.
11. Deal & Kennedy, Corporate Cultures 169 (Addison-Wesley Pub; 1982).
12. Drucker, Don't Change Corporate Culture - Use It!, Wall Street Journal A14 (Mar. 28, 1991).
13. Falcione, Fostering an Ethical Culture Through Performance Reviews and KPIs, SAI Global Compliance, Our Viewpoint Blog (Dec. 15, 2010), http://compliance.saiglobal.com/viewpoint/2010/12/fostering-an-ethical-culture-through-performance-reviews-and-kpis.
14. Forelle & Bandler, As Companies Probe Backdating, More Top Officials Take a Fall, Wall Street Journal A1, Col. 5 (Oct. 12, 2006).
15. Fox, The Role of Human Resources in FCPA Compliance Part 1, Corporate Compliance Insights blog (May 11, 2010), http://tfoxlaw.wordpress.com/2010/05/11/the-role-of-human-resources-in-fcpa-compliance.
16. Jideani, Anti-corruption compliance: Do incentives work?, Nigerian Pilot (May 27, 2011).
17. Jordan & Murphy, Compliance Programs: What the Government Really Wants, 14 ACCA Docket 10, 22 (July/Aug. 1996).
18. Kaplan, The First Word On Compliance Incentives, The FCPA Blog (Jan. 19, 2011), http://www.fcpablog.com/blog/2011/1/19/the-first-word-on-compliance-incentives.html.
19. Kaplan & Murphy, Compliance Programs and the Corporate Sentencing Guidelines: Preventing Criminal and Civil Liability sections 16:29-32, 19:57 (Thomson/West; 1993 & Ann. Supp.).
20. McGonegle, How to Reward Ethical Behavior, Sustainable Business Forum blog (Feb. 13, 2011), http://sustainablebusinessforum.com/richard-murphy/49071/how-reward-ethical-behavior.
21. Murphy & Leet, Working for Integrity: Finding the Perfect Job in the Rapidly-Growing Compliance and Ethics Field, Ch. XVIII, Advice for Companies: Finding the Right Person for Your Compliance Positions (SCCE; 2006).
22. Murphy & Vigale, The Role of Incentives in Compliance Programs, 18 ethikos 8 (May/June 2005).
23. Murphy, 501 Ideas for Your Compliance and Ethics Program 66-70 (SCCE; 2008).
24. Murphy, Evaluations, Incentives and Rewards in Compliance Programs, 3 Corporate Conduct Quarterly (now ethikos) 40 (1994).
25. Murphy, How the CEO Can Make the Difference in Compliance and Ethics, 20 ethikos 9, 10-11 (May/June 2007).
26. Nelson, 1001 Ways to Reward Employees (Workman Pub; 2005).
27. Pink, Gratitude Visits, New York Times (Dec. 14, 2003), at http://query.nytimes.com/gst/fullpage.html?sec=health&res=9D07E4DF163CF937A25751C1A9659C8B63.
28. Richter, Employee Incentive Programs: A VPP Perspective, The Leader 12 (Winter 1999; VPPPA).
29. Sears, Lights! Camera! Action! Lockheed Martin's Ethics Film Festival, 17 ethikos 8 (Jan/Feb 2004).
30. Sigler & Murphy, Interactive Corporate Compliance: An Alternative to Regulatory Compulsion 83, 86, 90 (Quorum Books; 1988).
31. Singer, A Computer Software Giant Takes Time Out for Compliance, 21 ethikos 5, 7 (Sept./Oct. 2007).
32. Singer, Fannie Mae Rates Managers on Integrity and Honesty, 17 ethikos 4 (July/Aug. 2003).
33. Singer, TAP Pharma Isn't Afraid To Show A Little Levity, 19 ethikos 16, 18 (Mar./Apr. 2006).
34. Trevino & Nelson, Managing Business Ethics, 3rd Ed., 170, 186-89, 243-47, 251, 304-05 (Wiley; 2004).
35. Troklus & Warner, Compliance 101, 2nd Ed., 36 (HCCA; 2006).
36. Webb, Ottenberg's: A Recipe for Rewarding Safety: Bakery's Incentive Program Cuts Costs, Improves Productivity, Washington Post F11 (Feb. 19, 1990).

Examples and Forms


1. Evaluation Form, Appendix 1.
2. Recognition Letter, Appendix 2.
3. Ideas for Using Incentives in Compliance and Ethics Programs (from SCCE and HCCA Academies), Appendix 3.


Appendix 1
Evaluation Form
Integrity Leadership: Encourages and rewards ethical conduct. Conducts business according to our code of conduct. Inspires subordinates to do the right thing.

Expectations:
___ Uses the code of conduct and encourages subordinates to do the same
___ Actively takes steps to implement the compliance program and the code of conduct
___ Attends appropriate compliance training, and makes sure subordinates get appropriate training and know the rules that apply for their jobs
___ Takes ongoing steps to renew and refresh the message from subordinates' compliance and ethics training
___ Is willing to challenge questionable conduct or proposals
___ Encourages openness and subordinates raising issues and concerns
___ Has an active management style, knows what his/her subordinates are doing, and coaches them on meeting objectives while acting with integrity
___ Promotes safe and environmentally sound work practices
___ Evaluates subordinates on their commitment to the code of conduct
___ Shows commitment to workplace diversity
___ Includes compliance issues in business plans
___ Places the health and safety of our customers above any sales or production objectives


Specific examples supporting this rating:
__________________________________________________________
__________________________________________________________
__________________________________________________________
__________________________________________________________

NB: A manager's overall performance rating for the year is not permitted to exceed the rating achieved for this competency. A rating of "Did Not Achieve" in this category must be addressed in a developmental plan.


Appendix 2
Recognition Letter
William Employee
Distant sales office
Any location

Dear Mr. Employee:

Mary Integrity of the Compliance & Ethics Department has informed me of your recent actions that reflected a strong commitment to our company's values and code of conduct. As explained to me by Mary, you recently received anonymously, through the mail, an unmarked envelope containing sensitive information about a competitor. Under the circumstances you rightly determined that this appeared to be suspicious. Rather than seek any potential short term advantage from this information, you immediately contacted the Compliance & Ethics Department for advice on doing the right thing. As explained to our office, you did this as soon as you recognized the nature of the information, and immediately stopped reading any further. You have provided the materials to our office for further action.

You are to be commended for your alertness in the face of a potentially dangerous circumstance, and your willingness to take the right steps. I believe your actions exemplify our company's core values and commitment to integrity. On behalf of this company, our management and all of our employees, thank you for having the courage of your convictions and doing the right thing.

Sincerely,
Chief Compliance & Ethics Officer

cc: CEO
Mr. Employee's supervisor


Appendix 3
Ideas for Using Incentives in Compliance and Ethics Programs
These are ideas from the Health Care Compliance Association and Society of Corporate Compliance and Ethics Academies classes on Building Incentives in Your Compliance & Ethics Program. The classes were divided into 4 teams, with each team asked to develop its best ideas related to incentives, evaluations and rewards. The other teams then judged each presentation. Some editing has been added, including changing industry-specific references so that they apply more generally. It is hoped that this list will inspire more ideas from readers. While listing these does not mean we endorse them all, any particular idea might inspire the reader to develop an approach that will be perfect for his or her own circumstances. Departments would nominate people who exemplify the integrity program; a board level committee would select the best and give the winner free, preferential parking for a year. Provide as a reward a pin or other visible emblem. When the employee accumulates enough points, they can turn in the emblem for gifts or time off. Rewards could include two season basketball tickets or free lunch passes. Have a dinner with the CEO as recognition. Have the annual compliance and ethics award winner flown in to the shareholders annual meeting with the award presented there.

www.corporatecompliance.org

49

Using Incentives in Your Compliance and Ethics Program

Audit findings should include positive findings regarding compliance & ethics activities; these could be shared in a newsletter. The compliance committee could select the department or work group that best exemplifies compliance & ethics. Measures could include such things as completing training on time, code of conduct attestations done on time, best personnel evaluations, etc. The reward could be a lunch for the department. Those managers with the best compliance & ethics records could be awarded free tuition and expenses to attend a compliance academy and/or to get certified in compliance & ethics. Make compliance & ethics certification (CHC, CCEP) a condition for promotion to senior management positions. Reward employees for making recommendations and suggestions to improve the compliance & ethics program. This also brings in new, creative ideas. Provide rewards and recognition for those who conduct self-audits and share the findings and lessons learned. Require a compliance comprehension test as an adjunct to regular annual evaluations. A 100% score would be an added 1% pay increase on top of the usual incentives. 80% = .8, 70% = .7, less would equal zero.

50

www.corporatecompliance.org

Using Incentives in Your Compliance and Ethics Program

Provide an incentive for reports to the helpline or otherwise to the compliance and ethics office that help avoid noncompliance or identify actual problems that are system errors. This would only be for reports about systems, but not about people, to avoid a bounty-hunter environment. Make attendance at compliance training a condition for being in any responsible position. Award organization-wide recognition if the compliance & ethics program overall gets a high score, e.g., time off for all employees. Provide an incentive for all division and unit compliance and ethics officers to get training and certification (CHC, CCEP). Performance indicators could be linked to a compliance plan. This could include timely submissions of required regulatory filings, on-time completion of compliance training, etc. Provide on-the-spot recognition by peers/ supervisors with certificates (compliance bucks) for behavior promoting compliance and ethics that can be redeemed for company merchandise. Give $50 for any submissions to the company newsletter relating to compliance and ethics that are published. Have a compliance and ethics courage award, e.g., for turning down a choice vacation trip from a vendor.

Have a system for compliance & ethics points or "president's points" in small incremental amounts awarded based on performance during the month, quarter or year. The points would be totaled for each time period, with recognition for those receiving a certain number of reward points.
Senior leaders ask employees compliance and ethics questions on the spot; those who answer correctly get free movie tickets.

SCCE's Mission
SCCE exists to champion ethical practice and compliance standards in all organizations and to provide the necessary resources for compliance professionals and others who share these principles.

Society of Corporate Compliance and Ethics
6500 Barrie Road, Suite 250, Minneapolis, MN 55435, United States
+1 952 933 4977 or 888 277 4977 (p)
+1 952 988 0146 (f)
helpteam@corporatecompliance.org
www.corporatecompliance.org

Securities and Exchange Commission Requirements regarding Ethics and Compliance, Effective Compliance Programs, and the Morgan Stanley Declination

April 11-12, 2013

CONFIDENTIAL

© 2013 LRN Corporation. All Rights Reserved.

What Does it Mean to Have an Effective Compliance Program?


An effective program does not mean that a company is expected to be able to detect and stop every single violation, but it does require a thoughtful and substantial commitment.

The November 14, 2012, joint DOJ/SEC FCPA guidance does provide a new compilation of hallmarks of such a program from prior settlements and statements:
Commitment from senior management along with a clear anti-corruption policy
Code of Conduct with associated policies and procedures
Appropriate oversight, autonomy, and resources
Risk assessment-driven program
Ongoing training and advice
Incentives for self-policing, reporting of potential violations, and contributing to a culture of compliance, as well as appropriate and effective sanctions for compliance violations and lapses
Due diligence of third parties, including monitoring of third-party payments
Confidential reporting and internal investigations
Continuous improvement along with periodic testing and review
Pre-M&A due diligence of an ethics and compliance program with associated post-M&A integration
A secure and anonymous channel for reporting concerns

The program should apply from the boardroom to the supply room; no one should be beyond its reach.

How Do You Tell if You Have An Effective Compliance Program?


Best practice for a compliance program requires a third-party check on the effectiveness of the program, but even such an acknowledgment will not function as an affirmative defense.

It will, however, be a significant factor in determining whether a settlement is reached, whether a non-prosecution or a deferred prosecution agreement is possible, whether any fine will be reduced, and whether an independent monitor will be imposed.

The Federal Sentencing Guidelines state that an organization shall take "reasonable steps . . . to evaluate periodically the effectiveness of the organization's compliance and ethics program." The joint DOJ/SEC FCPA guidance states that "an assessment of a company's compliance program, including its design and good faith implementation and enforcement, is an important part of the government's assessment of whether a violation occurred, and if so, what action should be taken." The recent joint guidance notes that many companies are doing so by undertaking proactive evaluations through the use of employee surveys that measure compliance culture and the strength of internal controls, identify best practices, and detect new risk areas.

Some Implications of an Effective Compliance Program


Many federal agencies and bodies have enforcement programs that are consistent with the Department of Justice's Federal Sentencing Guidelines and, therefore, consistent with portions of the November 14, 2012, joint DOJ/SEC FCPA guidance relating to hallmarks of an effective compliance program:
Securities and Exchange Commission
Environmental Protection Agency
Department of Commerce
Department of Health and Human Services
Food and Drug Administration

Many other federal and state agencies and bodies have separate programs, but in an investigation, all are almost certain to seek all available information and data concerning a compliance program's design, implementation, and oversight, as well as whether it works.

What can we learn from the 2012 Morgan Stanley Non-Prosecution Agreement that found its program effective?
Proportionality: not everyone can replicate the Morgan Stanley program, but it's all about proportionality
Assess risks and update your program accordingly
Train often and thoughtfully, and document, document, document
Send reminders and be persistent
Conduct due diligence

More on the Morgan Stanley Declination


Training occurred at least once per year via different modalities (i.e., online, in-person, telephonic)
Written training materials were distributed to be kept in offices
There was at least some occasional personal contact between the compliance function and those it sought to guide, based on risk
Multiple reminders to complete a required task (e.g., training) were sent each year
There was an annual certification process for anti-bribery/anti-corruption training
There was an annual certification process for the Code of Conduct
There was an annual requirement to disclose any outside business interests
A documented policy existed to diligence foreign business partners
A documented policy existed to review and approve any payments to foreign business partners

Regarding Morgan Stanley's internal control structure:
It maintained a system of Section 404 internal controls;
It had documented gift and entertainment policies as well as documented anti-bribery and corruption policies;
It trained its highest-risk geographical employees on internal controls and anti-bribery and corruption much more than other lower-risk geographical employees;
It appeared to have a close connection with Internal Audit such that certain employees, transactions and business units were randomly audited and tested.

An LRN Thought Leadership Report
Ethics & Compliance Alliance Risk Forecast Report 2013
Focus Area: SEC Enforcement

SEC Enforcement Hot Topics and Trends


Bradley J. Bondi, ECA Expert Panelist
Bradley J. Bondi brings a strong background and expertise to our LRN community in areas of SEC compliance and enforcement, insider trading compliance programs, and internal investigations on a global scale. Brad is a partner at the law firm of Cadwalader, Wickersham & Taft, LLP, where he focuses on securities, corporate, and financial laws, and enforcement cases. Prior to joining Cadwalader, Brad was a member of the executive staff of the Securities and Exchange Commission, where he served as Counsel to key SEC Commissioners advising on enforcement actions and regulatory rulemaking.

Review of 2012 and Outlook for 2013


Current Enforcement Activity
The Enforcement Division of the U.S. Securities and Exchange Commission (SEC) continues to aggressively pursue violations of federal securities laws by corporations, financial institutions, and individuals. Compliance and legal personnel must be proactive to ensure that appropriate controls and policies are in place to prevent or catch misconduct. The SEC has been active this year with high-profile enforcement actions and investigations. According to its annual report, the SEC brought 734 enforcement actions this past year, the second highest number ever filed in a fiscal year (and one less than the 735 filed the prior year). Of these actions, 150 were filed in investigations designated as National Priority Cases, representing the Division's most important and complex matters, an approximately 30 percent increase over 2011. During 2012, the SEC obtained $3.1 billion in penalties and disgorgement. Many of these enforcement actions relate to conduct preceding or during the financial crisis. For example, during the past year, the SEC initiated enforcement cases relating to the financial crisis against top executives of the two largest government-sponsored entities for allegedly making misleading statements regarding the extent of each company's holdings of subprime mortgage loans; against former investment bankers and traders at a financial institution for allegedly overstating the prices of subprime bonds during the financial crisis; against former executives of a commercial bank for allegedly misleading investors about the size of the bank's loan losses during the financial crisis; and against former executives of a bank for allegedly participating in a scheme to understate millions of dollars in losses and mislead investors and Federal regulators during the financial crisis.
In addition, the SEC remains active in investigating and bringing actions for insider trading, violations by asset management firms, accounting misconduct, and violations of the Foreign Corrupt Practices Act (FCPA). The current enforcement focus of the SEC is a manifestation of the five specialized enforcement groups that SEC Enforcement Director Robert Khuzami established in late 2009: Asset Management, Market Abuse, Structured and New Products, Foreign Corrupt Practices, Municipal Securities and Pension Funds. With specialized enforcement groups focused on these areas, there undoubtedly will be further investigations and enforcement actions in these areas.

In addition to having personnel and resources allocated to them, these specialized enforcement groups are armed with new tools under the Dodd-Frank Wall Street Reform and Consumer Protection Act ("Dodd-Frank" or the "Act"), namely, the ability to offer whistleblowers, who provide original information that leads to an enforcement action, between 10 to 30 percent of the SEC's recovery. The year 2012 marked the first ever payout by the SEC to a whistleblower under the Dodd-Frank whistleblower bounty program. This program has the potential to change the landscape of the SEC's enforcement efforts.

Emerging Enforcement Trends


Certain trends in SEC enforcement likely will emerge over the next year that will determine the cases the SEC chooses to investigate and bring as enforcement actions. Monitoring these trends will be important as companies strive to remain compliant with federal securities regulations.

Increased Importance of Whistleblowers


As part of Dodd-Frank, Congress created powerful incentives to encourage persons to report (i) potential violations of the federal securities laws to the SEC and (ii) potential violations of the Commodity Exchange Act (CEA) to the Commodity Futures Trading Commission (CFTC). While the Sarbanes-Oxley Act (SOX) encouraged up-the-ladder reporting by employees and allowed for self-policing and self-reporting by companies of potential violations, the Dodd-Frank whistleblower provisions create incentives for external reporting to regulators, thus hindering a company's self-policing efforts. The SEC's rules to implement those provisions of the Act that are within the SEC's authority raise serious challenges for public corporations, financial services firms, and other companies that are subject to the federal securities laws. Companies can expect an increase in the number of complaints that circumvent internal reporting mechanisms, and that instead go directly, or through plaintiffs' lawyers, to the government. Under Dodd-Frank and rules passed thereunder, the SEC may award a cash bounty of 10 to 30 percent of recovery to any individual whistleblower who voluntarily provides the SEC with original information derived through independent knowledge of a possible violation of any federal securities law. The information must lead to a successful enforcement action resulting in monetary sanctions exceeding $1 million in order for the bounty to be awarded. While certain legal, compliance, and audit professionals are generally excluded from qualifying as whistleblowers, current and former employees, competitors, vendors, customers, and even wrongdoers (provided the wrongdoer is not convicted of a related crime) all may qualify as whistleblowers under the rule. The SEC has formed the Whistleblower Office in the Division of Enforcement to handle the inflow of tips from whistleblowers, and the agency is actively searching for whistleblowers in certain cases.
(The CFTC also passed similar rules for its whistleblower bounty program and took similar actions in establishing a whistleblower office). The SEC estimates that it will receive approximately 30,000 tips, complaints, and referrals submissions each year pursuant to the Dodd-Frank whistleblower provisions.

Importantly, the SEC's whistleblower bounty program specifically allows and incentivizes individuals to utilize internal reporting channels before going to the SEC. The SEC's rules seek to accomplish internal reporting in three ways. First, the SEC rules provide that an internal whistleblower may be eligible for an award where the company reports to the SEC information received from the whistleblower or the results of an investigation initiated in response to the whistleblower's information. In those circumstances, all the information reported by the company will be deemed attributable to the internal whistleblower. Second, a whistleblower is deemed to have reported directly to the SEC at the same time he or she has reported internally, so long as the whistleblower voluntarily reports original, independent information to the SEC within 120 days of having first reported the information internally to the company. Third, the SEC will consider whether and to what extent an individual made use of internal compliance procedures when assessing the amount of the bounty.

On November 15, 2012, the SEC issued its Second Annual Report on the Dodd-Frank Whistleblower Program (the "Report"), covering the period between October 1, 2011 and September 31, 2012. The Report, which satisfies congressional reporting obligations found in sections 922(a) and 924(d) of the Dodd-Frank Act, provides insight into the effectiveness of the Commission's whistleblower bounty program,1 the activities of the office charged with administering the program, and the Investor Protection Fund from which bounty payments are made. The issuance of the Report offers an opportunity for companies to understand the focus of the Commission's whistleblower program and to reevaluate their own compliance and internal reporting systems. The SEC made its first whistleblower award in fiscal year 2012.
According to the Report, the whistleblower received the maximum award of 30 percent for helping the Commission stop an ongoing multi-million dollar fraud.2 The Report indicates that fines in the judicial action already exceed $1 million, with further judgments and sanctions possible.3 Because the government collected approximately $150,000 by the end of the fiscal year, the Commission was able to pay nearly $50,000 to the whistleblower.4 While the percentage awarded was the maximum of 30 percent, the total dollar amount is relatively modest considering that most securities cases involve hundreds of millions of dollars in fines and penalties, and thus the potential remains for far greater awards than the one discussed in the Report.5 Because few details about the whistleblower, the fraudulent activity involved, or the company have been provided due to confidentiality provisions in the Dodd-Frank Act,6 the larger significance of the award is hard to ascertain.7 Interestingly, the SEC also denied another tipper in the same matter an award, reportedly because that person's information did not contribute significantly to the SEC's investigation.

The Report also provided information on the number of whistleblower tips, complaints, and referrals (TCRs) made during fiscal year 2012. According to the Report, 3,001 TCRs were received by the SEC's Office of the Whistleblower during the reporting period.8 Nearly 50% of those TCRs fell within three complaint categories: Corporate Disclosures (18.2%), Offering Fraud (15.5%), and Manipulation (15.2%).9 The 3,001 TCRs came from not only the United States (including all fifty states, the District of Columbia, and Puerto Rico), but forty-nine other countries as well.10 With respect to domestic TCRs, of which there were 2,507, nearly 50% came from six states: California (17.4%), Florida (8.1%), New Jersey (4.1%), New York (9.8%), Texas (6.3%), and Washington (4.1%).11 As for foreign TCRs, nearly 60% of the 324 came from Commonwealth countries,12 with another 8.0% from the People's Republic of China.13

Although only one award was paid out in fiscal year 2012, the SEC's Office of the Whistleblower posted 143 Notices of Covered Action, notices of enforcement judgments and orders that imposed monetary sanctions of $1 million or more.14 According to the Report, the Office of the Whistleblower continues to review and process applications for whistleblower awards based on those notices received during fiscal year 2012.15

In response to the new whistleblower bounty program, potentially affected companies should undertake a critical review of internal policies, procedures, and training to determine whether changes should be made.

1 For more information on the SEC's whistleblower bounty program and best practices for companies dealing with whistleblowers, please see Bradley J. Bondi, Jodi Avergun, Thomas Kuczajda & Steven D. Lofchie, Cadwalader, Wickersham & Taft LLP, The Dodd-Frank Whistleblower Provisions: Considerations for Effectively Preparing for and Responding to Whistleblowers, Business Fraud Alert, May 26, 2011, http://www.cadwalader.com/PDFs/newsletters/201105263321_BusinessFraudAlert_May_26.pdf.
2 U.S. Sec. & Exch. Comm'n, Annual Report on the Dodd-Frank Whistleblower Program Fiscal Year 2012 8 (2012) [hereinafter Annual Report].
3 Id.
4 Id.
5 Indeed, the amount pales in comparison to the whistleblower award of $104 million announced by the Internal Revenue Service (IRS) on September 11, 2012, in connection with the government's investigation of tax evasion by a Swiss bank. See David Kocieniewski, Whistle-Blower Awarded $104 Million by I.R.S., N.Y. Times, Sept. 11, 2012, available at http://www.nytimes.com/2012/09/12/business/whistle-blower-awarded-104-millionby-irs.html. The whistleblower, who was involved in that offense and who served two and a half years in prison, assisted the IRS in collecting over $780 million in fines and penalties from the bank. Id. By contrast, the SEC's whistleblower bounty rules do not permit a whistleblower to recover a bounty where the whistleblower was convicted of a related crime.
6 15 U.S.C. 78u-6(h)(2).
Educating employees on the SEC rules and the important fact that the employee may qualify as a whistleblower even after reporting the information through internal compliance channels are key. Compliance procedures must be clear and easy for employees to understand. Companies should implement an overall risk system that integrates compliance, legal, human resources, internal audit, and external audit to create a risk-

Educating employees on the SEC rules and the important fact that the employee may qualify as a whistleblower even after reporting the information through internal compliance channels are key.

7 ANNUAL REPORT at 8. 8 Id. at 4. 9 Id. at 45. 10 Id. at 5. One hundred and seventy (170) TCRs received in Fiscal Year 2012, representing 5.7% of the total received, were submitted without any geographical information provided. Annual Report at Appendix B: Whistleblower Tips Received by Location United States and its Territories Fiscal Year 2012. 11 Id. at Appendix B: Whistleblower Tips Received by Location United States and its Territories Fiscal Year 2012. 12 While the relatively high percentage of TCRs from Commonwealth countries may suggest a common culture that encourages whistleblowing activity, the number probably reflects the more mundane fact that residents of those countries are more likely to speak English, the language in which Form TCR and the Commission website are written. 13 The relatively high percentage of TCRs from China may be due to the SECs significant focus on issuers from China, and in particular Chinese reverse merger companies listed on U.S. exchanges. See, e.g., Press Release, U.S. Sec. & Exch. Commn, SEC Charges N.Y.-Based Fund Manager and Others With Securities Laws Violations Related to Chinese Reverse Merger Company (July 30, 2012), available at http://www.sec.gov/news/ press/2012/2012-146.htm; Press Release, U.S. Sec. & Exch. Commn, SEC Charges China-Based Company and Others with Stock Manipulation (Apr. 11, 2012), available at http://www.sec.gov/news/press/2012/2012-59.htm; Press Release, U.S. Sec. & Exch. Commn, SEC Approves New Rules to Toughen Listing Standards for Reverse Merger Companies (Nov. 9, 2011), available at http://www.sec.gov/news/press/2011/2011-235.htm; Luis A. Aguilar, Commr, U.S. Sec. & Exch. Commn, Facilitating Real Capital Formation (Apr. 4, 2011), available at http:// www.sec.gov/news/speech/2011/spch040411laa.htm; Scott Eden, China Reverse Mergers Continue Wild Ride, THE STREET, June 23, 2011, http://www.thestreet.com/story/11083003/1/china-reverse-mergers-continue-wildride.html. 14 ANNUAL REPORT at 6, 89. 
Individuals have 90 days to apply for an award based on the posted notices of covered action.15

15 Id. at 9.

An LRN Thought Leadership Report

Ethics & Compliance Alliance Risk Forecast Report 2013

...based approach to preventing, detecting, and responding promptly to potential violations. As part of such a system, user-friendly internal reporting mechanisms are essential to encourage employees, agents, and others to bring any potential wrongdoing to the attention of the company. For example, companies should consider:

Hotlines. Anonymous and confidential hotlines for employees, contractors, vendors, and customers to report potential securities law violations and other misconduct.
Audit. An independent and robust internal audit function and an audit committee with active oversight of and involvement in the audit function.
Prioritization. Processes and procedures that ensure that internal complaints are prioritized and evaluated quickly, and thoroughly investigated based on risk factors. Results and trends from such complaints should be integrated into the company's assessment of its compliance risks and financial reporting controls.
Internal Reporting Requirements. Internal rules that require employees to report any suspected wrongdoing to legal or compliance personnel.
Training. Training programs that credibly reiterate an institutional commitment to integrity and fair dealing, and that clearly set out internal complaint procedures.

Insider Trading

The SEC's Market Abuse Unit in the Division of Enforcement likely will remain heavily focused on investigations and enforcement actions for insider trading. In 2012, the SEC filed 58 insider trading actions, with a focus on financial professionals, hedge fund managers, and corporate insiders. Some of these insider trading actions involved high-profile individuals such as the former global head of McKinsey and Co. The SEC's Enforcement Division remains focused on employees and agents (including lawyers and consultants) of public companies who trade on material, nonpublic information gained from their work relationship. Employees are prohibited by law from trading on material, nonpublic information gained from their employment. Similarly, agents and contractors may be liable for insider trading if they breach their duty of confidentiality to the source of the information by trading on material, nonpublic information or by providing it to someone else who trades. The SEC remains active in bringing cases where employees and agents illegally capitalize on their relationship with a company.

In addition, the Department of Justice (DOJ) has increased its efforts to prosecute insider trading as a crime. The DOJ possesses law enforcement tools, such as wiretaps, trap-and-trace devices, confidential informants, search warrants, and grand juries, to gather information where the SEC cannot. Of course, the SEC ultimately may use much of this information following a criminal trial. With the presence of criminal prosecutors and federal agents, the stakes could not be higher for companies, financial services firms, and individuals.

Companies and financial services firms must establish compliance policies and procedures to address insider trading and interactions with potential tippers, including outside consultants, agents, and expert networks. Effective policies and procedures should address, as applicable: (1) the prevention of selective release of information in violation of Regulation FD (Fair Disclosure); (2) protection against the release of material, nonpublic information, including through social networks; (3) the implementation of information barriers between the firm's public and private sides; (4) interaction with expert networks and experts; (5) rules for trading by employees; and (6) the monitoring, surveillance, and supervision of employees with material, nonpublic information. All employees at the company should be trained thoroughly on the laws governing insider trading and on the firm's policies and procedures. A culture should be created that encourages employees to report to compliance or legal personnel any unusual or problematic activity. Companies should document both the processes implemented and the steps personnel take in compliance with those processes, thereby creating a detailed record of the firm's efforts to meet its legal and regulatory obligations.

Foreign Corrupt Practices Act

The SEC, together with the DOJ, continues to be aggressive in pursuing violations of the Foreign Corrupt Practices Act (FCPA). The DOJ and SEC settled several high-profile FCPA matters and, according to news reports, initiated several new investigations. During 2013, the DOJ and SEC are likely to be involved in more investigations stemming from the toppling of governments. The recent wave of Arab Spring upheavals that continues to ripple across the southern and eastern shores of the Mediterranean may present the threats common to foreign businesses caught in the midst of revolution, including extortion, nationalization, expropriation, and physical violence against executives and employees. These modern revolutions also pose new challenges to international firms, as evidence or allegations that they engaged in corrupt behavior may be made public through documents in a ransacked government ministry building, or through an incarcerated former official, an enterprising journalist or prosecutor in the new regime, or a whistleblower within the foreign company itself. If such allegations come to the attention of U.S. authorities or other governments, the company could face severe criminal and civil penalties for violations of the FCPA, among other laws.

Corporate Accounting and Internal Controls


In the aftermath of the financial crisis, companies both in the United States and around the globe have struggled to meet investor expectations and remain competitive on the international stage. Faced with challenging financial conditions, companies have focused efforts on essential cost-cutting measures, while also exploring opportunities in emerging markets and developing new products and services for this decade and beyond. During challenging times, some employees may become tempted to cut corners and engage in fraud. At the same time, regulators, faced with increased scrutiny for their apparent shortcomings prior to and during the financial crisis, have increased investigative and enforcement efforts to combat a perceived growth in corporate fraud. The SEC, in particular, will continue to focus on corporate accounting involving significant accounting judgment, such as revenue recognition, capitalization of costs, valuation, and percentage-of-completion accounting.

For example, in 2012, the SEC charged a financial services firm and three of its senior executives for allegedly participating in an accounting scheme involving life settlements. According to the SEC, the company overstated the value of assets held on the company's books and created the appearance of a steady stream of earnings from brokering life settlement transactions.

Against this backdrop, companies must remain focused on building and maintaining a strong fraud prevention and compliance program. The best global companies of today and the future must make corporate integrity and ethics the centerpiece of their culture, permeating every level of the organization, from the board and senior management down to entry-level employees in foreign subsidiaries. Focus must be placed not only on compliance with the law, but on compliance with the tenets of honesty, ethics, and the highest levels of integrity. Creating such a culture is not easy, but it must become a reality for any organization that hopes to compete on the global stage. A strong anti-fraud program is not only an essential business requirement in today's world; it is also a crucial factor for regulators when determining sanctions after problems arise. The United States Department of Justice and the Securities and Exchange Commission have written policies that allow for leniency when sanctioning companies that have established and maintained robust compliance programs and internal controls.

Conclusion
This year likely will see an increase in enforcement actions by the SEC. The SEC enters 2013 with the nomination as agency Chairman of Mary Jo White, a former U.S. Attorney with a strong reputation in law enforcement. The SEC's Division of Enforcement also is likely to see the benefits of the whistleblower bounty program. The SEC is likely to bring fewer cases this upcoming year relating to the financial crisis and more cases in the areas of insider trading, accounting misconduct, and investment management. With this in mind, legal and compliance personnel should be proactive in assessing compliance programs, internal controls, and anti-fraud programs to ensure that proper policies and procedures are in place.

The LRN Ethics & Compliance Alliance (ECA) is an online community of thought leaders and practitioners that provides unique resources and support to enhance enterprise-wide knowledge, mitigate risk, support collaboration with experts and peers, and implement program components. Encompassing practical and leading-edge resources, tools, and content across 15 key ethics and compliance risk areas, the ECA is an invaluable partner resource for ethics and compliance program design, implementation, and management strategies and provides important insights and tools to effectively mitigate and manage risk. Among other valuable subscriber benefits, the ECA provides a unique opportunity to interact and collaborate with leading subject-matter experts across all the major ethics and compliance risk areas and provides an extensive library of hands-on resources and tools, including model policies and program materials, risk assessment procedures, legal research, analyses of recent legal developments, and educational materials such as the ECA Risk Forecast Report. The ECA Risk Forecast Report is an annual publication of the most significant risks facing organizations today, as reported upon and analyzed by 11 leading ethics and compliance experts. These individuals, leading specialists whose articles are featured in the body of the Report, provide insight into the regulatory and compliance challenges we face in 2013 and the developments that are likely to result.

NOTE: The specific focus area and expert perspective covered in this resource is an excerpt from our full ECA Risk Forecast Report and is representative of other major focus and risk areas covered and presented. The full, 72-page Report is available on the LRN Ethics & Compliance Alliance member site. If you are an ECA subscriber, please log on to the ECA web site to download the complete version.
If you are not currently an ECA partner subscriber and would like to receive a copy of the full Report and learn more about our LRN ECA Solution, please email us at ContactUs@lrn.com.

The views and opinions expressed in the ECA Risk Forecast Report: (a) are for informational purposes only and are intended to represent only educated forecasts, not predictions of future events; and (b) are not presented for the purpose of providing legal advice. You should contact your legal counsel to obtain advice with respect to any particular legal or regulatory issue. In the case of opinions in this Report presented by a named author, those opinions are held by the individual author and do not necessarily reflect the opinions of that author's employer or firm.

About LRN: Inspiring Principled Performance


Since 1994, LRN has helped over 20 million people at more than 700 companies worldwide simultaneously navigate complex legal and regulatory environments and foster ethical cultures. LRN's combination of practical tools, education, and strategic advice helps companies translate their values into concrete corporate practices and leadership behaviors that create sustainable competitive advantage. In partnership with LRN, companies need not choose between living principles and maximizing profits, or between enhancing reputation and growing revenue: all are a product of principled performance. LRN works with organizations in more than 100 countries and has offices in Los Angeles, New York, London, and Mumbai. For more information, visit www.LRN.com, join our community on Facebook at facebook.com/howistheanswer, or call 800 529 6366 or 646 862 2040.

Copyright LRN Corporation. All rights reserved. L1044-0113-01-NY

Roles, Reporting, & Relationships with the Board

April 11-12, 2013

CONFIDENTIAL

© 2013 LRN Corporation. All Rights Reserved.

Let's Start with the Basics: Delaware Law Considerations

Fiduciary Obligations of the Board of Directors
The Board is charged with managing and directing the affairs of the company. Delaware law imposes fiduciary duties on directors (and officers) of corporations, but doesn't dictate with specificity how the board should carry out its mandate. The primary fiduciary duties are:

The duty of care, which requires that a board's actions and conduct be informed and considered and that decisions be made with requisite care. So, a board should (1) inform itself of all material information reasonably available to it; (2) carefully consider that information and all reasonable alternatives; and (3) act with requisite care in discharging its duties.

The duty of loyalty, which requires a board to act in good faith, in a manner it reasonably believes to be in the best interests of the corporation, and to place the interests of the corporation and the shareholders above any personal interest.

Board Decision Making

Decisions made by a Board of Directors are generally protected by the business judgment rule (BJR), which presumes that in making a decision, a board acted on an informed basis, in good faith, and in the honest belief that the action taken was in the best interests of the company and its shareholders.

BJR protection can be lost if a board's action is found to have been tainted by fraud, a lack of good faith, a failure to act or exercise judgment, self-dealing, recklessness, or improper director interest in the decision.

Generally, fiduciary duties are owed to the corporation and its shareholders only; no such duties are owed to creditors of a solvent corporation, as such parties are protected by and rely on their contractual rights.

If a corporation is insolvent, then a board has a duty to maximize the value of the corporation to serve the interests of all stakeholders, even though the board's substantive fiduciary obligations and the application of the BJR to those obligations are generally the same. The difference is that upon insolvency, the corporation's creditors take the place of the shareholders as the residual beneficiaries of the corporation's value.

Boards Can Choose to Have Companies Focus on Whatever They Want

Is the board at liberty to focus on one aspect of its business, perhaps enhancing corporate culture, rather than on strictly maximizing shareholder value? Interestingly, the two are by no means mutually exclusive (quite the contrary), but the short answer is: absolutely.

Corporations have the choice to focus on long-term, value-building strategies over short-term initiatives.

Beyond their fiduciary obligations, broadly speaking, only the company's charter constrains the choices boards and management can make on how to conduct the company's business.

Normally, the charter contains no more than a generic statement that the corporation can do whatever it decides to do, as long as it's legal. And since there is typically nothing in the charter directing a focus exclusively on quarterly profits, maximizing shareholder value, or increasing revenue or operating margins, a corporation's board can consider its mission, and how it chooses to fulfill it, both broadly and carefully.

In referring to a corporation's assets and earnings, Professor Lynn Stout notes in her book, The Shareholder Value Myth: How Putting Shareholders First Harms Investors, Corporations, and the Public, that as long as a board does not take those assets for themselves, they can give them to charity; spend them on raises and health care for employees; refuse to pay dividends so as to build up a cash cushion that benefits creditors; and pursue low-profit projects that benefit the community, society, or the environment. They can do all these things even if the result is to decrease, not increase, shareholder value.

Boards of Directors Have Been Called Out on Compliance

The Federal Sentencing Guidelines (FSG) say that, with respect to such governing authorities, they shall:
[B]e knowledgeable about the content and operation of the program to prevent and detect violations of the law
Periodically receive information on the implementation and effectiveness of the program
[E]xercise reasonable oversight with respect to the implementation and effectiveness of the program
Periodically receive training on the program and on its responsibilities

In its 1996 decision in In re Caremark International Inc. Derivative Litigation, the Delaware Court of Chancery noted, with respect to the criteria for compliance programs in the FSG, that "any rational person attempting in good faith to meet an organizational governance responsibility would be bound to take into account this development and the enhanced penalties and the opportunities for reduced sanctions that it offers."

In two 2006 Delaware Supreme Court decisions (In re Walt Disney Company Derivative Litigation and Stone v. Ritter), that court noted that boards may be liable for a failure to exercise oversight if they completely failed to implement any reporting system or controls. Further, even if such a system or set of controls is in place, liability might still arise from a conscious failure to monitor such programs, thereby hindering the directors from becoming informed of risks and problems.

When Should a Board Find Out About a Compliance Issue?

Consider having a formal process for notifying the board, or a committee of the board (e.g., the Audit Committee or the Governance & Nominating Committee). Set out what types of allegations require the Compliance Officer to make a notification. Consider making it known within the company that such allegations must go to the board.

The board should know what the process is when the compliance function receives a contact (helpline, email, telephone call, or hallway conversation). Take the helpline, for example. When someone does speak up by choosing to call a helpline, does the board know:
Who answers the call, who employs that person, and where he or she is sitting when the call is answered?
That the helpline uses no caller-ID and no GPS tracking technology?
How calls are classified or routed, who gets notified for what types of calls, and then how the investigative process may be divided among various functions (if that is the case)?
Whether or not those with investigative authority also have disciplinary authority?

Preface

This is a presentation used at the first meeting of the Altria Compliance Leadership Team, a group composed of all the peer functions of the chief compliance officer (audit, human resources, legal, communications, finance, etc.) and of key representatives of the operating companies. The task was to create a consensus and build an operating approach that all functions and all operating units were invested in. It is a good background to bring out the issues inherent in leading compliance and risk via influence rather than via top-down control.
David Greenberg

Why are we here?

Reflecting high standards that help us meet our legal obligations and our commitments to stakeholders and society
The Chief Compliance Officer will be responsible for making sure that appropriate policies and programs, reflecting high standards of conduct, are established that allow us to fully comply with all applicable laws, regulations, and significant corporate commitments.

Via world-class compliance practice
The CCO will work with PM Companies and the operating companies to make sure that such policies and programs are implemented through best practices in the areas of communications, training, monitoring, and enforcement.

What do we want to accomplish?

Develop a forward strategy for the enterprise on integrity and compliance
Draft corporate standards that reach the critical corporate integrity and compliance issues
Discuss and share best practices on those elements that, together, will produce world-class compliance programs for PM Companies and the operating companies
Examine how to integrate learnings from our experience and that of other companies into the systems and processes our companies use to drive our businesses
Define how we can best work together
Develop a realistic way of driving a coordinated strategy, sharing resources and information, and giving the Corporate CCO the ability to assure the Board of Directors that PM Companies Inc. is meeting its compliance and integrity obligations

What is my current point of view?

We will know we are successful when every employee makes decisions with the help of the compliance trinity:
Is it the right thing to do?
Is it legal?
What will others think?

We are not there yet because:
We lack a systematic, high-level, collaborative process for thinking about risk, reputation, and high standards of conduct
We have not integrated integrity and compliance into how we manage our businesses; in particular, the corporation does not sufficiently engage the operating companies on this topic
We do not broadly reach out to our employees on issues of integrity and compliance; technology now makes it possible to do so, and the Federal Sentencing Guidelines require us to do so
We have not had a focal point for driving such an effort, but we do now: it's in this room today

What are the big questions we should try to answer?

Overall
What is the essence of the task of compliance and compliance officers?
How do we move the corporation and the operating companies toward a strong culture of integrity and compliance?
How do we get better at anticipating and minimizing legal and reputational risks?
How do we leverage existing processes so that compliance does not remain the province of compliance officers?

Risk Assessment
How do we move risk assessment up the food chain of key considerations in running our businesses and functions?
What tools are available to help us?
How do we connect risk assessment to key budget, planning, and reporting events and processes?
Who is already involved in evaluating legal and reputational risks, and how can they help us?
What are each of our key priority risk areas, and why?

Compliance Management
How do we drive compliance and integrity into the business?
How do we develop a clear plan and clear accountability for compliance and integrity?
What is the process for ensuring that the plan is executed?
Do we have fail-safe outlets for employee questions and concerns about integrity and legality?
Do we have a consistent and fair process for investigating and sanctioning legal and ethical violations?
Do we have a learning loop to incorporate our successes and failures in managing compliance and integrity?

Communications and Training
Are we reaching our people with powerful messages about the importance of integrity and compliance?
Are we reaching them with the specific training they need to deal with the risk areas they confront in their work?
Are we engaging them on integrity and compliance, or just preaching to them?
Do we know whether our training works?

Auditing and Evaluating
How do we know if our compliance and integrity efforts are effective?
How do we leverage the reach and expertise built into our audit network?

Structure and Coordination
Which aspects of our efforts are so central to our corporate integrity and compliance that they need to be uniform across the enterprise?
What tasks/projects add sufficient value across operating companies that they should be done from the corporate center?
What is the impact of corporate separateness on our programs and practices?
What kind of review and reporting process will allow the operating companies to get on with their integrity and compliance programs but give corporate the assurance it needs for the Board?
What task forces are needed to build/share best practices?
What communications tools will facilitate our work together?
What is the role of the corporate functions (law, HR, IS, corporate affairs, finance) in our overall integrity and compliance effort?

QUESTIONS FOR STRATEGIC AND OPERATIONAL OVERSIGHT


Do we have the right model for the program?
How do we benchmark our program with those of other leading companies? How have we ascertained whether our program is consistent with key external (e.g., governmental) standards by which our program could be judged?

Are we identifying and prioritizing the Companys compliance risks?


How do we get input from businesses and functions to be sure our assessment of the Companys compliance risks is realistic and current? How do we ensure that compliance risks are taken into account and managed when we: Launch new products? Enter into collaborative relationships with third parties? Launch business initiatives in new geographies? Initiate new management strategies and business models (cost-cutting, new performance metrics, etc.)?
1

QUESTIONS FOR STRATEGIC AND OPERATIONAL OVERSIGHT


Are our compliance standards (e.g., code of conduct), procedures and internal controls linked to the results of our prioritized compliance risk assessments? How are we communicating to employees about (A) their job-related compliance risks and (B) the importance of Compliance/Integrity generally at the Company?
Are communications and training calibrated to compliance risk assessments? How do make sure employees meet their compliance training requirements? How do we assess the effectiveness of compliance training and other communications? How do we know if the code is understood and accepted throughout the Company? Is the Board receiving appropriate training with respect to its compliance program oversight responsibilities and its own compliance risks? Have we assured that we have a code that appropriately covers risk associated with Board membership (NYSE requirement)?
2

QUESTIONS FOR STRATEGIC AND OPERATIONAL OVERSIGHT


How do we use performance management tools - compensation, bonuses, promotion, and discipline - to help ensure that Company personnel - especially managers - take compliance/integrity seriously?
Are compliance performance and commitment to the compliance program made part of objectives and evaluations of:
Employees? Managers? Senior Management?

How do we know that those conducting performance evaluations are taking the compliance-related elements seriously? What do we do to make discipline for code of conduct violations consistent across the Company? Is discipline even-handed so that higher-ups do not get a break when lower level employees would not?

QUESTIONS FOR STRATEGIC AND OPERATIONAL OVERSIGHT


How does the board know that management is appropriately vetting new hires and promotions to avoid placing potential wrongdoers in positions of authority?
Are there appropriate safeguards when the company retains agents and other third parties?

Do we have the right systems (including the HelpLine) to ensure that (A) observed compliance violations and (B) compliance questions/concerns are surfaced and brought to the attention of appropriate personnel at the Company?
How does the HelpLine work and what information of value do we gain from the data gathered? What policies and procedures do we have to protect whistleblowers? How do we know if employees trust our systems for advice and reporting? How do we monitor the operation of the HelpLine and the appropriate treatment of HelpLine calls? Is any of the data gathered useful outside the compliance area, e.g., in areas of general management?

QUESTIONS FOR STRATEGIC AND OPERATIONAL OVERSIGHT


What mechanisms are in place to assure that important compliance/integrity issues reach the Chief Compliance Officer?
How is the policy that requires elevation of key compliance issues to the Chief Compliance Officer working? Does the Chief Compliance Officer receive regular, appropriately detailed reports on the implementation and effectiveness of the compliance program from around the Company?

Do we audit compliance risk areas?


How do we determine what risk areas, business areas, etc. get audited with respect to compliance and integrity? How do we assure that auditors are independent yet fully qualified to do these specialized audits? How do we audit for risks that are not easily measured, such as antitrust or overseas bribery? How do we assure that audit findings are appropriately responded to and followed up? Are there any areas where the compliance office is not satisfied with managements response to audit findings? Are we auditing for actual violations, or just to see if processes are in place?

QUESTIONS FOR STRATEGIC AND OPERATIONAL OVERSIGHT


What other monitoring of the program and of compliance do we do?
What types of internal control systems do we use to prevent violations?

What other ways do we evaluate the effectiveness of the program to gauge whether it is reasonably effective? Are we responding appropriately to identified compliance allegations and issues?
How do we assure that investigations are conducted professionally and in a way that would stand up to outside scrutiny? Do we have any policies or procedures on disclosing violations to the government? Do we have appropriate policies and procedures to assure the preservation of relevant documents and information when there are allegations of misconduct? When we conduct investigations, is there any system that looks at root cause of violations and how the systems can be improved or changed to prevent recurrence?
6

QUESTIONS FOR STRATEGIC AND OPERATIONAL OVERSIGHT


Does the company have the right resources and personnel to oversee, manage and implement the program?
Does the program have the right level of resources?
How has management determined the right level of resources? Do compliance officers (Chief Compliance Officer, Operating Company Compliance Officers, any other compliance personnel) have the resources, support and autonomy needed to do the job?

In addition to Chief Compliance Officers at Corporate and OpCos, how well do the following functions support the program:
Law Department? HR? Audit? IT? Finance? Corporate Affairs? How is this assessed?

In addition to chief compliance officers at Corporate and OpCos, are there adequate personnel to champion and manage the compliance/integrity program at the local level? How do we assure that compliance subject matter experts remain directly involved in compliance planning and execution?
How do these experts communicate compliance requirements to other personnel with compliance responsibilities? How do we assure that our subject matter experts remain current with developing risks in their areas?

How do we manage change in the compliance area?


Personnel? Law, regulation?


Does senior management at the Corporate and OpCo level support the compliance program in terms of:
Program needs (personnel, resources)? Personal actions regarding compliance?

Are there committees established which meet regularly to discuss current issues?
Are these HQ, Company level, or both? Are the members of these committees people who really know what is going on?

Are compliance reports regularly submitted by key field compliance personnel (environmental, FDA, legal, etc.)? Do we receive annual certifications from Company managers about whether they are aware of any compliance failures?


Are the Board and Senior Management receiving the information they need to provide a reasonable degree of oversight of the compliance and integrity program?
Does the Board learn in a timely way about:
Compliance violations? Important investigations into possible compliance violations? Progress in implementing new compliance initiatives? Ongoing information relating to the effectiveness of the program? New areas of risk?

How does our Board compare to Boards of other companies in its approach to compliance program oversight?
Does the Board have the resources it needs? Does the Board have the processes it needs?


Has the Board sufficiently documented its role in the compliance program and its level of commitment? Does the compliance information provided the Board adequately cover operations in all parts of the globe? Are there any areas of disagreement between the compliance office and management?
If so, how does the Board learn about these?

How does the Board know that the compliance system is comprehensive?
Is there anything carved out from the official compliance program? Are corporate governance, environment, Sarbanes-Oxley, HR compliance issues, matters in the legal department all consolidated in what the Board hears from the compliance officer, or are there any gaps?

How does the Board assess the compliance program other than by relying on what the compliance officer reports on the program?

The E&C Industry Continues to Grow, Though Somewhat More Slowly

KEY INSIGHTS

Budgets are mostly stagnant, although 39% of E&C leaders project their budgets will increase this year, a 6% decrease compared to last year.

Education and communication top the list of non-staff expenses.

CONFIDENTIAL

2013 LRN Corporation. All Rights Reserved.

Overall, Staffing Levels Continue to See Slow Growth

KEY INSIGHTS

E&C staffing levels are projected to remain largely unchanged for 2013, continuing the 2012 and 2011 trend.

Planned increases (35%) far outweigh planned decreases (5%).

E&C Employees per Thousand FTEs

Regulated Industries: 2.33
Less Regulated Industries: 0.89
Overall: 1.54

Highly Regulated Firms Keep Spending and Doing More Than Their Less Regulated Counterparts

E&C Budget Adjustments (Highly Regulated Firms): Decrease 16%, Increase 49%, No Change 34%
E&C Budget Adjustments (Less Regulated Firms): Decrease 15%, Increase 29%, No Change 56%

E&C Headcount Adjustments (Highly Regulated Firms): Decrease 6%, Increase 40%, No Change 54%
E&C Headcount Adjustments (Less Regulated Firms): Decrease 3%, Increase 31%, No Change 66%


Succeeding With External Compliance Monitors

Jaclyn Jaeger June 02, 2010

Any compliance officers out there who believe they have a hard time working with a government-appointed compliance monitor, be quiet. United Launch Alliance has a story that tops yours.

The aerospace concern, a joint venture between Boeing and Lockheed Martin to build rockets and send satellites into orbit for the U.S. government, had to accept three compliance monitors simply to start business in late 2006. That was primarily driven by pre-existing compliance demands placed upon its parent companies, plus the need to integrate the companies' different processes from Day 1 of ULA's existence. Then there was the small fact that as a defense contractor itself, ULA would be subject to its own thicket of compliance rules.


ULA's head of internal governance, Cindy Corrigan, explained how the company navigated such a complex monitoring structure at the Compliance Week 2010 conference. She also brought along Leslie Kenne, a retired U.S. Air Force lieutenant general and one of ULA's monitors, and Steven Shaw, the Air Force's deputy general counsel for contractor responsibility, to give their thoughts on how best to work with monitors.

One of ULA's first challenges was that it had to figure out who its monitors would be. To begin business, ULA had to accept the obligations of an administrative agreement previously struck by Boeing and the U.S. Air Force. That agreement did allow ULA to choose its own external special compliance officer to oversee compliance with the agreement, but that monitor needed Air Force approval.

Of course, not all companies can choose their compliance monitor, but if you can, then hiring the right person is essential. Kenne stressed that employees generally act more positively if they believe they are being treated fairly and can have their day in court. That means an auditor, whose primary role is to find wrongdoing, might not be the ideal person for the job, she said. Still, she added, the interests of the monitor should remain with the government, not the company.

Corrigan said she also worked hard to get clarity around the language of ULA's agreement with the government, to have a common understanding of exactly what the Air Force's expectations were. Building a relationship of mutual trust and respect, and open, honest communication with both the compliance monitor and the government was essential, she said.

Shaw agreed. The government's goal, he stressed, is to minimize the risk of future misconduct. "We're not doing this just by putting people in jail; we're trying to be proactive," he said. An ongoing dialogue of trust benefits both sides.

Still, Corrigan added, the process was much easier said than done. It took quite a bit of talks back and forth to ensure things were aligned, she said.

Leslie Kenne, a compliance monitor for ULA appointed by the U.S. Air Force, talks about her job at Compliance Week 2010.

This is where a compliance monitor can play a significant role. For example, Kenne said she defines "ensuring compliance" and "enforcing compliance" as two separate matters. Ensuring compliance means looking at how the company obeys government requirements; enforcing it is about how the company punishes wrongdoers. Clarifying those distinctions is essential, she said, because not all companies see them as separate issues.

As part of ULA's administrative agreement, individuals also were assigned responsibility for implementing the compliance program. That was really fundamental, Kenne said, because if specific people aren't assigned to the task, the compliance program can flop. As a final step, a series of reviews were also performed. These involved weekly internal reviews, and monthly external reviews with the compliance monitor.

Punishments

When deciding whether to bar a company from working with the government, Shaw said he first assesses the evidence to determine whether any misconduct did indeed happen. If it did, the burden of proof then falls to the contractor, which must demonstrate that the appropriate processes were existing and operating to try to prevent the misconduct.

Source: DOJ Monitor Memo, Department of Justice (March 7, 2008).

If the company can indeed show that it was making a good-faith effort to fight fraud or other misbehavior, "I'll probably just ignore the case and put it in my file," Shaw said. On the other hand, if those practices weren't present and the company has no immediate hope of implementing any, then debarment from government business is likely and usually lasts three years, he said.

Shaw admitted that sometimes his decisions can be a close call. Gray areas arise when a company might need help overseeing a process; Shaw compared it to a criminal defendant being sentenced to probation. In those situations, companies usually must report to the Air Force quarterly, sometimes monthly. At those meetings they must explain what's being done to improve their compliance programs.

In addition, the government insists on two outside verifications: one performed by the compliance monitor, and another by a separate ethics consultant. The consultant's role is to review the programs and report those findings to the federal government, "so that I don't have to take the word of the company," Shaw said. The compliance monitor, meanwhile, reviews the company's compliance with its administrative agreements to see how the company is performing.

Above all, the government wants to know that a company takes its compliance program seriously, Kenne said. "It's just as important for [companies] to be able to find their own problems, then take the actions to fix them," she said. "That's really what we want to see." In contrast, she said, the government does not want to see the company start slashing budgets and minimizing the importance of a compliance program immediately after an administrative agreement ends.

This is where mutual trust and communication, again, come into play, Kenne said. "Really, what you want when it's all over is for the company to have a robust compliance program and for the government to be able to trust that company to stay in compliance," she said. "That's a win-win, and you don't win-win by hiding things from each other."

And that mutual respect should reside on all levels. Using her position as an example, Kenne said: "I've worked with Steve [Shaw]'s staff frequently, letting him know how things are going, calling him if I have questions." When in doubt, communicate.

As often said, tone at the top is paramount. Compliance monitors need to see the full involvement of the chief compliance officer and the CEO, Kenne said. "They've got to have that upper-level involvement if they are going to be successful."

U.S. Department of Justice
Office of the Deputy Attorney General

The Deputy Attorney General

Washington, D.C. 20530

March 7, 2008

MEMORANDUM FOR HEADS OF DEPARTMENT COMPONENTS
UNITED STATES ATTORNEYS

FROM: Craig S. Morford, Acting Deputy Attorney General

SUBJECT: Selection and Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution Agreements with Corporations[1]

I. INTRODUCTION

The Department of Justice's commitment to deterring and preventing corporate crime remains a high priority. The Principles of Federal Prosecution of Business Organizations set forth guidance to federal prosecutors regarding charges against corporations. A careful consideration of those principles and the facts in a given case may result in a decision to negotiate an agreement to resolve a criminal case against a corporation without a formal conviction - either a deferred prosecution agreement or a non-prosecution agreement.[2] As part of some negotiated corporate agreements, there have been provisions pertaining to an independent corporate monitor.[3] The corporation benefits from expertise in the area of corporate compliance from an independent third party. The corporation, its shareholders, employees and the public at large then benefit from reduced recidivism of corporate crime and the protection of the integrity of the marketplace.

[1] As used in these Principles, the terms "corporate" and "corporation" refer to all types of business organizations, including partnerships, sole proprietorships, government entities, and unincorporated associations.

[2] The terms "deferred prosecution agreement" and "non-prosecution agreement" have often been used loosely by prosecutors, defense counsel, courts and commentators. As the terms are used in these Principles, a deferred prosecution agreement is typically predicated upon the filing of a formal charging document by the government, and the agreement is filed with the appropriate court. In the non-prosecution agreement context, formal charges are not filed and the agreement is maintained by the parties rather than being filed with a court. Clear and consistent use of these terms will enable the Department to more effectively identify and share best practices and to track the use of such agreements. These Principles do not apply to plea agreements, which involve the formal conviction of a corporation in a court proceeding.

[3] Agreements use a variety of terms to describe the role referred to herein as "monitor," including consultants, experts, and others.

Memorandum for Heads of Department Components and United States Attorneys
Subject: Selection and Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution Agreements with Corporations
Page 2

The purpose of this memorandum is to present a series of principles for drafting provisions pertaining to the use of monitors in connection with deferred prosecution and non-prosecution agreements (hereafter referred to collectively as "agreements") with corporations.[4] Given the varying facts and circumstances of each case - where different industries, corporate size and structure, and other considerations may be at issue - any guidance regarding monitors must be practical and flexible. This guidance is limited to monitors, and does not apply to third parties, whatever their titles, retained to act as receivers, trustees, or perform other functions.

A monitor's primary responsibility is to assess and monitor a corporation's compliance with the terms of the agreement specifically designed to address and reduce the risk of recurrence of the corporation's misconduct, and not to further punitive goals. A monitor should only be used where appropriate given the facts and circumstances of a particular matter. For example, it may be appropriate to use a monitor where a company does not have an effective internal compliance program, or where it needs to establish necessary internal controls. Conversely, in a situation where a company has ceased operations in the area where the criminal misconduct occurred, a monitor may not be necessary. In negotiating agreements with corporations, prosecutors should be mindful of both: (1) the potential benefits that employing a monitor may have for the corporation and the public, and (2) the cost of a monitor and its impact on the operations of a corporation.

Prosecutors shall, at a minimum, notify the appropriate United States Attorney or Department Component Head prior to the execution of an agreement that includes a corporate monitor. The appropriate United States Attorney or Department Component Head shall, in turn, provide a copy of the agreement to the Assistant Attorney General for the Criminal Division at a reasonable time after it has been executed. The Assistant Attorney General for the Criminal Division shall maintain a record of all such agreements.

This memorandum does not address all provisions concerning monitors that have been included or could appropriately be included in agreements. Rather this memorandum sets forth nine basic principles in the areas of selection, scope of duties, and duration. This memorandum provides only internal Department of Justice guidance. In addition, this memorandum applies only to criminal matters and does not apply to agencies other than the Department of Justice. It is not intended to, does not, and may not be relied upon to create any rights, substantive or procedural, enforceable at law by any party in any matter civil or criminal. Nor are any limitations hereby placed on otherwise lawful litigative prerogatives of the Department of Justice.

[4] In the case of deferred prosecution agreements filed with a court, these Principles must be applied with due regard for the appropriate role of the court and/or the probation office.

II. SELECTION

1. Principle: Before beginning the process of selecting a monitor in connection with deferred prosecution agreements and non-prosecution agreements, the corporation and the Government should discuss the necessary qualifications for a monitor based on the facts and circumstances of the case. The monitor must be selected based on the merits. The selection process must, at a minimum, be designed to: (1) select a highly qualified and respected person or entity based on suitability for the assignment and all of the circumstances; (2) avoid potential and actual conflicts of interests, and (3) otherwise instill public confidence by implementing the steps set forth in this Principle.

To avoid a conflict, first, Government attorneys who participate in the process of selecting a monitor shall be mindful of their obligation to comply with the conflict-of-interest guidelines set forth in 18 U.S.C. 208 and 5 C.F.R. Part 2635. Second, the Government shall create a standing or ad hoc committee in the Department component or office where the case originated to consider monitor candidates. United States Attorneys and Assistant Attorneys General may not make, accept, or veto the selection of monitor candidates unilaterally. Third, the Office of the Deputy Attorney General must approve the monitor. Fourth, the Government should decline to accept a monitor if he or she has an interest in, or relationship with, the corporation or its employees, officers or directors that would cause a reasonable person to question the monitor's impartiality. Finally, the Government should obtain a commitment from the corporation that it will not employ or be affiliated with the monitor for a period of not less than one year from the date the monitorship is terminated.

Comment: Because a monitor's role may vary based on the facts of each case and the entity involved, there is no one method of selection that should necessarily be used in every instance. For example, the corporation may select a monitor candidate, with the Government reserving the right to veto the proposed choice if the monitor is unacceptable. In other cases, the facts may require the Government to play a greater role in selecting the monitor. Whatever method is used, the Government should determine what selection process is most effective as early in the negotiations as possible, and endeavor to ensure that the process is designed to produce a high-quality and conflict-free monitor and to instill public confidence. If the Government determines that participation in the selection process by any Government personnel creates, or appears to create, a potential or actual conflict in violation of 18 U.S.C. 208 and 5 C.F.R. Part 2635, the Government must proceed as in other matters where recusal issues arise. In all cases, the Government must submit the proposed monitor to the Office of the Deputy Attorney General for review and approval before the monitorship is established.

Ordinarily, the Government and the corporation should discuss what role the monitor will play and what qualities, expertise, and skills the monitor should have. While attorneys, including but not limited to former Government attorneys, may have certain skills that qualify them to function effectively as a monitor, other individuals, such as accountants, technical or scientific experts, and compliance experts, may have skills that are more appropriate to the tasks contemplated in a given agreement.

Subsequent employment or retention of the monitor by the corporation after the monitorship period concludes may raise concerns about both the appearance of a conflict of interest and the effectiveness of the monitor during the monitorship, particularly with regard to the disclosure of possible new misconduct. Such employment includes both direct and indirect, or subcontracted, relationships.

Each United States Attorney's Office and Department component shall create a standing or ad hoc committee ("Committee") of prosecutors to consider the selection or veto, as appropriate, of monitor candidates. The Committee should, at a minimum, include the office ethics advisor, the Criminal Chief of the United States Attorney's Office or relevant Section Chief of the Department component, and at least one other experienced prosecutor.

Where practicable, the corporation, the Government, or both parties, depending on the selection process being used, should consider a pool of at least three qualified monitor candidates. Where the selection process calls for the corporation to choose the monitor at the outset, the corporation should submit its choice from among the pool of candidates to the Government. Where the selection process calls for the Government to play a greater role in selecting the monitor, the Government should, where practicable, identify at least three acceptable monitors from the pool of candidates, and the corporation shall choose from that list.

III. SCOPE OF DUTIES

A. INDEPENDENCE

2. Principle: A monitor is an independent third party, not an employee or agent of the corporation or of the Government.

Comment: A monitor by definition is distinct and independent from the directors, officers, employees, and other representatives of the corporation. The monitor is not the corporation's attorney. Accordingly, the corporation may not seek to obtain or obtain legal advice from the monitor. Conversely, a monitor also is not an agent or employee of the Government. While a monitor is independent both from the corporation and the Government, there should be open dialogue among the corporation, the Government and the monitor throughout the duration of the agreement.

B. MONITORING COMPLIANCE WITH THE AGREEMENT

3. Principle: A monitor's primary responsibility should be to assess and monitor a corporation's compliance with those terms of the agreement that are specifically designed to address and reduce the risk of recurrence of the corporation's misconduct, including, in most cases, evaluating (and where appropriate proposing) internal controls and corporate ethics and compliance programs.

Comment: At the corporate level, there may be a variety of causes of criminal misconduct, including but not limited to the failure of internal controls or ethics and compliance programs to prevent, detect, and respond to such misconduct. A monitor's primary role is to evaluate whether a corporation has both adopted and effectively implemented ethics and compliance programs to address and reduce the risk of recurrence of the corporation's misconduct. A well-designed ethics and compliance program that is not effectively implemented will fail to lower the risk of recidivism. A monitor is not responsible to the corporation's shareholders. Therefore, from a corporate governance standpoint, responsibility for designing an ethics and compliance program that will prevent misconduct should remain with the corporation, subject to the monitor's input, evaluation and recommendations.

4. Principle: In carrying out his or her duties, a monitor will often need to understand the full scope of the corporation's misconduct covered by the agreement, but the monitor's responsibilities should be no broader than necessary to address and reduce the risk of recurrence of the corporation's misconduct.

Comment: The scope of a monitor's duties should be tailored to the facts of each case to address and reduce the risk of recurrence of the corporation's misconduct. Among other things, focusing the monitor's duties on these tasks may serve to calibrate the expense of the monitorship to the failure that gave rise to the misconduct the agreement covers. Neither the corporation nor the public benefits from employing a monitor whose role is too narrowly defined (and, therefore, prevents the monitor from effectively evaluating the reforms intended by the parties) or too broadly defined (and, therefore, results in the monitor engaging in activities that fail to facilitate the corporation's implementation of the reforms intended by the parties). The monitor's mandate is not to investigate historical misconduct. Nevertheless, in appropriate circumstances, an understanding of historical misconduct may inform a monitor's evaluation of the effectiveness of the corporation's compliance with the agreement.

C. COMMUNICATIONS AND RECOMMENDATIONS BY THE MONITOR

5. Principle: Communication among the Government, the corporation and the monitor is in the interest of all the parties. Depending on the facts and circumstances, it may be appropriate for the monitor to make periodic written reports to both the Government and the corporation.

Comment: A monitor generally works closely with a corporation and communicates with a corporation on a regular basis in the course of his or her duties. The monitor must also have the discretion to communicate with the Government as he or she deems appropriate. For example, a monitor should be free to discuss with the Government the progress of, as well as issues arising from, the drafting and implementation of an ethics and compliance program. Depending on the facts and circumstances, it may be appropriate for the monitor to make periodic written reports to both the Government and the corporation regarding, among other things: (1) the monitor's activities; (2) whether the corporation is complying with the terms of the agreement; and (3) any changes that are necessary to foster the corporation's compliance with the terms of the agreement.

6. Principle: If the corporation chooses not to adopt recommendations made by the monitor within a reasonable time, either the monitor or the corporation, or both, should report that fact to the Government, along with the corporation's reasons. The Government may consider this conduct when evaluating whether the corporation has fulfilled its obligations under the agreement.

Comment: The corporation and its officers and directors are ultimately responsible for the ethical and legal operations of the corporation. Therefore, the corporation should evaluate whether to adopt recommendations made by the monitor. If the corporation declines to adopt a recommendation by the monitor, the Government should consider both the monitor's recommendation and the corporation's reasons in determining whether the corporation is complying with the agreement. A flexible timetable should be established to ensure that both a monitor's recommendations and the corporation's decision to adopt or reject them are made well before the expiration of the agreement.

D. REPORTING OF PREVIOUSLY UNDISCLOSED OR NEW MISCONDUCT

7. Principle: The agreement should clearly identify any types of previously undisclosed or new misconduct that the monitor will be required to report directly to the Government. The agreement should also provide that as to evidence of other such misconduct, the monitor will have the discretion to report this misconduct to the Government or the corporation or both.

Comment: As a general rule, timely and open communication between and among the corporation, the Government and the monitor regarding allegations of misconduct will facilitate the review of the misconduct and formulation of an appropriate response to it. The agreement may set forth certain types of previously undisclosed or new misconduct that the monitor will be required to report directly to the Government. Additionally, in some instances, the monitor should immediately report other such misconduct directly to the Government and not to the corporation. The presence of any of the following factors militates in favor of reporting such misconduct directly to the Government and not to the corporation, namely, where the misconduct: (1) poses a risk to public health or safety or the environment; (2) involves senior management of the corporation; (3) involves obstruction of justice; (4) involves criminal activity which the Government has the opportunity to investigate proactively and/or covertly; or (5) otherwise poses a substantial risk of harm. On the other hand, in instances where the allegations of such misconduct are not credible or involve actions of individuals outside the scope of the corporation's business, the monitor may decide, in the exercise of his or her discretion, that the allegations need not be reported directly to the Government.

IV. DURATION

8. Principle: The duration of the agreement should be tailored to the problems that have been found to exist and the types of remedial measures needed for the monitor to satisfy his or her mandate.

Comment: The following criteria should be considered when negotiating duration of the agreement (not necessarily in this order): (1) the nature and seriousness of the underlying misconduct; (2) the pervasiveness and duration of misconduct within the corporation, including the complicity or involvement of senior management; (3) the corporation's history of similar misconduct; (4) the nature of the corporate culture; (5) the scale and complexity of any remedial measures contemplated by the agreement, including the size of the entity or business unit at issue; and (6) the stage of design and implementation of remedial measures when the monitorship commences. It is reasonable to forecast that completing an assessment of more extensive and/or complex remedial measures will require a longer period of time than completing an assessment of less extensive and/or less complex ones. Similarly, it is reasonable to forecast that a monitor who is assigned responsibility to assess a compliance program that has not been designed or implemented may take longer to complete that assignment than one who is assigned responsibility to assess a compliance program that has already been designed and implemented.

9. Principle: In most cases, an agreement should provide for an extension of the monitor provision(s) at the discretion of the Government in the event that the corporation has not successfully satisfied its obligations under the agreement. Conversely, in most cases, an agreement should provide for early termination if the corporation can demonstrate to the Government that there exists a change in circumstances sufficient to eliminate the need for a monitor.

Comment: If the corporation has not satisfied its obligations under the terms of the agreement at the time the monitorship ends, the corresponding risk of recidivism will not have been reduced and an extension of the monitor provision(s) may be appropriate. On the other hand, there are a number of changes in circumstances that could justify early termination of an agreement. For example, if a corporation ceased operations in the area that was the subject of the agreement, a monitor may no longer be necessary. Similarly, if a corporation is purchased by or merges with another entity that has an effective ethics and compliance program, it may be prudent to terminate a monitorship.

CLIENT MEMORANDUM

IMPOSITION OF COMPLIANCE MONITORS IN FCPA SETTLEMENTS IS DOWN, BUT RECENT COURT RULING INCREASES THE RISK OF PUBLIC ACCESS TO MONITOR REPORTS

The government is imposing compliance monitors less frequently in FCPA settlements, but a recent ruling by a federal court in Washington, D.C. compounds the risks associated with having a monitor. An analysis performed by Willkie Farr & Gallagher LLP indicates that the imposition of independent compliance monitors and consultants as part of Foreign Corrupt Practices Act (FCPA) settlements with the Department of Justice (the DOJ) and the Securities and Exchange Commission (the SEC) has declined markedly since 2010. But companies that do receive monitors must now be concerned that their reports may be publicly disclosed.

From 2004 to 2009, every FCPA settlement that resulted in sanctions greater than $3 million included the imposition of an independent compliance monitor or consultant. The burdens associated with such monitors are well known. Companies have long been troubled by the opaque process by which monitors traditionally were selected, the uncertainty or inability to contain the scope of monitors' work, the potential to undermine existing compliance systems and personnel, and the virtually unchecked and often excessive cost of monitors. Opposition to monitors galvanized in early 2008, when former U.S. Attorney General John Ashcroft estimated that eighteen months of his work as a monitor would cost between $28 million and $52 million. Congress subsequently convened hearings into potential problems and abuses in the use of monitors, and in March 2008 the DOJ issued guidance called the Memorandum on the Selection and Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution Agreements with Corporations, commonly known as the Morford Memo, after then-Acting Deputy Attorney General Craig S. Morford.

Although the Morford Memo did not address the circumstances under which a monitor will be imposed, the use of corporate compliance monitors in FCPA settlements has declined markedly. Since 2010, monitors have been imposed in approximately one out of every three FCPA settlements with sanctions greater than $3 million; in 2011, only one of twelve such FCPA settlements included a monitor. This is not to say that enforcement authorities will cease to use monitors altogether (so far in 2012, three of the four corporate FCPA settlements have included a monitor), but it appears that the DOJ and SEC are making more judicious use of monitors as a settlement tool. Regulators will still consider the same factors in assessing whether monitors are appropriate, including the gravity and scope of the misconduct, the involvement or acquiescence by senior management in the misconduct, the nature of any compliance or internal controls deficiencies, and any remedial measures taken by the company of its own accord. However, they appear to be doing so with a more exacting standard.


Although the use of monitors may be on the decline, a recent ruling by the United States District Court for the District of Columbia has increased the risk that, when a monitor is imposed, his or her reports to the government may be publicly disclosed. On April 16, 2012, in SEC v. Am. Int'l Group, Inc., No. 04-2070 (D.D.C. Apr. 16, 2012), U.S. District Judge Gladys Kessler granted the motion of a news reporter and ordered the release of corporate monitor reports concerning transactions entered into by AIG leading up to the financial crisis of 2008.[1] AIG agreed to retain an independent compliance consultant as part of its settlement of alleged federal securities law violations in December 2004. The independent compliance consultant was to review certain transactions to determine if any were designed to violate generally accepted accounting principles (GAAP) or SEC rules. The consultant was required to provide reports on his or her findings to the SEC, the DOJ, and AIG's audit committee.

In ordering the release of the reports to the public, Judge Kessler held that the public had a common law right of access to the reports. Applying the D.C. Circuit's two-step test for the common law right of access to judicial records, Judge Kessler first concluded that the reports constituted judicial records. She then balanced the interests of the SEC and AIG in maintaining the confidentiality of the reports against the public's interest in their disclosure, concluding that "the public's interest in favor of disclosure of [the monitor reports] . . . is overwhelming." In reaching this conclusion, Judge Kessler cited: (1) the absence of a confidentiality provision in the SEC's original consent order (the consent order was amended after the entry of a final judgment to include a confidentiality provision limiting dissemination of the monitor's reports to the entities designated in the consent order); and (2) the prominence of AIG in the financial crisis of 2008.

Notably, Judge Kessler rejected the reporter's argument that the First Amendment right of access to judicial proceedings mandated disclosure of the monitor's reports. In doing so, she noted that the D.C. Circuit has limited the First Amendment right of access to judicial proceedings to criminal proceedings, not civil proceedings such as the SEC's action against AIG, thereby leaving the door open for an additional argument that the First Amendment would mandate public disclosure of corporate monitor reports in the context of a criminal settlement.

The decline in the use of monitors in FCPA settlements is good news for companies that may face investigations or enforcement actions brought by the DOJ and SEC. But companies will want to take steps to ensure that, should a monitor be imposed as part of a settlement, the monitor's reports will remain confidential. At a minimum, companies should seek to include confidentiality provisions to this effect in settlement documents. The failure to keep such sensitive reports confidential could expose companies to follow-on civil litigation as well as additional potential commercial and reputational damage.

[1] The opinion is available online at: http://pdfserver.amlaw.com/cc/KesslerFOI_opinion.pdf.


If you have any questions concerning the foregoing or would like additional information, please contact Martin J. Weinstein (202-303-1122, mweinstein@willkie.com), Robert J. Meyer (202-303-1123, rmeyer@willkie.com), Jeffrey D. Clark (202-303-1139, jdclark@willkie.com), or the Willkie attorney with whom you regularly work.

April 20, 2012
Copyright 2012 by Willkie Farr & Gallagher LLP. All Rights Reserved. This memorandum may not be reproduced or disseminated in any form without the express permission of Willkie Farr & Gallagher LLP. This memorandum is provided for news and information purposes only and does not constitute legal advice or an invitation to an attorney-client relationship. While every effort has been made to ensure the accuracy of the information contained herein, Willkie Farr & Gallagher LLP does not guarantee such accuracy and cannot be held liable for any errors in or any reliance upon this information. Under New York's Code of Professional Responsibility, this material may constitute attorney advertising. Prior results do not guarantee a similar outcome.


Has Anybody Got It Right? Key Trends and Developments in Ethics & Compliance
Findings from LRN's 2012/2013 E&C Leadership Survey Report

March 20, 2013

CONFIDENTIAL

2013 LRN Corporation. All Rights Reserved.

Developing LRN's Program Effectiveness Index (PEI)

Five survey questions speak to impact on employees:

1. How do you perceive the effectiveness of the E&C program as an Overseer (e.g., focusing on controls, risk management and investigations)?
2. How do you perceive the effectiveness of the E&C program as a Business Enabler (e.g., providing advice/counsel, enabling better decision making)?
3. How do you perceive the effectiveness of the E&C program as a Corporate Conscience (e.g., promoting an ethical culture through education and addressing employee concerns)?
4. To what extent do you believe your employees apply their understanding of the Code of Conduct on the job?
5. What impact does your current E&C education have on employee behavior and decision-making?


Responses to all five questions were consolidated into a single index score for each respondent.

[Figure: histogram of responses (y-axis, 0 to 25) by PEI score (x-axis, 0.2 to 1.0)]

How Much and How Many Don't Seem to Matter: Size Doesn't Matter

[Figure: PEI (x-axis, 0 to 1.2) by company size: more than 50,000 employees; 15,000 to 50,000 employees; 7,500 to 15,000 employees; 2,500 to 7,500 employees; under 2,500 employees]


Spend Doesn't Matter

[Figure: scatter plot of E&C budget per thousand employees (y-axis, $0 to $350,000) against PEI (x-axis, 0 to 1.2)]


Headcount Doesn't Matter

[Figure: scatter plot of dedicated E&C headcount per thousand employees (y-axis, 0.00 to 5.00) against PEI (x-axis, 0.2 to 1.1)]


What Does Matter? How Matters

- The orientation and purpose of the program
- The orientation and purpose of the code of conduct
- Whether the company formally evaluates behavior
- The use of blended learning
- Theme-based E&C campaigns
- Measuring organizational impact
- More spending on education; less on consultants


Program Mandate

Two-thirds of E&C programs see as their primary mandate ensuring ethical behavior and alignment of decision making and conduct with core values (average PEI score of .74).

One-third of E&C programs see their primary mandate as ensuring compliance with rules and regulations (average PEI score of .63).


Looking at Value vs. Rules, and at Behaviors vs. Outcomes: Synchronicity Appears to Be the Key

Code of Conduct Orientation

Orientation                  PEI    Percentage
Values only                  0.71   4%
Values, supported by rules   0.71   44%
Values and rules equally     0.72   24%
Rules, supported by values   0.69   24%
Rules only                   0.56   4%

Emphasis in Performance Evaluations

[Figure: average PEI (y-axis, 0.62 to 0.76) by emphasis in performance evaluations, with three categories: Behaviors > Business Outcomes, Behaviors = Business Outcomes, Behaviors < Business Outcomes; bar values shown are 0.75, 0.70 and 0.67]


Blended Learning Makes a Difference

Virtually everyone uses online learning (average PEI score .71). Most do classroom teaching as well (PEI .72), but those who don't have an average PEI of .65. More than half use experiential techniques (PEI .74), while those who don't average .66. Trendsetters (14%) using mobile devices average .76, compared to .69 for those who do not.

[Figure: average PEI by method of learning, yes vs. no, for Online, Classroom, Experiential Learning and Mobile Devices; values as stated above]


More Effective Programs Go Beyond Annual Campaigns

Programs implementing theme-based campaigns at least quarterly sport average PEI scores of .76. Those which do not roll out theme-based campaigns at all average .59.

[Figure: average PEI by theme-based campaign rollout: Quarterly (0.76) vs. Never (0.59)]


More Impactful Programs Focus Their Resources Differently Than Do Less Impactful Programs

[Figure: percentage of budget allocated by highly effective vs. less effective programs for each budget item: Education & Communications, Administration, Consultants, Risk Management, Investigations; bar values shown are 29.1, 24.3, 19.9, 15.2, 7.8, 14.4, 10.9, 5.2, 10.7 and 6.3]


How Programs Measure Their Effectiveness Makes a Difference

Most programs measure completion rates, test results, and employee feedback; without more, they hover around average PEI scores. However, programs not tracking employee feedback seem to underperform (PEI score .67). Excellent programs also track employee behaviors (PEI .73) and organizational impact (PEI .75).

[Figure: PEI vs. effectiveness measures, yes vs. no, for Employee feedback (yes .73, no .67), Employee behaviors (yes .73, no .69) and Organizational Impact (yes .75, no .69)]


What Else Matters?

PEI scores are higher, on average, for those programs which include a relatively broader range than other programs of:

- Training goals
- Risk inputs
- Communication channels


Starting with Defense then Focusing on Offense in 2013

KEY INSIGHTS

Playing Defense
- The top 2013 priority (69%) is meeting all regulatory requirements for effective E&C programs.
- A 3-year increasing trend indicates the growing importance of improving risk management capabilities.

Playing Offense
- Four of the top five E&C program goals strive for a more sustained impact on culture.


Data Privacy is the Most Critical Ethics & Compliance Risk

KEY INSIGHTS
- 74% of E&C leaders indicate that Data Privacy is the most critical E&C risk.
- 41% of E&C leaders indicate Social Media as a top risk, a year-to-year increase in importance starting in 2010.
- The top 2012 E&C risks were: Conflicts of Interest (67%), Bribery and Corruption (65%), Gifts and Entertainment (65%), Data Privacy (63%), Data Protection (62%).


Understanding Our Risk Blind Spots

KEY INSIGHTS
- Looking in the rearview mirror: most E&C leaders seem to rely mostly on backward looking data in their risk analysis.
- Only a minority of respondents considers the dynamic nature of business and connects directly with relevant populations, such as local management, suppliers and customers, to learn about emerging risks.


Losing Your Audience

KEY INSIGHTS
- E&C leaders continue to struggle with making education applicable to daily work and with online education fatigue, similar to challenges from the previous two years.
- Only 4% of E&C leaders believe that their education programs have a high impact on employee behaviors.
- Moreover, on average they have a very small window to affect employee awareness, as 46% of companies only deliver 2-3 hours of online E&C education per year.


Reinforce, Remind and Frame

KEY INSIGHTS
- The Intranet continues to be the top channel.
- Web-enabled Codes are replacing the static version (e.g., PDF) with celerity, in use by only 7% of respondents in 2010, 22% in 2011, and 33% last year.
- One out of 10 E&C leaders used social media as a communication medium in 2012, compared to just 6% the year before and almost no one in 2010.
- Also dramatically on the upswing is the use of team meetings, a tool used by 38% of respondents in 2010, 46% in 2011, and 54% last year.


Boeing Ethics Advisors Career Description

Ethics Advisors
Ethics Advisors are Boeing employees who serve as independent counselors. They have access to top management and are well versed in Boeing values and the Boeing Ethical Business Conduct policy and related procedures. They are responsible for advising Boeing employees on matters of ethical concern and for helping them to resolve ethical dilemmas. Names and telephone numbers of Ethics Advisors are listed on the internal Boeing Web.

Ethics Advisor 3
Security Clearance Required? No Security Clearance Required

Position Description
Takes a proactive approach in coaching and educating business partners to ensure all ethics sponsored initiatives and strategies are implemented within the business. Drives individual responsibility and accountability for ethical decision making to mitigate business risks through the use and promotion of ethical decision making models, processes and tools. Identifies issues arising within the local business and assists in developing valued processes and procedures applicable for conducting business in their location. Manages the application of company ethics and business conduct policy to reported issues. Determines the ethics component, researches and interprets applicable company policies or values and identifies established precedents and international issues, if applicable. Provides advice and counsel for appropriate solutions to the concerned parties. Initiates and coordinates investigations, as required, by identifying the appropriate investigative agency (e.g., Audit, Human Resources, Legal, Management, Security, etc.). Monitors progress and provides status and feedback to concerned parties. Coordinates with appropriate organization(s) to determine corrective action, if warranted. Documents all reported inquiries, conflict of interest (COI) determinations and formal cases in the ethics database in accordance with established protocol. Maintains objectivity and professional distance. Uses a variety of multimedia resources to teach, coach and share information about ethics and business conduct guidelines internally. Confronts and addresses difficult issues with appropriate levels of management for remedial action. Provides advice, counsel and interpretation of ethics and business conduct guidelines in order to promote an ethical culture. Influences leadership to take ownership for integrating ethics into their organization while leading by example.

Researches best practices in ethics and recommends incorporating them into company operations. Develops an internal and external learning network with subject matter experts to enhance ethics programs and initiatives. Develops and presents ethics metrics to assist business unit leaders in managing the business. Assists in analyzing trend data and conducting root-cause analysis to identify areas of risk. Participates in the development of ethics training programs and materials that are effective in domestic and international business environments. Benchmarks effective training programs for the development of world class programs. Coordinates and delivers training as appropriate.

Competencies

General

Adaptability: Understands changes in own and others' work and situations; may be asked to explain the logic or basis for change to less experienced employees; actively seeks information about changes affecting own and fellow employees' jobs. Treats changes and new situations as opportunities for learning or growth; focuses on the beneficial aspects of change; speaks positively about the change to fellow interorganizational employees and occasionally to external customers. Quickly modifies behavior to deal effectively with changes in the work environment; readily tries new approaches appropriate for new or changed situations; does not persist with ineffective behaviors.

Building Trust: Demonstrates honesty; keeps commitments; behaves in a consistent manner. Shares thoughts, feelings, and rationale so that fellow work group members, other internal employees and customers understand personal positions. Listens to others and objectively considers others' ideas and opinions, even when they conflict with one's own. Treats people with dignity, respect, and fairness; gives proper credit to others; stands up for deserving others and their ideas even in the face of resistance or challenge.

Communication: Clarifies purpose and importance; stresses major points; follows a logical sequence. Keeps the audience engaged through use of techniques such as analogies, illustrations, humor, an appealing style, body language, and voice inflection. Frames the message in line with audience experience, background, and expectations; uses terms, examples, and analogies that are meaningful to the audience. Seeks input from the audience; checks understanding; presents the message in different ways to enhance understanding. Uses syntax, pace, volume, diction, and mechanics appropriate to the media being used. Accurately interprets messages from others and responds appropriately.

Customer Focus: Makes customers and their needs a primary focus of one's actions; develops and sustains productive customer relationships; uses information to understand customers' circumstances, problems, expectations, and needs; periodically becomes involved in sharing information with customers to build their understanding of issues and capabilities; considers how actions or plans will affect customers; responds quickly to meet customer needs and resolve problems; assists higher graded employees and/or project team leaders in implementing ways to monitor and evaluate customer concerns, issues, and satisfaction and to anticipate customer needs.

Technical

Analytical Skills: Skill and ability to collect, organize, synthesize, and analyze data; summarize findings; develop conclusions and recommendations from appropriate data sources at the department level.

Basic Qualifications for Consideration
Do you have experience bringing recommendations forward to senior management? Do you have investigative interviewing experience?

Typical Education/Experience
Bachelor's degree and typically 6 or more years' related work experience, a Master's degree and typically 4 or more years' related work experience, or an equivalent combination of education and experience.

Other Job Related Information
Certified Compliance and Ethics Professional (CCEP) preferred.

UNDERSTANDING THE FOREIGN CORRUPT PRACTICES ACT


INTRODUCTION
The United States has long frowned on the use of bribery to obtain international business. Aside from the fact that bribery is generally considered immoral, U.S. policy against international bribery is based on a belief that it undermines fair competition and tends to frustrate international commerce and development. Before 1977, the United States Department of Justice (DOJ) attempted to combat international bribery by enforcing laws such as the federal mail and wire fraud statutes, false claims statutes, and currency control laws. Although these laws touched on activities related to foreign bribery, they were not specifically designed to address the problem.

In the late 1970s, following the Watergate scandal, the Securities and Exchange Commission (SEC) learned that an increasing number of U.S. companies maintained "slush funds" used to bribe foreign officials. As a result, Congress passed the Foreign Corrupt Practices Act (FCPA), which has two primary parts: (1) antibribery provisions, and (2) accounting provisions that support the antibribery provisions by making it illegal to obscure improper payments. The FCPA became effective December 19, 1977.

From the outset, compliance with the FCPA presented two distinct challenges for U.S. companies. First, the FCPA is complex and sometimes ambiguous. In response, Congress amended the FCPA in 1988 to make the law clearer, although not all gray areas were eliminated. The second challenge has taken longer to address. As originally enacted, the FCPA placed U.S. companies at a competitive disadvantage with respect to some of their foreign competitors. This is because the law governed the conduct of U.S. companies and individuals, but for the most part did not cover foreign companies and individuals. Most foreign countries did not have laws against foreign bribery, even if they had laws prohibiting bribes at home. To make matters worse, certain countries seemed to encourage foreign bribes by making them tax deductible.

For many years, the United States attempted to persuade its allies to enact legislation similar to the FCPA. In December 1997, the Organization for Economic Cooperation and Development (OECD), which includes 29 of the world's largest industrialized countries, agreed to a treaty outlawing the bribery of foreign government officials. In essence, the OECD treaty requires member countries to enact antibribery laws similar to the FCPA. On November 10, 1998, Congress enacted the International Anti-Bribery and Fair Competition Act, amending the FCPA to implement the OECD treaty and to broaden the reach of the law. The FCPA now prohibits foreign bribery by companies and individuals previously covered by the act even if all the bribery-related activity takes place outside the United States. The old requirement that there be use of the mails or some other form of interstate commerce (like telephones or wire transfers) has been abolished. The FCPA now also applies to the acts of foreign companies and individuals if any of their acts in furtherance of foreign bribery take place in the United States or use a form of interstate commerce.

The penalties for violating the FCPA are severe, and the importance of complying with the FCPA is correspondingly great. For each violation, a company can be fined up to $2,000,000 or twice the gross gain from the violation, whichever is greater. An individual can be fined up to $250,000 or twice the gross gain from the violation, whichever is greater, and imprisoned for up to five years. An individual's company may not directly or indirectly pay or reimburse the individual's fine.

This Handbook focuses primarily on the antibribery provisions of the FCPA, as amended by the International Anti-Bribery and Fair Competition Act, although we will also address the accounting provisions briefly. This Handbook gives special attention to the issues surrounding the use of foreign sales representatives. You should note that the FCPA is complex and involves a number of complicated issues that cannot be fully addressed in a brief treatment of this kind. This Handbook provides only a general overview of some of the basic concepts of the Foreign Corrupt Practices Act. It is not intended to provide advice or guidance regarding how you should act in a particular situation involving potential corrupt practices issues. You should always consult your company's law department with respect to any such situation.

You should also be aware that many foreign countries have their own laws prohibiting bribery of government officials and other corrupt practices. Therefore, even if the FCPA does not apply to a particular transaction, foreign law may prohibit it. Consult your company's law department and policies if you have any questions regarding the applicability or effect of such laws. In addition, many companies have their own policies regarding dealings with foreign officials that are even stricter than the law. You should be sure to read and comply with any such policies put in place by your company.

THE FCPA ANTIBRIBERY PROVISIONS

I. What Does The FCPA Prohibit?

The FCPA makes it illegal to bribe a foreign government official or political party to gain a business advantage. This prohibition applies not only to corrupt payments made to obtain or retain business, but to payments made to secure any improper business advantage from a foreign government official.

A. Corrupt payments or offers

For purposes of the FCPA, to make or offer to make a payment "corruptly" means that the offer, payment, promise, or gift is intended to induce the person who receives it to misuse his official position to wrongfully benefit the payer or his client or employer, for example by directing business to them. A payment can be corrupt even if it is intended to induce the person who receives it to make a sound business decision. An offer or payment is corrupt under the FCPA if it is intended to influence an official's act or decision in order to secure any improper advantage, including payments to induce an official to do something he should not do or to induce an official not to do something he should do.

Example 1: A company pays money to a foreign procurement official so the official will award the company a contract. This is a corrupt payment within the meaning of the FCPA because it is intended to influence the official to do something in order to direct business to the company wrongfully.

Example 2: A company has a one-year contract for aircraft spare parts with a foreign procuring agency. The company pays money to a foreign procurement official to induce the official not to solicit bids for the next year, as required by the country's procurement regulations. If bids are not solicited on time, the company will receive orders beyond the period called for under the existing contract. This is a corrupt payment within the meaning of the FCPA because it is intended to direct business to the company wrongfully by influencing the official not to do something he should do.

Example 3: A company is in the third year of a five-year contract to supply aircraft maintenance services. The contract is going well and the company is confident that the customer is satisfied. The company invites the head of the foreign procurement agency and his family to use the company CEO's timeshare in Aspen for a one-week vacation, at no cost. The CEO understands that in two years the maintenance services contract will be rebid. The head of the procurement agency will not personally conduct the competition but will act as the immediate supervisor of the procurement official who will conduct the competition. This is probably a corrupt payment within the meaning of the FCPA. Although it is not clear that the gift was offered in order to induce a foreign official to do (or not to do) something specific, it appears that the gift was offered to secure an improper advantage in connection with the award of future business.

Example 4: Global Corporation produces spare parts for its contract with a foreign government at a manufacturing plant in a foreign country. Under the local law, Global is entitled to a 20% tax rebate on certain products produced for export. Global believes the total amount currently owed by the government is $2 million. Global has filed the required application with the foreign government tax authority but nothing is happening. A local official promises to get this taken care of if Global will give him a 10% "facilitation" commission. If Global were to pay the local official, it would be making a "corrupt" payment under the FCPA. Under the FCPA, a payment that is intended to secure business or any other improper advantage is a "corrupt" payment. Even though Global has a legal right to the tax rebate, it still has to follow proper legal procedures.

Corrupt payments and offers include a variety of things in addition to what we might ordinarily think of as a "payment." Here are just a few examples of conduct that can get companies into trouble under the FCPA:

- A payment or offer to pay money
- Providing or offering to provide gifts of any value
- Providing or offering entertainment beyond what would ordinarily be provided to a customer
- Providing or offering personal discounts on products or services not available to the public generally
- Providing or offering company stock
- Providing or offering employment or consulting positions
- Providing payments for bogus "services"
- Providing free access to company or company-employee property when such access is not normally provided for free (for example, the company president's vacation home)
- Making charitable contributions at the request or on behalf of a government official
- Paying foreign officials to obtain construction permits and other similar regulatory approvals
- Paying foreign officials to change business regulations or to expedite payment of a tax rebate, even when there is a legal right to the rebate

B. To foreign officials and foreign political parties


The FCPA prohibits payments or offers to a foreign official or foreign political party in order to obtain or retain business or to secure any other improper business advantage. The term "foreign official" includes any officer or employee of a foreign government, department, or agency; a government-owned entity; or a public international organization such as NATO. It also includes any other person acting on behalf of such an entity. Examples might include a procurement officer who works for a foreign defense ministry or a doctor who evaluates medical equipment for a foreign health ministry or government-owned hospital.

Example 5: A company seeking a contract to sell jet fuel to NATO pays money to the NATO procurement official who will make the award decision. The NATO procurement official is a U.S. citizen. Because NATO is a public international organization within the meaning of the FCPA and the procurement official is a NATO employee, the procurement official is a "foreign official" within the meaning of the FCPA, notwithstanding her U.S. citizenship.

The FCPA prohibits corrupt payments to foreign political parties, foreign political party officials, and candidates for foreign political office. Thus, a payment for an improper purpose made to a private foreign citizen running for foreign political office would violate the FCPA.

Example 6: A company seeks a contract to sell aircraft parts to a foreign private aircraft manufacturer. The company considers making a payment to the CEO of the foreign manufacturer, who is also, as it happens, running for mayor of the foreign city in which he lives. Such a payment could violate the FCPA.

C. Payments and offers made directly or indirectly


The FCPA prohibits corrupt payments whether they are made directly or indirectly. The basic principle is that a U.S. company cannot avoid the FCPA's antibribery prohibitions simply because it did not directly make an improper payment. Indirect payments are payments made through another person acting on behalf of the company - for example, a foreign affiliate, sales agent, or joint venture partner. This is a particular concern when a company works through a foreign sales representative, but the prohibition applies to any individual or entity acting on the company's behalf. The FCPA's antibribery provisions are not limited to bribes that a company knows will be made, but are an issue any time a company has good reason to suspect that a bribe may occur. You as an individual, as well as your company, can be held responsible for an agent's bribes - even if the agent, as a foreign national, is not covered by the law or has ignored your company's explicit instructions.

Example 7: A company retains a sales representative to market its products in a country that is known to have a corrupt business climate. The company typically pays its sales representatives commissions of five percent for the products being sold, but the company agrees to pay this sales representative a commission of ten percent. Company employees are aware that the sales representative intends to pay a foreign government employee, who works in the acquisition office and is responsible for purchasing the products, cash amounts equal to approximately one-half of the total commissions. The company is then awarded a contract to sell its products to the foreign government. Despite the fact that the only payments actually made by the company are made to the sales representative, this situation likely violates the FCPA's ban on "indirect" bribes. The FCPA requires that companies take special steps to ensure that their foreign sales representatives do not do anything that the company itself cannot do directly.

D. Actual knowledge of payment of a bribe is not required


A person can be liable for violating the FCPA not only if he actually knows what is going on, but also if the person has a firm belief that a particular circumstance exists or that a particular result is substantially likely to occur. It is enough for liability under the FCPA if a person is aware of a high probability that money will be used to bribe a foreign official, yet disregards it. An individual or a company can violate the FCPA even without knowing for sure that a bribe has actually been offered or paid. This concept has been defined in different ways, such as conscious disregard, willful blindness, and deliberate ignorance. However the standard is worded, it is not safe for a person who becomes aware of suspicious circumstances to "keep his head in the sand."

Example 8: A company retains a sales representative to market its products to a country that is known to have a corrupt business climate. The industry is also one that is known to have a history of corruption. Although the company typically pays its sales representatives commissions of five percent for these particular products, the company agrees to pay this sales representative a commission of ten percent. The company pays the higher commission rate based on the representative's claims that the foreign country's market is difficult to break into, therefore warranting higher commissions. Although no company employee is actually aware of it, the sales representative pays a foreign government employee, who works in the acquisition office and is responsible for purchasing the products, cash amounts equal to approximately one-half of the total commissions. The company is then awarded a contract to sell its products to the foreign government. Assuming the sales representative is a person covered by the FCPA, clearly the sales representative has violated the law. Also, the company can be prosecuted under the FCPA even if it has no actual knowledge that the foreign sales representative will pay a bribe. These facts are enough to have put the company on notice that corrupt payments might be made and that appropriate precautions should be taken.

In short, it is important that you be sensitive to suspicious situations. "I'd rather not know the details" is not an appropriate response under the FCPA.

E. A payment may be anything of value


The FCPA prohibits payments and offers to pay not only money, but anything of value.

Example 9: A company retains a sales representative to market its products to a country that is known to have a corrupt business climate. The industry is also one that is known to have a history of corruption. The company agrees to give the sales representative an expense account twice as large as the company typically gives sales representatives for this product. The company agrees to the larger expense account based on the representative's claims that the foreign country's market is difficult to break into, therefore requiring greater upfront expenditures. The sales representative arranges for the foreign official who is responsible for procurement to spend a holiday weekend with his family at a fancy island resort. The sales representative tells the procurement official that the company knows how to take care of its friends and that the weekend is a sample of what he can expect if the company is awarded the contract. The company is then awarded a contract to sell its products to the foreign government. The result here is no different than in the prior example. The vacation is a thing of value and covered by the FCPA just like a cash payment. There is no minimum value that an item must have to trigger a violation. Although it is unlikely that the provision of a truly nominal item, such as a baseball cap with the company's logo, would trigger an investigation, gifts of relatively low value may be unlawful, depending on the overall circumstances.

F. Employment of friends and relatives of government officials


Employment or the offer of employment to a foreign official or a foreign official's relative or friend is something of value. Even if the official, relative, or friend is otherwise qualified for the job, an offer of employment made in a context where a company is seeking business looks suspicious and could violate the FCPA. Although having some relationship to a foreign official is not necessarily disqualifying, it is a "red flag" (discussed later) and will always warrant a very close look at the facts. It is best to be cautious and seek the advice of legal counsel before hiring such a person, regardless of her qualifications.

Example 10: A U.S. company has bid on a contract to install tollbooths on a foreign highway system. The U.S. company's director of contracts learns from an employee of the foreign highway administration that the U.S. company is the low bidder and will receive the contract, but there is one wrinkle. The foreign administrator's son is very interested in a summer job with a U.S. company before starting college. The foreign administrator would appreciate any assistance that the U.S. company can provide - a job at the U.S. company would be perfect. The director of contracts checks into the possibilities and learns that there is no money in the budget for summer employees, but that an unpaid internship could be arranged. She contacts the foreign administrator directly and informs him of the availability of the internship. The U.S. company gets the contract. The U.S. company has made a "payment" under the FCPA by offering something of value to a foreign official in order to direct the award of business to the company. The FCPA applies to anything of value given to a foreign official. The gift does not have to involve money, but can be an in-kind benefit - for example, the internship opportunity here. However, determining whether this payment violates the FCPA is fact specific and can be very complex. Therefore, it is always a good idea to discuss activities involving foreign officials or their friends and families with the company's lawyer before engaging in them.

G. Employment of government officials as sales representatives


It is always risky to hire a foreign official to be a sales representative. Hiring such a person involves paying a foreign official to help secure business or other benefits for your company - which is exactly what the FCPA targets. In some rare cases, there may be a legitimate business reason for using a foreign official to advance a company's interests. If the official abuses or misuses her official authority, however, a violation of the FCPA almost always will be found.

Example 11: Global Corporation wants to sell its telephone systems to a foreign government and begins looking for a foreign sales representative. Global hears about Pierre, who works at the Ministry of Communications but is interested in working as a sales representative on the side. Global, believing that Pierre must have terrific connections, offers to use him as Global's sales representative while he is still working at the Ministry. Global is in danger of getting into trouble under the FCPA. Retaining a current foreign official like Pierre as a sales representative would be very risky. Global almost certainly would be held accountable if, during Pierre's remaining time in government, he used his official authority to make it easier for Global to get a contract (for example, by altering the project specifications to match Global's product better). In addition, offering to employ Pierre after he retired from the Ministry could also raise problems under the FCPA if the offer was made while he was still a Ministry employee. One exception to this rule has been recognized when written foreign law requires a vendor to hire a "consultant" who happens to be a foreign official. As a practical matter, the safest course is not to hire a current foreign official. The FCPA does not prohibit hiring a former foreign official. However, the FCPA does prohibit making a job offer to a current foreign official contingent upon his leaving his government position to accept the position with the company, if the offer is made to secure business. In any event, you should consult your company's law department before making such an offer to a government official.

H. DOJ And SEC Red Flags

The DOJ and the SEC have identified circumstances they regard as indicating possible FCPA violations, known as "red flags." These are discussed further below. Employees should be made familiar with these "red flags" so they can spot them when they arise.

II. Who Is Covered By The FCPA?


The FCPA antibribery provisions cover virtually everyone who could possibly be involved in foreign business dealings. In a particular situation, individuals, companies, or both may be liable. However, the rules for U.S. citizens, U.S. companies, and companies with securities registered with the SEC (SEC reporting companies) and their employees are slightly different from the rules for foreign companies and foreign individuals who are not connected to any U.S. company or with an SEC reporting company. The FCPA applies to the following categories of persons even if all the acts in question occur outside the United States and no form of interstate commerce is used:

- U.S. citizens, nationals, and residents;
- SEC reporting companies, their officers, directors, employees and agents, and stockholders acting on behalf of the company; and
- corporations, partnerships, and other businesses organized under the laws of the United States or having their principal place of business in the United States, as well as their officers, directors, employees and agents, and stockholders acting on behalf of the company.

Although foreign individuals and companies generally are not covered directly by the FCPA, there are some important points to keep in mind. First, the FCPA's accounting rules apply to foreign companies that are subject to SEC reporting requirements. Second, the FCPA applies to foreign individuals and companies if they act in the United States or use a form of commerce (for example, mail, telephone, and so forth) that puts them in U.S. commerce. Third, U.S. companies may be liable for violations by their foreign employees and agents.

Example 12: U.S. Corporation, headquartered in Chicago, has a wholly owned subsidiary, Eurocorp, based in Paris and incorporated under French law. Eurocorp's vice president for marketing is an American citizen living and working in Paris. To obtain business from a government in the Middle East, the vice president hires a sales representative who is a citizen and resident of the Middle Eastern country to serve as the company's sales representative. The sales representative subsequently bribes a local official to obtain a contract for U.S. Corporation. Nothing related to this transaction takes place in the United States, and U.S. Corporation learns nothing of what happened except that Eurocorp won an important contract. Because it is a French company, Eurocorp could not be prosecuted under the FCPA unless there was some activity in some way physically connected to the United States. However, Eurocorp might have a problem under French law or in the Middle Eastern country. (Although foreign law is not discussed in this handbook, keep in mind that conduct that does not violate the FCPA solely because all acts took place outside the United States may still violate applicable foreign law.) Also, if Eurocorp was separately listed on a U.S. stock exchange, this fact alone would be enough to make it subject to the FCPA's accounting rules. The vice president of marketing, as a U.S. citizen, carries the FCPA with her wherever she goes. She would therefore be subject to prosecution under the FCPA. It does not matter whether she is employed in the United States or abroad, or by a U.S. or foreign company. She might also have a problem under French law. U.S. Corporation may face prosecution as well. The FCPA restrictions apply to all "U.S. persons," which includes U.S. companies wherever located. A U.S. company can be prosecuted under the FCPA whether it acts in the United States or abroad, and whether the actions are taken by the company directly or through an affiliate or other agent. In this example, there is no evidence that U.S. Corporation had any involvement in the corrupt payment. Even so, it could be held responsible if the payments were made on its behalf. Finally, the foreign sales representative is not a U.S. national and, on these facts, does not appear to have had any other connection with the United States. Although U.S. Corporation, the vice president of marketing, and possibly Eurocorp could be held responsible under the FCPA for the sales representative's actions, U.S. law would not reach him directly. (Again, he could have a problem under the law in his home country or possibly France.)

III. What Payments Are Permitted By The FCPA?

A. Routine governmental action


The FCPA specifically exempts certain payments that are made to a foreign official or foreign political party in order to facilitate or expedite the performance of "routine governmental action." "Routine" has a very specific and narrow meaning in the FCPA. It refers to a limited category of activities such as clearing customs and securing police service where there is a legal right and no real discretion on the part of the foreign official. The purpose of the "facilitation" payment is basically to move a set ministerial process along. If the action sought from a foreign official involves the exercise of any discretion, it is not routine governmental action for purposes of this exemption. You also need to understand that "routine" refers to the governmental action sought, not whether paying a bribe or "facilitating" payment is common. Facilitating payments that are commonly made but involve discretionary action are not covered by this exemption. These so-called "grease" payments are permitted for routine governmental actions such as the following:

- obtaining permits, licenses, or other official documents to qualify a person to do business in a foreign country;
- processing governmental papers such as visas and work orders;
- providing police protection, mail pickup and delivery, or scheduling inspections associated with contract performance or inspections related to transit of goods across country; or
- providing phone service, power and water supply, loading and unloading cargo, or protecting perishable products or commodities from deterioration.

Example 13: A U.S. company retains a sales representative to market its products to a foreign country and to provide sales support. The sales representative informs the company that it must pay a processing fee of $200 along with its response to the government's request for quotations. The fee is payable to the government's procurement office and would be tendered to a clerical employee who is responsible for receiving the vendor quotes. The company is planning to submit a $5-million quote. As long as payment of the processing fee is in fact a routine requirement for submitting quotes of this nature, such a payment would likely not violate the FCPA. The relatively modest amount of the fee and the fact that it is tendered to a clerical employee and given to an agency rather than an individual tend to indicate that it is in fact a routine requirement. However, the company should satisfy itself that this is the case. If there are any doubts whatsoever, the company should obtain advice from legal counsel.

Example 14: Same facts as in Example 13, except that the processing fee is $20,000 and the quote is $1 million. When the company asks the sales representative who will receive the payment and to provide the rules or regulations that supposedly require the payment, the sales representative says, "Don't worry about that, just send me the money and I will take care of it." This is far more problematic. The amount of the payment and the representative's inability or unwillingness to provide specific information to show its legitimacy suggest that the "routine governmental action" exemption would not apply and that a payment might well violate the FCPA. A sales representative's characterization of a payment as a "processing fee" will not protect a company if the circumstances suggest that the requested payment is really something else.

Example 15: A company has a contract to supply the government of a foreign country with all of its requirements for computer workstations for the current year. The government holds an option to extend the contract for an additional year. The government contracting officer who signed the contract advises the company that he is planning to exercise the option for the additional year rather than solicit new bids, but that he needs the company to pay an "option fee" of $10,000 in order for him to do so. The contract does not say anything about "option fees," but the company believes that the $10,000 fee is a "drop in the bucket" compared to the profits it could make during the additional year. The company is relieved and somewhat surprised that the government decides to exercise the option, since computer prices have dropped and the government could probably save money by putting a new contract out for bid. The company should not be relieved, but rather should be concerned that the payment would violate the FCPA. There are several reasons why the payment would probably not fall within the "routine governmental action" exemption. First, payment is being solicited by a foreign government official who has discretion to determine whether, or on what terms, the government will continue to do business with the company. This factor alone negates the routine governmental action exemption. Second, there does not appear to be any indication that the "option fee" is a routinely required payment. Third, although the amount is relatively small in comparison to the revenues that the company can earn if the option is exercised, the amount is not insignificant. Finally, the totality of the circumstances clearly suggests that the payment would be a bribe. The contracting officer is requesting a payment to do something that does not seem to make good business sense for his employer. Why would the contracting officer not wish to solicit new bids or at least negotiate lower prices than are contained in the option, if market prices have dropped significantly? Although this last factor would strengthen a prosecutor's FCPA case against the company, it would not be necessary for a finding of FCPA liability. Even if a business decision otherwise seems to make sense for all parties, the payment of something of value to a foreign official who has the discretion to direct business to a company, as a condition for the official doing so, violates the FCPA.

B. Payments expressly permitted by foreign law


A payment to a foreign official that might otherwise violate the FCPA will not be a violation if the payment is lawful under the written laws of the foreign official's country. This requirement is rarely satisfied. First, most countries have laws that prohibit bribery of government officials, even if those laws have not always been rigorously enforced. Second, the country's laws or regulations must affirmatively permit, in writing, the type of payment in question. The absence of written laws expressly prohibiting the payment is not enough. It is also not enough to get a legal opinion from a local lawyer in the country. Although U.S. enforcement authorities would look at the opinion, they would decide for themselves whether a payment is in fact expressly authorized by the foreign law.

Example 16: A company plans to sell products to the government of a foreign country. That country has a written statute requiring sellers of products to the government to pay an assessment of one percent of total sales to the local government procurement office within 30 days after the sales contract is signed. The company pays the assessment. The payment in all likelihood is covered by the FCPA's "written law" exception because it is lawful and, in fact, required under applicable written foreign law. However, this kind of situation is extremely rare.

Example 17: A company plans to sell products to the government of a foreign country. A foreign government procurement official requests the company to pay an assessment of one percent of total sales. No written foreign law addresses such assessments. Such a payment would be very risky. The payment is not exempt under the foreign law exemption because it is not expressly permitted by the country's laws or regulations, and the absence of a prohibition against such payments is not enough. It is possible that the payment may fall within the "routine governmental action" exemption discussed above, but more facts would be needed to determine this. No payments should be made or agreed to in these circumstances without the advice of legal counsel.

Example 18: A company plans to do business for the first time in a third-world country that is developing a free-market economy after years of Communist rule. The country has no written laws prohibiting bribery of its government officials, and it is well known that it is difficult to conduct business in the country without providing "favors" to government officials. The company pays a 20% commission to its sales representative to obtain a $10-million sale, which is a substantially higher rate than the company has paid sales representatives to market the same product to other international customers. Although these facts alone may not establish a violation of the FCPA, the company is certainly in danger of having violated the statute. The fact that the foreign country has no written laws prohibiting bribery will not be enough to ensure that the company has not violated the FCPA. In fact, the lack of a written foreign antibribery statute in the context of a business culture of corruption should alert the company to be especially careful to avoid improper payments.

C. Certain reasonable expenditures


Certain reasonable expenditures are also exempt under the FCPA. These include reasonable travel or lodging expenses, incurred by or on behalf of a foreign official and directly related to:

- the promotion, demonstration, or explanation of products or services, or
- the execution or performance of a contract with a foreign government.

Example 19: A company has previously sold automobiles to a foreign government's defense department. The company knows that the customer was not fully satisfied with the reliability of the automobiles. However, the company has recently improved its quality control and believes that it can retain the customer by demonstrating these new procedures to it. The company convinces the customer to visit its U.S. plant, pays for the customer's airfare and hotel, and treats the customer to dinner at a nice restaurant after the plant tour. The customer's airfare, hotel, and dinner appear to be "reasonable expenditures" by the company in connection with the in-plant demonstration of the company's product. The facts do not seem likely to give rise to a violation of the FCPA. However, reliance upon FCPA exemptions when making any payments to or on behalf of foreign officials is a very tricky area -- even slight factual variations can make all the difference in determining whether a violation has occurred. For this reason, it is important to obtain legal advice before making such payments.

Example 20: Same facts as Example 19, except the company invites the customer to bring his spouse on the trip and pays for the spouse's airfare and hotel. Following the plant tour, the couple spends a long weekend in the United States at a resort, paid for by the company. In this situation, it is not at all clear that these are reasonable expenditures exempt from the FCPA. The expenses for the spouse and the resort do not appear to be directly related to demonstration of the company's product. If the payments are not exempt, there may be a violation of the FCPA. Advice of legal counsel is important before making such payments to determine whether they are lawful.

Example 21: Same facts as in Example 19. Two months after the visit, the company wins the contract for the next fiscal year's requirements. The company was the second-low bidder. Its competitor, another U.S. automobile manufacturer, was the low bidder. The circumstances surrounding the contract award increase the likelihood that an enforcement official would view the trip reimbursement as a violation of the FCPA. It should be noted that DOJ is more likely to prosecute possible FCPA violations when it believes that the violation may have directly prejudiced another U.S. company, as in this situation. However, there still may be a violation of the FCPA even without commercial harm to another U.S. company.

IV. Penalties For Violating The Antibribery Provisions


The penalties for violation of the FCPA antibribery provisions are severe. For each violation, a company can be forced to pay a criminal fine of up to $2,000,000 or twice the gross gain from the violation, whichever is greater. An individual can be fined up to $250,000 or twice the gross gain from the violation, whichever is greater, and imprisoned for up to five years. The court can also impose a civil penalty of up to $10,000 per violation. The FCPA expressly provides that when an individual is fined for violating the FCPA antibribery provisions, the company with which the individual is affiliated as an officer, director, employee, agent, or stockholder may not pay the fine on behalf of the individual -- or reimburse the individual for the fine -- directly or indirectly. This rule is designed to provide leverage to prosecutors who conduct FCPA investigations against companies suspected of violating the act. DOJ believes that company employees are more likely to cooperate with prosecutors if they personally have more at stake and therefore have more reason to seek immunity from prosecution.

THE FCPA ACCOUNTING PROVISIONS


In addition to the explicit antibribery provisions, the FCPA includes accounting provisions that apply to all SEC reporting companies. The accounting provisions apply independently of the antibribery provisions. In fact, they do not even mention bribes or foreign payments. However, the accounting provisions supplement the antibribery provisions to ensure that any bribes or other improper payments are not concealed in the company's books. There are substantial criminal and civil fines for violating the FCPA accounting provisions. The FCPA does not require that a company use any particular accounting system or controls. However, the FCPA does require public companies to maintain accurate books and records that fairly reflect transactions in reasonable detail and to maintain an adequate system of internal accounting controls sufficient to ensure that financial statements are prepared in conformity with generally accepted accounting principles. Specifically, the FCPA requires public companies to:

- make and keep books, records, and accounts that accurately reflect the company's transactions and disposition of assets, and
- maintain accounting controls to ensure that:
  - transactions are executed in accordance with management's authorization;
  - transactions are properly recorded;
  - access to assets is permitted only in accordance with management's authorization; and
  - accounting records are checked against existing assets at reasonable intervals, and appropriate action is taken to resolve any discrepancies.

One significant purpose of the FCPA accounting provisions is to make it extremely difficult to "get away" with foreign bribery by concealing questionable transactions in the company books. In fact, the FCPA accounting provisions make it virtually impossible for a company covered by the provisions to do so lawfully. These cases also are much easier for enforcement authorities to prosecute. The FCPA accounting provisions not only require SEC reporting companies to maintain accurate books and adequate controls, but also to ensure that their U.S. and foreign subsidiaries do so as well. This rule applies whenever the SEC reporting company owns more than 50% of another company. If the SEC reporting company owns a minority interest in another company, the SEC reporting company is required to make a good-faith effort to ensure that the company complies with the FCPA accounting provisions.

Example 22: U.S. Corporation, headquartered in Chicago, has a wholly owned subsidiary, Eurocorp, based in Paris and incorporated under French law. Eurocorp's vice president of marketing is an American citizen living and working in Paris. To obtain business from a government in the Middle East, she hires a foreign sales representative who is a citizen and resident of the Middle Eastern country. The sales representative subsequently bribes a local official to obtain a contract for U.S. Corporation. The vice president of marketing learns about the payment after it happens and that the foreign sales representative made the payment from his commission fee for making the sale. Eurocorp records list the payment to the foreign sales representative as a commission, with no reference to the bribe payment. The FCPA requires U.S. Corporation to maintain accurate accounting records and also to make sure that Eurocorp maintains accurate accounting records. Because Eurocorp has deliberately falsified its books, it has caused U.S. Corporation to violate the FCPA accounting provisions, even though U.S. Corporation has not violated the antibribery provisions. If the inaccuracy in Eurocorp's books caused U.S. Corporation's own accounting records to be inaccurate, this would be a separate basis for concluding that U.S. Corporation violated the FCPA accounting provisions.

U.S. DEPARTMENT OF JUSTICE BUSINESS REVIEW PROCEDURE


According to the DOJ, to avoid being found liable for a violation of the FCPA, companies are encouraged to exercise "due diligence" and to take all necessary precautions to ensure that they have formed a business relationship with reputable and qualified partners and representatives. The DOJ generally expects such due diligence to include, at a minimum, investigating potential foreign representatives and joint venture partners to determine if they are in fact qualified for the position; whether they have professional or personal ties to the government; the number and reputation of their clientele; and their reputation with the U.S. Embassy or Consulate and with local bankers, clients, and other business associates. The DOJ recommends that companies seek the advice of counsel and consider utilizing the DOJ business review procedure just described if there is any doubt regarding whether a particular transaction might violate the FCPA.

The DOJ has established a procedure for pre-transaction business reviews addressing FCPA compliance. Although in most situations it will be appropriate and sufficient for a company planning a particular transaction to resolve any FCPA issues by consulting with in-house or outside legal counsel, DOJ business reviews can be helpful in ensuring compliance with the FCPA. The review procedure permits companies to obtain an opinion from the attorney general -- in advance -- as to whether certain actions, if taken, will comply with or violate the FCPA. The opinion procedure is limited to proposed conduct; the DOJ will not review purely hypothetical or incidental inquiries. Under this procedure, a company covered by the FCPA may submit the details of a proposed transaction to the DOJ. Within 30 days of receiving a request, the DOJ sends the party an opinion letter stating whether or not the specified conduct violates the FCPA under its present enforcement policy.

Absent a perceived FCPA violation, the DOJ will indicate that no enforcement action is intended. If the DOJ later brings an action against a party based on conduct alleged to violate the FCPA, and the party has an opinion letter from DOJ stating that the action would not violate the FCPA, the party will not be liable, unless the actual facts of the transaction differ from what was stated to the DOJ. (The opinion letter does not bind or obligate another agency, or create rights for parties other than those who submitted the request.) Any opinion as to DOJ's likely enforcement conduct is limited to the specific facts presented. Therefore, it is critical that the conduct in question be fully disclosed to DOJ in the opinion request. Although no precise form or language is required in a DOJ opinion request letter, the letter must meet certain requirements:

- The request must be in writing.
- The request must be signed by a senior officer who has operational responsibility for the proposed conduct and who has been designated by the chief executive officer to sign the opinion request.
- The officer who signs the request must certify that the request contains a timely, correct, and complete disclosure regarding the proposed conduct.
- The request must contain "all relevant and material information bearing on the conduct for which review is requested and on the circumstances of the proposed conduct."


The last requirement is absolutely crucial. The requesting party may rely upon a written FCPA opinion letter only to the extent that the disclosure in the request letter was complete and accurate. Even if the disclosure was complete and accurate when made, the requesting party will not be able to rely on a DOJ opinion if the facts change.

Example 23: A U.S. company wishes to sell night-vision goggles to the army of a foreign country. That country's procurement regulations require successful bidders to pay the head of the procurement office a "vendor fee" of two percent of the contract amount upon contract award. The U.S. company plans to submit a bid for $3 million and wants to ensure that it can lawfully pay the $60,000 fee if it gets the award. At the suggestion of its counsel, the company requests a DOJ business review opinion to make sure that the "foreign written law" exemption applies. The company sends a properly signed and certified opinion request letter to DOJ, which explains all these facts and includes a copy of the foreign country's regulation. The company receives a DOJ opinion letter stating that under current enforcement standards, no enforcement action is intended.

Three months later, the U.S. company wins the contract. When reviewing the award package containing the full contract document, the U.S. company's contract administrator notices that in the index of applicable regulations, the entry for "Vendor Fee Requirements" has been crossed out, and the notation "REPEALED" has been stamped next to where it appeared. The contract administrator then gets a call from the chief procurement officer of the foreign country's army, who explains that the regulation was indeed repealed one week before the contract award. However, the army official requests that the U.S. company pay him $60,000, notwithstanding the change in regulations. The U.S. company, having already budgeted the $60,000, makes the payment.

When the DOJ begins an enforcement investigation, the U.S. company's attempt to use the DOJ letter to prove that the transaction complied with the FCPA will be rejected, because the actual transaction turned out to be different from what was represented in the opinion request letter. Even though the request letter was completely accurate when provided to the DOJ, the U.S. company could no longer rely on the DOJ opinion because the foreign army's vendor fee regulation changed.

DOJ opinion requests are considered exempt from disclosure under the Freedom of Information Act. However, DOJ does publish redacted versions of its responses.

COMPLIANCE WITH THE FCPA


According to the DOJ, to avoid being found liable for a violation of the FCPA, companies are encouraged to exercise "due diligence" and to take all necessary precautions to ensure that they have formed a business relationship with reputable and qualified partners and representatives. The DOJ has suggested that such due diligence may include investigating potential foreign representatives and joint venture partners to determine if they are in fact qualified for the position, whether they have professional or personal ties to the government, the number and reputation of their clientele, and their reputation with the U.S. Embassy or Consulate and with local bankers, clients and other business associates. The DOJ recommends that companies seek the advice of counsel and consider utilizing the DOJ Business Review Procedure described above if there is any doubt regarding whether a particular transaction might violate the FCPA.

I. DOJ and SEC Red Flags

The DOJ has chief enforcement responsibility for the antibribery provisions of the FCPA, while the SEC has chief enforcement responsibility for the accounting provisions. These agencies have identified circumstances they regard as indicating possible FCPA violations. Some of the circumstances are very general and do not in themselves mean that a violation has occurred or will occur, but that special precautions should be taken:

- The company is selling to a country known to have had widespread corruption.
- The industry is known to have a history of corruption.
- The company has recently been audited for improper payments.

Other circumstances more obviously signal a problem that, if not investigated, could lead a prosecutor to conclude that a company is willfully disregarding signs of bribery:

- The sales representative refuses to sign a written agreement promising to comply with the FCPA.
- The sales representative has family or business ties with government officials.
- The sales representative has a bad reputation or is new to the business so that his reputation cannot be verified.
- The sales representative asks that his identity not be disclosed.
- The potential foreign customer recommends the sales representative.
- The sales representative lacks the facilities and/or staff necessary to perform the required marketing activities.
- The sales representative makes odd or irregular requests, such as alteration of invoices, over-invoicing, checks to be made out to "cash" or "bearer," payments to be made in cash, unusually large credit lines or advance payments, and so forth.
- The sales representative requests payment of a commission that seems too high for the particular product and country.
- The sales representative requests payment through convoluted means or in a third country that has no apparent legitimate connection with the transaction.

Example 24: U.S. Corporation is interested in selling police bikes in a foreign country where bribery is known to be prevalent and where it has not previously conducted business. U.S. Corporation interviews prospective in-country sales representatives. In negotiations with a prospective Sales Rep who claims to have excellent contacts with the chief of police, U.S. Corporation informs Rep that he will need to agree to a provision that requires him to comply with the FCPA. Rep initially states that he is unwilling to agree to such a provision, because the FCPA is an American law that does not cover foreign citizens. U.S. Corporation responds that the law was amended in 1998 and does apply to foreign citizens. Rep says that he will agree to the provision, but he still thinks that it does not apply to him and that U.S. Corporation should "get real" about what is necessary to obtain sales in this country. U.S. Corporation believes that Rep will be effective and retains him, notwithstanding his initial unwillingness to agree to the FCPA compliance provision and his casual attitude toward the FCPA. U.S. Corporation obtains sales, and Rep requests that his first commission installment be wired to a bank account in Geneva, rather than to his office in the foreign country. U.S. Corporation complies with this request. The funds wired to Geneva are eventually paid to the chief of police, who is responsible for the purchase.


U.S. Corporation has ignored several red flags that should have signaled an FCPA compliance problem. First, this country is one where bribery is known to be prevalent. Although this alone should not keep a company from doing business there, care should be taken. Rep's initial refusal to agree to the FCPA compliance provision and his ambivalent attitude once he did agree were obvious signs of trouble. Aside from the fact that the FCPA would cover Rep in many circumstances, the very fact that he was unwilling to agree to an FCPA compliance provision, as well as his comments about what it takes to make sales, were serious danger signals. Finally, the request for payment to be made in a third country with no apparent connection to the sale made it apparent that there was more than a potential problem here -- there was a clear signal that bribery would take place. U.S. enforcement authorities would likely conclude that the company "knew" about the bribe within the meaning of the FCPA. As explained above, actual knowledge of a bribe has never been a prerequisite for FCPA liability.

II. Selection of Foreign Sales Representatives


As noted above, one way that a company might seek to avoid trouble is to take steps to ensure that its foreign sales representatives are competent and reputable. If the process is conducted and documented effectively, the chances of engaging a sales representative who will violate the FCPA may be reduced. You should consult your company's law department and any company policies if you have any questions regarding your company's procedures for selecting and screening its foreign representatives.

III. Foreign Sales Representative Agreements


One possible way to prevent misunderstandings with foreign sales representatives is through a written representative's agreement. An agreement of this kind can be used to define the company's relationship with the representative and spell out the type of conduct that is and is not authorized by the company. This can increase the chances of avoiding trouble by encouraging the sales representative to act properly, or by helping the company to screen out potential problems if a prospective sales representative takes issue with certain terms. Again, you should consult your company's law department and any company policies regarding when and how sales representative agreements should be used and what they should contain.


Coordinating UK Bribery Act & FCPA Compliance


An Analysis by Michael Fine[1]
April 2011

The UK Bribery Act will take effect 1 July 2011, putting into place a new and expanded scheme of bribery offenses for domestic and international business activities.[2] Although broadly comparable to the US Foreign Corrupt Practices Act (FCPA), there are important differences that may require changes to some corporate compliance programs. This white paper is designed to help organizations subject to both laws better align their compliance policies and practices.[3]

OVERVIEW
The Bribery Act represents a significant change in UK law, replacing a patchwork of common law and statutory offenses widely seen as antiquated. The new law, which applies to any commercial organization that is registered or otherwise conducts business in the United Kingdom, prohibits bribery of government officials or in commercial dealings anywhere in the world. Bribery is broadly defined, and there are no express exceptions or defenses (as under the FCPA) for legitimate promotional expenditures or small facilitation payments to expedite routine government actions.

The Bribery Act replaces previous offenses with four new ones. Sections 1 and 2 of the Act contain general offenses that prohibit the giving and taking of bribes in the public and private sectors. Section 6 creates an additional discrete offense relating to bribery of foreign government officials. And Section 7 establishes a new corporate offense for failing to prevent bribery committed on a company's behalf, unless the company can show it had adequate procedures in place to prevent it. Another provision extends liability to an organization's senior officers if the bribery occurred with their consent or connivance.

The Bribery Act replaces previous offenses with four new ones, including a novel corporate offense of failing to prevent bribery by employees or others on a company's behalf.

Jurisdiction under the Bribery Act is far-reaching. The general and discrete offenses apply to acts that occur in whole or part in the United Kingdom or that occur elsewhere if undertaken by a UK national, embodying the same territorial and nationality concepts found in the FCPA. In addition, the corporate offense of failing to prevent bribery would apply to any company that carries on a business or part of a business in the UK irrespective of whether the acts or omissions which form part of the offense take place in the United Kingdom or elsewhere. Although it is not yet clear how this jurisdictional provision will be interpreted, its extraterritorial reach may be even broader than under the FCPA.

Most early attention has focused on novel aspects of the Bribery Act, in particular its expansive extraterritorial reach, express prohibition of commercial bribery, and different treatment of liability exceptions. For many companies, though, the compliance challenges will not be that different than under the FCPA. Both laws contain expansive territorial and nationality jurisdiction, define prohibited conduct broadly, and hold companies accountable for bribery by an employee or agent. And although the Bribery Act does not track the FCPA exceptions for promotional expenses and facilitation payments, actual practice in most respects may not greatly differ. Conversely, while US law does not expressly require companies to have a reasonable compliance program, such programs are strongly encouraged through the Federal Sentencing Guidelines framework and are a significant factor in prosecutorial decisions. FCPA books and records requirements also are a control on commercial bribery, as are commercial bribery prohibitions under state law.

[1] Michael Fine is the Principal of NXG Global Law & Compliance. He has extensive experience working with international businesses to design and implement comprehensive legal compliance programs, with a particular focus on the U.S. Foreign Corrupt Practices Act and global counterparts. Mr. Fine is the author of a comprehensive study on program design practices at major multinational firms. He also provided legal and drafting support to the World Economic Forum task force that developed the PACI Principles for Countering Bribery, and has been an expert consultant to Transparency International.

[2] The Bribery Act received Royal Assent, the final step before a bill can become law, on April 8, 2010, and will enter into force on 1 July 2011. Full text of the Act and Explanatory Notes are available on the UK Ministry of Justice website (http://www.legislation.gov.uk/ukpga/2010/23/contents).

[3] This white paper focuses on UK and US foreign bribery laws, but similar laws also are in place elsewhere and may warrant program adjustments. In addition to the UK and US, 36 countries have enacted comprehensive foreign bribery laws in line with the 1997 OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. The OECD website lists signatory countries, along with monitoring reports on country implementation and other related information.

2011 LRN Corporation. All Rights Reserved. Not for Redistribution.
To be sure, global compliance programs must take into account several important differences between the UK and US laws. But companies with substantial anti-bribery policies and compliance practices considered effective in one jurisdiction should be able to rely on these with relatively minor adjustments in the other.[4] For program design purposes, the most significant differences relate to:

- Scope. The Bribery Act combines in a single statute prohibitions found in multiple US laws and traditionally addressed separately in compliance programs. Separate treatment for ordinary commercial practice and dealings with governments will still make sense for most companies, but may require closer alignment.
- Legal standards. The Bribery Act has its own legal standards for finding an offense, which although broadly comparable to the FCPA differ in form and some applications. Adjustments may be necessary, for example, to reflect differences in approach to criminal intent and coverage terms such as who is an agent or associated person.
- Corporate liability. Both laws hold corporates liable for bribery by an employee or agent, but in different ways. FCPA liability is direct based on the legal doctrine of respondeat superior, while in most cases Bribery Act exposure would be primarily through the new corporate offense of failing to prevent bribery.
- Defenses and exceptions. Statutory limits on liability are comparable, with two important exceptions. First, the Bribery Act provides a defense to corporate liability not found in the FCPA for companies that can show adequate procedures were in place to prevent bribery.[5] Second, the Bribery Act does not recognize a facilitation payments exception and programs that include this FCPA exception may not qualify for the adequate procedures defense.
- Responsibility for affiliates. Another key difference is in the treatment of bribery by subsidiaries and other related companies. Liability under the Bribery Act is limited to conduct by others for an organization's benefit, but under the FCPA can also reach self-serving bribery by affiliates.
- Enforcement tools. The FCPA contains separate books and records requirements not found in the Bribery Act, although other UK laws may be used to fill this gap. US prosecutors also have lesser civil penalty options not available under the Bribery Act.
- Adequate procedures. Standards for an effective anti-bribery program are comparable, but with differences in some areas that may require adjustments. For example, US guidelines for high-level responsibility and board reporting are more detailed and prescriptive but do not address external communications practices highlighted by UK authorities.
- Jurisdiction. Finally, although both statutes contain extremely broad grants of extraterritorial jurisdiction, differences on the margins could be important to some companies. For example, listing on a public exchange would trigger jurisdiction under the FCPA but not the Bribery Act. On the other hand, depending on how it is interpreted, conducting business jurisdiction under the Bribery Act's corporate offense could reach more foreign companies than the comparable FCPA coverage.

[4] Although some early commentators speculated that the Bribery Act might set a new standard for foreign bribery laws, surpassing the FCPA model and requiring wholesale revisions to FCPA-oriented compliance programs, other assessments have been more reserved. The chair of the OECD working group responsible for assessing Bribery Act conformity to OECD convention standards, for example, has described the Act as middle of the road and comparable to what most other OECD states have put in place. As will be seen below, US and UK anti-bribery legal prohibitions are broadly comparable in most areas if US legal authority beyond the FCPA is taken into account and are also already part of most comprehensive global compliance programs.

COMPARISON OF KEY PROVISIONS


In the discussion that follows, we compare and contrast key provisions of the Bribery Act and FCPA with an eye toward changes that may be needed to align FCPA-oriented compliance programs with the new UK bribery law.[6] We use the FCPA as a baseline because most companies with global programs are familiar with the Act and have structured policies and practices to comport with US requirements. However, the analysis can easily be adapted for companies with Bribery Act-based programs to bring them into alignment with the FCPA.

Although broadly comparable, the Bribery Act and FCPA reflect the different historical circumstances in which they were enacted. Reviews to align global compliance need to reach the full range of related US and UK laws.

1. Differences in scope and structure

The UK Bribery Act covers a much broader range of conduct than the FCPA, making point-by-point comparison difficult in some areas. While the FCPA is largely (although not entirely) limited to bribery of foreign public officials, the Bribery Act also targets bribery between companies and both public and commercial bribery in the UK itself. These additional areas are also addressed under US law, but not through the FCPA bribery prohibition and for this reason tend to be covered in separate categories in compliance programs.

The FCPA and Bribery Act reflect the historical circumstances in which they were enacted. The FCPA was part of a broader set of reforms adopted in the 1970s in the wake of the Watergate political scandal, designed to close a specific gap in the federal criminal law involving illicit corporate contributions made from secret slush funds. Other laws were already in place for corrupt payments to government officials at home, covering both active (giving) and passive (receiving) forms of bribery, and these have continued to evolve separately from the FCPA. The UK Bribery Act, by contrast, represents a single comprehensive overhaul of the country's anti-bribery laws, both domestic and foreign.

Accordingly, companies with FCPA-oriented programs will need to determine whether corporate policies on commercial bribery and for operations in the UK also meet Bribery Act requirements. Conversely, those with programs based on the Bribery Act will need to consider the FCPA's additional accounting requirements as well as antibribery restrictions under other US laws. In addition, gap reviews should not overlook other rules and requirements (such as for money laundering or various forms of political activity) that although not mentioned in either the Bribery Act or FCPA are part of any comprehensive compliance program.

Take-Away: Program reviews to align Bribery Act and FCPA compliance should be broad enough to cover the full range of prohibitions and requirements under these and related UK and US laws.

2. Bribery of foreign public officials

The FCPA and Bribery Act prohibitions on foreign public bribery provide a useful starting point for comparison. Both criminalize bribery of a foreign public official for business advantage.

a. Prohibited conduct

The FCPA makes it a crime for any US company and its employees or agents to offer, promise, pay or authorize the payment of anything of value to any foreign official in order to help the company obtain or keep business or secure some other improper business advantage. An improper business advantage may involve efforts to obtain or retain business, as in the awarding of a government contract, but can also involve regulatory actions such as licensing or approvals.

[5] As we explain below, the corporate offense of failing to prevent bribery was added in response to past difficulties holding corporates directly accountable for bribery by an employee. This legal constraint has not changed, so that in most cases the practical effect of the adequate procedures defense would be to insulate an organization entirely from Bribery Act liability.

[6] Interpretative sources used for this report include, in addition to the Bribery Act and Explanatory Notes, guidance issued 30 March 2011 by the Ministry of Justice for commercial organizations on the adequate procedures defense (MOJ Adequate Procedures Guidance) and guidelines for Bribery Act prosecutions also dated 30 March issued by the Directors of Public Prosecution and the Serious Fraud Office (Joint Guidance for Prosecutors). The MOJ Adequate Procedures Guidance and Joint Guidance for Prosecutors are available, respectively, at http://www.justice.gov.uk/guidance/making-and-reviewing-the-law/bribery.htm and http://www.sfo.gov.uk/media/167348/bribery act joint prosecution guidance.pdf.



The FCPA prohibition applies whether an improper payment is actually made or only offered or promised, and whether or not it achieves the desired result. It also does not matter whether the bribe was voluntarily offered or was suggested or demanded by an official.

Bribery Act provision


The Bribery Act discrete offense largely parallels the FCPA, criminalizing bribery of a foreign public official with intent to obtain or retain business, or an advantage in the conduct of business.[7] Business advantage is not defined, but as under the FCPA appears to encompass licensing and other regulatory advantages as well as securing business.[8] The prohibition likewise covers payments made directly or through a third party, and whether an advantage benefits the official or another person at the official's request or with his or her assent or acquiescence.

The Bribery Act general offenses are even broader, prohibiting bribery of any person (not limited to a public official) with intent to induce improper performance of a relevant duty. Although the general offenses collapse the distinction between foreign public and commercial bribery, heightened attention to public corruption for training and other compliance activities will still make sense for most companies because of the enforcement priority in this area.

Take-Away: FCPA and Bribery Act prohibitions on foreign public bribery are comparable, but with differences in language and some details that may warrant program adjustments. As in the Bribery Act itself, separate treatment of public sector corruption risks and prophylactic measures will still make sense for most companies.

b. Covered officials

A foreign official under the FCPA can be essentially anyone who exercises governmental authority. Foreign official is broadly defined to include any officer or employee of a foreign government department or agency, whether in the executive, legislative or judicial branch of government, and whether at the national, state or local level. Officials and employees of government-owned or controlled enterprises also are covered, as are private citizens who act in an official governmental capacity. The FCPA prohibition also applies to political parties, party officials and candidates, and to officials and employees of public international organizations such as the United Nations.

Bribery Act provision


The Bribery Act contains a similarly expansive definition for foreign public official, covering any individual, whether elected or appointed, who holds a legislative, administrative or judicial position of any kind of a country or territory outside the United Kingdom, including any subdivision thereof.[9] The statutory definition also includes anyone who is an official or agent of a public international organization or who exercises a public function for or on behalf of a foreign government, public agency or public enterprise. As under the FCPA, coverage would extend to professionals working for public health agencies and officers exercising public functions in state-owned enterprises.[10]

This coverage appears essentially comparable to the FCPA's, although differences could surface in a few areas. For example, while the FCPA definition explicitly includes political parties and candidates, their status as public officials under the Bribery Act is less certain. (US efforts over the years to make this coverage explicit in the OECD Convention have not been successful.) Similarly, UK authorities may not be as quick to apply foreign official status to personnel at state-owned commercial enterprises, if only because such bribery would still be subject to the Bribery Act prohibition on commercial bribery.[11]

Take-Away: Foreign official coverage is essentially similar. Programs should make clear that bribery is not acceptable under any circumstances, whether involving a public official or between companies.

The Bribery Act discrete offense closely parallels the FCPA, prohibiting bribery in any form (not just cash payments) involving essentially any foreign public official.

[7] UK Bribery Act 6(2). Notes accompanying the Act prepared by the government explain that the discrete offense closely follows the OECD anti-bribery convention, which defines prohibited bribery to include payments to induce an official to act or refrain from acting in relation to the performance of official duties. See Explanatory Notes, supra note 1 at 34; OECD Convention Art. 1(1).

[8] Elsewhere in the Act, bribery is defined expansively to include attempting to induce improper performance of any function of a public nature, which would include licensing and other regulatory functions. Bribery Act 3(2)(a); see also Joint Prosecution Guidance, supra n. 6 at 4.

c. Form of payment

Bribery under the FCPA can take any form. The statute makes it a crime to offer, promise or give anything of value to a foreign official to gain an improper business advantage. This would include, among other things of value, cash payments, gifts and entertainment, offers of employment, political or charitable contributions, and equity interests or other business opportunities.

Bribery Act provision


The Bribery Act contains similar language, proscribing the offer, promise or giving of any financial or other advantage to a foreign public official for business advantage. While most things of value barred by the FCPA are likely to be covered, this has not yet been spelled out by UK authorities and may require further guidance in the future.12 Again, some differences could surface on the margins, for example in the treatment of political and charitable contributions or some promotional activities.

Take-Away: Programs should explain that bribery can take many forms and is not limited to cash payments. FCPA practice can offer useful guidance pending further direction from UK authorities.
9 UK Bribery Act § 6(5).
10 MOJ Adequate Procedures Guidance, supra n. 6 ¶ 22.
11 Application of foreign official status to officials and employees of state-owned commercial enterprises (such as public hospitals and national extractive or manufacturing companies) has been controversial under the FCPA, generating a recent legislative proposal to more narrowly define coverage of public instrumentalities. This coverage distinction, however, would be less meaningful under the Bribery Act because of the added prohibition on commercial bribery.
12 See Joint Prosecution Guidance, supra n. 6 at 5 (explaining that advantage is to be determined as a matter of common sense by the courts, based on its normal, everyday meaning).



d. Corrupt intent

Only offers or payments made with corrupt intent violate the FCPA bribery prohibition. Prosecutors must be able to show that a person making or authorizing payment to a foreign official had a corrupt intent and meant to induce the official to misuse his or her official position for business advantage.13 Illustrative examples include payments intended to influence an official act or decision, induce a public official to violate a lawful duty, or otherwise gain an improper business advantage. An explicit quid pro quo typically is involved, but not always. Corrupt intent is not a requirement, however, for enforcement action taken pursuant to the FCPA's civil accounting provisions, addressed separately below (at 17). These provisions make a company strictly liable for accounting and control failures.

Bribery Act provision


The Bribery Act contains two separate intent requirements, both potentially broader than the FCPA but in different ways. The discrete offense conditions prosecution on an intent to influence a foreign official with respect to a business advantage, but without explicitly requiring (as in the FCPA) a corrupt motive. According to the Joint Parliamentary Committee that considered the bill, this limiting term was left out to give prosecutors more discretion in dealing with defenses based on asserted cultural norms.14 At the same time, the government has made clear that there is no intention to prosecute individuals or companies for legitimate business expenditures.15 (We discuss this interpretative guidance in more detail below, in the section on statutory exceptions and defenses.)

The Act's general offense sets a more explicit fault standard, conditioning prosecution on an intention to induce improper performance of another's duties. Improper performance is performance which amounts to a breach of an expectation that a person will act in good faith, impartially, or in a position of trust.16 Requisite intent would be present if, by paying a bribe, the recipient would be expected to act contrary to these expectations. This second standard is similar to the FCPA intent requirement, but potentially broader in several respects. First, the general offense does not have an explicit business nexus requirement, as under the FCPA and also Bribery Act discrete offense, and so in theory could reach a broader range of conduct.17 Second, improper performance may be a less burdensome standard for the government to meet in some cases. For example, it is doubtful that US authorities could base a successful bribery prosecution solely on a breach of general expectations of good faith performance.18

Take-Away: Differences in this area may be significant in the event of litigation but should not affect prophylactic compliance measures.

13 This requirement is summarized in a Lay Person's Guide to the FCPA at 3, available on the US Department of Justice website. Corrupt intent is not defined in the statute, but was described in report language accompanying the FCPA as connot[ing] an evil motive or purpose, an intent to wrongfully influence the recipient. S. Rep. No. 95-114, at 10 (1977).
14 Joint Committee on the Draft Bribery Bill, First Report, 2008-09, ¶¶ 146-47 (available at http://www.publications.parliament.uk/pa/jt200809/jtselect/jtbribe/115/11510.htm#a27).
15 MOJ Adequate Procedures Guidance, supra n. 6 at 23 (explaining that Section 6 violations are likely to involve conduct which amounts to improper performance and that it is not the Government's intention to criminalise behaviour where no such mischief occurs).
16 MOJ Adequate Procedures Guidance, supra n. 6 at 18.

Bribery Act jurisdiction over corporates is potentially broader than the FCPA in some respects but narrower in others.

e. Jurisdiction

FCPA jurisdiction is far-reaching, embodying both territorial and nationality principles. The FCPA applies to issuers and domestic concerns, terms from US securities law that include anyone who is a US citizen or resident, all US companies, and any foreign company listed on a US stock exchange.19 Issuers and domestic concerns can be prosecuted for bribery anywhere in the world, whether or not any part of an offense takes place in the US. In addition, foreign companies not listed on a US exchange can be prosecuted for foreign bribery that has a connection to the US. The threshold for this territorial jurisdiction is very low, requiring in some recent cases as little as a wire transfer or email communication with a US nexus. Foreign subsidiaries of US companies are considered foreign nationals, subject only to the FCPA's territorial jurisdiction. However, parent companies (including foreign issuers) can be held responsible for a foreign subsidiary's conduct if it was authorized, directed or controlled. They may also be liable for an affiliate's accounting violations.20

Bribery Act provision


Jurisdiction under the Bribery Act's general and discrete offenses closely parallels the FCPA, providing both territorial and nationality coverage. The offenses apply to any conduct that occurs in whole or part in the UK, or elsewhere if undertaken by a person who has a close connection with the United Kingdom.21 Those with a close connection include, among others, UK citizens, ordinary residents and incorporated companies.
17 Improper performance may be found with respect to any function of a public nature. Bribery Act § 3(2)(A). By contrast, the FCPA and Bribery Act discrete offense explicitly require an intent to gain improper business advantage. Whether this distinction would have practical significance is less clear, in part because business advantage would still be a factor under the Section 7 corporate offense.
18 US prosecutors for many years relied on an analogous honest services doctrine in domestic public corruption cases, but in a widely reported decision last year, the US Supreme Court found this standard too vague to support criminal prosecution. (The case is Skilling v. United States, 561 U.S. __ (2010), discussed in an enforcement alert available on the ECA website.) It is not yet clear how good faith and other performance expectations listed in the Bribery Act will be applied, but given the broad range of functions and activities covered by the Act similar vagueness concerns could arise.
19 15 USC §§ 78dd-1, 78dd-2. Domestic concern is defined to mean anyone who is a citizen, national or resident of the US, and any corporation, partnership or other entity organized under US law or with its principal place of business in the US. An issuer is any entity (domestic or foreign) with securities registered in the US or otherwise required to file reports with the Securities and Exchange Commission.
20 Issuers are responsible for recordkeeping practices at majority-owned subsidiaries and affiliates, and for making a good faith effort to encourage appropriate practices at minority-owned affiliates.
21 Bribery Act § 12.



In addition, commercial organizations can be prosecuted under the separate Section 7 corporate offense of failing to prevent bribery by others. Jurisdiction under this provision is even broader, extending coverage to any company that carries on a business, or part of a business in the United Kingdom.22 In effect, a foreign company with only limited UK business ties could be liable for any corruption it carries out anywhere else in the world.23 As written, the corporate offense could reach even more extraterritorial conduct than the FCPA, although at present the extent of this jurisdiction remains a matter of speculation. The Bribery Act does not say what it means to carry on a business, or part of a business in the UK, leaving to government and ultimately judicial interpretation whether jurisdiction could be based on such limited contacts as a subsidiary, agent or even distributor relationship. The comparable FCPA jurisdiction is keyed to issuer status, limiting action against foreign companies for wholly extraterritorial bribery to those listed on a US stock exchange or otherwise subject to SEC disclosure requirements.

The government has said that it will apply a common sense approach to Section 7 and does not intend to assert jurisdiction over foreign companies based solely on incidental contacts, such as stock listing or ownership of a UK subsidiary.24 On the other hand, the minimum threshold for foreign company coverage is still not clear and officials have repeatedly expressed their intention to exercise Bribery Act jurisdiction aggressively to ensure that ethical UK corporates are not placed at a competitive disadvantage by the activities of unethical corporates wherever.25 Pending further guidance, a comparison of the outer limits of Bribery Act and FCPA extraterritorial jurisdiction is premature. All that can be said at this point is that stock listing in itself would not be enough under the Bribery Act to trigger jurisdiction over a foreign company but would under the FCPA.

In two other respects, corporate coverage under the Bribery Act would appear to fall short of the FCPA. Corporates are less likely to be prosecuted directly for bribery under the general and discrete offenses, and under the corporate offense will have an adequate procedures defense not available under the FCPA.26 Parent company responsibility for bribery by a subsidiary also is more limited.

22 The Section 7 corporate offense is discussed separately below. It extends liability for failure to prevent bribery by an associated person to relevant commercial organizations, broadly defined to include a body which is incorporated under [UK law] and which carries on a business (whether there or elsewhere), and any other body corporate (wherever located) which carries on a business, or part of a business, in any part of the United Kingdom. Bribery Act § 7(5). The offense applies to bribery irrespective of whether the acts or omissions which form part of the offense take place in the United Kingdom or elsewhere. Id. § 12(5).
23 Interview with Richard Alderman, Director of Serious Fraud Office, Compliance Week (Jan. 19, 2011).
24 MOJ Adequate Procedures Guidance, supra n. 6 ¶ 36.
25 R. Alderman, Speech at 28th Cambridge International Symposium on Economic Crime (Sept. 6, 2010).
26 The Guidance explains that a common sense approach would mean that organisations that do not have a demonstrable business presence in the United Kingdom would not be caught. MOJ Adequate Procedures Guidance, supra n. 6 at 36. Thus, for example, the mere fact of securities listing or ownership of a UK company would not in itself qualify a company as carrying on business in the UK. Demonstrable presence, however, is not defined, leaving unanswered the type or magnitude of contact, or combination of contacts, that would trigger Section 7 extraterritorial jurisdiction over a foreign company. The practical limits on direct prosecution are addressed separately below. See infra note 31 and accompanying text.


The UK and US both target commercial bribery, but in different ways. This also is the case for domestic and passive bribery and books & records requirements.

The Bribery Act makes corporates responsible for affiliate actions taken on their behalf, but would not appear to reach bribery by an affiliate on its own account. This distinction has been highlighted by the Ministry of Justice in recent revisions to its adequate procedures guidance on associated persons liability.27 Foreign affiliates would still, of course, be subject to direct prosecution, provided the requisite territorial connection exists.

Take-Away: Both laws contain expansive jurisdictional provisions authorizing criminal prosecution of individuals and companies for a wide range of conduct. As a practical matter, however, potential corporate exposure may be significantly greater under the FCPA.

3. Other bribery offenses

The Bribery Act contains additional features that go beyond the FCPA and may require changes to some global compliance programs. UK-oriented programs also will need to take into account FCPA books and records requirements not found in the Bribery Act.

a. Commercial bribery

As can be seen from the preceding discussion, the FCPA and Bribery Act prohibitions on bribing foreign government officials are broadly comparable. However, the Bribery Act also bans commercial bribery, from one business to another. The prohibition on commercial bribery is in the Section 1 general offense, which has much wider scope than the discrete offense of bribing a foreign public official. The general offense makes it a crime to bribe any person, without regard to official status, with intent to induce improper performance of a relevant function or activity.28 This would include a bribe offered or paid in connection with purely commercial activities, such as securing a supply or other business contract. The ban on commercial bribery is exceptionally broad, extending to any activity connected with business, performed in the course of a person's employment or performed on behalf of a company for which performance is expected to be undertaken in good faith, impartially or from a position of trust. As the government explained in notes prepared for the Parliamentary debate on the Act, the reason for this expansive coverage is to ensure that the law of bribery applies equally to public and to selected private functions without discriminating between the two.29

FCPA provision
Although commercial bribery is not prohibited by the FCPA, it is by other US laws. The US does not have a general federal statute prohibiting bribery in commercial settings. However, most states do, and violations of state law that involve interstate commerce can be prosecuted federally under the Travel Act.30 Commercial bribery also is subject to FCPA accounting requirements and can trigger enforcement action if not properly recorded and disclosed.

Take-Away: Programs should make clear that bribery of any kind is strictly prohibited. Most companies already have a general prohibition on unethical conduct, but may not relate this specifically to international business.

27 MOJ Adequate Procedures Guidance, supra n. 6 ¶ 42. In this analysis, a parent company may be held accountable for acts on its behalf by a subsidiary or other affiliate subject to the same limitations applicable to other associated persons, including that a bribe was intended to benefit the parent directly. However, liability ordinarily will not accrue through simple corporate ownership or investment even though a parent company may benefit indirectly from the bribe.
28 Bribery Act § 1(2); MOJ Adequate Procedures Guidance, supra n. 6 at 18.
29 Bribery Act Explanatory Notes ¶ 28. Section 3 of the Bribery Act lists relevant functions and activities subject to the improper performance standard, together with relevant performance expectations.

b. Passive bribery

The Bribery Act also expressly prohibits passive bribery. The Section 2 general offense makes it a crime to receive or solicit a bribe in connection with improper performance of a public or commercial function or activity.31 The offense applies to any person subject to UK jurisdiction, whether the bribery in question is commercial or public. As with active bribery, a violation can be found whether a payment or other advantage is received directly or benefits another person and whether or not it achieves the desired result.

FCPA provision
There is no comparable provision for foreign bribery in the FCPA. However, passive bribery may violate state commercial bribery prohibitions and be prosecuted federally under the Travel Act or related statutes.

Take-Away: Most programs already prohibit passive bribery, but may wish to emphasize Bribery Act criminal sanctions in training and related compliance materials.

c. Domestic bribery

Another difference is in the treatment of domestic bribery, which is covered by the Bribery Act but not the FCPA prohibition. The Bribery Act general offenses apply to bribery in the United Kingdom as well as abroad, in both active and passive forms and for commercial bribery as well as public bribery. Bribery is broadly defined, and the same jurisdictional and intent requirements described earlier for foreign public bribery apply.

FCPA provision
Domestic bribery is not addressed by the FCPA, but is prohibited by other US laws. The US criminal code (18 USC § 201) makes it a crime to bribe a federal official and for an official to invite or accept a bribe. Similar prohibitions have been established under state law for state and local officials, and additional rules apply to contract transparency, lobbying disclosure, political contributions and other interactions with or involving government officials. In addition, domestic commercial bribery may be prosecuted under the same authority described above.

Take-Away: The Bribery Act's broader scope offers a useful reminder of the relationship between domestic and foreign compliance and opportunities to coordinate relevant standards and activities. Reviews should consider the full range of relevant domestic regulation, which in some areas may be more extensive than for analogous international activities.

30 The Travel Act (18 U.S.C. § 1952) makes it a federal crime to use the mail or any facility in interstate or foreign commerce (such as a telephone line or wire transfer) with intent to facilitate the promotion, management, establishment or carrying on of an unlawful activity, including bribery. See, e.g., US v. Welch, 327 F.3d 1081 (10th Cir. 2003) (Travel Act prosecution based on Utah bribery statute); US v. Young & Rubicam, 741 F. Supp. 334 (D. Conn. 1990) (Travel Act prosecution based on New York commercial statute). For an illustrative state law prohibition on commercial bribery, see California Penal Code § 641(3)(a) (defining prohibited commercial bribery).
31 Bribery Act § 2(2).

Although the FCPA does not have a stand-alone corporate offense, similar legal responsibility for bribery by employees or agents is established by other means. The more significant difference is in the treatment of proactive compliance efforts.

d. Failure to prevent bribery

The Bribery Act establishes an additional corporate offense for failing to prevent bribery, designed to overcome past difficulties prosecuting companies directly for employee violations.32 The corporate offense is in Section 7 of the Act. It makes commercial organizations liable to prosecution for bribes paid or promised by an associated person to gain a business advantage. The offense applies to commercial as well as public bribery, regardless of where the underlying act occurred, and can be used to reach not only UK companies but also others that carry on business in the United Kingdom.33 An associated person is any individual or entity that performs services for or on behalf of the company, such as an employee, agent or subsidiary.34 The MOJ Adequate Procedures Guidance includes a detailed discussion of associated person status.35 As explained there, this coverage is to be determined based on overall circumstances (and not just formal relationships), and is intended to give Section 7 broad scope so as to embrace the whole range of persons connected to an organisation who might be capable of committing bribery on the organisation's behalf.

Section 7 is a strict liability offense; that is, prosecutors would not have to show criminal intent or negligence by a corporate, only that an associated person had engaged in prohibited bribery. Such persons need not have been convicted in advance, and the law assumes that conduct by an employee was on an employer's behalf. However, a company would have a defense to liability under this provision if it could show that adequate procedures were in place to prevent the bribery. (We discuss this defense separately below.)

32 Bribery Act § 7(1). Under the common law identification principle, companies could be prosecuted directly for bribery only if an offense was committed by a natural person who was the directing mind and will of the company (i.e., a board member or senior executive). MOJ Adequate Procedures Guidance, supra n. 6 ¶ 14 n. 3 (citing Tesco Supermarkets v. Nattrass [1972] AC 153). This was a hard standard for the government to meet, resulting in very few successful corporate prosecutions. See OECD Working Group Report at 63-66 (2005) (describing this limitation in UK law), available at http://www.oecd.org/dataoecd/62/32/34599062.pdf. The new corporate offense avoids this difficulty by making corporates strictly liable for failing to prevent bribery by an employee or other associated person.
33 As explained earlier in the discussion on Bribery Act jurisdiction, Section 7 in effect extends nationality coverage to any non-UK company that carries on a business, or part of a business, in the UK, allowing the Government to prosecute companies for bribery anywhere in the world whether or not there is a territorial connection to the United Kingdom.
34 Bribery Act § 8.
35 MOJ Adequate Procedures Guidance, supra n. 6 ¶¶ 37-43.

FCPA provision
Although the FCPA does not have a stand-alone corporate offense, comparable legal responsibility for bribery by an organization's employees or agents is established by other means. The Bribery Act corporate offense addresses an evidentiary challenge US prosecutors have not faced. Under the FCPA, companies are regularly prosecuted for bribery by employees or other agents. Corrupt intent and other required elements of the crime are imputed based on the common law principle of respondeat superior, which makes an employer organization responsible for criminal conduct by an employee or agent taken on its behalf. In operation, respondeat superior closely parallels strict liability under the Bribery Act corporate offense. Both legal standards hold corporates accountable for bribery offenses by an associated person (employee or other agent under the FCPA) intended to benefit an organization commercially. Although commonly described as a strict liability offense, Section 7 liability under the Bribery Act is still contingent on criminal intent in the predicate general or discrete offense by an employee or other associated person.36 Also, agency is a broad concept under US law, comparable in scope to Bribery Act associated person coverage.

The more significant difference between the UK and US models is in the treatment of proactive compliance efforts. Both laws encourage good compliance practice, but only the Bribery Act makes this a complete defense to liability. The adequate procedures defense is meant to heighten the priority given to front-end prophylactic measures, and this effect can already be seen at many companies. At the same time, questions have begun to surface about how the defense will be applied in practice as well as possible unintended consequences from breaking the liability link between employer and employee.37 Companies with UK-oriented programs should be aware that an adequate procedures defense under the Bribery Act would not shield a company from FCPA prosecution.

Take-Away: Although both laws encourage proactive compliance, being able to demonstrate adequate procedures has much greater significance under the Bribery Act.

36 See MOJ Adequate Procedures Guidance ¶ 42.
37 Although the Ministry of Justice has done an admirable job detailing basic guidelines for an effective compliance program (discussed below), it is far from clear how adequacy will be judged in specific circumstances. Qualitative assessments of actual practice, in contrast to how a program looks on paper, are notoriously difficult, with good models and practical experience still at a formative stage. (This partly explains past US reluctance to establish a program-based safe harbor or defense for the FCPA.)



e. Prosecution of senior officers

A further Bribery Act provision extends criminal liability to culpable senior officers. Under Section 14 of the Act, a commercial organization's senior officers may be prosecuted for general or discrete offenses by the organization if the bribery occurred with their consent or connivance.38 Senior officer is defined to mean a director, manager, secretary or other similar officer, and would include officers who are foreign as well as UK nationals. However, foreign nationals would only be liable under this provision for offenses with a territorial connection to the UK.39 Despite its apparent breadth, prosecution of senior officers under this provision is unlikely to be very common. Section 14 replicates consent and connivance provisions in prior law that were only rarely used because of the difficulty prosecuting companies directly for bribery violations.40 This will not change under the Bribery Act, and although corporates will now be subject to the separate offense of failing to prevent bribery, these corporate violations are outside the Section 14 offense.

FCPA provision
Senior officers and directors are liable to prosecution for corporate offenses under the FCPA, and this has been a priority focus for US enforcement in recent years.41 Individuals may be prosecuted not only for consent or connivance in bribery by a subordinate, but also potentially for oversight failures. Under federal securities law, a corporate officer in a position of control who fails adequately to supervise the conduct of others may be held responsible for their actions.42

Take-Away: Both laws highlight management responsibility and authorize prosecution of individual officers in appropriate cases, although with broader apparent scope under the FCPA.

f. Books and records offense

Finally, the FCPA contains a books and records offense not found in the Bribery Act. FCPA accounting rules are in addition to the Act's prohibition of foreign public bribery. They require companies listed on US exchanges to keep accurate books and records, and maintain an effective system of internal controls.43 Although most commonly associated with slush funds and other deceptive practices used to make foreign public bribes, companies can also be prosecuted for failing properly to record commercial bribes or improper payments in the US itself. In addition, parent companies may be liable for accounting violations by a controlled foreign affiliate. FCPA accounting requirements are administered by the Securities and Exchange Commission (SEC), subject to civil penalty authority and a lower evidentiary burden that has made this a valuable enforcement tool. The SEC need only show that financial records were not properly maintained, not that a bribe was paid with corrupt intent.

38 Bribery Act § 14(2). The Act refers only to violations of the general and discrete offenses, and not the corporate offense of failing to prevent bribery.
39 Section 14 limits liability for offenses that are based on nationality jurisdiction to senior officers with a close connection to the UK. This would include officers who are UK nationals or ordinarily resident in the UK. The term manager is not defined, but presumably would apply only to senior managers and not all managerial personnel.
40 See supra note 32 and accompanying text.
41 Aggressive prosecution of individuals is regularly cited as a cornerstone of FCPA enforcement. See, e.g., Address of Asst. Attorney General Breuer, 22nd National Forum on Foreign Corrupt Practices Act (Nov. 17, 2009) (http://www.justice.gov/criminal/pr/speeches-testimony/documents/11-17-09aagbreuer-remarks-fcpa.pdf).
42 This type of liability, known as control person liability, was first applied in an FCPA context in 2009, in the Nature's Sunshine settlement (discussed in an alert available on the ECA website).

The Bribery Act and FCPA also take a different approach to statutory exceptions and defenses, particularly for facilitation payments.

Bribery Act provision


There are no comparable provisions under the Bribery Act. However, other UK laws contain similar accounting requirements that may be used to complement Bribery Act criminal enforcement.44

Take-Away: Sound accounting and control practices are central to the FCPA and part of an effective compliance program. Global programs should reflect applicable regulatory requirements and evolving practice in both jurisdictions.

4. Statutory exceptions

Programs also may need to be adjusted to reflect differences in Bribery Act and FCPA statutory exceptions and defenses. Only one of three FCPA provisions is in the Bribery Act, while two new ones have been added.

a. Local law exception

Both statutes contain a limited local law exception for payments or other benefits to foreign public officials allowed by host country law. The FCPA exception is in the form of an affirmative defense, shielding payments or other things of value given or offered to a foreign official when this is permitted under the written laws or regulations of the official's country. The exception is very narrow, and the burden of showing that applicable conditions have been met is on the person or entity claiming the defense.

Bribery Act provision

The Bribery Act has a similar exception, but in a different form. It makes liability under the Act's discrete offense contingent on a financial or other advantage to a foreign public official being neither permitted nor required by the written law applicable to that official.45 Although broadly comparable, the Bribery Act exception contains a reference to published judicial opinions not found in the FCPA. The Act defines written law to include not only a host country's formal laws and regulations, but also any judicial decision evidenced in published written sources.46 What form publication would have to take, and whether judicial interpretations of common law as well as statutory or agency rules would be covered, is not yet clear. The FCPA defense, by contrast, refers only to payments lawful under the written laws and regulations of the host country; although local judicial rulings would be taken into account, they would be a guide only and not controlling with respect to the FCPA defense.

Take-Away: FCPA and Bribery Act local law exceptions are similar and should not require adjustment to most programs, although differences in form and terminology may be noted.

b. Promotional expenditures

The FCPA provides a second exception for reasonable and bona fide expenditures directly related to business promotion or contract performance. This exception also is in the form of an affirmative defense, requiring anyone who would rely on it to show that a payment or other benefit met the statutory standard. To qualify, an expenditure must be (a) directly related to legitimate promotional or contract activities, (b) reasonable under the circumstances, and (c) made in good faith. The exception is commonly used to reimburse reasonable travel expenses for educational or promotional programs, such as sponsored training or an educational trip to a business facility. Business hospitality not directly related to promotional or contract activities would not qualify for this statutory defense, but may still be permissible under the FCPA. The analysis would shift to whether the required elements of an FCPA offense had been met, in particular whether hospitality was promised or given for a business purpose and with corrupt intent. (Reasonable and customary hospitality, given pursuant to established guidelines, ordinarily would not violate the FCPA.)

Bribery Act provision

The Bribery Act does not have a comparable statutory exception.47 However, the government has made clear that it does not intend to prosecute companies for business hospitality and promotional expenses that are both reasonable and proportionate to the nature of their business. This clarification was recently elaborated in formal guidance from the Ministry of Justice.48 The guidance confirms that bona fide hospitality and promotional expenditures are an established and important part of doing business and that it is not the intention of the Act to criminalise such behavior. As under the FCPA standard (for general hospitality), whether a particular expenditure is lawful or treated as prohibited bribery would depend on its specific facts and circumstances, such as the type and level of benefit given, its manner and form, and the recipient's influence over the awarding of business or other action sought by the company. Expenditures that are reasonable, proportionate and consistent with normal (legitimate) business practice ordinarily will pass muster, while those considered lavish or otherwise unusual would carry higher risk.49

Differences in form notwithstanding, the Bribery Act approach to business hospitality and promotional expenditures is essentially similar to practice under the FCPA. Both laws (as interpreted) recognize a legitimate role for reasonable and proportionate promotional activities, limit enforcement to expenditures made with an illicit purpose, and judge legitimacy based on the overall circumstances. Both governments also have been criticized for providing too little practical guidance in this area.

Take-Away: The practical challenge under both laws will be to establish and enforce clear policies that distinguish between legitimate and prohibited hospitality and promotional expenditures. Procedures developed for one jurisdiction should be compatible for use in the other.

c. Facilitation payments

A third FCPA exception addresses modest payments to facilitate or expedite performance of a routine governmental action. This is a narrow exception, limited to small payments made to secure routine actions such as processing a visa, obtaining phone, power or water service, and securing police or fire protection. The exemption is only from liability under the FCPA (and not other laws), and is only available for non-discretionary actions to which a company is already entitled by law.50

Bribery Act provision

There is no comparable exception in the Bribery Act. Facilitation payments are illegal bribes, subject to prosecution under the Act's general and discrete offenses. The Bribery Act adopts a zero tolerance approach to bribery, in line with recent efforts at the OECD and elsewhere to discourage facilitation payments in international business.51 While not unmindful of the practical challenges from petty corruption in some markets, the government's position is that these are to be addressed through prosecutorial discretion rather than a formal exception.52

The government has issued detailed guidelines for prosecuting facilitation payments.53 Factors favoring prosecution include, in addition to size and frequency, that payments were premeditated or made in contravention of a clear and appropriate policy setting out procedures for responding to facilitation demands. Conversely, prosecution would be less likely for payments that were small and one-time or made under duress,54 or where an organization has clear procedures that were followed and payments came to light through a genuinely proactive approach involving self-reporting and remedial action.

It is too early to know how these guidelines will be applied in practice, but two things seem clear. First, the government is serious about eliminating facilitation payments and will prosecute violations aggressively in appropriate circumstances. Second, facilitation payments that are premeditated, that is, planned for or accepted as part of the standard way of conducting business, will be a particular priority. This would include, by implication, payments made pursuant to a formal policy exemption.

Whether in other respects the sharp contrast often drawn between Bribery Act and FCPA practice will prove out is harder to say. The FCPA exception is much narrower than commonly assumed, and there has been vigorous prosecution of asserted grease payments outside this range (for example, bribes paid to expedite a tax return). Conversely, recent characterizations of the Bribery Act zero tolerance approach have become more nuanced. The MOJ Adequate Procedures Guidance now recognizes, for example, that eliminating facilitation payments is a long term objective that will require economic and social progress and a sustained commitment to the rule of law elsewhere.55

An immediate question for companies with traditional FCPA programs is whether to retain a facilitation payments exception. Although UK authorities have not explicitly said that these contravene the Bribery Act, they clearly will be an enforcement red flag. It has also been suggested (so far only informally) that corporate programs reflecting the FCPA exception may not qualify for the adequate procedures defense.56 Corporate opinion to this point has been divided on the FCPA exception. Although a growing number of companies had already begun voluntarily to drop this from their programs, others have been reluctant to move immediately to zero tolerance policies that would be difficult to enforce. Short of eliminating the formal FCPA exception, steps may be taken to raise awareness of and adherence to the strict limits of the exception. Although this may not shield a company from Bribery Act prosecution, implementing best practices in this area could help to reduce the risk.

Take-Away: The UK has rejected the FCPA approach on facilitation payments, retaining a prohibition on all such payments and warning that corporate policies allowing them may not qualify as adequate procedures. Companies that continue to permit facilitation payments should take appropriate measures to ensure strict compliance with FCPA limitations and work to eliminate all such payments in the future.

d. National security

Apart from these differences, the Bribery Act has a narrow statutory exception for certain national security activities not found in the FCPA. Section 13 of the Act provides a defense to liability under the general and discrete offenses for conduct shown to be necessary for the proper exercise of any function of an intelligence service, or of the armed services when engaged on active service.57 Coverage limitations and conditions are detailed in the statute.

FCPA provision

There is no comparable FCPA provision. National security is not a defense to FCPA liability, although it can be a factor in the exercise of prosecutorial discretion. Nor would the Bribery Act defense be a bar to prosecution by US authorities for conduct by a UK company that also violates the FCPA.

Take-Away: Conduct shielded by the Bribery Act national security defense may still be subject to prosecution under the FCPA.

e. Adequate procedures defense

Finally, the Bribery Act provides a new adequate procedures defense to corporate liability not found in the FCPA. As explained earlier, companies are strictly liable for failing to prevent bribery by an associated person unless they can show they had in place adequate procedures designed to prevent the bribery.58 The defense technically is limited to liability under the Section 7 corporate offense, but because of the practical difficulty of prosecuting companies directly under the general and discrete offenses, in most cases it would effectively shield an organization from all liability under the Act.

Adequate procedures are not defined in the Act, but instead illustrated through guidance for commercial organizations developed by the Ministry of Justice.59 The guidance is general in nature, emphasizing broad principles rather than detailed prescriptive standards. Companies are encouraged to use the principles as a guide, but cautioned that whether procedures were adequate in a particular case can only be resolved by the courts taking into account the particular facts and circumstances of the case.60 Six guiding principles have been identified, highlighting general expectations and illustrative practices for: (a) overall program design (i.e., proportionate procedures); (b) tone at the top; (c) risk assessment; (d) due diligence; (e) communication, including training; and (f) monitoring and review. As many commentators have noted, these are broadly similar to best practices for anticorruption compliance in the US and elsewhere.

FCPA provision

There is no comparable defense under the FCPA. Companies are credited for good practice, but only in the charging and sentencing phases. Corporate compliance programs are evaluated based on standards developed by the US Sentencing Commission, commonly referred to as the Organizational Guidelines.61 First issued in 1991, these standards were substantially revised in 2004 and are reviewed annually for additional adjustments. Although technically voluntary, the Guidelines have become the de facto baseline for US programs. They inform not only sentencing decisions, but also government judgments about whether to prosecute a case and on what grounds.

The Organizational Guidelines are broadly comparable to the MOJ's adequate procedures guidance, but with differences in emphasis and detail in some areas. For example, the US standards for program management and reporting channels are more detailed and prescriptive. Conversely, the MOJ Guidance contains elements not found in the Organizational Guidelines, for example on external reporting and verification.

Take-Away: UK and US guidelines for effective compliance practice are broadly comparable, but with differences that may require adjustments to some programs.

The UK Bribery Act coming into force presents an opportunity, and a significant incentive, for companies to look closely at their anticorruption efforts. For many companies, the Bribery Act will necessitate few changes to their current compliance programs; for others it may be a wake-up call to reinforce and bolster existing efforts. It is always a good time for a clear-eyed assessment of anticorruption compliance, but never more so than now.

Notes

43. FCPA accounting rules apply to all issuers, defined by statute to include any entity (domestic or foreign) with registered securities or otherwise required to report to the US Securities and Exchange Commission.

44. See, e.g., Money Laundering Regulations (2007) and the Companies Act (2006). While the Bribery Act does not specifically address accounting concerns, a UK company's failure to keep adequate accounting records may trigger criminal liability for its officers under Section 387 of the Companies Act. A link also has been drawn between money laundering and corruption, described recently by one senior official as an area with "a very great deal of potential" [for enforcement]. Corruption and Money Laundering, R. Alderman comments reported on thebriberyact.com (6 March 2011).

45. Bribery Act 6(3)(b). This condition is part of the statutory offense, rather than a separate affirmative defense. Although different in form, the intent appears consistent with the FCPA provision. It should be noted, however, that this statutory condition is only in the Act's discrete offense and not its broader general offenses.

46. MOJ Adequate Procedures Guidance, supra n. 6, para. 19; Bribery Act 6(7)(c).

47. Language exempting legitimate commercial conduct was considered for the Bribery Act, but rejected out of concern that prosecutors might not have sufficient discretion to differentiate between legitimate and illegitimate corporate hospitality.

48. MOJ Adequate Procedures Guidance, supra n. 6, paras. 26-32.

49. Incidental provision of routine business courtesy commensurate with the reasonable and proportionate norms for the particular industry ordinarily would not raise an inference of bribery. MOJ Adequate Procedures Guidance, supra n. 6, para. 30. Conversely, expenditures that are lavish, concealed or not clearly connected with legitimate business activity would raise a red flag. Joint Prosecution Guidance, supra n. 6, at 10. In all such cases, the government would have to show that an expenditure was meant to induce improper performance (under the general offense) or secure a business advantage (under the discrete offense).

50. The facilitation payments exception was not in the original statute, but was added in the 1988 amendments (with the local law and promotional expense defenses) in response to complaints that the FCPA was overbroad and disadvantaged US companies in world markets. At the time, grease payments were considered unavoidable in some markets. However, the statutory exception was drawn narrowly to preclude payments made to win or retain business or to influence other discretionary action such as licensing or other business regulation.

51. Although the OECD Anti-Bribery Convention does not preclude a statutory exception for facilitation payments, supplemental guidance issued in 2009 recognizes the corrosive effect of facilitation payments and encourages signatory countries to work toward their elimination. 2009 OECD Anti-Bribery Recommendation, para. 6; see OECD Convention Commentaries, para. 9 (recognizing exception).

52. In response to an inquiry about facilitation payments during Parliamentary debate on the Bribery Act, the government representative advised that "[w]e recognize that many UK businesses still struggle with petty corruption in some markets, but the answer is to face the challenge head-on, rather than carve out exemptions that draw artificial distinctions, are difficult to enforce, and have the potential to be abused. Providing exemptions for facilitation payments, as the US does, is not a universally accepted practice, and not something that we consider acceptable." Claire Ward, Hansard, 3 March 2010, Column 981.

53. Joint Prosecution Guidance, supra n. 6, at 9.

54. The guidelines list as a factor tending against prosecution that a payer was "in a vulnerable position arising from the circumstances in which the payment was demanded." Joint Prosecution Guidance, supra n. 6, at 9. Vulnerability is not defined, but is commonly assumed to refer to threats to individual health, safety or liberty rather than adverse consequences for a business (such as from delays clearing goods through customs). See, e.g., MOJ Adequate Procedures Guidance, supra n. 6, para. 48 (discussing payments made in order to protect against loss of life, limb or liberty, and drawing a connection to the common law defense of duress). Further guidance on this point, however, may be needed.

55. MOJ Adequate Procedures Guidance, supra n. 6, para. 46. This statement was added to the final version of the guidance in response to business concerns about the practicality of a zero tolerance approach in some markets.

56. UK Serious Fraud Office Discusses Details of UK Bribery Act, Gibson Dunn (Sept. 7, 2010) (summarizing informal briefing by senior officials of the UK Serious Fraud Office). This warning is not found in official guidance, which instead appears to link adequacy to the particular facts and circumstances in a given case. MOJ Adequate Procedures Guidance, supra n. 6, para. 4. The implication from such statements is that corporates will be judged based on procedures relevant to a particular offense only, so that, for example, the government would ask in a case involving procurement bribery whether a corporate had procedures in place to prevent that bribery and not whether unrelated facilitation payments were permitted. (On the other hand, retaining a facilitation exception could combine with other factors to lower the government's general estimation of an organization's compliance commitment or program quality.)

57. Bribery Act 13(1). Although the precise scope of this defense is not yet clear, it would not appear to encompass more general assertions of national security based on diplomatic or related concerns.

58. Bribery Act 7(2).

59. MOJ Adequate Procedures Guidance, supra n. 6.

60. MOJ Adequate Procedures Guidance, supra n. 6, para. 4. Although dispositive judgments can only be made by the courts, the perceived quality of an organization's compliance efforts will be an important factor in the exercise of prosecutorial discretion.

61. The Organizational Guidelines and related explanatory materials are available at http://www.ussc.gov/Guidelines/Organizational_Guidelines/index.cfm.

About LRN: Inspiring Principled Performance Since 1994, LRN has helped 15 million people at 700 companies worldwide simultaneously navigate complex legal and regulatory environments and foster ethical cultures. LRNs combination of practical tools, education and strategic advice helps companies translate their values into concrete corporate practices and leadership behaviors that create sustainable competitive advantage. In partnership with LRN, companies need not choose between living principles and maximizing profits, or between enhancing reputation and growing revenue: both are a product of principled performance. In 2008, LRN acquired green strategy firm GreenOrder. LRN works with organizations in more than 100 countries, and has offices in Los Angeles, New York, London and Mumbai. For more information, visit www.lrn.com, follow @LRNinc on Twitter, or call: 800-529-6366 or +1-646-862-2040.

2011 LRN Corporation. All Rights Reserved. Not for Redistribution.


INTERNATIONAL BRIBERY AND CORRUPTION


INTRODUCTION
The use of bribery to obtain business has long been condemned in Europe. This handbook sets forth the legal landscape affecting companies that seek European business, particularly government business. It should be noted that bribery is always, by its very nature, a two-way process. All acts of bribery involve at least two parties: "active" bribery refers to the party who offers the bribe, and "passive" bribery refers to the party who demands or accepts the bribe. This handbook considers the laws prohibiting bribery in the European Union (EU) and among member states of the Organisation for Economic Co-operation and Development (OECD), as well as laws in the three largest member states of the EU: the United Kingdom, Germany, and France. You should note that the rules against bribery in the various member states of the EU are not harmonized. All member states criminalize bribery of public officials, but not necessarily in the same way. Therefore, one needs to look at the national laws independently. This treatment provides only a general overview of the basic concepts and differences between international laws addressing bribery. It is not intended to provide legal advice or guidance regarding how you should act in a particular situation or country.

ANTIBRIBERY LAWS FOR EU OFFICIALS


In 1997, the EU adopted the Convention on the fight against corruption involving officials of the European Communities or officials of member states of the European Union (EU Convention). The EU Convention tackles bribery of EU and national officials. The penalties for violating the EU Convention differ from one member state to the next. However, in general, those committing an offense pursuant to the EU Convention may receive a fine and, in serious or repeated cases, prison time.

I. What Does the EU Convention Prohibit?

A. Making or receiving bribes or offers of bribes
The EU Convention prohibits both active and passive bribery. It makes it illegal for any individual to bribe or attempt to bribe an EU or national official to gain an advantage of any kind (active bribery). This prohibition applies to bribes made not only to obtain or retain business from an EU or national official, but also to influence an EU or national official to act or refrain from acting in accordance with his duty.

Example 1: A UK company is bidding for a contract to provide services to the EU. The company pays money to a European Commission official in charge of procurement in return for being awarded the contract. This is clearly a bribe designed to make the official act in a manner contrary to his duty by directing the business to the company.

Example 2: GlobalDry, an EU company, sells hand dryers. It learns that the EU is preparing a report on whether such hand dryers are hygienic. GlobalDry has firm evidence that the dryers are perfectly hygienic, and it pays the official drafting the report to place a lot of emphasis on that evidence. This is a bribe, because even though GlobalDry's evidence may be perfectly accurate, the official is being paid to emphasize the company's position.

In addition, the EU Convention makes it illegal for an EU or national official to directly or indirectly request or receive advantages of any kind whatsoever for himself or a third party in order to act or refrain from acting in accordance with his duty (passive bribery). The EU Convention doesn't apply to the bribery of private company employees.

Example 3: SeedCo is researching a highly controversial new form of seed production. The European Commission is investigating the environmental impact of such seeds. Several SeedCo executives meet with Tom, one of the officials in charge of putting together a report on the issue. During the meeting, Tom makes it clear that the Commission will be more likely to take a favorable approach if the company pays a sum of money to meet the "usual administrative expenses." The SeedCo executives know that Tom is requesting a bribe. Tom provides details for a bank account in Switzerland, and the company pays the sum into that account. Although Tom requested the bribe, SeedCo is liable for bribery for paying (or even promising to pay) the sum. The company would be blameless only if it had clearly refused Tom's request.

The EU Convention prohibits bribes made either directly or through an intermediary. This means that payment through agents and payments to companies belonging to relatives or business associates of the foreign public official will also amount to an offense.

Example 4: Global Corporation retains Susan, a sales representative, in Belgium. Susan secures a contract with the European Commission as a result of paying the official in charge of procurement. Susan then requests a higher commission than usual from Global for additional expenses. This would amount to a bribe, even though the company isn't directly involved, as the payment is made through Global's intermediary. The fact that Susan is requesting additional commission without providing a reason for it should alert the company that an improper payment might have been made.

B. What constitutes a bribe?


A bribe is an offer, promise, or advantage (such as a gift) that is intended to induce the recipient to misuse his position as an EU or national official to wrongfully benefit the payers by, for example, directing business toward them. A promise or payment is corrupt if it influences the official's decision or induces the official not to do something he ought to. Officials of EU institutions are required to be independent at all times, free of political or corporate affiliations of any kind, and above any acts of bribery. Most particularly, the conduct of EU officials is strictly regulated by the Community Staff Regulations, which state that EU officials may not take any "instruction," nor accept any "honor, decoration, favor, gift, or payment of any kind whatsoever except for services rendered either before their appointment or during special leave for military or other national service."

The EU Convention prohibits not just money payments but also anything that can be construed as an advantage of any kind. There is no minimum value of what violates the EU Convention, though it is unlikely to be violated if the item is of nominal value. "Facilitation payments" are payments made to officials in order to "speed up" the administrative process. Such payments are illegal if paid to an EU or national official and, moreover, are illegal in every country in the EU and in Europe generally. Any of the following are likely to be considered payments:

- A payment or promise to pay money
- Facilitation payments
- Providing or promising to give gifts of any value
- Providing more than modest entertainment
- Providing or promising accommodation (for example, a holiday home/hotel)
- Providing or promising personal discounts
- Providing or promising shares in the company
- Providing or promising payments for spurious consulting services

Example 5: The EU is considering investigating the sports industry. Concerned that the investigation may affect the way it sells its sporting rights, the Sports Council, an industry association, invites Roger, the EU official in charge of the investigation, to meetings with people in the organization. Roger is also invited to one of the organization's sporting events, on the grounds that only by knowing the industry can the official make a reasoned assessment of the expenses and costs involved in the sport. Roger informs his superiors, who allow him to accept, as long as the EU pays his expenses. Roger goes to meetings, watches the event, and is given a modest restaurant meal. This probably doesn't infringe the EU Convention, as the official has met all his own expenses, and the meal, as long as it is modest, would not amount to a gift.

Example 6: The EU is investigating mobile phone rates. Worldwide Telephones is concerned that the investigation will force it to lower tariffs for mobile phone calls. Worldwide is also the sponsor of a Premier League football team and invites Margaret, the official in charge of the investigation, to meetings at its head office. Margaret informs her superiors, and the EU pays her traveling expenses. After the meetings, Margaret is invited to watch a football match involving the sponsored team from the corporate box, and is given a meal in a nice restaurant. This could amount to a bribe within the meaning of the EU Convention. Although the gift may not have been offered with the intent of inducing the official to do anything irregular, it may be seen as an attempt to secure an improper advantage in connection with the Commission's investigation.

Example 7: XYZ Company is interested in developments in EU legislation. XYZ representatives attend a meeting with a member of the European Parliament (MEP) to discuss matters of concern. At the end of the meeting, the XYZ representatives give the MEP a baseball cap and a t-shirt with the XYZ logo. The baseball cap and t-shirt are unlikely to be construed as a bribe or as an object of value.

Example 8: Beta Manufacturing is trying to get the Commission to amend its current draft of a directive. Beta invites the official in charge to spend his holidays with the company's CEO in the south of France. The official is then given an all-expenses-paid holiday with his family at a hotel in Nice. This would clearly amount to a bribe within the meaning of the EU Convention, regardless of whether or not it finally influenced the official's behavior.

C. EU and national officials


The following are considered officials within the EU Convention:

- Employees of the EU (this includes officials in the Commission, European Court of Justice, European Parliament, Council, European Central Bank, European Court of Auditors, etc.)
- Persons temporarily assigned to the EU from either a public or private body
- National officials in an EU member state (as defined by the national law)

Under the EU Convention, it is also an offense if the bribe is given not to the official but to a third party.

Example 9: Music Monolith Incorporated has an interest in the findings of a European Parliament report into piracy on the Internet. The company comes into contact with a trainee from a consulting firm who has been temporarily assigned to work in the European Parliament. The trainee is involved in the preliminary drafting of the report. Music Monolith pays the trainee a sum of money to place a heavy emphasis on the company's arguments. The trainee, although not a permanent official in the European Parliament, is considered to be an official under the EU Convention. The payment is therefore a bribe.

Example 10: A Belgian company wants to enter the French market for supplying road signs. The official working in the Ministry for Transport says that he will grant them the contract if a large sum of money is paid to his wife's bank account. The Belgian company agrees and is awarded the contract. This is a bribe, as the EU Convention covers not only EU officials but also national officials and any third party who carries out the corrupt act.

II. Who Is Covered by the EU Convention?


The EU Convention places liability on the person who gave or received an offer or bribe. The EU Convention also places clear responsibility on the head of the company that employs the offender. This is to be determined in line with the national law in question when applying the EU Convention.

For example, during the summer of 2003, the EU's official statistics-gathering body was accused of impropriety. The statistics gathered by this institution determine how much everyone pays into the annual budget and ensure that the European member states are obeying the single-currency rules. Accusations emerged that "unacceptable and irregular practices" had been taking place over the award of contracts. Investigators suspected that the value of some contracts was artificially inflated, with the money possibly siphoned off into secret bank accounts. The Commission launched a full-scale investigation and suspended a number of officials. Suspicion fell on a French company that had been awarded 40 million in contracts between 1992 and 2002. All existing contracts with the company were suspended, and details were given to a Paris prosecutor. This case demonstrates the seriousness with which the Commission is now tackling allegations of bribery, and how the penal laws in member states such as France can be used to prosecute those suspected of improper action.

III. Jurisdiction

The EU Convention grants member states jurisdiction to deal with bribery among EU and national officials. The EU Convention states that a national court can claim jurisdiction if the offense took place on its territory or if the offender is a national of that member state. If an EU or national official is bribed while outside the jurisdiction of an EU member state, then determining who has jurisdiction falls under the laws of the member states concerned. According to the EU Convention, jurisdiction can be established based on the nationality of either the company or the official in question. The member state where the offense took place could also claim jurisdiction. If the company is not from an EU member state, then it is likely that the official and the company involved would be prosecuted either in the country of the official's nationality or in the country where the offense took place.

Example 11: A report emerges suggesting that an EU official from Spain, conducting a trade investigation in China, has been bribed by one of the Chinese companies subject to the investigation. As the EU official concerned is Spanish, the Spanish courts decide to prosecute him and to launch proceedings in Spain against the Chinese company.

In an actual case, in 1999, allegations of bribery were made against the European Commission, including one particularly serious charge leveled against the French commissioner. It was alleged that a friend of the commissioner, appointed and paid handsomely to carry out research into aging and AIDS, produced just 24 pages of worthless notes after 18 months of work. An inquiry found the French commissioner guilty of favoritism. In addition, other commissioners were found guilty of unrelated offenses. The president of the European Parliament drafted a resolution demanding that the commissioners at the center of the allegations resign.
With the writing on the wall, the commissioners resigned en masse, spurring reforms within the commission and motivating the member states to put in place serious penalties for bribery of EU officials. In 2003, Belgian prosecutors brought charges of bribery against the French commissioner, and the Commission also launched a parallel investigation.

IV. Penalties

It is a criminal offense under the EU Convention to bribe an EU or national official. National law determines the severity of the sentence. Penalties vary but always include fines, which can be unlimited in some countries, and, in serious cases, imprisonment. A person found guilty of bribery will have a criminal record.

It should also be noted, as an area of particular interest, that in the case of public contracts subject to EU procurement rules on compulsory advertising and bidding, companies may be excluded from bidding procedures on the basis of certain known prior misconduct. In other words, acquiring a "record" for misconduct in this area can lead to deliberate exclusion from public sector contracts. It is broadly stated that any company may be excluded from participation in a contract if
- it has been convicted of an offense concerning its professional conduct, or
- it has been guilty of grave professional misconduct proven by any means that the contracting authorities can justify.

In general, the stigma associated with bribery is such that a company or individual found engaging in such improper activities will not be trusted again, and their reputation and commercial standing will be severely damaged.

V. Lobbying the EU

It is worth noting that bribery and "lobbying" are still seen as two different things. Lobbying is considered a respectable activity under the EU Convention, and the European Commission has put forward a voluntary, self-regulating code of conduct for lobbyists that has been signed by most of the main EU public affairs practitioners. The European Parliament has also taken many steps to finalize a mandatory code of conduct that lobbyists must sign and abide by if they are to be listed on the register of recognized lobbyists and to maintain regular access to the European Parliament buildings and facilities. The general view is that attempts to persuade EU officials of a particular viewpoint are not irregular provided they are not accompanied by any improper incentive for the officials concerned to adopt that point of view.

Example 12: A company provides gas to a large market in the United Kingdom. There have recently been many developments at the EU and national level in this sector. The company decides to host a one-day conference in London to discuss the developments. It invites EU officials, officials from the UK Department of Trade and Industry, prominent lawyers, and experts in the field to speak. It hosts a lunch and, afterwards, a cocktail reception. This event would not be considered corrupt.

Example 13: A French company is concerned about proposed amendments to a European directive. The company meets the Commission officials involved and hires a respected lobbyist, who makes representations to MEPs. The company also meets members of Parliament in the United Kingdom and France, who in turn contact the minister responsible for this sector. The final draft of the directive takes some of the company's concerns into account. Again, this lobbying is perfectly acceptable, as there is no suggestion of any payments being made by the company to influence the drafting of the directive.

VI. Employment of EU Officials

After leaving the service of the EU institutions, officials are "bound still to behave with integrity and discretion as regards the acceptance of certain appointments or benefits." In certain cases, senior officials may be prevented from engaging in certain types of employment for a period of three years after they have left the service.

Example 14: A French gas company learns that a Commission official who is an expert in the field is considering leaving the Commission. The company offers the official a position as a consultant. The official retires and informs the necessary bodies in the Commission of his intention to work for the French gas company. As long as the Commission does not raise any issues with this, and the official does not commence work until after leaving the European Commission, this is acceptable.

BRIBERY OF FOREIGN OFFICIALS: THE OECD CONVENTION


The OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions (the "OECD Convention") provides a degree of standardization of the law in this area. Thirty-eight countries have ratified the OECD Convention: Argentina, Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Chile, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Israel, Italy, Japan, Korea, Luxembourg, Mexico, the Netherlands, New Zealand, Norway, Poland, Portugal, the Slovak Republic, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, the United Kingdom, and the United States.

I. What Does the OECD Convention Prohibit?


The OECD Convention is relatively narrow in scope. It applies only to "active" bribery (offering or paying a bribe), not "passive" bribery (soliciting or accepting one). It also covers only bribery of foreign public officials in relation to the performance of official duties in international business. The OECD Convention doesn't apply to non-bribery forms of corruption, to bribery that is purely domestic, or to bribery in which the intended recipient of the benefit is not a foreign public official. Bribery of private company employees is also not covered by the OECD Convention.

A. International business
The OECD Convention only covers bribes made for the purpose of obtaining an advantage in international business. It does not cover cases in which the bribe was made for purposes unrelated to the conduct of international business. Therefore, a facilitation payment to a foreign public official unrelated to international business may not be covered by the OECD Convention, but may be illegal in the OECD country or the country where the bribe took place. The OECD Convention covers payments made directly or through intermediaries.

B. What constitutes a bribe?


Any undue pecuniary or other advantage can constitute a bribe. The OECD Convention doesn't specify how much a payment or gift has to be worth to amount to a bribe. In essence, any sum or gift to a foreign public official could amount to a bribe if its intention and/or effect is to cause undue influence.

C. Bribery of foreign officials


A foreign public official under the OECD Convention means any person holding a legislative, administrative, or judicial office in a foreign country. The foreign official can be elected or appointed. It includes any person exercising a public function for a foreign country, including a public agency or public enterprise. The OECD Convention also covers any official or agent of a public international organization, such as NATO or the United Nations.

II. Who Is Covered by the OECD Convention?


The OECD Convention applies to any person who gives a bribe to a foreign public official or promises to bribe a foreign public official in the context of international business.

III. Jurisdiction

In general, a person can be prosecuted in an OECD country that has ratified the OECD Convention if any part of the offense of bribing a foreign public official took place in that country. That country may also prosecute its nationals for committing the offense of bribing a foreign public official even if the offense didn't take place in that country.

Example 15: Hans, a citizen of a European country that has ratified the OECD Convention, is living in a non-OECD country. During the course of his work as a sales agent, he bribes a government civil servant of the non-OECD country to secure a contract involving the importation of vehicles. All the arrangements for the bribe are made in the non-OECD country. This comes to the attention of the authorities in his native OECD country. The bribe was made in the course of international business, and the civil servant would be considered a foreign public official. On his next trip home, Hans is prosecuted in his native OECD country for bribing a foreign official.

IV. Penalties

The OECD Convention does not specify sanctions except to say that bribery is a criminal offense. The severity of the sentences will depend on the individual country, but in general the penalties are fines (which are sometimes unlimited) and imprisonment.

Example 16: Andreas, who is from a European OECD country, is working for a company setting up its operations in a non-OECD country. Andreas bribes an official in the country to get the license needed to export goods. He pays another bribe to a different official working in the public telephone monopoly to give his company preferential access to scarce telephone services, ahead of other companies that had applied many months before. The payment to the official to obtain a license would fall within the OECD Convention, as it is designed to procure an advantage in international business. The payment to the official to obtain telephone service probably wouldn't amount to an offense under the OECD Convention, as the payment was not made for international business reasons.

BRIBERY LAW IN THE UNITED KINGDOM


The United Kingdom has long prohibited bribes not just to public bodies but to private bodies as well. The UK Bribery Act, which came into force in 2011, is its latest effort in this regard, and is perhaps the most aggressive and far-reaching antibribery statute in the world.

I. What Does the UK Bribery Act Prohibit?

A. Making or receiving payments or promises

The UK Act prohibits four types of conduct:
- bribing another person
- requesting or accepting a bribe
- bribing a foreign public official
- failure on the part of a company to prevent bribery by its employees and other associated persons

The UK Act's ban on bribery includes facilitation payments, and the UK government has indicated its intent to prosecute those who make them, particularly if they are used as a standard way of doing business.

1. Bribing another person

The UK Act prohibits the payment of bribes to anyone, not just a public official, to get that person to perform certain kinds of functions improperly. This includes any function that is public in nature, business-related, employment-related, or performed on behalf of a company or other group of people. The UK Act refers to these as "relevant functions." A function is performed improperly if the person performing it shows favoritism, acts in bad faith, or violates a position of trust. For example, paying someone to award a contract, overlook construction defects, or reveal an employer's confidential information would in each case be a bribe in exchange for improper performance, and therefore a violation of the UK Act.

Example 17: Soapcom is a company that supplies soap to London offices. While negotiating a contract to stock Megacorp's headquarters with its products, the company agrees to give the Megacorp representative a cut of the contract price. The plan works, and the Megacorp employee appoints Soapcom as Megacorp's supplier. Both Soapcom and the Megacorp employee are guilty of bribery: the companies could receive an unlimited fine, and the individuals concerned could receive jail time.

Example 18: A company is seeking to build a supermarket in the Birmingham area. In addition to the normal administrative costs, the company tells an official working in the local authority that it will pay a facilitation fee "to speed matters up." The money is paid to an account named by the official. This is a bribe within the meaning of the UK Act.

Whether someone's performance is improper is judged by UK standards, not by the local custom or practice of the country or territory where you're doing business. So someone doing business in a country where bribery is viewed as normal can't rely on that fact to justify paying a bribe; it can still violate the UK Bribery Act even if local custom would allow it. The only exception is where the practice or custom is permitted or required by the written law of the country or territory in question. (But you should never rely on this kind of exception without the specific prior approval of the company's legal department.)

Offering a bribe in an effort to get someone to perform a relevant function improperly is enough to violate the UK Act. Actual payment isn't required. And the person initiating the bribe doesn't have to offer or pay it himself: if he has someone else do it for him, it's still illegal under the Bribery Act.

Example 19: Sam pays a local judge £50 to dismiss a traffic offense. His sister Charla offers to pay a housing inspector £10,000 to overlook building code violations, but her offer is rejected. And their cousin Tom has his assistant give an expensive watch to an employee of a private construction company in exchange for awarding a supply contract to Tom's company. Each of these is a bribe in exchange for the improper performance of public or business-related functions. The fact that Charla's offer was rejected, and that Tom's offer was made by his assistant on Tom's behalf, doesn't matter. Nor does it matter that Tom's assistant bribed an employee of a private company rather than a public official.

2. Requesting or accepting a bribe

Requesting or accepting a bribe also violates the UK Act. This is the case whether the request or acceptance is made directly or through someone else, and whether it's done for the benefit of the person requesting or accepting the bribe or of someone else.

Example 20: Harold, a building inspector, has his assistant, Simon, solicit "expediting payments" of £100 each from various permit applicants to "jump the queue." Harold uses the proceeds to pay off a past-due loan from his brother-in-law. Harold has violated the UK Bribery Act even though the expediting payments were solicited by Simon rather than by Harold directly, were relatively small, and were intended to benefit Harold's brother-in-law rather than Harold himself.

3. Bribery of foreign public officials

Under the UK Act, it's illegal to offer or pay a bribe to a foreign (non-UK) public official to influence the official's performance of official functions and to gain a business advantage as a result, whether or not the advantage is actually gained. Bribery of a foreign public official is illegal whether the bribe is offered or paid directly to the official or to someone else with the official's consent. It's also illegal even if the bribe is aimed at getting the official not to perform a function (like collecting import duties), or to perform a function that the official isn't authorized to perform.

A foreign public official is anyone who holds a legislative, administrative, or judicial position outside the United Kingdom. It also includes people who perform public functions for a government agency or enterprise. For example, a member of another country's national assembly, a foreign planning officer, or a doctor working for a foreign public health agency or state-owned hospital could all be considered foreign public officials. Officials of public international organizations, like the United Nations, are also considered foreign public officials. Such bribes are illegal even if there's no improper performance in return: the intent to influence the official and gain a business advantage as a result is enough.

Example 21: Jason is bidding on a construction contract with the rural development agency of a foreign country. He sends airfare to the official overseeing the contract, together with tickets to the country's national football finals, which have been sold out for months. Jason sincerely believes that his company's bid is more favorable to the development agency than the competition's and is furnishing the airfare and tickets simply to help ensure that the official gives his company's bid full and fair consideration. Jason has violated the UK Bribery Act even though his intent is to influence the official to give his company's bid full and fair consideration, rather than to seek an improper advantage in the bidding.

4. Failure of an organization to prevent bribery

Any corporation, partnership, or other commercial entity that is organized in or carries on a business in the United Kingdom is strictly liable if someone associated with it commits bribery to obtain or retain a business advantage for the organization.
The only way an organization can avoid liability for its associated persons' bribery is to show that it had adequate procedures in place to prevent bribery. Any person or entity that performs services on behalf of the organization can be considered an associated person. It's presumed, for example, that an organization's employees are associated with it. But there may be others as well. Depending on the circumstances, a company may be responsible for bribery by its agents, subsidiaries, joint venture partners, contractors, or other related entities if they intended the company to benefit as a result. A parent company, for example, could be liable if a subsidiary paid a bribe to obtain business for the parent.

Example 22: Alicia, a German citizen, works as a tax accountant at a foreign subsidiary of XYZ Company, a German corporation with production facilities in the United Kingdom. She bribes a tax official in the foreign country to give a tax exemption to the subsidiary. She also intends the bribe to result in significant tax savings for the subsidiary's parent, XYZ, for whom she performs tax services as part of her job. XYZ could be liable because it does business in the United Kingdom, Alicia is associated with XYZ, and she paid a bribe intended to benefit XYZ as well as her own company. The fact that XYZ is headquartered in Germany doesn't matter, because it does business in the UK. The fact that XYZ didn't know that Alicia was paying a bribe on its behalf doesn't mean that it's not liable for her conduct. It also doesn't matter that Alicia is not a UK citizen.

As noted, the only way for a company to avoid liability for an associated person's bribery is to show that it had adequate procedures in place to prevent bribery. The UK Act doesn't specify what would qualify as adequate procedures for this purpose. The UK's Ministry of Justice (MOJ), however, has provided guidance on this issue, and in particular on the principles that companies should follow in developing their own preventive measures. These principles include, for example, making sure that
- the procedures are proportionate to the company's bribery risks
- the company's top-level management is fully committed to preventing bribery
- the company does adequate background checks and other due diligence on those who perform services on its behalf

B. What constitutes a bribe?

A bribe can take virtually any form, as long as it has some value or, as the UK Act says, provides a "financial or other advantage." Here are just a few examples of what might be considered a "financial or other advantage":
- cash or other gifts
- discounts on products or services that aren't available to the general public
- charitable contributions made at the request of, or on behalf of, a public official
- personal favors that may not have a clear monetary value
- job offers
- travel and entertainment

There may be circumstances in which an inexpensive gift, a modest meal or entertainment, or necessary travel expenses may be provided without violating applicable bribery laws. On the other hand, it's also clear that such expenditures can be used as bribes. The more lavish the hospitality or the more expensive the travel, the more likely it is to violate the UK Act.


Under the UK Act, the ultimate issue is whether there's a connection between the expenditure and an effort to obtain a business advantage in return. The fact that the expenditure is consistent with industry norms doesn't necessarily mean that it's not intended as a bribe, particularly if those norms are lavish. For example, it may well be appropriate under the UK Act for a healthcare company to provide ordinary travel and lodging to a foreign public official so that he can visit and assess one of its hospitals. On the other hand, a five-star holiday unrelated to an evaluation of the company's services is more likely to be viewed as a bribe.

Example 23: A hotel is going to expand its premises. It offers free membership of its gym and swimming facilities to the local official in charge of construction permits. It doesn't mention its expansion plans, but submits them shortly afterwards. The membership would be considered a bribe, as the hotel is trying to put itself at an advantage.

Example 24: A company is involved in many investment activities. Dwight, one of the company's prominent directors, is a very good friend of Carol, a high-ranking civil servant in the ministry for media. On a sailing trip, Carol complains that her yacht is in very poor repair. Dwight tells her to leave the boat with him. The civil servant is pleasantly surprised when, a few weeks later, the yacht has been completely refurbished and repaired. A short time after that, a radio company backed financially by Dwight's investment company is awarded a licensing contract to set up a new independent radio station in London. Unless Dwight and Carol could prove the contrary, Dwight's gift of repairing and refurbishing the boat would be presumed to be a bribe, as his investment company was, through the radio company, seeking a government contract.

II. The UK Act's Jurisdictional Reach


The UK Act can apply to activities that occur within or beyond the borders of the United Kingdom. The Act applies if any part of a bribery offense occurs in the United Kingdom. So, for example, if a bribe is wired or mailed from the United Kingdom, the Act applies even if the bribe was arranged, and the improper performance occurred, elsewhere. And even if all the elements of the bribe occurred outside the UK, the Bribery Act still applies to anyone who played a role in the bribe and had a close connection to the UK. This could include, for example, British citizens and certain other British subjects, UK residents, UK corporations, and Scottish partnerships. Furthermore, an organization that does business in the United Kingdom could be liable under the UK Act for failing to prevent bribery even if no part of the bribe occurred in the United Kingdom and none of the participants had a close connection to the UK.

Example 25: Pierre, a Frenchman working for a Dutch bank in London, receives a loan request from a Dutch company. He agrees to smooth the figures to allow the loan to be granted, on the condition that a payment is made to a numbered Swiss account, and the Dutch company agrees. Unfortunately for Pierre, his employer has recorded the whole transaction, and the UK authorities apprehend him. The payment is a bribe. It doesn't matter that the Dutch company paying the bribe is not in the United Kingdom, that the people involved are not British, or that the payment is made to a Swiss account. Once any aspect of the bribe takes place in the United Kingdom, UK law applies.

Example 26: A UK company is opening offices in another country, which has a reputation for bribery. The company is attempting to get the necessary licenses from the government, but the officials in charge refuse to grant the licenses unless the company pays a facilitation fee. The company reluctantly does so. Although the facilitation fee paid is nominal, this still qualifies as a bribe under the UK Act.

III. Penalties

Any person found guilty of violating the UK Bribery Act can be subject to imprisonment of up to ten years, an unlimited fine, or both. Companies that are victims of bribery at the hands of another company can sue to recover any losses incurred as a result of the bribery and for damages.

IV. Employment After Leaving Civil Service


A civil servant's freedom to embark on alternative employment after having left the service is restricted. A committee exists within the civil service that scrutinizes appointments that civil servants propose to take up in the first two years following their jobs within the civil service. The committee often imposes certain conditions, such as requiring the civil servant to delay, for a set time period, accepting particular employment that may conflict with the former civil service position.

BRIBERY LAW IN FRANCE


French law prohibits active and passive bribery. Bribery is a criminal offense under the French penal code. A bribe can be money, a gift, or any other form of advantage. Facilitation payments are illegal. As with EU Convention rules and UK law, the emphasis is not on the value of the gift but, rather, its purpose.

I. Public Officials

Under French law, it's illegal to offer or pay a bribe to an elected public official, anyone who holds public authority, or anyone who is responsible for public services (a "public official"), in an effort to get the official to
- perform or fail to perform official duties, or to reward the official for having done so, or
- use his official position to obtain contracts, employment, favorable decisions, or other favors from a public authority or the government (commonly known as "influence peddling"), or to reward him for having done so.


French law prohibits all such payments, whether direct or indirect. It therefore doesn't allow people to get around the law by using intermediaries. As we've noted, passive bribery is also illegal. It is therefore illegal for public officials to solicit or receive bribes for performing or failing to perform official duties, or for influence peddling. Individuals who aren't public officials can also be prosecuted if they solicit or receive bribes for influence peddling. Anyone who honors a request for a bribe in any of these circumstances is viewed as having engaged in bribery.

II. Judicial Officials

The same rules apply to individuals involved in the justice system ("judicial officials"), such as judges, jurors, registry officials, mediators, arbitrators, and experts appointed by a court or by the parties. It's illegal for anyone to offer or pay a bribe to a judicial official for performing or failing to perform official duties, or for using an official position to obtain a favorable decision or opinion from a judicial officer. It's also illegal to bribe anyone else to use her influence to obtain a decision or opinion of this kind.

III. Foreign Officials

The rules are also similar for foreign public officials and foreign judicial officials, such as officials of the European Commission, of an EU member state or other foreign country, of a public international organization, or of a foreign or international court. It's illegal to offer or pay a foreign public or judicial official a bribe in exchange for the performance or nonperformance of official functions, or for influence peddling. And it's illegal for a foreign official to solicit or accept such a bribe. French courts have jurisdiction over the bribery of foreign officials if any part of the offense is committed in France or, in some cases, if it is committed by a French national outside France.

Example 27: A French company wants to operate trains in the United Kingdom. The British government has opened up one of the rail lines for bids, and it is well known that the current operator is out of favor because of a number of accidents on the line. The French company invites the UK official in charge to France to see its operations. It pays for the UK official to stay at the Ritz, all expenses paid, and agrees to pay a consulting fee to a company owned by the official. The French company is awarded the contract. The stay at the Ritz and the consulting fee would amount to a bribe under French law. It is also an offense under the UK Act, and it would be a matter for the courts to determine which court had jurisdiction over the proceedings.

Example 28: A French company is seeking a contract with the European Commission to undertake a tourism survey in France. The company bribes a Commission official during a visit to Paris. The company has engaged in active bribery, and the official is guilty of passive bribery under French law.

Example 29: A French company is seeking to obtain an export license from another country. The sales representative of the French company asks for a 10% commission rather than the 5% commission that sales representatives usually receive. The sales representative then bribes the minister for trade in the country in question and is subsequently awarded the export license. Since the minister holds public authority in that country (and is therefore a foreign public official for the purposes of French law), the company has violated French bribery law.

IV. Individuals Other Than Public or Judicial Officials


French bribery law also covers individuals who manage or work for entities in the private sector ("private sector employees"). It prohibits anyone from offering or paying a bribe to a private sector employee in exchange for the performance or nonperformance of an employment-related function, in violation of any legal, contractual, or professional obligation. It also prohibits a private sector employee from soliciting or accepting any such bribe.

V. Penalties

Generally, the penalties for active bribery include a fine of up to €150,000, up to ten years' imprisonment, or both. The penalties for passive bribery, and for the individuals and companies yielding to such a request, are a fine of up to €75,000 and up to five years' imprisonment. The same penalties apply to the active or passive bribery of private sector employees. Judges are subject, in some cases, to a fine of up to €225,000, 15 years' imprisonment, or both. Other penalties may also apply, such as exclusion from business activities and loss of certain other rights; disqualification from public office; confiscation of the bribe itself and any other proceeds of the offense; and public display or dissemination of the court's decision finding guilt.

ANTIBRIBERY LAWS IN GERMANY


German law prohibits active and passive bribery. A bribe includes all advantages of any kind, whether material or not.

I. Domestic Public Officials

It's illegal under German law to offer or pay a bribe to any of the following in exchange for the past or future performance or nonperformance of an official duty:
- a public official
- anyone employed by a public agency or by a private entity that performs services for a public agency ("agency employee")
- a soldier in the federal armed forces

In addition, it's illegal to offer or pay a bribe to a judge or arbitrator for the past or future performance or nonperformance of a judicial act. Bribery aimed at getting any of these individuals to violate their duty, or rewarding them for a past violation, is a separate and more serious offense. However, it's still a bribe even if it's merely intended to influence officials in the exercise of their discretion. It's also illegal for public officials, agency employees, judges, or arbitrators to solicit, entertain offers of, or accept bribes in exchange for performing, failing to perform, or violating their official duties, or for allowing themselves to be influenced in the exercise of their discretion. Active or passive bribery can occur whether or not an official act or judicial act is actually carried out or is legally objectionable in and of itself. The offer, payment, solicitation, or acceptance of a bribe relating to official activity is sufficient.

Example 30: A company bribes a judge to find in its favor. It turns out that the judge's decision is in fact legally correct. Nevertheless, the bribe is still illegal.

II. Members of Parliament and Other Domestic Assemblies


German law forbids the actual or attempted buying or selling of votes for elections or ballots in the European Parliament and in public assemblies of the Federation, member states, municipalities, or municipal associations.

III. Foreign Public Officials

German law prohibits the active bribery of the following foreign officials in international business transactions:
- a judge in a foreign state or international court
- a public official of a foreign state (including an official with a nongovernmental organization, or NGO, implementing a program funded by an international organization and entrusted with carrying out the organization's functions)
- a person entrusted with a public function, either with or for an authority of a foreign state, for a public enterprise with headquarters abroad, or with other public functions for a foreign state
- a public official or other member of an international organization, or a person entrusted with carrying out its functions (such as, in most cases, EU officials)
- a soldier of a foreign state who is entrusted to exercise functions of an international organization

Example 31: A German medical company is interested in supplying medical equipment to an NGO that is working in a developing country running a United Nations program. The German company bribes the NGO employee responsible for ordering equipment to order medical equipment from it. The German company has likely violated German bribery law: although the employee works for an NGO, the NGO is running a U.N. program, and therefore the employee could be regarded as a public official under German law.

German law also prohibits the active or passive bribery of
- judges of another EU member state
- members of a court of the European Communities
- public officials of another EU member state whose positions correspond to that of a public official as defined in the German Criminal Code
- Community officials as defined in the Protocol of September 27, 1996
- members of the Commission and Court of Auditors of the European Communities

IV. Bribery in the Private Sector


Under German law, it's illegal for an employee or agent of a business to solicit, accept, or entertain an offer for a bribe in a business transaction in exchange for giving someone else an unfair advantage in the competitive purchase of goods or commercial services. It's also illegal for anyone, for competitive purposes, to offer or pay a bribe in exchange for such advantage. These prohibitions apply to foreign as well as domestic transactions.

V. Jurisdiction

German courts have jurisdiction over acts of bribery committed within Germany or, in some cases, committed outside of Germany by German nationals. Germany may also assert jurisdiction over bribery committed in a foreign country by a non-German permanent resident of Germany. This applies if the permanent resident is not extradited to the foreign country because extradition was not requested, was refused, or cannot be granted.

Example 32: A citizen of another country is wanted by the authorities of his home country for bribery of officials there. Despite the overwhelming evidence against him, the German courts refuse extradition, as they cannot guarantee that the death penalty will not be invoked in the country in question. The German authorities may decide to try the person in Germany, even though none of the bribes took place in or involved Germany in any way.

Example 33: Lawrence, a U.S. national, is registered as a permanent resident in Germany. German authorities discover that he has bribed a number of officials in another country to secure a monopoly over the sale of farm equipment there. Although the bribes were arranged and paid outside of Germany, he is arrested and tried in Germany as a permanent resident.

VI. Penalties

The penalty for bribery of a public official or foreign official is three months' to five years' imprisonment, a fine, or both. In particularly serious cases, the imprisonment can rise to ten years. The penalty for bribing a member of Parliament or a member of a foreign parliament is imprisonment of between one month and five years, or a fine.


BASIC PRINCIPLES FOR EMPLOYEES AND COMPANIES


Large companies acting on an international and pan-European basis are advised to implement an antibribery policy. Employees should refer to their company's policies if they are ever approached for bribes. To avoid violating bribery laws, individuals and companies (referred to below collectively as "enterprises") should follow the basic principles set out below in relation to "business in Europe," which are based on the guidelines drawn up by the International Chamber of Commerce.

I. Bribery and Kickbacks


No enterprise should directly or indirectly offer or give a bribe, and any demands for such a bribe should be rejected. Enterprises should not kick back any portion of a contract to employees of the other contracting party. Enterprises should not use other techniques such as subcontracts, purchase orders, or consulting agreements to channel government-bound payments to employees of the other contracting party, their relatives, or business associates.

II. Agents

Enterprises should take reasonable steps to ensure that
- any payment made to an agent represents no more than an appropriate remuneration for legitimate services rendered
- no part of any such payment is passed on by the agent as a bribe
- a record of names and terms of employment for all agents in connection with transactions with public bodies or state enterprises is maintained and made available to auditors

III. Financial Recording and Accounting


All financial transactions should be recorded properly and fairly in appropriate account books available for inspection by boards of directors and auditors. There should be no "off the books" or secret accounts. No documents should be issued that do not fairly record a transaction. A system of independent auditing should be put in place.

IV. Political Contributions
Contributions to political parties or individuals should only be made in accordance with the applicable law. All contributions should be reported to senior corporate management.

V. Company Codes
Enterprises should adopt and draw up their own codes of conduct and train their employees in, and inform them of, the rules. The code of conduct should apply to the company's subsidiaries, joint ventures, and agents.


TOP TEN THINGS TO REMEMBER ABOUT SARBANES-OXLEY: OVERVIEW


1. The goal of SOX is to restore investor confidence. After a series of corporate scandals featuring accounting manipulations that cost stockholders billions of dollars, corporate governance reform was needed. There were widespread conflicts of interest and abuses of power. SOX attempts to eliminate such conflicts and abuses and thereby restore investor confidence in the validity of the financial statements of public companies.

2. The audit committee serves as an independent check on management's powers. The audit committee segregates duties to help maintain the independence necessary for an effective review by external auditors. Specifically, the audit committee separates senior management from hiring, paying, and reviewing the work of the external auditors. This way, the auditors feel less threatened by senior management, which should lead to a more independent review.

3. An effective internal controls framework must include all employees. Internal controls are a series of checks and balances that can be as small as receiving authorization on a purchase of office supplies or as important as limiting access to confidential company information. SOX mandates that a reasonable set of controls be established to protect company assets and ensure the validity of the company's financial statements. All company employees need to be involved for these efforts to be successful.

4. SOX provides severe penalties for those who violate it. SOX specifically empowers the SEC to take action against these people. The SEC can bar executives more easily from working as part of senior management or as directors of public companies. It can file civil charges against executives who try to manipulate or threaten external auditors. In addition, people who violate SOX can be fined up to $5 million and imprisoned for up to 20 years, depending on the violation.

5. Internal controls are an extremely valuable tool. SOX requires management to be responsible for the company's internal controls program. Many controls limit the chances of theft and fraud throughout the organization through procedures such as authorizations and asset safeguards. Internal controls also force a company to understand its business and the potential problems it could face.

6. Before SOX, providing nonaudit services that undermined auditor independence was more common. Audit firms used to provide their audit clients with other consulting services that were frequently more lucrative than the audit itself. On some occasions, auditors were unwilling to provide an independent review of the financial statements because they didn't want to upset senior management and risk losing their nonaudit services. Under SOX, auditors can't provide specified nonaudit services to their audit clients, and any nonaudit services they do provide must be preapproved by the audit committee.

www.eca.lrn.com 1

7. Management has often escaped responsibility for accounting errors by claiming ignorance. One of the reasons SOX requires CEOs and CFOs to certify quarterly and annual reports is that some of them blamed poor internal controls or ignorance of the controls for accounting errors. Under SOX, it's more difficult to use this as an excuse. By certifying the financial statements and internal controls, CEOs and CFOs are forced to take responsibility for their company's financial statements.

8. SOX attacks many conflicts of interest beyond those of senior management and directors. Senior managers and directors aren't the only ones with potential conflicts of interest. For example, some investment bankers issued positive research reports on companies that did business with the bank and issued poor reports on companies that used their competitors. SOX separates the research section of investment banks from their other investment banking services so that each is independent.

9. Control breakdowns don't always start with dishonesty, but rather with pressure. Many individuals who commit accounting fraud aren't thieves, just employees who feel pressure to meet high expectations. Sometimes it's managers trying to protect their employees from layoffs and thinking they can correct their manipulations in future quarters. The important point is to remain vigilant, because pressure combined with poor judgment can lead to breakdowns, and internal controls and an ethical corporate culture are the best tools to prevent these situations.

10. SOX strives to create an ethical corporate culture. This legislation is comprehensive and extensive. From protecting whistleblowers to requiring transparency in accounting practices, SOX stresses honesty, responsibility, and the freedom to communicate, even when the news is bad. To fully meet the requirements of SOX, in both letter and spirit, a company must have an ethical culture.


FREQUENTLY ASKED QUESTIONS ABOUT SARBANES-OXLEY - OVERVIEW


How did the corporate scandals leading up to SOX justify the need for legislation?
Most of the institutions that were designed to provide protection against large-scale fraud were undermined to some degree. Investment bankers, analysts, lawyers, rating agencies, external auditors, senior management, and boards of directors all failed to protect investors. These failures were due in part to perverse incentives and conflicts of interest that should have been avoided. Legislation was needed to address these problems.

What do external auditors do?
Each public company is required to have an external auditor review its financial statements. The external auditor issues an opinion on whether the statements comply with the required accounting standards. In addition, SOX requires external auditors to review the company's internal controls over financial reporting to make sure they're effective in preventing fraud and in providing reasonable assurance on the reliability of the financial statements.

How does the PCAOB affect public accounting firms?
In effect, there are two classes of public accounting firms in the United States: those that are qualified to audit public companies and those that are not. SOX gives this independent nonprofit board the ability to oversee public auditors and to analyze from an unbiased perspective whether they offer truly independent opinions.

What are stock options?
Stock options from your employer give you the right to buy a certain number of shares of your company's stock at a future time and at a price that your employer specifies. Options are widely used as an incentive for employees and to allow them to share in the company's success.

Does SOX address the conflicts of interest of investment bankers?
Yes. Senior management and directors weren't the only ones to have serious conflicts of interest. At times, investment bankers issued positive research reports on companies that did business with the investment bank and issued poor reports on companies that used their competitors. SOX separates the research section of investment banks from their other investment banking services so that each is independent, which should lead to unbiased research reports.

What is fiduciary responsibility?
Fiduciary responsibility is a broad legal term that includes the duties of good faith, loyalty, and care that one must exercise in the management of another's money or property. Company employees who have a fiduciary responsibility must protect the company by putting the company's interests ahead of their own.

What are the qualifications to be a financial expert on an audit committee?
You must have a thorough understanding of internal controls for financial reporting and of accounting standards, specifically those dealing with accounting for estimates, accruals, and reserves. You should also have past experience that demonstrates your ability to understand basic financial statements.


Why are accounting rules flexible?
Accounting rules were designed to be widely applicable across many industries and types of companies. Flexibility has been a virtue, for the most part, by allowing companies to determine the best way to portray their finances in their financial statements.

What are off-balance sheet liabilities?
These are liabilities that companies formerly didn't have to list on their financial statements, so they were essentially deals hidden from stockholders. Some companies, like Enron, used this accounting loophole to distort their financial statements. Through creative deal structuring, the company could avoid classifying certain transactions as liabilities. SOX strives to close this accounting loophole.

What types of compensation are available for whistleblowers subjected to retaliation?
Compensation for unlawful retaliation includes reinstatement at the same seniority status the employee would have had, back pay with interest, and compensation for any special damages, including legal and witness fees. If you've been threatened in an effort to prevent the disclosure of information, contact your firm's audit committee or law or compliance department.

What does it mean to certify financial statements?
By certifying financial statements, the CEO and CFO are personally taking responsibility for them. Penalties for inaccurate certifications can be as high as 20 years in prison, a $5 million fine, or both.

What does an internal controls framework do?
An internal controls framework is a comprehensive process that helps a company operate efficiently and effectively. In this process, a company should create business objectives, determine risks, establish control activities, and define and communicate roles and responsibilities to all employees. Within this process, there are individual controls such as requiring authorizations on large purchases and limiting access to confidential information. Individual controls help to safeguard assets, safeguard ownership interests, and create credible financial reports.

What are some examples of individual controls?
Examples include authorizations, verifications, account reconciliations, reviews of operating performance, delegation of authority, security of assets, and segregation of duties. They occur throughout the organization, at all levels and in all functions.

Why are internal controls important?
Poor internal controls lead to the deterioration of virtually everything of value in an organization. Effective controls help ensure the accuracy of data. Inaccurate data can undermine the value of a company's financial statements and lead to poor managerial decisions, since senior management uses this same data to make many business decisions. Poor controls may also undermine the relationships the company builds with its shareholders, customers, and suppliers.


What is the audit partner rotation requirement?
In general, audit partners are individuals who have substantial decision-making or other responsibilities in the audit of a public company. SOX requires that audit partners be rotated every five years. In addition, a former company employee can't take a job at the company's current audit firm and work on the company's audit until a one-year "cooling off" period has passed.


YOUR RESPONSIBILITIES FOR FINANCIAL REPORTING


INTRODUCTION
Every company is accountable to its owners. In the case of a corner grocery store or gas station, the family that runs the operation may be the owners. For a law firm or medical group, the partners are the owners. In a large public company, the shareholders are the owners. As employees of a public company, from entry-level staff members to the company president, each person within the organization is also accountable to its shareholders. One way to account to a public company's owners is through financial reporting. For companies listed on a U.S. stock exchange (commonly referred to as public companies), financial reporting must be provided to the company's owners and government regulators every three months. Similar requirements and practices are in place for public companies in other countries. For the purposes of this handbook, however, the examples and specific references used will refer to the requirements of U.S. public companies. It should be noted that foreign companies that have their stock traded on U.S. stock markets or that sell bonds in the United States fall under most of the same regulations as their U.S. counterparts. Over the past decade, the consequences of inaccurate financial reporting have been a regular news item. Various businesses, ranging from energy trading firms to long distance phone companies to public accounting firms, have been fined, filed for bankruptcy, or gone out of business because of their actions. This is not a problem limited to the United States. Companies in Europe and Asia have had similar problems, and governments around the world have pursued reforms similar to those in the United States in an effort to promote accurate financial reporting. In response to Enron and other high-profile fraud scandals and business failures, the U.S. Congress in 2002 enacted the Sarbanes-Oxley Act, strengthening existing financial reporting rules and creating new oversight requirements.
These requirements have, more than any legislation before, established a broad list of standards surrounding the financial reporting process. This legislation is intended to enforce the notion that the quality of a company's financial reporting is ultimately the responsibility of that company's senior management, but is also dependent on the actions of all the employees in that organization. This handbook provides a general overview of the financial reporting process and the regulatory guidelines associated with the process. It does not provide legal advice or guidance regarding how you should act in a particular situation that involves suspected improprieties in the financial reporting process. Accurate financial reporting is a complex process subject to subtleties that cannot be completely covered in a brief treatment of this kind. Always consult your internal management and law department about any questions or concerns that you may have about the financial reporting process.

THE BASICS OF FINANCIAL REPORTING


I. Regulatory Requirements

Public companies in the United States are subject to numerous regulatory requirements. A U.S. public company is a company that has offered stock to the investing public through a stock exchange in the United Statestypically either the New York Stock Exchange (NYSE) or the Nasdaq electronic stock exchange. Once a company is public, it has a number of responsibilities to its shareholders, the U.S. government, and the investing public. One of the major responsibilities that a public company must fulfill is to produce financial reports on a quarterly and annual basis. These reports, consisting primarily of an income statement, a balance sheet, and a statement of cash flow, show whether or not the company made money, outline sales and expenses for the period reported on, and list the company's assets and liabilities. Law and regulation dictate in large part the content of the financial reports as well as the methodology for creating them. Public companies are regulated by the Securities and Exchange Commission (SEC). The SEC has established rules for governing a public company and, in conjunction with other organizations, created standards for corporate behavior. Included within these standards is the requirement that financial reports be produced for the owners of the public company. They also specify when and how these reports should be generated. The accuracy of these reports is of paramount importance, as investors rely on them when making decisions to buy or sell company stock, as do banks and other lenders in deciding whether to loan money to the company. The U.S. government also relies on these reports in judging the overall health of the American economy. To ensure the accuracy of public companies' financial reports, the SEC requires that a certified public accounting (CPA) firm audit them annually for accuracy. This audit is intended to assure the investing public that the reports accurately reflect the financial condition of the company. 
The CPA firm will, at the end of the audit, give an "opinion" regarding whether the financial report is accurate and reliable. In addition to the annual audits that the CPA firms perform, most large public companies have an internal audit department. The role of the internal audit department is to conduct reviews (audits) of the company's operations in more depth and from a different perspective than those that the CPA firms conduct. In addition, it will examine the internal controls that the company has in place to ensure that the financial reports are accurate and the controls are operating effectively. The internal audit department will also look at the efficiency and effectiveness of the company's various operations as well as review other areas in which management may have questions or concerns.

Example 1: A large multinational construction company has operations throughout the United States and on all continents around the world. The internal audit department establishes a plan in which all major locations are audited at least once every three years. Included in these audits are reviews to ensure that remote locations follow corporate policies and procedures. Specifically, the audits review all completed construction projects since the last audit to determine that all payments are made according to the construction contracts, payments for labor follow all local laws and are made in agreement with the local union contracts, and payments are made for actual work performed. In addition, the audits review the construction management process to verify that all permits and inspections are obtained and documented correctly.

II. Financial and Accounting Abuses

With all these audit, reporting, and oversight processes, how did the financial and accounting abuses that have been featured prominently in the nation's headlines ever occur? There is no simple answer to this question because there are numerous issues involved. The end result for the investing public is that the financial reporting it relied on turned out to be inaccurate for many companies. However, one thing did become clear: the CPA firms did not catch the inaccurate reporting. Why? In many cases, the CPA firms involved had helped set up the financial transactions at issue and had done so in such a way that investors became confused. In other cases, the CPA firms had not rigorously reviewed the results of the companies' internal audits in-depth or tested the quality of the internal audit work. In some other cases, the CPA firms had actually been the ones who had done the internal audit work for the companies in the first place. In addition, the CPA firms had provided the companies' management with guidance, advice, or work, which the firms were then called on to review during the year-end audit. Whether intentional or not, it's easy to see how a CPA firm conducting an audit of a company's financial reports would tend to refrain from criticizing the very work it had previously performed. Combine this with the fact that the CPA firms performed other services that often generated fees well in excess of those they earned for auditing financial reports, and it is easy to see how things could either intentionally or accidentally get overlooked. Example 2: A large multinational energy-trading firm filed for bankruptcy after an investigation revealed that its audited annual financial reports were inaccurate and had overstated its financial health. The investigation also found that the CPA firm that audited the company's financial reports had helped design the business structure that allowed the company to hide its financial risks and problems. 
In addition, it was learned that the CPA firm also performed the internal audit activities for the company. Given that the company paid the CPA firm fees totaling more than $52 million, more than half of which was for consulting services and internal audit activities, it appeared that the CPA firm was more concerned with earning the large consulting fees than with conducting complete audits of the company's annual financial reports.

THE SARBANES-OXLEY ACT


On July 30, 2002, the Sarbanes-Oxley legislation became law as the Public Company Accounting Reform and Investor Protection Act of 2002. This legislation was enacted as a direct result of the many financial scandals that had affected the American investing public and financial markets. It creates greater accountability for accurate financial reporting, prescribes penalties for failing to comply with its provisions, and establishes a framework for corporate behavior in financial reporting and for oversight of CPA firms, with the objective of eliminating real or perceived conflicts of interest. It also established the Public Company Accounting Oversight Board as the policy-making body for regulating the provision of accounting services to public companies.

I. What the Act Includes


The major specifications of the act include the following:

Code of ethics. All public companies are required to either establish a code of ethics for their senior financial management or disclose to the government and investors why they did not establish one. The code must specify that the company will operate in an ethical and honest manner, disclose its financial and other significant matters in a timely and understandable manner, and comply with all governmental rules and regulations.

Audit committee. All public companies are required to create an audit committee that is established by the company's board of directors. The audit committee is responsible for overseeing the financial reporting for the company, the annual audit conducted by the company's CPA firm, and the internal audit department's activities. The audit committee must be composed of members with specified levels of financial reporting expertise and independence from other aspects of the company's operations. Usually, some board members also serve on that company's audit committee, but they can only do so if they are not employees of the company.

Whistleblowing. All public companies are required to establish a whistleblowing process to receive and review claims of inappropriate financial activities.

Management report on internal control. The company must file an annual management report with the SEC on the company's internal controls for financial reporting, together with an attestation by the company's independent auditor.

Management certifications. Management must certify that the financial reports are accurate and fairly present the company's financial condition; that internal controls are in place to ensure that the reports are accurate; and that the internal controls have been evaluated and are working. Management also needs to disclose if the internal controls are not working or if it, or others involved with the company's internal controls, has committed any fraud.

Public disclosure. All public companies need to disclose any significant changes in their operation or financial condition.

Auditing of internal controls. The CPA firm must audit a public company's internal controls as part of the year-end audit of the financial reports and determine if the internal controls are operating correctly.

CPA firm conflicts of interest. A number of activities that CPA firms previously performed for public companies are now prohibited if the CPA firm performs the annual audit of the company's financial reports. These include:
- bookkeeping or preparing the company's financial reports
- designing or installing a company's computerized accounting systems
- internal audit services
- acting as management for the company
- various other activities where the CPA firm may have to evaluate its own work during the year-end audit of the financial reports

Penalties for fraud. Jail time and fines will be imposed if investors are defrauded.

The act covers a wide variety of subjects that focus on one major objective: the accuracy of a company's financial reporting. This is accomplished through establishing accountability, eliminating conflicts of interest, and instituting internal controls.

Example 3: A large multinational company's audit committee receives a proposal from a CPA firm to perform the company's year-end audit. The proposal includes a schedule of the audit work to be done, the amount of hours to be spent, the areas to be audited, and total costs. Based on the audit committee's knowledge of the company's operations and financial structure, and its knowledge of general financial reporting practices, the committee will determine if the proposal meets the company's needs and is fairly priced. If the committee is satisfied, it will accept the proposal. If not, it will ask for clarifications and possibly changes. The audit committee may also contact other CPA firms to obtain alternative proposals before making a final decision.

UNDERSTANDING INTERNAL CONTROLS


I.

Internal Control Defined


In the simplest terms, an internal control is a process or procedure that provides reasonable assurance that the right thing to do gets done. Most companies further describe internal control as methods and procedures to provide reasonable assurance that management's objectives are met. Examples of management's objectives include:
o accurate financial reports
o preservation of company assets
o compliance with all applicable laws and regulations, as well as the company's policies and procedures
o effective and efficient company operations

In the past, internal control was often looked at as an isolated subject. If a process, such as issuing a check, had controls in place, like review and approval by a manager, the process was viewed as controlled. Today, as a result of both Sarbanes-Oxley and the natural evolution of sound business practice, internal control is viewed in the bigger picture and as encompassing the entire organization. This broader concept of internal control has been accepted as the appropriate way to view control in an organization.

II.

Core Elements of Internal Control


The five core elements of internal control are:
o control environment
o risk assessment
o control activities
o information and communication
o monitoring

Each of these elements interrelates with the others, and all are necessary for an organization to have effective internal control. With the advent of Sarbanes-Oxley, which requires that an appropriate framework for internal control be implemented, organizations have spent increasing amounts of time, money, and attention ensuring that these elements are in place and effective.

B.

Control environment

The control environment sets the tone for the organization. Management needs to operate in an ethical and forthright manner and set forth its corresponding expectations of integrity and ethical behavior from its employees. Management, at all levels, needs to lead by example. It should model itself in a manner that encourages ethical behavior, fosters appropriate values, and allows for the identification and correction of behavior that does not meet these standards. For this reason, the establishment of a control environment is the foundation for the other elements of effective internal control.

C.

Risk assessment
The risk assessment process is an aspect of internal control that occurs at all levels of an organization and is an ongoing process. Senior management constantly evaluates risks to the organization at a global level, such as the impact of current world events on a steady supply of energy, or the safety of staff in remote locations. Operating management assesses risk involved in more day-to-day activities, such as the security of work in process or finished goods inventory. At the same time, staff is also constantly assessing risk, although often in an informal manner, as employees perform assigned responsibilities and identify and address areas of potential error or problems on a daily basis. For a strong internal control system to work, the management and operating levels need to have a formal process to ensure that risks are evaluated on a regular basis and that plans are made to address those risks. For risks that employees identify, they need to have a process in which they can report those risks to management and have them addressed as necessary. Management needs to provide training on how to identify risks and must develop procedures outlining the steps for employees to follow. In some companies, all employees are empowered to resolve risks within set cost limits to correct problems that they identify. Other companies have established incentive programs for employees to identify risks and propose solutions.

D.

Control activities
Control activities are the major component of an internal control system and, in many organizations, are referred to as internal controls. Control activities occur in many forms. Some of the more common forms include:

Policies and procedures. The best way to ensure that the right thing to do gets done is to have written, understandable guidelines that provide employees with directions on how to accomplish their duties. These policies and procedures can be broad, such as how to request approval to purchase equipment, or detailed, such as how to fill out an expense report. The guiding principle is that everyone works better if the rules are consistent and explained so that all employees know what is expected of them and how to perform their duties.

Example 4: For one large multinational company, business travel between locations and to clients and prospects is a large expense. The company has established a policy that outlines what travel expenses it will pay and provides limits as to how much it will pay for specific items such as hotels and rental cars. For example, according to the policy, hotel rooms in the continental United States must not cost more than $200 per night in major cities and $100 per night in other cities. The policy also states that an employee must purchase all air travel tickets through the corporate travel agency, or the company will not reimburse the employee. A set of procedures supporting this policy leads the employee step by step through the details of how to comply with it. For instance, the air travel procedure has phone numbers, names, and forms to use when ordering airline tickets, as well as instructions detailing who approves a request for tickets.

Job descriptions. These go hand in hand with policies and procedures, as they define for all employees what is specifically expected of them and give both the employees and their managers yardsticks by which to guide and measure employee performance.

Authorizations. Certain individuals within an organization have authority to do things. Purchasing officers are usually designated as the only authorized buyers for a company. Managers at certain levels are usually authorized to hire and fire employees. By having a defined framework of who is authorized to act in what capacity, employees, suppliers, customers, and the public can determine if they are dealing with the appropriate individuals within an organization.

Example 5: The purchasing department of a large electronics production company establishes various levels of authorization regarding who in the purchasing department is authorized to purchase on the company's behalf. These levels of authorization are listed on the company's purchase order, and indicate that a buyer may commit on orders up to $100,000. Above that limit, the vice president of purchasing must sign the purchase order for it to be binding.

Approvals. Aligned with authorization is approval of an action. Individuals within an organization have the responsibility to approve certain actions. This can range from the audit committee approving the use of a CPA firm, to a manager approving an employee's expense report. The approval process is one of the key internal control principles as it helps ensure that actions are carefully reviewed. The more significant the impact an action may have on an organization, the greater the number of approvals it may require, or the more senior the management level it may require to approve the action.

Example 6: The human resources department for a large automotive parts manufacturer establishes various levels of approval for hiring new staff members. Managers can approve the hiring of assembly line workers for any open assembly job requisition. Hiring an assembly line worker without an open job requisition must be approved by the director of the human resources department for the assembly plant wanting to hire that worker. The director of human resources for the plant where a manager will be assigned must always approve the hiring of the manager.

Verifications. Many actions, particularly those involving large amounts of money, will require verification, an after-the-fact approval, before a requested action takes place. This control is necessary when a mistake or fraudulent action may not be caught, or the error corrected, if not immediately identified.

Example 7: A national insurance company receives payments at a number of locations across the United States on a daily basis. All the monies are deposited into one bank account for all locations at the end of each business day. The following morning, the corporate treasurer determines how much money can be invested and faxes instructions to the bank, instructing it to transfer certain amounts of money to a number of different investment companies. Before the bank will transfer the money, a bank staff member calls the insurance company and verifies with the controller in the accounting department that the instructions received are from the treasurer and are correct.

Reconciliations. Just as individuals balance their personal checkbooks, an organization needs to balance or reconcile many of its activities on a regular basis. This control is essential in most accounting areas, where the need to verify figures in the accounting system against supporting information, such as cash or inventory, is essential to accurate financial reporting. Many areas of operations also are reconciled on a regular basis to ensure that what is expected to be in place is actually there.

Example 8: A national insurance company has a large number of bank accounts that serve specific functions, such as payroll, accounts payable, and accounts receivable. These accounts must be reconciled to the company financial records each month to properly account for all funds. The reconciliation process includes confirming that the bank has received all deposits and that all payments made by check or bank transfer agree with the company's financial records. This process must be completed each month to help ensure that no errors are posted to the accounting records. A failure to reconcile the bank accounts promptly could allow for errors to go undetected or become compounded over periods of time.

Budgets. Just as reconciliations are performed to verify that what is recorded is what has occurred, budgets are needed to project what will occur in the future. Budgets form the basis for determining how many people to hire, what supplies and equipment to buy, how quickly to expand, and many other aspects of running a business. Comparing actual results with the budget then gives management the ability to assess actual and planned business volume and investigate areas where results were not as anticipated. This control then allows management to focus its attention on the areas that most need it.

Reviews of performance. All employees are accustomed to receiving periodic performance reviews. They are one means of determining how well one has performed, identifying ways to improve, and recognizing strengths and successes. They also help form the basis for possible raises or promotions. In the same manner, companies should conduct performance reviews of business activities, such as a sales campaign, a new product launch, or even the losing proposal to build a product for a potential buyer. The benefits for a company are the same as for an individual: strengths and weaknesses are identified, and alternate plans for the future can be developed.

Example 9: A large electronics manufacturer is a major supplier to the automobile production industry. Every time a new car model is planned, the company submits proposals for the inclusion of electronic entertainment systems. Only one-third of its proposals are accepted. Because proposals are costly to prepare, the company establishes a process to review how they are developed and learn why they are accepted or rejected. Based on the results of these reviews, the company revises the proposal process to ensure that better communication occurs between the auto manufacturer and the company engineers. This will help the company to better understand and address specific requirements in future proposals.

Documentation. All control activities should be documented and not left to recollection or conversation. It is especially important to document approvals, reconciliations, and other types of evidence of a control activity to confirm that the actions took place.

Example 10: A new receiving clerk for an electronics company does not fully understand the requirements for retaining documents when new materials arrive. After verifying that the goods have been delivered, the clerk usually keeps the packing slips for a week and then throws them away. Later, when materials are lost between the receiving dock and production, the clerk cannot prove that the amounts claimed to have been received and sent to production were actually received and forwarded.

Security over assets. In addition to the various procedural controls described above, physical control needs to be maintained over all company assets, which includes supplies, inventory, facilities, and electronic or physical information, as well as employees themselves. Processes and procedures need to be in place to protect assets from accidental or intentional loss or damage.

Example 11: At a large production facility, portable tools are held in a secured tool crib and only distributed to authorized employees. To obtain the tools, the employee must have his supervisor's written authorization and a valid employee identification. Tool distribution is strictly controlled based on the authorizations, and the tools are inventoried after every shift. Managers are responsible for resolving issues regarding the return of tools at the end of every shift.

Segregation of duties. Segregation of duties is a foundation of internal control. This principle describes the assignment of activities so that no one person has complete control over a key function or activity. With segregation of duties, both intentional and accidental errors can be identified and corrected, as a second set of eyes will always be involved in the process.

Example 12: At a large department store chain, responsibilities for payroll processing have been segregated so that accidental or intentional errors can be caught and corrected. Only the personnel department can create a file for a new employee and create or change a salary rate for an employee. Only the payroll department staff is able to process the payment for an existing employee. In addition, the payroll department staff cannot approve an employee's time card but can only process time cards that authorized managers have approved. Lastly, only the employee should enter time on the time card. At this company, the responsibilities for paying an employee are divided among four different individuals.

These are just some examples of an organization's control activities. A company may develop other practices, depending on the nature of its business, what it does, and where it operates. It is extremely important to recognize that control activities acceptable in one country, for example the United States, may be culturally offensive in other countries and actually counterproductive. For this reason, the actual execution of some control activities may look very different from country to country, though they all are rooted in the same primary objective of ensuring that management's objectives are met.
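The payroll split in Example 12, as an added example that is not from the handbook: a segregation-of-duties check run over a constructed audit log, in which each duty is tied to a role, payroll may pay only against a manager-approved time card, and no one actor may perform the duties of more than one role for the same employee and pay period. The actor names, role table and log format are assumptions.

```python
"""Segregation-of-duties check for the payroll split described in Example 12.

Added example, not part of the handbook. Actor names, role assignments and
the audit-log format are constructed for illustration.
"""
from collections import defaultdict

# Duty -> the single role permitted to perform it (the split in Example 12).
DUTY_ROLE = {
    "create_employee": "personnel",
    "set_rate": "personnel",
    "enter_time": "employee",
    "approve_timecard": "manager",
    "process_payment": "payroll",
}


def check_event(event, user_roles):
    """Check one audit-log event (keys: actor, duty, employee, period).

    Returns a violation description, or None when the event is allowed.
    """
    actor, duty, employee = event["actor"], event["duty"], event["employee"]
    needed = DUTY_ROLE.get(duty)
    if needed is None:
        return f"{actor}: unknown duty {duty!r}"
    role = user_roles.get(actor)
    if role != needed:
        return f"{actor} ({role}) performed {duty}, which is reserved for {needed}"
    if duty == "enter_time" and actor != employee:
        return f"{actor} entered time on {employee}'s time card"
    if duty == "approve_timecard" and actor == employee:
        return f"{actor} approved their own time card"
    return None


def check_log(events, user_roles):
    """Per-event role checks plus the cross-event segregation rules.

    Returns the list of violations found in the log, in detection order.
    """
    violations = []
    approved = set()  # (employee, period) pairs with a valid manager approval
    roles_used = defaultdict(lambda: defaultdict(set))  # key -> actor -> roles

    for ev in events:
        problem = check_event(ev, user_roles)
        if problem:
            violations.append(problem)
        needed = DUTY_ROLE.get(ev["duty"])
        if needed is None:
            continue
        key = (ev["employee"], ev["period"])
        # Record which role's duty each actor carried out for this pay event.
        roles_used[key][ev["actor"]].add(needed)
        if ev["duty"] == "approve_timecard" and problem is None:
            approved.add(key)
        if ev["duty"] == "process_payment" and key not in approved:
            violations.append(
                f"{ev['actor']} processed payment for {key[0]} ({key[1]}) "
                "without a manager-approved time card"
            )

    # No one person may perform the duties of more than one role for the same
    # employee and pay period, whatever roles they happen to hold.
    for (employee, period), actors in roles_used.items():
        for actor, roles in actors.items():
            if len(roles) > 1:
                violations.append(
                    f"{actor} performed duties of {sorted(roles)} for "
                    f"{employee} ({period}); duties must be segregated"
                )
    return violations


# Constructed role table and audit log for one pay period ("P01").
USER_ROLES = {"pat": "personnel", "eve": "employee", "mia": "manager",
              "ray": "payroll", "sam": "payroll"}

CLEAN_LOG = [  # the four duties split across four people, as in Example 12
    {"actor": "pat", "duty": "create_employee", "employee": "eve", "period": "P01"},
    {"actor": "pat", "duty": "set_rate", "employee": "eve", "period": "P01"},
    {"actor": "eve", "duty": "enter_time", "employee": "eve", "period": "P01"},
    {"actor": "mia", "duty": "approve_timecard", "employee": "eve", "period": "P01"},
    {"actor": "ray", "duty": "process_payment", "employee": "eve", "period": "P01"},
]

BAD_LOG = CLEAN_LOG + [
    {"actor": "ray", "duty": "approve_timecard", "employee": "sam", "period": "P01"},  # payroll approving
    {"actor": "ray", "duty": "process_payment", "employee": "sam", "period": "P01"},   # paid on own approval
    {"actor": "eve", "duty": "enter_time", "employee": "mia", "period": "P01"},        # someone else's card
    {"actor": "sam", "duty": "process_payment", "employee": "mia", "period": "P01"},   # never approved
]

if __name__ == "__main__":
    for line in check_log(BAD_LOG, USER_ROLES):
        print(line)
```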

E.

Information and communication


For the control activities to function effectively, information and communication is critical. Financial reporting of actual performance as well as comparison against budgets; distribution of new policies and procedures; and reports on errors noted and corrective actions taken are some examples of information and communication crucial to the effectiveness of internal controls. Information, whether from automated systems or manually compiled, needs to be produced in a timely manner and in a format useful for managing and controlling the business. It also needs to be distributed throughout the organization, so that all parties affected by or responsible for the reported operations have the necessary data to carry out their responsibilities.

F.

Monitoring
Monitoring is a key feedback process in maintaining an effective internal control system. It is not, however, the same as the ongoing control or communication of activities. Monitoring is a separate, independent evaluation and oversight of internal control activities that is management's responsibility and is often assigned to the organization's internal audit department. The individuals responsible for the controls or the monitored activities do not perform management's monitoring function, but they should be alert to problems with such controls and activities and report them to the appropriate people in their company. Other monitoring roles may include compliance officers, ethics officers, or peer review committees.

Example 13: A large consumer electronics chain uses a sophisticated computer system to track inventory from receipt to point of sale. In addition, the store staff does a monthly physical inventory of actual stock on hand. As a monitoring function, the company's internal audit department annually conducts random physical inventories at half the company's stores to verify that they follow the inventory practices and that the practices work as designed.

WHAT YOU CAN DO TO HELP


Internal control is everyone's job. Organizations are all structured to have varying degrees of internal control, with management responsible for that structure as well as maintaining an environment where ethics and integrity are stressed and nurtured. Good internal controls should help employees meet their responsibilities. Policies and procedures should instruct, and personnel policies and job descriptions should guide, employee development. Control functions should help minimize errors, and information reporting and monitoring should help the business run efficiently and produce accurate financial reports for the owners. A strong internal control system will allow a company to comply with the regulatory and reporting requirements that the Sarbanes-Oxley legislation and the public stock exchanges mandate, both in the United States and throughout the world. All employees can support their company's internal control environment by complying with those policies and procedures and other control activities that affect their duties. If employees see ways to improve control or correct errors, they should bring them to the appropriate manager's attention. If employees notice weaknesses in internal control or outright violations of control activities, they should immediately report these observations to the appropriate manager. The manager can then deal with performance issues as appropriate. The manager can also review structural issues concerning how a task is controlled, or create a process improvement team to make necessary changes to improve control.

Example 14: In a business management company's payroll department, the payroll manager accidentally processes a payment, which happens to be to herself, twice. When she learns of the mistake, she has an obligation to report the process error as well as refund the overpayment. The wrong thing to do would be to keep the payment and cover her tracks.

Example 15: A teacher's aide at a university accidentally submits a health insurance claim that her physician also submits. Later, both the physician and the teacher's aide are paid for the billed service. The correct thing to do is for the teacher's aide to refund the duplicate payment and contact the human resources department to notify it of the claim processing error. The wrong thing to do is to keep the duplicate payment and submit more duplicates if it seems that no one is catching the error.

Employees who are responsible for actually producing financial information should follow the accuracy controls for that data even if deadlines create a burden. Producing incorrect information quickly does not benefit anyone.

Example 16: The accountant at a large insurance company, who is responsible for reconciling the company's bank accounts each month, falls behind because of other duties. Her supervisor pressures her to complete the reconciliations. To appear caught up, the accountant enters information in the reconciliations and makes her records look as if all bank activity is proper. As it turns out, fraudulent checks have been written on the company's bank accounts, and more than $200,000 has been stolen. Because the fraud is not caught due to the intentionally overlooked bank activity, the company is not able to recover the money and has to correct the financial reports in future months once it finally identifies the previously undetected loss.

In most organizations, internal control is part of the business culture, as are ethics and integrity. Complying with internal controls is part of doing one's job, and the corrective and verification control activities are taken for granted as one's responsibilities. The problem occurs when there is a breakdown of either personal or corporate ethics or integrity. An employee faced with such a situation needs to act in a much different manner, as this is no longer "business as usual." For example, frequent breakdowns in organizations' integrity and ethics have occurred in the area of recording sales. The pressure to match investors' expectations of sales, or a manager's expectations of an individual salesperson, has led to a number of frequently repeated scams in reporting sales:
o Sales of nonexistent products or services. Particularly in the high-technology field, companies record sales for products or services not yet fully developed. Although it is acceptable to record a deposit for payment on a future product or service, a company should not show a sale on its books for products or services until all conditions for the booking of revenue under applicable accounting rules have been met. Consult your company's accounting or law department if you have any questions.
o Changing contract dates. In order to meet monthly or quarterly sales targets, companies often change contract dates from the first few days of a new month or quarter to reflect the previous period. In addition to reporting incorrect financial data, this practice can cause commissions to be overpaid to sales people if they have targets that are met because of it.
o Sales to related parties. To meet sales targets, sales contracts and other supporting documents are created for sales to related parties with the agreement that the goods or services will either never be delivered or performed, or that any goods delivered will be returned in the following period. Refunding or crediting back the sale occurs in the following month, and the individuals involved look for other ways to offset this "lost" sale when the next period closes.

In any of these cases, if an employee suspects that sales information is being incorrectly reported, he must report these observations to management.

HOW TO RESPOND WHEN SOMETHING DOES NOT LOOK RIGHT


I.

Reporting Violations
When an employee observes or becomes aware of a potential violation of policy or procedure, established internal controls, or the law, the employee is obligated to take appropriate action. Depending on the nature of the actions observed, the potential severity, and the position of those involved, the employee can take one of several courses of action:

Report the matter to your immediate supervisor. If the matter appears to be a localized issue, and the employee feels comfortable, reporting the matter to her immediate supervisor is always the preferred course of action. Employees can address most matters at this level as a departmental operating issue.

Example 17: A data entry clerk at a large company learns that her coworkers are sharing passwords. If passwords are shared, individuals may be able to perform tasks that they are not authorized to perform, or they may be blamed for actions that they have not taken. The clerk reports the password sharing to her supervisor because she knows that control over computer hardware and software is necessary, since businesses rely heavily on these systems and the data they contain.

Example 18: A manufacturing company uses a computer system that shows the time and date of the last activity by the user every time the user logs on to the system. A data entry clerk logs on to his computer system and notices that the time shown for his last usage is a time when he was at his doctor's office. The clerk knows that this indicates that someone has used his password and has accessed the system as him. He reports this to his supervisor immediately so the matter can be investigated.

Report the matter to your supervisor's manager. If the matter appears to be more significant, or her immediate supervisor is a part of the problem, then the employee should report the matter to the manager above her supervisor.

Example 19: On a business trip, a supervisor asks his administrative assistant to pay for a dinner attended by the supervisor, the assistant, and a number of staff members. The supervisor explains that he will then be able to approve the expense report and won't have to explain the dinner to his boss. The company policy states that the highest level employee attending any business meal must pay and submit an expense report. In this case, the employee cannot report to her immediate supervisor regarding the matter, as he is part of the problem. The correct thing for the assistant to do is to report the matter to her supervisor's manager or go through one of the other reporting processes available to employees.

Report the matter to your company's ethics officer, compliance officer, internal audit department, or human resources department. Most issues, such as those recently seen in the media, should, at a minimum, be reported through one of these channels. Generally, the senior company managers are charged with investigating claims of inappropriate behavior and can have matters investigated in a timely manner.

Example 20: A graphic designer for a major advertising agency notes that most supplies, equipment, and consultants used at her location seem to be from substandard vendors and that there are a lot of complaints about the quality of goods and services received. After looking into the matter more closely, she learns that the buyer responsible for supporting her location is sending a large amount of business to friends and relatives rather than to reputable suppliers. She should refer this significant matter to an ethics or compliance person within the company, the internal audit department, the human resources department, or to the whistleblower hotline, if there is one established by the company.

Utilize your company's employee whistleblower hotline or audit committee reporting process. These are the processes to follow if the employee either identifies an ethical issue or feels the need to report the situation in a confidential manner. All whistleblower and audit committee reporting programs can maintain the confidentiality of the reporting party's identity if confidentiality is desired. These processes also guarantee that impartial and independent reviews of the matter reported will take place.

Example 21: The accountant for a computer company notices that a large amount of sales are booked each quarter to a customer that also sells a large amount of goods to his company. As he investigates these transactions, he learns that the goods his company sold have never been shipped and that the goods purchased by his company have never been received. In fact, the two companies have agreed to simply swap sales transactions to inflate the amount of sales on their books. Since this appears to be fraudulent financial reporting, the accountant refers the matter to the company's whistleblower hotline with sufficient detail to allow for a prompt review of the matter.

II.

What to Include in Your Report


No matter which process the employee uses to report a matter of concern, he should be sure that any report of suspected inappropriate activity includes the following:

Specifics. Include as much detail as possible, such as copies of documents, if appropriate, to support the concern.

Facts. Include as much factual information as possible. However, do not make assumptions or speculate as to motives, decisions, or other possible actions that are not known firsthand.

Honesty. The processes for reporting suspicious matters are tools to be used appropriately. They should not be used as a means of getting even with a coworker or manager or for making a labor-related point. An employee's ethical behavior in reporting a matter needs to be of the same high standard as the processes that are established to promote sound business practices.

CONCLUSION
Accurate financial reporting is critical in a free market economy with public ownership of large businesses. While the responsibility of actually preparing the financial reports belongs to a limited number of employees, the responsibility for the accuracy of the information contained in the reports belongs to all employees. By ensuring that the policies, procedures, and controls in place within an organization are followed, all employees can contribute to the accuracy of the financial reports. Conversely, intentional disregard of the established controls within an organization can lead to financial loss for the company as well as the potential for inaccurate financial reporting. Lastly, with the current focus on corporate ethics, all employees have the obligation to identify and report areas of concern when they suspect that intentional actions are taking place to defraud the organization, the investing public, or government regulators. As evidenced by recent news, the consequences of not doing so can have far-reaching and drastic effects.

FEDERAL SENTENCING GUIDELINES: THE RULES OF THE ROAD


INTRODUCTION
Generally speaking, corporations and other business entities may be criminally liable for actions taken by their employees in the course of their employment. Even the best-intentioned employees, doing only what they are told, can expose their company to severe criminal penalties. At least where federal crimes are concerned, the extent of those penalties depends largely on what are known as the Federal Sentencing Guidelines. These Guidelines establish standards for determining the appropriate range of sentences in a particular case. Among other things, they provide for reduced sentences if the convicted organization has made certain efforts to detect and prevent criminal activity before it occurs. Some states have also adopted sentencing guidelines that are similar in approach, if not in detail, to the federal standards. Because federal law governs so many aspects of modern business, it is important for corporate employees -- particularly executives and managers -- to have some understanding of the Sentencing Guidelines -- where they came from, how they work, and what can be done beforehand to help reduce criminal penalties if the company is later convicted of a crime. That is the purpose of this Handbook. It is designed to give you a brief overview of some basic concepts underlying the Sentencing Guidelines, including the need for an "effective compliance program" as a basis for sentence reduction. This Handbook is very general in nature, and is not designed to provide advice regarding the steps any particular company should take in order to reduce its exposure in the event of a criminal conviction. Any such steps should be taken only in conjunction with the advice of legal counsel. We will begin with some general background regarding the fundamental concepts of criminal law.

BASIC CONCEPTS

I. What Is a "Crime"?
The U.S. Congress and the state legislatures of every state have passed statutes prohibiting conduct that is considered so harmful to society that it should be prosecuted and punished by the government. A "crime" is the conduct prohibited by these statutes. The punishment for commission of a crime may include such things as imprisonment, fines, probation and community service. An individual charged with a crime is entitled to certain rights or protections under the U.S. Constitution and the constitutions of individual states. Some of these rights are familiar to moviegoers and television watchers, such as the right to remain silent, the right to refuse to testify and the right to counsel. These rights are available to those accused of crimes because they face punishment by the government, which may include loss of their liberty or in some cases even death.

Most crimes involve some type of intentional act. The conduct must be done willfully or knowingly. Generally, those terms mean more than knowing what one is doing. Knowing that one is signing a check is not enough to prove the crime of forgery. However, knowing that one is signing a check with someone else's name, without that person's permission, is sufficient "knowledge" to prove the crime of forgery. Sometimes, of course, the situation is more complicated. For example, if someone honestly but mistakenly believes he is authorized to sign someone else's name, then the person probably would not be viewed as having the required knowledge for criminal liability, at least in some jurisdictions. On the other hand, a few crimes require no particular intent. For instance, some conduct will violate the environmental laws no matter what the degree of knowledge or lack of knowledge.

II. How Is a Criminal Prosecution Different from a Civil Lawsuit?

A criminal prosecution differs from a civil lawsuit in several respects. A criminal prosecution is initiated by the government, on behalf of all the people. Even though some criminal offenses involve harm done to individual victims, it is the government that charges the accused and is responsible for assembling all the witnesses, testimony, and evidence necessary to prove that the accused committed the crime. A civil lawsuit, by contrast, does not result in punishment by the government. It usually involves a dispute about money, and is usually between private parties, although the government can and does sue individuals and entities. Even if the lawsuit is based on an injury caused by negligence, the injured party sues to get monetary damages. Although the court in a civil suit can order a party to do or stop doing something, a civil suit is not primarily aimed at punishing the sued party. Another difference between criminal and civil cases is how hard they are to prove. The degree of difficulty in proving a case is called the "burden of proof." The government in a criminal case has to prove beyond a reasonable doubt that the crime was committed and the accused is the one who committed it. Beyond a reasonable doubt is a very high burden of proof. On the other hand, to win in a civil case, the person bringing the lawsuit (known as the plaintiff) has to prove the bad conduct and damages only by a preponderance of the evidence. This means that the evidence is weighted just slightly more in favor of the plaintiff. The bottom line is that the government in a criminal case has to have very strong evidence of the defendant's guilt in order for the jury to return a verdict of guilty, whereas the plaintiff in a civil case has a much easier time of it.
The reason for the higher burden of proof in a criminal case is the same as the reason why our Constitution gives persons accused of crimes certain additional rights -- a person found guilty of a crime will be punished by the government and the punishment may include the loss of liberty or in some cases even death.

III. Can Corporate Entities Commit Crimes?

Corporations and other entities can be punished for criminal violations. Theoretically and legally, a corporation or other entity acts through its executives and employees, and is liable for criminal acts committed by them in the course of their employment. Because entities can't be sent to prison, punishment for such acts is usually limited to fines.

IV. What Is a Criminal Conviction?


An individual or entity accused of a crime usually has a choice of plea bargaining with the prosecutor, often for a lesser charge, or going to trial and taking the risk that the judge or jury might render a guilty verdict. In either event, a guilty plea and a guilty verdict both result in a final decision of guilt, called a conviction. In sentencing a convicted individual or entity, the judge can impose a variety of penalties, including imprisonment for an individual, probation, fine, restitution, forfeiture, assessment of costs, and remedial orders such as mandatory community service.

V. Federal Versus State Crimes

Under our federal system of government, both the federal government and the states are authorized to enact laws prohibiting criminal activity. The main difference is that state criminal laws generally involve local conduct -- for example, a robbery or homicide occurring within a certain state's borders -- whereas federal criminal laws must, under the Constitution, involve conduct affecting interstate commerce. As a practical matter, however, the interstate commerce requirement is fairly easy to meet, and as a result, there is a vast body of federal criminal law prohibiting everything from mail fraud, to robbery of federally-insured banks, to drug dealing, to assaults on federal officers. There is also a great deal of overlap between federal and state crimes. For example, securities fraud may violate both federal and state criminal law and may be prosecuted at both the federal and state levels. For our purposes, we will focus on federal law, and particularly the Federal Sentencing Guidelines. But you should be aware that states may have their own sentencing policies, which may resemble or differ from the federal guidelines in important ways.

FEDERAL SENTENCING GUIDELINES -- BACKGROUND


I. Sentencing Practices Prior to the Guidelines


Until 1987, federal court judges had a great deal of leeway in deciding what punishment to impose on a person or entity convicted of a federal crime. All criminal statutes established maximum penalties, and a growing number set minimum penalties, but in between it was left to the judge to decide. The judge typically would consider the nature of the crime, the defendant's criminal background and any other information the government or the defendant presented. This information included character references, information about other crimes or arrests, medical or mental illness, personal history, family circumstances, educational background and anything else the judge thought was important. The judge then weighed the information and imposed the sentence he felt was appropriate. As a result, persons and entities convicted of similar crimes, with similar backgrounds, often received widely different sentences.

II. Creation of the Federal Sentencing Guidelines


Congress reacted to complaints regarding these sentencing disparities by passing the Sentencing Reform Act of 1984. The Act created the United States Sentencing Commission and directed it to develop guidelines reflecting the four basic purposes of criminal punishment -- deterrence, incapacitation, just punishment and rehabilitation. The Act further specified that the guidelines were to include categories, or levels of offenses, and offender characteristics, and sentencing ranges based on those levels. For example, an employee who embezzled $5,000 would be in a different category from an armed bank robber who has two prior convictions for bank robbery. The Act required federal judges to stay within these ranges when sentencing individuals or entities convicted of federal crimes. The Act also abolished parole so that now, a person sentenced for a federal crime will serve the entire term of imprisonment reduced only by a limited amount of "good behavior" credit. The Sentencing Commission was also given the authority to review the sentencing process and to make changes in the Guidelines as courts gained experience with them. The initial Guidelines went into effect November 1, 1987 and apply to all offenses committed by individuals after that date. The Guidelines for organizations were added and became effective November 1, 1991.

III. The United States Sentencing Commission

A. Composition of the Commission


The Sentencing Commission is an independent agency of the judicial branch of government. It consists of seven voting and two nonvoting members. The president of the United States appoints the seven voting members of the Commission, after consultation with judges, prosecutors, defense attorneys, law enforcement officials, victims of crime and others with an interest in the judicial process. The appointments are made with the advice and consent of the Senate. One member of the Commission is appointed by the president as the Chair and three are designated as Vice Chairs. Of the seven members, at least three must be federal judges. No more than four members may be members of the same political party. The Attorney General, or his or her designee, is a nonvoting member of the Commission. The voting members are appointed for six-year staggered terms.

B. Authority of the Commission


The Commission is responsible for issuing the Sentencing Guidelines as well as policy statements regarding their application. Congress set some limits on the Commission's powers and also made clear that it expected certain crimes to carry sentences at or near the maximum authorized, and offenders with particularly unsavory criminal histories to serve substantial prison terms. Congress also gave the Commission the power to review and revise the Guidelines.

C. Amendments to the Guidelines


The Commission receives comments and recommendations from a variety of sources regarding the fairness and operation of the Guidelines. Some of these sources include probation officers, the Bureau of Prisons, federal judges, the U.S. Department of Justice and the Federal Public Defenders. The Commission reviews and considers these comments and, from time to time, submits proposed amendments to the Guidelines to Congress with a statement of the reasons for each amendment.

IV. How the Guidelines Affect Individuals


The Guidelines generally limit the discretion of sentencing judges. As a result, individuals can no longer count on using their individual circumstances to sway the judge. Age, physical condition, family ties and responsibilities, level of education, employment record, community ties, and even mental condition are not ordinarily relevant in determining whether a lighter sentence, outside the applicable guideline range, would be appropriate. However, all these considerations may be relevant in setting conditions of probation. For example, a single parent who is the sole support for young children will not be eligible for a lighter sentence on that basis alone; however, continued support of the children may become a condition of probation. Likewise, a responsible job will not mean a lighter sentence, but may affect the appropriateness of home detention. In rare, extraordinary cases an individual's particular circumstances may be relevant to the sentence imposed. For instance, an elderly, infirm defendant may be sentenced to home detention instead of prison, if home detention would be an equally effective but less costly alternative to imprisonment.

V. How the Guidelines Affect Organizations


Organizations, of course, cannot be sent to prison; however, substantial fines can put an organization out of business quickly. Like individuals, organizations can no longer use considerations such as "good corporate citizenship," or the harm to their employees and local community if they go out of business, to lower their sentences. All these considerations are viewed as having been taken into account by the Commission and are no longer a valid basis for receiving a lighter sentence. Consequently, an organization that gives substantial gifts to charity or community events, or that provides a large number of jobs to local citizens, can expect only marginal consideration for such activities at sentencing. In addition, many organizations that do business with the government may be barred from government business once they are convicted of certain types of crimes.

APPLICATION OF THE GUIDELINES TO INDIVIDUALS


Although our primary concern is with corporations and other entities, it is helpful to understand first how the Guidelines apply to individuals.

I. Determining the Base Offense Level


The first step in determining an individual's sentence is to determine the Guideline most applicable to the particular offense. An appendix to the Guidelines provides a useful cross-index from the numerous federal criminal statutes to the offense Guidelines. Once the appropriate Guideline is established, the second step is to determine the base offense level for the offense under this Guideline, and any adjustment to that base level due to the defendant's specific conduct. For example, a minor assault carries a base offense level of either 6 or 3, depending on whether the defendant had and threatened to use a firearm or other dangerous weapon. If the crime resulted in serious bodily harm to a person under the age of 16, the Guideline adds another 4 points.

II. Adjusting the Base Offense Level


The base offense level for the particular offense is then further adjusted by general adjustments not necessarily tied to any specific offense. The base offense level is increased, for example, if the victim is particularly vulnerable because of age or physical or mental condition, if the convicted person played a leadership role in the offense, if the defendant obstructed justice, or if the conviction was for multiple violations. For example, if the victim was physically restrained during commission of the offense, the level is increased by 2 points. The base offense level is decreased if the convicted person played a minimal role in the offense and has accepted responsibility for the offense by either reporting the offense, admitting the conduct, voluntarily paying restitution, voluntarily assisting the authorities or pleading guilty. For example, an individual convicted of fraud will receive a lower sentence if he was just a minor participant in the illegal conduct rather than an instigator.

III. Determining the Individual's Criminal History


One of the premises of the Guidelines is that a convicted person's prior criminal behavior is relevant to sentencing for the current conviction, and that a person with a prior record of criminal conduct is more culpable than a first offender. Consequently, the Guidelines are structured to ensure that the lengthier and more serious the prior criminal conduct, the heavier the sentence for the new criminal conviction. For example, each prior imprisonment of more than 60 days adds 2 points, and each prior sentence of imprisonment for more than one year adds 3 points. Two points are added if the current offense occurred while the person was on probation, parole or the like, or if it was committed within two years after release from imprisonment. The number of points then determines which criminal history category the person falls into. Category I includes persons with zero or one criminal history points, Category II includes persons with two or three criminal history points, and so on up to Category VI, which includes persons with 13 or more criminal history points.

IV. Determining the Sentence for Individuals

A. Imprisonment


Once the offense level and criminal history category are determined, the range of possible terms of imprisonment is established by the Guidelines' sentencing table. On the right are listed the base offense levels from 1 to 43. Across the top are listed the criminal history categories, from I to VI. The applicable Guideline is determined by tracing the base offense level across the grid to the appropriate criminal history category. For example, let's take a person who is convicted of a complex fraud or embezzlement in an amount between $200,000 and $350,000. This carries a base offense level of 6, plus an additional 8 levels based on the amount. If the offense involved more than minimal planning, 2 points would be added. Another 2 points would be added if the offender played a leadership role in the offense, but 3 points would be subtracted if the offender accepted responsibility by pleading guilty. The net result in that situation would be an offense level of 15. Assuming this was the offender's first conviction, the chart would dictate a sentence of 18 to 24 months in prison.

B. Probation
Some convicted individuals may be eligible for probation, or a relatively short sentence followed by probation, if their offense level and criminal history points are low. Alternatively, the judge may order a period of community confinement (a half-way house), home detention, or intermittent confinement, such as week-ends in jail, followed by probation. But both probation and these alternative sentences are discretionary -- the judge can still sentence the individual to the maximum prison term called for by the Guidelines. If probation is ordered, the term must be between one and three years. Persons on probation are subject to the supervision of the court, through the Probation Office, and are subject to conditions tailored to their specific circumstances, such as paying restitution and/or a fine, residing in a particular place, staying away from a specified place or area, attending a rehabilitation program, performing community service, periodic drug testing, and refraining from further criminal conduct.

C. Restitution and forfeiture


Restitution means repaying the victim for the victim's loss. It is not intended primarily to punish the convicted person, but rather to compensate the victim for the harm or loss. Restitution is frequently ordered as part of the sentence. The amount of restitution is determined by the judge, based on the victim's loss. If the judge determines that a convicted person is unable to pay full restitution, the person may be ordered to make nominal periodic payments. In addition, certain criminal statutes provide for forfeiture of certain property by the convicted person, such as the proceeds of the crime.

D. Fines
All convicted individuals are required to pay a fine, except when the person can show that he is unable to pay and is not likely to become able to pay. The fine is determined by referring to a table set out in the Guidelines establishing a minimum and maximum fine for each offense level. For instance, in the fraud example given above, an offense level of 15 would yield a minimum fine of $4,000 and a maximum fine of $40,000. The sentencing judge determines the fine within the range given in the table, based on factors such as the seriousness of the offense, the defendant's ability to pay, any restitution that has been made and any other pertinent considerations. The maximum fine under the fine table is $250,000 for offense levels of 38 and above. However, some federal statutes authorize fines greater than $250,000, and in those instances the judge must follow the statute and impose the higher fine.

V. Application of the Guidelines to Organizations

A. General principles


Under federal (and state) criminal law, organizations are liable for offenses committed by their employees and agents in the course of their employment. Therefore, illegal conduct by an employee may result in prosecution of both the employee and the organization. Because organizations can commit crimes only through their employees, the Sentencing Guidelines provide incentives for organizations to establish internal mechanisms for preventing, detecting and reporting criminal conduct. These goals are in addition to the traditional goals of sentencing -- just punishment, deterrence and rehabilitation. Generally speaking, the Sentencing Guidelines are structured so that the fine imposed on an organization reflects (1) the seriousness of the offense and (2) the level of the organization's culpability. For these purposes, the seriousness of the offense is normally determined by the victim's loss. Culpability is generally determined by examining the organization's efforts to prevent and detect criminal conduct, the degree of involvement in the criminal conduct by high level personnel, and the actions of the organization after the discovery of the offense. This general structure, however, does not apply to organizations operated primarily for a criminal purpose or by criminal means. In their case, fines are set at amounts high enough to strip them of all their assets.

B. Remedying the harm


The judge's first step in sentencing a corporation is to determine the appropriate restitution and remedial orders. Restitution will be ordered unless the court finds that the organization is unable to pay, in which case the court may order only nominal periodic payments. Restitution is based on the amount of harm or damage to the victim and generally equals the full amount of the loss. When there is an identifiable victim, the restitution is made to the victim -- in a lump sum, in partial payments, or in in-kind payments. For example, an entity convicted of defrauding a group of consumers by selling defective appliances or roof repairs will be ordered to pay an amount of restitution to the victims sufficient to repay them for their losses. In addition, the judge may order the company to take further corrective action, such as a product recall.

C. Determining the fine


After determining the amount of the restitution order, the court must decide whether a fine should be imposed in addition to the restitution. If the court found that the organization could not pay the required restitution, then it need not go through the process of determining the appropriate fine, because no fine will be imposed. If it appears that the entity can pay the restitution order, the court should then determine the fine. The restitution, if paid, will compensate the victims. The fine, which is a penalty, will be paid to the government.

1. The base fine


The base fine for a corporation is the amount of the organization's gain from the offense, the amount of the victim's loss caused by the offense, or the amount specified by the Guidelines fine table, whichever is the greatest. The amount specified in the fine table is based on the offense level. The offense level for organizations is determined in the same way as for individuals, with adjustments made for the specific factors set out in each Guideline. Thus, using the fraud example above, if the fraud were committed by a corporation, it would carry a base offense level of 6 (the same as for an individual), plus an additional 8 levels for the amount of the fraud, plus 2 levels for more than minimal planning, for a total of 16. The adjustments for role in the offense and acceptance of responsibility are not taken into account in calculating the base fine, but are relevant in calculating the entity's culpability score, as discussed below. Using the fine table for an offense level of 16 would dictate a base fine of $175,000. But because this is less than the $300,000 loss suffered by the victim, the actual base fine would be $300,000.

2. Determining the culpability score


Once the base fine has been determined, a separate calculation must be done to determine the organization's culpability score. This process involves assigning points, or deducting them, for certain factors. A convicted entity starts with five points. A prior history of criminal activity on the part of the organization can add one or two points, depending on the crime and how long ago it was committed. Criminal conduct that violates an existing court order adds two points. Obstructing the investigation, prosecution or sentencing of the current crime adds three points. Obstruction includes such things as deliberately destroying or altering documents with knowledge that an investigation is underway, encouraging employees or coworkers to lie to investigators, threatening an employee who is cooperating with law enforcement authorities, and/or deliberately misinforming others about their rights and obligations with respect to the investigation. The culpability score increases depending on the size of the corporation and the level of the employees who were involved in the criminal conduct or who tolerated it. For example, a large organization (or unit of an organization) with 5,000 or more employees, in which high-level personnel participated in or condoned the conduct, or in which substantial authority personnel pervasively tolerated the offense, will have five points added to its culpability score. High-level personnel include directors, executive officers, individuals in charge of a major business or functional unit, and individuals with substantial ownership interests. Substantial authority personnel include all high-level personnel, plus individuals who exercise substantial supervisory authority, such as a plant manager or a sales manager, and any other individuals who exercise substantial discretion when acting within the scope of their authority, such as individuals with authority to negotiate or set prices. Two factors will reduce the culpability score for an entity -- an effective compliance program, and self-reporting of wrong-doing. An effective compliance program is defined in the Guidelines and has seven components. These components will be discussed in more detail below, but the focus of the requirements is the deterrence, discovery and remedy of illegal conduct. If an entity has a compliance program that meets these requirements, the culpability score is lowered by three points. Finally, the score may be reduced if the entity reported the offense to law enforcement authorities. A prompt report before the entity became aware of a government investigation will reduce the organization's culpability score by five points. Lesser degrees of cooperation and acceptance of responsibility can result in a reduction of one or two points.

3. Determining the multiplier and calculating the fine


Once the culpability score is determined, the Guidelines establish minimum and maximum multipliers based on that score. The greater the culpability score, the higher the multipliers. The multiplier is then applied to the base fine to determine the range of minimum and maximum fine that the judge can impose. For example, a culpability score of six yields a minimum multiplier of 1.2 and a maximum multiplier of 2.4. If the base fine was $300,000, the minimum fine the judge could impose would be $360,000 and the maximum would be $720,000. In cases involving fraud resulting in large losses, the multipliers can dramatically increase the fine range. For example, assume that a 1,000-employee entity was convicted of a fraud involving $500,000 in losses, which was committed at the direction of the chief operating officer, in which the entity did not self-report and had no compliance plan. The entity starts with five points as its culpability score. The COO's involvement in the fraud, committed by an entity of this size, adds 4 points, for a total of 9 points. The entity did not self-report the crime and had no compliance plan, so it is entitled to no reduction. The final culpability score of 9 yields a minimum multiplier of 1.8 and a maximum of 3.6. These multipliers are applied to the base fine to yield the minimum and maximum fine range. In this example, the base fine is $500,000 (i.e., the greatest of the amount from the fine table ($250,000), the amount of loss to the victim ($500,000), and the amount of gain to the offender ($500,000)). Applying the multipliers, the fine range is $900,000 to $1.8 million. As noted above, the fine is in addition to restitution.

D. Can a judge impose a sentence on an organization outside the Guidelines range?


Under relatively rare circumstances, a judge may impose a sentence greater or less than the range called for by the Guidelines, if the judge finds aggravating or mitigating circumstances of a kind or extent not adequately taken into account by the Sentencing Commission. For example, the court may go below the Guideline range if the organization has substantially assisted the government in investigating or prosecuting an unaffiliated individual or another organization. On the other hand, a higher sentence than the Guideline range may be justified if the offense resulted in death or bodily injury, threatened national security, threatened the environment or involved the bribery of a public official.

E. Probation

1. When would a court order probation for an organization?


In addition to imposing a fine, the judge may place a convicted entity on probation, and must do so in certain circumstances -- for example, if the entity has 50 or more employees and does not have an effective compliance program in place, or if the entity has a prior history of similar misconduct. The probation term is from one to five years for a felony and any period up to five years for a misdemeanor. Probation means that the entity remains under court supervision, through the court's probation office. As discussed more fully below, the court may also impose further conditions on the entity as part of the probation order. The probation office monitors the entity's compliance with such conditions and notifies the court if the entity fails to comply.

2. What kinds of conditions of probation may a court impose on an organization?


The first condition of probation is always that the entity not commit another federal, state or local crime during the term of probation. Another universal condition is that the entity must pay restitution. In addition, the judge may order the entity to give notice to victims of the offense or to publicize the nature of the offense, the conviction, the punishment and the steps the entity will take to prevent recurrence. The organization may be required to file periodic financial reports with the court or the probation officer to ensure that it will be able to pay any deferred restitution or fine. The probation officer or experts hired by the court may examine the books and records of the organization and may question the employees of the organization from time to time during the probation period. The court may also order the entity to develop and implement a compliance program, with periodic reports to the court or probation officer.

If an entity does not comply with the conditions of probation, the court may extend the probation term, impose additional or more restrictive conditions, or revoke the probation and resentence the organization, presumably to a higher fine.

3. Forfeiture
In certain cases, the government is permitted or required to seek a forfeiture order requiring the offender to turn over certain property to the government -- typically only proceeds of the crime. When prosecuting organizations, the government most often relies on the federal law against money laundering to obtain such an order. Although this statute was originally aimed at drug dealers, the government often uses it against legitimate businesses suspected of fraud or similar crimes. For example, an entity that does business with the federal government may be charged with fraud for overbilling the government. The proceeds of the fraud would be the amount of overcharges received by the entity. If the entity moves those funds from one account to another, it may be charged with money laundering in addition to fraud. The money laundering charge not only allows the government to seek forfeiture of those funds, but also carries much stiffer penalties than the fraud charge standing alone.

THE IMPORTANCE OF AN EFFECTIVE COMPLIANCE PROGRAM


Because the existence or nonexistence of an effective compliance program can play a significant role in the sentencing process, it is important to have some understanding of the basic requirements and benefits of such a program.

I. What Is an Effective Compliance Program?


An effective compliance program is defined in the Sentencing Guidelines as "a program that has been reasonably designed, implemented, and enforced so that it generally will be effective in preventing and detecting criminal conduct." The Guidelines specify seven steps that an organization must take in order for its compliance program to be considered "effective."

A. The compliance standards and procedures established by the organization must be reasonably capable of reducing the possibility of criminal conduct. This requirement generally means that an organization's compliance program must address areas of vulnerability, taking into account the practices, procedures and business of that organization. At a minimum, the program must require compliance with all the laws, rules and regulations applicable to that organization's business.

B. A person or persons within the high-level personnel of the entity must have overall responsibility for compliance with the standards and procedures. As noted above, high-level personnel include a director, an executive officer, or a person in charge of a major business or functional unit. This requirement is meant to ensure that the compliance program is taken seriously within the organization. This position is often designated compliance officer. The persons with overall compliance responsibility should have direct access to the board of directors, usually through a compliance or audit committee.

C. The organization has an obligation to exercise due diligence to ensure that individuals with substantial discretionary authority are not inclined to engage in illegal activities. This requirement means at a minimum that the organization must make efforts to determine whether persons in such positions, or proposed for such positions, have prior criminal records. In addition, reference checks of prospective employees should include an inquiry regarding any criminal conduct. The higher the level of the employee, or the more discretionary authority given to the employee, the more thorough the inquiry must be. In addition, many companies use regular performance appraisals to assess their employees' integrity and the quality of their compliance with the organization's standards.

D. The entity must effectively communicate its compliance standards and procedures to its employees and agents. This requirement is usually met through required participation in regularly scheduled training and education programs, or by distributing training and education materials that explain the compliance standards and procedures in a practical manner. New employees should be introduced to the company's compliance standards within weeks of starting employment. Participation in all training and education activities should be documented.

E. The organization must make reasonable efforts to achieve compliance with its standards. This goal is met through monitoring and auditing systems designed to detect criminal conduct by employees. The Sentencing Guidelines do not specify the auditing procedures required. These are left up to each company but likely involve auditing both the compliance processes and the entity's particular areas of potential vulnerability, such as billing, toxic waste disposal, or price-fixing. These areas of vulnerability will vary with each entity, depending on the type of business it is in. In addition, the Guidelines suggest that an entity have a reporting system in place, such as a "hot line," through which employees can report criminal conduct by others without fear of retribution. Many companies also encourage their employees to raise concerns with their supervisors.

F. The organization must consistently enforce its compliance standards through disciplinary mechanisms. This requirement includes disciplining individuals who are responsible for the failure to detect an offense. Discipline must encompass high-level personnel as well as lower-level employees, and should be carefully documented to show consistency and proportionality.

G. Once an offense has been detected, the entity must take reasonable steps to respond appropriately and to prevent further similar offenses, including making modifications to the compliance program. The entity must respond quickly to make sure that the conduct is discontinued. In addition, if the organization chooses to self-report the offense to the government, it will receive the most significant benefit from self-reporting within 30 to 60 days of the discovery of the offense. Choosing to self-report an offense to government authorities is a significant decision which should be made only after careful consideration and with the advice of knowledgeable counsel.

According to the Guidelines, the precise actions necessary for an effective compliance program will depend on a number of factors. These include the following, among others:

The size of the organization. This is relevant in determining whether the program is sufficiently formal to actually prevent and detect violations of law. Although a compliance program for a small organization may be relatively informal, a large organization generally will have to establish written policies and procedures for its employees.

Whether the compliance program is tailored to address the types of offenses that are likely to occur in the organization's line of business. For example, an entity that handles toxic substances must have standards and procedures that ensure the safe and lawful handling of those substances.

The organization's prior history. This may indicate the types of offenses that the organization should have sought to prevent. For example, a history of similar misconduct in the past casts doubt on whether the organization took all reasonable steps to prevent the current problem.

The Guidelines also state that failure to incorporate and follow applicable industry practice or any standards called for by applicable government regulations will "weigh against" finding that the program is effective.

II. What Is the Impact of an Effective Compliance Program?

A. Reduction of the fine


As discussed above, an effective compliance program can substantially reduce the fine imposed on an organization convicted of a crime. The three-point reduction in the culpability score for an effective compliance program would reduce the score in the above fraud example from nine to six. The multipliers then would be a minimum of 1.2 and a maximum of 2.4, instead of 1.8 to 3.6. Applied to a loss of $500,000, the fine would be between $600,000 and $1.2 million, as compared to a range of $900,000 to $1.8 million without an effective compliance program.

B. Deterrence and avoidance of improper conduct


An effective compliance program has benefits beyond reducing fines in the event of a conviction. The training, discipline, monitoring and auditing all serve to deter those who otherwise might be inclined to violate the law, or who might unwittingly expose the entity to criminal liability. By developing, implementing and genuinely supporting a compliance program encompassing the elements set forth in the Guidelines, business organizations -- and their employees, managers, executives and directors -- can help ensure that they are doing everything possible to conduct their business in compliance with the law.

C. Early discovery of improper conduct


In the event the compliance program is not successful in completely deterring criminal conduct, it should uncover such conduct promptly. This effect depends on the regular, consistent and thorough auditing component of the compliance program. It is enhanced by the reporting system, which allows employees to report suspicious conduct anonymously. An entity that learns of illegal conduct must ensure that the conduct stops and may also self-report the conduct, thus leading to an additional reduction in the culpability score of up to 5 points in the event of a criminal conviction. Again, self-reporting is a very significant step, the advisability of which depends largely on the facts and the applicable law, and should be undertaken only with the advice of counsel.

EDUCATIONAL HANDBOOK: SECURITIES, MONEY LAUNDERING, AND THE USA PATRIOT ACT
This comprehensive resource provides valuable information and tools that will help to supplement your ethics and compliance program training efforts related to Securities, Money Laundering and USA PATRIOT Act compliance. It includes a Topic Overview, Frequently Asked Questions about the topic area, a Top Ten list revealing the most important risks to your organization, rounded out by a Quiz that will help to assess your employees' knowledge.

TOPIC OVERVIEW
INTRODUCTION
Given how easily vast sums of money pass through securities accounts, law enforcement authorities have increasingly focused on the securities industry as a potential haven for money laundering activity. This is especially true after the passage of the USA PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act in October 2001, which substantially increased the anti-money laundering obligations of broker-dealers in the interest of combating terrorism. Law enforcement officials know that criminals and terrorists can and do use securities accounts to transfer and disguise proceeds of illegal activities. In addition, securities fraud is a type of criminal activity that can provide the basis for money laundering allegations. Therefore, prosecutors are apt to include money laundering charges in an indictment for securities fraud. As a result, we are seeing more and more federal money laundering investigations involving broker-dealers and their employees.

These investigations are no laughing matter. They can be expensive, they can damage the business and personal reputations of the people investigated, and--if they lead to a trial and conviction--the people involved can face substantial civil and criminal penalties, including prison time, fines, and forfeiture of property. This is serious business, and you need to know how to spot money laundering and how to prevent it at your firm.

A number of features make the securities business an attractive target for money launderers. First, it is, by nature, international. Brokerage firms frequently have offices all over the world, and it's common for transactions to be conducted by wire transfer from, to, or through numerous countries. Second, the securities markets are highly liquid, which means that purchases and sales of securities can be made and settled quickly. Third, because compensation at securities firms is often based on sales commissions, there is, among less scrupulous brokers, an incentive to disregard the source of customer funds. Finally, in some countries, securities accounts can be maintained by brokerage firms as nominees or trustees, thus permitting the identities of true beneficiaries to be concealed.

For these reasons, you need to be aware of, and sensitive to, circumstances or transactions that suggest that a securities account is being used to launder money. We'll take a look at some potential indicators of suspicious activity later on. But for now, keep in mind that you must be alert to suspicious circumstances. Otherwise, you could expose yourself or your employer to substantial criminal or civil penalties.

You also need to know and understand the record-keeping and reporting requirements that apply to you. You're probably aware that you and your firm are required to report any currency transactions over $10,000 to the federal government. In addition, some broker-dealers affiliated with banks are required to adopt suspicious activity reporting procedures that may require you to report certain unusual activity in an existing customer account. Under the USA PATRIOT Act, the suspicious activity reporting requirement will apply to all broker-dealers, as will specific customer due diligence requirements, in order to monitor account activity and to identify when accounts might be being used to launder money.

This handbook is intended to help you understand the federal money laundering laws and the procedures many broker-dealers have adopted to ensure compliance. It is not intended to provide advice or guidance on how you should act in a particular situation. You should also understand that the money laundering laws are complex and that prosecutors are constantly seeking to expand them to apply to new situations. Moreover, not all broker-dealers have adopted the same know-your-customer and suspicious activity reporting procedures. You should therefore consult your firm's law or compliance department to determine what to do in any particular case.

We'll first discuss some general background, including what money laundering is and how it works, and then follow with the specifics of the money laundering laws and how they apply to brokerage firms. We'll also cover some of the potential indicators of suspicious activity that you should watch for and how you can get to know your customer to prevent money laundering. Finally, we'll cover specific reporting and record-keeping obligations for brokerage firms and the penalties for failing to comply with the money laundering laws.

Please note that LRN ECA resources and materials are intended for internal use only by LRN ECA subscribers and distribution to non-subscribers outside of your organization is not authorized without express written permission from LRN.

www.eca.lrn.com

WHAT IS MONEY LAUNDERING?


I. In General

Money laundering typically evokes images of drug cartels, suspicious-looking characters, and suitcases full of cash. Yet many activities and transactions we usually don't think of as money laundering may violate the law. You therefore need to know what money laundering is and how to spot it. Simply stated, money laundering is the process of making "dirty money" clean. It typically involves concealing the existence or source of funds and then disguising those funds by using them for apparently legitimate purposes. There are two kinds of dirty money. The first is money that comes directly from illegal activities, such as drug sales, gambling, larceny, bribery, and securities fraud. The second is money that comes from legitimate activities but is then concealed for an illegal purpose--for example, a businessman wants to hide legitimate income in order to evade taxes. Once it's hidden, it's dirty money.

II. The Stages of Money Laundering

Money laundering usually involves three stages: placement, layering, and integration. Dirty money is initially placed into the banking and securities system, layered to obscure its origins, and finally integrated or reintroduced into the legitimate economy as "clean" money. These three stages often overlap, however, and should be viewed as seamless parts of a single ongoing process.

A. Placement

Placement occurs when dirty money--often in the form of cash--is first placed into the financial system. This can be done in several ways--for example, depositing cash directly into a bank or brokerage account, converting the cash into money orders or other cash equivalents that are then used to open an account, or funneling the cash through front businesses, such as neighborhood laundries or grocery stores, that make the actual deposits. However it's done, placement is aimed at getting the dirty funds into the system, where they can easily be moved from place to place.

Remember, a money launderer who uses a brokerage account is mainly concerned with having the funds accepted into the system, and then moving them around. Investment returns are likely to be an afterthought, at best.

Example 1: Jack uses his brokerage account to write and cash checks and make wire transfers, but he rarely invests in securities and seems unconcerned about their performance. This suggests that Jack may be using his account for placement rather than investment. You should report this activity to your supervisor or to your law or compliance department.

B. Layering

Layering is using complex financial transactions to move funds through various accounts and entities, both domestic and foreign. The purpose here is to put even greater distance between the funds and the illegal activities that generated them. By moving the funds frequently through many accounts and entities, the money launderer can further conceal their source, ownership, and location. For example, the funds might be moved through several foreign and domestic accounts and end up in an offshore company secretly controlled by the money launderer, which then uses the funds to make apparently legitimate loans to a domestic company owned by the money launderer's cousin. At each stage of the process, the source of the funds becomes more difficult to trace, particularly if the funds pass through countries with strong financial secrecy laws. This is just one simple example, however--the variety and complexity of layering techniques are virtually unlimited. Layering is often done through wire transfers, which enable the launderer to move money quickly from account to account or country to country. Layering is also the step at which the brokerage industry is most susceptible to money laundering. In short, you should be suspicious of any activity involving customer funds that makes no sense from a business or personal standpoint. If a transaction doesn't make sense to you, it may be an attempt to create a confusing paper trail to obscure the original source of the funds.

Example 2: Bill is a customer of Global Brokerage. He deposits a large sum of money and then asks Ed, his registered rep, to transfer the money to an account either at the firm, another firm, or a bank for a recently formed company that lists Bill as its president. The address of the corporation is a post office box. Ed doesn't recognize the name of the corporation, and Bill hasn't explained what the corporation does. Ed should report this activity to his supervisor or to his law or compliance department, because it's possible that Bill has placed "dirty money" with the firm and then tried to use the firm to layer those funds through transfer into a corporate account.

C. Integration

After placement and layering, illicit funds are integrated into the general economy. Basically, the money is now being spent. This may be done through a variety of activities, such as buying homes, cars, or jewelry; buying or investing in a private business; or paying employee salaries and other routine business expenses.


Example 3: A customer deposits a large sum of money into an account. The funds represent the proceeds of illegal drug sales. He then day-trades several different blue-chip securities so that he has effectively converted the entire value of the account into stock and back into cash in a very short period of time. The customer then asks the brokerage firm to open accounts in the names of his wife and children, gives himself discretionary authority over the accounts, and transfers the bulk of the assets from his account into the new accounts. He then writes checks from those accounts to pay for such things as a car for his wife and college tuition for his children. The illegal funds have thus been integrated.

Integration can take many forms and can often appear to be legitimate business activity. You need to be aware of your customer's background and business to spot activities that might otherwise appear legitimate.

Example 4: Al, a drug dealer, sets up a securities account using drug money. He buys $10,000 worth of securities through the account and pledges the securities as collateral for a loan to a fake business. Al then defaults on the loan, and the securities are liquidated to repay it. As a result, Al keeps the loan proceeds, and the lender is paid through what appears to be a standard liquidation. Al's illegal drug funds have thus been successfully laundered.

D. Money laundering and the Internet

You also need to be alert to money laundering through the Internet because the federal authorities know that it takes place and watch for it. Although the initial placement of illegally generated money still requires some contact between the customer and the broker-dealer, the Internet provides a fast, clean mechanism to facilitate placement, layering, and integration. Once a customer has successfully placed assets with a broker-dealer, it becomes a simple matter to transfer money, buy securities, pledge the assets, or perform any number of commercial transactions online. The transactions used to layer and integrate the funds are nothing new--they are the same old schemes that the money laundering statutes were designed to combat. The Internet simply provides a much faster and more impersonal means of laundering the funds.

Example 5: Jack, a drug dealer, opens two online brokerage accounts: one with Global Online Brokerage and one with Internet Trading. He arranges to wire several thousand dollars from two bank accounts into each of the brokerage accounts, but in amounts just below reporting thresholds. He then day-trades several times, at low commission rates, netting just a little less than his opening balance. Finally, he arranges for a series of wire transfers to yet another bank account. Not once does he need to speak with anyone from either brokerage firm.

Although in some ways the Internet makes it more difficult for brokerage firms to know who their customers are and whether they might be engaging in criminal activity, it can also be used to guard against money laundering. Firms can use databases and other publicly available information to learn more about online customers. Automated exception reports and other monitoring systems can also help brokerage firms and their employees better identify suspicious customer activity. Following up directly with customers who have been identified by these systems can help the firm verify the identity and activities of the customer.


OVERVIEW OF THE MONEY LAUNDERING LAWS


Congress has passed three major laws designed to combat money laundering:

the Currency and Foreign Transactions Reporting Act (Currency Act), passed in 1970;
the Money Laundering Control Act of 1986; and
the USA PATRIOT Act, passed in October 2001.

These laws require banks, broker-dealers, and other financial institutions to comply with various reporting and other requirements. They also prohibit such institutions from knowingly helping others launder funds. Let's take a closer look at these requirements.

I. Currency Reporting

A. In general

Banks, brokerage firms, and other financial institutions must file a Currency Transaction Report (CTR) with the Internal Revenue Service for any cash transaction of more than $10,000. The reporting rule covers any single transaction of more than $10,000, as well as multiple transactions by or on behalf of the same customer during the same day that together total more than $10,000. If the transaction involves currency and/or monetary instruments totaling more than $10,000 that are physically transported into or out of the United States, the broker-dealer or other financial institution must file a Report of International Transportation of Currency or Monetary Instruments (CMIR) with the Commissioner of Customs. The notion underlying these requirements is that criminals deal primarily in cash while most legitimate businesses do not fear a paper trail. Reports of large currency transactions are therefore useful in helping to detect criminal activity. Although large cash transactions generally are not illegal in and of themselves, they must be reported.

B. Structuring

The $10,000 reporting threshold has generated a cottage industry in which low-level operatives scurry about to different banks, making cash deposits just under the $10,000 limit--a practice known as structuring, or "smurfing" (after the little blue cartoon characters that the operatives are said to resemble as they scurry from bank to bank). Structuring is illegal, and banks, brokerage firms, and other financial institutions must be alert to any efforts to evade the currency reporting requirement in this manner. Broker-dealers may be liable if an employee assists a customer in structuring a transaction to avoid these reporting requirements.
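The same-day aggregation rule and the just-under-threshold pattern described above are what an automated exception report actually has to compute. The following Python monitor is an added example, not part of the LRN handbook or any firm's system. The $10,000 CTR threshold follows the text; the three-day window, the $3,000 floor, the customer names and the institution names are assumptions chosen for illustration, and the transactions are constructed data.

```python
"""Added example (not from the handbook): CTR aggregation and structuring detection
over a constructed set of cash transactions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# A CTR is required when a customer's currency transactions at one institution,
# aggregated over a single business day, exceed $10,000 (31 CFR 1010.311 / 1010.313).
CTR_THRESHOLD = 10_000
# Hypothetical tuning values for the structuring monitor, not regulatory figures.
STRUCTURING_WINDOW_DAYS = 3   # sliding window over which a customer's cash is combined
STRUCTURING_FLOOR = 3_000     # ignore small deposits that are not plausibly a split


@dataclass(frozen=True)
class CashTxn:
    customer: str
    day: date
    amount: int        # whole dollars
    institution: str   # institution that physically handled the cash


def daily_totals(txns):
    """Aggregate cash per (customer, institution, day): the unit a CTR decision is made on."""
    totals = defaultdict(int)
    for t in txns:
        totals[(t.customer, t.institution, t.day)] += t.amount
    return dict(totals)


def ctr_required(txns):
    """Return the buckets whose same-day cash total exceeds the CTR threshold."""
    return {k: v for k, v in daily_totals(txns).items() if v > CTR_THRESHOLD}


def structuring_alerts(txns, window_days=STRUCTURING_WINDOW_DAYS, floor=STRUCTURING_FLOOR):
    """Flag customers whose cash, combined across institutions and across a sliding window,
    exceeds the CTR threshold even though no single bucket did: the split itself is what
    kept every CTR from being filed. Returns {customer: [(first_day, last_day, total)]}."""
    filed = ctr_required(txns)
    candidates = defaultdict(list)
    for t in txns:
        # Buckets that already produced a CTR are not evasion; drop them from the pattern.
        if t.amount >= floor and (t.customer, t.institution, t.day) not in filed:
            candidates[t.customer].append(t)

    alerts = defaultdict(list)
    for customer, items in candidates.items():
        items.sort(key=lambda t: t.day)
        for i, first in enumerate(items):
            last_day = first.day + timedelta(days=window_days - 1)
            window = [t for t in items[i:] if t.day <= last_day]
            total = sum(t.amount for t in window)
            if len(window) >= 2 and total > CTR_THRESHOLD:
                alerts[customer].append((first.day, window[-1].day, total))
                break   # one alert per customer is enough for a reviewer queue
    return dict(alerts)


# Constructed sample data (not real customers): "alan" splits $23,000 across two
# institutions and two days so that no bucket exceeds $10,000; "carol" deposits $12,000
# at once, so a CTR is filed and nothing is evaded; "dave" makes one modest deposit.
SAMPLE = [
    CashTxn("alan", date(2003, 3, 3), 9_000, "Global Securities"),
    CashTxn("alan", date(2003, 3, 4), 8_000, "Global Securities"),
    CashTxn("alan", date(2003, 3, 4), 6_000, "First Bank"),
    CashTxn("carol", date(2003, 3, 4), 12_000, "Global Securities"),
    CashTxn("dave", date(2003, 3, 4), 4_000, "Global Securities"),
]


def run_sample():
    """Run both checks over SAMPLE and return plain, comparable values."""
    ctrs = {f"{c}@{inst}:{d.isoformat()}": v
            for (c, inst, d), v in ctr_required(SAMPLE).items()}
    alerts = {c: [(a.isoformat(), b.isoformat(), tot) for a, b, tot in ws]
              for c, ws in structuring_alerts(SAMPLE).items()}
    return ctrs, alerts


if __name__ == "__main__":
    ctrs, alerts = run_sample()
    for bucket, total in ctrs.items():
        print(f"CTR required: {bucket} total ${total:,}")
    for customer, windows in alerts.items():
        for first, last, total in windows:
            print(f"Possible structuring: {customer} moved ${total:,} in cash "
                  f"between {first} and {last} with no single CTR trigger")
```

The CTR check deliberately keys on one institution per day, because that is the unit the filing obligation attaches to; the structuring check then widens the view across institutions and days, which is exactly the information a launderer is counting on nobody combining. In practice the cross-institution view only exists where the firm sees both sides (affiliated bank and broker-dealer) or where a customer volunteers it, which is why the handbook tells the rep to escalate what the customer says, not only what the books show.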
For obvious reasons, transactions of $9,999 should raise suspicions. And even if you file a CTR or CMIR, you should still report any suspicious transaction to your firm's compliance or law department.

Example 6: Your customer comes to you and requests that $15,000 worth of securities be liquidated and the funds wired to his U.S. bank account. You must report the wire transfer, and your employer must file a CTR.


Example 7: Tuesday morning, a customer asks you to liquidate $5,000 worth of securities, have a check issued to bearer, and mail the check to an address overseas. Tuesday afternoon, he asks you to liquidate another $7,000 worth of securities and send the $7,000 by overnight courier to the same address. You must report this, and your employer must file a CTR and a CMIR.

Remember, however, that even if no CTR or CMIR is required to be filed, multiple transactions over multiple days, even at different firms, might indicate an attempt to structure transactions to evade the reporting requirements. These transactions should also be reported to your law or compliance department.

Example 8: Alan, a customer of Global Securities, deposits $8,000 into his brokerage account. As he does so, he says to Bill, his registered rep at Global, that he just deposited $6,000 at his bank earlier that day and $9,000 yesterday to his Global account. Alan also winks and says that he hates paperwork. No CTR is required to be filed because the single-day $10,000 threshold has not been reached. However, because Bill learned about the two other deposits and that Alan is probably trying to evade the reporting requirements, he should report the transactions as suspicious activity.

II. Suspicious Activity Reporting

As indicated above, banks and other financial institutions, including broker-dealers, must report suspicious activities that indicate possible money laundering. All broker-dealers are required to report suspicious activity effective January 1, 2003. Suspicious activities must be reported in writing to the U.S. Treasury Department's Financial Crimes Enforcement Network (FinCEN), which is responsible for establishing, overseeing, and implementing policies to prevent and detect money laundering. The reports must be made on a government form known as a Suspicious Activity Report (SAR).

Before Congress passed the USA PATRIOT Act in October 2001, the only brokerage firms required to file SARs were broker-dealer subsidiaries of banks. The NASD, NYSE, and other self-regulatory organizations (SROs) encouraged their other member firms to file SARs voluntarily, and many did so. Under the USA PATRIOT Act, all brokerage firms will be required to file SARs and to establish enhanced know-your-customer, due diligence, and other policies and procedures aimed at detecting possible money laundering. We'll take a more detailed look at these requirements--and at some examples of suspicious activities--later in this handbook. You should also note that some states have their own laws requiring currency reports, SARs, or both.

III. Helping Others Launder Money

A. In general

The ability to transfer funds into securities accounts through wire transfers or instruments such as cashier's checks or bearer securities can make it fairly easy for customers to use their accounts for money laundering purposes. For example, a drug dealer can use cash to buy money orders, then deposit the money orders into a brokerage account.


For this reason, the money laundering laws prohibit any brokerage firm or other financial institution from engaging in a financial transaction if it knows that the transaction involves the proceeds of a crime and its purpose is to:

conceal or disguise the nature, location, source, ownership, or control of the funds;
avoid federal or state currency reporting requirements through structuring;
promote crime; or
evade taxes.

Anyone who knowingly assists a money launderer in this way is also guilty of money laundering. Here are some examples: Assisting concealment: Example 9: Anne is a registered representative for Global Brokerage. Her customer, Phyllis, tells her that her recent profitable trade in Acme High Tech was due to inside information about Acme's just-announced merger, which she got from Acme's CEO. She asks Anne to take the money and buy 1,000 shares of a different company, XYZ Technologies, and then sell the XYZ shares the same day and buy yet another company's stock. Phyllis's requests might be attempts to conceal the source, location, and ownership of the illegal insider trading proceeds. If Anne helps her, she too may be engaging in money laundering. Assisting structuring: Example 10: Mark, a Global Brokerage customer, brings Alex, a Global registered rep, $70,000 in cash and asks him to make eight transfers of less than $10,000 each over a three-day period to other securities and bank accounts held in third-party names. He gives Alex a wink and mentions how paperwork is such a hassle. Alex knows that Mark is a drug dealer, but doesn't really care where the money came from. It turns out the cash came from the recent illegal sale of cocaine. If Alex complies with Mark's request to structure the transfers, he would be engaging in money laundering--and violating currency reporting requirements--and he could go to jail for doing so. Assisting criminal activity: Example 11: Ned, a Global Brokerage trader, enters into an agreement with other traders and officers at Company Incorporated to pump up Company's stock price by falsely touting its stock on the Internet and through market manipulation. The proceeds from this scheme are deposited into an account over which Ned has discretionary control and are used to finance a "pump-anddump" scheme on yet another stock. 
Ned has promoted a criminal activity--securities fraud--by using the original fraud proceeds to engage in other illegal pump-and-dump schemes. He can be found guilty under the money laundering laws and federal and state securities laws.

Assisting tax evasion:

Example 12: Ed, a Global Brokerage customer, tries to deposit with Bill, a Global registered rep, a check made out to Ed for $9,900. The check appears to be drawn on the account of Ed's poolhall business, Mind Your Pools & Cues. The memo line at the bottom of the check says "Repayment of Loan." Ed tells Bill that the money represents some of last year's proceeds from Ed's business, but that he hasn't reported the income on his taxes and that in fact he really didn't loan the company any money. If Bill accepts the check while knowing that Ed is trying to evade the tax laws, Bill might have also violated the money laundering laws.

Please note that LRN ECA resources and materials are intended for internal use only by LRN ECA subscribers and distribution to non-subscribers outside of your organization is not authorized without express written permission from LRN.

www.eca.lrn.com

A. The $10,000 rule

In addition to the above situations, employees of a broker-dealer can be guilty of money laundering if they knowingly receive or distribute through the broker-dealer $10,000 or more in property they know is derived from criminal activities. This is true whether or not the employee knew that the proceeds would be used for one of the purposes discussed above--for example, to promote criminal activity, to conceal the proceeds, or to avoid reporting requirements. Essentially, this law makes it illegal to engage in any transaction involving more than $10,000 in funds or other property if you know they came from criminal activity.

Example 13: Bill has an account with Global Brokerage. He brings in $11,000 to deposit into his brokerage account, telling his broker, Dennis, that the funds came from his drug dealing business. Dennis really doesn't believe they will be used in further criminal activity and doesn't think the deposit was done to conceal the funds. Despite Dennis's beliefs, if he accepts the check from Bill, Dennis has probably engaged in money laundering because he knew the funds came from Bill's drug dealing and that they exceeded $10,000.

B. Financial transactions

For purposes of the money laundering laws, "financial transaction" includes virtually any activity involving a client's funds or account with the firm.
Examples include a deposit; withdrawal; transfer between accounts; currency exchange; loan; purchase or sale of stock, bond, certificate of deposit, or other instrument; use of a safe deposit box; or any other payment, transfer, or delivery by, through, or to a financial institution, by whatever means. Although the traditional view of money laundering involves shady characters with bags full of cash, the laws are not, in fact, limited to transactions in cash or currency. Under the law, any monetary instrument is covered. These include coin or currency (of any country) as well as traveler's checks, personal checks, bank checks, money orders, and even bearer securities or other negotiable instruments. Each type of instrument involves special issues. Many broker-dealers restrict or prohibit cash deposits and third-party checks. If a customer brings you cash, you should be aware of the restrictions in effect at your firm. However, just because your firm might prohibit cash transactions doesn't mean you shouldn't worry about money laundering. As discussed later, there are special record-keeping requirements for wire transfers over $3,000 that will likely require you to report such wire transfers to your law or compliance department. And if your firm accepts third-party checks, you should know the third party and understand where or how it got the money to make the investment.


C. Knowledge

The "knowledge" standard relates to two issues: whether someone "knew" that the proceeds were from criminal activity and whether someone "knew" that a transaction was intended for one of the purposes mentioned earlier--to promote crime, for example. You might assume that there's no problem unless you actually knew these things for sure. But you would be wrong. For these purposes, "knowledge" includes more than actual knowledge--knowing, for example, that your customer's money came from a drug deal because he told you so. It also includes turning a blind eye to suspicious circumstances that indicate that money laundering may be occurring. Therefore, you should be vigilant in policing the activity in your customers' accounts. Burying your head in the sand can result in grave consequences for you and your firm. Remember, your actions and the activities of your customer may be judged later by prosecutors or judges with the benefit of "20/20 hindsight," flexible federal laws, and significant penalties. Therefore, you need to be especially careful at the outset to identify and prevent a transaction that might give rise to a money laundering prosecution. The key is to be alert to the potential indicators of suspicious activity. We'll take a closer look at these indicators when we discuss reporting suspicious activities. In the meantime, remember this: if you know what your customer is up to or choose to ignore the suspicious activity and help your customer launder dirty funds, you could find yourself being prosecuted for money laundering along with your customer.

Example 14: Jack, a registered rep, gets a new client, Brian, who claims he's a student who works part time at the local convenience store to help pay for college. After about two weeks of little trading activity, Brian deposits more than $100,000 into his account over three days. He then asks Jack to wire the funds to a bank account in the Cayman Islands.
Jack asks Brian where the money came from, but Brian simply tells Jack not to worry about it. Jack decides he won't probe any further, because he just doesn't want to know. Jack also tells Brian that his firm must report the transaction because it's greater than $10,000. Brian hesitates at first and then suggests that Jack transfer the funds in 11 increments of $9,000 and one $1,000 transfer. Jack, although now very suspicious, agrees to transfer the funds. If it turns out that Brian was engaged in criminal activity, Jack could be convicted of violating the money laundering laws. This is a high price to pay for ignoring some rather obvious suspicious activity. One other thing: it might seem obvious, but if you're told by a customer that cash or other proceeds are from criminal activity, and you nonetheless engage in a transaction or transfer for the customer, you have probably violated the money laundering laws. This is true even if the person you're dealing with turns out to be a government informant or undercover law enforcement agent. These kinds of "sting" operations are permitted to find and punish people who are willing to launder money on a criminal's behalf.


D. International transfers

Although we'll discuss other potential indicators of suspicious activity later, one thing you should watch out for is where the money is going to or coming from. Some countries may be very susceptible to money laundering--for example, because they have strict bank secrecy laws, encourage foreign investment without asking many questions, or have few resources available to police such activity. The U.S. government has begun focusing on transfers to accounts in certain countries, warning banks and other financial institutions to be particularly vigilant about transactions involving these destinations. The targeted countries currently include:
    Cook Islands
    Dominica
    Egypt
    Grenada
    Guatemala
    Hungary
    Indonesia
    Marshall Islands
    Myanmar
    Nauru
    Nigeria
    Philippines
    Russia
    St. Vincent and the Grenadines
    Ukraine

The money laundering laws are even stricter when it comes to international transfers. If you know that an international transfer is being made as a way to further criminal activity, it is considered money laundering even if the funds were legitimately acquired. Therefore, you should be especially wary of any request to wire or otherwise transfer money to or from accounts in the listed places. You should also be on the lookout for places that are not on this list but that may be susceptible to money laundering.

Example 15: Tom, a drug dealer, has a securities account at Global Brokerage. He inherits $20,000 from a rich uncle. Tom deposits the funds in his securities account and has his registered representative, Mark, wire transfer the money to his bank account in Panama. Tom tells Mark that he's transferring the money so he can use it to pay for illegal drugs that he will bring into the United States. Even though Tom got the money legitimately, the transfer of the funds outside the United States for the purpose of furthering Tom's drug business is illegal, and both Tom and Mark are guilty of money laundering.

SUSPICIOUS ACTIVITIES AND KNOW-YOUR-CUSTOMER ISSUES


Because money laundering laws are so broad and don't allow financial institutions to turn a blind eye, knowing your customer is critical to preventing money laundering problems. You must therefore be sure to follow the know-your-customer procedures in effect at your company. In addition, it's up to you and your employer to police activity in securities accounts for suspicious behavior, and--when you detect such behavior--to prevent it from occurring. The best way to do this is to monitor the customer's use of the account and determine whether it's consistent with the relevant information regarding the customer's financial and securities sophistication, investment history, and investment strategy.

I. Suspicious Activity Reporting

A. In general

Many firms have adopted procedures designed to ensure compliance with money laundering laws. These procedures are commonly referred to as the know-your-customer and Suspicious Activity Reporting (SAR) rules. They are modeled on the rules that apply to banks and broker-dealer subsidiaries of banks. You're probably familiar with the know-your-customer rules already in place at your firm for suitability and other purposes. While similar to FinCEN's rules in some respects, they may differ in others. Therefore, it's likely that your firm may already have specific policies and procedures that apply to you, and it's important for you to understand and follow those policies and procedures. In addition, the NYSE and NASD have urged member firms to adopt suspicious activity reporting procedures and to discipline members who fail to have procedures in place to detect and report suspicious activities.

B. Reporting requirements

Until January 1, 2003, the details of what you need to report will depend on whether you work for a broker-dealer that is a subsidiary of, or affiliated with, a bank.
Broker-dealers that are bank subsidiaries are already subject to FinCEN rules and must report
    any known or suspected involvement by an officer, director, or employee of the broker-dealer in criminal activity involving transactions through the broker-dealer
    any suspected or known criminal activity when the amount of money involved is $25,000 or more in transactions through the broker-dealer, regardless of whether a suspect can be identified
    any transaction or transactions equaling $5,000 or more that involve potential money laundering or violations of the transaction reporting requirements
    any transaction or transactions equaling $5,000 or more when the transaction has no business or apparent lawful purpose or is unusual for the customer, and the institution, after reasonable investigation, has no explanation for it

Bank broker-dealers must report any attempt to engage in these activities as well as the activities themselves. After January 1, 2003, under the USA PATRIOT Act regulations, all brokerage firms, regardless of whether they are affiliated with a bank, are required to file a SAR for any transaction conducted or attempted by, at, or through a broker-dealer involving (separately or in the aggregate) funds or assets of $5,000 or more for which
    the broker-dealer detects any known or suspected federal criminal violation involving the firm, or
    the firm knows, suspects, or has reason to suspect that the transaction
        involves funds related to illegal activity,
        is designed to evade the regulations, or
        has no business or apparent lawful purpose and the firm knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction

It's expected that the Treasury Department will issue regulations on SAR reporting soon that may provide additional guidance. The $5,000 reporting threshold doesn't mean that illegal activity involving less than that amount need not be reported. You should report any suspicious activity you discover to the appropriate contact person in your firm, regardless of the amount involved. Your firm will decide under what circumstances it will file the SAR. As a general matter, to protect yourself and your firm, and regardless of the $5,000 threshold, if you suspect that criminal activity is occurring at or through your firm, you should report the activity to your law or compliance department. In addition, you should be alert for suspicious activities in areas of your firm where you might not typically expect money laundering to occur. For example, you may work for a clearing broker--a firm that clears securities transactions for other firms (introducing brokers). While a clearing agreement will set forth the respective responsibilities of the clearing and introducing broker to adopt and follow know-your-customer procedures and to detect and report suspicious activity, such responsibilities generally remain with the introducing broker. The clearing broker's responsibility will typically not extend beyond producing reports (such as exception reports) that may assist the introducing broker to fulfill its responsibilities regarding know-your-customer procedures and suspicious activity reporting. Nevertheless, particular situations may arise that will alter that division of responsibility: if, for example, the clearing broker discovers that certain customers of the introducing broker, or the introducing broker itself, is engaged in money laundering, or if there is a particularly close relationship between the introducing and clearing brokers. 
In such cases, the clearing firm might have knowledge of customer transactions or other activities that point to possible money laundering violations. Therefore, if you're not sure what to do in a particular situation, report any instances in which you believe money laundering might be occurring at the introducing broker to your law or compliance department. Finally, if the firm reports a particular suspicious activity, it's illegal for you to tell the customer. In addition, it's illegal to disclose the SAR, or the fact that a SAR was filed, except to law enforcement agencies or securities regulators.

C. Reporting safe harbor

If you're not sure whether something is suspicious, you should inform your law or compliance department. The reporting laws contain a safe harbor for firms and their employees who report suspicious activities. This means that if the firm reports to the authorities what it believes to be a customer's suspicious activities, the firm and its employees are generally protected from a lawsuit brought by the customer for reporting the activity, even if it turns out to be legitimate. You should, however, have a good-faith suspicion that the law may have been violated and that the account or accounts are connected to the suspicious activity. In other words, you are not allowed to abuse the safe harbor.

D. Examples of suspicious activities

While it's impossible to list every potential situation that may be deemed suspicious, the activities can be segregated into two general categories: customer information and customer account activity.

Here are some of the potential indicators of suspicious activity that you should be alert to concerning customer information: The customer seems unusually concerned about privacy. She is reluctant to provide routine information about identity, source of funds, business activities, and bank references that you would expect a customer to provide as part of normal account-opening documents. The customer provides information that is false or suspicious when verified. Examples include a phone number being disconnected, an address listed as a business address being in a vacant building, or an office space that seems inconsistent with the description of the business. The customer is reluctant to proceed when informed of currency reporting requirements. The customer withholds information necessary to complete required transaction reports. The customer refuses to identify or fails to indicate any legitimate source for the funds or other assets. The customer's appearance or demeanor is unusual or the customer acts excessively nervous under the circumstances. The customer is introduced by an overseas agent, affiliate, or other company based in a country that's known for drug trafficking, terrorism, or money laundering. The customer has no apparent reason for opening an account or using the firm's services, or for maintaining an account in a particular geographic region--for example, there's an office closer to the customer than the one the customer uses. The customer is the subject of news reports or rumors indicating that he is engaged in illegal activities or is under investigation by a government agency. The customer claims to be an agent (such as a lawyer or accountant) for someone else but does not reveal the identity of his principal or permit you to speak to him. The customer has difficulty describing his business or lacks general knowledge of his industry. 
The customer is from, or has accounts in, a country identified as a noncooperative country or territory by the Financial Action Task Force (FATF), which is an international organization of several countries, including the United States, dedicated to combating international money laundering. Here are some examples of customer transactions or account activity that might be suspicious under the circumstances: The customer wants to engage in transactions that lack business sense or apparent investment strategy, or that are inconsistent with the customer's stated business strategy. The customer engages in transactions that appear to be beyond his needs. The customer opens multiple accounts under different names or different business names, then makes deposits of just under $10,000 in each of them at the same time. The customer has multiple accounts under a single name or multiple names, with a large number of interaccount or third-party transfers. The customer tries to pay by using third-party checks. The customer opens an account using sequentially numbered monetary instruments that were purchased the same day and are just under bank reporting thresholds (for example, $9,900). The customer makes frequent deposits or withdrawals of large amounts of money for no apparent business or personal reason, or for a business that does not generate such large amounts of money.


The customer attempts to make frequent or large deposits of cash, insists on dealing only in cash equivalents, or asks for exemptions from the firm's policies relating to the deposit of cash and cash equivalents. The customer frequently deposits funds in the account and immediately requests wire transfers to another city or country, when such activity is inconsistent with her business or personal activities. The customer frequently receives wire transfers from another city or country and purchases securities for payment to, or for the benefit of, a third party. Wire activity in the customer's account increases compared to prior account activity. The customer begins wiring funds to another country when such transactions have not occurred before or are inconsistent with past customer behavior. The customer engages in transactions at unusual times from unusual places. The customer doesn't show concern regarding risks, commissions, or other transaction costs. The customer makes wire transfers to countries such as the Marshall Islands, Russia, or other countries identified as havens for money laundering when such transfers are inconsistent with personal or business activities. The customer attempts to deposit bearer securities, third-party checks, or foreign bank drafts. The customer makes a funds deposit for the purpose of purchasing a long-term investment followed shortly thereafter by a request to liquidate the position and transfer the proceeds out of the account. The customer engages in excessive journal entries between unrelated accounts without any apparent business purpose. The customer requests that a transaction be processed in a way that avoids the firm's normal documentation requirements. 
The customer, for no apparent reason or in conjunction with other potential indicators of suspicious activity, engages in transactions involving certain types of securities, such as penny stocks, Regulation S (Reg S) stocks, and bearer bonds, which although legitimate, have been used in connection with fraudulent schemes and money laundering activity. The customer's account has inflows of funds or other assets well beyond the known income or resources of the customer. Large international funds are transferred to or from the accounts of a domestic customer in amounts and of a frequency that are not consistent with the nature of the customer's known business activities. A customer consistently uses third-party checks to pay for transactions.

Example 16: Susan goes to Global Brokerage to open a securities account. She claims to run a small delivery service. Soon afterward, she forms companies in Switzerland and the Cayman Islands that appear to have no viable operations, and wire transfers funds from the securities accounts to accounts held in those companies' names. This should be enough for Global to suspect that money laundering might be occurring.

Example 17: Jake claims to run a small dry-cleaning business. He opens a securities account with you and deposits $1 million into the account. He and his wife drive expensive cars, buy and sell cars frequently, dress in expensive clothes, own an expensive house, flash large amounts of cash, and appear not to spend much time during the workday at their jobs. They also deposit and withdraw substantial amounts of cash into and out of their account. This should be more than enough for you to question whether Jake and his wife are using the securities account to launder funds from criminal activities and whether you would be giving them substantial assistance.
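Several of the account-activity indicators above (deposits just under $10,000 spread over a short period, sequential instruments just under the reporting threshold, wires to havens that don't fit the customer's business) are the patterns a firm's transaction monitoring turns into rules. As an added illustration, not code from LRN or from any firm's monitoring system, here is a small Python monitor run over a constructed ledger. The $10,000 and $5,000 thresholds come from the text; the three-day window, the minimum of three sub-threshold items, the sample jurisdiction set and the ledger entries themselves are assumptions made for the example.

```python
"""Toy transaction-monitoring rules for two indicators named in the text:
structuring of sub-$10,000 items and wires to high-risk jurisdictions."""
from collections import defaultdict
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000                   # currency reporting threshold cited by the text
SAR_THRESHOLD = 5_000                    # SAR aggregate threshold cited by the text
STRUCTURING_WINDOW = timedelta(days=3)   # assumption: look-back used by this toy rule
MIN_STRUCTURED_COUNT = 3                 # assumption: fewer sub-threshold items is not flagged

# Assumption: a small sample set built from places the text mentions, not a real list
HIGH_RISK_COUNTRIES = {"Cayman Islands", "Marshall Islands", "Nauru", "Panama", "Russia"}

# Constructed sample ledger (not real data): time,account,customer,type,amount_usd,country
SAMPLE_LINES = "\n".join(
    [
        "# time,account,customer,type,amount_usd,counterparty_country",
        "2003-02-03T09:10,ACC-100,Alice,deposit,2000,US",
        "2003-02-04T11:00,ACC-100,Alice,deposit,2000,US",
        "2003-02-05T15:30,ACC-100,Alice,stock_purchase,4000,US",
        # eight transfers of $8,750 over three days, the pattern of the text's Example 10
        "2003-02-03T10:00,ACC-200,Mark,transfer_out,8750,US",
        "2003-02-03T10:05,ACC-200,Mark,transfer_out,8750,US",
        "2003-02-03T16:40,ACC-200,Mark,transfer_out,8750,US",
        "2003-02-04T09:15,ACC-200,Mark,transfer_out,8750,US",
        "2003-02-04T09:20,ACC-200,Mark,transfer_out,8750,US",
        "2003-02-04T14:00,ACC-200,Mark,transfer_out,8750,US",
        "2003-02-05T10:30,ACC-200,Mark,transfer_out,8750,US",
        "2003-02-05T10:35,ACC-200,Mark,transfer_out,8750,US",
        # one large deposit, then 11 x $9,000 + $1,000 wired offshore (Example 14 pattern)
        "2003-02-10T09:00,ACC-300,Brian,deposit,100000,US",
    ]
    + [f"2003-02-11T{9 + i:02d}:00,ACC-300,Brian,wire_out,9000,Cayman Islands" for i in range(11)]
    + ["2003-02-11T20:00,ACC-300,Brian,wire_out,1000,Cayman Islands"]
)


def parse_transactions(text):
    """Parse the comma-separated ledger into dicts; blank and '#' lines are skipped."""
    txns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        time, account, customer, kind, amount, country = line.split(",")
        txns.append({"time": datetime.fromisoformat(time), "account": account,
                     "customer": customer, "type": kind, "amount": int(amount),
                     "country": country})
    return txns


def detect_structuring(txns):
    """Flag an account when at least MIN_STRUCTURED_COUNT items, each below the
    reporting threshold, fall inside one window and together reach it."""
    alerts = []
    by_account = defaultdict(list)
    for t in txns:
        if t["amount"] < CTR_THRESHOLD:      # items at or above threshold are reported anyway
            by_account[t["account"]].append(t)
    for account, items in by_account.items():
        items.sort(key=lambda t: t["time"])
        for i, first in enumerate(items):
            window = [t for t in items[i:] if t["time"] - first["time"] <= STRUCTURING_WINDOW]
            total = sum(t["amount"] for t in window)
            if len(window) >= MIN_STRUCTURED_COUNT and total >= CTR_THRESHOLD:
                alerts.append({"rule": "structuring", "account": account,
                               "count": len(window), "total": total,
                               "start": first["time"], "end": window[-1]["time"]})
                break                         # one alert per account is enough for review
    return alerts


def detect_high_risk_wires(txns):
    """Aggregate wires to or from high-risk jurisdictions per customer and flag totals
    at or above the SAR threshold (aggregation matters: the $1,000 wire alone would not)."""
    totals = defaultdict(int)
    for t in txns:
        if t["type"] in ("wire_in", "wire_out") and t["country"] in HIGH_RISK_COUNTRIES:
            totals[t["customer"]] += t["amount"]
    return [{"rule": "high_risk_jurisdiction", "customer": c, "total": v}
            for c, v in sorted(totals.items()) if v >= SAR_THRESHOLD]


def run_rules(text):
    """Run both rules over a ledger and return the alerts for compliance review."""
    txns = parse_transactions(text)
    return {"structuring": detect_structuring(txns),
            "high_risk": detect_high_risk_wires(txns)}


if __name__ == "__main__":
    for rule, alerts in run_rules(SAMPLE_LINES).items():
        for alert in alerts:
            print(rule, alert)
```

Both rules aggregate: no single item in the sample crosses a threshold, which is exactly why structuring defeats a per-transaction check. An alert here is a prompt to escalate to the law or compliance department under the safe harbor discussed above, not a finding; Alice's three small deposits produce nothing, while Mark's and Brian's accounts each produce one structuring alert and Brian's offshore wires also trip the jurisdiction rule.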


Example 18: Mark opens an account and provides the same address for his home and business. He deposits a large sum of money into the account. Mark is only willing to give you the number of a cell phone, not a landline. When you ask for another number, he gives you what purports to be an office number, but you can never reach him at that number. These are potential indicators of suspicious activity, and you should either follow up to get more information or report your concerns to your law or compliance department.

II. Know-Your-Customer Procedures

A. In general

Each of the examples above might, either by itself or in combination with others, indicate that a customer is engaging in illegal activity. Some of the examples are obviously suspicious, while others are not so obvious but--depending on the circumstances--still might indicate illegal activity. Of course, customers might also have legitimate reasons for acting in a particular manner. To tell the difference between actions taken by a customer for legitimate as opposed to illegal reasons, you need to have a good understanding of your customer and his needs. This will come from adequately knowing your customer. Many firms have procedures in place to ensure that you know your customer not only to comply with the securities laws, but also to help you spot suspicious activities that might point to money laundering or other crimes being committed by customers. The know-your-customer procedures are similar to the know-your-customer policies you may be required to follow in connection with determining whether securities are suitable for your customers. This makes sense, because if a customer is engaging in certain activity that appears to be unsuitable for the client based on everything you know, one possibility is that the customer is using a securities account to launder money or to engage in some other illegal activity.

B. How to get to know your customer

Set forth below is a general outline of know-your-customer procedures. Your firm has probably adopted its own procedures, so you should consult your compliance or law department about the specific procedures that apply to you. The goal of any know-your-customer procedure is to make reasonable efforts to
    determine the true identity of all customers and the ownership of all accounts
    identify the source of funds used by the customer to open an account and pay for trades
    monitor the account--both transactions and the flow of cash and assets to and from it--for activity disproportionate to the customer's apparent means, business, or background

While your broker-dealer employer will likely have its own procedures for what you need to do to know your customer, all firms have certain minimum obligations under both the securities laws and the USA PATRIOT Act. Each firm must obtain certain information from its customers when opening an account, including
    the customer's name and residence
    whether the customer is of legal age
    the signature of the registered representative introducing the account and the signature of the member or partner, officer, or manager who accepts the account
    if the customer is a corporation, partnership, or other legal entity, the names of any persons authorized to transact business on its behalf

Rules issued by the SEC and the Treasury Department require that firms set up a customer identification program (CIP) to accomplish those things. Let's review some of the CIP's basics. First, they apply to any customer--that is, anyone who opens a new account or who is granted trading authority with respect to an account. So, for example, a person who already had an account when the CIP rules became effective isn't considered a customer for purposes of the rule. However, if that person opens a different account--such as a customer who has a cash account opening a margin account--that person becomes a customer and the CIP requirements would apply to him. The same holds true if a customer already has trading authority over one account, but is granted authority over another account. The rules apply to individuals as well as to all corporations and other organizations or entities. Under the CIP rules, you must get each customer's name, date of birth (if an individual), address, and documentary number (such as a social security number or taxpayer ID). You must also keep copies of documents used to gather and verify this information, such as copies of a valid driver's license for an individual or articles of incorporation for a company. You should then determine whether additional identifying information is required to form a reasonable belief as to the true identity of each customer. The specific rules you need to follow will be in your firm's CIP, so be sure to know what applies to you.
In addition, prior to settlement of an initial transaction in the account, a firm is required to make a reasonable effort to get the following additional information (for accounts other than institutional accounts and accounts in which investments are limited to transactions in open-end investment company shares not recommended by the firm or its associated persons):
    tax identification and social security number
    occupation
    name and address of employer
    whether the customer is an associated person of another member firm

Under the USA PATRIOT Act, firms are required to
    verify the identity of any customer seeking to open an account
    keep records of the information used to verify a customer's identity
    check that a customer does not appear on any list of known or suspected terrorists or terrorist organizations, such as those on the Treasury Department's Office of Foreign Assets Control (OFAC) website under "Terrorists" or "Specially Designated Nationals and Blocked Persons" (SDN List), or on the list of embargoed countries and regions


Here are some sources and methods for gathering and keeping this information: For a customer who is an individual, get a driver's license, passport, government identification, alien registration card, major credit card, or other common form of identification. For a business, get evidence of legal status and authority (incorporation documents, partnership documents, resolutions, business licenses, and so forth). Complete a customer profile. Find out the customer's occupation (or the line of business for a company), investment experience, investment goals, age, financial sophistication, family circumstances, and so forth. Identify the customer's other securities accounts with the firm, including accounts in the names of others over which the customer has control. Look at the trading in those accounts. Has the customer moved large amounts of money in and out of those accounts? Engaged in frequent wire transfers? Engaged in foreign transactions? This may warrant additional investigation. Find out the customer's financial information. What is the customer's net worth and the net worth of immediate family members? What are the customer's assets, liabilities, income, and expenses each year? What is the customer's liquidity? Are the customer's income and financial position consistent with his stated occupation? Particularly if the customer is opening an account for a limited partnership, corporation, trust, or other third party, verify that the customer has authority to open the account and verify the identity of the beneficiary, if any, or the third party. Verify the source of the funds the customer is using to open an account or pay for trades. Be wary of customers who open accounts when there are other brokers closer to them. Ask these customers why they didn't open accounts with other brokers. Get personal and business references.

In addition, depending on the circumstances, you may want to use some or all of the following techniques to verify customer information when opening an account:

- Check phone numbers and addresses by telephoning or visiting the customer to thank her for opening the account. Investigate disconnected phone numbers and incorrect addresses further. Businesses that you find out don't exist or that don't appear to provide the services indicated are also suspicious and warrant further investigation.
- Check the customer's personal or business income, perhaps by your firm requesting tax forms or running a credit check. In consultation with your law or compliance department, consider whether a report should be requested from a private credit agency--for example, if the customer engages in significant margin activity.
- For a business, ask for financial statements, annual reports, marketing brochures, a description of the business, a list of suppliers and customers and their location, and a description of the locales in which the company does business (paying particular attention to whether it conducts international transactions).
- Conduct a search of available online databases or newspapers, periodicals, and other public information. Check with the local chamber of commerce or retrieve public filings with the Securities and Exchange Commission when appropriate.
- For a business, ask for information supporting the expected volume of funds generated.
- Get an understanding of the customer's likely trading patterns so that you can detect deviations from them later.


You should verify identification information at the time the account is opened, or within a relatively short period after--for example, within five business days after opening the account. If a customer refuses to provide the information, or appears to have intentionally provided false or misleading information, contact your law or compliance department before opening the account to seek guidance. Depending on the circumstances, some additional information may be useful for certain kinds of accounts. Below is a partial list of account types and the information you may want to consider gathering when opening the account:

- Nonresident alien account: Get a current passport number or other valid government identification number, and all necessary U.S. tax forms. Also consider whether even more information is necessary, depending on which country the customer comes from.
- Domestic trusts: Identify the principal ownership of the trust. Also get information regarding the authorized activity of the trust and who is authorized to act on behalf of it.
- Personal investment corporations or personal holding companies: Identify the principal beneficial owners of offshore corporate accounts in which the accounts are personal investment corporations or personal holding companies. Try to identify who the beneficial owners are and where they're located. You may need additional due diligence depending on the entity's location in particular countries.
- Offshore trusts: Identify the principal ownership of a trust established in a foreign jurisdiction, and consider additional due diligence for trusts located in countries known to have lax oversight of trust formation.

C. Institutional accounts, hedge funds, investment funds, and other intermediary relationships

Simply because a customer is an institution doesn't mean that your anti-money laundering obligations have ended. Although institutional business differs from traditional retail business, this simply means that some of your anti-money laundering procedures will differ. In fact, even if an institution doesn't represent a credit risk to the firm because transactions are conducted on a delivery vs. payment (DVP) basis, you may still need to conduct appropriate due diligence to satisfy your anti-money laundering procedures. The due diligence obligations under know-your-customer rules for institutional accounts are a good place to start. Also consider getting information about the institution's customers or its intermediary's authority to act on behalf of the underlying client, as well as whether the institutional client or intermediary has policies and procedures of its own to know its own clients. Some things to consider when deciding what additional due diligence is appropriate for an institutional customer include whether

- the institution or its intermediary has established anti-money laundering policies and procedures
- your firm has prior experience with the customer or has done business with it
- the customer is a registered financial institution based in a major regulated financial center or is a registered financial institution located in an FATF jurisdiction
- the customer has a reputable history in the investment business


- the customer is from a jurisdiction characterized as an offshore banking or secrecy haven or is one of the countries identified as being non-cooperative with international efforts to combat money laundering

D. Special issues relating to correspondent accounts

1. Correspondent accounts with foreign shell banks

It's illegal for a broker-dealer to establish, administer, or manage a "correspondent account" in the United States for an unregulated foreign shell bank. A correspondent account is an account established to receive deposits from a foreign bank, make payments on behalf of a foreign bank, or handle other financial transactions related to such a bank. Note that this definition is different from the one for correspondent brokerage accounts. A foreign shell bank is a foreign bank with no physical presence in any country. If you discover or suspect that you might be maintaining or establishing a correspondent account for a foreign shell bank, contact your law or compliance department for guidance.

2. Due diligence for correspondent accounts with foreign banks

For correspondent accounts with foreign banks that aren't shell banks, your firm is required to maintain records identifying the owners of the bank and the name and address of an agent residing in the United States who is authorized to accept service of legal process for the bank. It's also likely that your firm has a model certification issued by the Treasury Department that the foreign bank must complete. The form generally asks the foreign bank to confirm that it is not a shell bank and to provide the necessary ownership and agent information. The firm is required to recertify, if relying on the certification form, or otherwise verify any information provided by each foreign bank, at least every two years or at any time the firm has reason to believe that the information is no longer accurate. Under the USA PATRIOT Act, firms must establish appropriate, specific, and--when necessary--enhanced due diligence policies, procedures, and controls to detect and report money laundering for any foreign bank correspondent account. At a minimum, for foreign banks licensed by high-risk countries or operating under an offshore banking license, your firm needs to take steps to

- determine the ownership of the foreign bank
- conduct enhanced scrutiny of the account to detect and report suspicious activity
- determine whether the foreign bank maintains correspondent accounts for any other bank, and if so, the identity of those banks

3. Special due diligence for private banking accounts

The USA PATRIOT Act also requires special due diligence for non-U.S. citizens who have private banking accounts with the firm. A private bank account is an account (or combination of accounts) that requires an aggregate deposit of funds or other assets of more than $1 million, is established on behalf of one or more individuals who have a direct or beneficial ownership interest in the account, and is assigned to, or administered by, in whole or in part, an officer, employee, or agent of a financial institution as a liaison between the institution and the direct or beneficial owner of the account.


For private banking accounts, firms are required to take steps to determine the identity of the nominal and beneficial account holders and the source of the funds deposited into the account. If the account is for a senior foreign political figure, or any immediate family member or close associate of a senior foreign political figure, enhanced due diligence is required. The enhanced scrutiny should be designed to detect and report transactions that may involve the proceeds of foreign official corruption, such as bribery. Check your firm's procedures for the due diligence requirements that apply to you if you handle correspondent accounts for foreign banks.

RECORD-KEEPING REQUIREMENTS SPECIFIC TO BROKER-DEALERS


In addition to the records that broker-dealers must keep under the federal securities laws, certain currency or foreign transactions have specific record-keeping requirements. First, all financial institutions, including broker-dealers, must keep records of, among other things,

- each extension of credit in excess of $10,000, unless it's secured by real property
- each instruction received or given regarding any transaction resulting in the transfer of currency or other monetary instruments or securities of more than $10,000 to or from any person, account, or place outside the United States (and cancellations of any such instructions if cancellation records are normally made)
- each advice, request, or instruction given to another financial institution or other person located in or out of the United States regarding a transaction intended to result in the transfer of funds, currency, other monetary instruments, or securities of more than $10,000 to a person, account, or place outside the United States

Broker-dealers must also keep, for each account, a record of

- the account holder's taxpayer identification number
- the identity of any nonresident account holder, either by recording the person's passport number or a description of some other government document used to verify his identity
- each document granting signature or trading authority over the account
- all transfers of currency, other monetary instruments, or securities of more than $10,000 out of the United States
- receipt by the firm of currency, other monetary instruments, or securities of more than $10,000 from outside the United States

For any wire transfer or other transmittal of funds that exceeds $3,000 that you send or receive for a customer, your firm must keep records of the following information for five years:

- the transmitter's name and address
- the amount of the transaction
- the execution date of the payment order
- the payment instructions from the transmitter received with the payment order
- the identity of the recipient's financial institution
- the name, address, account number, and any other specific identifier of the recipient, if received with the payment order


This record-keeping requirement travels with the wire transfer, so that if a broker-dealer acts as an intermediary, it is required to retain a copy of the transmittal order and must include in the corresponding transmittal order all the information it received from the sender. The information must be retrievable by the customer's name and account number, the sender's name and account number (for the sender's broker-dealer), and the recipient's name and account number (for the recipient's broker-dealer). While there are exemptions to the record-keeping requirement relating to wire transfers, you should not rely on an exemption without first consulting your law or compliance department. Therefore, when a customer asks you to make a wire transfer over $3,000, you should notify your law or compliance department. Remember, while these are recordkeeping requirements and not reporting requirements, any suspicious wire transfer--no matter how large or small--must be reported.

PENALTIES
It's probably apparent by now that law enforcement takes money laundering violations seriously. In fact, the penalties for violating the money laundering statutes are severe. Depending on the circumstances, fines against companies can be as high as $500,000 per violation or twice the amount of the property involved in the financial transaction. Individuals are subject to the same fines, as well as up to 20 years in prison. Even the penalties for violating the reporting requirements are harsh. An individual's willful failure to report $10,000 transactions is punishable by fines of up to $250,000, up to five years in prison, or both. A false statement or misrepresentation made on a report can carry a fine of up to $10,000, five years in prison, or both. The law even says that if the violation of the reporting statutes is part of a pattern of illegal activity involving more than $100,000 in a 12-month period, the fine can double up to a maximum of $500,000, ten years in prison, or both. Finally, even if you're not criminally prosecuted, civil penalties can be assessed for each willful failure to file a report, up to the greater of $25,000 or the amount involved in the transaction, up to $100,000.


FREQUENTLY ASKED QUESTIONS ABOUT MONEY LAUNDERING, SECURITIES, AND THE USA PATRIOT ACT
1. If my firm prohibits cash transactions, do I still need to worry about money laundering? Yes. Many brokerage firms have placed restrictions on cash deposits to discourage cash-based money laundering, but money laundering can take place with traveler's checks, personal checks, bank checks, money orders, bearer securities, and other negotiable instruments, and with funds that are in purely electronic form, too.

2. Can suspicious activity on the Internet be detected? Yes. Account-monitoring software, pattern recognition programs, and automated exception reporting systems can help identify it.

3. If a client tells me that the money in his account resulted from illegal activities, can I still execute transactions in the account? No. If you engage in any kind of transaction with such an account, you may be helping the customer launder money. You must report what you know to your supervisor or compliance department. They'll tell you what to do.

4. Which countries are known as money laundering havens? The Cook Islands, Guatemala, Indonesia, Myanmar, Nauru, Nigeria, and the Philippines.

5. Why is the securities business attractive to money launderers? First, it's international. Brokerage firms often have offices all over the world, making it easy to conduct wire transfers to other countries. The securities markets are also highly liquid, which means that purchases and sales of securities can be quickly made and settled. Compensation in securities firms is often commission-based, so there's a built-in incentive to disregard the source of customer funds. And brokerage accounts can be maintained as nominees or trustees, concealing the true identities of the beneficiaries.

6. Can clean money become dirty? Yes. All money starts out clean. But people with clean money can use it to evade legal obligations, such as taxes. They may try to hide it and report to the government less money than they make. Or they may hide the money to avoid other legal obligations such as divorce decrees and court judgments. Once hidden, such money becomes dirty.

7. How much money gets laundered? It's estimated between $590 billion and $1.5 trillion each year.

8. What's the point of "layering" dirty money? The point of layering (moving money from one account to another, or from one form to another) is to create a confusing paper trail that makes it more difficult to trace dirty money back to its original criminal source.


9. Can dirty money be integrated into a business? Yes. It can be integrated into a business, and thus into the economy, by being used to buy or invest in a private business, pay employees, or purchase supplies.

10. Why does the $10,000 reporting requirement focus on cash? Criminals deal mostly in cash to avoid leaving a paper trail. Reports of large currency transactions are therefore useful in helping to detect criminal activity.

11. Are other types of financial institutions covered by the money laundering laws? Yes. The laws apply to all types of financial institutions: banks, broker-dealers, investment banks, currency exchangers, insurance companies, casinos, and others.

12. What kinds of securities industry crimes are covered by the money-laundering laws? Almost any securities industry crime you might think of is covered, including insider trading, market manipulation, wire fraud, and mail fraud.

13. Am I still guilty of money laundering even if a transaction I engage in wasn't specifically intended to conceal or structure funds, evade taxes, or promote another crime? Yes, if it involves $10,000 or more and you know the money came from a criminal activity. Just engaging in transactions with such money is a crime, so the government only needs to prove that you handled dirty money, knowing it was dirty.

14. What does it mean to "know" something under the money laundering laws? You "know" about money laundering activities if you have actual knowledge of them, or even if you just turn a blind eye to suspicious circumstances that indicate that they may be occurring. The law here is concerned with whether someone knows that money being used is derived from a crime or that a transaction is designed to conceal the true nature of money, or to avoid federal or state reporting requirements.

15. Under the money laundering laws, do you "know" something only if someone tells you about it? No. The term "know" extends beyond the situation in which someone has told you about something. What you "know" can be proven by circumstantial evidence. Evidence that you turned a blind eye to your customer's activities and ignored red flags that indicated money laundering could implicate you in a crime.

16. Can I be convicted of money laundering just for ignoring red flags indicating suspicious activities? Yes. If you know what your customer is up to or choose to ignore red flags while assisting your customer in laundering money, you could find yourself being prosecuted for money laundering.

17. Can money laundering occur with any kind of financial instrument? Yes. Money laundering is not limited to cash transactions. It can involve stocks, bonds, and any other form of financial instrument, as well as electronic funds.


18. What is a correspondent account? It's an account established to receive deposits from a foreign bank, make payments on behalf of a foreign bank, or handle other financial transactions related to such a bank. Note that this definition of a correspondent account is different from the definition of a correspondent brokerage account. A foreign shell bank is a foreign bank with no physical presence in any country.

19. I work for a clearing broker. Should I be concerned about money laundering at one of our introducing brokers? Yes. While a clearing agreement will set forth the respective know-your-customer and suspicious-activity reporting responsibilities, the clearing broker's responsibility will typically not extend beyond producing reports (such as exception reports) that may help the introducing broker fulfill its responsibilities. Nevertheless, situations may arise that will alter that division of responsibility, if, for example, the clearing broker finds that certain customers of the introducing broker, or the introducing broker itself, is laundering money. Then the clearing firm might have knowledge of customer transactions or possible money laundering violations.

20. What should I do if I suspect illegal activity but the transaction is under $5,000? The $5,000 reporting threshold doesn't mean that illegal activity involving less than that amount shouldn't be reported. You should report any suspicious activity you discover to the appropriate contact person in your firm, regardless of the amount involved. Your firm will decide under what circumstances it will file the SAR.

21. I work with institutional customers. Do I need to be concerned about money laundering? Yes. Institutional business differs from traditional retail business, but that just means some of your anti-money laundering procedures will differ. In fact, even if an institutional customer doesn't represent a credit risk to the firm because transactions are conducted on a delivery vs. payment (DVP) basis, you still need to conduct appropriate due diligence to satisfy your anti-money laundering procedures.

22. What is FinCEN? In 1990, the U.S. Treasury Department created the Financial Crimes Enforcement Network (FinCEN) to establish, oversee, and implement policies to prevent and detect money laundering. FinCEN acts as a central depository for reports filed by financial institutions. While FinCEN is an agency of the Treasury Department, it provides intelligence information to many law enforcement agencies, such as the Justice Department, enabling them to track criminals and their assets and to develop new strategies to curb money laundering.

23. What are some of the red flags I should look for regarding customer information? Watch for a customer being unusually concerned about privacy, providing information that proves to be false or suspicious when checked, being reluctant to proceed when informed of currency reporting requirements, withholding information necessary to complete required transaction reports, and being the subject of news reports or rumors that indicate illegal activities or investigation by a government agency. You can see more examples in the handbook.


24. What are some of the red flags I should look for in customer account activity? While it's impossible to list every potential situation, some examples include a customer opening a number of accounts under different names, then making deposits of less than $10,000 in each simultaneously; making frequent deposits or withdrawals of large amounts of money for no apparent business or personal reason; frequently depositing funds into an account and immediately requesting wire transfers to another city or country when there isn't a clear connection between the transfers and the customer's business or personal activities; and consistently using third-party checks to pay for transactions. You can find more examples in the handbook.

25. Does the law protect me if I report suspicious activity and I'm wrong? Yes. If a firm reports a customer's suspicious activity to the authorities, both the firm and its employees are generally protected if the customer sues them for reporting it. Don't make such a report, however, unless you have a good-faith suspicion that the law may have been violated and that the account or accounts are connected to the suspicious activity. In other words, you aren't allowed to abuse the protection.

26. What are some of the due diligence steps I can take for correspondent accounts with foreign financial institutions? First, you can determine whether the account is subject to enhanced due diligence requirements and if there's a significant risk of money laundering. You may also consider public information from U.S. government agencies and multinational organizations regarding regulations applicable to the institution, as well as any guidance issued by the U.S. Treasury Department or your functional regulator (such as the SEC or state insurance commissioner) about money laundering risks associated with specific institutions and types of accounts. Another tactic is to review public information to determine whether the institution has been the subject of criminal enforcement or regulatory action related to money laundering.

27. What is a private bank account? It's an account (or a combination of accounts) at any financial institution, not just a bank. It requires a combined deposit of funds or other assets of more than $1 million, is established on behalf of one or more individuals who have a direct or beneficial ownership interest in the account, and is assigned to or administered, in whole or in part, by an officer, employee, or agent of a financial institution, who acts as a liaison between the institution and the direct or beneficial owner of the account.

28. What is the USA PATRIOT Act? In October 2001, the President signed into law the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act, with the goal of creating a number of mechanisms to combat international terrorism. Among other things, the law significantly expanded companies' obligations to detect and prevent money laundering. Its anti-money laundering provisions apply to all money laundering activities, not just to those related to terrorism.
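The account-activity red flags in Q24 (cash split under $10,000 across a customer's accounts under different names, a deposit followed at once by a wire to another country) and the $10,000 currency and $3,000 wire thresholds from the record-keeping section, written as the kind of automated exception-report logic Q2 mentions. This is an added example, not LRN's material or any firm's monitoring system; the transaction schema, the 24-hour "immediately" window, the customer_id linkage and the sample records are constructed assumptions.

```python
"""Exception-report checks for the thresholds and red flags the handbook
describes. Added example; schema and sample records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000           # "any transaction exceeding $10,000 in currency"
WIRE_RECORD_THRESHOLD = 3_000    # "wire transfer ... that exceeds $3,000"
RAPID_WIRE_WINDOW = timedelta(hours=24)  # assumed meaning of "immediately"
HOME_COUNTRY = "US"


@dataclass(frozen=True)
class Txn:
    txn_id: str
    when: datetime
    customer_id: str          # assumed: links accounts opened under different names
    account_id: str
    kind: str                 # cash_deposit | check_deposit | wire_in | wire_out
    amount: float
    destination_country: str = HOME_COUNTRY  # meaningful for wire_out only


def ctr_candidates(txns):
    """Currency transactions above the CTR threshold (filing candidates)."""
    return [t.txn_id for t in txns
            if t.kind == "cash_deposit" and t.amount > CTR_THRESHOLD]


def wire_records_required(txns):
    """Funds transmittals above $3,000: transmitter/recipient records kept five years."""
    return [t.txn_id for t in txns
            if t.kind in ("wire_in", "wire_out") and t.amount > WIRE_RECORD_THRESHOLD]


def structuring_alerts(txns):
    """Red flag: same customer, same day, cash deposits each under the CTR
    threshold into two or more distinct accounts that together exceed it."""
    groups = defaultdict(list)
    for t in txns:
        if t.kind == "cash_deposit" and t.amount < CTR_THRESHOLD:
            groups[(t.customer_id, t.when.date())].append(t)
    alerts = []
    for (customer, day), deposits in sorted(groups.items()):
        accounts = sorted({d.account_id for d in deposits})
        total = sum(d.amount for d in deposits)
        if len(accounts) >= 2 and total > CTR_THRESHOLD:
            alerts.append({"customer_id": customer, "date": day.isoformat(),
                           "accounts": accounts, "total": round(total, 2)})
    return alerts


def rapid_foreign_wire_alerts(txns):
    """Red flag: a deposit followed within the window by an outbound wire from
    the same account to another country. Returns (deposit_id, wire_id) pairs."""
    by_account = defaultdict(list)
    for t in txns:
        by_account[t.account_id].append(t)
    alerts = []
    for items in by_account.values():
        items = sorted(items, key=lambda t: t.when)
        deposits = [t for t in items if t.kind.endswith("_deposit")]
        wires = [t for t in items
                 if t.kind == "wire_out" and t.destination_country != HOME_COUNTRY]
        for w in wires:
            for d in deposits:
                if d.when <= w.when <= d.when + RAPID_WIRE_WINDOW:
                    alerts.append((d.txn_id, w.txn_id))
                    break
    return alerts


def exception_report(txns):
    """Everything the law or compliance department would review, in one structure."""
    return {
        "ctr_candidates": ctr_candidates(txns),
        "wire_records_required": wire_records_required(txns),
        "structuring": structuring_alerts(txns),
        "rapid_foreign_wire": rapid_foreign_wire_alerts(txns),
    }


# Constructed sample day book. Customer C2 holds three accounts under different
# names and splits $23,300 in cash across them within ten minutes; C3 deposits a
# check and wires almost all of it abroad the same morning ("KY" is a constructed
# destination code for the example).
SAMPLE = [
    Txn("T1", datetime(2024, 3, 4, 9, 0), "C1", "A1", "cash_deposit", 12_500),
    Txn("T2", datetime(2024, 3, 4, 10, 0), "C2", "B1", "cash_deposit", 9_500),
    Txn("T3", datetime(2024, 3, 4, 10, 5), "C2", "B2", "cash_deposit", 9_800),
    Txn("T4", datetime(2024, 3, 4, 10, 10), "C2", "B3", "cash_deposit", 4_000),
    Txn("T5", datetime(2024, 3, 5, 9, 30), "C3", "D1", "check_deposit", 48_000),
    Txn("T6", datetime(2024, 3, 5, 11, 0), "C3", "D1", "wire_out", 47_500, "KY"),
    Txn("T7", datetime(2024, 3, 5, 12, 0), "C1", "A1", "wire_out", 2_500),
    Txn("T8", datetime(2024, 3, 6, 14, 0), "C4", "E1", "cash_deposit", 6_000),
]

if __name__ == "__main__":
    for section, hits in exception_report(SAMPLE).items():
        print(f"{section}: {hits}")
```

The report only surfaces candidates; as the handbook says, the firm decides what to file, and the $3,000 and $10,000 figures are record-keeping and CTR thresholds, not a floor below which suspicious activity goes unreported.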


TOP TEN THINGS TO REMEMBER ABOUT MONEY LAUNDERING, SECURITIES, AND THE USA PATRIOT ACT
1. Money laundering (converting dirty money into clean money) is illegal. Dirty money is money gained from crime. Laundering it is also a crime. Even assisting others in money laundering is illegal, and not reporting your suspicions of money laundering activity can be seen as assisting in the crime, as well.

2. You could inadvertently become involved in money laundering during any of its three stages. Broker-dealers can be caught up in money laundering schemes while helping clients deposit, transfer, or spend their money to purchase securities. They're usually involved at the stage in which money is transferred from one account to another.

3. Penalties for money laundering can be severe for both individuals and their companies. Depending on the circumstances, fines against companies can be as high as $500,000 per violation or twice the amount of the property involved in the transaction. Individuals are subject to the same fines, as well as up to 20 years in prison. Even the penalties for violating the reporting requirements are harsh: an individual's willful failure to report $10,000 transactions is punishable by fines of up to $250,000, five years in prison, or both. Finally, the government can seize and require forfeiture of any property that was part of a money laundering offense or that is otherwise "traceable" to it.

4. "Looking the other way" may make you an accomplice to the crime of money laundering. What you "know" about your customer's accounts may legally include what you can infer about any suspicious information or account activity. Reporting your suspicions about illegal activity is always safer than ignoring what may be criminal behavior. Turning a blind eye may implicate you in the crime.

5. If you suspect that criminal activity is occurring at or through your firm, report it to your law or compliance department. To protect yourself and your firm, you should be alert to suspicious activity that may indicate that money laundering or other crimes are being committed. If you're not sure what to do in a particular situation, it's best to go ahead and report any suspicious activities. If it turns out that you were wrong, you and your firm will be protected from lawsuits as long as your report was made in good faith.

6. Be suspicious if your customer intentionally provides incomplete or deceptive information. Information that a customer provides reluctantly, or that is false, may indicate an attempt to cover up illegal activity. It can be the first sign that the customer is trying to launder money.

7. Large transactions made for no apparent business or personal reason should make you suspicious. The movement of large sums of money between accounts without any apparent basis in the customer's personal or business life might indicate illegal activity. Any type of unusual account activity is reason to look more closely at an account.


8. Know-your-customer policies are designed to help you identify potential problems before they become actual ones. Because money laundering laws define "knowledge" broadly and don't allow you to look the other way, knowing your customer is critical to preventing money laundering problems. Following your company's know-your-customer procedures can help you detect and prevent the concealment of funds, the structuring of transactions, tax evasion, and other criminal activity.

9. There are detailed financial transaction reporting requirements for securities firms. Firms must file a CTR with the IRS to report any transaction exceeding $10,000 in currency. For transactions in currency or monetary instruments that alone or in combination exceed $10,000 and are physically transported into or out of the United States, a Report of International Transportation of Currency or Monetary Instruments must be filed with the commissioner of customs. And even if you're not required to make a report because a sum doesn't meet the required amounts, you should report any suspicious activity to your law or compliance department.

10. Be sure to know the specific record-keeping requirements for currency or foreign transactions applicable to your firm. Securities firms must keep information gathered under a CIP; records of credit extensions over $10,000 not secured by real property; instructions received or given resulting in transfers over $10,000 to anyone outside the U.S.; and each request, advice, or instruction to another person or financial institution about a transfer of more than $10,000 outside the U.S. You must also keep certain account-identifying information, records of wire transfers or funds transmittals over $3,000 to or from customers, and records of all transfers in or out of the U.S. of securities, currency, or monetary instruments over $10,000.


TEST YOUR KNOWLEDGE OF MONEY LAUNDERING, SECURITIES, AND THE USA PATRIOT ACT
Question 1:
The money laundering laws apply to
a) banks only
b) financial institutions only
c) everyone
d) drug dealers only

Question 2:
Which step in the money laundering process disassociates the illegal funds from the crime by creating a complex web of financial transactions?
a) placement
b) layering
c) integration
d) transformation

Question 3:
Sue processes customer transactions at Worldwide Securities. She notices some odd wire transfers and investigates. The customer refuses to answer some questions, including where he got the money, and gives bogus answers to others. She learns that he lives in a country known as a money laundering haven and recently retired as deputy minister of finance. Lacking concrete proof of money laundering, Sue stops her inquiry and allows more transfers. If this customer launders money through the account, who is guilty?
a) the customer only
b) Sue only
c) both Sue and the customer
d) neither Sue nor the customer

Question 4:
Nicole gets a new private banking customer, a wealthy financier. He isn't a U.S. citizen and lives in a foreign country, where he serves as its minister of finance. What know-your-customer due diligence should Nicole perform?
a) enhanced due diligence to detect and report transactions that may involve the proceeds of foreign political corruption
b) only basic due diligence to determine his identity and the source of his funds
c) enhanced due diligence only if he is opening the account as a correspondent account on behalf of a foreign bank
d) the same amount of due diligence she would perform for a U.S. senior political figure


Question 5:
For anti-money laundering purposes, what are the basic goals of know-your-customer policies and procedures? Check all that apply.
a) to determine the identity of the customer and the true ownership of the account
b) to identify the source of the customer's funds
c) to determine additional suitable products and services to offer the customer
d) to determine whether the flow of cash and assets into the account is consistent with the customer's background

Question 6:
Under the USA PATRIOT Act, which of the following might require special or enhanced scrutiny as part of your know-your-customer obligations? Check all that apply.
a) senior foreign political officials with private banking accounts
b) correspondent accounts for foreign banks licensed in high-risk countries
c) senior U.S. government officials with private banking accounts
d) non-U.S. citizens with standard accounts

Question 7:
Financial institutions, like securities firms, must report cash transactions of more than
a) $1,000
b) $5,000
c) $10,000
d) $100,000

Question 8:
Robert's client wants to deposit $90,000 in cash. When Robert informs him of the reporting requirements for all currency transactions over $10,000, he asks Robert to break up the deposit into ten $9,000 increments. If Robert goes along with this, which of the following is true? Check all that apply.
a) he's illegally structuring the transaction to avoid the reporting requirements.
b) he's legally helping a customer avoid extra paperwork.
c) he's possibly assisting his customer in laundering criminal proceeds.
d) he's using poor judgment, but not breaking the law.


Question 9:
It might be a clue that money is being laundered if a customer (check all that apply)
a) is mean or gruff
b) is excessively concerned with privacy
c) provides false information
d) places orders under several different names

Question 10:
Jerry suspects that his customer is conducting criminal activity through her account, and he reports it to his compliance officer. The company investigates and files a SAR. A government investigation determines that the customer's activity is legitimate. The customer, having had to hire a lawyer, is angry and embarrassed, and sues Jerry and the company. What is the likely outcome?
a) the customer will win if the transaction was less than $5,000
b) the customer will lose, but only if Jerry and the company suspected money laundering
c) the customer will win because her activity was legitimate
d) the customer will lose as long as Jerry and the company filed the SAR in good faith


Answer to Question 1:
(c) is the correct answer. Although there are special requirements for financial institutions, the money laundering laws apply to everyone.

Answer to Question 2:
(b) is the correct answer. The money launderer tries to disguise the criminal origin of the dirty money by layering, which involves making a series of transactions to distance the money from its source. These transactions are often accomplished by wire transfer, which allows for quick, easy transfers of money from account to account or from country to country.

Answer to Question 3:
(c) is the correct answer. Sue saw many red flags indicating possible money laundering, so she may be treated as if she had actual knowledge of it. By allowing the wire transfers, she participated in a transaction relating to the money laundering, so she was engaging in money laundering, too.

Answer to Question 4:
(a) is the correct answer. The customer is a senior foreign political figure and is therefore subject to enhanced due diligence requirements, which are typically more stringent than for U.S. citizens, including U.S. political officials.

Answer to Question 5:
(a), (b) and (d) are the correct answers. The goals of getting to know your customer for anti-money laundering purposes are to determine the customer's identity and the true ownership of the account; to identify the source of the customer's funds; and to determine whether the flow of cash and assets into the account is consistent with the customer's background. While the information may help you assess your customer's needs, this is not a goal of the know-your-customer policies and procedures for anti-money laundering purposes.

Answer to Question 6:
(a) and (b) are the correct answers. Special due diligence is required for non-U.S. citizens who have private banking accounts, and enhanced due diligence is required for senior foreign political figures. Correspondent accounts for foreign banks licensed in high-risk countries also require special due diligence.

Answer to Question 7:
(c) is the correct answer. Securities firms and other financial institutions must report any cash transaction of more than $10,000 to the IRS. This applies to single transactions of $10,000 or more and to multiple transactions that add up to more than $10,000 a day.

Answer to Question 8:
(a) and (c) are the correct answers. What the customer wants to do is called structuring, and it's illegal. Engaging in or helping a client engage in structuring is a money laundering violation and is likely to aid the customer in laundering the criminal proceeds. This is a tactic used by money launderers to avoid having the funds traced back to them.


Answer to Question 9:
(b), (c) and (d) are the correct answers. Beware of customers who are excessively concerned with privacy, those who provide false information, and those who place orders under several names. Customers are also suspect if they're reluctant to go forward with transactions when you tell them about the reporting requirements, rumored to be involved in illegal activities, or unusually nervous or otherwise suspicious. Other clues that may point to money laundering are a lot of cash payments and international transfers in amounts inconsistent with the customer's business. A customer being mean or gruff isn't enough to indicate that he might be involved in money laundering.

Answer to Question 10:
(d) is the correct answer. As long as Jerry and the company had a good-faith suspicion that illegal activity was being conducted with the account, they are protected, even if it turns out that the activity is legitimate. For reporting purposes, there is no requirement that the suspicious activity must relate solely to money laundering; any suspected illegal activity involving the account can be reported.


MONEY LAUNDERING AND THE USA PATRIOT ACT


INTRODUCTION
Not too long ago, the phrase "money laundering" might have evoked images of drug kingpins and organized crime figures trying to hide their profits. But in recent years there has been a marked change in the scope of what American law enforcement authorities view to be money laundering. And there has been a vast change in the profile of the "usual suspects" of such violations. Alongside the drug and mob assets typically targeted by law enforcement are proceeds of criminal consumer frauds, stock manipulations, insurance fraud, domestic and foreign political corruption, healthcare frauds, and other criminal schemes--the content of which is only limited by the imaginations of those who would perpetrate them on the public. Most recently, under the USA PATRIOT Act, the laws have been expanded to fight terrorism. Because the laws that regulate the proceeds of all these offenses are generally the same, the reach of the money laundering laws has broadened significantly, along with the obligations with which citizens must comply.

Violations of the money laundering statutes can carry federal prison sentences up to 20 years, $500,000 in fines, and forfeiture of any assets from the unlawful activities. Some states have their own money laundering laws and are very aggressive in enforcing them, as will be discussed later. The stakes are therefore enormous for all, and you must understand your obligations in order to reduce the risk of inadvertent violations.

It is the purpose of this handbook to distill the essence of the very complex law of money laundering into a practical guide for understanding and behavior in the business world. We attempt to make the basic principles real by drawing on examples from actual situations and cases. In the end you will have the tools to recognize situations where money laundering may be occurring and take appropriate steps to protect yourself, your colleagues, and your company.
You should note, however, that this handbook is not intended to provide advice or guidance regarding how you should act in a particular situation. You should therefore consult your law or compliance department to determine what you should do in any particular case.

WHY DOES THE GOVERNMENT CARE?


The government cares about money laundering because without money, crime does not pay. After all, it is the flow and circulation of money that permits criminals to "cash out" of their criminal schemes. Almost every crime is of limited use to the perpetrator unless it can be converted into real value, that is, the ability to purchase goods and services with a crime's proceeds. A successful bank robbery means nothing unless the robber can use the proceeds. A terrorist can't fund his activities if he can't get access to funds that are normally funneled to him. A highway commissioner taking payoffs gets nothing if she can't spend the money. A successful sale of multiple kilos of cocaine means nothing if the seller can't convert the proceeds into a mountain getaway or a racing-model Ferrari. The objective of the government's program is to target the flow of the money generated by crime and to prevent it from being actively employed in commerce. If law enforcement can be successful in doing so, the government can strike at the heart of people's incentive to do crime in the first place.

In addition, in October 2001, the president signed into law the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act, with the goal of creating a number of mechanisms to combat international terrorism. Among other things, this law significantly expanded companies' obligations to detect and prevent money laundering. And although the law was enacted to fight terrorism, the USA PATRIOT Act's anti-money laundering provisions apply to all money laundering activities, not just those related to terrorism.

Because the focus of the federal money laundering program is on the money, and the money that is involved in crime is overwhelmingly in cash, the program's attention is squarely--but not exclusively--on cash. How does the government get at it? We'll see in the next section.

WHY SHOULD I CARE ABOUT MONEY LAUNDERING?


You should care about money laundering for several reasons. First, the government has placed much of the responsibility for enforcing money laundering laws on companies and individuals in the private sector. This is based, at least in part, on the notion that those on the "front lines" are in the best position to detect and report potential money laundering by their customers. Under the PATRIOT Act, for example, all financial institutions have affirmative obligations to prevent and detect money laundering. This means they must have in place an anti-money laundering program that includes, at a minimum
o internal policies, procedures, and controls
o a designated compliance officer
o an ongoing employee training program
o an independent audit function to test the program

The definition of a financial institution is extremely broad and encompasses many companies that you might not think of in that way. Of course, traditional companies such as banks, savings associations, and credit unions are considered financial institutions. But so are securities firms, money services businesses (such as money transmitters and currency exchanges), and futures commission merchants. The definition also includes insurance companies that issue nongroup permanent life insurance, annuities, and other products that include a cash value or investment feature--as well as insurance companies that are required to register as broker-dealers under federal securities laws. The definition even includes dealers in precious metals, stones, or jewels; pawnbrokers; loan or finance companies; private bankers; travel agencies; telegraph companies; sellers of vehicles, including automobiles, airplanes, and boats; people engaged in real estate closings and settlements; investment bankers; investment companies (such as mutual funds); and registered commodity pool operators and commodity trading advisors.

WHAT IS MONEY LAUNDERING AND HOW IS IT ACCOMPLISHED?


Before we get to the details of the money laundering laws, it's important that you understand what money laundering is. Simply stated, money laundering is the process of converting "dirty money" into what appears to be "clean money." Money either starts out dirty or it starts out clean and later becomes dirty. Money starts out dirty when it comes from illegal activities such as drug sales, gambling, larceny, political corruption, consumer swindles, securities fraud, credit card fraud, embezzlement, and other white-collar crimes, and the purchase and sale of illegal firearms. However, money that starts out clean can get dirty in several ways, usually involving the evasion of legal obligations such as taxes--people get money legally, but they try to hide it and report to the government less than they make. People also hide money to avoid other legal obligations, such as court judgments and divorce decrees. Once hidden, that money becomes dirty. Also, as we will see below, clean cash can become dirty if the money laundering laws themselves with regard to reporting cash are not followed.

Money laundering typically involves concealing the existence, source, or application of income, and then disguising it to make it appear legitimate. It's estimated that the equivalent of between $590 billion and $1.5 trillion is laundered each year.

THE STAGES OF MONEY LAUNDERING


Money laundering usually involves three stages--placement, layering, and integration. Dirty money is initially placed into the financial system, layered to obscure its origins, and finally integrated or reintroduced into the legitimate economy as "clean" money. These three stages often overlap, however, and should be viewed as seamless parts of a single ongoing process.

I. Placement

Placement occurs when dirty money--often in the form of cash--is first placed into the financial system. This can be done in several ways--for example, depositing cash directly into a bank or brokerage account, converting the cash into money orders or other cash equivalents that are then used to open an account, or funneling the cash through front businesses, such as neighborhood laundries or grocery stores, that make the actual deposits. However it is done, placement is aimed at getting the dirty funds into the system, where they can easily be moved from place to place. Remember, a money launderer who uses an account in the financial system is mainly concerned with having the funds accepted into the system, and then moving them around. Investment returns are likely to be an afterthought, at best.

Example 1: A general contractor, anxious to get business from the federally funded local housing authority, bribes the authority's executive director in return for being selected as the lead contractor on a public housing project. The contractor is advanced $200,000 for materials and startup costs. He deposits the money in his business's regular bank account. By doing so, he has just "placed" the proceeds of a crime (federal and state bribery) in the financial system.

II. Layering

Layering is the use of complex financial transactions to move funds through various accounts and entities--both domestic and foreign. The purpose here is to put even greater distance between the funds and the illegal activities that generated them. By moving the funds frequently through many accounts and entities, the money launderer can further conceal their source, ownership, and location. For example, the funds might be moved through several foreign and domestic accounts and end up in an offshore company secretly controlled by the money launderer, which then uses the funds to make apparently legitimate loans to a domestic company owned by the money launderer's cousin. At each stage of the process, the source of the funds becomes more difficult to trace, particularly if they pass through countries with strong financial secrecy laws. This is just one simple example, however. The variety and complexity of layering techniques are virtually unlimited. Layering is often done through wire transfers, which enable the launderer to move money quickly from account to account or country to country. In short, you should be suspicious of any activity involving customer funds that does not make sense from a business or personal standpoint. If a transaction does not seem right to you, it may be an attempt to create a confusing paper trail to obscure the original source of the funds.

Example 2: Anne, a swindler running a water purification scam targeting elderly citizens, deposits the advances she receives from her customers in a bank account but, as a matter of routine, converts the proceeds of such advances into cashier's checks. The cashier's checks are then deposited into a second bank account under a different name. The funds in that account are wired to a wholesaler for a very substantial order of consumer home products, which are thereafter sold through a retail outlet in which the swindler has an interest. Anne has "layered" the proceeds of her criminal scheme.

Example 3: Mark, a drug trafficker, purchases a large life insurance policy. He pays for the policy by wire transferring funds from two different bank accounts in which he had "placed" his drug money. Soon after receiving the policy, Mark exercises his right to return it under its "free look" provision. The insurance company sends Mark a refund in the form of a check, which Mark can now deposit into yet another bank account as an apparently legitimate check from the company. Mark has just successfully layered the proceeds of his drug trafficking.

III. Integration

After placement and layering, the money launderer's objective is to integrate the dirty money into the legitimate economy to further distance the money from its illegal source. In short, the money is now being spent. This may be done through what, to all appearances, are legitimate activities of investing in securities, buying property, purchasing a private business, paying employees, or purchasing supplies.

Example 4: Anne, the water filtration swindler from Example 2, makes sufficient money from her scheme to purchase a condominium apartment. She makes a substantial down payment with the profits of her transactions, and thereafter pays the mortgage with her ongoing profits from the scheme. Anne has integrated her criminal proceeds into the conventional economy.

IV. Money Laundering and the Internet


Although the initial placement of illegally generated money still requires some contact between the customer and a financial institution, the Internet provides a fast, clean mechanism to facilitate placement, layering, and integration. Once a customer has successfully placed assets with a financial institution, it becomes a simple matter to transfer money, buy securities, pledge the assets, or perform any number of commercial transactions online that, on their surface, are indistinguishable from legitimate financial activity. The transactions used to layer and integrate the funds are nothing new--they are the same old schemes that the money laundering statutes were designed to combat; however, the Internet provides a much faster, more global, and more impersonal means of laundering the funds.

THE THREE PILLARS OF THE LAWS AGAINST MONEY LAUNDERING


The legal strategy of the government against money laundering rests on three pillars. Each represents a separate type of obligation for citizens and companies. The first pillar is an overarching prohibition against participation in any transaction where the proceeds or assets are derived from a crime. We will call that the obligation to avoid dirty assets.

Example 5: A retailer of home products sells $15,000 of hardware goods to a known criminal who pays cash from what the merchant knows was a recent crime. The merchant is guilty of money laundering in spite of having had no participation in the crime.

Example 6: A real estate broker sells a house to a criminal who pays for it with proceeds of his criminal activities. The broker knows that the money is the proceeds of a crime. The real estate broker is guilty of money laundering because of the knowledge that criminally tainted funds were used as the basis of the transaction.

The second pillar is the requirement that any transaction involving more than $10,000 in cash at a financial institution be reported to the Internal Revenue Service (IRS) regardless of whether there are any suspicious circumstances that surround the source of the funds. Furthermore, the aggregate amount cannot be broken down into individual amounts less than $10,000 to avoid the report. In fact, doing so--called structuring--is an independent crime. Finally, there is a similar reporting obligation whenever one leaves or enters the United States with more than $10,000 in cash. The report must be made to the Customs Service. We will call these collective duties the obligation to report cash. We will describe in detail below the circumstances that trigger the reporting obligation, but the most important characteristic is its absoluteness: the obligation arises whenever more than $10,000 in cash is part of a transaction of any kind at a financial institution or is taken into or out of the country. The penalties for violations of this obligation of the federal money laundering laws are less severe than when known tainted assets are involved; nevertheless, as described below, penalties for failures to report are substantial.

Example 7: A generous uncle gives a lucky nephew $13,000 in cash. When deposited into a bank, a report of the transaction must be made to the IRS by the bank, and the customer must not discourage or otherwise interfere with the bank's report of the transaction.

Example 8: After receiving $13,000 in cash from his generous uncle, the lucky nephew--knowing that his bank is obligated to report his deposit of the full amount to the IRS--splits the money into $7,000 and $6,000 portions and deposits them separately in the bank. By doing so, the nephew has committed the crime of money laundering.

Example 9: An institutional customer enters into a satellite communications services agreement and pays $14,000 in cash. Upon deposit, the transaction must be reported to the IRS by the financial institution. Any request by the satellite company that the report not be made is a criminal money laundering violation.

The third pillar of the government's anti-money laundering program relates to the circumstances where corporations or other business entities are held responsible for the money laundering violations of their employees. Corporations can be responsible for the acts of their employees unless it is demonstrated that the company had a prevention program in place that diligently anticipated the risks of violations by its employees and the company took reasonable actions to prevent such violations from occurring. We will call this the obligation of companies to enforce compliance. It is therefore important that you understand and follow your company's anti-money laundering policies and procedures.

Example 10: A vice president of a commercial real estate firm is convicted of knowingly brokering the purchase of an office building by a foreign national using the proceeds of an offshore bribery scheme. The real estate firm had no anti-money laundering policies or procedures in place. Depending on the circumstances, the company could be independently subject to prosecution and punishment.

We will address all three pillars in detail below, but at all times remember the three pillars of the American law of money laundering:
o the obligation to avoid dirty assets
o the obligation to report cash
o the obligation of companies to enforce compliance

II. Pillar 1: The Obligation to Avoid Dirty Assets


There are many technical aspects of the money laundering laws, but one easy proposition to keep in mind is: if you have knowledge that the source of the money, goods, or property that you are dealing with was a crime, then your involvement in the transaction makes you a participant in the crime of money laundering. And if you find yourself in that situation, get out of it.

Example 11: You are a salesperson for a national consumer home products chain. You get a lead to a potential customer who wants to buy 1,000 compact-disk players. The person making the introduction tells you not to ask any questions as to why the customer would want to buy so many appliances, and then he winks and says, "The money is hot. You know what I mean?" You make the sale. It is later disclosed that the purchaser is part of a drug ring and that the reason for the purchase was to convert the profits of his trade into "clean" consumer products, which he then resold on the open market. You face years in prison and a huge fine.

A. How the laws operate

You could very reasonably ask what crime a salesperson like the one in Example 11 is guilty of. The answer is that it is a crime to knowingly engage or attempt to engage in any monetary transaction involving criminally derived property. It is also illegal under the money laundering laws to receive or distribute more than $10,000 in cash or property known to have been derived from such crimes. "Criminally derived property" is any property gained through crime or bought with--or traded for--property gotten from a crime.

Example 12: An insurance salesman sells a life insurance policy to a criminal who pays for the policy with proceeds of his criminal activities. The salesman knows that the money is the proceeds of a crime. The salesman is guilty of money laundering because of the knowledge that criminally tainted funds were used as the basis of the transaction.

Example 13: Lee works for a communications equipment company that leases phones, other communication devices, and related equipment to a telemarketing firm that is engaged in a water purification consumer fraud, and he knows it. Lee is paid from the earnings of the scheme. By doing so, he has committed the crime of money laundering because he was paid with proceeds that were "derived" from a crime.

The law goes on to define very broadly the kinds of "specified unlawful activity" that constitute crimes for these purposes. For example, any funds or property derived from the following kinds of criminal schemes are covered:
o sales of narcotics
o payoffs to any public official, local, state, or federal (bribery)
o loans and mortgages fraudulently obtained from a bank
o insurance fraud
o funds from illegal securities transactions, such as insider trading or a stock scam
o goods illegally imported into the country
o stolen property
o swindle, scam, or "get-rich-quick" schemes
o counterfeit funds
o willful violations of the air and water pollution environmental laws
o trading with countries, like Iraq, that have been designated as enemies of the United States or with people who have been identified as terrorists
o illegal trafficking in firearms and ammunition
o food stamp fraud
o healthcare fraud
o crimes committed abroad involving narcotics, violence, arson, or fraud against a foreign banking institution

These are just a few examples. And as you can see, nearly any crime you can think of is covered by the money laundering laws.

Example 14: You work for a medical supply house and sell equipment to an orthopedic group of doctors that does a high volume of workplace injury treatment. Through your contacts with the customer, you become aware that the group systematically falsifies injury reports and the claims it submits to employers and insurance companies. You continue to sell to the group in spite of such knowledge. In taking payment from the group, you have committed money laundering.

In this example you would be guilty of money laundering because
o you engaged in a monetary transaction (the sale of the equipment to the orthopedic group) with an entity whose funds were derived from a crime (healthcare and commercial fraud)
o you knew that the proceeds were dirty (even if you didn't know the particulars of the underlying crime)

And like anyone else who violates this aspect of the money laundering laws, you would face ten years in prison and $250,000 in fines.

B. Increased punishment for monetary transactions involving other money laundering offenses

In addition to the law against being involved in a transaction with property derived from crime, there are even harsher penalties for someone who engages in a financial transaction with the proceeds of the above kinds of crimes intending to do any of the following:
o Promote the crimes.
o Assist in tax evasion.
o Conceal the source of the proceeds.
o Avoid reporting the proceeds of the transaction if more than $10,000 in cash is involved.

Persons who violate this part of the money laundering laws are punished with up to 20 years in prison and a $500,000 fine.

Example 15: Let's revisit Example 13, where Lee works for a communications equipment company supplying goods and services to a telemarketing company involved in a consumer scam. The principal of the scheme outlines her intentions, and Lee agrees to postpone receiving payment for the equipment until the business is up and running. Thereafter he's paid from the revenues of the business, which he deposits. Lee is guilty of this aggravated form of money laundering because he received and deposited the funds with the intention of having "promoted" the crime. He'd face 20 years in jail.

C.

The financial transactions that are covered

"Financial transaction" is broadly defined in the money laundering laws. It includes virtually any action involving a client's funds or account with the firm. For example, it includes

o deposits
o withdrawals
o transfers between accounts
o currency exchanges
o loans
o extensions of credit
o purchases or sales of any stock, bond, certificate of deposit, or other monetary instrument
o use of a safe deposit box
o any other payment, transfer, or delivery by, through, or to a financial institution, by whatever means

Example 16: Ed engages in illegal insider trading by buying stock in his company just before a merger announcement. He then sells the stock at a profit and has the proceeds wire transferred from his brokerage account to his bank account. Ed has engaged in not only illegal insider trading, but also money laundering. If the brokerage firm has knowledge of Ed's illegal activities, it might be guilty of both aiding and abetting his insider trading and money laundering.

III.

Pillar 2: The Obligation to Report Cash


The reporting obligation of transactions involving more than $10,000 in cash is actually how the American law of money laundering got started in 1970. The law was called the Currency and Foreign Transactions Reporting Act (the Currency Act). The reporting requirements aid law enforcement in identifying possible money laundering before the funds get layered and integrated into the legitimate money stream.

The Currency Act and related regulations require banks and other financial institutions to report each cash transaction exceeding $10,000. This is done on a Currency Transaction Report (CTR). The reporting rule covers any single transaction that exceeds $10,000, as well as multiple transactions during the same day that add up to more than $10,000. And under the PATRIOT Act, all businesses, whether or not they are financial institutions, must now report a transaction of more than $10,000 in cash on Form 8300. For Form 8300 reporting purposes, cash includes currency and, in some circumstances, a cashier's check, money order, bank draft, or traveler's check in the amount of $10,000 or less.

For transactions in currency or monetary instruments that alone or in combination exceed $10,000 and are physically transported into or out of the United States, persons are required to file a different form--a Report of International Transportation of Currency or Monetary Instrument (CMIR)--with the Commissioner of Customs.

It is illegal to evade or assist in the evasion of these reporting requirements. A person may be liable if an employee assists a customer in structuring a transaction to avoid these reporting requirements. For obvious reasons, transactions of $9,999 should raise suspicions. And even if you file a CTR or CMIR, you should still report any suspicious transaction.

While the immediate reporting obligation is on the bank or other financial institution, any request or encouragement by a customer that the teller not complete a report is an independent money laundering crime.

Example 17: You sell your used pickup truck for $18,000 in cash. You don't want to pay taxes on what you got from the sale, and you don't want to risk the IRS finding out about it by having the bank file a CTR recording the deposit. You are friendly with the bank teller at your local bank, so you ask that he not fill out a CTR as you present the money for deposit. He agrees. Both of you are guilty of money laundering.
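The same-day aggregation rule for CTRs described above, and the multi-day sub-threshold pattern the Structuring section below calls out, as an added example that is not part of the handbook (the three-day look-back window, the record field names and the sample deposits, modelled on the handbook's Example 18, are assumptions of this example):

```python
"""Cash-reporting checks modelled on the handbook's CTR and structuring rules.

Added example, not part of the handbook. Records are constructed; the
three-day look-back window and the field names are assumptions of this example.
"""
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000   # same-day cash above this amount requires a CTR
LOOKBACK_DAYS = 3        # assumed window for aggregating sub-threshold deposits


def tx(day, customer, institution, amount):
    """Build one constructed cash-deposit record (day is an ISO date string)."""
    return {"date": day, "customer": customer,
            "institution": institution, "amount": amount}


def ctr_required(transactions):
    """Customer-days that must be reported on a CTR.

    A CTR is filed by the institution that handled the cash, so aggregation
    is per (institution, customer, day): a single $12,000 deposit and three
    same-day $4,000 deposits at one bank are both reportable, but $6,000 at
    one bank plus $8,000 at a brokerage the same day is not (Example 18).
    """
    totals = defaultdict(int)
    for t in transactions:
        totals[(t["institution"], t["customer"], t["date"])] += t["amount"]
    return {key: amt for key, amt in totals.items() if amt > CTR_THRESHOLD}


def structuring_suspects(transactions, lookback_days=LOOKBACK_DAYS):
    """Customers whose sub-threshold deposits, across a short window and
    possibly across institutions, add up to more than the CTR threshold.

    No CTR is due for these, which is exactly why the pattern should go to
    the law or compliance department as suspicious activity.
    """
    by_customer = defaultdict(list)
    for t in transactions:
        if t["amount"] <= CTR_THRESHOLD:   # larger deposits are already reported
            by_customer[t["customer"]].append(t)

    suspects = {}
    for customer, deposits in by_customer.items():
        deposits.sort(key=lambda t: t["date"])  # ISO strings sort chronologically
        for i, first in enumerate(deposits):
            window_end = (date.fromisoformat(first["date"])
                          + timedelta(days=lookback_days - 1))
            window = [t for t in deposits[i:]
                      if date.fromisoformat(t["date"]) <= window_end]
            total = sum(t["amount"] for t in window)
            if len(window) >= 2 and total > CTR_THRESHOLD:
                suspects[customer] = {
                    "total": total,
                    "count": len(window),
                    "institutions": sorted({t["institution"] for t in window}),
                }
                break   # one hit per customer is enough to open a review
    return suspects


# Constructed sample ledger; Alan's amounts follow the handbook's Example 18.
SAMPLE_TRANSACTIONS = [
    tx("2013-04-10", "Alan", "Global Securities", 9_000),   # "yesterday"
    tx("2013-04-11", "Alan", "First Bank", 6_000),          # at his bank
    tx("2013-04-11", "Alan", "Global Securities", 8_000),   # the deposit Bill sees
    tx("2013-04-11", "Carol", "First Bank", 12_000),        # plainly reportable
    tx("2013-04-11", "Dave", "First Bank", 4_000),          # ordinary activity
    tx("2013-04-11", "Dave", "First Bank", 3_000),
    tx("2013-04-01", "Eve", "First Bank", 9_500),           # ten days apart:
    tx("2013-04-11", "Eve", "First Bank", 9_500),           # outside a 3-day window
]

if __name__ == "__main__":
    for key, amt in ctr_required(SAMPLE_TRANSACTIONS).items():
        print("CTR required:", key, amt)
    for who, detail in structuring_suspects(SAMPLE_TRANSACTIONS).items():
        print("possible structuring:", who, detail)
```

Widening the look-back (for example to 30 days) also catches Eve's two deposits; the right window is a policy choice for the firm's compliance department, not something the law fixes.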

Structuring
The $10,000 reporting threshold has generated a cottage industry in which low-level operatives scurry about to different banks, making cash deposits just under the $10,000 limit--a practice known as structuring, or "smurfing" (after the little blue cartoon characters that the operatives are said to resemble). Structuring is illegal, and banks, brokerage firms, and other financial institutions must be alert to any efforts to evade the currency reporting requirement in this manner. Broker-dealers may be liable if an employee assists a customer in structuring a transaction to avoid these reporting requirements. For obvious reasons, transactions of $9,999 should raise suspicions. And even if you file a CTR or CMIR, you should still report any suspicious transaction to your firm's law or compliance department. Remember, however, that even if no CTR or CMIR is required to be filed, multiple transactions over multiple days, even at different firms, might indicate an attempt to structure transactions to evade the reporting requirements. These transactions should also be reported to your law or compliance department.

Example 18: Alan, a customer of Global Securities, deposits $8,000 into his brokerage account. He tells Bill, his Global registered representative, that he just deposited $6,000 at his bank earlier that day and $9,000 yesterday to his Global account. Alan winks and says that he hates paperwork. No CTR is required to be filed because the single-day $10,000 threshold has not been reached. However, because Bill learned about the two other deposits and should know Alan is probably trying to evade the reporting requirements, he must report the transactions as suspicious activity.

Example 19: Matt, a good customer of a credit union, brings Alex, the credit union manager, $70,000 in cash and asks him to make eight transfers of less than $10,000 each over a three-day period in accounts held in third-party names. He gives Alex a wink and mentions how paperwork is such a hassle. Alex knows that Matt is a drug dealer, but he doesn't care where the money came from--which turns out to be from a recent illegal sale of cocaine. If Alex complies with Matt's request to structure the transfers, this would be considered money laundering and Alex and Matt would likely be off to jail.

IV.

Pillar 3: Corporate Compliance


Corporations and other business entities cannot be sent to prison, of course, but they can be, and are, prosecuted and convicted of criminal offenses, including money laundering, because of their employees' acts. Companies can face millions of dollars in fines and the confiscation and forfeiture of their assets. However, the law offers the means for a company to avoid being charged (or if charged, to have its punishment reduced) if it's able to demonstrate that it took all reasonable steps, in terms of its internal policies and procedures, to prevent its employees from breaking the law. While this principle applies to all kinds of crime, it is especially prominent in the money laundering context because the threat of prosecution can be a powerful force to convince companies to take serious measures to get their employees to abide by the law. You must therefore be sure to know your company's policies and procedures and comply with them. If you have any doubt, you should consult your company's law or compliance department.

Example 20: Mary is a customer services representative at a small bank in a major city. Her husband is a corrupt police lieutenant who functions as the "collector" of cash bribes routinely paid by the merchants in the precinct's neighborhood. Through Mary, her husband converts the cash, which is regularly in excess of $10,000, into blank money orders without reporting it to the IRS. The money orders are then distributed by the lieutenant to his coconspirators in the force. Mary and her husband are both indicted for money laundering. Whether or not the bank also would be prosecuted depends on what preventive steps and supervisory structures were in place there to prevent Mary's money laundering activities.

The need for company compliance


First, under the PATRIOT Act financial institutions have an obligation to establish an anti-money laundering program. And because a company acts through its employees, employee conduct is crucial to ensuring that the company itself avoids violating the money laundering laws. There are generally two circumstances in which an employee can place her employer in jeopardy. The first is when an officer of a corporation commits a money laundering offense while directly acting on behalf of the company.

Example 21: The president of a commercial real estate firm is aware that a prospective foreign investor has proceeds originating from a major bank swindle in the investor's home country. The president courts the client and offers him multiple real estate investment opportunities personally and through her staff. The investor eventually purchases an office building. The real estate company is paid a $300,000 commission. The corporation is guilty of transacting business with "criminally derived property." The president, of course, is also personally guilty of the same offense.

More complicated, however, is the second kind of circumstance, where no one employee actually commits a crime, but two or more employees acting together cause the company to do so. This happens, for example, when one employee acts without a necessary element of "intent" or "knowledge" but other individuals in the company did have the knowledge that would have provided that "intent." The law considers a corporation to have the "collective knowledge" of all its employees' conduct and all of its employees' states of mind. (We address what it means to "know" something under the law at some length later in this handbook.) Because a company can be held responsible for the collective knowledge of its employees, it can be convicted even if no employee of the company was individually guilty.

Example 22: In the situation of the commercial real estate firm described above in Example 21, say the initial sales contact with the corrupt foreign investor is done by a junior broker in the firm, Michael. Michael knows of the illicit origin of the investor's funds in the foreign bank swindle, but he does not inform any of his superiors. His superiors, including the president, Donna, take over the sales presentations, and Donna closes the deal. Unfortunately, the firm has no anti-money laundering policies or procedures and doesn't train its employees on money laundering issues. The same $300,000 commission is paid to the firm. Despite having closed the deal, Donna did not commit any crime individually because she did not know of the criminal origin of the funds. Depending on all the circumstances, however, the company could be found guilty on account of the collective knowledge--Michael's conduct and actual knowledge of the tainted source of funds, and Donna and her staff's actions in closing the sale and accepting payment for it.

A.

How compliance programs can make a difference


The existence of a compliance program has different impacts depending on the particular circumstances surrounding the crime. No matter how good a compliance program may seem, it may not be sufficient to shield a company from criminal liability and severe punishment if the company itself could be seen as intentionally having acted through its chief executive officer to commit an act of money laundering and to have ignored the policy behind the compliance program. However, if knowledge of the dirty source of funds is with a very junior person and the company's executives close the transaction without any knowledge, having a program at the company designed and implemented to prevent its employees from engaging in money laundering could well help the company to be freed of criminal responsibility for the illicit transaction (or at least have the fines leveled against it significantly reduced).

B.

What makes for an effective compliance program


As a result of the concerns identified above, many companies have implemented anti-money laundering policies and procedures to ensure that their employees comply with the law and to protect themselves and their employees from the acts of unscrupulous employees or others. The content of the compliance program is therefore paramount, and the ingredients of a compliance program can go a long way to protecting a company and its employees. These ingredients include

o a formally adopted written anti-money laundering plan as the company's official policy
o evidence that the plan was designed with an eye to the particular risks presented by its business and its industry--that is, the content of the plan was responsive to the special risks of the company's business environment
o training materials and programs sufficient to explain the employees' obligations and ensure that the employees remain knowledgeable
o the designation of a person to oversee the implementation, review, and improvement of the program
o the regular review, evaluation, and refinement of the program by the senior management of the company

While no compliance program can ever prevent all crimes committed by a corporation's employees, the critical factors in evaluating any program are whether

o the program is adequately designed to effectively prevent and detect wrongdoing by employees
o corporate management enforces the program and avoids any tacit encouragement or pressure on employees to engage in misconduct to achieve business objectives

Each company's compliance program will be different. You should be sure to know and understand the policies and procedures in place at your company.

Example 23: An insurance agent at a large insurance company is found guilty of aiding a customer to launder money through making large overpayments of premiums and loans against other policies. The company's board of directors had circulated a strict money laundering prevention policy, which required that all employees and officers be provided with an understandable summary of the money laundering laws and provided training, including updated information about recent money laundering developments and practical guidance. A compliance officer had also been designated, who regularly communicated with the employees on the subject. All the above was publicly supported and reinforced by statements from the president and decisive disciplinary action when required procedures were not followed. If the agent had been given training, appeared to understand it, and thereafter signed an acknowledgement of that understanding, the company likely would not be prosecuted by federal authorities for money laundering.

WHAT IT MEANS TO "KNOW" SOMETHING UNDER THE LAW


The word "know" extends beyond a situation in which someone has told you something--in that circumstance actual knowledge is clearly established. However, if you are exposed to information that would lead an ordinary person to conclude that something is a fact, you might indirectly know it to be so. These facts, or red flags, that come to your attention point to whether or not you knew something was amiss. These red flags include

o the evasiveness of a person to describe how he or she came to the money or the property
o a person's reputation in the community
o knowledge that a particular crime occurred even though you do not know who was involved
o statements made by others about the customer acting suspiciously
o the customer's "demeanor": shifty eyes, sweaty palms, suspicious speech
o any other peculiar circumstance that marks the circumstances as odd and out of the ordinary (something that leaves you with the feeling that "something is not right")

Finally, you cannot turn a blind eye to your customer's activities by ignoring the above red flags that indicate money laundering may be occurring. If you do, you are considered by the law to have the equivalent of actual knowledge. While the law is complex, one thing is clear--you should be vigilant to oversee your customers' activity in their accounts to the extent that you can. Burying your head in the sand can result in grave consequences for you and your company. Remember, your actions and your customers' activities may be judged later by prosecutors or judges with the benefit of "20-20" hindsight, flexible federal laws, and significant penalties. Therefore, you need to be especially careful at the outset to identify and prevent a transaction that might give rise to a money laundering prosecution. The key is to be alert to the red flags.

Example 24: Mary, a customer services rep at a neighborhood bank, is married to a corrupt police lieutenant who takes bribes from local merchants. Mary's supervisor often sees Mary "walk through" the transactions with the tellers in which the husband's illicit cash is converted to money orders. The supervisor reviews daily the reports of cash transactions that the tellers prepare for submission to the IRS, but he never asks why the tellers failed to complete reports for Mary's transactions. He also often notices that Mary's husband is ill at ease and always seems to be looking out the window, as if to see if someone is watching. The supervisor also notices that Mary, who is normally laid-back and upbeat, becomes visibly tense and stressed when her husband is in the bank. The local papers also expose evidence of widespread corruption among the police in the very part of town where the bank is located, and the bank's private security guard once whispered to the supervisor that Mary's husband was "dirty." All the above factors are circumstances that could prove that even if Mary's supervisor didn't actually know what was going on, it was because he chose to ignore reality. By turning a blind eye, the supervisor would be equally guilty of money laundering as if he actually knew what was happening.

We'll take a closer look at these red flags when we discuss reporting suspicious activities. In the meantime, remember this: if you know what your customer is up to but choose to ignore red flags and help him launder dirty funds, you could find yourself and your company being prosecuted for money laundering, along with your customer.

CHECKS, WIRE TRANSFERS, AND OTHER FINANCIAL INSTRUMENTS


I.

Monetary Instruments
Although the traditional view of money laundering involves shady characters with bags full of cash, the laws are not limited to transactions in cash or currency. Any monetary instrument is covered, including coins or currency (of any country), as well as traveler's checks, cashier's checks, money orders, or even bearer securities or other negotiable instruments. Each type of instrument involves special issues. Many businesses restrict or prohibit cash deposits and third-party checks. If a customer brings you cash, you should be aware of the restrictions in effect at your company. However, even if your company prohibits cash transactions, you still need to watch out for money laundering. As we'll discuss below, there are special reporting requirements within financial institutions for wire transfers over $3,000. If your firm accepts third-party checks, you should know the third party and understand where or how the third party got the money to make the investment.

Example 25: You manage a consumer electronics store in an area of town where Marty is reputed to be involved in the drug trade. Several times a month, Marty purchases expensive TVs and other home entertainment equipment and pays with random third-party checks drawn on accounts having no apparent legitimate business connection to him. The combination of Marty's known reputation and the suspicious circumstance of his use of third-party checks could be strong evidence against you if the police later accuse you of money laundering for him.

II.

International Transfers
Because money laundering doesn't always involve obviously suspicious characters or clearly dirty money, one thing you can watch for is where the money is going to or coming from, because some countries are known money laundering havens. The U.S. government has begun focusing on transfers to accounts in certain countries, warning banks and other financial institutions to be particularly vigilant about transactions to these destinations. In effect, transfers of funds or goods to or from these countries may constitute red flags of suspicious activity. The list of targeted countries, which changes from time to time, can be found at http://www.fatf-gafi.org/dataoecd/17/5/45540828.pdf. These countries are considered money laundering havens for a variety of reasons:

o They may have stringent bank customer secrecy laws, so it is hard to determine the identity of an account holder.
o They may be developing countries encouraging foreign investment and, therefore, don't ask many questions.
o They may be countries that allow investment by U.S. citizens but that do not themselves have particularly friendly relations with the United States.
o They may be experiencing a current state of political turmoil and so without resources or interest to devote to enforcement of money laundering laws.

You should be especially wary of any request to wire or otherwise transfer money to or from customers in these places. You should also be on the lookout for places not on this list but exhibiting these same characteristics, because criminals are constantly exploring new and exotic locales that are conducive to money laundering.

Example 26: You are in the wholesale automotive supply business. Your company receives an unusually large order for multiple standard items with a ship-to address in the United States that does not appear to belong to a company engaged in the auto parts business. The order is coming from a person in a third-world country, and the goods are paid for by a wire transfer in U.S. dollars originating from a bank in the same third-world country. On these facts alone, there is nothing necessarily illegal. However, your money laundering sensors should be up, and if other suspicious circumstances arise, you may be in trouble if you close the deal.

Like the prohibitions discussed above, if you know the funds are from criminal activity and they are transferred into or out of the United States to conceal them or to avoid transaction reporting requirements, you have committed money laundering. The money laundering laws are even harsher, however, when it comes to international transfers. Even if the funds transferred were legitimately acquired, international transfers are illegal if you know the transfer is done to promote the carrying on of criminal activity. This means that even if the funds come from legitimate business activities, if the transfer is done to promote criminal activity, it is considered money laundering and is illegal. One other thing: obvious as it may seem, if you are told by a customer that cash or other proceeds are from criminal activity, and you nonetheless engage in a transaction or transfer for the customer, you have probably violated the money laundering laws. This is true even if the person you're dealing with turns out to be a government informant or undercover law enforcement agent. These kinds of "sting" operations are permitted to find and punish people who are willing to launder money on a criminal's behalf.

Example 27: Ned, an employee of a finance company, has a customer, Al, who he believes is a purchaser for a car company. Actually, Al is an FBI agent. Al brings Ned a check for $60,000, telling him that he received it as illegal kickbacks for purchasing parts from a particular supplier. At his direction, Ned deposits the money in the account of a third-party partnership that Al controls, and Ned subsequently transfers it to another account held in another party's name. Ned has just violated the money laundering laws even though he was set up by Al.

KNOW YOUR CUSTOMER AND SUSPICIOUS ACTIVITY REPORTS


Because money laundering laws define knowledge broadly and don't allow financial and other institutions to keep their "heads in the sand," knowing your customer is critical to preventing money laundering problems. Therefore, it is important that you follow the know-your-customer procedures in effect at your company. Although we refer to this obligation as "know your customer," the duty has a wider application, which also includes knowing your business partner, your client, your banker, and any other person or entity with whom you are conducting business. In addition, it is up to you and your company to police activity for suspicious behavior, and when you detect such behavior, prevent it from occurring.

I.

Suspicious Activity Reports in General


Many companies have adopted procedures designed to ensure compliance with money laundering laws. These procedures are commonly referred to as Suspicious Activity Reporting (SAR) rules. They are modeled on the rules that already apply to banks and brokerage company subsidiaries of banks.

II.

Examples of Suspicious Activities


While it is impossible to list every potential situation that may be deemed suspicious, the activities can be segregated into two general categories: customer information and customer account activity. Some red flags that money laundering is afoot include situations such as these:

o The customer seems unusually concerned about privacy.
o The customer is reluctant to provide routine information about identity, source of funds, business activities, and bank references that you would expect the customer to provide as part of normal conduct.
o The customer is from, or has accounts in, a country or territory identified as being of special money laundering concern by FinCEN (which will be discussed later) or as noncooperative by the Financial Action Task Force (FATF), which is an international organization made up of several countries, including the United States, dedicated to combating international money laundering.
o The customer provides information that turns out to be false or suspicious--for example, the phone number provided by the customer is disconnected, or the business address is for a vacant building or an office space that seems inconsistent with the description of business.
o The customer is reluctant to proceed when informed of currency reporting requirements.
o The customer withholds information necessary to complete required transaction reports.
o The customer's appearance or demeanor is suspiciously unusual, or the customer acts excessively nervously.
o The customer doesn't seem to care about returns on an investment, but instead focuses on restrictions relating to withdrawal or cancellation.
o The customer is named in news reports, or rumors circulate that the customer is engaged in illegal activities.
o The customer claims to be an agent (such as a lawyer or accountant) for someone else, but she does not reveal the identity of her principal or permit you to speak to him.

Example 28: Your company plans and remodels office space. You are retained by a telemarketing firm with which you have not done business before to assist in remodeling an office suite. The suite is composed of a front office section equipped with high-end furnishings, fancy decorations, and a large interior space from which--you are told--telephone banks will be operated. In talking with the client contact, you become aware that the company is new to the area. The contact winks at you when you ask what brought the company to the area, and he says, "Things got a little hot at the last location for the guys who run this thing." Further, the billing address he gives you is a post office box far removed from the business. Your initial bill of $14,000 is paid in two installments of cash--first $8,000 then, two days later, $6,000. The client contact tells you, "It's important to do it that way to keep the feds away." You may well be doing business with a criminal telemarketing scam.

Here are some examples of customer transactions and other account activity that might be suspicious under the circumstances:

o The customer purchases a product that's inconsistent with his or her needs.
o The customer makes orders under different names or different business names.
o The customer makes payments in cash or cash equivalents.
o The customer makes payments using sequentially numbered monetary instruments that were purchased the same day and are just under bank reporting thresholds (for example, $9,900).
o The customer makes large deposits and withdrawals for no apparent business or personal reason.
o The customer attempts to deposit foreign bank drafts, third-party checks, money orders, or bearer securities.
o The customer engages in transactions that appear beyond its needs.
o The customer frequently makes advance payments in the account and then changes her mind and requests wire transfers to another city or country, when such activity is inconsistent with the customer's business or personal activities.
o The customer tries to pay using third-party checks.
o Payment for goods or services comes by wire transfers from another city or country, especially those suspicious countries referred to earlier.
o The customer requests early withdrawal or cancellation of an investment or insurance product, such as a single premium insurance product, particularly for cash or at a cost to the customer, or settlement to an individual third party.
o The customer engages in transactions at unusual times from unusual places.
o The customer attempts to pay with third-party checks or foreign bank drafts.
o The customer directs that a refund or other payment be made to an apparently unrelated third party, or names such a party as beneficiary on an insurance or other product.
o The customer borrows the maximum amount available under a product shortly after buying it.
o The customer buys an annuity or other life insurance policy and upon receiving the policy exercises his right to surrender it for a refund under its "free look" provision.

Example 29: Janet works for Global Life, an insurance company. She sells Colin, a new customer, a large life insurance policy. Only days after receiving it, Colin surrenders the policy under its "free look provision" and instructs that the check be sent to him, but care of a different address than the one Janet has. When Janet calls him to clarify the address, he becomes belligerent and tells her to mind her own business, "or else." Janet should report this to her supervisor because Colin may be trying to engage in money laundering.

o Large international funds are transferred to or from the accounts of a domestic customer in amounts and with a frequency that are not consistent with the nature of the customer's known business activities.
o The customer suddenly increases the use of wire transfers, especially if they're made at unusual times or from unusual places.
o The customer requests to transfer money to any country known as a money laundering haven.
o The customer requests that a transaction be processed in a way that avoids the firm's normal documentation requirements.
o A customer consistently uses third-party checks to pay for transactions.

Example 30: You are a space planner and remodeler for a telemarketer. The services are being provided around the country--your customer's business appears to be thriving. Payments to you for services are made by wire transfers from offshore bank accounts in the Cayman Islands and Panama. Your requests to meet the actual principals of the business are politely refused by your client contact. He explains that they "value their privacy." The contact periodically asks you to do the company the "favor" of exchanging checks from your company for cash. He warns you not to deposit more than $10,000 at a time in your account. With so many red flags flying, you would be hard pressed to claim credibly that you did not think anything was out of the ordinary with this business relationship if later questioned by the FBI.

III.

"Safe Harbor" for Those Making Reports


If you're not sure whether something is suspicious, you should inform your law or compliance department. The reporting laws protect firms and their employees who report suspicious activities. This means that if the firm reports to the authorities what it believes to be a customer's suspicious activities, the firm and its employees are generally protected from a lawsuit brought by the customer for reporting the activity, even if it turns out the activity was legitimate. This safe harbor protects a person whether she's required to report the suspicious activity because she is affiliated with a bank or isn't required to report the activity but does so voluntarily. You should, however, have a good-faith suspicion that the law may have been violated and that the person is connected to the suspicious activity. In other words, you are not allowed to abuse the safe harbor.

Example 31: You work in a high-volume retail consumer products company. A customer who, less than a week before, had purchased $15,000 worth of appliances, returns the product unopened and unused, and he requests that a check be issued to "Cash" and be mailed to an account in the Cook Islands. Over the next two weeks he does the same thing for a similar amount and product. You should report this as a suspicious activity. Even if it is later determined that the customer broke no laws and he complains to your company, you and the company would likely be protected from liability for having reported him because of the safe harbor policy of the federal money laundering laws as they relate to financial institutions.

IV. Know-Your-Customer Procedures

A. In general


Each of the examples above might, either by itself or in combination with others, indicate that a customer is engaging in illegal activity. Some of the examples are obviously suspicious, while others are not. Of course, customers might also have legitimate reasons for acting in a particular manner. To be able to tell the difference between actions taken by a customer for legitimate as opposed to illegal reasons, you need to have a good understanding of your customers and their needs. This understanding will come from adequately knowing your customers. Many firms have procedures in place to ensure you know your customers not only to comply with the securities laws, but also to help you spot suspicious activities that might point to money laundering or other crimes being committed by customers. As will be discussed in the next section, certain financial institutions, including banks and securities firms, must have specific procedures in place for gathering customer-related information and verifying customer identities. Although insurance companies aren't covered by these detailed requirements, they must have procedures in place for obtaining all customer-related information necessary for an effective anti-money laundering program. A covered insurance company must also integrate its agents and brokers into its anti-money laundering program, make sure they're properly trained on their responsibilities under the program, and monitor their compliance with it. The company must also obtain all relevant customer-related information from its agents and brokers (or other sources), and use that information to assess the money laundering risks associated with its business and to identify any red flags.

B. How to get to know your customer


Below is a general outline of know-your-customer procedures. Your firm has likely adopted its own. Therefore, you should consult your law or compliance department about the specific procedures that apply to you. The goal of any know-your-customer procedure is to make reasonable efforts to

- determine the true identity of all customers and the ownership of all accounts
- identify the source of funds used by the customer to open an account and pay for trades
- monitor the account--both transactions and the flow of cash and assets to and from the account--for activity disproportionate to the customer's apparent means, business, or background

While your employer will likely have its own procedures for what you need to do to know your customer, many firms have certain minimum obligations they've established to comply with the money laundering laws. For example, under the PATRIOT Act, certain financial institutions, including banks and securities firms, must have specific procedures in place for

- opening customer accounts
- gathering customer information (including certain required items)
- verifying the customer's identity
- verifying that the customer doesn't appear on any government list of known or suspected terrorists or terrorist organizations--such as the Specially Designated Nationals (SDN) List issued by the Treasury Department's Office of Foreign Assets Control (OFAC) and available on its website at http://www.treas.gov/offices/enforcement/ofac/index.shtml
- keeping records used to verify these things

Following are some ways of gathering and keeping this information:

- For an individual customer, get a driver's license, passport, government identification, alien registration card, major credit card, or other common form of identification.
- For a business, get evidence of legal status and authority (incorporation documents, partnership documents, resolutions, business licenses, and so forth).
- Complete a customer profile containing information relevant to your business.

- Identify the customer's other accounts or transactions with the firm, including accounts in the names of others over which the customer has control. Look at the trading in those accounts. Has the customer moved large amounts of money in and out of those accounts? Engaged in frequent wire transfers? Engaged in foreign transactions? This may warrant additional investigation.
- Find out the customer's financial information. What is the customer's net worth and that of immediate family members? What are the customer's assets, liabilities, income, and expenses each year? What is the customer's liquidity? Are the customer's income and financial position consistent with his stated occupation?
- Particularly if the customer is opening an account for a limited partnership, corporation, trust, or other third party, verify that the customer has authority to open the account and verify the identity of the beneficiary, if any, or the third party.
- Verify the source of the funds the customer is using to open an account or pay for the transaction.
- Get personal and business references.
- Ask questions. For example, where is the customer located? Is this a high-risk jurisdiction? What's the source of the funds? If it's an account, is it recently opened or located in a high-risk jurisdiction? What's the method of payment? If the customer is an individual, will anyone other than the account holder have control over how the account is managed or how the funds will be used? If it's a business, who owns it?

In addition, depending on the circumstances, you may want to consider using some or all of the following techniques to verify customer information when opening an account.

- Check phone numbers and addresses by telephoning or visiting the customer to thank her for opening the account. In fact, it's a good idea to have customers provide street addresses to open an account, and not simply a post office box. A disconnected phone number or an address that is incorrect warrants further investigation and may be suspicious. Visiting a business and finding that it does not exist, or that it does not appear to provide the services indicated, warrants further investigation and may be suspicious.
- Check the customer's personal or business income. Your firm could do this by requesting tax forms or running a credit check. In consultation with your law or compliance department, consider whether a report from a private credit agency should be obtained--for example, if the customer engages in significant margin activity.
- For a business, ask for financial statements, annual reports, marketing brochures, a description of the business, a list of suppliers and customers and their location, and a description of the locales in which the company does business (with particular attention to whether it conducts international transactions).
- Conduct a search of available online databases or newspapers, periodicals, and other public information. Check with the local chamber of commerce or retrieve public filings with the Securities and Exchange Commission (SEC) when appropriate.

- For a business, ask for information supporting the expected volume of funds generated by the business.
- Get an understanding of the customer's likely patterns of doing business with your company so that deviations from those patterns can be detected.

You should verify identification information at the time the account is opened, or within a relatively short period after (for example, within five business days after opening the account). If a customer refuses to provide the information, or appears to have intentionally provided false or misleading information, it's a good idea to contact your law or compliance department before opening the account to seek its guidance.

If your company provides some kind of an account for a customer, such as a bank account, investment accounts, and so forth, depending on the circumstances, some additional information may be useful for certain kinds of accounts. Below is a partial list of account types and the information you may want to consider gathering when opening the account.

- Non-resident alien account: Get a current passport number or other valid government identification number, and all necessary U.S. tax forms. Also consider whether even more information is necessary, depending on which country the customer comes from.
- Domestic trusts: Identify the principal ownership of the trust. Also get information regarding the authorized activity of the trust and who is authorized to act on behalf of it.
- Personal investment corporations or personal holding companies: Identify the principal beneficial owners of offshore corporate accounts where the accounts are personal investment corporations or personal holding companies. Try to identify who the beneficial owners are and where they are located. You may need additional due diligence depending on the entity's location in particular countries.
- Offshore trusts: Identify the principal ownership of a trust established in a foreign jurisdiction and consider additional due diligence for trusts located in countries known to have lax oversight of trust formation.
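The account-opening checks described in this section, as an added example in Python (not from the handbook or any firm's program): the review screens the applicant's name against a sanctions list after normalizing it, checks identification documents, street address, source of funds and jurisdiction, enforces the five-business-day verification window, and escalates anything unresolved to law or compliance. The list entries, jurisdiction codes, document labels and applicant records are constructed placeholders.

```python
"""Account-opening review for the know-your-customer steps above (added example, not from the handbook)."""
import re
import unicodedata
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Constructed placeholder entries; a real program screens against the OFAC SDN list the text cites
# and uses fuzzy matching, which this exact-match check deliberately leaves out.
SANCTIONS_LIST = {"JOHN Q SAMPLE", "SAMPLE TRADING LTD"}
HIGH_RISK_JURISDICTIONS = {"ZZ", "YY"}       # constructed stand-ins for FATF-listed countries
INDIVIDUAL_IDS = {"driver_license", "passport", "government_id", "alien_registration", "major_credit_card"}
BUSINESS_DOCS = {"incorporation", "partnership", "resolution", "business_license"}
VERIFY_WITHIN_BUSINESS_DAYS = 5              # window suggested in the text


@dataclass
class Applicant:
    name: str
    kind: str                       # "individual" or "business"
    id_documents: Set[str]
    address: str
    jurisdiction: str
    source_of_funds: str            # "" if the applicant declined to answer
    opened_on: date
    verified_on: Optional[date] = None
    refused_information: bool = False


def normalize(name: str) -> str:
    """Fold accents, case and punctuation so 'Sämple Trading, Ltd.' equals 'SAMPLE TRADING LTD'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^A-Za-z0-9 ]", " ", folded).upper().split())


def on_sanctions_list(name: str) -> bool:
    target = normalize(name)
    return any(normalize(entry) == target for entry in SANCTIONS_LIST)


def business_days_between(start: date, end: date) -> int:
    """Weekdays elapsed after `start` up to and including `end` (holidays ignored: assumption)."""
    days, cur = 0, start
    while cur < end:
        cur += timedelta(days=1)
        if cur.weekday() < 5:
            days += 1
    return days


def is_po_box_only(address: str) -> bool:
    return re.search(r"\b(p\.?\s*o\.?\s*box|post office box)\b", address, re.I) is not None


def kyc_review(a: Applicant, today: date) -> Tuple[str, List[str]]:
    """Return ("open", []) or ("escalate", reasons). Unresolved items go to law/compliance, not to the customer."""
    reasons = []
    if on_sanctions_list(a.name):
        reasons.append("name matches sanctions list")
    required = INDIVIDUAL_IDS if a.kind == "individual" else BUSINESS_DOCS
    if not (a.id_documents & required):
        reasons.append("no acceptable identification or legal-status document")
    if a.refused_information or not a.source_of_funds:
        reasons.append("customer refused or omitted required information")
    if is_po_box_only(a.address):
        reasons.append("post office box given instead of a street address")
    if a.jurisdiction in HIGH_RISK_JURISDICTIONS:
        reasons.append("customer located in a high-risk jurisdiction")
    if a.verified_on is None and business_days_between(a.opened_on, today) > VERIFY_WITHIN_BUSINESS_DAYS:
        reasons.append("identity not verified within the allowed window")
    return ("escalate" if reasons else "open", reasons)


# Constructed applicants: one routine individual and one business that trips several checks.
CLEAN = Applicant("Jane Roe", "individual", {"passport"}, "12 Main St, Springfield, US",
                  "US", "salary", date(2024, 3, 4), verified_on=date(2024, 3, 6))
SUSPECT = Applicant("Sämple Trading, Ltd.", "business", {"incorporation"}, "P.O. Box 77",
                    "ZZ", "", date(2024, 3, 4))

if __name__ == "__main__":
    for applicant in (CLEAN, SUSPECT):
        print(applicant.name, kyc_review(applicant, today=date(2024, 3, 15)))
```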

C. Institutional accounts, hedge funds, investment funds, and other intermediary relationships
Your anti-money laundering obligations don't end when a customer is an institution. Although institutional business differs from traditional retail business, this simply means that some of your anti-money laundering procedures will differ. In fact, even if an institution doesn't represent a credit risk to the firm because transactions are conducted on a delivery versus payment (DVP) basis, you may still need to conduct appropriate due diligence in order to satisfy your anti-money laundering procedures.

The due diligence obligations under know-your-customer rules for institutional accounts are a good place to start. Also consider getting information about the institutional customer's or its intermediary's authority to act on behalf of the underlying client, as well as whether the institutional client or intermediary has policies and procedures of its own to know its own clients. Some things to consider when deciding what additional due diligence is appropriate for an institutional customer include whether

- the institution or its intermediary has established anti-money laundering policies and procedures
- your firm's prior experience/business with the customer has been positive or raised any suspicions
- the customer is a registered financial institution based in a major regulated financial center or located in a FATF jurisdiction
- the customer has a reputable history in the investment business
- the customer is from a jurisdiction characterized as an offshore banking or secrecy haven or is one of the countries identified as being noncooperative with international efforts to combat money laundering.

D. Some special issues relating to correspondent accounts

1. Correspondent accounts with foreign shell banks

It's illegal for a financial institution to establish, administer, or manage a "correspondent account" in the United States for an unregulated foreign shell bank. A correspondent account is an account established to receive deposits from, make payments on behalf of, or handle other financial transactions related to a foreign bank. A foreign shell bank is a foreign bank with no physical presence in any country. If you discover or suspect that you might be maintaining or establishing a correspondent account for a foreign shell bank, contact your law or compliance department for guidance.

2. Due diligence for correspondent accounts with foreign financial institutions

For correspondent accounts with foreign financial institutions that aren't shell banks, your firm is required to maintain records identifying the owners of the institution and the name and address of an agent residing in the United States authorized to accept service of legal process for the bank. Your firm also likely has a model certification issued by the Treasury Department that the foreign bank must complete. The form generally asks the foreign bank to confirm that it is not a shell bank and to provide the necessary ownership and agent information. The firm is required to recertify, if relying on the certification form, or otherwise verify any information provided by each foreign bank, at least every two years or at any time the firm has reason to believe that the information is no longer accurate. Under the PATRIOT Act, firms are required to establish appropriate, specific, and, where necessary, enhanced due diligence policies, procedures, and controls to detect and report money laundering for any foreign institution correspondent account. This due diligence should generally include:

- a determination of whether the correspondent account is subject to enhanced due diligence requirements--this requires that, when the correspondent account is for a foreign bank, you determine whether it operates under certain offshore banking licenses or under a banking license issued by certain jurisdictions
- a risk assessment to determine whether the correspondent account poses a significant risk of money laundering activity--consider such factors as its size, lines of business, customer base, or location; the products and services offered; the nature of the correspondent account; and the type of transaction activity for which it will be used
- consideration of any publicly available information from U.S. governmental agencies and multinational organizations with respect to regulation and supervision, if any, applicable to the foreign institution
- consideration of any guidance issued by the U.S. Treasury Department or your functional regulator (such as the SEC or state insurance commissioner) regarding money laundering risks associated with particular foreign financial institutions and types of accounts
- review of public information to determine whether the foreign financial institution has been the subject of criminal action of any nature, or of any regulatory action relating to money laundering, to determine whether the circumstances of the action may reflect an increased risk of money laundering through the account

At a minimum, for foreign banks licensed by high-risk countries or operating under an offshore banking license, your firm needs to

- perform enhanced scrutiny to determine the ownership of the foreign bank
- conduct enhanced scrutiny of the account to detect and report suspicious activity
- determine whether the foreign bank maintains "correspondent accounts" for any other bank--and if so, the identity of those banks

E. Special due diligence for private banking accounts


The PATRIOT Act also requires special due diligence for non-U.S. citizens who have private banking accounts with the firm. A private bank account is an account (or combination of accounts) that requires an aggregate deposit of funds or other assets of more than $1 million established on behalf of one or more individuals who have a direct or beneficial ownership interest in the account, and is assigned to, or administered by, in whole or in part, an officer, employee, or agent of a financial institution as a liaison between the institution and the direct or beneficial owner of the account. For private banking accounts, firms are required to take steps to determine the identity of the nominal and beneficial account holders, including the lines of business and source of their wealth, the source of the funds deposited into the account, and whether any account holder is a senior foreign political figure. Steps you can take include confirming information provided by account holders and their agents and contacting beneficial owners, as appropriate, to determine their ownership interest and source of funds. You can also use public databases to determine whether someone is a senior foreign political figure. If the account is for a senior foreign political figure, or any immediate family member or close associate of a senior foreign political figure, enhanced due diligence is required. The enhanced scrutiny should be designed to detect and report transactions that may involve the proceeds of foreign official corruption, such as bribery. This includes approval of the decision to open an account by senior management. The level of scrutiny will also vary depending on whether the official is from a jurisdiction known to be a money laundering haven, whether current or former political figures have been implicated in large-scale corruption, and the length of time since a former official has been in office. To account for all the risk factors, your enhanced scrutiny may include determining the purpose and use of the private banking account, the location of the account holders, the source of funds, the type of transactions engaged in through the account, and the jurisdictions involved in the transactions. Check your firm's procedures for the due diligence requirements that apply to you if you handle correspondent accounts for foreign banks.

PENALTIES

I. Civil and Criminal Penalties


It should be clear by now that American law enforcement takes money laundering violations seriously. In fact, the penalties for violating the money laundering statutes are severe. Depending on the circumstances, fines against companies can be as high as $500,000 per violation or twice the amount of the property involved in the financial transaction. Individuals are subject to the same fines, as well as up to 20 years in prison. Even the penalties for violating the reporting requirements are harsh. An individual's willful failure to report $10,000 transactions is punishable by fines up to $250,000, five years in prison, or both. Interfering with the filing of a report is also a violation. A false statement or misrepresentation made on a report can carry a fine of up to $10,000, five years in prison, or both. The law even says that if the violation of the reporting statutes is part of a pattern of illegal activity involving more than $100,000 in a 12-month period, the fine can double up to a maximum of $500,000, ten years in prison, or both. Finally, even if you are not criminally prosecuted, civil penalties can be assessed for each willful failure to file a report, up to the greater of $25,000 or the amount involved in the transaction, up to $100,000.

II. Forfeiture, Receivership and Revocation of Charters


Finally, the government can seize and cause to be forfeited any property that was part of a money laundering offense or that is otherwise "traceable" to the offense. If, for example, one convinces a bank teller not to report a cash deposit of $15,000, the $15,000 can be frozen and thereafter surrendered to the government. Similarly, a building bought with laundered money is subject to forfeiture. Furthermore, a commission paid with dirty money is the government's to keep. A financial institution convicted of a money laundering offense is subject to what is referred to in the industry as the "death penalty": receivership and the revocation of its federal charter, license, or other authorization to conduct business. Through this procedure, financial institutions guilty of money laundering can be permanently closed down.

Example 32: While Mary is laundering the payoffs collected by her corrupt police lieutenant husband, the president of her bank periodically goes out of his way to welcome the husband when he comes to the bank, even inviting him into his personal office in full view of the other bank employees. After the cop is arrested by the FBI as part of a sweep of corrupt police officers, he makes a plea bargain with the government and discloses that every month he gave the president several thousand dollars cash in "appreciation" for the money laundering services rendered to him and his fellow officers. In addition to all the individuals at the bank being personally prosecuted and jailed for money laundering, the bank would probably be placed in receivership and liquidated.

STATE LAWS
A number of states have laws that substantially parallel the federal money laundering statutes and regulations. Included among those states are California, Florida, and New York. Common to the laws of these three states and the federal ones is that knowingly participating in transactions involving the proceeds of crime or criminally "derived" property, or intentionally concealing the origin of such proceeds and property, is illegal. Accordingly, what we have called the "First Pillar" of the law of money laundering--the obligation to avoid dirty assets--is enforceable against an offender in those states having such laws independently of the prohibition of such conduct under the law of the U.S. government. Consult your law department if you have any questions about the effect of state money laundering laws on your company.

Example 33: If the bank where Mary works is in California, she, her corrupt police lieutenant husband, her head-in-the-sand supervisor, and the compromised bank president could be sent to prison for lengthy terms for violating the state's laws prohibiting participation in any financial transaction of over $5,000 for the purpose of "promoting" or "facilitating" criminal activity. Such prison time would be over and above whatever federal time they had to serve for breaking the federal money laundering laws.

COORDINATED FEDERAL ENFORCEMENT AND OVERSIGHT

In 1990, the U.S. Treasury Department created the Financial Crimes Enforcement Network (FinCEN) to establish, oversee, and implement policies to prevent and detect money laundering. FinCEN acts as a central depository for reports filed by financial institutions. While FinCEN is an agency of the Treasury Department, it provides intelligence information to many law enforcement agencies, such as the Justice Department, enabling them to track criminals and their assets and to develop new strategies against money laundering. It also provides an increasingly valuable information resource to the general public. Among other things, FinCEN periodically designates foreign jurisdictions, institutions, classes of transactions, and types of accounts as being of "primary money laundering concern." For further information, see the "Section 311" page of the FinCEN website at http://www.fincen.gov/reg_section311.html. In addition, the interdiction and eradication of money laundering has been declared a national priority. In 1998 Congress passed, and the president signed, a law requiring the secretary of the Treasury and the attorney general of the United States to annually submit to Congress a "national strategy for combating money laundering and related financial crimes." The strategy is developed in conjunction with the Federal Reserve Board, the IRS, the SEC, the Postal Inspection Service, and state attorneys general and prosecutors. The unifying theme of the multipronged strategy is (1) strict prosecution and harsh punishment of individuals and businesses who violate the laws and (2) prevention through public and private industry alliances within the United States and internationally.

EDUCATIONAL HANDBOOK
ANTI-MONEY LAUNDERING FOR LIFE INSURANCE COMPANIES
This resource provides valuable reinforcement tools to supplement your AML training program efforts. It includes Frequently Asked Questions about the topic area, a Top Ten list revealing the most important risks to your employees, and is rounded out with a Quiz to assess your employees' knowledge.

FREQUENTLY ASKED QUESTIONS ABOUT ANTI-MONEY LAUNDERING FOR LIFE INSURANCE COMPANIES
1. What is money laundering?
Simply stated, money laundering is the process of making "dirty money" clean. There are two kinds of dirty money. The first is money that comes directly from illegal activities, such as drug sales, gambling, larceny, bribery, and securities fraud. The second is money that comes from legitimate activities but is then concealed for an illegal purpose such as tax evasion or terrorist activities. Money laundering typically involves concealing the existence or source of funds and then disguising those funds by using them for apparently legitimate purposes.

2. How much money gets laundered?
It's estimated that between US$590 billion and US$1.5 trillion gets laundered worldwide each year. That's between 2% and 5% of the global gross domestic product.

3. How can I identify which countries are considered money laundering havens?
The Financial Action Task Force (FATF) periodically publishes a list of countries that it regards as noncompliant. You can find this list on the FATF Web site (www.fatf-gafi.org).

4. If a client tells me that the money in his account resulted from illegal activities, can I still execute transactions in the account?
No. If you engage in any kind of transaction with such an account, you may be helping the client launder money. You must report what you know to your supervisor or legal and compliance department. They'll determine what actions need to be taken.

5. Why is the insurance industry attractive to money launderers?
While the movement of assets may not be as easy using insurance products as something like highly liquid securities at brokerage firms with offices all over the world, money launderers may still be drawn to insurance companies. Those laundering money may feel insurance companies will not have as comprehensive anti-money laundering programs. Also, compensation of insurance agents is often commission based, so there's a built-in incentive to disregard the source of client funds. In other words, criminals will try to launder money using insurance products because they feel they can get away with it.

Please note that LRN ECA resources and materials are intended for internal use only by LRN ECA subscribers and distribution to non-subscribers outside of your organization is not authorized without express written permission from LRN.

www.eca.lrn.com

6. What businesses can be used to launder money?
Any business entity that processes cash and transfers funds or other instruments of value can be used to launder money. Funds may be laundered through almost any kind of business, including investment banks, brokerages, commercial and retail banks, hedge funds, foreign currency exchanges, and, of course, insurance companies. Even businesses with a high cash turnover such as bowling alleys and travel agencies have been used to launder money.

7. If my company prohibits cash transactions, do I still need to worry about money laundering?
Yes. Money laundering can take place with traveler's checks, personal checks, bank checks, money orders, bearer bonds, and wire transfers.

8. What is willful blindness?
Willful blindness occurs when someone ignores signs that an account is being used to launder money, or doesn't take the required steps to report suspicious activity. The law here is concerned with whether someone knows or should be able to tell that the funds in question are derived from criminal activity, or that a transaction is designed to conceal the source of the funds.

9. Can I be convicted of money laundering just for ignoring warning signs indicating suspicious activities?
Yes. If you know that your client is laundering money, or if you choose to ignore warning signs while assisting your client in laundering money, you could find yourself being prosecuted for money laundering.

10. What kind of knowledge would make me guilty of money laundering?
A financial transaction involving dirty money can violate the money laundering laws if anyone involved knows or is willfully blind to the fact that it's designed to conceal or disguise the nature, location, source, ownership, or control of the proceeds of criminal activity. In addition, if anyone engages in a transaction with the intent to promote criminal activity or engage in tax fraud or evasion, this too violates the money laundering laws.

11. What are the penalties for money laundering?
The penalties for violating the money laundering laws are severe. In the United States, depending on the circumstances and jurisdiction, fines against companies can be as high as US$500,000 per violation or twice the amount of the transaction. Individuals are subject to the same fines, as well as up to 20 years in prison. In addition, the government can seize the property involved. In Canada, the fines can be as high as $2 million and the prison term up to 5 years.

12. What is a Politically Exposed Person (PEP)?
A Politically Exposed Person (PEP) is an individual who is or has been entrusted with prominent public functions in a foreign country, including heads of state; senior politicians; senior government, judicial, or military officials; senior executives of state-owned corporations; or important political party officials. PEPs also include individuals with close family ties or personal or business connections with PEPs. Prior to opening an account for a PEP, you should perform enhanced due diligence.

13. What are some of the warning signs I should look for regarding client information?
Watch for a client who's unusually concerned about privacy, who provides information that proves to be false or suspicious, who's reluctant to proceed when informed of currency reporting requirements, or who withholds information necessary to complete required transaction reports.

14. What are some of the warning signs I should look for in client account activity?
While it's impossible to list every potential situation, some examples include making frequent large deposits or withdrawals for no apparent business or personal reason; frequently depositing funds into an account and immediately requesting wire transfers to another city or country when there isn't a clear connection between the transfers and the client's business or personal activities; and transfers to offshore accounts.

15. Does the law protect me if I report suspicious activity and I'm wrong?
Yes. If a company reports a client's suspicious activity to the authorities, both the company and its employees are generally protected if the client sues them for reporting it. Escalate your concerns within your company when you have a good-faith basis for suspicion that the law may have been violated, and that the client's account or accounts are connected to the suspicious activity. Your company will formally decide whether to file a report.

16. Why does the government care about money laundering?
Without money laundering, crime doesn't pay. Most crimes are useful to the perpetrator only to the extent that their proceeds can be used to purchase goods and services. The objective of the government's program is to target the flow of money generated by crime and prevent it from being laundered and potentially used in commerce. If law enforcement can succeed at this, the incentive to commit crimes will diminish.

17. How do I report activity that I think is money laundering?
It's important that you report it in the correct way. You should not, under any circumstances, disclose your suspicions to the client. Instead, immediately notify your company's legal and compliance department. The department will decide whether to report the suspicious activity to authorities.

18. What are sanctions lists?
Various countries have put together lists of people, groups, or entities that are thought to pose a high risk of crimes, including terrorism. It's recommended that you search for your clients' names on these lists. If you find an existing or potential client's name on a sanctions list, immediately contact your supervisor or legal and compliance department.

TOP TEN THINGS TO REMEMBER ABOUT ANTI-MONEY LAUNDERING FOR LIFE INSURANCE COMPANIES

1. Money laundering is a crime in which funds are moved through one or several accounts, financial institutions, or countries to disguise their illegal origin and ownership. Proceeds of various crimes, including securities fraud, political corruption, arms trafficking, drug dealing, and simple theft, that are successfully laundered may then be spent or reinvested without detection by law enforcement.

2. "Willful blindness" may make you and your company accomplices to the crime of money laundering. Willful blindness occurs when an individual deliberately ignores signs that an account is being used to launder money, or to engage in other suspicious activity, and takes no steps to report the suspicious activity. Burying your head in the sand and allowing your clients to engage in suspicious transactions can result in grave consequences for you and your company. Penalties for willful blindness may be as severe as penalties imposed on the money launderers themselves. Reporting your suspicions is always safer.

3. If you suspect that money laundering is occurring at or through your company, report it to your supervisor or legal and compliance department. To protect yourself and your company, you should be alert to suspicious activity that may indicate that money laundering or other crimes are being committed. If you're not sure what to do in a particular situation, it's best to escalate any suspicious activities to your supervisor or legal and compliance department. If your company reports suspicious activity to the government and it turns out that you were wrong, you and your company will be protected from lawsuits as long as your report was made in good faith.

4. An insurance company must develop and implement a risk-based anti-money laundering program applicable to its covered products. Being risk-based means the insurer's AML program must include policies and procedures based upon a risk assessment of the money laundering and terrorist financing risks associated with the insurer. Under the USA PATRIOT Act, the assessment would look at the risks associated with the insurer's covered products.

5. The AML program applies to covered products. For a life insurance company in the United States, covered products include permanent life insurance and annuity contracts other than group life insurance and group annuities, as well as any other insurance products with features of cash value or investment. In Canada, these products would be considered higher risk while products that the USA PATRIOT Act considers exempt would be considered low risk.

6. Insurers are required to incorporate agents and brokers selling covered products into their company's AML program. Money launderers take advantage of the fact that insurance products are often sold by independent brokers and agents who do not work directly for the insurance companies. These agents may have little know-how or motivation to screen clients or question payment methods.


7. Under certain circumstances insurers must file Suspicious Activity Reports (SARs) in the United States or Suspicious Transaction Reports (STRs) in Canada. In the United States these circumstances include transactions of at least US$5,000 involving covered products that the insurer knows, suspects, or has reason to suspect involve funds derived from illegal activity, are designed to evade reporting requirements, or have no business or apparent lawful purpose. In Canada there are no dollar thresholds or exclusions based on product or client type for this reporting requirement. Remember: if your company decides to review or report suspicious activity to a government entity, you must not, under any circumstances, disclose that fact to the client.

8. Warning signs that a potential client is a money launderer usually involve either the client's identity or the stated reason for opening the account. Be wary of a client's reluctance to provide information about identity, address, business activities, or source of funds. Clients whose backgrounds are inconsistent, or whose behavior doesn't match their stated reasons for opening the account, should also be watched carefully.

9. It's important for financial institutions to detect and prevent money laundering throughout the life of an account relationship, not just at the beginning. Money laundering can take place at any stage, from the first deposit of funds into an institution to the liquidation of funds when a client relationship is terminated. Signs of money laundering include clients who are indifferent to commissions and transaction fees; wire transfers that have no apparent business purpose or that are sudden, unexplained, or unusually large; and clients with numerous accounts, especially when the accounts are under different names or serve no apparent business purpose.

10. Penalties for failing to abide by anti-money laundering laws and regulations can be severe. They include costly remedial measures, substantial fines levied against your company and against individual employees, and a licensed person's permanent ban from the financial services industry.


TEST YOUR KNOWLEDGE OF ANTI-MONEY LAUNDERING FOR LIFE INSURANCE COMPANIES


Question 1:
Which of the following statements is true?
a) Money laundering always involves cash deposits
b) Money launderers seek to disguise the source and ownership of funds through a series of transactions
c) Money launderers include only drug dealers or terrorists
d) Money laundering happens only at the time an account is opened

Question 2:
Which step in the money laundering process disassociates the illegal funds from the crime by creating a complex web of financial transactions?
a) Placement
b) Layering
c) Integration
d) Transformation

Question 3:
Why is an annuity contract considered a higher risk for money laundering than a property and casualty insurance policy?
a) Because an annuity contract can have cash value and investment potential
b) Because annuity contracts are riskier than any kind of insurance policy
c) Because the amount invested in an annuity is usually larger than property and casualty insurance premiums
d) Because property and casualty insurance protects you against a loss

Question 4:
Linda sees a picture on the internet of a client she recently opened an account for, Monica, shaking hands with a prominent Guatemalan government official. She calls Monica and, after sharing a chuckle about the picture, finds out they're cousins. Does this information change the way Linda should treat Monica's account?
a) No, the account is already open and Monica hasn't laundered any money
b) No, a relative of a prominent government official isn't a PEP
c) Yes, Linda should perform enhanced due diligence, even though the account is already open
d) Yes, Linda should freeze the account until an expanded identification process can be completed


Question 5:
Each of the following is a warning sign of money laundering when opening an account except:
a) Excessive concern by a client about your company's compliance with government reporting requirements
b) Altered or forged account opening documentation
c) Reluctance to provide identifying information or documentation
d) Client's personal identification documentation is issued by a developing country

Question 6:
Assessing the likelihood of a product being used to launder money is a component of what type of AML program?
a) Client-based
b) Risk-based
c) Product-based
d) Fear-based

Question 7:
Maurice has been a client of Lars for the past fifteen years. Should Lars still be mindful of suspicious behavior in Maurice's transactions?
a) Yes, a client could launder money at any time
b) No, if Maurice was going to launder money he would have done it by now

Question 8:
Which of the following questions will help you detect and prevent money laundering or other suspicious activity? a) Do I know the source of the funds my client seeks to invest at the company? b) Do I know whether my client lives or is based in a sanctioned country or is on a sanctions list? c) Does my client's account activity make sense when compared with the client's stated investment objectives or with the account activity of other similarly situated clients? d) All of the above

Question 9:
Sandra is helping Zachary, a wealthy financier, open a variable annuity account. Zachary isn't a U.S. or Canadian citizen, and in fact is the Minister of Finance of a foreign country. When Sandra begins asking detailed questions about his identity and background, Zachary acts deeply offended and even claims that she's invading his privacy. What should Sandra do?
a) Immediately stop asking questions
b) Tell him that she might have to file a suspicious activity report if he refuses to answer the questions
c) Tell him that she must verify every potential client's identity as part of the account opening process
d) Open the account, but do nothing further


Question 10:
Your company files a SAR for some transactions made by your customer. But you know the customer and know that the transactions are legitimate, so you speak to him about the SAR to preserve the business relationship. Which of the following statements best describes your actions?
a) You violated the anti-money laundering laws
b) You used good judgment to preserve an important customer relationship
c) You perhaps behaved inappropriately, but you didn't violate the law
d) You are allowed to discuss it because you didn't file the SAR


Answer to Question 1:
b) is the correct answer. Money laundering is the process of hiding the criminal source of funds, generally through a series of transactions. While money laundering can certainly be done with cash deposits, that is not the sole means. Money launderers can include, among others, drug dealers, terrorists, government officials, lawyers, accountants, and wealthy businesspersons. Finally, money laundering can occur at any time in the life of an account.

Answer to Question 2:
b) is the correct answer. The money launderer tries to disguise the criminal origin of the dirty money by layering, which involves making a series of transactions to distance the money from its source.

Answer to Question 3:
a) is the correct answer. Products with cash value or investment potential, like an annuity contract, present a greater risk for money laundering. While property and casualty insurance doesn't have cash or investment value, other kinds of insurance policies, such as permanent life, can. A larger investment in an annuity is not a certainty; the cash or investment value is the operative point. The fact that property and casualty insurance protects you from a loss is irrelevant to the risk of money laundering.

Answer to Question 4:
c) is the correct answer. Monica is treated as a PEP, because relatives and close business partners of PEPs are assigned the same level of money laundering risk. Even though the account is already open, Linda should now perform enhanced due diligence, because she has learned that the account carries higher risk than previously believed. Neither Linda nor her firm should freeze any accounts; that would be done by the local government if necessary.

Answer to Question 5:
d) is the correct answer. Excessive concern about government reporting requirements, forged documentation, and reluctance to provide identifying documentation are all warning signs, or red flags, of money laundering. Identification issued by a less developed country is not by itself considered a warning sign.

Answer to Question 6:
b) is the correct answer. Risk-based means the insurer's AML program must include policies and procedures that address the money laundering and terrorist financing exposure identified in a risk assessment. Although the assessment looks at the products involved, the program is built around the risk associated with a given product rather than the product itself. Likewise, due diligence should be performed on each client, but the program as a whole is rooted in risk.

Answer to Question 7:
a) is the correct answer. Many companies have had clients who were law-abiding for many years, if not decades, before laundering funds. A client's behavior can be suspicious regardless of how long he has been a client, so it's important to stay vigilant for warning signs. Keep in mind that after fifteen years you should be well equipped to recognize inconsistent and suspicious behavior. As always, use your common sense and experience.


Answer to Question 8:
d) is the correct answer. Knowing the identity of clients and the source of their funds helps to ensure that your company does business only with legitimate clients who have legitimate sources of wealth. Verifying that a client is not on a sanctions list helps to ensure that your company does not knowingly violate applicable sanctions. Finally, confirming that a client's account activity makes business sense helps your company avoid being used for other than legitimate purposes.

Answer to Question 9:
c) is the correct answer. Sandra should tell Zachary that she must verify his identity before opening an account. In fact, since Zachary is a PEP, she should perform enhanced due diligence. The fear of losing a customer is never an acceptable reason to skip verifying a client's identity. And it's illegal in many jurisdictions to tell a client about the filing of a suspicious activity report.

Answer to Question 10:
a) is the correct answer. By informing the customer that the SAR had been filed, you violated the law, exposing both yourself and your company to liability. It doesn't matter that your only intention was to preserve a customer relationship, or that you weren't the one who filed the SAR; you still violated the law.


CORPORATE INSIDERS AND SHORT-SWING TRADING


INTRODUCTION
Section 16 of the Securities Exchange Act of 1934 (the Exchange Act) imposes obligations and prohibitions on certain categories of insiders who are viewed as especially likely to commit insider trading violations. Section 16 also seeks to discourage these insiders from favoring their own short-term stock profits over their company's long-term health, and from manipulating the company's affairs to maximize such profits. Specifically, Section 16:
o requires such insiders to report holdings and transactions in their company's equity securities,
o makes them liable to the company for profits derived from short-swing trading of the company's equity securities, and
o makes it unlawful for them to engage in short sales of the company's equity securities.

These requirements and prohibitions are triggered when the company registers a class of equity securities (such as common stock) with the SEC under Section 12 of the Exchange Act. Such registration is required if:
o the class of securities is listed on a national securities exchange (or the NASDAQ National Market System), or
o the class of securities is held of record by at least the number of shareholders specified in the statute and the company has $5,000,000 or more in assets.

Once the company registers a class of equity securities under Section 12, the provisions of Section 16 apply to certain of its insiders. Virtually all large, publicly traded companies would be covered by Section 16. You should understand that Section 16 and related SEC rules are extremely complex. What follows is a brief overview of some of the general concepts embodied in Section 16 and related rules, all of which are subject to a host of exceptions, exemptions, conditions, and other details too numerous to mention here. Therefore, you should always consult legal counsel regarding the applicability and effect of Section 16 on your specific situation.

INSIDER TRADING REQUIREMENTS


I. Definition Of A Section 16 Insider

For Section 16 purposes, insiders include officers, directors, and beneficial owners of 10% or more of any class of equity securities registered under Section 12. (Note that this definition is narrower than the one used in the disclose-or-abstain rules discussed above.)

A. 10% or more shareholders

For purposes of determining who is a 10% or more shareholder, beneficial ownership means voting or investment power with respect to the securities (or the right to obtain such power within the next 60 days, for example through the exercise of an option or the revocation or termination of a trust). For example, if the company's common stock is registered under Section 12, any person (or group) who can vote or dispose of 10% or more of the company's common stock is a "10% or more" shareholder, and thus a Section 16 insider.

B. Officers

A person's status as an officer depends on function rather than title. Any person who performs a significant policy-making function for the company may be an officer, even if the person is not assigned an officer title or is employed by one of the company's subsidiaries or other affiliates rather than by the company itself. On the other hand, absent a policy-making function, the fact that a person is a vice president, for example, does not necessarily mean that he is an officer under Section 16.

II. Reporting Requirements

A. In general

All Section 16 insiders (including all officers, directors, and 10% or more shareholders) must periodically report beneficial ownership of company securities to the SEC and furnish a copy of each report to the company and to any stock exchange on which the company's shares are listed. These reporting requirements are designed not only to provide investors with information about the investment activities of Section 16 insiders, but also to alert the company and others to any short-swing trading by such insiders.

B. Beneficial ownership

For reporting purposes, a beneficial owner is any person who has a direct or indirect pecuniary interest in the company's equity securities, whether that interest arises from a contract, arrangement, understanding, relationship, or otherwise. Pecuniary interest means the opportunity to profit from, or share in profits from, a transaction in the securities. In other words, if the insider has the direct or indirect opportunity to receive all or part of the profits from transactions in certain securities, he is the beneficial owner of those securities for reporting purposes. Note that this definition of beneficial ownership is broader than the one used to determine whether a shareholder is a Section 16 insider in the first place. As noted above, anyone who has voting or investment power over 10% or more of a class of equity securities registered under Section 12 is a Section 16 insider. But once that test is met, the insider must report all equity securities in which the insider has a pecuniary interest.

C. Attribution

An individual may have an indirect pecuniary interest (and therefore beneficial ownership) in securities held of record by another person. For example, securities held by members of the insider's immediate family who live with the insider are presumed to be owned beneficially by the insider. Similarly, securities held by a partnership in which the insider is a general partner are attributed to the insider based on the insider's share of the partnership's profits or capital account, whichever is higher. Subject to some exceptions and conditions, beneficial ownership may also arise if:
o the insider is entitled to a performance-related fee for certain investment or other financial services, such as acting as trustee, broker, or investment manager;
o the insider is entitled to acquire equity securities through the exercise or conversion of a derivative security, such as a stock option or convertible bond, whether or not the right is presently exercisable;
o the insider is entitled to receive dividends separate or separable from the underlying securities; or
o the insider is a trustee of a trust holding the securities, or is a beneficiary or settlor of the trust and has or shares control over trust investments.
If the insider's company owns a portfolio of securities, beneficial ownership of those securities may be attributed to the insider provided the insider is a controlling shareholder of the company or has (or shares) control over the company's portfolio investments.

D. Failure to report

If the insider fails to file a required report on time, the company must disclose that fact in its proxy statement and annual report. The SEC may pursue administrative and judicial remedies against the delinquent filer, including seeking monetary penalties in federal court.

E. Reporting forms

Depending on the circumstances, the insider must report beneficial ownership on one of three forms, known as Form 3, Form 4, and Form 5. These are described below.

1. Form 3

Form 3 is the initial report that must be filed when a person or entity first becomes subject to Section 16 requirements. When the company first registers a class of equity securities under Section 12, existing officers, directors, and 10% or more shareholders must file a Form 3 at the time of that registration. Thereafter, a Form 3 must be filed within ten days after a person or entity becomes an officer, director, or 10% or more shareholder.

Note that in some cases the insider must report transactions that occurred before (as well as after) the insider became subject to Section 16.

2. Form 4

Form 4 is used to report changes in a Section 16 insider's beneficial ownership previously reported on Form 3. For example, the insider must use Form 4 to report a purchase or sale of securities that were previously reported on Form 3. If certain conditions are met, Form 4 need not include acquisitions totaling $10,000 or less in any six-month period; these are reported instead on Form 5. The insider must also use Form 4 to report certain exempt transactions, including:
o grants, awards, and other acquisitions from the company,
o dispositions to the company, and
o exempt discretionary transactions.
In addition, the insider must use Form 4 to report all exercises and conversions of derivative securities, whether or not they are exempt from the short-swing trading rules.

An insider must normally file the Form 4 within two business days after a reportable transaction is executed. In some cases a broker or other third party decides when to execute the transaction, and the insider may not learn of it until later. In that case the filing deadline may be extended to five business days after the transaction occurred or two business days after the insider is notified of it, whichever is earlier. This extension applies only to certain types of transactions, and the insider remains responsible for meeting the five-business-day deadline even if she is never notified of the transaction. To help prevent late filings, insiders should ensure that they are promptly notified of any reportable transaction, particularly when a broker or other third party determines the execution date.

3. Form 5

Form 5, the annual report, must be filed within 45 days after the company's fiscal year ends. Form 5 is used to report:
o any transactions that were exempt from the short-swing trading rules (other than those required to be reported on Form 4),
o acquisitions totaling $10,000 or less in a six-month period that were not required to be reported on Form 4, and
o all transactions that were required to be reported on Form 4 but were not.

F. Exemptions

Certain transactions need not be reported, including, among others:
o certain stock splits and stock dividends,
o certain acquisitions through dividend reinvestment plans,
o certain transactions with respect to tax-qualified benefit plans,
o "spin-offs" or other distributions by the company of securities in another company, and
o transactions pursuant to domestic relations orders.

III. Short-Swing Trading

Section 16 covers any short-swing trading in the company's securities by a Section 16 insider. These rules extend to trading in derivative securities.

A. Short-swing trading, generally

Short-swing trading involves a matchable purchase and sale, or sale and purchase. A purchase and sale (or sale and purchase) are matchable if both occur within any period of less than six months. The short-swing trading rules are designed to discourage Section 16 insiders from becoming preoccupied with profits from short-term stock price fluctuations at the expense of the long-term financial health of their company, and from manipulating company events to maximize their own short-term trading profits. Though arbitrary, the six-month period was viewed as roughly dividing transactions that involve speculative abuse from those that reflect valid, long-term investments.

Example 1: A director purchases stock in her company on June 1, 1998. The director subsequently sells stock in her company on September 30, 1998. The director has engaged in short-swing trading, as the purchase and sale occurred within a period of less than six months.

Example 2: A director purchases stock in her company on June 1, 1998. The director subsequently sells stock in her company on February 1, 1999. The director has not engaged in short-swing trading, as the trades did not occur within less than six months of each other.

Example 3: A director sells some stock in his company on June 1, 1998, taking advantage of the favorable market in the company's securities. In July, the price of the company's stock suddenly declines and the director decides to buy several shares of company stock. The director has engaged in short-swing trading, as there is a matchable sale and purchase within a period of less than six months.

A Section 16 insider who has engaged in short-swing trading is required to give up, or "disgorge," any realized short-swing profits and may have to pay interest and other amounts. The short-swing profits go to the company, not to the company's shareholders. Changes in beneficial ownership reported on Forms 4 and 5 may be used to help calculate short-swing profits.

B. Derivative securities

Although the definition of derivative securities is complex, the term basically includes any option, warrant, convertible security, stock appreciation right, or similar right to buy or sell an equity security or to receive cash based on the value of an equity security. The right to buy or sell the equity security, or to receive cash based on its value, is the derivative security; the equity security to which the right relates is the underlying security. For example, an option to purchase a company's common stock would be a derivative security, and the common stock itself would be the underlying security. Similarly, a stock appreciation right, which is the right to receive a payment equal to any increase in the company's stock price, would be a derivative security, and the stock itself would be the underlying security.

The short-swing profit rules for derivative securities vary depending on how the derivative security was acquired. For example, if you go into the options market and purchase an option to buy company common stock, your option purchase is a matchable transaction for short-swing trading purposes. In other words, you will have short-swing trading liability for certain sales occurring within six months of your option purchase. On the other hand, if the company grants you an option to purchase its stock, that grant may be treated as an exempt transaction for short-swing trading purposes if certain conditions are met; in other words, it won't be treated as a matchable transaction. We'll discuss these exemptions in the next section. But first, let's consider what happens if no exemption applies.

Absent an exemption, Section 16 covers the short-swing trading of derivative securities by insiders. For these purposes, any transaction in a derivative security is matched with transactions in (1) any other derivative security relating to the same type of underlying security and (2) the underlying security itself. To be matchable, the two transactions must go the "opposite way." If the two transactions would result in the purchase and sale, or the sale and purchase, of the same type of underlying security, they are matchable if all other conditions are met. For example, the short-swing trading rules would apply to each of the following if they occurred within six months of each other:
o The purchase of an option to buy common stock followed by the sale of an option to buy common stock (that is, the same type of derivative security relating to the same type of underlying security).
o The sale of an option to buy stock followed by the purchase of a note convertible into common stock (that is, different types of derivative securities relating to the same type of underlying security).
o The purchase of an option to buy common stock followed by the sale of common stock (that is, a derivative security and its underlying security).

Example 4: A director sells shares of his company's common stock on June 1, 1998. In August 1998, the director purchases options to buy shares of the company's common stock. The director has engaged in short-swing trading, as there is a matchable sale and purchase of the underlying security and the derivative security within a six-month period.

On the other hand, the exercise or conversion of a derivative security is generally not considered a purchase for purposes of the short-swing trading rules if two conditions are met. First, the exercise or conversion price must be a fixed price. Second, the exercise or conversion price cannot exceed the market value of the stock unless the exercise or conversion is required by certain federal tax provisions. If these conditions are met, the short-swing trading rules generally permit insiders to exercise options and sell the underlying securities immediately, subject to the antifraud provisions of the federal securities laws, as long as the option was granted at least six months before the sale and there is no other matchable transaction.

Example 5: An officer purchases options to buy common stock of the company on July 1, 1997. On November 1, 1997, the officer exercises those options. On January 15, 1998, the officer sells the shares of common stock acquired through the exercise. The officer has not engaged in short-swing trading, as there is no matchable purchase and sale within a period of less than six months; the exercise of the option is considered a non-event for purposes of short-swing trading.

Example 6: On July 1, 1997, an officer purchases options to buy the company's common stock. A year later, on July 1, 1998, the officer sells shares of common stock in the company. On July 15, 1998, the officer exercises his options to purchase common stock. In August 1998, the officer purchases additional options to buy the company's common stock. Here, the officer has engaged in short-swing trading. As in the previous Example, the exercise of the option is a non-event for purposes of short-swing trading; it is simply disregarded. But in contrast to the previous Example, here there is a matchable sale and purchase within a period of less than six months, namely the sale of common stock on July 1, 1998 and the purchase of options to buy common stock in August 1998.

So remember: only the exercise or conversion of the derivative security is disregarded. The acquisition or sale of the derivative security (or the sale of the underlying security acquired through exercise or conversion) still counts as a transaction for purposes of short-swing trading liability, unless it is otherwise exempt under the rules.

Exemptions for Employee Benefit Plans


Certain transactions between a company and its officers and directors are exempt from short-swing trading liability, based on the idea that these transactions essentially constitute a form of compensation. The exempt transactions include:
- grants, awards, and other acquisitions from the company;
- dispositions to the company; and
- transactions in "tax-conditioned" plans.
However, "discretionary transactions" (discussed below) are not exempt, even if they would otherwise qualify for exemption, unless certain conditions are met.

2. Grants, awards, and other acquisitions from the company


Grants, awards, and other acquisitions from the company to or by an officer or director (such as an officer's purchase of company stock directly from the company or a company's grant of stock options to a director) are exempt from short-swing trading liability if certain conditions are met. For example, if an officer buys stock directly from the company, that purchase won't be matched against a sale of company stock, even if the sale occurred within six months. The same applies if the company grants the officer an option to purchase its stock. Subject to certain conditions, the grant is exempt and won't be matched against a sale of the company's stock, even if the sale occurs within six months. This exemption applies even if the participant controls the timing or certain other aspects of the transaction, such as deferring a bonus into a "phantom stock" or other deferred compensation plan. In order for the exemption to apply, one of the following conditions must be met:
- the acquisition is approved in advance by the entire board of directors or by a committee of the board consisting of two or more nonemployee directors;
- the acquisition is approved in advance by the shareholders or ratified by them no later than the next annual meeting of shareholders;
- the officer or director holds the securities for at least six months following their acquisition from the company; or
- in the case of derivative securities, either the officer or director holds the derivative securities (or any underlying securities acquired through conversion or exercise) for at least six months after the grant, or the grant is approved by the board of directors, a board committee, or the shareholders as explained previously.

Example 7: Same facts as in the preceding Example, except that the officer is granted additional options to buy the company's common stock in August 1998, in a board-approved transaction, rather than buying the options in the open market. Here, the officer has not engaged in short-swing trading. In contrast to the preceding Example, there is no matchable purchase and sale within a period of less than six months. The board-approved grant in August 1998 is not a matchable transaction and therefore is not matched against the July 1 sale of common stock. However, you should note that the exemption applies only to the transaction with the company and not to subsequent transactions in the securities acquired. For example, if the officer in the last Example exercised the August options and then sold the shares in the open market, that sale would be a matchable transaction. If the officer purchased company shares within six months before or after that sale, he would have engaged in short-swing trading.

3. Dispositions to the company


For a disposition to the company to be exempt, the disposition must be approved in advance by the full board, by a committee of at least two nonemployee directors, or by the shareholders. After-the-fact shareholder ratification is not acceptable for this purpose. Dispositions to the company include such things as the surrender of company securities to pay the exercise price of a stock option or related tax withholdings, the surrender of stock options or other rights in connection with the issuance of replacement rights, and the election to receive cash in settlement of a stock appreciation right.

4. Tax-conditioned plans
Transactions that occur under a tax-conditioned plan are also generally exempt. Tax-conditioned plans are defined broadly to include:
- qualified plans, such as thrift, savings and 401(k) plans, and other broad-based employee benefit plans;
- excess benefit plans, which are operated in conjunction with a qualified plan and provide only the benefits or contributions permitted under the qualified plan and the federal tax laws; and
- stock purchase plans, including open market purchases under broad-based, payroll deduction plans.
You should note that it is the acquisition under the tax-conditioned plan that is exempt, not the subsequent sale. The subsequent sale of shares acquired under a tax-conditioned plan would be matchable for purposes of Section 16.

5. Discretionary transactions
Many contributory employee benefit plans, such as a company's 401(k) plan, allow plan participants to choose among several funds in which they may invest, one of which may be a company stock fund. These employee benefit plans generally would permit a plan participant to transfer in and out of a company stock fund and receive cash withdrawals or loans from such funds. The SEC perceived the potential for abuse of the insider trading laws where a plan participant/insider has discretion to acquire or dispose of equity securities of its company through the vehicle of its company's employee benefit plan, by engaging in fund-switching transactions or through the withdrawal of assets. To combat these perceived abuses, the SEC limits the freedom of plan participants/insiders to engage in these types of "discretionary transactions" while availing themselves of the exemption from short-swing trading liability available for tax-conditioned plans. These so-called "discretionary transactions," thus, are exempt from the short-swing trading rules only if one of the following conditions is met:
- The election to enter into the transaction is made at least six months after any prior election going the opposite way. For example, an officer's election to acquire company securities pursuant to a company benefit plan must be made at least six months after any election by the officer to dispose of company securities under that plan or any other company plan. "Same-way" elections during the prior six months do not make the exemption unavailable.
- The transaction is in connection with the plan participant's death, disability, retirement, or termination of employment.
- The transaction effects a diversification or distribution that the plan must make available to the participant under the federal tax laws.

IV. Short Sales And Sales Against the Box

A. Liability for short sales and sales against the box
Section 16 prohibits insiders from making "short sales" or "sales against the box" of the company's securities, subject to some exceptions. A short sale occurs when the securities that are sold are not actually owned by the seller at the time of the sale. A sale against the box is a type of short sale. It occurs when the seller already owns the stock, but borrows additional shares to sell short. For Section 16 insiders, an illegal sale against the box occurs when the insider either:
- fails to deliver the security to the buyer within 20 days of the sale, or
- fails to deposit the security in the mail or other channels of transportation within five days of the sale.
Both types of transactions involve the sale of stock using borrowed shares, with the expectation that the market price of the company's stock will fall before the seller has to purchase shares to replace those that were borrowed. In other words, the insider is effectively betting against the company, hoping to realize a profit from a downturn in its stock. The short sale prohibitions were designed to prevent insiders from engaging in this type of behavior. These activities by a Section 16 insider may give rise to civil and criminal liability, but it is unclear whether one may bring a private right of action for this type of conduct.

B. Exceptions

Section 16 and related SEC rules provide some exceptions to liability for short sales and sales against the box, including the following.

1. Good faith
An insider is not liable for selling against the box if the insider in good faith is unable to deliver or deposit the shares sold within the prescribed time periods without undue inconvenience or expense.

2. When issued or when distributed securities


If an insider holds securities entitling the insider to receive other securities when issued or when distributed, without paying any further consideration, the insider may sell the securities to be acquired if:
- the sale is subject to the same conditions applicable to the insider's acquisition of the new securities,
- the insider exercises reasonable diligence to deliver the securities to the purchaser promptly upon issuance, and
- the sale is reported by the insider.
The seller cannot use this exemption to sell more shares of the existing and new securities than the insider owns or expects to acquire.

3. Put equivalent positions


A "put equivalent position" is a right to sell a security within a particular period and at a particular price. This is often used as a "hedge" against underlying stock positions -- in other words, the "put" allows the shareholder to limit the risk of price declines through a right to sell the stock at a certain price. Section 16 insiders may establish or increase put equivalent positions so long as the amount of securities underlying the puts does not exceed the underlying securities otherwise owned by the Section 16 insider. The availability of this exemption depends on the Section 16 insider's ability to continue to own, through the life of the put equivalent position, a sufficient amount of underlying securities to cover the puts.

4. Certain exceptions for brokers and dealers


Section 16 and related rules provide an exception for short sales executed by a broker for an account in which the broker has no direct or indirect interest. This exception insulates brokers and their firms from liability when acting purely in an agency capacity on behalf of others. There is also an exception for certain short positions that arise in connection with the underwriting of large blocks of securities by a dealer.

5. Arbitrage transactions
Certain arbitrage transactions by insiders are also exempt from the short-sale rules under Section 16 and related rules. Officers and directors are still subject to the reporting and short-swing profit rules with respect to such transactions. "Arbitrage," though not defined in the statute or the rules, generally means a specialized form of trading involving offsetting purchases and sales of securities or other commodities in the same or different markets.

Insider Trading: Avoiding Risky Behavior

INTRODUCTION

I. What Is Insider Trading?


Insider trading occurs when an officer, director, employee, or other company insider buys or sells company securities while in possession of inside information (that is, material, nonpublic information regarding the company). For example, if an employee learns that company earnings will be far below expectations and sells her company stock before the news becomes public, the employee is guilty of insider trading. Insider trading can also occur when an insider provides inside information to someone outside the company, known as a tippee, who then buys or sells company securities before the information becomes public.

In addition, insider trading can occur when a noninsider acquires inside information about the company from a source, other than the company, that has been entrusted with that information. If the noninsider then trades company securities before the information becomes public, this can be illegal insider trading. Whether it is in fact insider trading depends largely on whether the noninsider had a relationship of trust and confidence with the source and therefore a duty not to use the information for this purpose. The source's employees would normally have such a relationship. For example, if a law firm employee obtains confidential information about a corporate client from the law firm and then trades the client's stock before the information becomes public, that would likely be considered illegal. As an employee of the firm, the noninsider would normally have a relationship of trust and confidence with the firm and therefore a duty not to use confidential client information for that purpose.

Subject to certain narrow exceptions, an insider, tippee, or misappropriator who trades while aware of inside information is guilty of insider trading, whether or not the person in fact used such inside information as the basis for the trade.

II. The Purpose Of This Handbook


The purpose of this Handbook is to give you a brief overview of insider trading: what it is, when it's prohibited, and what can happen if you engage in insider trading. We will start with the concept of inside information, and then briefly discuss the principal circumstances under which insider trading is prohibited. We will also briefly discuss some special rules regarding insider trading in the context of a tender offer (that is, an offer by a company or individual to purchase all or some of the securities of another company). As you will see, the rules governing insider trading are very complex and, to some extent, unsettled. But there are two things you should always keep in mind. First, insider trading is against the law. It may result in severe penalties, including fines and imprisonment. And even if the trade in question is legal, it may violate a company's internal policies regarding the trading of company stock, resulting in disciplinary action against the trader.

Second, given the complexity of insider trading law, a brief Handbook such as this one cannot begin to address all of the law's variations, nuances, and exceptions. Therefore, it is critical that you seek the advice of counsel if you have any question whether your trading activities might violate insider trading restrictions. Remember -- employees at all levels are subject to insider trading laws.

WHAT IS INSIDE INFORMATION?

I. In General

Inside information is any material, nonpublic information about a company. The terms "material" and "nonpublic" are discussed more fully below. Inside information normally consists of information concerning a company's overall health and structure -- what is sometimes called company information. Information regarding a company's assets, earning power, and changes in management or control are examples of company information. Other examples include major discoveries, such as mineral deposits or oil, a major new contract or the loss of an important contract, technical innovations, and potential exposure to liability. Inside information may also consist of market information -- information that does not necessarily involve the company's earning power, but that nevertheless affects the price of the company's stock. A listing or delisting of a company's shares on an exchange, a favorable research recommendation by a brokerage firm, a pending tender offer, and the anticipated purchase of large blocks of company stock are all examples of market information. As indicated above, inside information must be both material and nonpublic. Let's look at each of these elements in turn.

II. Material

Information is considered material if there is a substantial likelihood that a reasonable investor would consider the information important in determining whether to invest. Even if the information by itself would not change the investor's investment decision, it is still material if an investor would consider the information important in altering the "total mix" of information about the company. Materiality may be more difficult to determine when an event is contingent or speculative in nature, as is often the case with a proposed tender offer, merger, or reorganization. The uncertainty makes it difficult to determine whether the information would significantly influence a reasonable person's investment decision. When the information is contingent or uncertain, a court would weigh the likelihood and magnitude of the contingent event against the totality of other available information regarding the company's activities. The more likely the event, and the greater its impact if it should happen, the more likely it is that a court would find the information to be material. Information that courts generally consider to be material includes things such as:
- the company's financial results,
- the company's plans to do a public offering of its stock,
- upcoming stock splits,
- upcoming dividend payments,
- a company's plans to repurchase its own stock,
- upcoming management changes, and
- bankruptcy.
Other information regarding the company's business, assets, or market for the company's securities may or may not be seen as material depending on:
- the size of the event to which the information pertains;
- the specificity of the information;
- the reliability of the source of the information; and
- whether the information pertains to anything unusual or innovative, such as news of a scientific breakthrough, or any other noteworthy occurrence or surprise.
Thus, the discovery of new oil reserves might or might not be material, depending on the size of the reserves and their impact on the company's business. Information that is merely routine in nature or not unique to the company is less likely to be seen as material. Examples might include:
- industry trends,
- product descriptions,
- supply sources,
- corporate structure, and
- financial and accounting policies.
However, it is important to bear in mind that almost any information may be viewed as material depending on its effect on the company and the value of its stock. For example, a change in accounting policies, even if industry-wide, could be material if it required the company to reduce its stated earnings. In determining materiality, courts frequently look to whether the insiders themselves viewed the information as important. The fact that the insiders acted on the information may itself suggest materiality.

Example 1: Insiders of a mining company learn that the company has discovered a rich mineral deposit, and they immediately buy company stock and stock options. Some of the insiders had never before invested in company shares. Because the information itself appeared to influence the insiders' decision, the information would likely be considered material.

Example 2: Prior to a public offering, certain insiders decide to purchase company stock, even though, at the time, the stock is depressed in price. The information concerning the upcoming public offering would likely be considered material information. In determining materiality, courts also examine the market's reaction to the information once it becomes public.

Example 3: Tom discovered that his company was about to announce a major breakthrough in the design of its most important product. He immediately bought several thousand shares of his company's stock. When Tom's company later announced the news, its stock price rose by 25% within a few hours. In determining whether Tom had "material" information when he bought the stock, the later increase in the stock price tends to show that the information was material. A market's reaction to information once it becomes public is an important factor in determining whether information is material. Here, the price increase tends to show that the information was material to investors' investment decisions. Other factors that courts consider in determining materiality are the source and specificity of the information.

Example 4: Neal Proffitt, an executive who has worked at Global Corp. for more than 20 years, tells a friend that Global Corp.'s earnings will be far below expectations this quarter. In determining whether the information is material, the fact that Neal is an executive with Global Corp. tends to show that the information he revealed is material.

III. Nonpublic
Nonpublic information is information that has not yet been disclosed to and absorbed by the investing public. Information is deemed public when it is generally known to the active investment community, even though the average investor may not be aware of it. The idea is that if a sufficient number of active investors are aware of the information, then the price of the security will accurately reflect the information's value. Information is considered to be nonpublic until it is released to the public through some recognized, widespread reporting medium, such as the Wall Street Journal or the Dow Jones News Service Broad Tape, and the public has had a sufficient opportunity to absorb it.

Example 5: A press release in Canada discloses the company's discovery of rich mineral deposits. This release is picked up by a specialty magazine that reaches a few New York investment firms. Before the information is reported by the American press, certain insiders buy stock in the company. The information would likely be considered nonpublic information, and the insiders would likely be considered to have violated the insider trading laws, because the information was not effectively disclosed to the investing public and only partially reached New York investment firms.

Example 6: The company's discovery of rich mineral deposits is disclosed in an American press release that goes out shortly after 10:00 a.m. An insider trades in the company's stock at 10:20 a.m. The information would still likely be considered nonpublic because the insider did not allow a reasonable waiting period for absorption by the investing public. How long a waiting period is required depends on the way in which the information is disclosed and whether the information is of a type that easily translates into investment action. Even after the information is disclosed in publications such as the Wall Street Journal, courts will sometimes look at subsequent fluctuations in the trading volume and market price to determine when the investing public has absorbed it.

WHEN IS INSIDER TRADING PROHIBITED?

Generally speaking, insider trading is prohibited in two circumstances. The first is where the person trading has -- or is deemed to have -- a relationship of trust and confidence with the company whose shares are being traded and, as a result, has access to inside information regarding the company. The second is where a noninsider wrongfully acquires inside information from a source other than the company that has been entrusted with confidential information about the company. In the first circumstance, insider trading is prohibited under what is known as the special relationship theory. In the second circumstance, insider trading is prohibited under what is known as the misappropriation theory. Both of these are discussed below. Under either theory, the person who has the inside information must refrain from trading until the information is disclosed to and absorbed by the public. This is known as the duty to "disclose or abstain." You should understand that the mere possession of the information is enough to prevent you from trading. As we'll see later, except in extremely limited circumstances, even if you planned to buy or sell a security before coming into possession of inside information, you cannot trade after receiving the information.

I. Special Relationship Theory


The special relationship theory is premised on the idea that certain people who are in a relationship of trust and confidence with the company have a fiduciary obligation to the company (and to those who buy and sell its securities) not to trade the company's securities while in possession of inside information. The types of individuals who are subject to this theory include not only insiders, but also temporary insiders and tippees.

A. Insiders
The following is a list of people who are likely to be deemed insiders because of their relationship of trust and confidence with a company:
- the company itself,
- directors,
- officers,
- other employees, and
- controlling shareholders (that is, shareholders who have substantial holdings in the company).
Employees at all levels are deemed to be insiders, and for these purposes, an independent contractor is treated as the equivalent of an employee (or a temporary insider, described below). One court has held that an independent contractor can be treated as an insider even though the contractor receives no compensation for his services.

Example 7: An independent contractor assists a company in finding a merger partner. The independent contractor attends the merger negotiations, advises the company's president on certain aspects of the merger, and helps arrange some of the meetings with the potential merger partner. Although the independent contractor receives no compensation from the company with respect to the transaction or otherwise, he nevertheless would likely be found to be an insider under the special relationship theory.

B. Temporary Insiders
Temporary insiders are people who are given confidential inside information about the company -- usually for a limited purpose. There are two general categories of temporary insiders -- those people who would be considered fiduciaries of the company and those people who are not traditionally considered fiduciaries but who may nevertheless be given confidential information about the company. Following is a list of the types of people who may be deemed temporary insiders. The list, though long, is not exhaustive, but it will give you some idea of the wide variety of people who may fall into this category:
- lawyers
- accountants
- engineers
- management consultants
- public relations consultants
- financial advisors
- financial printers
- testing laboratories
- lenders
- underwriters
- proposed merger partners
- customers
- suppliers
- financial analysts/consultants
- institutional investors
- press and wire services
- media personnel
- stock exchange employees
- employees of self-regulatory agencies (such as the Financial Industry Regulatory Authority, or FINRA)
As noted above, independent contractors may be characterized as employees (and therefore insiders) or as temporary insiders. In either event, the independent contractor must disclose or abstain from trading while in possession of inside information. The important point to remember is that any relationship of trust and confidence with the company may trigger the disclose-or-abstain obligations of the insider trading laws. In the case of both insiders and temporary insiders, once the relationship with the company is terminated, the insider status ceases. Those persons would, however, still be treated as insiders with respect to any inside information they learned during the course of their relationship of trust and confidence with the company. However, information that is learned independently about the company by these persons after their relationship with the company ceases likely would not be considered inside information unless the information was acquired through a tip.

C. A narrow exception
Under the insider trading laws, if you trade a security while in possession of inside information, the SEC views you as having traded based on that information. In other words, you are deemed to have used the information to trade merely by possessing it. This is so even if you decided to trade before learning about the information. A narrow exception to this general rule applies when certain binding contracts or plans are set up before receiving the inside information. First, you must demonstrate that before becoming aware of the information, you:
- entered into a binding contract to purchase or sell the security,
- provided instructions to another person to execute the trade for your account, or
- adopted a written plan for trading securities.
Second, you must demonstrate that, with respect to the trade, the contract, instructions, or plan:
- expressly specified the amount, price, and date;
- provided a written formula or algorithm, or computer program, for determining amounts, prices, and dates; or
- didn't permit you to exercise any subsequent influence over how, when, or whether to effect trades; you can't rely on this exception, however, if someone else exercises such influence while aware of the inside information.
Third, you must demonstrate that the trade that occurred was pursuant to the contract, instruction, or plan. If you alter or deviate from the contract, instruction, or plan, or enter into a corresponding or hedging transaction with respect to the securities, the trades do not comply with the exception.

Example 8: Richard is the CFO of Global Manufacturers, Inc. He instructs his broker to buy 1,000 shares of Global's stock on the first trading day of each month and at no other times. The arrangement is in writing and directs the broker to buy the shares without consulting Richard. In the last week of June, he learns that Global will announce on Tuesday, July 1, that it will be taken over by another company at a large premium over the stock price. Richard calls his broker and tells him to buy the shares on June 30 instead of July 1. Despite his earlier instructions to buy shares only on the first trading day of each month, Richard convinces his broker to buy the shares on June 30, and his broker does so. In this instance Richard was able to influence when the trade occurred and therefore cannot use his "plan" as a defense against later insider trading charges.

D. Tippees
For purposes of insider trading law, tippees are generally treated as insiders. A tippee is a third party not otherwise associated with a company who is tipped by an insider (here, also referred to as the tipper), thus receiving confidential inside information about the company in which he subsequently trades. Tipping is the term that is applied to the insider/tippers communication of inside information to the third party tippee. A family member or a friend of an insider generally will be subject to tippee liability if he trades on inside information. Under the special relationship theory, a tippee, like other insiders, may be precluded from trading under the "disclose or abstain" rule. However, the tippee is subject to this rule only if the insider/tipper has breached his fiduciary duty to the company by disclosing the information to the tippee, and the tippee knows or should know of the breach. Generally, a tippee should know there is a breach if a reasonable person would conclude that the insider/tipper has no legitimate reason for divulging that information to him. Courts will generally find that an insider/tipper breaches his fiduciary duty by tipping where he receives a personal benefit from the disclosure, including an indirect benefit such as the expectation of reciprocal tips, an enhancement in good will, or a good feeling when giving confidential information to a friend or relative. Example 9: Frank is a programmer for WizBang.com, a hot new music Internet company publicly traded over the counter. He has been developing a new web player which, if it works, will revolutionize the delivery of music over the web. Frank has been told confidentially that, in private executive conversations, Macrosoft, the giant in the industry, has committed to invest $100 million in WizBang if the product delivers as promised. Preliminary tests indicate the player is robust and works well with all browsers. 
Frank calls his father-in-law, Jack, fills him in on the latest developments at WizBang, and suggests that he quickly invest $50,000 in WizBang. Frank tells Jack that he would buy too if he could, and that if it works out as he expects, Jack can send Frank and his wife on the cruise they've talked about for years. The stock subsequently skyrockets (after the product is announced and Macrosoft invests), and Jack makes a killing. Is there an insider trading problem here? Jack is a classic tippee. He will, if discovered, have to disgorge his profits (discussed later in this handbook) and may be subject to additional penalties. A court would likely find a breach of a fiduciary duty on Frank's part in disclosing the tip, and knowledge on Jack's part of the breach. Jack would certainly know that his son-in-law was an insider in possession of confidential information that he had no right to disclose. Frank admitted that he was unable to trade on the information. Notwithstanding the possibility of a cruise, Frank certainly will have a warm feeling when his father-in-law "scores" on his "hot tip."

E. Selective disclosure
Public companies sometimes share information with securities analysts or certain large shareholders before making full disclosure of the information to the public. This most often occurs in the context of meetings or conference calls with industry analysts about a company's financial results and expectations. Occasionally in the past, those who were privy to the information beforehand were able to trade on that information before the information reached the general public. This practice, known as "selective disclosure," closely resembles tipping. Specific rules prohibit companies from making such selective disclosures unless the company immediately, or shortly thereafter, publicly discloses the information through a press release or some other means. Specifically, the rule requires that whenever a public company discloses inside information to securities analysts or certain investors (like large shareholders), the company must
- simultaneously publicly disclose the information if the selective disclosure is intentional, or
- promptly and publicly disclose the information (generally within 24 hours) if the selective disclosure is not intentional.
Failure to make public disclosure within the appropriate time frame is a violation of the reporting rules under the federal securities laws. Both the company and individuals responsible for the company's failure to comply can be held liable by the SEC for violating the rule.

Example 10: Ned is the CFO of Global Manufacturing, Inc. During his monthly conference call with Wall Street industry analysts, he inadvertently tells them that the company's quarterly profits will be greater than expected because it just landed a huge contract. Global must publicly disclose this information within 24 hours.

The selective disclosure rules are complex. You should consult with your company's law department if you have any questions about complying with them.

II. Misappropriation
The misappropriation theory may impose insider trading liability on noninsiders who owe no fiduciary obligations to the company or shareholders of the company by virtue of any special relationship of trust or confidence with the company, but rather are individuals who owe fiduciary obligations to the source of the confidential information regarding the company. These are people who would escape liability under the special relationship theory. A noninsider is liable under this theory if (1) the noninsider acquires inside information about the company from a source entrusted with that information (for example, a law firm representing the company in litigation), (2) the noninsider trades company securities before the information becomes public, and (3) the noninsider had a relationship of trust and confidence with the source and therefore a duty not to use the information for this purpose. The source's employees would normally have such a relationship.

Example 11: An employee of a financial printer hired by Company A handles documents announcing a takeover bid for Company B. Although Company B's name does not appear on the documents, the employee is able to deduce its identity from other information contained in the documents. Without disclosing his knowledge, the employee buys stock in Company B and sells the shares at a profit shortly after the tender offer is announced. In a leading case involving this fact pattern, a federal appellate court held that the employee had defrauded his employer (the printer) by misappropriating material nonpublic information regarding the issuer (Company B). In reaching this conclusion, the court found that the employee had damaged one of his employer's most valuable assets -- its reputation as a safe repository for client secrets. Accordingly, the employee was liable for insider trading under the misappropriation theory.

This relationship of trust and confidence doesn't exist just in the business setting -- personal relationships are also covered. Certain relationships are presumed to be relationships of trust and confidence. These include
- whenever a person agrees to keep information in confidence;
- when two people have a history, pattern, or practice of sharing confidences, and the recipient knows or reasonably should know that the other person expects the information to remain confidential; or
- when the information is provided to a spouse, parent, child, or sibling.

Example 12: Jan works in the accounting department of Worldwide Pharmaceuticals, Inc. While helping to prepare the company's quarterly financial report, she learns that earnings will be substantially higher than expected. That evening, Jan tells her husband Bill the good news, noting that the company stock she has in her retirement plan will probably go up as a result. The next day, without telling Jan and while the information is still nonpublic, Bill buys 1,000 shares of the company's stock through a local brokerage firm. Bill has most likely violated the insider trading laws under the misappropriation theory. Other relationships may also be considered relationships of trust and confidence, depending on the circumstances.

INSIDER TRADING IN THE TENDER OFFER CONTEXT


I. Rule 14e-3
In addition to the general insider trading principles described above, the SEC's Rule 14e-3 regulates insider trading in the context of a tender offer. This Rule contains two separate prohibitions -- a prohibition on trading and a prohibition on tipping.

II. Trading Prohibition
Rule 14e-3 is triggered when a tender offer has commenced or the acquiring company has taken a substantial step to commence the tender offer. Once this happens, the Rule prohibits trading by any person who
- is in possession of inside information relating to the tender offer;
- knows or has reason to know that the information is nonpublic; and
- knows or has reason to know that the information was acquired directly or indirectly from either the acquiring or the target company, or from any officer, director, partner, employee, or any other person acting on behalf of either the acquiring or target company.
Anyone who has inside information regarding a tender offer and knows or has reason to know that it is nonpublic and that it was acquired from certain people is subject to the Rule's trading prohibitions. This means that the person may not trade in the securities of either company involved in the tender offer unless the inside information regarding the tender offer is first disclosed to and absorbed by the public. Rule 14e-3 casts a broader net of liability than the special relationship theory. It covers any person who receives inside information regarding a tender offer in the circumstances described above, and is not limited to those who would be considered insiders of the acquiring or target company.

III. Anti-Tipping Provisions
Rule 14e-3 also prohibits certain people from communicating inside information regarding a tender offer to others, when such communication will likely result in a violation of the Rule. The people subject to this prohibition typically include
- the acquiring company;
- the target company;
- any officer, director, partner, employee, or any other person acting on behalf of the acquiring or target company; and
- any other person acting on behalf of the foregoing.
Any person who would be prohibited from trading on the information is also prohibited from communicating it to others. You should note that the anti-tipping provisions do not apply to good faith communication of inside information to other parties involved in the planning and execution of the tender offer.

IV. Exceptions To Rule 14e-3
The Rule's trading prohibitions are subject to some exceptions -- for example, the purchase of the target company's shares by or on behalf of the offering company, and the sale by any person of the target company's shares to the offering company. In addition, entities may be exempt from liability if
- the entity has implemented policies and procedures reasonably designed to ensure that its employees would not violate Rule 14e-3, and
- the entity can demonstrate that the individual making the investment decision on its behalf was not aware of the material, nonpublic information.

REMEDIES FOR INSIDER TRADING


A broad array of remedies is available against anyone who violates the insider trading laws by trading while in possession of inside information. These remedies include enforcement by the Securities and Exchange Commission (SEC), federal criminal enforcement, state civil and criminal enforcement, enforcement by self-regulatory organizations, and private actions brought by individuals. Many of these remedies have been strengthened or otherwise expanded with the passage of The Insider Trading and Securities Fraud Enforcement Act of 1988 and the Sarbanes-Oxley Act of 2002.

I. SEC Enforcement
The SEC has a broad arsenal of enforcement powers that it may use against inside traders and tippees. The SEC may use its own administrative remedies or bring an enforcement action against the violator in federal court.

A. Administrative remedies
In an administrative proceeding, the SEC can impose monetary penalties or require the violator to surrender, or "disgorge," any profits gained or losses avoided as a result of insider trading. The SEC may also issue a cease and desist order, which requires the violator to comply with certain provisions of the federal securities laws or SEC rules. The SEC may also pursue disciplinary proceedings against any regulated entity or individual involved in insider trading, including a broker-dealer, investment adviser, investment company, and any person associated with such entity or individual. These disciplinary proceedings may result in revocation, suspension or denial of registration, censure, or other prohibitions. In addition, the SEC may suspend, limit, or bar any person from practicing before the SEC, if such person is found to lack character or integrity, has engaged in unethical or improper professional conduct, or has violated any provision of the federal securities laws or regulations, including insider trading laws.

B. Federal court actions
In addition to its administrative remedies, the SEC may bring an enforcement action in federal court seeking to enjoin further insider trading and to recover any profits gained, or losses avoided, through prior unlawful trades. The SEC may also recover a penalty of up to three times such profits or avoided losses. The amount of the penalty in each case depends on the frequency and seriousness of the violation and the degree of willfulness involved. The SEC may also seek to bar an individual from serving as an officer or director of a publicly-held company by showing a substantial lack of fitness to serve in such capacity. The ban may be conditional or unconditional, and may also be temporary or permanent.

II. Federal Criminal Prosecution
Federal law generally makes willful violations of the securities laws a crime. To convict for insider trading, the prosecutor must show, among other things, that the defendant realized that he or she was committing a wrongful act that involved a significant risk of violating the insider trading laws and used some "instrumentality of interstate commerce" (such as a telephone, the mail or wire services, or the facilities of a national securities exchange) to engage in insider trading or tipping.

III. State Civil And Criminal Enforcement
States may pursue insider trading violations under state securities laws and criminal statutes. Depending on the jurisdiction, state civil remedies may include injunctions; cease and desist orders; and revocation of broker-dealer, investment adviser, and other licenses.

IV. Self-Regulatory Organization Enforcement
Self-regulatory organizations (SROs), such as the New York Stock Exchange and FINRA, must require their members to comply with federal securities laws. SROs may fine, censure, suspend, or expel errant members, among other remedies.

V. Private Suits
Individuals can bring private lawsuits against those who violate the insider trading laws. Remedies include cancellation of the plaintiff's trade or recovery of any damage incurred by the plaintiff as a result of the transaction. And as discussed below, the law expressly allows "contemporaneous traders" to sue for violations of the insider trading laws.

VI. The Insider Trading And Securities Fraud Enforcement Act Of 1988
In 1988, Congress enacted the Insider Trading and Securities Fraud Enforcement Act (ITSFEA) to enhance the detection and punishment of unlawful insider trading. Following is a brief summary of some of the more important features of the Act.

A. Expanded civil penalties
ITSFEA broadened the SEC's authority to seek civil penalties for insider trading by making "control persons" liable for such penalties in some circumstances. The penalties now cover not only the inside trader, but also any person who had the power to influence or control the direction, management, policies, or activities of the trader. These penalties -- assessed against the employer or other controlling person -- can be up to three times the amount of the profit made or loss avoided by the insider, or $1,425,000, whichever is greater. These amounts are subject to periodic adjustment. In order for liability to attach, the control person must
- know or recklessly disregard the fact that the insider was likely to violate the insider trading laws and fail to take appropriate steps to prevent such violation, or
- in the case of a broker-dealer or investment advisory firm, knowingly or recklessly fail to implement and enforce certain procedures to prevent such violations.

B. Increased criminal penalties
ITSFEA (and later, the Sarbanes-Oxley Act of 2002) also increased the criminal fines and the maximum prison terms for unlawful insider trading. The criminal fine is up to $5 million for violations committed by individuals and up to $25 million for violations committed by entities. The maximum prison term is 20 years. In addition, states may impose their own penalties for insider trading, which could exceed federal penalties.

C. Private right of action for contemporaneous traders
Under ITSFEA, any person who trades in a security while in possession of inside information is liable to any other person who contemporaneously trades in securities of the same class on the opposite side of the transaction -- for example, an investor buys shares of ABC common stock at the same time the insider sells shares of the same stock. Although courts had recognized such liability before ITSFEA, the statute made it explicit. A defendants total liability for contemporaneous trading is limited to the profit gained or loss avoided by the defendant as a result of the insider trade. Tippers are liable for all profits gained and losses avoided as a result of trades by their tippees.

D. Increased supervision of broker-dealer and investment adviser employees
ITSFEA also requires broker-dealers and investment advisers to supervise their employees more closely. Specifically, they must establish, maintain, and enforce written policies designed to prevent the misuse of inside information by their employees. Such policies are subject to review by the SEC.

E. Payment of bounties to informants
ITSFEA authorizes the SEC to award "bounties" to individuals who provide information regarding insider trading violations. The SEC may pay informants up to ten percent of any civil penalty obtained as a result of the information.

GLOBAL COMPETITION
INTRODUCTION
This handbook discusses the general principles that are common to the major systems of competition law throughout the world. Competition law is linked very closely to economic theory, and because such principles are universal, many of the laws are similar. This handbook explains how some agreements among competitors are almost always considered illegal, no matter how well-intentioned the agreements and regardless of their effect on the market. Other agreements aren't always illegal--their legality depends on whether the restrictions are outweighed by positive aspects. The main areas that will be addressed are as follows:
- Restrictive agreements
- Illegal unilateral behavior
- Powers of the regulators
- International cooperation between regulators
- Consequences for violations of competition law
- Guidelines to aid compliance

This handbook provides a general overview of competition law. It doesn't provide legal advice or guidance regarding how you should act in a particular situation that involves competition or antitrust law. These laws are complex and subject to subtleties that a brief treatment of this kind cannot completely cover. Always consult your internal management or company lawyer about any questions or concerns you may have about competition law.

WHAT IS COMPETITION LAW?


Competition law is the framework that protects and encourages free competition among companies and businesses in the marketplace. By regulating their behavior, competition laws seek to ensure that companies' competitive instincts are undiminished while also ensuring that they conduct themselves in an acceptable manner that doesn't restrict trade or commerce. Competition is a basic mechanism of the market economy, and in freely competitive markets, companies will generally do all they can to attract new customers and retain existing ones. This is most commonly achieved by keeping prices as low as is economically possible and by continually trying to produce goods that are more desirable and of better quality. Markets that are freely competitive therefore offer benefits for both consumers and the competing companies themselves. Customers and consumers reap the advantages of being able to choose between products of differing price and quality, while companies can rest assured that their rivals aren't using underhanded tactics to drive them out of business. In short, competition law instills a standard of fairness in the market, rewarding success, protecting all involved from anticompetitive behavior, and forcing companies to find ways of turning out the best products in the most efficient way.

DO MOST COUNTRIES HAVE COMPETITION LAWS?

At present, around 80 countries have competition laws. The most well-known systems of competition laws are those of the United States, the European Union, Japan, and Canada. Many other countries, such as Australia, New Zealand, Brazil, Chile, Peru, Korea, Thailand, the Philippines, South Africa, Zambia, and Tunisia, also have competition laws. The extent of the applicable rules can vary considerably, and, generally, countries with the most developed free market economies tend to have the most advanced systems. In some cases, such as in the United States, the country has federal antitrust laws (as competition laws are known there), and then each state has its own antitrust laws as well. Similarly, member states of the EU have national competition rules, and they apply European competition law when the behavior affects trade between the EU member states. The EU consists of the following 27 member states: Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. It should also be emphasized that the jurisdiction of competition laws is generally very much effects-based. This means that, in general, the competition authorities in the country in question will assume jurisdiction over any company whose behavior leads to anticompetitive effects in that country, no matter where they're based or where they made the decision to follow a particular course of action. Companies based in the EU or the United States shouldn't assume that they can avoid competition law by holding their meetings outside the EU in, for example, Geneva, Switzerland, to form anticompetitive agreements within the EU or the United States. Regardless of where they meet, they're likely to come within the scope of the competition law of the countries affected. 
Example 1: The sales director of Americon meets the sales director of his competitor Europawn at a trade fair in Geneva. For years, Americon has been trying to break into Europawn's market in the EU, and, likewise, Europawn has been competing fiercely for Americon's market in the United States. Because they're the main providers for their particular product, this situation has forced both companies to reduce prices to compete with each other. The two sales directors decide to call a truce and to not compete in each other's territories so that they can both raise prices without fear of competition. This is an anticompetitive agreement. Although the agreement was concluded in Switzerland, a country that isn't in the EU or in the United States, because the agreement is likely to have an effect on competition in both of those jurisdictions, both U.S. and European competition law and penalties are likely to apply.

WHO REGULATES COMPETITION LAWS?


Generally, competition laws in a country are enforced by a regulator or regulators that have been charged with the specific purpose of carrying out the tasks of the competition laws in question. For example, in the United States, the Department of Justice's Antitrust Division and the Federal Trade Commission enforce antitrust policy on a federal level. In Japan, the Japanese Fair Trade Commission is responsible for the enforcement of Japanese competition law (the Antimonopoly Act). In the EU, the competition laws can be found in the provisions of the Treaty establishing the European Community (EC Treaty). Although previously only the European Commission had the power to enforce all parts of the EU competition laws, as of May 1, 2004, national competition authorities in each EU member state also have the power to enforce them. The European Commission and the national competition authorities will decide whether the commission or a particular national competition authority is "best placed" to deal with a case. Always subject to there being an effect on trade between EU member states, under the new system of laws, national competition authorities, rather than the European Commission, are likely to be left in charge of investigating cases where a violation takes place in three or fewer EU member states. However, the European Commission reserves the right to deal with a case affecting EU competition law regardless of the number of EU member states concerned (particularly if the case is especially important or serious). That said, the commission is more likely to deal with cases if a violation concerns at least four EU member states--although the national competition authorities in the countries concerned may assist them in their investigation. The regulators and the powers that they have to enforce competition rules are discussed later in this handbook.

Example 2: Massive Motors, a large multinational car manufacturer, enters into agreements in France, Germany, Sweden, and Spain that prevent its distributors from selling outside their own countries (where cars are cheaper) to countries where cars are more expensive, such as the United Kingdom and Ireland. Following a tip-off, the European Commission launches an investigation into its conduct and eventually fines the company. The European Commission, rather than the national competition authorities in each of the countries concerned, would assume jurisdiction, because the anticompetitive conduct involved distributors in four member states and affected trade between a number of EU member states.

Example 3: The 10 companies that produce raw material for paint agree to simultaneously raise their prices to customers in the United Kingdom. It's likely that in this case the U.K. competition authority would investigate the anticompetitive agreement because it affects only the U.K. market.
Example 4: Megacorp is by far the largest software company in the United States. It decides to eliminate its weaker competitors throughout the country, and in particular those in California and Texas, by offering its software at severely reduced rates to computer manufacturers throughout the country for a short period of time. Once these competitors have been eliminated, Megacorp intends to raise prices again. This is anticompetitive conduct. Because the agreements affect trade throughout the United States, federal law applies, and the matter will be dealt with by the Department of Justice together with the Federal Trade Commission. In addition, the antitrust regulators in individual states, such as California and Texas, may decide to take parallel action against Megacorp. Apart from the regulators, courts also play a significant role in enforcing competition law. This is especially the case in the United States, where it isn't unusual for consumers as well as companies harmed by anticompetitive conduct to bring private damage lawsuits based on competition law arguments. Due to the system changes in the EU as of May 1, 2004, this is likely to also become the trend there.

WHY IS COMPETITION LAW RELEVANT TO MY BUSINESS?


The importance that governments attach to preventing restrictions to competition is reflected in the level of penalties that may be administered to those that violate the rules.

Infractions of competition laws may lead, in most major jurisdictions, to fines substantial enough to cause serious harm to companies, damage to reputations, civil suits, and voiding of contracts, and in some countries may even lead to imprisonment. It's therefore not just the business that may suffer, but the individuals involved in the decision making and execution of policies. So it's in the interest of companies and their employees alike to be aware of the competition rules in the jurisdictions in which they're operating.

RESTRICTIVE AGREEMENTS
I. Illegal vs. Legal Agreements


The aim of competition law is to ensure that each company doing business decides independently how, when, and where to carry out its business in any given market--for example, by deciding independently what prices to charge. At the heart of all competition legislation is the concept of harm to competition. For example, in the United States, the Sherman Act prohibits "every contract, combination...or conspiracy, in restraint of trade or commerce." The equivalent legislation in the EU, Article 81 of the EC Treaty, prohibits agreements that "have, as their object or effect, the prevention, restriction or distortion of competition." In addition to provisions that set out prohibitions, some competition systems also include exemptions that seek to strike a balance between the harm an agreement may cause and the benefits that it gives rise to. For example, agreements that result in an overall benefit to the consumer or efficiency gains may be allowed to stand when this effect is proven. In assessing the harm to competition, the authorities will always try to look at the agreement within the context of the whole market and take into account all those factors present that might enable companies to influence the markets in any way. In this regard, competition authorities place particular importance on the proportion of sales a given company achieves in a given year seen in relation to the overall market for a particular product type (the "market share"). For example, a soft drink company's sales may account for 30% of the total lemonade market. By comparing different companies' market shares, competition authorities can obtain an indication of how the market is structured and which companies are strong in a particular market. Market shares will be considered in more detail in relation to unilateral behavior, but they're also of relevance to agreements, because clearly an agreement between two very small companies won't usually lead to effects on the rest of the market. 
An example of this can be found in EU law, where the European Commission has established thresholds related to combined market shares, under which there's a presumption that there will be no appreciable restriction on competition. Put simply, companies need to have some degree of market power for their conduct or agreements to have harmful effects on competition. A caveat to this general rule is that in some circumstances, such as price-fixing and market sharing, behavior is deemed so harmful to competition that the market shares of the parties are irrelevant in assessing whether a violation of competition law has occurred. In other words, where "hardcore" violations are concerned, authorities rule that the law has been violated on the basis of the nature of the conduct rather than its actual effect on the market.

Example 5: Two small Belgian manufacturers of chocolates enter into an agreement to produce their chocolates together. They create a production joint venture and invest in more modern production equipment. Each has a market share in Belgium of 2% to 3%, with limited sales in the Netherlands and France. They agree not to compete with each other for the duration of the agreement. Given their small size and market share, the agreement is unlikely to violate either EU competition law or national competition law, even though the noncompete portion is technically a restriction of competition.

II. How Is an Illegal Agreement Formed?


Companies can violate competition laws without making a written agreement. All they have to do is reach a mutual understanding or consensus that they will coordinate their commercial activities. Competition laws cover such situations to make it harder for companies to circumvent them. For coordination to exist, it's sufficient that at least one company agrees to behave a certain way in a given market and that, as a result of contacts between the parties, uncertainty as to their competitive conduct in the market is reduced. For example, if a company knows in advance that its competitors will raise prices at a given time by a given percentage, that reduces the normal commercial uncertainty about its competitors' future actions in the market. In some cases, such coordination can, for instance, be inferred from an ongoing commercial relationship between the parties, without any formal arrangement between them. A written or otherwise explicit agreement isn't necessary to prove the existence of an agreement. There's no need for a secret handshake or even a knowing wink. Understandings may be unspoken and often don't require verbal communication. It isn't even required that coordination is in the interest of all parties, nor does it matter if one party was coerced into going along with the other's demands. If the facts indicate that it was highly unlikely the parties were acting independently, a competition authority might conclude that an unlawful agreement exists, and it could start an investigation. During their investigation, authorities may look to see whether the parties have had opportunities to meet, such as through trade associations, or whether there have been exchanges of email or other correspondence. More indirectly, authorities may try to determine whether parties systematically aligned prices or increased their prices within a short timeframe of each other, or by a similar degree (for example, each company increases its prices by 5% within a week). 
On the other hand, unilateral decisions by one company are unlikely to amount to anticompetitive agreements, because there's no meeting of minds, even if such decisions have an impact on other companies. For example, parallel behavior, whereby one company independently sets a given price level and its competitors simply follow this "price leader," doesn't necessarily violate competition law, unless other circumstances indicate that some sort of understanding has been reached. You need to keep in mind, however, that unilateral decisions may be anticompetitive if the company has a large degree of market power, as will be discussed below.

It's usually illegal for companies to group together to boycott another company--for example, by refusing to sell to a specific dealer that has imported goods from outside the country or state. Such boycotts are illegal because they restrict competition within that particular country or state. However, this must be distinguished from situations that arise when individual companies have legitimate reasons for collectively refusing to deal with a particular customer, such as safety concerns or creditworthiness, or when a professional body refuses entrance to inadequately trained people to practice in that profession.

If at some point you're faced with a situation where a competitor suggests that you should participate in an illegal agreement, you must clearly and adamantly reject the offer and make sure others who are present know that you're rejecting it. If possible, have your rejection recorded in writing--for example, in the minutes of the meeting. Also, go to your company's law department or senior management, or both, and tell them about the offer. Keeping the offer secret may get your company into trouble, even if you rejected the offer and didn't do anything wrong. The common thread that all authorities look for is the element of coordination, however it's manifested. As one U.S. judge said, "A knowing wink can mean more than words."

Example 6: Three companies operate a ferry service from Italy to the island of Sardinia. Prices and ferry timetables are available through the Internet. The prices of all three rise simultaneously the week before the high season. In addition, the timetables of all three operators change so that no ferry service is competing with any other ferry service. The combination of the price increase and the change of the timetables so that the operators aren't competing with each other--and with only three in operation--suggests that the three ferry operators have entered into an anticompetitive agreement. There would be strong grounds for presuming that the three ferry companies agreed on a price increase and agreed to eliminate competition against each other. The Italian Competition Authority may therefore decide to investigate the matter.

Example 7: Following a series of meetings between high-level directors, five pump manufacturers adopt one standard for building a component part of their competing products. Shortly afterwards, they all raise their wholesale prices simultaneously by 10%. It's unlikely that five companies would adopt a standard and raise prices simultaneously without an agreement. Therefore, even if there's no proof of an actual meeting or discussion, the price increase might be considered the result of an illegal agreement and might bring about an investigation.

Example 8: Three producers of popular computer games in Japan raise the prices of their games to exactly the same price on the same day. The games are exported to the EU, Australia, and the United States and make up a significant percentage of all computer games sold in these territories. There's no explicit evidence of price collusion. However, the fact that all three game manufacturers raised prices simultaneously, and in the same fashion, may indicate that there was collusion and that an illegal agreement took place. The Japanese competition authorities may decide to commence an investigation. In addition, because the games are exported to the EU, the United States, and Australia, the authorities in all these jurisdictions may decide to take action if there's an effect in their jurisdictions (for example, higher prices for retailers).

Example 9: Soshoes, a popular sports shoe company in the United States, sends a leaflet to its subsidiaries in the EU and Australia instructing them to raise the prices of their shoes to retailers by 30%. The subsidiaries carry out this order. Even though this decision affects the purchasers, there's no anticompetitive agreement, because decisions that only involve those within a company don't violate competition law. Also, because the company isn't dominant in the market, it couldn't be said to be abusing its strong market position.

Example 10: A manufacturer of photo equipment, Click AB, normally communicates with its distributors by way of circular letters. Click AB decides on its own to send a circular letter to all of its U.K. distributors, requiring them not to export digital cameras to France. Some distributors are against the export ban, because it will hurt their business. But, nevertheless, they comply with Click AB's request, because they're afraid of losing their distributorship position. Although Click AB could be argued to have ordered the export ban unilaterally, by agreeing not to export the cameras to France, the distributors have entered into an agreement that may violate Article 81 of the EC Treaty. It doesn't matter whether--on a commercial level--the distributors agreed with the export prohibition or not.

EXAMPLES OF ILLEGAL BEHAVIOR

I. Price-Fixing
Price-fixing may take many forms, but the key element is that the supplier attempts to directly or indirectly suppress price competition. Whether the price-fixing takes place between competitors on the same level of the supply chain or involves parties on different levels of the supply chain, such as a supplier and a distributor, it is prohibited. It's almost always illegal for competitors to reach agreements on what prices they charge. Authorities deal with perpetrators harshly and may impose fines. Some jurisdictions, such as the United States, Japan, and the United Kingdom, impose criminal sanctions. For example, in the United States, most criminal prosecutions for antitrust violations involve price-fixing in one form or the other. Even where the market shares of the parties aren't very high, the chances of the parties being given an exemption are extremely slim. Indeed, in the United States, one of the tools for interpreting the Sherman Act is the per se rule. Under this rule, certain restraints of trade are seen to be so unlawful that little inquiry into the actual effects is necessary. The principle here is that some practices are so unlikely to be found to be reasonable that they are presumed to be anticompetitive from the outset, and any investigation would be a waste of time and money.

The most obvious example of price-fixing is when the parties agree on a minimum price to be charged at the next level on the supply chain. Called resale price maintenance, this practice has been subject to many investigations by authorities in the EU, the United States, and elsewhere. However, this should be qualified by emphasizing that the setting of recommended or even maximum resale prices is acceptable, as long as the supplier doesn't seek to enforce such levels and the distributor is free to set price levels according to its own pricing principles. And in some countries, including the United States, minimum resale price maintenance may be legal if it benefits consumers more than it harms them. Obviously, there are many other ways in which prices may be set indirectly. For this reason, agreements to consult on each other's price lists or the exchange of detailed information on production costs is classed as price-fixing. Similarly, any agreement as to the terms of sale that impacts the price is also illegal. Examples of this may include agreements not to discount from list prices or not to offer discounts over a maximum figure. Offering the same credit or delivery terms or agreeing to maintain price gaps between varying types of goods may also be considered violations. Indeed, there are many ways of setting prices, but what they all have in common is that the behavior reduces the uncertainty that a company would usually have in respect to its competitors' actions, and therefore has an impact on the price that the consumer pays for the good.

Trade association activities are worth mentioning at this point. Because they often collect industry-wide statistics for discussions, it may be difficult to draw a line between what's legal and what isn't. Trade associations group together industry participants and act as an important outlet for matters of common industry concern, such as advertising rules, upcoming legislation affecting a given industry, environmental issues, and other issues. Such discussions are normally legal. However, the authorities are particularly alert to the activities of such organizations and have often in the past found trade associations to be a forum for anticompetitive discussions. Competition authorities therefore pay close attention to them and may act when there's evidence of the disclosure of sensitive information about businesses, or when the meetings become a forum for discussing prices or other anticompetitive issues. When participating in meetings for these associations, companies should therefore be extremely alert to what's being discussed and not involve themselves in any anticompetitive issues. As a matter of practice, trade associations should also have a strict competition and antitrust policy in force.

Example 11: A large supplier of television sets supplies the main retail outlets in the United Kingdom. Every month, it sends its recommended retail prices to these outlets. It discovers that one outlet consistently undercuts the others by failing to adhere to the recommended retail price. The supplier contacts the outlet and states that it will raise its prices to the outlet unless the recommended retail prices are respected. This is contrary to competition law, because although the supplier is setting recommended prices, in practice, it's fixing the prices.

Example 12: A Japanese trade association of DVD player manufacturers meets for its annual meeting in Tokyo. The trade association is going to discuss the latest proposed environmental regulations on making DVD machines more disposable and whether two other Japanese companies should be brought into the trade association. At the meeting, they agree on a strategy to deal with the proposed environmental legislation. They also agree to allocate customers among themselves. Furthermore, one week following the meeting, the trade association issues a memorandum to all members stating that they ought to increase prices by 20%.

Japan's Antimonopoly Act strictly regulates the conduct of trade associations. The meeting itself between competitors under the trade association wouldn't be illegal under Japanese antimonopoly rules, and the decision to agree on a strategy for the proposed environmental legislation would be a legitimate activity. However, the decision to allocate customers among themselves is illegal. The memorandum by the trade association instructing its members to increase prices would likely cause the trade association to be considered a cartel and would be illegal.

Example 13: The heads of marketing from five leading fast food companies meet, after a conference on healthier foods, in a bar at the conference hotel in Las Vegas. Though they are mostly happy about their current margins on the sale of fast food, they nonetheless agree to raise prices by 5% every quarter for a year. Although one of the marketing people is only able to convince his boss to raise prices by 3%, and another only by 1%, the remaining competitors raise prices for sale in the United States as agreed. The agreement constitutes a blatant price-fixing agreement, even though it isn't implemented exactly as agreed.

II. Market Sharing
When competitors agree to divide up certain potential or existing customers or create geographical areas where they won't compete against each other, this is called market sharing. Any agreement that would limit one competitor's attempts to make sales in the other's territory is likely to violate competition law. It should be noted that in the EU, market sharing is considered particularly serious, because it isolates geographic markets and prevents the integration of EU countries towards a single market (one of the primary goals of the EU). Such violations aren't granted any exemption under EU competition rules. Because territorial divisions among competitors acting at the same level in the supply chain have the potential to eliminate all competition among them, agreements allocating customers or territories among competitors are automatically treated as being unreasonable in the United States. U.S. courts have found that such agreements are anticompetitive, regardless of whether the parties split a market within which both do business or whether they merely reserve one market for one or the other. This approach is followed in the EU where, in general, such restrictions are considered "hardcore" and not eligible for exemption. However, most agreements between a supplier and its distributor are no longer automatically characterized as unreasonable in the United States. U.S. courts apply a "rule of reason" approach, whereby they consider whether a supplier's interest in inducing distributors to invest in promotional activities for the supplier's product, aggressive marketing, and quality control mitigates any restrictive effects. Restriction of competition among one supplier's distributors is considered in light of the restriction's potential procompetitive effect among all suppliers in the market. 
In the EU, competition rules also regulate the manner in which a supplier may grant an exclusive territory to its distributors, and as long as the supplier doesn't have a market share in excess of 30% and doesn't prevent "passive" sales (that is, restricting distributors from meeting unsolicited orders from customers outside of the territory), the supplier is allowed to grant its distributors an exclusive territory. Above the 30% market share threshold, the restriction is subject to an individual assessment of whether it can qualify for an exemption.

Example 14: Pharmaz NV, a Dutch producer of a popular brand of painkillers, and not a dominant player in the market, is worried about huge gray market imports from low-priced Spain to the high-priced United Kingdom. Pharmaz has been tracking sales between these two countries for some time and decides to do something about the gray market imports. It sends out a circular to its Spanish distributors, stating that if they continue to supply outside their national markets, they will no longer receive supplies from Pharmaz. Although they're unhappy with the terms, the Spanish distributors agree to go along with the restriction and not to source the product from alternative sources because they don't want to lose business from Pharmaz. There's an agreement between Pharmaz and its distributors to prevent competition within the EU, so, therefore, EU competition law applies. The agreement amounts to market partitioning. Even though the distributors are unhappy with the situation, the fact that they acquiesced and followed the terms set out means that they are parties to the anticompetitive conduct.

Example 15: The two leading Japanese manufacturers of microchips meet the directors of the three leading U.S. manufacturers of microchips. The Japanese companies agree not to export to the United States, and in exchange the U.S. companies agree not to export to Japan. This is an anticompetitive international cartel that divides the United States and Japan between cartel members. However, does it actually affect competition within those territories? Japanese competition law prohibits agreements between Japan and foreign countries if such agreements restrain competition within the Japanese market. This case would be a violation of the Japanese Antimonopoly law because it would reduce competition within Japan. The international cartel would also fall under U.S. antitrust law if it was deemed to restrain competition within the United States.

Example 16: Five companies in the United States producing sports wear exchange their customer lists. There's a great deal of overlap. They agree that each producer can identify its top three customers and that no other competitor will sell to those three customers. This conduct allocates customers, and it violates competition law by reducing the competition for the companies' largest customers.

Example 17: Ryson sells vacuum cleaners and has a market share of 15% in the vacuum cleaner market in the EU. It appoints an exclusive distributor in France and Germany and reserves the United Kingdom for itself. After three years, some retailers located in the French distributor's territory decide to purchase the vacuum cleaners from the German distributor because they're much cheaper over there. On Ryson's instructions, the German distributor refuses to sell vacuum cleaners to any French retailers, telling them that they can only buy the vacuum cleaners from the French distributor. This is illegal under EU competition law because customers cannot be prevented at any point from buying the goods on their own initiative from another distributor outside of that territory.

III. Bid Rigging
Also known as collusive tendering, this practice occurs when companies agree to collaborate over their response to invitations to tender bids. They can therefore determine the outcome of the process, completely negating the competitive element of the offer process and, in so doing, predetermining the price of the contract. Companies involved in this sort of action usually take turns to "win" a tender process. Governments or large companies usually initiate tender processes. Each has responsibilities to the public or shareholders to get the best value for its money. For this reason, a bid rigging agreement is clearly to the detriment of the party inviting the bids, who's plainly not benefiting from the competitive process that an invitation to tender should entail. In addition, there may be considerable disadvantages to other companies within the market who aren't party to the agreement and who have very little chance of winning a bid in the face of collusion.

Example 18: The Irish government decides to upgrade its computer system in hospitals throughout Ireland. It opens up tenders to companies to make bids through the various national health boards. Due to the specialist nature of the tender, there are only four potential companies that could fulfill the criteria. At a meeting, the four competitors decide that Healthcom will submit the successful bid to the Southern Irish Health Board. Datacom will submit a tender that's too high, Healthcheck will offer a bid under terms that would be totally unacceptable to the health board, and Nursecom will withdraw its bid. The companies agree to carry out similar tactics regarding the tenders from the Eastern, Western, and Northern Irish Health Boards so that each of them has one of the winning bids. Without this agreement, there would have been competition on the market for the bids, and the health boards would have gotten a more competitive price. This is an illegal bid rigging agreement. The Irish Competition Authority could launch an investigation and impose fines, and the perpetrators could face criminal sanctions including time in prison.

IV. Output Restrictions
This practice leads to an increase in prices without any actual agreement on the prices themselves, because it involves an agreement to simply lower production volumes. The basic principles of supply and demand would lead to an excessive demand and a rise in prices, thereby manipulating the market. Such an undertaking would be especially effective when most or all of the producers in a market were involved in it, because in that case competitive behavior would cease completely.

Example 19: The most important worldwide producers of vitamins for cat food are worried about serious overcapacity in the industry, which squeezes their margins. In fact, most producers are selling cat food vitamin products at a loss. The CEOs of these companies therefore meet at a luxury golf resort just outside Tokyo to try to solve their common problem. Instead of agreeing on specific quotas, which they believe will be very hard to monitor and therefore enforce, they orally agree to shut down a number of production plants across Europe, the United States, and Japan over a period of two years. They furthermore agree to immediately reduce their production time by three hours a day and to refrain from investing in additional production capacity. The shutdown of production plants and the increase of machine downtime have a direct impact on how many vitamins can be produced and thus acts as an output restriction. The agreement, even though oral, restricts competition between the parties. Because the agreement restricts competition in the EU, Japan, and the United States, it will give rise to possible action from the regulators in these territories.

V. Information Sharing
A distinction must be drawn between legitimate sharing of information and information sharing that's anticompetitive. Legitimate sharing may lead to improvements in competition, because all parties involved are able to spot patterns in trade and take more successful courses of action. An example of this can be seen in trade associations. The important thing to bear in mind is that information that's sensitive from a business perspective shouldn't be exchanged, because it will have an impact on the future commercial behavior of the companies concerned and allow companies to make decisions that reflect those of their competitors.

Example 20: A waste paper trade organization collects data on all sales of waste paper in the EU and information on production costs. It also contacts waste paper customers and obtains estimates of the expected level of demand for the next five years. By way of an independent accountant, it compiles statistics showing the overall sales of waste paper in the EU, broken down by type of waste paper. The information doesn't identify any manufacturer individually and it's always backdated at least one year. Furthermore, the trade organization calculates the average overhead costs and provides its own estimate of future demand. It posts the information on the publicly available part of its Internet website. The information exchange is unlikely to violate Article 81 of the EC Treaty, because it's kept to general statistical information and general forecasts, which may serve to provide better planning for its members. The fact that everybody--not only its members--has access to the information is also a positive factor.

Example 21: The ten members of the Japan trade organization for manufacturers of personal stereos agree to set up an information exchange system to monitor sales of personal stereos in Japan, the United States, and the EU. The trade organization convinces all dealers to complete and send in a specific form every time a sale of a personal stereo is registered. The dealer form contains information on the brand, the location of the dealer, and the value of the sale. The trade organization compiles the information and provides it in a weekly report to the members. The information made available to the members identifies each individual member's sales in different regions of Japan, the United States, and the EU and provides a calculation of each member's market share. It also gives an average sales price per region, broken down by brand of personal stereo. This information violates Japanese antimonopoly law, EU competition law, and U.S. antitrust law, because it removes any uncertainty about the competitors' sales and sales prices.

ILLEGAL UNILATERAL BEHAVIOR

I. Principles
Another fundamental aspect of competition law deals with the unilateral conduct of companies holding a high degree of market power. A company in a strong or dominant market position must behave with caution in the market. It's important to stress, however, that being successful and earning a strong position by being the best and the most efficient in a market isn't a problem. It's only the abuse of market position that competition rules prohibit. In the EU, a company in a dominant position in a given market is prohibited under Article 82 of the EC Treaty from abusing that position through anticompetitive practices. In the United States, companies are prohibited from monopolizing the market through unlawful means under the Sherman Act. An unlawful monopoly exists when only one firm controls the market for a product or service, and it has obtained that high level of market power not because its product or service is superior to others, but by suppressing competition with anticompetitive conduct. In Japan, private monopolization constitutes a violation under the Antimonopoly Act. Private monopolization refers to the formation of market power or the exercise of existing market power by a firm by artificially excluding or controlling the business activities of other companies.

II. What Is Market Power?
In the context of unilateral behavior, a firm that has a dominant position, for example by virtue of an especially high market share, is said to have market power. The first step in determining market power is deciding what constitutes a distinct market. Simply put, a market is distinct if the goods cannot be substituted for any other product. For example, the market for cars is a market that is distinct from that of motorcycles, because the two goods aren't interchangeable. It's important to stress that the concept of market power is flexible. It has been used previously in relation to illegal agreements. Market power is a question of degree, and for a company to be classified as having enough market power to be dominant, it will need a considerably higher degree of market power than those that are acting pursuant to an agreement. In most jurisdictions, market power is usually assessed by referring to the share that a company has of a particular market. Once a company attains a certain size relative to others operating in the same market, it may find that it has the commercial freedom to act independently with little or no regard to its competitors or concern about losing customers to them. A company in this position is clearly dominant, because it's effectively acting outside the constraints of free competition. Many of the competition law systems provide some guidance on what sort of size may constitute a dominant position. Generally, a company with a market share of less than 30% isn't considered to be in a dominant position. On the other hand, authorities might consider a market share of more than 40% tantamount to a dominant position, especially if there's a significant gap before the nearest competitor and the high market share is held over time. The area between 30% and 40% is a gray zone, where the question of a dominant position depends on the general competitive outlook of the market structure as well as the number of competitors in the market. 
A market share exceeding 50% means that there's likely to be a presumption of dominance. While analyzing market share is often a relatively straightforward way of deciding whether a company holds a dominant position, other factors may have a significant influence on the level of power that a company exerts. A large, but not monopolistic, market share in conjunction with, for example, the holding of patents to new technology may lead in practice to the company acting as if it held a monopoly. The economies of scale associated with a large and well-established company may also have the same effect in a market that new competitors are trying to enter, and in these instances they may find these "barriers to entry" too great to overcome.

III. Abusing Market Power
Common to all competition legislation is the recognition that in some instances significant market power will inevitably arise purely as a result of the nature of the market and the greater efficiency of one company over all others. It's therefore important to distinguish between a situation where companies are driven out of a market by competition alone and situations involving anticompetitive activities.

IV. Types of Abuse of Market Power

A. Exclusivity
Exclusivity involves a dominant supplier binding its customers to agreements to buy all or most of their products from that supplier. This practice is problematic because it hinders competitive offers from the dominant supplier's competitors, in a market in which competition is already dampened by the presence of one large actor.

B. Tying
These are agreements by which a dominant supplier makes requirements of a customer in relation to an unrelated market in which the supplier is active. This would be the case when, for example, a supplier of one product attempts to force the customer to buy other products or services as well.

Example 22: A German manufacturer of sausage-making machines, WunderWurst AG, holds a dominant position in the German market. It supplies the majority of sausage makers throughout the country with sausage-making machines. It also makes the sausage skin into which the sausage meat is packed. To try to drive up profits, the manufacturer decides to make the sale of sausage machines conditional on the purchaser agreeing to buy sausage skins from WunderWurst AG as well. Such a policy would prevent the other sausage skin suppliers from competing fairly with WunderWurst AG. Therefore, this behavior is likely to be anticompetitive under German competition law.

C. Long-term agreements
When dominant companies impose contracts that have terms of several years without the possibility of termination, that often constitutes an abuse. Not only do such contracts remove the supplier's incentive to perform, they also restrict the mobility and freedom of choice of customers. Equally, contracts that impose lengthy notice periods for termination may also be deemed abusive. There are no guidelines on the time limits in either of these scenarios, and, therefore, authorities generally look at standard industry practice to decide whether a practice is abusive.

D. Discriminatory business terms
Dominant suppliers shouldn't discriminate among their customers without being able to demonstrate fair and objectively justifiable grounds. Such discrimination would disadvantage some customers while giving others an unfair advantage. The general rule is that a dominant company must treat customers in similar situations alike. For example, two customers buying identical quantities will in general have to pay similar prices for the goods. The obligation not to discriminate isn't just related to price--it applies equally to other aspects of the supply agreement, such as credit terms. In the United States, this is tempered somewhat by the fact that it may be possible to discriminate between end users.

E. Loyalty discounts
This practice involves a dominant undertaking offering customers discounts to discourage them from seeking alternative sources of supply. Discount schemes of this type generally are only permitted when the supplier can justify the discounting. For instance, such justification could come from a cost savings being passed on to the customer for quantity purchases.

F. Refusal to supply
Somewhat simplistically put, if a particular product is indispensable for a given customer, a dominant supplier may be obliged to sell the product to anyone who wants to buy it. However, the supplier may set up reasoned, nondiscriminatory, and objectively justified criteria for supply. For example, it may require orders to amount to a certain reasonable minimum or refuse to supply a bad payer on credit terms.

Example 23: Chemico is a leading chemical company that, among other matters, makes the raw chemicals for paints. It also sells its own paints. One of its main competitors in the paint market is ColourCo, which recently launched a very successful beige paint. However, the main chemicals required for most of its paints, including the beige paint, must be sourced from Chemico. Chemico refuses to supply the chemicals to ColourCo in the hope that it will have to withdraw as a competitor in the markets where it's most active. This refusal to supply would be anticompetitive, because there's no legitimate reason for the refusal--for example, ColourCo isn't in financial difficulty--and Chemico's intention is purely to drive ColourCo out of the downstream market for paint.

G.

Predatory pricing
Selling below cost in a given market in an attempt to drive a competitor out of business, with the intent of raising prices afterwards to exploit a market devoid of competition, constitutes a violation of most competition laws. This practice usually involves loss-making, or barely profit-making, prices that selectively target the customers of a specific competitor. The short-term losses incurred are then usually offset by the increased profits that the supplier will realize in the long term.

THE POWERS OF THE REGULATORS


I.

Powers to Investigate
The clandestine nature of the agreements or actions of companies makes it necessary for authorities to have suitable powers for investigating abuses and violations of competition laws. In addition, many systems of law include provisions whereby those who claim to be harmed by the violations may make notifications to the authorities and ask them to initiate an investigation. In the United States and the EU for instance, the Department of Justice and the European Commission, respectively, even encourage such whistleblowing by offering immunity from prosecution in return for information on cartels. Therefore, members of cartels are very often the ones who first inform the regulators of the cartel's existence so they can benefit from the immunity offered by the authorities.

II.

Powers to Search Premises


The ability of investigators to search office premises for information and evidence is essential if competition laws are to be enforced. In the EU, the European Commission has the power to conduct surprise investigations at companies' premises. These so-called dawn raids involve agents going into office premises unannounced and asking that they be allowed access to certain documents. Some EU member states have also enacted their own legislation that sets out even more extensive powers. In the United States, the Department of Justice, which is the authority in charge, is given fairly broad powers and often works alongside the FBI or other investigative agencies in conducting searches of this nature. Similarly, in Japan, the Japanese Fair Trade Commission has the power to enter buildings and request information from companies it suspects are violating Japan's competition laws.

III.

Request for Documentation


The European Commission has, in addition to the powers of search and entry into companies' premises, the power to make written requests for documents. In the United States, the Federal Trade Commission and the Department of Justice also have the power to request information from companies. The use of requests for information is also a common feature in other jurisdictions. Investigators with the Japanese Fair Trade Commission, for instance, may enter premises of a company under investigation and require personnel to submit reports, information, or data. Obstructing an investigation is a criminal offense in Japan.

IV.

Undercover Surveillance

In the United Kingdom, the Enterprise Act, which came into force in 2003 and made involvement in cartels a criminal offense, introduced new powers of intrusive surveillance for the Office of Fair Trading (OFT), the body in charge of investigations. Such powers enable OFT to carry out surveillance on residential premises and in private vehicles by the use of covert devices (for example, microphones and cameras) or the presence of individuals on the premises. Recent changes in European legislation have also given the European Commission extended powers to undertake home searches, bringing the EU more into line with other countries where measures of this sort are common. In the United States, the FBI has played a huge part in the increase of prosecution of anticompetitive practices and is instructed by the Department of Justice in a large number of investigations to undertake secret surveillance. Among the methods it employs, the FBI is able to plant recording devices, and several high-profile cases have been assisted by the use of video- and audiotapes of actual meetings involving the protagonists' discussions as to how to fix prices. Usually, this covert stage begins an investigation, and only later are interviews and search warrants used to collect more information. By that stage, authorities, such as the FBI, usually have gathered enough material to put forward damning evidence against those involved.

V.

Tips for Dealing with a Dawn Raid


o First of all, remain calm.
o Phone the company lawyer or external legal advisers.
o Ask the officials for their authorization to carry out the search and note the subject matter of the investigation.
o Ask the officials to wait for your legal advisers to arrive. Most competition authorities will usually be willing to wait up to an hour.
o Allow the officials to inspect and copy only documents that relate to the subject matter of the investigation.
o Identify to the official any documents that you consider legally privileged (that is, any communication between the company and its legal advisers or documents compiled for seeking legal advice).
o Answer specific questions relating to the subject matter of the investigation, but don't volunteer information.
o Ensure that you make an accurate record of the investigation and know which documents the officials have copied.
o Above all, don't allow any documents to be destroyed or concealed and don't provide any information that's incorrect or misleading.

INTERNATIONAL COOPERATION BETWEEN REGULATORS


Governments throughout the world have increasingly recognized that well-designed competition law, along with efficient methods of enforcement, is beneficial to all in promoting economic growth. Globalization of markets has also made it increasingly important for countries to coordinate their approaches to these laws, and regular communication on such matters has enabled them to learn from each other's experience in addressing common problems. One way governments have addressed this is by bilateral and multilateral agreements in which participating states agree to cooperate with each other on individual cases. These are, of course, particularly advantageous for the United States, the EU, and Japan, which are home to many companies operating on an international scale. In addition, forums have been established that give all countries the opportunity to gain access to information networks and to participate in discussions. Some examples of agreements and networks are considered below, showing what a priority the preservation of competition has become.

I.

International Agreements to Cooperate in Competition Cases


Many of the major nations have bilateral cooperation agreements in place. A good example is the Positive Comity Agreement between the United States and the EU. Such agreements generally provide for the reciprocal notification of cases under investigation, coordination of enforcement activities, exchange of certain information, and the possibility for one party to request that another take enforcement action.

II.

International Networks
The International Competition Network provides competition agencies from developed and developing countries with a network for addressing enforcement and policy issues of common concern. It facilitates procedural and substantive convergence in competition enforcement and now has over 70 members worldwide, with substantial representation from each continent. The Organisation for Economic Co-operation and Development (OECD) operates a similar system, occasionally holding a Global Forum on Competition that gives OECD member states the opportunity to discuss issues and address problems.

III.

European Competition Network


The European Competition Network (ECN) is made up of the competition authorities from each of the EU member states as well as the European Commission. The ECN was established as part of the reforms of EU competition law and will play a key role with regard to case allocation, exchange of information, and mutual assistance during investigations. It should promote the coherent application of European competition law by introducing cooperation between national competition authorities in the EU member states and the commission. It makes arrangements for extensive information sharing and consultation within the network to avoid double procedures and, therefore, situations of potential conflict. It also gives the commission and national authorities the power to provide each other with evidence on any matter of fact or law, including confidential information, for the purpose of enforcing the EC Treaty.

CONSEQUENCES FOR VIOLATIONS OF COMPETITION LAW


The consequences for violations of competition law may be severe for both the company and individuals involved in the violation, such as company directors. The following are examples of typical penalties that could be applied for violations of the law.

I.

Fines
Generally, the level of fine will depend on the gravity and the duration of the violation, but the maximum fines possible can be extremely high. In the EU, the European Commission may impose fines of up to 10% of the turnover (or revenue, as this is known in the United States) of each group of companies involved. In the United States, companies may be subject to fines of $10 million or more and individuals can be fined up to $350,000.

II.

Imprisonment
In the United States, Sherman Act antitrust violations involving agreements between competitors usually are punished as criminal felonies. The Department of Justice alone is empowered to bring criminal prosecutions under the Sherman Act. Individual violators can be sentenced to up to three years in a federal prison. Within the EU, both the United Kingdom and Ireland use criminal sanctions, and prison sentences may in some cases be as long as five years. Several other member states operate a similar system, and typical sentences range from six months to five years, depending on the nature of the offense and the amount of cooperation of the parties. In Japan, anticompetitive behavior can result in prison sentences of up to three years. Furthermore, refusal or obstruction of an investigation by the Japanese Fair Trade Commission can result in a sentence of up to six months. In countries that don't currently have such penalties, steps are being taken to follow the lead of the models provided by such countries as the United Kingdom and the United States. In Australia, the Competition and Consumer Commission has appointed a working party to look into how the introduction of criminal offenses in competition cases could work, and it seems to be a widely held view that a change to the legislation in this respect is now imminent.

III.

Damages
Most legal systems provide individuals with the possibility of bringing lawsuits for damages caused by violations of the law. In the United States, for example, legislation provides that damages awarded to a private plaintiff can be tripled. Given that a lawsuit of this kind would usually be in addition to any criminal or civil sanctions that the competition authorities impose, it should serve as a fairly persuasive deterrent. The possibility of large damages payments has also been increased in recent years by the advent of class actions in some countries. These measures certainly have encouraged proceedings by making it easier for people to bring actions for large damages claims. The rise in the number of these actions in the United States and Canada in particular shows an increasing willingness to pursue companies through the courts in this manner.

IV.

Damage to Reputation
In addition to the penal or civil law consequences, there's a commercial aspect in that companies that are found to have engaged in anticompetitive behavior risk seriously damaging their reputations in the eyes of their customers. This ultimately can have a damaging long-term effect on a company, because customers may decide to take their business elsewhere. Furthermore, it may tie up significant management time and effort in dealing with an investigation.

V.

Disciplinary Consequences
All employees engaged in anticompetitive behavior place themselves at risk of infringing their own companies' internal rules and could face disciplinary action by the company regarding their employment. In addition, some legal systems provide the possibility that directors involved in anticompetitive behavior can be barred from acting as directors again for a period of time. In the United Kingdom, directors found in serious violation of competition rules can be disqualified from taking up a directorship in the United Kingdom for up to 10 years.

GUIDELINES TO GOOD CONDUCT


I.

Some Simple Principles to Follow


Things to do:

o Avoid contact with competing companies unless you have a legitimate reason for it.
o Be aware that a poor choice of words can make a perfectly legal activity look suspect. Such words include "avoid a price war," "share markets," and "coordinate our bids with our competitor."
o State that you cannot discuss price-fixing, timing of pricing changes, fixing bids, or other business terms and conditions. Terminate conversations about such topics.
o Keep accurate file notes of such events, including what was said, and inform the law department.
o Obtain approval from the law department before joining any trade association or industry body.

Things not to do:

o Do not discuss or agree on price-fixing, timing of pricing changes, fixing pitches, or other business terms and conditions on which the company does business.
o Do not discuss or agree on restrictions concerning markets or sources of supply (by location or customer).
o Do not discuss pitches for contracts or procedures for responding to invitations to pitch.
o Do not seek access to, allow competitors access to, or even discuss confidential or other unpublished business information such as prices, preparation for pitches, costs of production or distribution, profitability, strategy, business and marketing plans, service development plans, and information on customers.
o Do not discuss or agree to the blacklisting or boycotting of any customers, competitors, or suppliers.
o Do not participate in any trade association or other industry body gatherings where any of the above "don't" subjects are discussed.

CONCLUSION

Many, if not most, countries have implemented competition laws, and infringement of such laws may have serious consequences, for both the companies and the individuals involved. Competition law is complex and often subject to interpretation. You therefore shouldn't hesitate to contact your law department or legal advisers if you have any questions or have an issue you feel needs discussing.

EU COMPETITION
INTRODUCTION
Articles 81 and 82 are the main competition law provisions in the European Union (EU).

o Article 81 makes illegal any agreement or concerted practice that significantly restricts competition and affects trade between EU countries.
o Article 82 makes illegal any unilateral abuse of a dominant position that affects trade between EU countries.

You should be aware that most EU countries have identical or largely similar provisions in their national competition law. The European Union consists of the following 27 Member States: Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.

This handbook focuses primarily on competition law issues under Article 81 and thus on competitors that either openly or subtly agree to fix prices or otherwise gain an advantage over their competitors. However, it also touches on the issue of what rules apply to companies that have a large degree of market power. You will learn in this handbook that some agreements among competitors are almost always considered illegal, no matter how well-intentioned the agreements and regardless of their effect on the market. Other agreements are not always illegal, but their legality depends on whether the restrictions are outweighed by the positive aspects. Dealings between direct competitors get the highest level of competition law scrutiny by the European Commission and national competition authorities, and, if found illegal, can be liable for high fines in most cases. Equally, those who attempt to partition the EU markets along national borders or otherwise are intensively prosecuted and fined by the European Commission.

This handbook provides a general overview of European competition law. It does not provide legal advice or guidance regarding how you should act in a particular situation that involves European competition law. These laws are complex and subject to subtleties that cannot be completely covered in a brief treatment of this kind. Always consult your internal management and company lawyer about any questions or concerns you may have about European competition law.

DEALING WITH COMPETITORS


I.

Overview
The European competition law prohibition against anti-competitive agreements consists of two steps. The first step under Article 81(1) is to assess whether an agreement restricts competition to an appreciable extent. The second step under Article 81(3), which is only taken if a restrictive agreement has been found to exist, is to determine, on balance, whether the pro-competitive benefits produced by the agreement outweigh the anti-competitive effects. If the balancing turns out in favour of pro-competitive effects, an agreement may be eligible for an exemption from the prohibition. The balancing of pro- and anticompetitive effects is subject to specific conditions. Briefly, the agreement must meet all of the following four conditions in order to obtain an exemption. It must

o contribute to commercial/economic progress (so-called efficiency gains)
o give a fair share of the resulting benefit to consumers
o not contain any unnecessary restrictions
o not eliminate competition in any given market

Even if only one of the above conditions is not met, there can be no exemption. Article 81 applies between companies that are on the same level of the supply chain (for example, between manufacturers--the relationship is considered horizontal) as well as companies at different levels of the supply chain (for example, between a manufacturer and a distributor--the relationship is considered vertical). If an agreement violates Article 81(1) and is not exemptible under Article 81(3), such an agreement, or at least any restrictive clause in the agreement, is legally void and unenforceable. As you can imagine, this can have serious consequences in a commercial relationship if, for example, an exclusive supply agreement or a patent and/or know-how license agreement that forms the basis of a company's core business is void and unenforceable. Furthermore, such illegal agreements can attract substantial fines and lead to lawsuits with claims for damages.

II.

Illegal vs. Legal Agreements


The aim of Article 81 is to ensure that each company doing business in Europe independently decides how, when, and where to carry out its business on any given market. For example, each company should independently decide which prices to charge or whether to sell its products only in one country or several. Agreements that interfere with the competitive structure of a given market by restricting two or more companies' commercial options are likely to violate Article 81. Some categories of agreements, however, are not considered to be anticompetitive and thus are not caught by Article 81(1). Especially if the parties to an agreement are not big players in a given market, this is normally the case for cooperation agreements that do not imply any coordination of the parties' competitive behaviour in the market, such as cooperation

o between companies that are not competitors in any shape or form
o between competing companies that cannot independently carry out a given project or activity
o concerning an activity that does not influence the relevant parameters of competition (for example, setting standards or addressing common environmental issues)

Example 1: Three medium-sized building companies want to bid together for the right to construct a huge hotel complex on the Canary Islands. The companies, although in the same line of business, have complementary skills and, as they are not large companies, do not have the resources needed to be able to complete the project individually. The agreement is likely to either fall outside Article 81(1) completely or at least obtain an exemption, as the parties could not reasonably be expected to be able to carry out the job independently.

Likewise, cooperation between companies with low turnover and insignificant combined market shares normally does not restrict competition and may fall outside Article 81 as well, especially if the cooperation does not involve any agreement on prices, limiting output, or sharing of markets. Although this is not fixed in stone, usually agreements between competitors that collectively hold a share that is less than 10% of a given market will not violate Article 81.

Example 2: Two small Belgian manufacturers of chocolates enter into an agreement to produce their chocolates together. They create a production joint venture and invest in more modern production equipment. Each has a market share in Belgium of 2-3%, with limited sales in the Netherlands and France. They agree not to compete with each other for the duration of the agreement. Given their small size and low market share, the agreement is unlikely to violate Article 81, even though it restricts competition between them.

The European Commission has issued a range of guidance rules in the form of so-called block exemptions, which grant automatic exemptions to agreements between competitors that fulfil certain conditions. Such rules exist more notably for R&D agreements, specialisation agreements, different types of distribution agreements, and agreements relating to patent and know-how license agreements. Typical for most of them is that they apply if the market share of the parties to the agreement is relatively low (between 15% and 30%). Needless to say, these rules are highly complex pieces of legislation, and advice from your company lawyer on whether they apply to your particular situation is always necessary.
Finally, agreements between companies within the same corporate group are not caught by Article 81 as they are considered to form a single economic entity, notwithstanding that they may be different companies. It is not even necessary that the parent company own all of the shares in the subsidiary, as long as it effectively controls market behaviour of the subsidiary, through a majority shareholding, majority representation on the board, or other method.

Example 3: The parent company of the world's leading producer of kitchen appliances decides that its wholly owned subsidiaries distributing products in the Benelux and France must simultaneously raise prices by 30% on the same day. As the subsidiaries are all part of the same corporate group, Article 81 does not apply and the agreement to collectively raise prices does not run afoul of that provision.

III.

How Illegal Agreements Are Formed


The concept of agreement or concerted practice in the law basically boils down to some form of mutual understanding or consensus that leads to coordination of commercial activities. For coordination to exist, it is sufficient that at least one company agrees to behave a certain way in a given market and that, as a result of contacts between the parties, uncertainty as to their commercial conduct on the market is reduced. In some cases, such coordination can, for instance, be inferred from an ongoing commercial relationship between the parties without any formal arrangement between them.

A written or otherwise explicit agreement is not necessary to prove the existence of an agreement. There is no need for a secret handshake or even a knowing wink. Understandings may be unspoken and often do not require verbal communication. It is not even required that coordination be in the interest of all parties, nor does it matter if one party was forced or coerced into going along with the other's demands. If the facts indicate that it was highly unlikely the parties were acting independently, a competition authority might conclude that an unlawful agreement exists. On the other hand, unilateral decisions by one company do not violate Article 81, even if such decisions have an impact on other companies. For example, parallel behaviour, whereby one company independently sets a given price level and its competitors simply follow this 'price leader', does not necessarily infringe Article 81, unless other circumstances indicate that some sort of understanding has been reached. You need to keep in mind, however, that unilateral decisions may be subject to Article 82 if the company has a large degree of market power, as will be discussed below. If you are at some point faced with a situation where a competitor suggests that you should participate in an illegal agreement, you must clearly and adamantly reject the offer and make sure others who are present know that you are rejecting the offer. If possible, have your rejection recorded in writing, such as in the minutes of the meeting. Also, go to your company's legal counsel and/or senior management and tell them about the offer. Keeping the offer secret may get your company into trouble, even if you rejected the offer and, as such, did nothing wrong.

Example 4: Following a series of meetings between relatively high-level managers, four bicycle manufacturers adopt one standard for building a component part of their competing products. Shortly afterwards, they all raise their wholesale prices simultaneously by 10%. It is unlikely that four companies would adopt a standard and raise prices simultaneously without an agreement. Therefore, even if there is no proof of an actual meeting or discussion, the price increase might be considered the result of an illegal agreement.

Example 5: A manufacturer of photo equipment, Click AB, normally communicates with its distributors by way of circular letters. Click AB decides on its own to send a circular letter to all its UK distributors, requiring them not to export digital cameras to France. Some distributors are against the export stop as it will hurt their business, but nevertheless they comply with Click AB's request, as they are afraid of losing their distributorship position. Although Click AB could be argued to have ordered the export stop unilaterally, by agreeing not to export the products to France, the distributors have entered into an agreement that can be caught by Article 81. It does not matter whether--on a commercial level--the distributors agreed with the export prohibition or not.

Example 6: Three mobile phone manufacturers sell phones through retail stores. A fourth sells on the Internet. All four announce within three weeks of each other that they are going to adopt one of two competing technological innovations. They all select the same one. Later, they each announce price increases in the trade press, as they have in the past. Additionally, the company that sold on the Internet starts selling only through retail stores. The conduct could be evidence of an illegal agreement. There is parallel pricing activity, plus other factors (announcements of the price increase, and a company changing its sales channel to conform to its competitors' sales channels). Also, the facts presented no apparent evidence of any independent justification for the common conduct.

Example 7: Pharmaz NV, a Dutch producer of a popular brand of painkillers, which is not a dominant player in the market, is worried about huge grey market imports from low-price Spain to the high-price UK. It has been tracking sales between these two countries for some time and decides to do something about it. Without discussing the issue with its distributors in these two countries, it decides to limit the quantity of its drugs that each of its Spanish distributors can buy. In Pharmaz NV's letters to its Spanish distributors, it explicitly states that the allocated quantity corresponds to its estimate of what that particular distributor can sell on the Spanish market. The Spanish distributors are unhappy with the decision and try to find an alternative source for Pharmaz NV's painkiller products. The decision to try to curb grey market sales has been taken by Pharmaz NV on its own without any help from or consensus with its distributors. No agreement can be found, and the unilateral action does not violate Article 81. As Pharmaz NV is not a dominant player in this market, it does not infringe Article 82 either.

IV.

Trade Between EU Countries


For European competition law to apply (both Article 81 and Article 82), there has to be a certain minimum level of what is known as effect on trade between EU countries. If there is no such effect on trade, only national competition law may apply. The nature and amount of proof required might be different than you would expect. In fact, both the European Commission and the European courts have had very liberal interpretations of the effect-on-trade condition, and it has traditionally not taken much to trigger it. What does effect on trade mean? Simply described, there must be a certain influence on the pattern of trade between EU countries. Although it may be surprising to you, it does not matter whether this influence is direct or indirect or even whether there is a 'here and now' effect or it is only a potential effect at some time in the future. Some measure of guidance as to whether the effect-on-trade condition is met or not can be found by taking a look at a couple of specific factors, including:

o The nature of the agreement. Cross-border cartels are normally designed to affect trade by restricting cross-border sales. A joint venture confined to the territory of a single member state is in a sort of grey area that may or may not affect trade and thus requires more intense analysis. An agreement limited to two local retailers in a given city in one EU country will almost never affect trade.
o The nature of the products. When products are easily traded across borders or are important for companies that want to enter or expand their activities in other EU countries, effect on trade is more likely to be found than when there is a limited cross-border demand.
o The market position and sales volume of the companies. It is more likely that the dealings of a large multinational company will affect trade than the commercial decisions taken by the local independent ice cream parlour on the corner of a given street.

The latter factor ties into the fact that not all effects on trade trigger European competition law. The effect has to be of a certain magnitude--it has to be significant enough to be able to have an impact. This is normally measured in terms of importance of the companies involved in the anti-competitive agreement or conduct. The threshold varies with the actual circumstances of a particular case, but usually if the market share affected by the agreement or the conduct exceeds 5%, it is likely that effect on trade can be found. However, it should be kept in mind that under this threshold, national competition law is likely to apply with much the same end result anyway. Even agreements concerning exports out of the EU can have an effect on trade if they deflect trade patterns within the EU. For example, exports of excess capacity will have an effect on the prices of the products that remain within the EU. Finally, whether the companies involved in an agreement or an abuse are inside or outside the EU is of no importance. The reach of European competition rules goes beyond the EU if the anti-competitive practices are implemented or have effects within the EU.

Example 8: Two important producers of rubber bands for office use agree to share their markets so that The New Rubber Band Company will only sell to customers in Greece and The Good Old Rubber Band Company will only sell in Italy. This creates direct effects on trade between EU countries, as there will suddenly no longer be as much competition for the products in Italy and Greece.

Example 9: A Chinese producer of high-end sports gear, The Fastest Shoes, enters into new agreements with its distributors in different EU countries. As part of the distribution setup, it is agreed that The Fastest Shoes will only honour the warranty if the end-user customer goes to a retail outlet in the same country as where the shoe was sold. This creates disincentives for consumers to engage in cross-border trade and thereby produces indirect effects on trade between EU countries.

Example 10: Two years before the telecom market is liberalised in Germany, the incumbent German telecom operator enters into a joint venture with the German railways to use the rail tracks to lay down high-speed cables. The agreement grants exclusivity to the German telecom operator for a period of 15 years. Even though the agreement is between two companies within the same EU country, the agreement affects trade because, at the time of the agreement, it is foreseeable that the telecom market will be liberalised and that telecom operators from other EU countries need to lay down their own infrastructure in order to compete on the German market.

Example 11: The 15 most important producers of the raw material for paper production are all located outside the EU. Together they supply around 95% of all such products within the EU. They agree to simultaneously raise prices for sales to countries in the EU by 5-10%. The agreement is likely to affect trade between EU countries as prices will be affected within the EU.

PRICE-FIXING, BID RIGGING, MARKET SHARING, OUTPUT RESTRICTION, AND INFORMATION SHARING

I. Overview
Price-fixing and bid rigging are two of the most classic examples of illegal behaviour. Both constitute 'hardcore' restrictions violating Article 81 and are unlikely to obtain an exemption. A group of colluding companies is most often referred to as a 'cartel'. Likewise, agreements to allocate markets between competitors and agreeing on what the output of goods should be are both hardcore restrictions covered by Article 81. Such agreements are unlikely to be able to obtain an exemption, even if the market shares of the parties are not high. The fact that competitors often exchange information in one form or the other can also be problematic in some instances. Below, the anti-competitive aspects of such agreements are explained in more detail.

II. Price-Fixing
It is almost always illegal for competitors to agree on what prices to charge. Such agreements can lead to very high fines and--under national law in some EU countries--even criminal sanctions in rare cases, including prison sentences. Such agreements do not obtain an exemption, even if the market shares of the parties are not high. Price-fixing is prohibited between competing companies at the same level of trade--at a horizontal level. It is equally prohibited if it takes place between a supplier and a distributor and/or retailer in a vertical relationship (so-called 'resale price maintenance'). Price-fixing can take many forms, some of which are set out below. However, it should be kept in mind that the prohibition against price-fixing covers any agreement that might directly or indirectly suppress price competition. Blatant price-fixing is obviously covered, such as an agreement between competitors setting minimum prices under which the parties' products cannot be sold. Likewise, a supplier and a distributor and/or a retailer may not agree on what minimum level of prices the distributor (and/or retailer) should charge to sell its products on to the next level of the supply chain. This is traditionally known as resale price maintenance and has been the subject of many decisions from the European Commission imposing fines. On the other hand, setting recommended prices or, under certain circumstances (if the parties' market share does not exceed 30%), maximum sales prices is not illegal, if the manufacturer does not seek to enforce such recommended or maximum prices but leaves it up to the distributor to determine at which price it wants to sell the product.

Also, even more indirect anti-competitive agreements may violate Article 81, such as an agreement to consult on each other's price lists before publication or to exchange detailed information on each other's production costs. This all serves to reduce the normal uncertainty about one's competitors' commercial actions. This is the case even if the exchange of price information is through a third party, for example, a trade organisation. Agreement on any term of sale that has an impact on price is illegal. One example would be competitors agreeing not to discount from published list prices or only to offer certain maximum discounts. Even offering the same credit or delivery terms can be caught by the prohibition. Similarly, agreeing to keep a certain price differential between different types, sizes, quantities, or qualities of products is illegal, for example, by agreeing that the price for a given luxury product must be 150% higher than the price for the comparable medium-range product. Likewise, agreements between competitors on joint selling of comparable products are likely to infringe competition law as they are likely to lead to coordinated prices, even if done through an independent agent. The same applies to a trade organisation's paying out certain sums to support promotion of exports, if this leads to exporters being able to charge lower prices when exporting than they would otherwise be able to.

The issue of trade organisations is mentioned a couple of times above. Trade organisations group industry participants and act as an important outlet for matters of common industry concern, such as advertising rules, upcoming legislation affecting a given industry, environmental issues, and others. Such discussions are normally legal.
However, the authorities are particularly alert to the activities of such organisations and have often in the past found trade organisations to be a forum for anti-competitive discussions. You therefore need to be extra careful if you participate in trade organisation meetings and avoid any discussion on any anti-competitive issues, such as price-fixing or other price-related issues. Trade organisations often collect and exchange industry-wide statistics. Such statistics may be perfectly legal, but you should keep in mind that they normally must not be producer specific, nor should they involve any disclosure of information that is considered sensitive from a business perspective. Again, if a competitor suggests that you should participate in an illegal agreement, you must refuse to participate and make sure others who are present know that you are rejecting the offer. Have your rejection recorded in the minutes of the meeting, and if the trade organisation members persist with the discussion, leave the meeting. Remember to inform your company's legal counsel and/or senior management as soon as possible.

Example 12: The heads of marketing from five leading breakfast cereal companies meet, after a conference on healthier foods, in a bar at the conference hotel in Geneva. Although mostly happy about their current margins on the sale of cereals, they nonetheless agree to raise prices by 5% every quarter for a year. Although one of the marketing people is only able to convince his boss to raise prices by 3%, and another only by 1%, the remaining competitors raise prices for sale in the EU as agreed. The agreement constitutes a blatant price-fixing agreement, even though agreed outside the EU and even though it is not implemented exactly as agreed.

Example 13: An important manufacturer of everyday cosmetics, The Beautiful Face, has a range of distributors in each EU country. It tells its distributors that its products should be sold at a given price, which it terms 'recommended sales price'. On the packaging, it prints these recommended sales prices. It learns that some of its distributors sell below the recommended sales price. The Beautiful Face contacts these distributors and tells them that it will raise wholesale prices if the recommended sales prices are not respected. Word gets around among the distributors and they all respect the recommended sales prices. Although setting recommended sales prices is allowed, The Beautiful Face is likely to have infringed Article 81 as it indirectly has tried to make the recommended sales price into a fixed sales price by printing the price on the packaging and coercing the distributors into selling at these prices.

Example 14: Two companies dealing in inflatable rubber dinghies, a Swedish and a Greek company, agree that their customers will only be offered 15 days of credit instead of the normal 90 days of credit. This is likely to infringe competition law as it removes the element of competition surrounding how much credit the customers can get.

III. Bid Rigging
Bid rigging, or collusive tendering as it is sometimes known, is an offshoot of normal price-fixing and consists of a practice whereby competing companies agree amongst themselves to collaborate over their response to invitations to tender, for example, from a government entity or a large company seeking a competitive offer process. It is particularly likely to be encountered in the engineering and construction industries, where companies compete for very large contracts, and normally requires a considerable amount of information exchange to function. The colluding companies agree which company shall win the current tender, and the others arrange to bid above the winner's price, to bid on terms that do not meet the conditions of the tender, or not to bid at all. Next time there is a tender, another company will win, and so on.

Example 15: A school district decides to accept bids from several different milk suppliers for an exclusive contract to provide milk to all of the district's schools for a period of time. Several competitors get together and decide that Global Dairy will submit the winning bid, and that they will each take turns submitting winning bids for other schools in the future. In accordance with their agreement, Universal Dairy withdraws its bid, Acme Dairy submits a bid that is too high, and Worldwide Dairy submits a bid with terms that the school district could never accept. Global Dairy wins the contract. Without the suppliers' bid-rigging agreement, there would have been competition for the contract, and the district may have gotten a better price. The milk suppliers have entered into an illegal price-fixing agreement.

IV. Market Sharing
When competitors agree to divide up certain potential or existing customers or create geographical areas where they will not compete against each other, this is called market sharing. Any agreement that would tend to limit one competitor's attempts to make sales violates competition law. Market sharing agreements between competitors in the EU are viewed as particularly serious because, apart from the obvious anti-competitive effects, they serve to isolate geographical markets and thus retard the process of integrating the EU countries into a single market, which is one of the prime aims of the EC Treaty. Such violations cannot be granted an exemption under Article 81(3).

Example 16: At a trade show, most of the larger national cement producers meet. After some discussion, they finally agree not to export white cement products outside their home countries and to try to talk smaller producers into doing the same. Because of the ingrained distrust among the companies' CEOs, the agreement is only partially successful in keeping each producer in his own market, and a large proportion of them try to sell outside their home markets anyway. The aim of the agreement is to allocate geographical markets, which clearly violates Article 81. It does not matter if the agreement is successful.

Example 17: Five companies producing TVs and radios exchange their customer lists. There is a great deal of overlap. They agree that each producer can identify its top three customers and that no other competitor will sell to those three customers. This conduct allocates customers, and it violates competition law by reducing the competition for the companies' largest customers.

Market sharing can also take place in a vertical context. Under one of the block exemptions mentioned above, a producer is allowed to restrict its distributors from undertaking active sales efforts outside the allocated territory (such as direct mail, visits, or establishing a branch for the sale of given products outside a designated territory).
However, the producer may not in any way try to curb grey market sales (parallel imports) by prohibiting passive or unsolicited sales to customers that come to the distributor wishing to export the products to another territory.

Example 18: Sticky, a U.S. company that produces collectible stickers and cards immensely popular with young children, trades in products bearing the image of the popular Super-T Flying Tortoise characters. The little cards are 2.5 times more expensive in the UK than in Portugal. Sticky involves its distributors in a strategy designed to prevent wholesalers and retailers in countries where Super-T products are sold at a comparably high price from importing those products from low-priced countries. Sticky repeatedly sends out 'circular letters' asking its distributors in several EU countries to help it trace back parallel imports and monitor the final destination of Super-T products. Sticky also follows up with phone calls and personal meetings where, in clear terms, it tries to discourage sales to parallel importers. Sticky threatens to cut off supplies to those distributors who do not comply with this distribution policy. Clearly, by imposing a division of national markets to keep prices up and actively seeking to sustain such division, Sticky has seriously violated competition law.

Example 19: The German luxury car manufacturer StarCar GmbH learns that one of its authorised dealers in Finland--where cars are among the cheapest in the EU--has a steady business in selling cars to customers located in Austria, where prices are among the highest in Europe. To help its dealers in Austria keep their margins up, the car manufacturer threatens the Finnish dealer with cutting off further supplies if it does not stop selling the cars to Austrians. The Finnish dealer immediately complies with the car manufacturer's request and hereafter tells potential Austrian customers that it cannot sell to them, as this would undermine the Austrian market. The car manufacturer and the dealer have entered into an agreement to artificially partition markets, which infringes European competition law. As discussed earlier, it does not matter whether the dealer was coerced into accepting the market sharing.

V. Output Restrictions
A further way a cartel might be able to raise prices without actually agreeing on the prices themselves is by agreeing to restrict its members' output. If output is restricted, prices are likely to rise or at least not fall. Clearly, this is most effective if all or most of the relevant producers are involved in the cartel. The cartel members will most often agree on a quota system allocating a specific part of the total industry output to each producer. However, it may also be that an agreement is reached for one company to completely stop production of a given product in exchange for the other company stopping production of another product. The companies do not supply each other with the products they have stopped making. Each company gains because the other's withdrawal lowers the total output of a product it still sells, with the effect that prices are raised. Whatever way this is implemented, such agreements are serious violations of competition law and are highly unlikely to be able to obtain an exemption.

Example 20: The most important worldwide producers of vitamins for cat food are worried about serious over-capacity in the industry, which squeezes their margins. In fact, most producers are selling cat food vitamin products at a loss. The CEOs of these companies therefore meet at a luxury golf resort just outside Tokyo to try to see if they can solve their common problem. Instead of agreeing on specific quotas, which they believe will be very hard to monitor and therefore enforce, they orally agree to shut down a number of production plants across Europe over a period of two years. They furthermore agree to immediately reduce their production time by three hours a day and to refrain from investing in additional production capacity. The shutdown of production plants and the increase of machine downtime have a direct impact on how many vitamins can be produced and thus act as an output restriction. The agreement, even though oral, restricts competition between the parties and infringes Article 81.

VI. Information Sharing
Competitors sometimes agree to exchange information with one another. Much information exchange is perfectly legal, such as joint compilation of market research or general industry studies or statistics, including giving everybody a picture of overall sales and output in a given industry without identifying individual companies. Such information only serves to give everybody a better understanding of a given industry and enhances competition, particularly if it is not limited to the parties to the agreement but is publicly available. Agreements to exchange information can, however, pose problems under European competition law if they consist of exchanging information that is sensitive from a business perspective. For example, it would be contrary to Article 81 for companies to provide competitors with detailed information that would normally be regarded as confidential business information. Information on individual prices and rebates and other directly price-related information are clearly the most sensitive in this respect. Exchanging detailed information on other vital business issues can, however, also be problematic, such as information on production or distribution costs, forecast capacity, and investment plans. It should be mentioned that it may be permissible to exchange detailed information if the information is sufficiently historic and does not have any real impact on future commercial behaviour. However, any such exchange should be considered carefully by your company's legal counsel before you agree to it. You should be aware that an agreement to exchange information could particularly be a problem if the market is highly concentrated, with only a few players active in the market, as it facilitates collusion between the remaining parties. Finally, it does not really matter whether the information is exchanged directly between competitors or through another medium, such as a trade organisation. What matters is the precise content of the information exchanged.

Example 21: The eight members of the UK trade organisation for manufacturers of tractors agree to set up an information exchange system to monitor sales of tractors in the UK and Ireland. The trade organisation convinces all dealers to fill out and send in a specific form every time a sale of a tractor is registered, which it further cross-checks with publicly available information on registered tractors. The dealer form contains information on the brand, the location of the dealer, and the value of the sale. The trade organisation compiles the information and provides it in a monthly report to the members. The information made available to the members identifies each individual member's sales in different regions of the UK and Ireland and provides a calculation of each member's market share. It also gives an average sales price per region broken down by type of tractor. This information exchange clearly violates Article 81 as it removes any uncertainty about the competitors' sales and sales prices.

Example 22: The members of a trade organisation for producers of nails and bolts agree to exchange information on their list wholesale prices together with approximate sales volumes. The information is given to the trade organisation, which then makes sure that it does not refer to any specific company. They also agree that they will exchange information on average rebates given to large customers. The trade organisation secretariat compiles the lists for all 13 members of the organisation. Even though compiled by the trade organisation, the exchange of price lists and average rebates is likely to violate Article 81. It is easy for the members to see which company corresponds to each sales volume, and the average rebate gives a fairly precise indication of final sales prices.

Example 23: A waste paper trade organisation collects data on all sales of waste paper in the EU and information on production costs. It also contacts customers for waste paper and obtains estimates of the expected level of demand for the next five years. By way of an independent accountant, it compiles statistics showing the overall sales of waste paper in the EU, broken down by type of waste paper. The information does not identify any manufacturer individually, and the organisation makes sure that the information is always backdated at least one year. Furthermore, it calculates the average overhead costs and provides its own estimate of future demand. It posts the information on the publicly available part of its Internet website. The information exchange is unlikely to infringe Article 81 as it is kept to general statistical information and general forecasts, which may serve to provide better planning for its members. The fact that everybody--and not only its members--has access to the information is also a positive factor.

ABUSE OF DOMINANCE
Article 82 is an important companion of Article 81. Whereas Article 81 is concerned with agreements between two or more companies, Article 82 is directed toward the unilateral conduct of dominant companies that act in an abusive manner. A dominant company must behave with caution on the market, as getting on the wrong side of Article 82 can have serious consequences in terms of fines. It is important to stress, however, that being successful and earning a company a strong position by being the best in a given market is not a problem. It is only the abuse of market position that is caught by Article 82. First of all, what is a dominant position? Basically, if a company finds that it has the commercial freedom to act with little or no regard to the competitors in the market, rather than being forced to react to the commercial initiatives of other market participants, it may be in a dominant position. Usually, a company with a market share of less than 30% would not be considered to be in a dominant position. The authorities might well consider a market share of more than 40%, on the other hand, tantamount to holding a dominant position, especially if there is a significant gap before the nearest competitor and if a high market share is held over time. The area between 30% and 40% is a 'grey' zone, where the question of a dominant position will depend on the general competitive outlook of the market structure as well as the number of competitors in the market. Unless there are exceptional circumstances, a market share exceeding 50% means that there is a legal presumption of dominance. In such a case, it is up to the dominant company to disprove the presumption. In any event, the level of the market share is not the only indicator of dominance. Other factors taken into account include, for example, superior technology in terms of patents, deep pockets in terms of overall financial size and strength, economies of scale, strong trademarks, and the like.
Finally, although rare, dominance can also be collective, such as when two companies together hold a dominant position. This could, for instance, be the case where two or three companies each hold around a 25% market share in a transparent market and there are some kinds of connecting factors between the companies, such as common board members or joint venture agreements. Now, what constitutes an abuse of a dominant position? The following examples of abuse illustrate the point.


Loyalty discounts. If a dominant undertaking offers its customers a special discount to discourage them from seeking alternative sources of supply, this will be contrary to competition law. The discount arrangement must be based on fair grounds, such as cost savings for the supplier passed on to the customer (as, for instance, quantity discounts) or otherwise rewarding functional services of customers (for example, a wholesaler who carries out warranty repairs of the supplier's products).

'English clause'. An 'English clause' here means an agreement between a dominant company and its customer to the effect that the customer will not accept an offer from another supplier until the dominant company has declared that it does not wish to match it--after having obtained all information about the relevant quotation. Normally, such a clause is considered to constitute an abuse, partly because the application of this clause by a dominant supplier makes it difficult, or impossible, for its competitors to penetrate the market, and partly because the supplier gains an insight into the pricing policy pursued by its competitors.

Price discrimination. Different prices charged to different groups of customers in similar conditions, in a market where a company has a dominant position, may constitute an abuse, if the price differences are not based on concrete cost differences (for example, currency translation fees, taxes and duties, or transport costs).

Predatory pricing. Selling below cost in a given market in an attempt to drive a competitor out of business, with the intent of raising prices to exploit a market void of competition, constitutes an infringement of competition law. Predatory pricing normally includes loss-making or barely profit-making prices selectively targeted at the customers of a specific competitor. It typically masks an aggressive long-term plan aimed at driving a competitor out of the market, and losses are frequently financed out of the income generated by other sales on the same or other markets. This type of pricing policy is unlawful.

Exclusivity. A dominant supplier may not bind its customers to buy all or most of their products from it--not even in return for a special discount.

Long-term agreements. Contracts for several years without the possibility of termination may be an abuse, as by their nature such agreements restrict mobility of customers, and competition in the market is already somewhat restricted by the mere presence of a dominant company.

Tying. Agreements that include requirements not directly linked to the subject of the agreement are not allowed. Thus, a dominant supplier may not make it a condition for supplying product X that the customer should also buy product Y.

Refusal to supply. Somewhat simplistically put, a dominant company is obliged to supply anyone who wants to buy from it. However, the undertaking may set up reasoned, nondiscriminatory, and objectively justified criteria for supply. For example, an undertaking may require orders to amount to a certain minimum, or refuse to supply a bad payer on credit terms.

Dissimilar business terms (discrimination). A dominant undertaking may not discriminate amongst its customers without being able to demonstrate fair and objectively justified grounds. This applies not only to prices as set out above but also to other terms of delivery.

CONCLUSION
Infringing European competition law rules may severely damage a company's reputation and result in the imposition of substantial fines. In addition, a company may incur civil liability in the context of a lawsuit if a competitor or a customer has suffered damages as a result of illegal behaviour. Last but not least, key agreements may be unenforceable if they are at odds with competition law.

Companies therefore all need to be sensitive to any circumstances that may fall within the sphere of European competition law. Questions about European competition law are often difficult to answer, and you should consult your company's lawyer if in any doubt.

CMP300-a72en

Antitrust: Overview
COURSE HANDBOOK

CMP300-a72en: Antitrust: Overview

Introduction

Dealing with Competitors
I. The Existence of an Agreement
II. The Restraint Must Affect Interstate Commerce
III. The Agreement Must Unreasonably Restrain Trade

Dealing with Customers, Suppliers, Dealers, and Distributors
I. Price Restraints
II. Nonprice Restraints
III. Illegal Tying Agreements

Price Discrimination
I. Elements of a Price Discrimination Violation
II. Defenses to a Price Discrimination Claim
III. Buyer Liability

Monopolization
I. The Relevant Market
II. Measuring Monopoly Power
III. Deliberate Anticompetitive Conduct
IV. Attempts to Monopolize
V. Conspiracy to Monopolize
VI. Joint Ventures

Mergers and Acquisitions
I. Mergers Between Competitors
II. Efficiencies and Synergies
III. Mergers Between Noncompetitors

Copyright 2005 LRN, The Legal Knowledge Company


Introduction
This handbook is designed to provide a summary of the most important antitrust laws. It first addresses how antitrust laws affect dealings between competitors. It then addresses how the antitrust laws affect the relationships between sellers of goods and services, and their customers, suppliers, dealers, and distributors. It then focuses on the concept of price discrimination. Finally, the handbook briefly discusses monopolization and monopoly power, as well as mergers and acquisitions. You should keep in mind that the antitrust laws are complex and subject to a number of exceptions and special situations that cannot be covered in a brief treatment of this kind. Applying even the most basic legal principles to any particular situation can be highly complicated. It is important, then, to remember that this handbook does not provide any advice or guidance about what you should do in a particular situation. You should always be sure to get such advice from your company's lawyer.

Dealing with Competitors


The Sherman Act is the main antitrust law in the United States, and the primary antitrust law that governs dealings between competitors. The Sherman Act makes illegal any agreement that affects interstate commerce and that restrains trade.

The Sherman Act prohibits agreements between competitors, whether open or subtle, to fix prices or otherwise gain an advantage over other competitors. Some agreements among competitors are always considered illegal, no matter how well-intentioned the agreements and regardless of their effect on customers. Other agreements are not always illegal, but their legality depends on their effect on consumers.

I. The Existence of an Agreement


In the context of an antitrust violation, a written or explicit agreement is not necessary to prove the existence of an agreement. There is no need for a handshake or even a knowing wink. Understandings may be unspoken and often do not require verbal communication. Example 1: Four bicycle manufacturers simultaneously adopt one standard for building a component part of their competing products. Then they all raise their prices.

August 13, 2007



It is unlikely that four companies would adopt a standard and raise prices simultaneously without an agreement. Therefore, even if there is no proof of an actual meeting or discussion, the price hike might be considered an illegal agreement. Parallel behavior exists when one competitor changes prices and other competitors follow, often in the same direction and in the same amount. While parallel behavior is not necessarily illegal, if there are other facts tending to suggest that the parties conspired to set prices, those facts could show the presence of an illegal agreement. For example, if any of the following exist, coupled with parallel behavior, there might be an antitrust violation:

regular communications between the parties about prices or market conditions
a history in the industry of price-fixing
anything else tending to suggest motives to agree

Generally, the more a company can document that it made its decision independently and for good business reasons, the more likely that its parallel conduct will not be found to be unlawful.

Example 2: Three cellular phone manufacturers sell phones through retail stores. A fourth sells on the Internet. All four announce within three weeks of each other that they are going to adopt one of two competing technological innovations. They all select the same one. Later, they each announce price increases in the trade press, as they have in the past. Additionally, the company that sold on the Internet starts selling only through retail stores. This conduct could be evidence of an illegal agreement. There is parallel pricing activity, plus other factors (announcements of the price increase, and a company changing its sales channel to conform to its competitors' sales channels). Also, there is no apparent evidence of any independent justification for the common conduct.

II. The Restraint Must Affect Interstate Commerce

Before it is illegal under the antitrust laws, the conduct in question must have an effect on interstate commerce. Federal courts have been quite liberal with the requirement to prove an effect on interstate commerce.

Example 3: Universal Hospital, which serves a metropolitan area bordering three states, claims that competing Five Lakes Hospital, in violation of antitrust laws, conspired to block its expansion. Five Lakes Hospital claims there is no effect on interstate commerce, and therefore there can be no violation of the antitrust laws. Five Lakes is probably wrong about the effect on interstate commerce because almost every agreement that restrains trade has an effect on interstate commerce. Universal Hospital probably serves patients from other states and receives payments from out of state. Therefore, the conduct probably has an effect on interstate commerce.

The point to remember is that it does not matter how local the operation is. If interstate commerce is affected, a business's conduct can be regulated under federal antitrust laws.

III. The Agreement Must Unreasonably Restrain Trade

There are two basic kinds of agreements that unreasonably restrain trade:
- agreements that almost never benefit consumers and almost always restrain trade
- agreements whose legality depends on whether they harm competition in a market and hurt consumers, or whether they promote competition and benefit consumers

There are certain agreements that are always illegal because they always, or almost always, harm competition to the detriment of consumers. These types of agreements are referred to as per se violations of the antitrust laws. In other words, they are automatically illegal, and little or no factual inquiry is made to determine whether the agreement promotes or harms competition. Among these types of agreements are
- agreements that affect price
- market (customer or territory) allocations
- group boycotts and other refusals to deal

Example 4: CarCo and AutoCo are the two main sellers of automobiles in the United States. They both sell in all 50 states. They agree to allocate territories. CarCo will sell only in the East and AutoCo only in the West. They can prove this will reduce their costs and lower prices for consumers. The companies have violated the antitrust laws because an agreement to allocate territories is always illegal. The fact that consumers may benefit from lower prices is irrelevant.

There are other types of agreements that may or may not be illegal, depending on whether the conduct hurts or promotes competition. For example, two competitors might enter into a joint venture to develop a new product and agree to sell it together.

Example 5: Two competitors enter into a joint venture to develop a new product and agree to sell it together. They use the same sales force and sell the product at a single fixed price. The legality of the conduct depends on whether the procompetitive advantages such as expanded choices for the consumer, lower prices, or expanded services or options outweigh any harm to consumers from this arrangement.

The bottom line is that agreements among competitors that allow companies to better compete are not necessarily unlawful. Still, such agreements may be unlawful if a court determines that they harm competition more than they benefit consumers.

A. Agreements that are always or almost always illegal

There are a number of types of agreements that almost always harm competition. They include
- price-fixing and bid rigging--an agreement among competitors that has the purpose of setting prices.
- agreements on terms of sale--agreements to use uniform or standard trade-in allowances, cash down-payment requirements, discontinuation of free service, and limitation of discounts.
- agreements on costs--agreements among competitors concerning internal costs and charges that are not line items paid by customers but are included in the price charged.
- market allocation--competitors agree to divide up certain potential customers or create geographic areas in which they will not compete.
- output restrictions--agreements that affect the production or sale of a company's products.
- group boycotts and other refusals to deal--competitors agree not to deal with another competitor or someone who is attempting to become a competitor.

Example 6: Sam's Skirts and Don's Dresses buy clothing from some of the same manufacturers and sell the clothing at their retail stores. Sam's and Don's do not buy all the same products. However, when they buy identical products, they do not always pay the same prices. Sam's and Don's agree to mark up girl's dresses 105% above the wholesale prices charged to them by the manufacturers. Even though Sam's might be paying a different price than Don's for the same dress, the 105% markup agreement is still illegal because it restrains the independent pricing decision of a competing seller of the dress.

Example 7: PharmoCo and MedicineCo make aspirin. Each has a 40% market share. They agree to run their factories no more than 30 hours per week. This agreement is illegal because by limiting the time the factories run, output is restricted, and less aspirin is produced. This could lead to lower aspirin supplies in the market, higher prices, and damage to competition.

B. Group activities

Certain group activities, such as trade associations and joint buying or selling agreements, are relatively common and, when properly organized, make companies better competitors. However, sometimes these group activities violate the antitrust laws. Examples of legal and illegal group activities include
- industry self-regulation--industry-wide groups organized to address common problems whose solutions frequently benefit consumers.

- trade associations--an organization of competitors in a particular industry that looks after the collective interests of its members, through such actions as petitioning Congress and state governments and making consumers aware of the industry's products.
- associations' denial of membership--associations refuse membership to certain kinds of companies or competitors, or expel a member because of some misconduct.
- covenants not to compete--employment contracts that spell out a period of years after the termination of employment during which the employee agrees not to compete.
- information exchanges--competitors exchange price information, as well as other information.
- joint buying agreements--competitors agree to buy input ingredients used to manufacture or create the products they sell.

Example 8: A trade association of companies that manufacture men's suits collects and disseminates data showing the prices charged by each company to its customers. This conduct is likely illegal. Once each company knows how much the other charges, it can raise prices to the same level. This hurts competition.

Example 9: Global Corporation is asked by Beta and Delta Corporations to increase its prices by 5% at a trade convention. Global's representative refuses to do so and walks away. Beta and Delta vote Global out of the association. This boycott is illegal because it is done to advance a price-fixing conspiracy between Beta and Delta.

Dealing with Customers, Suppliers, Dealers, and Distributors


Antitrust issues can arise from a number of manufacturer-dealer activities, including
- pricing
- discounts
- cooperative advertising allowances

As with dealings between competitors, dealings with customers, suppliers, dealers, and distributors are also governed by the Sherman Act.

I. Price Restraints

A. Resale price maintenance

Manufacturers and their dealers often communicate about the price the dealer will charge when it resells the product to the consumer. In antitrust law, if a manufacturer and its dealer agree on the price the dealer will charge, the agreement is called resale price maintenance. (The same is true if a wholesaler or other entity in the distribution chain enters into such an agreement with its dealers.)

In some cases, a manufacturer might want to require all its dealers to sell at a price no lower than a specific amount. For example, the manufacturer might say that no dealer may sell the product for less than $10 per unit. This is called minimum resale price maintenance. It's sometimes used, for example, to encourage retailers to invest in the type of decor, customer service, and other amenities often associated with high-end products.

On the other hand, a manufacturer might want to require its dealers to sell its product at or below a certain price--for example, no more than $10 per unit. This is called maximum resale price maintenance. It's sometimes used, for example, to help increase sales volume by keeping consumer prices low.

For many years, both minimum and maximum resale price maintenance were considered automatically illegal under federal antitrust law. That rule has changed, however, and both forms of resale price maintenance may now be considered legal under federal law, but only if the conduct benefits consumers more than it harms them.

Example 10: Universal Oil Company is a major gasoline refiner that sells gasoline by long-term contract to independently owned service stations. Universal includes in its contract with the stations a provision forbidding the stations from reselling regular grade gasoline at a price less than $3.00 per gallon. This arrangement may violate federal antitrust law if it harms consumers (for example, by keeping prices high) more than it benefits them (for example, by preventing price wars that could drive some dealers out of the market and thus reduce competition).

You should note, however, that resale price maintenance is still automatically illegal in some states. Therefore, even if a particular arrangement is legal under federal law, it may still violate applicable state antitrust laws. Consult your company's law department if you have any questions.

In addition, the rules regarding resale price maintenance apply to arrangements between manufacturers and their dealers. If, for example, a manufacturer enters into an agreement with another manufacturer to set prices, that agreement will be considered price fixing, which is automatically illegal under federal law and could subject those involved to civil and criminal penalties.

B. Suggested resale price

Generally, a manufacturer does not violate antitrust laws if it merely suggests a resale price to its dealers. That is because to violate the antitrust laws, there must be an actual agreement. A suggestion is not an agreement. Still, manufacturers should avoid the appearance that they are forcing dealers to adopt the suggested resale price. Therefore, they shouldn't:
- threaten dealers with termination or other sanctions for not following the suggested resale price
- police or attempt to enforce dealer pricing
- publicize the termination of dealers to other dealers
- make retaliatory price increases
- take any other form of coercive action against a dealer

If a dealer follows the manufacturer's pricing policy and any of these five things have occurred, what started out as a "suggestion" may be considered resale price maintenance and could violate antitrust laws, depending on how it affects consumers.

C. Other pricing activities and price-related restraints

Even if a manufacturer does not expressly agree with its customers on the resale price, a manufacturer's actions can still influence the resale price. Not all influence on resale prices is illegal, however. If a manufacturer causes lower retail prices and increases its ability to compete with other sellers, the conduct in question probably doesn't violate antitrust laws. One common example occurs with promotion plans--such as when a car manufacturer offers its dealers rebates if they buy cars during a certain month.

Example 11: CarCo, an automobile manufacturer, offers buyers a $1,000 rebate if they buy in the month of March. CarCo does not sell cars directly to consumers but, rather, through car dealerships. This promotion plan is probably legal. The dealerships can charge whatever they want for the cars. The rebates help to lower prices, but the manufacturer has not imposed a requirement that the dealers price at a certain level.

Although promotion plans are generally legal, the final determination of whether they unreasonably restrain trade depends on whether the manufacturer is using the promotional program to force its dealers to offer the product at a particular price and, if so, how those actions affect consumers. When a manufacturer can show that its rebates and promotions actually lower retail prices and increase the manufacturer's ability to compete with its rivals, the courts are likely to find the programs to be legal.

Some manufacturers reimburse their dealers if they advertise the manufacturer's products. If these reimbursements, called cooperative-advertising allowances, are applied equally to all the manufacturer's participating dealers, they are usually legal. However, a manufacturer should not use the allowance to force an agreement on price. Forcing an agreement on price through the use of cooperative advertising could be illegal.

Example 12: Flamerock, a tire manufacturer, has a suggested retail price of $99.99 for steel-belted radials. Flamerock also offers all its dealers a rebate of $5.00 per tire if the dealer advertises the tires in full-page ads in the Sunday newspaper. The only dealer that does not sell the steel-belted radials for $99.99 is a discounter that advertises prices of $74.99 for these tires. Flamerock refuses to pay the discounter the $5.00 rebate unless it raises its price. By refusing to pay the rebate, Flamerock is attempting to coerce the price-cutting dealer to raise prices. If the dealer does so, the manufacturer's actions could violate the antitrust laws, depending on how they affect consumers.

II. Nonprice Restraints

In addition to the price restraints and price-related restraints discussed earlier in this handbook, a number of other arrangements between manufacturers and their distributors and dealers can violate antitrust laws. These include
- limiting a dealer to a certain territory or to a particular customer
- exclusive dealing arrangements

These types of arrangements are not automatically illegal. The key questions in determining whether these arrangements are illegal are
- whether they help the manufacturer to compete with other competing manufacturers (called interbrand competition--see the discussion below) and, therefore, benefit consumers
- whether the arrangements/restrictions ultimately harm consumers

A. Interbrand and intrabrand competition

Competition by one manufacturer against another is called interbrand competition. Antitrust laws are very concerned with promoting interbrand competition. Competition within a brand (for example, by two dealers selling an identical product) is called intrabrand competition. Antitrust laws are less concerned with intrabrand competition.

Example 13: Two soft drink manufacturers compete to sell their product to a national theater chain. Competition between them is interbrand competition.

Example 14: Two distributors of a single brand of beer are trying to sell beer to a local bar. Competition between these distributors is intrabrand competition.

Still, if the restraint is actually an agreement between competitors--for example, an agreement to carve up territories or customers between competitors--the restraint will violate the antitrust laws.

Example 15: Gas station owners who market gasoline for Universal Oil Company approach Universal to try to convince it that one of its dealers is expanding into their territories. Accordingly, they ask for territorial limits and Universal agrees. This agreement would be illegal because a group of competitors--the gas station owners--seeks to enter into agreements to hurt one of their competitors.

B. Territorial restraints

Usually, a manufacturer wants its distributors to compete against the distributors of other manufacturers, not among themselves. The manufacturer benefits when its dealers win sales that might have gone to other manufacturers, not when one of its dealers beats out another of its dealers for the same sale. As a result, manufacturers want to restrict the amount of competition that occurs among dealers of their own products.

C. Customer restrictions

When a dealer is restricted to selling to certain customers, the legality of the restrictions will depend on whether the restriction helps the manufacturer compete against other manufacturers (interbrand competition).

Example 16: Clearview, a window manufacturer with a 20% market share, sells through dealers. It divides its customers between its dealers, Acme and Beta. This is probably legal because the customers have alternative window suppliers who make up the other 80% of sales. The allocation between the two dealers thus does not harm interbrand competition and, in fact, may promote interbrand competition, because the Clearview dealers can focus on getting sales from other manufacturers' dealers without having to compete with other Clearview dealers.

D. Exclusive dealing

Sometimes, manufacturers prohibit their dealers from selling competing products (products not made by the manufacturer). In these situations, they enter into exclusive agreements. There are two main types of exclusive dealing arrangements:
- exclusive distributorships, in which there is an agreement between a manufacturer and a distributor to sell only the products of the manufacturer
- requirements contracts, in which the buyer agrees to purchase its entire need for a particular product or service from one seller

Exclusive distributorships usually carve out a territory where the dealer is the manufacturer's chosen outlet. Exclusive distributorships also limit the dealer's ability to carry competing products.

Example 17: Universal Oil Company has entered into franchise agreements with a number of local service stations in California to provide gasoline. The franchise contracts require the service stations to purchase all their gasoline only from Universal. Universal has engaged in exclusive dealing by entering requirements contracts with these service stations.

The key issue with exclusive dealerships and requirements contracts is whether they prevent competitors of the manufacturer or supplier from offering competing products for sale to a significant share of consumers. If the answer to this question is yes, prices for that product are usually driven up. Because price increases harm consumers, the agreement is probably illegal.

Example 18: Gasolia is a small oil company that has entered into franchise agreements with 10% of the independent service stations in California to provide a supply of gasoline. The franchise contracts require the service stations to purchase their gasoline only from Gasolia. Because Gasolia can require only 10% of the local independent service stations in California to purchase their gasoline needs from them, their contract is probably legal and will not raise antitrust concerns. That is because with only 10% of the stations under contract, other oil companies can still find outlets for their gasoline. Interbrand competition is not harmed.

E. Tying

A tying arrangement occurs when a seller refuses to sell or lease a particular product (called the tying product) unless the buyer also agrees to purchase or lease another product (called the tied product) from the seller.

Example 19: Big Soap refuses to sell toothpaste to grocery stores and pharmacies unless they also buy its toothbrushes. By imposing this requirement, Big Soap basically is forcing retailers to buy Big Soap toothbrushes rather than those of other manufacturers. This is a tying arrangement. The tying product is the toothpaste, and the tied product is the toothbrush.

Tying arrangements cause two competitive problems. First, when the seller of the tying product (for example, toothpaste) is the dominant seller of that product, it uses its dominance to sell the less-desirable tied product to consumers (for example, a toothbrush) and forecloses another seller from making the sale. Second, tying arrangements tend to force all other manufacturers of tied products (for example, a toothbrush) to develop the tying product (the toothpaste) as well in order to compete with the manufacturer attempting to tie. These problems usually make it harder for competitors to compete effectively. It might increase their costs or discourage them from trying to compete for sales in the first place. Consequently, such conduct is illegal under the antitrust laws.

Example 20: Universal Muffler, the maker of the dominant muffler product in the United States with an 85% market share, requires retail muffler shops to purchase its automobile batteries when purchasing its mufflers. This conduct is an illegal tie. Other automobile battery makers are hurt because they cannot compete for sales. Also, if the other battery manufacturers want to compete, they would have to start selling mufflers, and they may be unable to do so.

III. Illegal Tying Agreements

Not all tying agreements are illegal. Several factors affect whether a particular tying arrangement violates the law. Tying can be illegal when all four of the following things are present:
- There are at least two separate products.
- The seller is refusing to sell one product without the other.
- The seller has a certain amount of dominance (market share) in the tying product.
- The tie affects a nontrivial amount of commerce in the tied product.

A. At least two separate products

Sometimes, the question of whether two items constitute separate products is difficult to answer. In those cases, the most important question to ask is whether sufficient separate demand exists to justify treating the products as separate.

Example 21: ShoeCo requires retail shoe stores to buy shoes in pairs--it will not sell a single right shoe or a single left shoe. This is obviously not an illegal tie. Consumers do not think of right and left shoes as two products. So requiring the purchase of both is legal.

B. The seller is refusing to sell one product without the other

The second requirement, the seller's refusal to sell the two products separately, is usually easily met because sellers often require joint purchases. There is no requirement that a seller announces it is refusing to sell two products separately. A seller's refusal to sell the products separately is usually shown if it offers the two items for sale together only. If the seller offers them separately but at a higher price than if sold as a package, the arrangement usually does not violate the law. However, if the difference in price is great, the arrangement might be considered tying and, therefore, may be illegal. The general rule is that if the package price savings are more than can be justified by a seller's cost savings, the arrangement can violate antitrust laws.

Example 22: PharmCo sells an acid-reflux reduction drug to pharmacies and has a 75% market share. It sells the drug at $15 per 100 pills. It also sells an antidepressant drug for $20 per 100 pills. Pharmacies that buy the two drugs as a package are given a substantial discount on the package and are charged $20 for 100 pills of each. This may be an illegal tie. Although PharmCo is willing to sell the two drugs separately, its pricing policy may force pharmacies to purchase both drugs.

C. Market share or dominance

If the seller has the ability to raise prices (often measured by market share), it probably has market power. The uniqueness of a tying product may also indicate market power.

Example 23: MedCo has 70% of the market for hospital-quality thermometers. Because MedCo's market share is so large, it probably has market power coming from its 70% market share, and the market power requirement is met.

D. The tie affects a nontrivial amount of commerce

The last requirement of a tying arrangement is that the amount of commerce affected by the arrangement is nontrivial. This is usually easy to prove, because it is normally measured in dollars rather than market share.

Example 24: The Fore Company manufactures golf clubs. It sells its clubs directly over the Internet. It requires buyers of its clubs to purchase a dozen golf balls with every purchase. The total value of these golf ball sales, if accounted for separately, would be $27,000 per year. This is probably a nontrivial amount of commerce.

Price Discrimination
Price discrimination basically means selling the same product at two different prices. Most of the laws and rules we will be discussing in this section of the handbook arise from the Robinson-Patman Act, which prohibits certain discriminatory pricing activities.

I. Elements of a Price Discrimination Violation

Under the Robinson-Patman Act, it is unlawful to discriminate in price between different purchasers of commodities of similar grade and quality. A company violates the price discrimination provisions of the Robinson-Patman Act if all of the following apply:
- The same seller makes two or more sales to two different purchasers.
- The sales are made at about the same time.
- The sales are of tangible goods (not services).
- The sales are of similar grade and quality.
- Different prices are charged.
- The goods are for use in the United States.
- At least one of the sales involves interstate commerce and crosses state lines.
- The difference in price causes competitive injury.

Price discrimination laws apply, however, only if the purchasers are resellers rather than end users of the product.

A. Two completed sales to two different purchasers

Only completed sales can violate the Robinson-Patman Act. Offers to sell and refusals to deal do not constitute violations.

Example 25: Universal Textiles makes denim material and sells it to companies that manufacture and sell blue jeans. Universal offers Yardex a price of $10 per square yard. It offers the exact same material to Global for $11 per square yard. Global refuses to buy the product at the higher price, claiming it is discriminatory. Because there have not been two completed sales to two different purchasers, price discrimination liability cannot exist.

B. Reasonably close in time

For sales to be reasonably close in time, they need not be made at precisely the same time. However, the more time that passes between sales, the less likely it is that a price discrimination violation has occurred.

Example 26: Universal, Inc., a manufacturer of stereo equipment, sells its equipment through a nationwide network of retail dealers. Universal offers its top 10 dealers a price on stereo receivers of $200 per unit. Initially, Universal does not offer this price or even this product to its remaining 30 dealers. Two weeks later, when it has additional inventory available, Universal offers and sells the identical receivers to the remaining 30 dealers at a price of $300 per unit. Universal may have violated the price discrimination laws. It has charged two different prices for the same product. Although these sales are two weeks apart, they were made so close in time that Universal probably engaged in price discrimination.

C. Sale of commodities

The Robinson-Patman Act applies only to the sale of commodities. Generally, commodities are tangible products. The Robinson-Patman Act does not apply to real estate or intangible items. Intangible items include things like
- securities
- mutual fund shares
- medical services
- cable television service fees

Example 27: Accountants, Inc., prepares taxes for individuals at mall locations throughout the United States. It charges $250 per hour to prepare a federal return in New York and $350 per hour to prepare a federal return at its stores in New Jersey.

Accountants, Inc., does not sell a tangible product--it sells a service. Therefore, it is exempt from the price discrimination laws and cannot be liable for a price discrimination violation.

D. Similar grade and quality

The Robinson-Patman Act applies only to products of like (similar) grade and quality. If there are major physical differences between the products sold, the price discrimination laws do not apply. However, sales of products with minor physical differences that do not affect whether customers will choose one product over another are covered by the Robinson-Patman Act.

Example 28: Universal Oat Corporation sells two oat flour products, one with a higher bulk content of oats than the other, for two different prices. The manufacturing costs for both products are the same. However, in the marketplace, there is greater consumer acceptability for the higher bulk oat product. Under the price discrimination laws, because there is a physical difference between the products, the products will not be considered like (similar) grade and quality. Therefore, Universal Oat Corporation can sell these products at two different prices without violating the antitrust laws. This is true even though the manufacturing costs are the same.

E. With a different price

Any price difference is price discrimination. However, charging the same price to two customers is never price discrimination under the Robinson-Patman Act even if the seller's costs of selling to one purchaser are much higher than those of selling to the other.

Example 29: Chicken Farms, Inc., has its only plant in the southeastern United States. Chicken Farms, Inc., sells chicken at one price to all supermarkets throughout the United States. It costs Chicken Farms, Inc., substantially less to sell in the Southeast than in other regions because the delivery costs are lower on deliveries in the Southeast. Chicken Farms, Inc., has not engaged in price discrimination. The price discrimination laws are concerned solely with whether there is a difference in price to buyers. The seller's costs are irrelevant.

1. Availability of discounts

When a claimed discriminatory price is functionally available, in other words, accessible to all customers (even if those customers do not take advantage of the price difference), the seller has not charged two different prices and has not engaged in price discrimination.

Example 30: Car Co. manufactures automobiles and sells them through a nationwide dealer network. It offers a new car model to its dealers at different prices depending on the volume purchased. Dealers buying 2,000 units can buy at a price of $14,000 per vehicle. Dealers buying 3,000 units can buy at a price of $13,000 per vehicle. The volume discounts are available to all Car Co.'s dealers. Car Co. has not engaged in price discrimination because it has made its price discounts functionally available to all its dealers.

2. Functional discounts

Functional discounts are sometimes an exception to price discrimination laws. A functional discount is a discount provided to companies that perform a distribution role in the supply chain. Manufacturers often sell to distributors (sometimes called middlemen or wholesalers) that resell the products to retail stores that ultimately sell to consumers. The distributors themselves bear the costs of hauling and storing the products, customer billing, and so forth. Sometimes, manufacturers also sell directly to some retail stores. In this situation, the manufacturers bear such costs.

Requirement of competitive injury


Only price discrimination that may substantially injure competition violates price discrimination laws. Injury to competition generally is found either at the seller's level (primary-line injury) or at the customer level between favored and disfavored customers (secondary-line injury). Primary-line injury typically involves a company that unfairly prices its products to destroy a business rival. In these cases, the company's objective is to eliminate competition, or render it less effective, and, thereby, gain and exercise control over prices.

Example 31: Universal Router has a 72% market share for Internet routers, which move data across the Internet. Its chief rival is Global Data. Global Data has a 12% share, and its three biggest customers buy most of its routers. Universal Router cuts its own price to these three customers by 50%, attempting to put Global out of business. Any injury to Global Data is primary-line injury because it is harm caused to one of Universal Router's competitors.

A company causes primary-line injury when:
- it sells its product at prices that are below its costs
- the company reasonably expects to recoup its losses resulting from below-cost pricing

When some customers are forced to pay higher prices than their competitors, this is called secondary-line injury.


Example 32: Medco sells medical thermometers to four competing hospitals. Three of the hospitals are charged $6 per unit. One of the hospitals is charged $7 per unit. Medco has engaged in price discrimination, and the injury to the hospital that paid $7 per unit is a secondary-line injury because it involves price discrimination between competing purchasers.

If the companies being charged different prices are not in competition with each other, no secondary-line injury exists.

Example 33: Medco sells thermometers to four different hospitals. Three of the hospitals receive a price of $6 per unit and the fourth receives a price of $7 per unit. The fourth hospital is 60 miles from the closest of the three other hospitals. The three other hospitals are within five square miles of each other. The issue here is whether the fourth hospital actually competes with the three other hospitals. If patients are unlikely to view the fourth hospital as a substitute for going to one of the three other hospitals, the fourth hospital does not compete with the other three, and there is no secondary-line injury.

G. For use in commerce within the United States


The Robinson-Patman Act applies only to sales that are in commerce. This means that one of the sales must cross a state boundary. However, an intrastate sale can satisfy this requirement if it falls within the stream of interstate commerce, which is almost always the case. In addition, many states have price discrimination laws that prohibit price discrimination for sales that occur wholly within the state. Still, the price discrimination laws do not apply to sales outside the United States. For price discrimination laws to apply, there must be two sales that involve products for use, consumption, or resale within the United States. Any price discrimination involving sales to foreign countries is not subject to the Robinson-Patman Act.

Example 34: Montana Computer Sciences, Inc., sells desktop computers to retail computer stores in Montana and Canada. For the same product, Montana Computer charges one price to stores in Montana and a different price to stores in Canada. Because both sales are not for use, consumption, or resale within the United States, the price discrimination laws are inapplicable.

II. Defenses to a Price Discrimination Claim


There are three reasons why a seller is allowed to price discriminate:
- cost justification
- meeting competition
- changed conditions

Any one of these reasons is an absolute defense to a charge of price discrimination.


A. Cost justification
A seller may charge different prices to different purchasers when the different prices are justified by savings the seller obtains for cost of manufacture, delivery, or sales. For example, if it costs more to ship to a particular buyer than to other customers, the seller may pass along the increased cost (but not more) to the buyer in the form of a higher price. The additional cost and resulting price increase, however, must be carefully documented. Example 35: A manufacturer plans to charge a different price to its customers based on their distance from its factory. This price difference is unrelated to shipping costs and is based on the manufacturer's perception of "what each market will bear." This pricing plan, if implemented, may be unlawful price discrimination under the antitrust laws.

B. Meeting competition
When a seller, in good faith, offers a lower price to meet a competitive price offered by another supplier, the offering of the lower price does not violate the price discrimination laws. Example 36: Universal Cola, Inc., sells cola products to distributors in California. For years, Universal sold to customers all over the state at the same price. In 2000, however, Global Cola, Inc., began selling cola products in southern California at a price 10% lower than Universal's products. Universal immediately dropped its price 10% in southern California, thereby setting up a seemingly discriminatory price structure between its northern and southern California distributors. If Universal was, in good faith, lowering its prices in southern California to meet Global's prices, Universal's conduct does not constitute illegal price discrimination.

C. Changed conditions
Price discrimination laws permit price differences due to changing conditions that affect the market or marketability of a product. For example, price differences can often result from the perishable nature of goods, the obsolescence of seasonal goods, distress sales under court process, or going-out-of-business sales.

Example 37: Universal Glass, a maker of glass bottles for alcoholic spirits, is going out of business. Prior to the announcement of its going-out-of-business sale, Universal sold its bottles at a uniform price of 6 cents per unit. When Universal announced it was going out of business, it dropped its price to 3 cents per unit.

III. Buyer Liability


The price discrimination laws also make it illegal for a buyer to knowingly induce a seller to discriminate in price. Example 38: A group of distributors of automotive parts forms a group buying organization that successfully obtains large-volume discounts from various suppliers, but does not otherwise create any cost savings for the seller from joining together. Each of the group members knows that the sole function of the group buying organization is to obtain a better price than the price offered to competitors that are not part of the group.

Monopolization
If a company becomes the dominant firm in its industry, it can face potential problems because it can be considered a monopoly under the antitrust laws. But how dominant is "too dominant" for purposes of the antitrust laws? As a general rule, a company has obtained illegal monopoly power if both of the following are true:
- It has obtained the power to control prices or exclude competition.
- It has engaged in deliberate anticompetitive conduct designed to acquire or preserve monopoly power.

Still, not all monopolies are illegal. Achieving a monopoly through lawful means, such as having a superior product, is legal. However, if a company either unlawfully obtains a monopoly, or lawfully obtains a monopoly but then unlawfully maintains the monopoly, such conduct will violate antitrust laws.

Example 39: Global Operations Corp. manufactures neon signs. Solely because of the superiority of its products, Global controls 85% of the neon sign market. Gadget Corp., Global's main competitor, files a lawsuit alleging that Global has gotten too big and is a monopolist. Global has not violated the antitrust laws. There is nothing illegal about being big and having an 85% market share, as long as Global achieved this market share because it had superior products.

Two questions should be asked to determine whether a company has obtained an illegal monopoly:
- Does the company have a monopoly, in other words, the power to raise prices or exclude competition?
- Has the company engaged in unlawful conduct to acquire or maintain that monopoly?

The power to control prices and the power to exclude competition are related, because a company's ability to control prices usually depends upon its ability to exclude its competitors or otherwise injure another company's ability to respond to price changes. Example 40: RocketGas, a gas station, is located within one-quarter mile of three other gas stations. It raises its prices 10%. The competitor gas stations do not raise prices.


RocketGas does not have the ability to control prices and, therefore, does not have monopoly power.

I. The Relevant Market


Monopolies exist in specific markets. Usually, one can't determine whether a monopoly exists without first defining the market in which the monopoly may exist. In the context of monopolization, relevant markets consist of both of the following:
- A product or service
- A geographic scope

A. Product or service markets


To define a product or service market, one must identify the competitors that offer the same or similar products or services. Example 41: DogAppeal is the largest seller of dry dog food in the United States. DogAppeal has an 80% share of the dry dog food market but does not sell canned dog food. When canned dog food is included in the market, DogAppeal's share of the product market of dry and canned food combined is only 40%. Whether canned dog food is included in the dog food market in general or is a separate market depends on the answer to one simple question--if prices of dry dog food go up, will enough consumers switch to canned dog food that the price increase will cause dry dog food sellers to lose money? If the answer is yes, then the dog food market consists of dry dog food and canned dog food. If the answer is no, there are separate markets for dry dog food and canned dog food.

B. Geographic markets
A geographic market is determined in much the same way a product market is determined. When determining geographic markets, it is important to know:
- whether consumers will buy from sources farther away than a narrow geographic area (the geographic market is the region from which consumers will turn to buy products in the face of a price increase)
- whether sellers may be willing to ship goods greater distances in the face of a price increase from a rival (when a rival raises prices in one region, this may allow a seller an opportunity to begin shipping goods to take advantage of the higher market prices)

Example 42: The price of baked goods goes up in one city. Bakeries in another city, 80 miles away, normally don't ship their goods to the first city because the distance is too great. If bakeries in the second city decide to ship goods into the first city in response to the price increase by the bakeries in the first city, the second city's bakeries might then be in the same geographic market.


II. Measuring Monopoly Power


Measuring a firm's ability to control prices or exclude competition is not easy, and courts make great use of market share data to determine to what extent a company could do so. Market share data is often expressed as the percentage of sales a company makes of a specific product. For example, if CarCo sells 40,000 cars in the United States and a total of 100,000 cars are sold in the United States, CarCo has a 40% market share.

Example 43: A wheat farmer in South Dakota typically produces 6,000 bushels of wheat per year. He sells his wheat to a local flour mill and to a company that sells the wheat abroad on the world market. The farmer's wheat accounts for three percent of the wheat available to the flour mill at current prices and one-millionth of a percent of worldwide wheat. The South Dakotan farmer will not have market power. There is virtually nothing he can do to control prices either on a worldwide market or even to the more captive local buyer. If the farmer withholds his wheat from the marketplace, the flour mill likely could obtain the three percent the farmer supplied from other existing sources who, like the farmer, were selling their surplus into the broader world market for wheat.

Although market share is one indicator of monopoly power, it is not the only indicator. Other factors to consider when assessing whether a monopoly exists include:
- barriers to new competitors entering into or expanding in the market
- cost advantages from sheer size or technological advantages
- stability of market shares of competitors over time
- pricing trends

Of these factors, barriers to entry is probably the most significant. Therefore, if the barriers to entry are very low, in other words, a new competitor could easily enter the market, a business probably does not have monopoly power even if it has a 100% market share.

Example 44: A beauty salon operates in a small town. The same town has a beauty salon school that attracts aspiring candidates from throughout the tri-state area and has a number of locations from which a beauty salon could operate. The closest competitor salon is a one-hour drive away. Customers will not drive that far to have their hair cut. Even though there is one beauty salon in town and customers would not travel to the next town, the presence of the beauty salon school shows that there is no shortage of skilled workers in town. Additionally, there are several potential sites for other beauty salons in the small town. These facts indicate that entry into the business is probably easy enough that it constrains the prices of the current salon and that the barriers to entry into the town's beauty salon market are low. The current salon cannot control prices or exclude competition because new entry would defeat any attempt to do so. The beauty salon does not have monopoly power.

III. Deliberate Anticompetitive Conduct


For a company to have illegal monopoly power, it must undertake some deliberate anticompetitive conduct. Deliberate anticompetitive conduct does not mean that a would-be monopolist adopts practices that it believes will result in monopoly power. The monopolist's intent to achieve a monopoly is not as important as the effects of its actions. It is enough that the conduct does one of the following:
- Unreasonably restricts consumer choices and is anticompetitive
- Tends to exclude others from the market, without being designed simply to make the company a better competitor

Example 45: Universal Software is the maker of the nation's most popular PC operating system software, with 98% of sales. It refuses to sell its operating system software to customers unless they also buy its word processing program. Universal Software's practice may be illegal because it has monopoly power, and it has taken a deliberate act that restricts consumer choice of word processing software.

There are no hard-and-fast rules for determining illegal monopoly power, and each case will turn on its own facts. In fact, there are different kinds of anticompetitive conduct that, coupled with market power, are illegal under the antitrust laws. Such conduct includes things like:
- predatory conduct
- refusals to deal
- denial of access to an essential facility
- monopoly leveraging

A. Predatory conduct
Predatory conduct is behavior that would not be economically rational for the company, except for its adverse effect on competition. Example 46: Clearview, a manufacturer of glass bottles for alcoholic beverages, is flush with cash due to successfully investing its corporate stock portfolio in Internet company stocks. Clearview's other two competitors are not so fortunate. Clearview decides to enter into long-term contracts that feature prices 40% lower than the prices it currently charges. These prices are well below the cost of manufacturing and distributing its products. It believes that its two competitors will not be able to compete very long in light of its prices and will likely go out of business, after which Clearview intends to raise prices. This conduct might be found to be anticompetitive and illegal. Although lowering prices could be seen as procompetitive, selling below cost is not necessarily procompetitive if, after eliminating existing competitors, Clearview raises prices, thereby hurting consumers.


B. Refusals to deal
In general, a company has the right to refuse to deal with anyone. However, there is an important exception to this broad rule. The right to refuse to deal does not apply if the refusal is done to create or maintain a monopoly. Example 47: The only newspaper publisher in a city has 70% of local advertising sales and refuses to permit businesses to advertise in its newspaper if those same businesses advertise over radio or television stations in its circulation area. This newspaper's advertising policy is probably illegal. If the newspaper's share of advertising sales were less, the result might be different. For example, if it were 10%, then stores would not be compelled to limit their advertising to the newspaper, and competitive choice would not be eliminated.

C. The essential facilities doctrine


Another type of refusal to deal is known as the essential facilities doctrine. Under this doctrine, monopolization occurs when the monopolist owns something that is necessary to compete in a market and refuses its competitors access to it. By denying them the essential facility, the owner can dominate a different market downstream of the facility.

Example 48: Telco is the local telephone company in the state of East Dakota and is a regulated monopoly there. Telco also offers long-distance telephone service. EDP competes with Telco in long-distance service in East Dakota. It seeks access over Telco's local lines to reach customers directly. Telco refuses, saying that the local lines belong to it. Telco's refusal to allow EDP access is probably illegal. Telco is denying access to lines it owns, but it is using its stranglehold over local service to exclude competition in long-distance service. Absent a good business reason, this probably violates the antitrust laws.

For a denial of access to an essential facility to violate the antitrust laws, four things must be present:
- The monopolist must control an essential facility.
- A competitor must not be able to practically or reasonably duplicate the essential facility.
- The monopolist must deny use of the facility to a competitor.
- It must be feasible for the monopolist to provide the facility.

D. Monopoly leveraging
Similar to the essential facility doctrine is monopoly leveraging. Monopoly leveraging is using monopoly power in one market to monopolize or attempt to monopolize in another market. Courts disagree as to whether monopoly leveraging is legal and under what circumstances it might be illegal.

Example 49: Universal Cable, a cable television company, develops its own all-sports network channel. At the same time, Universal switches the desirable channel number (Channel 7) of Sportsfan, an all-sports network it carries, to an undesirable location in its system, Channel 101. Sportsfan complains that Universal is using its monopoly over the cable distribution system to harm competition in the market for all-sports television in the geographic areas served by Universal. Universal's switching of Sportsfan's channel might be illegal in some circumstances. Consult your company's law department if you have any questions on this issue.

IV. Attempts to Monopolize
Another way for a company to violate the antitrust laws, even when it fails to accumulate monopoly power, is by attempting to monopolize. A company can be guilty of attempting to monopolize if all the following are present:
- The company engages in predatory or anticompetitive conduct.
- The company's specific purpose is to monopolize.
- The company has a dangerous probability of achieving monopoly power.

V. Conspiracy to Monopolize
Two or more firms can agree to conduct their business in ways that tend to control prices or exclude competition. A company conspires to monopolize when all the following are present:
- The company agrees with others to undertake acts.
- The company intends to monopolize (control prices or exclude competition).
- The company undertakes some overt act to carry out the agreement.

To conspire to monopolize, it is necessary to have the goal of achieving the power to control prices or exclude competition. This contrasts with monopolization in general, when all that is necessary is that the monopolist intends to take the action it takes--it does not need to intend that the consequences lead to market power. Example 50: Two manufacturers of fine china agree to raise barriers to entry in their business by requiring that their dealers (department stores and stores selling high-end household items) not carry any other brands but their own. Together they have on average 70% of fine china sales. Each sends out a notice to its dealers announcing that the company is considering changing the exclusivity of the dealer relationship.


The manufacturers have conspired to monopolize. The two companies have a high market share, they have entered into an agreement to hurt rivals, and they have taken steps to enforce the conspiracy.

VI. Joint Ventures
Joint ventures between corporations often present different kinds of monopolization issues. A joint venture can take many forms, but, generally, it is a contractual relationship between two separate companies to form a corporation, partnership, or some other legal entity through which they conduct some form of business. Companies enter into joint ventures for many reasons. In addition, a joint venture differs from an ordinary contract between two companies because it usually involves something more than an arm's-length agreement. As a general rule, the antitrust laws are not concerned with the corporate structure of a joint venture. However, one of the goals of the antitrust laws is to make sure that joint ventures limit competition only to the extent necessary to achieve a procompetitive benefit. Calling an agreement between competitors a joint venture will not avoid antitrust liability if the goal or result is to unnecessarily limit competition. To avoid antitrust liability, a joint venture between competitors must not only provide a competitive benefit, but it must also not hurt competition more than the value of the benefit it provides. In addition, the joint venture must not hurt competition between its parties any more than necessary to obtain the procompetitive benefit.

Example 51: Two cosmetics companies decide to pool their research and development (R&D) resources to develop a longer-lasting lipstick that will not smudge. They believe collaborating will bring a new product to market 50% faster. They set up a joint research venture avoiding integration of their other activities (for example, blush and mascara) so that their trade secrets are not revealed. They also agree to jointly market the new lipstick product. The joint marketing probably causes the joint venture to be illegal. Unless the parties could not undertake the venture without joint marketing, this marketing should be kept within each competitor's separate business unit (like their other products) to avoid antitrust liability. The joint marketing makes it more likely these companies will agree on price or other aspects of lipstick sales. This could have an anticompetitive effect because it restricts each company's independent decision making.

Mergers and Acquisitions


The Clayton Act, the federal statute used most often to challenge mergers, prohibits any merger that substantially lessens competition or tends to create a monopoly. The fundamental concept to keep in mind in connection with mergers and acquisitions is that competition tends to keep prices in check. When the Department of Justice (DOJ) or the Federal Trade Commission (FTC) evaluates a proposed merger, it applies issued Merger Guidelines describing:
- how the FTC or DOJ will evaluate a merger
- how it will assess the likelihood that prices might rise after a merger
- how it will evaluate the likely competitive responses that might undermine the success of such a price increase

The Merger Guidelines tend to be the last word on the criteria to evaluate whether a merger presents a competitive problem. For the small number of mergers that result in lawsuits, the courts often use the Merger Guidelines to review any antitrust implications.

I. Mergers Between Competitors


Mergers between competitors can lead to the creation of monopoly or market power. Monopoly power is the power to control prices or exclude competition. A number of factors are important in evaluating whether a proposed merger threatens to lessen competition:
- The relevant product market definition
- The relevant geographic market definition
- The analysis of market share and market power
- The likelihood of adverse competitive effects
- The likelihood of timely and sufficient new entry into the market
- Efficiencies or cost savings that would lead to price decreases

II. Efficiencies and Synergies


Mergers are also undertaken to achieve efficiencies or synergies. Efficiencies and synergies mean:
- savings that lower the cost of producing or distributing a product
- savings that otherwise permit the merged company to cost-effectively produce more of the product than the two companies combined could before the merger

If the cost of producing or distributing the product goes down, the company's output of the product will generally go up, because, presumably, the company would pass those savings on to consumers in the form of lower prices. The theory behind this is that the company could earn more profit with a lower price and increased output than it could by keeping the additional profits per unit sold and not increasing its output. Example 52: Two companies that make car batteries operate at only 40% and 45% of their plants' capacities respectively. By combining their operations into one plant, they will save $2.25 per unit of output by eliminating redundant systems, workers, and combining their equipment more efficiently than either could do alone.


III. Mergers Between Noncompetitors


Because antitrust laws focus on whether mergers substantially lessen competition, mergers between companies that do not compete usually do not raise antitrust issues, and government enforcers are likely to let them pass without challenge. However, there are two types of mergers between noncompetitors that U.S. antitrust enforcers tend to carefully review:
- mergers between potential competitors
- so-called vertical mergers

A. Potential competitors
If two companies do not currently compete, their merger can still lessen competition if it removes a company that planned on expanding into the other's product or service or into the other's geographic market. Whether competition will suffer depends on the government's analysis of the same factors it uses in evaluating mergers between actual competitors:
- The relevant product market definition
- The relevant geographic market definition
- The analysis of market share and market power
- The likelihood of adverse competitive effects
- The likelihood of timely and sufficient new entry into the market
- Efficiencies

In short, the framework for analyzing a merger between potential competitors and actual competitors is generally the same. The differences come into play when applying the guidelines to the acquisition of a company that does not have existing sales. Therefore, the DOJ and the FTC evaluate:
- whether the relevant product and geographic markets are highly concentrated
- whether there are other likely potential entrants

B. Vertical mergers
A vertical merger is the acquisition of a company's source of supply or source of distribution.


Example 53: QuickServe, a fast-food restaurant chain, purchases a company that processes beef into hamburger patties. The purchase is vertical because beef processors supply hamburger patties to fast-food restaurants.

Often, vertical acquisitions can save money and streamline operations. They generally do not lessen competition and can often make the acquiring company a more effective competitor. In some circumstances, vertical mergers can harm consumers, however. If, as a result of a vertical merger, a company can more easily achieve any of the following things, the merger may substantially lessen competition by:
- foreclosing competitors from access to a substantial share of the market
- forcing a new entrant to enter at both the level of the acquiring company and at the level of the acquired supplier or distributor
- obtaining sensitive information about the acquiring company's competitors by acquiring a company that supplies those competitors
- enabling the acquiring company to evade regulations of a government regulatory agency by using the acquisition of its supplier to increase its costs

In each of these situations, the vertical merger is said to have horizontal effects. That is, it affects competitors of the firm doing the acquisition.


ANTITRUST: HOW MERGERS AND ACQUISITIONS ARE REVIEWED


INTRODUCTION
When two companies merge, antitrust issues may arise. When two competing companies merge, the presence of antitrust issues depends on how much competition remains after the merger. Mergers between companies that do not compete, or mergers that probably would not lessen the amount of competition among the remaining competitors, generally don't raise antitrust issues no matter how large the merger and how much money is involved.

The Clayton Act, the federal statute used most often to challenge mergers, prohibits any merger that substantially lessens competition or tends to create a monopoly. We'll discuss each of these bold-face terms in more detail later in this Handbook. However, the fundamental concept to keep in mind is that competition tends to keep prices in check. To illustrate this concept, consider the following. Sellers of products and services generally want to make the highest profits on sales possible. Up to a point, raising prices will increase profits. At some point, however, the price increases will result in lost sales to competing sellers and, in turn, lost profits. Thus, if a merger lessens competition (that kept prices in check) so that a seller can increase prices above premerger levels, the merger probably will be deemed illegal.

Because it is more difficult to break up merged companies after the fact than it is to stop the merger in the first place, the Department of Justice (DOJ) and the Federal Trade Commission (FTC) are allowed to screen mergers for antitrust concerns before they are completed. The premerger notification process (often called Hart-Scott-Rodino) applies to acquisitions of all sorts, including acquisitions of company stock or assets, and acquisitions by or from individuals, partnerships, and corporations.
When the DOJ or the FTC evaluates a proposed merger, it applies Merger Guidelines that they have issued describing -o o o how the FTC or DOJ will evaluate a merger, how it will assess the likelihood that prices might rise after a merger, and how it will evaluate the likely competitive responses that might undermine the success of such a price increase.

If prices probably will not rise, and competition will remain intact after the acquisition, the merger is likely to go unchallenged. Most mergers that qualify for FTC or DOJ review do not raise any significant antitrust issues, so most agency reviews are terminated quickly. Even when a merger does present antitrust issues, the agencies usually resolve their concerns without litigation by requiring the parties to dispose of certain assets (subsidiaries, plants, brands, or intellectual property) so as to restore the competitive conditions that existed before the merger. Still, a small percentage of mergers result in a court challenge by the agency.

Because the FTC and DOJ undertake much of the merger review, their Merger Guidelines tend to be the last word on the criteria to evaluate whether a merger presents a competitive problem. For the small number of mergers that result in lawsuits, the courts often use the Merger Guidelines to review any antitrust implications. The purpose of this Handbook is to acquaint you with the issues that can arise in connection with mergers between competitors, as well as the types of competitive concerns raised by mergers of noncompetitors, and to provide an overview of the means the government uses to enforce these laws. You should keep in mind that determining whether a merger violates the antitrust laws depends on the unique facts and circumstances of each particular situation. The broad scope of these circumstances cannot be covered in a brief treatment of this kind. It is therefore important to keep in mind that this Handbook does not provide any advice about what you should do in a given situation. Make sure you always seek such advice from your company's lawyer.

MERGERS BETWEEN COMPETITORS


Mergers between competitors can lead to the creation of monopoly or market power. Monopoly power is the power to control prices or exclude competition. Let's take a look at the concept of competition and how mergers can affect competition. Competition tends to keep prices in check. Mergers can lessen competition and, hence, loosen constraints on prices because, by purchasing one's competitor, one removes that competitor from the marketplace. If a merger removes a competitor whose effect in the market was to keep prices low, prices probably will rise as a result of the loss of competition. The acquiring company and its remaining competitors at that point probably could raise prices above the levels that existed before the merger. This is the classic case of how a merger can lessen competition.

Example 1: Two boat rental companies operate on a small island. East Side Rental and West Side Rental compete for customers from all across the island. Recently, East Side raised prices, but West Side did not follow suit. West Side received considerably more business following East Side's price hike, and East Side lost revenue. West Side then agreed to buy East Side. After the acquisition, West Side probably can raise prices without losing revenue. The existence of two boat rental companies created competition by keeping in check the price consumers would pay for boat rental services. The FTC or DOJ might challenge this merger because, after the merger, prices will likely increase.

Just because a competitor leaves the marketplace does not mean that the market will no longer be competitive. Whether a market remains competitive after a merger depends on whether remaining competitors exist and whether they are capable of competing on price, quality, and other terms of competition in the industry. Thus, if ten other boat rental companies existed on the island in the previous example, the loss of one through acquisition would not clearly lead to a price increase and might not, therefore, violate the antitrust laws. The following factors are important in evaluating whether a proposed merger threatens to lessen competition --

o the relevant product market definition,
o the relevant geographic market definition,
o the analysis of market share and market power,
o the likelihood of adverse competitive effects,
o the likelihood of timely and sufficient new entry into the market, and
o efficiencies or cost savings that would lead to price decreases.

We'll explain each of these factors in this Handbook.

II. The Relevant Market


To determine whether companies compete and, therefore, whether an acquisition might lessen competition, one must first define the market in which they compete. A lessening of competition in that market can lead to the creation of a monopoly; when a company has monopoly power, it has power over a market. A relevant market has two dimensions: a product or service and a geographic scope. To determine the boundaries of either the product or the geographic market, the Merger Guidelines we discussed earlier use a test that identifies the sellers in particular areas that are currently keeping prices in check. The guidelines do this by first identifying the narrowest category of product or service overlap between the merging parties. In other words, in a merger between margarine manufacturers, the government will not initially focus on a broader category such as all spreads used on toast or all fats used in cooking; its first focus will be on margarine. Then, using industry data, the government will assume a small but significant increase in the price (usually 5%) of that product. If the data show that the price increase would cause consumers to switch to alternate products, then firms producing those additional products are included in the market. So, in our margarine example, if increasing the price of margarine causes a nontrivial number of consumers to switch to butter, the market includes butter as well. We'll take a look at both dimensions more fully below.

A. Product and service markets


Sellers generally sell products or services. Some products create natural markets because they are distinct enough not to have adequate substitutes. One example is golf balls. If the price of all golf balls went up 5% tomorrow, golf ball consumers probably wouldn't switch to some other kind of ball to play golf. Therefore, golf balls probably constitute a product market. If one golf ball manufacturer bought a sufficiently large number of its competitors, then, absent entry by new competitors, the acquiring golf ball manufacturer would likely be able to raise prices above preacquisition levels. Defining the market in other product and service areas can be more difficult. Therefore, it is important to start with as narrow a definition of the product as possible. For example, if two drugstore chains merge, they may lessen competition in the sale of some products but not others.

Drugstores sell many products, from prescription medications to pencils. In the sale of some of these products, the chain could have market power postmerger. In the sale of other products, it might not. To block the merger, there need be only one overlapping product in which competition might be lessened.

Example 2: Universal Drugs, a national drugstore chain, agrees to buy a regional drugstore chain, Swenson's Pharmacy. Universal and Swenson's are the only drugstores available to consumers in a 25-mile radius. Both drugstore chains sell school supplies. The government receives complaints that the merger will lessen competition in the sale of school supplies. School supplies are also sold by mass merchandisers, discount stores, arts and crafts stores, and grocery stores located within the same 25-mile radius. The market for school supplies probably includes more than just drugstore sales. Because school supplies can be bought from a mass merchandiser or from an art supply store within the geographic area in which the drugstores sell, the merger may not remove enough competition to allow the acquiring drugstore to raise prices or to exclude competition after the merger. Therefore, the merger probably does not violate the antitrust laws as far as school supplies are concerned. More facts would be needed to make this determination, however.

Example 3: Universal Drugs, a national drugstore chain, and Swenson's, a regional drugstore chain, are the only two companies that sell prescription drugs in a 25-mile radius. Universal agrees to buy Swenson's. Unless some new competitor will enter the market and sell prescription drugs in the area, the FTC or DOJ may challenge the merger, because the product market is prescription drugs and the price of prescription drugs could go up after the merger.

In determining whether products or services compete with each other, it is useful to consider how interchangeable the products are in terms of function. The key consideration here is how consumers view the interchangeability of those products. In fact, two items that are completely interchangeable in terms of function might still not be in the same market if consumers do not consider them to be interchangeable.

Example 4: The two largest fine furniture stores in the country, Truecraft and Handiworks, decide to merge. The average price of a chair produced by the merging parties is $800. In an effort to convince the government antitrust enforcers investigating the merger that they will not be able to raise prices after the merger in a proposed market for chairs, Truecraft and Handiworks point to 150 other manufacturers of chairs, including manufacturers of folding chairs, lawn chairs, and metal and vinyl-covered chairs used by party centers and caterers. Chairs made by these companies cost, on average, $20. Although a lawn chair could substitute for a fine chair handcrafted by the merging companies in the sense that it serves the purpose of providing a place to sit, the two products clearly do not compete. The prices for cheap lawn chairs do not constrain prices for fine handcrafted chairs.

Another way to define a product or service market is to examine whether producers can switch from making a slightly different product to making the one that is the subject of the antitrust review. If producers can switch their manufacturing to the product in question with relative ease and within a short time following a merger, those companies that can switch would be included in the product market even if they do not currently produce the product. The fact that a producer can switch production to the product in question probably keeps prices in check premerger and likely would continue to do so following the merger.

Example 5: Two fine chairmakers, Handiworks and Truecraft, claim that SofaSoft, a sofa maker that currently does not make chairs, should be included in the market for fine chairs because it could convert from making upholstered sofas to making upholstered chairs by making minor changes to its equipment and by using many of the same fabrics and materials. Furthermore, the skills necessary to construct a sofa are comparable to those necessary to construct a chair. SofaSoft probably is in the market for fine chairs.

B. Geographic markets
In addition to defining a product or service market, the geographic market in which the merging parties compete must be defined. After doing so, one could find that there is no competitive overlap because the merging partners occupy geographically separate markets and are using the merger to expand into new geographic areas. If that is the case, no antitrust violation would result.

Example 6: Burt's Ice Cream Company sells ice cream cones at stands throughout the southeastern United States, but does not sell north of southern Virginia. Softswirl sells ice cream cones at stands in the northeastern United States, but does not sell south of Pennsylvania. Although both companies sell the same product, their territories do not overlap geographically. Therefore, they do not compete in the same market, and it is unlikely that consumers in either geographic market would view them as competitors.

The size of a geographic market depends on the distance consumers will travel to obtain the product in question. If two competitors currently serve the same customer base, they probably occupy the same geographic market.

Example 7: Joe's Pizza and Fred's Pizza are pizza restaurants that operate within one-quarter mile of each other in a suburb of a large city. Joe decides to sell his restaurant to Fred. There are three additional pizza restaurants within two miles of the merging restaurants. Assuming the sale of pizza through restaurants is a distinct service, separate from the sale of food through other kinds of restaurants, the issue here is the size of the geographic market surrounding these two restaurants. To determine if the market is broad enough to include the other three restaurants, one would need to evaluate industry data to see if the other three restaurants serve customers in the same geographic area. For example, one might look at the delivery areas they serve or at data from credit card sales to see where customers live.

The presence of overlapping customers is not the only indicator of a single geographic market. Often, a restaurant whose customer base lies just beyond another's will constrain the prices of the first restaurant.

Example 8: If the customer base of Joe's in the previous example is contained in a one-mile radius around his restaurant, and the same is true for the restaurants two miles away, the customer bases for these restaurants basically bump up against each other. Any price increase at Fred's restaurant might cause customers at the edge of his customer base to patronize one of the other restaurants two miles away from Fred's. If Fred buys Joe's restaurant, a postmerger price increase by Fred might cause some of his customers to patronize the other restaurants. If so, those other restaurants could keep prices in check in the future. Thus, the three other restaurants should be included in the same geographic market.

One must also analyze the distance a seller will ship a product when determining a geographic market. If a seller would increase the distance it ships a product in response to a general increase in prices, the seller should be included in the same market.

Example 9: Kitty Food, a regional cat food producer, does not ship into New England because the cost of shipping from its plant is too high for it to make an adequate profit there. If the prices for cat food in New England went up enough to justify the additional cost, Kitty Food might find it worthwhile to sell into that geographic area. Therefore, Kitty Food should be included in the New England geographic market.

III. Market Share and Market Power


After defining the product or service market and geographic market, one must determine whether the merger will lessen competition. If, after the merger, the merging companies likely will have the ability to control prices or exclude competition, the merger may violate the antitrust laws. Because measuring whether a company has the ability to control prices or exclude competition is not always easy, courts and the government antitrust enforcement agencies make liberal use of market-share data to determine to what extent a company could begin to control prices or exclude competition. High market shares tend to suggest market power.

Example 10: A farmer in southern Illinois plants corn and usually produces 10,000 bushels per year. He sells the corn to a local corn-oil processing plant and to companies that sell the corn abroad on the world market. The farmer's corn accounts for one-millionth of a percent of the worldwide corn supply and two percent of the corn used by the corn-oil processor. This farmer will not have market power because, if he raised his price, numerous substitute suppliers could sell to his buyers. The farmer would likely not sell a single kernel of corn if his prices were out of line with the market overall. This is an example of low market share.

Example 11: Four companies make soaps and other toiletries for sale to hotel chains. Soap companies bid against each other for contracts to supply individual hotel chains. One company is the largest, with 50% of sales. Another company is known as the most aggressive price discounter in its bids. The large company agrees to buy the company known for discounting prices, whose share of the market is 10%. When a company with 50% of the sales in a market purchases another that has 10% of sales, serious antitrust questions will arise. This merger will be scrutinized to see whether the remaining competitors can keep in check any price increases by the new, larger soap company. This is particularly true because the purchased company was known as a price discounter that gave hotel chains a price alternative.

Two different tests are used to evaluate whether a specific market share confers market power on the merged company. The courts generally use a four-firm concentration test. Under this test, if the top four firms in a market collectively possess a 70% share of the market, the merger of any two of the top four firms is likely to create market power and, therefore, generally would not be permitted. Accordingly, the higher the market concentration, the more likely it is that high market share will lead to market power.

Example 12: MedCo has a 40% share of the sales of kidney dialysis machines, the largest share of all the companies that sell these machines. There are ten companies that sell these machines. The next largest competitors after MedCo have shares of 15%, 13%, and 10%. MedCo buys the company with the 10% share. Under the four-firm concentration test, the four firms with the highest market shares premerger have 78% of the market (40% + 15% + 13% + 10%). The market is highly concentrated, and the merger between MedCo and the company with 10% of the market is likely to confer market power.

Under the Merger Guidelines' standard, the DOJ and the FTC evaluate concentration by using a statistical measure called the Herfindahl-Hirschman Index (HHI). The HHI is the sum of the squares of the market shares of every firm in the relevant product and geographic market. This index is then evaluated against thresholds developed by economists.

Example 13: There are ten firms competing in a market for the manufacture and sale of lawn mowers in the United States. Each has a 10% share. The premerger HHI is the sum of the squares of the market shares: 10 squared, or 100, for each of the ten firms, so 100 x 10 = 1,000.

The government then measures how much the HHI will change as a result of the merger. The postmerger HHI, together with the change brought on by the merger, determines whether the merger is presumed to create market power. The increase in HHI can be quickly determined by taking the market shares of the two merging parties, multiplying them by each other, and then doubling that number. Thus, if two merging companies have respective market shares of 5% and 10%, the merger would increase the HHI by 100 points: 5 (market share of first firm) x 10 (market share of second firm) x 2 = 100. The shortcut is exact because the merged firm's squared share replaces the two separate squared shares, and (a + b)^2 - a^2 - b^2 = 2ab.

The government will generally challenge a merger if the postmerger HHI is above 1,800 and the merger increases the index by more than 100 points. In contrast, the agencies will likely not challenge a merger if --

o the postmerger HHI is between 1,000 and 1,800 and the increase is less than 100 points; or
o the postmerger HHI is above 1,800 but the increase is less than 50 points.

When the postmerger HHI is less than 1,000, the merging companies will probably avoid antitrust scrutiny altogether because the relatively large number of competitors probably can preserve competition after the acquisition. Although the HHI approach can seem mechanical, it is used mainly as a screening device: it identifies which mergers should be investigated more thoroughly for genuine anticompetitive effects rather than settling that question by itself.
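The HHI arithmetic above and the four-firm concentration test from Example 12, written out as a small screening script. This is an added example and not part of the LRN Handbook: the thresholds are the ones the Handbook states, the share tables are constructed to mirror Examples 12 and 13 (every competitor name other than MedCo is made up), and treating a postmerger HHI that sits exactly on a boundary as belonging to the higher band is an assumption the Handbook does not address.

```python
"""HHI and four-firm concentration screen for a proposed horizontal merger.

Added example, not the Handbook's own material. Thresholds are the ones the
Handbook states; the market-share tables below are constructed to match its
Examples 12 and 13 and are not real data.
"""
from typing import Dict

# Screening thresholds as stated in the Handbook (HHI points, shares in percent).
HHI_UNCONCENTRATED = 1000.0      # below this: merger probably avoids scrutiny
HHI_HIGHLY_CONCENTRATED = 1800.0
DELTA_SAFE_MODERATE = 100.0      # 1,000-1,800 band: increase under 100 likely unchallenged
DELTA_SAFE_HIGH = 50.0           # above 1,800: increase under 50 likely unchallenged
CR4_MARKET_POWER = 70.0          # four-firm concentration ratio used by the courts


def validate(shares: Dict[str, float]) -> None:
    """Shares are percentages: non-negative and summing to at most 100."""
    if any(s < 0 for s in shares.values()):
        raise ValueError("negative market share")
    if sum(shares.values()) > 100.0 + 1e-9:
        raise ValueError("market shares exceed 100%")


def hhi(shares: Dict[str, float]) -> float:
    """Herfindahl-Hirschman Index: the sum of every firm's squared share."""
    validate(shares)
    return sum(s * s for s in shares.values())


def four_firm_ratio(shares: Dict[str, float]) -> float:
    """Combined share of the four largest firms (CR4)."""
    return sum(sorted(shares.values(), reverse=True)[:4])


def merged_shares(shares: Dict[str, float], a: str, b: str) -> Dict[str, float]:
    """Postmerger share table: firms a and b are replaced by one combined firm."""
    post = dict(shares)
    post[f"{a}+{b}"] = post.pop(a) + post.pop(b)
    return post


def hhi_delta(shares: Dict[str, float], a: str, b: str) -> float:
    """The Handbook's shortcut: twice the product of the two merging shares.

    Exact because (a + b)**2 - a**2 - b**2 == 2*a*b.
    """
    return 2.0 * shares[a] * shares[b]


def screen_merger(shares: Dict[str, float], a: str, b: str) -> Dict[str, object]:
    """Apply the Handbook's HHI thresholds and the four-firm test to one merger."""
    pre = hhi(shares)
    post = hhi(merged_shares(shares, a, b))
    delta = post - pre
    # Full recomputation and the shortcut must agree; a mismatch means bad input.
    if abs(delta - hhi_delta(shares, a, b)) > 1e-6:
        raise AssertionError("HHI change does not match the 2*a*b shortcut")

    # Assumption: a value exactly on a boundary is treated as the higher band.
    if post < HHI_UNCONCENTRATED:
        verdict = "unconcentrated: likely no scrutiny"
    elif post < HHI_HIGHLY_CONCENTRATED:
        if delta < DELTA_SAFE_MODERATE:
            verdict = "moderately concentrated: likely not challenged"
        else:
            verdict = "moderately concentrated: closer review (no presumption stated)"
    else:
        if delta < DELTA_SAFE_HIGH:
            verdict = "highly concentrated: likely not challenged"
        elif delta > DELTA_SAFE_MODERATE:
            verdict = "highly concentrated: likely challenged"
        else:
            verdict = "highly concentrated: closer review (no presumption stated)"

    top4 = [n for n, _ in sorted(shares.items(), key=lambda kv: kv[1], reverse=True)[:4]]
    cr4 = four_firm_ratio(shares)
    # Assumption: the Handbook's "a 70% share" is read as 70% or more.
    cr4_market_power = cr4 >= CR4_MARKET_POWER and a in top4 and b in top4

    return {"pre_hhi": pre, "post_hhi": post, "delta": delta, "hhi_verdict": verdict,
            "cr4": cr4, "cr4_market_power": cr4_market_power}


# Constructed share tables mirroring the Handbook's examples (names invented).
EXAMPLE_13_SHARES = {f"Mower{i}": 10.0 for i in range(1, 11)}   # ten firms at 10% each
EXAMPLE_12_SHARES = {"MedCo": 40.0, "DialCo": 15.0, "RenalTech": 13.0, "Target": 10.0,
                     "E": 5.0, "F": 5.0, "G": 4.0, "H": 4.0, "I": 2.0, "J": 2.0}

if __name__ == "__main__":
    print(hhi(EXAMPLE_13_SHARES))                               # 1000.0
    print(screen_merger(EXAMPLE_13_SHARES, "Mower1", "Mower2"))  # delta 200, closer review
    print(screen_merger(EXAMPLE_12_SHARES, "MedCo", "Target"))   # delta 800, likely challenged
```

Note that the script deliberately reports "closer review" where the Handbook states no presumption (a moderately concentrated market with an increase of 100 or more, or a highly concentrated one with an increase between 50 and 100) instead of guessing an outcome. The numeric thresholds are those of the Merger Guidelines in force when this Handbook was written; the agencies raised them in their 2010 revision, so the constants should be checked against the current Guidelines before relying on the output.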

IV. Potential Adverse Competitive Effects of Mergers


A merger can result in two primary adverse competitive effects. First, with one fewer competitor, the remaining competitors can more easily coordinate prices or enter into conspiracies. The second and more subtle effect is an increased ability to institute a unilateral price increase resulting from the loss of competition from the particular competitor that was purchased. This is called a unilateral effect. With a unilateral effect, the harm to competition does not depend on interaction with other competitors, but stems from the removal of a competitor whose presence was the only real alternative choice for consumers. Removing that competitive alternative also removes the force that kept prices in check. As a result, postmerger prices will likely rise for consumers.

A. Coordinated interaction
Whether a merger lessens competition by making it easier or more likely for competitors to coordinate prices or enter into conspiracies depends on postmerger market conditions. Removing competitors could lead to coordinated conduct, particularly if a history of conspiracies to restrain trade exists in the affected industry and the characteristics of the market have not changed. The government probably would challenge a merger if it believes that coordinated conduct would result in such a situation.

Example 14: A dairy in central Ohio finds it difficult to make a profit. A competitor seven miles away agrees to buy it. The two dairies, along with a third dairy, had in the past competed for contracts from school lunch programs to supply milk to the schools. Three years ago, employees of the three dairies were convicted of rigging bids on school lunch program contracts. The market for milk products has been basically flat since that time and, if anything, it is more difficult to make a profit. A merger of the two dairies would likely cause antitrust enforcers to challenge the acquisition. Not only are the competitors being reduced from three to two -- which, in most cases, would lead to higher prices -- but the past conspiracies also indicate that it is more likely that the two remaining firms would coordinate their future conduct.

B. Unilateral effects
With a unilateral effect, a company can raise prices to some or all of its customers after a merger without the assistance or agreement of its remaining competitors, although it could not have done so before the merger. Unilateral effects can occur when products are differentiated. Differentiated means that, in the minds of consumers, there are differences in the product that affect purchasing decisions. For example, corn is not differentiated: consumers buying corn generally do not care which farmer grew it. Consumer products, on the other hand, are differentiated. For example, it is relevant to consumer choice that a product is a premium brand rather than a discount brand. Unlike buyers of an undifferentiated product, consumers of branded products often perceive the merging parties' respective products as their first and second choices. In other words, one seller's brand is a consumer's second choice after the brand of the other seller. If one company owns both the first and second choices in a product market, it can raise the price of the first choice knowing that it will capture some of the resulting lost sales with the second. Premerger, the independent producer of the second choice keeps this from happening. Although some consumers will switch to the third choice or choose not to buy at all if the price of the first choice is raised, if a sufficient number of consumers continue to purchase from the company, the company might be able to profitably raise prices above premerger levels.

Example 15: Pain Ease and Synapse are two of the larger manufacturers of pain relievers and intend to merge. Synapse believed premerger that it could not profitably raise prices because too many of its customers would switch to alternative products, the closest of which is Pain Ease. If Synapse purchases Pain Ease, it could profitably raise the price of Synapse because it would recapture enough of its lost Synapse sales through increased sales of Pain Ease to make the increase profitable.

Unilateral effects can also arise in markets that are not differentiated. Commodities such as the corn mentioned above can also experience unilateral price increases as a result of mergers.

Example 16: On a Hawaiian island there are three oil refineries that refine crude oil into gasoline, which they sell wholesale to gas station dealers. Two of the refineries plan to merge. Together they will have 65% of market sales. No companies on the mainland United States are currently willing to sell to dealers on the island. If the third (nonmerging) refinery is working at capacity -- in other words, it cannot increase its output, which would tend to keep prices in check -- the merged company might profitably increase prices above premerger levels, at least until the point at which the higher prices encourage shipments from the mainland.

For this merger to cause prices to increase on a sustained basis, the third (nonmerging) competitor must be working at capacity, also known as having a capacity constraint. Otherwise, if it could increase its output, more product would be placed on the market, and prices would come down or be kept in check. Prices would also be kept in check if the mainland refiners were willing to ship gasoline to the island from their refineries. If the postmerger price increase made it profitable for mainland companies to ship gasoline to the island, the added supply would likewise keep prices in check and make it unprofitable for the merged company to raise prices beyond a certain point. Absent these conditions, however, the merger could result in a unilateral effect without any assistance from the remaining competitor.

V. Entry
A merger that otherwise could lessen competition might be allowed if it is likely that new entrants to the market will replace the firm acquired in the merger. Before the merger of the gasoline refiners in the previous example, refiners on the mainland were not selling into the Hawaiian market. If they, or anyone else, could enter the market, either by shipping into it or by building a new refinery there, and operate in such a way as to replace the company that was merged out, the merger would not have an anticompetitive effect. Although the government cannot predict with certainty whether new entry would occur after the completion of a merger, it still evaluates the likelihood and sufficiency of entry to determine whether entry would occur in a timely fashion and defeat any attempted price increase resulting from the removal of the merged competitor. To be timely, the entry of a new competitor generally must occur within two years, measured from the time the new entrant considers entering to the time it has a significant impact in the marketplace. For entry to be likely, the government assesses whether entry would be profitable to a new entrant at premerger prices. That way, if prices rise after the merger and a company not currently in the market enters and helps push prices back down to premerger levels, the entrant could still compete at the premerger price. An entrant that cannot compete at premerger prices might not stay in the market.

Example 17: Two bicycle manufacturers agree to merge. The merging companies claim that a sports equipment manufacturer that is not currently making bicycles is a potential entrant to the market. This manufacturer could profitably make and sell bicycles only if bicycle prices rose 5% postmerger. The manufacturer would not be considered a likely entrant because it could not profitably enter at premerger prices; without the 5% increase, the manufacturer could not make a profit.

Even if entry is likely and timely, it must also be sufficient to replace the merged competitor. This means that the new entrant must enter the same product space as the competitor that just departed the market. For example, a maker of dry dog food is probably not in the same product market as canned dog food because many consumers do not buy the two products interchangeably. In addition, for an entrant to counteract a price increase in a specific geographic market or a price increase imposed on a specific class of customers, it must be able to capture sales in that geographic market or from that customer class.

Example 18: While investigating a merger, the government defines a market for the sale of saltwater tropical fish. A potential entrant that sells freshwater species is identified. Whether this seller is a viable entrant depends on its ability to add saltwater fish to its product line. If it is more costly for the seller to maintain saltwater fish, the potential new entrant might not be able to expand profitably into saltwater species postmerger and therefore might not be considered a potential entrant capable of replacing the merged company.

In summary, if new entry after a merger would be timely, likely, and sufficient, such that the competitive force merged out of the market would be replaced, the government would likely allow the merger to occur.

VI. Efficiencies and Synergies


Mergers are sometimes undertaken to achieve efficiencies or synergies. Efficiencies and synergies mean --

o savings that lower the cost of producing or distributing a product, or
o savings that otherwise permit the merged company to cost-effectively produce more of the product than the two companies combined could produce before the merger.

If the cost of producing or distributing a product goes down, the company's output will generally go up because presumably the company would pass those savings on to consumers in the form of lower prices. The theory behind this is that the company could earn more profit with a lower price and increased output than it could by keeping the additional profit per unit sold and not increasing its output.

Example 19: Two companies that make car batteries operate at only 40% and 45% of their plants' respective capacities. By combining their operations into one plant, they will save $2.25 per unit of output by eliminating redundant systems and workers and by combining their equipment more efficiently than either could do alone.

The FTC and DOJ will balance claimed efficiencies against any anticompetitive effects of a merger. If the efficiencies outweigh the anticompetitive effects, the government will allow the merger to proceed. This rarely happens in practice because efficiencies can be difficult to predict with certainty or precision. For efficiencies or synergies to be given credit by a government enforcement agency, they must be --

o substantial,
o verifiable, and
o not capable of being achieved by the parties without a merger (in other words, a less restrictive arrangement such as a joint venture agreement could not achieve the same efficiencies or synergies).

In practice, efficiencies are not likely to compensate for the anticompetitive effects of an acquisition unless those anticompetitive effects are minimal. Efficiencies will almost never justify a merger that creates a monopoly or near monopoly.

VII. Exceptions to Prohibited Monopolies or Near Monopolies


There are two situations in which the government will allow a merger even if it would lessen competition: the failing firm and the failing division. The government allows a failing firm or division to be acquired, despite the anticompetitive effect, because a firm or division that has virtually no chance of being saved from insolvency is not likely to be a competitive force in the future. The government's standard for this exception is high, however. If there is any chance the firm or division could survive without the merger, or any likelihood that it will be acquired by another company that doesn't raise competition issues, the exception probably won't apply.

A. The failing firm


To be a failing firm, the firm must establish that:
o it is unable to meet its financial obligations in the near future;
o it is unable to reorganize successfully under Chapter 11 of the Bankruptcy Act;
o it is unable to obtain a reasonable alternative offer that poses less of a competitive threat than the proposed merger, and has attempted in good faith to obtain such an offer; and
o its productive assets will exit the relevant market if the merger is not approved.

Productive assets include plants, machinery, and any other equipment used to produce the product being sold. It is difficult to prove all these elements in most situations, even when the company being bought is financially unsound.

Example 20: Closeshave and Global Razors, two manufacturers of electric razors, agree to merge. Closeshave has 50% of electric razor sales in the United States. Global, on the other hand, has been unprofitable for eight years, is deeply in debt, and has a flawed business model. Consequently, it cannot reorganize under Chapter 11 of the Bankruptcy Code. Global has tried to find other buyers, but no one wants to buy it. At fire-sale prices, however, two other manufacturers of electric razors with smaller market shares than Closeshave have expressed interest in buying some of Global's machinery. This scenario does not meet the failing firm test because, even though it looks as though Global will fail and cannot turn itself around, its productive assets (its machinery) are likely to stay in the relevant market.

A. The failing division


The failing division defense is similar to the failing firm defense described above, except that it is used in situations in which the acquisition is of only a portion of a company's assets. If the company is seeking to sell a division and the division is failing, it will be treated in much the same way as a failing firm. However, the requirements are a bit different. Specifically, to be failing:
o the division must have a negative cash flow on an operating basis;
o the division's productive assets must be likely to exit the relevant market in the near future absent the acquisition; and
o the company that owns the division must be unable to obtain a reasonable alternative offer that poses less of a competitive threat than the proposed merger, and must have attempted in good faith to obtain such an offer.

Because the company whose division is claimed to be failing has the ability to allocate costs, revenues, and intracompany transactions on its books, the government always requires credible evidence that the division will fail.

Example 21: Thrustco, a maker of jet aircraft and helicopters, is trying to sell its long-troubled helicopter division to a competitor. There are only three helicopter sellers doing business in the United States. Thrustco claims its helicopter division is failing and that, even if its deal is anticompetitive, it should proceed. Thrustco has not separately accounted for the cash flow of its helicopter division in the past because jets and helicopters are manufactured alongside each other using similar processes and materials, commingling those materials. Its sale to a competitor will likely not be approved unless, at the very least, it can produce a proper accounting that indicates the division has a negative cash flow.

MERGERS BETWEEN NONCOMPETITORS


Because antitrust laws focus on whether mergers substantially lessen competition, mergers between companies that do not compete usually do not raise antitrust issues, and government enforcers are likely to let them pass without challenge. However, there are two types of mergers between noncompetitors that U.S. antitrust enforcers tend to review carefully:
o mergers between potential competitors; and
o so-called vertical mergers.

Both of these types of mergers are evaluated to see if they will lessen competition in a relevant market despite the fact that the companies involved do not compete. If competition is likely to suffer, the government may challenge the merger.

II. Potential Competitors

If two companies do not currently compete, their merger can still lessen competition if it removes a company that planned to expand into the other's product or service market or into the other's geographic market. In one sense, many companies could be described as potential competitors. For example, a maker and seller of carbonated bottled water could use its process and distribution to become a maker and seller of carbonated soft drinks. A national chain of pizza restaurants could use its marketing, food preparation, and site location know-how to develop a hamburger restaurant chain or a Mexican-food chain. If the bottled water company we just mentioned has actual plans to enter the soft drink business and a soft drink company enters into an agreement to buy it before it can execute those plans, the antitrust enforcers would treat the acquired bottled water company as if it were already a competitor. The agencies do this because, absent the merger, consumers would have benefited from the additional competitor.

The fact that a company plans to purchase another company that has actual plans to compete with it in the future does not, by itself, mean that the acquisition will substantially lessen competition. Whether competition will suffer depends on the government's analysis of the same factors it uses in evaluating mergers between actual competitors:
o the relevant product market definition;
o the relevant geographic market definition;
o the analysis of market share and market power;
o the likelihood of adverse competitive effects;
o the likelihood of timely and sufficient new entry into the market; and
o efficiencies.

In short, the framework for analyzing a merger between potential competitors is generally the same as for actual competitors. The differences come into play when applying the Guidelines to the acquisition of a company that does not have existing sales. For example, the Herfindahl-Hirschman Index (HHI) we discussed earlier will not work under these circumstances because, to calculate changes to the HHI, the two companies must be selling the same product. Therefore, the DOJ and the FTC evaluate whether the relevant product and geographic markets are highly concentrated and whether there are other likely potential entrants. If the market is highly concentrated under the HHI test we discussed earlier and there are few other potential entrants, the DOJ and the FTC are likely to challenge the acquisition.

Example 22: Transpipe, a natural gas pipeline company, operates a pipeline through which natural gas is shipped to, among other places, Salt Lake City. Transpipe is the only pipeline that serves Salt Lake City. Transpipe agrees to purchase Shipco, the operator of numerous gas pipelines in the southeastern United States -- an area where Transpipe does not currently operate pipelines. Shipco had plans to build a pipeline from the spot where its transmission system ends in the Texas Panhandle to Salt Lake City.

This merger would probably be challenged by the government. First, the market likely would be natural gas delivery to Salt Lake City. Second, there are generally few substitutes for pipelines. Third, Shipco had actual plans to enter the market. Fourth, the market is as concentrated as it can be because there is only one supplier of natural gas that serves Salt Lake City. Based on these facts, it appears that Shipco's competition likely would have brought prices down. There are also high barriers to entry in building pipeline systems. For example, there are rights-of-way to acquire over large territories, as well as regulatory and environmental hurdles.

III. Vertical Mergers
A vertical merger is the acquisition of a company's source of supply or source of distribution.

Example 23: QuickServe, a fast-food restaurant chain, purchases a company that processes beef into hamburger patties. The purchase is vertical because beef processors supply hamburger patties to fast-food restaurants.

Often, vertical acquisitions can save money and streamline operations. They generally do not lessen competition and can often make the acquiring company a more effective competitor. Using the example above, QuickServe's acquisition of the beef-processing company puts its competitors at a disadvantage because QuickServe has been able to lower its costs of production. Lower prices are good for consumers, and the antitrust laws will generally not be used to level the playing field for competitors at the expense of consumers.

In some circumstances, however, vertical mergers can harm consumers. If, as a result of a vertical merger, a company can more easily achieve any of the following, the merger may substantially lessen competition:
o Foreclose competitors from access to a substantial share of the market.
o Force a new entrant to enter at both the level of the acquiring company and the level of the acquired supplier or distributor. This means that new entry may be deterred because the new entrant must enter two lines of business to compete rather than just one.
o Obtain sensitive information about the acquiring company's competitors by acquiring a company that supplies those competitors.
o Enable the acquiring company to evade regulation by a government regulatory agency by using the acquisition of its supplier to increase its costs.

In each of these situations, the vertical merger is said to have horizontal effects. That is, it affects competitors of the acquiring firm.

A. Foreclosing competitors
A company can foreclose competitors from a substantial share of the market as a result of a vertical acquisition of a supplier or distributor in a number of ways. This most commonly occurs when a company buys a supplier that is important to its competitors and then disadvantages those competitors by refusing to sell them supplies or raising supply prices.

Example 24: Gasolia sells gasoline across the United States at gas stations. It purchases Pumpco, the manufacturer and seller of 80% of the gasoline pumps sold to gas stations across the United States. After the acquisition, it raises prices for gasoline pumps by 15% to oil companies other than itself. This vertical merger harms Gasolia's oil company competitors. It will also harm consumers if gas prices are increased as a result of the more expensive gasoline pumps.

B. Forcing entry at two levels


A company can acquire a supplier, a distributor, or even a different but related product to hinder companies trying to enter the market. By bundling its existing product with the product of the company it acquires, the acquiring company can force new entrants to enter into the sale of both products. This makes entry harder, and competition is lessened.

Example 25: Global Software has 90% of the computer operating system software market. It acquires Browser, Inc., a maker of Internet browser software. Browser competes with several other browser software companies. The operating system software and browser software do not compete because they serve different functions. Consumers like how the two software systems operate together on the computer, and Global distributes the two software programs as a single integrated package. Softwrite, another software manufacturer, has been creating a new operating system software to challenge Global's. Because of the introduction of Global's single bundled software product, Softwrite believes it must develop or buy a browser software maker to be competitive with Global.

Note that the acquisition created a bundled single software package that consumers liked. The advantages to consumers brought on by this bundling might be considered an efficiency that tends to justify the merger because the advantages would lead to enhanced consumer satisfaction and more output. However, the merger also negatively impacts new entrants that might challenge Global's 90% share. It is likely that this merger, as posed, would be challenged due to Global's overwhelming dominance.

C. Obtaining sensitive information


If a company acquires its supplier, it may learn significant information about its competitors that also use that supplier. Such information could consist of a competitor's production capacity, scheduled plant downtimes, and other sensitive data. Armed with competitively significant information, a company could choose not to compete as vigorously, assured by the information it acquired from the supplier that its competitors will not have the ability to compete against it. This result is significant because its effect would be similar to an outright agreement among competitors.

Example 26: Global Wings is a manufacturer of jet fighter aircraft that competes with two U.S. companies and a few non-U.S. companies for sales to both U.S. and foreign governments. Global buys three titanium mines that collectively account for 50% of titanium production worldwide. Titanium is an important input for jet fighters. By keeping track of its competitors' purchasing patterns, the titanium mines collect useful information about Global Wings's competitors' overall capacity and about how much of that capacity is committed at various times. A bid for supplying a government customer is upcoming, and Global Wings determines that each of its competitors is utilizing so much of its capacity that it is unlikely that any will be able to submit a competitive bid. Global then decides that it, too, can avoid submitting a competitive bid (even though approximately 50% of its capacity is unused). Without this information, Global would have bid a lower price. Global Wings has, through a vertical merger, gathered secret information about its competitors, and it is using the information to charge higher prices. This acquisition would likely be challenged.

D. Evading regulation
In some industries, such as retail electric power, prices are regulated. Often, prices for the regulated company are set by the appropriate regulatory agency based on the company's reported costs plus an amount the regulatory agency believes is a fair return on investment. However, regulatory agencies do not automatically accept stated costs without inquiry.

Example 27: An electric utility attempts to buy a maker of natural gas turbines that are used to generate electricity using natural gas as fuel. If it increases the price of turbines after the merger, it will likely be able to pass those costs on to customers. This merger might be challenged if the electric utility had the incentive and ability to increase its input costs. For example, if the utility raised the price on turbines overall, it might gain some revenue by increasing its own costs and passing those on in its prices. However, the utility would likely lose turbine sales to other utilities, which would purchase from alternative turbine suppliers. These sales losses could easily exceed the gain from the cost pass-on. If the company selectively increases the prices it charges itself while keeping prices to others lower, it might avoid losing turbine sales, but it would also run some risk that the regulatory agency would not allow it to pass on those selectively increased costs.

MERGER ENFORCEMENT PROCEDURE


I. Federal DOJ/FTC
As discussed earlier in this Handbook, before a merger of any significant size can be completed, government antitrust enforcers are given the opportunity to screen the merger for antitrust problems. In the United States, merging companies must file a Premerger Notification Form that outlines some significant information about the companies involved in the transaction. After the FTC reviews the form for completeness, the DOJ and the FTC determine which of the two agencies will evaluate the merger or acquisition. After a 30-day period for review of the Premerger Notification Form (15 days for tender offers), the reviewing agency either decides to initiate a larger scale investigation, called a Second Request, or permits the merger or acquisition to proceed. A Second Request is a large-scale investigation involving document and data requests that allow the agencies to thoroughly review the acquisition and the affected markets. Once the companies have substantially complied with the Second Request, the reviewing agency has 20 days (10 in the case of tender offers) to determine whether it will file a lawsuit to stop the merger or acquisition.

Sometimes, the merging companies and the government reviewing agency negotiate a compromise that will allow the portions of the merger or acquisition that do not raise antitrust problems to proceed while preserving the competition that would be removed by any troublesome aspects of the proposed merger or acquisition. Sometimes the compromise requires a company to license technology or a brand, or to agree to do or not do something in the future. However, these compromises are generally not favored by the reviewing agencies. Instead, the reviewing agencies generally require more structural relief. What this means is that merging companies must divest businesses or assets to third parties. Before agreeing to such a divestiture, the government will require that those third parties have all the means necessary to compete, thereby replacing the party that is being merged out of existence. Otherwise, the government will probably file a lawsuit to stop the merger.

Example 28: Luigi's Linguine, a processor of wheat into pasta, agrees to purchase Carla's Cavatelli, a competitor. The government is concerned with the degree of concentration of pasta processors, especially in the western United States, where there are fewer competitors. Pasta's weight limits how far it can be shipped economically. For the merger to be approved, the government requires Carla's to sell two of its plants, one in Colorado and one in northern California. The plants must be sold to a buyer that is not already selling in the western United States and that is approved by the government.

Sometimes, a compromise is not possible. If this is the case and the acquisition presents antitrust problems, the agency will seek relief in court -- both the DOJ and the FTC do so by filing a lawsuit to prevent the merger or acquisition. Most companies will abandon a proposed merger or acquisition if the government indicates that it will file such a lawsuit. Even if a lawsuit is not filed before the merger, the government can file a lawsuit years later, claiming that the acquisition(s) monopolized a market.

II. Other Merger Review


State attorneys general (state AGs) and private parties can also file lawsuits to prevent mergers. The state attorneys general usually enforce state antitrust laws, which are similar to federal antitrust laws. It has become increasingly common for state attorneys general to participate simultaneously in the process of reviewing mergers and acquisitions that have an impact in their states. This requires coordination with either the DOJ or the FTC. Often, state AGs review the same documents produced to the FTC or the DOJ and join in any compromise agreement that is negotiated between the federal agencies and the parties. In addition, private parties sometimes seek to stop mergers by filing lawsuits under the same antitrust laws that are enforced by the DOJ and the FTC. Although private lawsuits are uncommon, a number have been attempted in recent years. In addition to the states and private parties, mergers in certain regulated industries are reviewed by the regulatory agencies having jurisdiction over the parties. Some of these reviews are conducted alongside DOJ or FTC reviews.

AVOIDING ILLEGAL COMPETITION


INTRODUCTION
I. The General Nature of Unfair Trade Practices Laws


The law of unfair trade practices promotes and maintains the integrity, fairness, and efficiency of the competitive marketplace by regulating how businesses may treat one another and how businesses may treat consumers. The guiding principle is that society will generally be better off if markets are freely competitive and if consumers can choose between competing products based upon an understanding of the real differences and merits of the products. In maintaining the market's integrity, fairness, and efficiency, courts must balance the interests of businesses, consumers, and the broader public interest. At times, these interests are plainly in harmony (for example, businesses and consumers share an interest in promoting honest advertising in the marketplace), and at other times, there are apparent conflicts (for example, businesses may have an interest in securing monopoly or near-monopoly protection for ideas and trade secrets, whereas the consumers' interest may be in promoting free use of ideas).

Lawsuits between competitors usually involve a contest between the interest in robust competition and notions of fair play. This can be a difficult balance to maintain because the idea of robust competition anticipates that each business wishes to deprive its competitors of their customers and profits. In other words, each business has a legitimate interest in beating out its competitors. Each business is permitted to injure its competitors so long as the business is engaged in competitive activity. It is only when competitive activity exceeds the bounds of fair play that the law steps in.

Lawsuits by consumers against businesses (or lawsuits filed against businesses on behalf of consumers by federal or state agencies, such as the Federal Trade Commission) usually do not involve a balancing of robust competition and fair play. When the plaintiff is a consumer, the only issue is whether the consumer was treated honestly and fairly. A business's interest in competition does not justify misrepresenting facts to consumers or otherwise treating a consumer improperly.

A. The Many Sources of Unfair Trade Practices Law


Courts do not usually resolve unfair trade practices claims by applying the sort of broad generalities just described. Instead, the law has developed more specific legal claims (known as causes of action) with specific facts that must be proven, along with a small number of specific defenses or privileges. This significantly simplifies the effort to distinguish legitimate competition from unfair practices. The creation of specific causes of action with concrete proof requirements is helpful not only to courts in resolving claims, but also to businesses in trying to conform their behavior to the requirements of the law.

The law of unfair trade practices has developed slowly over the last hundred years or so, and the development has not been particularly systematic. The early development took place mostly in state courts under state law. State law causes of action include interference with business relations, trade secret misappropriation, misrepresentation, "passing off," and product disparagement. Federal law developed later; today, federal claims under a law called the Lanham Act include trademark infringement, passing off, and product disparagement. The Federal Trade Commission also has a broadly defined mandate to prevent unfair trade practices.

The law of unfair competition directly affects the way in which businesses compete against each other, and it applies to all types of business decisions and to all levels within a business organization. From decisions about how to compete for contracts with suppliers, employees, and customers, to decisions about major advertising campaigns, the law of unfair competition provides the legal touchstone for fair competitive behavior. Running afoul of the law of unfair competition can be very damaging and expensive to a business. In addition to the possibility of very large damage awards (including punitive damages), time that employees spend involved in litigation is time taken away from a business's core functions. In rare cases, the law of unfair competition can even threaten a corporation's very existence.

This Handbook provides a brief overview of some of the major types of unfair competition, including interference with business relations, misappropriation of trade secrets, misrepresentation and false advertising, trade disparagement, and passing off, as well as the principal remedies for such violations. For the most part, this Handbook focuses on unfair trade practices between competitors and generally does not address relations with consumers. There is another body of law that addresses such practices as price-fixing, monopolization, and so on. This area is called antitrust, and it is the subject of a different Handbook. Antitrust issues are not included in this Handbook. You should note that the law of unfair competition is very complex and subject to a host of variations, exceptions, and other details that cannot be addressed in a brief treatment of this kind. This Handbook provides only a general overview of some of the basic concepts of unfair competition law. It is not intended to provide advice or guidance regarding how you should act in a particular situation involving potential unfair competition issues. You should always consult with legal counsel with respect to any such situation.

INTERFERENCE WITH BUSINESS RELATIONSHIPS


I. Intentional Interference with Contract


In business, the competitive struggle is, for the most part, a battle over contracts. The business that secures the most contracts at the best price wins the battle. The law permits, and indeed encourages, businesses to compete with each other to attract customers and secure contracts. However, once a business has entered into a contract with a customer or supplier, the law protects that contract from interference by competitors. As a matter of fair play, the law does not permit one business intentionally to interfere with a competitor's existing contracts with others, or to try to induce someone to breach a contract. This rule is good for all business because it promotes stability in contractual relationships. As a practical matter, it means that when a company enters into a contract with another, it will not have to worry as much about whether a competitor will try to undermine the contract by making a better offer. On the other hand, it also means that companies must be very careful not to take any actions that could be viewed as interfering with another company's contracts.

In order to establish the cause of action for intentional interference with contract, the person making the claim must prove the following facts (called "elements"):
o there is an existing and valid contract with a third person;
o the person accused of interfering had actual knowledge of the contract;
o the person accused of interfering intended to induce a breach or impairment of the contract, or otherwise to interfere with it;
o the contract was breached or impaired;
o the breach or impairment was caused by the interference; and
o the person making the claim was damaged.

Even if these facts are proven, there will be no liability if the interference was justifiable or excusable.

B. The requirement of an existing and valid contract


A claim for intentional interference with a contract requires the person making the claim to have had an existing contract with a third person. In the absence of an existing contract, the only possible claim is interference with prospective economic advantage (discussed below). In an interference case, courts use contract law to determine whether a contract exists. As a general matter, a contract is simply a promise or set of promises that are enforceable in court. In a commercial context, a contract usually involves an offer, an acceptance, "consideration" (which basically means each party gets something from the deal), and sufficiently certain terms to enable a court to enforce the bargain. If there is no contract, there can be no cause of action for interference with a contract.

The law of contracts generally does not impose any particular requirement as to the form of a contract. Generally speaking, contracts may be written or oral, and the method by which a contract is made is generally up to the contracting parties themselves. However, certain types of contracts, such as those involving a transfer or mortgage of real estate, must be in writing. Unless the law requires the particular type of contract to be in writing, if all the other elements of the claim are met, someone can be liable for interfering with an oral contract.

Determining whether oral discussions have created a contract can be difficult. The process of entering a complex contract in the modern business world may stretch over a multi-day, multi-month, or even multi-year time frame. The process is sometimes broken down into discrete parts, with the parties initially reaching an "agreement in principle" concerning major terms before committing the time and resources to reach a final contract on all terms. When this process is used, a question arises whether the agreement in principle is itself a contract that can form the basis of an action for interference with contract. There is, unfortunately, no clear answer to this question either based on decided cases or in practice. It is clear that merely labeling an agreement as an agreement in principle does not, by itself, prevent that agreement from being a contract. In other words, there is no "safe harbor" for agreements in principle. At most, the fact that an agreement is labeled an agreement in principle is one factor, among many, that a court may use to determine whether a contract exists. One of the largest damage awards in U.S. history arose from a claim for interference with an agreement in principle. This case is a constant reminder of how risky it can be to interfere with ongoing negotiations that may have ripened into a contract.

Example 1: Programmer has developed a meta-programming language that might become the next web-based development tool. Programmer has been negotiating with Web Co. for the rights to the language. Worldwide Corp. learns about the negotiations and contacts Programmer. Worldwide asks Programmer whether he has made a deal with Web Co. Programmer says that there is nothing in writing, and that while they have agreed orally on a price, which he discloses to Worldwide Corp., a lot remains to be negotiated. Programmer invites Worldwide Corp. to make an offer. Worldwide Corp. makes a better offer and signs a written contract with Programmer.

Worldwide is taking a very big risk in this example. Programmer told Worldwide that he had an oral agreement on price with Web Co. That agreement may constitute a binding contract, and when Worldwide offered Programmer a better price and purchased his computer language, Worldwide may also have interfered with the contract. If someone you are negotiating with discloses that they are also negotiating with a competitor, exercise caution.

Even if a contract exists, that contract must be "valid" for there to be a claim of interference. Courts agree that contracts for the performance of a crime, or that involve the commission of unlawful acts, are invalid. Contracts that unreasonably restrain trade are also invalid. Interference with the performance of such contracts does not give rise to liability. In some states, contracts that are unenforceable for certain reasons (for example, the contract is not in writing when required, only one party receives consideration, one of the parties is a minor, or the contract is grossly unfair or "unconscionable") cannot give rise to liability for interference with contract. Other states treat such contracts as valid though unenforceable, and in these states, interference with an unenforceable contract can still give rise to liability. Because there are variations from state to state, you need to consult with counsel if there is a chance your conduct may involve contractual interference, even if you believe the contract itself may be invalid or unenforceable.

C. Actual knowledge of the contract

A person must have actual knowledge that a contract exists to be held liable for intentional interference with a contract. Actual knowledge is not the same as believing that there is a contract or having actually seen the contract. It can be sufficient to know the facts giving rise to a contract even if the person is mistaken about whether those facts constitute a contract. Even if a person acts on the advice of counsel that no contract exists, the person may still be liable.

Example 2: Programmer has developed a meta-programming language that might become the next web-based development tool. Programmer has been negotiating with Web Co. for the rights to the language. Worldwide Corp. learns about the negotiations and contacts Programmer. Worldwide asks Programmer whether he has made a deal with Web Co. Programmer says that there is nothing in writing, and that while they have agreed orally on a price, which he discloses to Worldwide Corp., a lot remains to be negotiated. Programmer invites Worldwide Corp. to make an offer. Worldwide believes, erroneously, that Web Co. and Programmer do not have a contract because nothing is in writing. Worldwide Corp. makes a better offer and signs a written contract with Programmer.

In Web Co.'s suit against Worldwide, Web Co. prevails. Worldwide had actual knowledge of the facts that established a contract between Web Co. and Programmer (i.e., the oral agreement on price). If a court determines that the oral agreement was a contract, the court will likely decide that Worldwide had actual knowledge of the contract, even though Worldwide believed (erroneously, as it turned out) there was no contract.

D. Intentional conduct
Courts generally hold that in an action for inducing breach of contract (or otherwise interfering with a contract), the person making the claim must prove that the competitor intended to induce a breach or otherwise interfere. This usually requires showing a purpose or desire to induce the breach or knowledge to a substantial certainty that the conduct would induce a breach. Even when there is a breach of contract, figuring out whether someone actually induced that breach can be a close question. If the third party decides to breach a contract with one business in order to enter a contract with a competitor, the third party's decision may not have been induced by the competitor; it may simply have been the third party's independent decision. But if the competitor initiated the contact with the third party or pursued the prospective customer with offers of better terms, courts are likely to find inducement and impose liability for interference.

E. Breach or impairment of the contract


In its most common form, this cause of action involves a breach of contract that results in economic harm. If one company refuses to honor its contract to purchase widgets from a second company, and instead buys them from a third company, the second company suffers lost revenues. That is not, however, the only situation in which this claim can be asserted. It is also unlawful interference with a contract to prevent someone's performance of a contract, to make it more expensive or burdensome, or to induce a breach of contract by making threats of economic reprisals.

Example 3: Resurfacer has a contract to resurface a portion of a highway. Competitor, who lost the bid for the highway construction project, enters into a contract with the primary local supplier of road gravel to purchase such a large quantity of gravel that Resurfacer will have to purchase gravel from a nonlocal supplier at a higher price, thereby making Resurfacer's contract much less profitable. Competitor purchased the gravel with the intent to inflict economic injury upon Resurfacer. Resurfacer sues Competitor for interference with contract. Resurfacer will prevail. Competitor intentionally interfered with Resurfacer's contract by making it significantly more expensive for Resurfacer to perform, even though Resurfacer did perform and did not actually breach the contract. Competitor has no justification for its conduct; as explained below, the bare desire to inflict economic injury upon a competitor is not a valid justification.

Some contracts are "terminable at will," which means that either party is free to terminate the contract at any time. Many employment agreements fall into this category. Many states hold that a third party can induce a party to terminate an "at-will" contract without liability for contractual interference. But other states hold the opposite -- i.e., the third party can still be liable for contractual interference even if the contract itself was terminable at will. And, even if the third party is not liable for contractual interference, it can still be liable for interference with prospective business advantage (discussed below). Therefore, you should always consult counsel before engaging in any conduct that might be viewed as interference (for example, trying to lure away a rival company's employee who has an employment contract).

F. Wrongful or unjustified conduct


The conduct constituting interference must also be "independently wrongful" or must lack justification. Independently wrongful conduct includes misrepresentation, defamation, threats of force or violence, improper use of trade secrets, unfair competition, or malicious breach of contract. But even if the defendant's conduct is not independently wrongful, there may be liability for interference if the conduct lacks sufficient justification.

Example 4: Resurfacer has a contract to resurface a portion of a highway. Competitor, who lost the bid for the highway construction project, enters into a contract with the primary local supplier of road gravel to purchase such a large quantity of gravel that Resurfacer will have to purchase gravel from a nonlocal supplier at a higher price, thereby making Resurfacer's contract much less profitable. Competitor purchased the gravel with the intent to inflict economic injury upon Resurfacer. Competitor also physically threatens and intimidates those truck drivers who have agreed to contract with Resurfacer to transport materials to the construction site. Resurfacer sues Competitor for interference with contract. Resurfacer will prevail. As explained above, buying all of the local gravel with the sole intent of inflicting economic injury upon Resurfacer likely constitutes an interference with Resurfacer's contract to resurface the highway. Buying the local gravel makes Resurfacer's contract less profitable, and the sole desire to inflict economic injury upon a competitor is not a sufficient justification. Similarly, there is no justification for threatening truck drivers who have agreed to work for Resurfacer. Such conduct may be independently wrongful (e.g., threats and intimidation may constitute an assault and battery) and is unjustifiable.

The most important rule here is that a desire to compete is not by itself a valid justification for interfering with a competitor's contracts. Once a business has a valid contract, a competitor is not privileged to interfere simply to advance its own competitive interests. As discussed below, a different rule applies to interference with prospective economic advantage.

II. Interference with Prospective Economic Advantage


The conduct discussed above -- intentionally interfering with or inducing a breach of a contract -- arises when someone already has a contract with a third person, and a competitor interferes with that contract. And, as just noted, a business is not justified in interfering with a competitor's contracts solely for competitive reasons. Now suppose that a business is just about ready to enter into a contract with a third party. A competitor learns about the pending deal. May the competitor interfere with that prospective contract by, for example, offering better terms? The answer, generally, is yes. A business is justified in competing against a competitor to make or secure contracts. That, after all, is the very essence of competition. Competing businesses are allowed to vie for the same customers by trying to make the best offer, and competition can continue right up to the moment the customer makes a final decision and enters into a contract. This does not mean, however, that a competitor can do whatever it wants in competing for customers. There are still limits of fair play placed upon competition. That is what interference with prospective economic advantage is all about: it sets the limits of fair competition up until the time contracts are made.

The elements of intentional interference with prospective economic advantage are similar to those of interference with a contract. They are:

- a prospective economic relationship between one person or entity and some third person, with a probability of future economic benefit;
- a competitor's knowledge of that prospective relationship;
- intentional acts by the competitor designed to disrupt the relationship;
- actual disruption of the relationship;
- economic harm caused by the competitor's wrongful conduct; and
- no justification for the interference.

The first element is an economic relationship between the person making the claim and some third person. This relationship must have probable future economic benefit to the person making the claim. There must be more than a mere speculative hope of future economic benefit. Courts will not permit recovery to be based on mere speculation. But if there is more than mere speculation and there is a genuine probability of future economic benefit, the courts may be willing to compensate the disappointed party. The general rule is that it must be "reasonably probable" that the prospective economic advantage would have been realized but for the interference. Courts generally accept that a business's potential relationship with prospective customers is a sufficiently strong interest to be protected from improper interference. It is thus well settled that the opportunity to obtain customers is protected.

But there is a critical difference between inducing a breach of contract and interfering with prospective economic advantage. Generally speaking, the courts do not recognize a competitor's privilege where interference with a contract is concerned. On the other hand, courts do recognize a competitor's privilege to interfere with another business's prospective economic relationships, so long as the competitor does not engage in wrongful or unfair conduct. A business engaging in proper competition is privileged to interfere with another company's prospective economic relationships -- for example, by offering better terms.

Example 5: Programmer has developed a meta-programming language that might become the next web-based development tool. Programmer has been negotiating with Web Co. for the rights to the language. Worldwide Corp. learns about the negotiations and contacts Programmer. Worldwide asks Programmer whether he has made a deal with Web Co. Programmer says that Web Co. has made him a good offer, the basic terms of which he discloses to Worldwide. Worldwide makes a better offer, and Programmer enters into an agreement with Worldwide. Because Web Co. and Programmer did not have a contract, and assuming that Worldwide does not use any wrongful or unfair conduct, Worldwide has a competitor's privilege to interfere with Web Co.'s negotiation with Programmer by offering better terms and entering into a contract with him.

The important thing to keep in mind is that a competitor cannot use wrongful or unfair means to gain a competitive advantage over another company, even if no contractual interference is involved. Wrongful means include fraud, defamation, threats of force or violence, improper use of trade secrets, unfair competition, or malicious breach of contract. Furthermore, even absent any wrongful conduct, a competitor can still be liable for interference with prospective advantage if its sole motive was to injure the other company. If the competitor's sole motive is to injure, the conduct is unjustified, since it does not further the underlying purpose of fostering competition. The competitor must have "at least in part" a competitive purpose.

Example 6: Barbershop Co. operated a neighborhood barbershop. Serviceco's president personally disliked Barbershop Co.'s president. In order to injure Barbershop Co., Serviceco opened a competing barbershop in the same neighborhood and took steps to deprive Barbershop Co. of its customers. The steps included setting prices consistently below Barbershop Co.'s prices, even if the price was too low to sustain a barbershop at reasonable profitability over the long run. Serviceco also engaged in a pattern of disparaging comments about Barbershop Co. Serviceco always intended that as soon as Barbershop Co. went out of business, Serviceco would close its competing barbershop. When Barbershop Co.'s shop closed, it sued Serviceco for interference with prospective economic advantage. Barbershop Co. prevailed. The facts in this Example are from a real case. Serviceco's sole purpose was to destroy Barbershop Co. Serviceco's pricing strategy may have been technically legal (it might be a close question whether Serviceco was illegally setting prices below its costs, which might be an antitrust violation), and generally disparaging comments about a competitor are probably not actionable (so long as the comments are nonspecific things such as, "I don't like their haircuts"). But there is no justification for deliberately setting out to injure a business by driving away its customers. The fact that Serviceco had no intention of remaining in the barbershop business is what convinced the court that there was no genuine competitive motivation for the conduct.

MISAPPROPRIATION OF TRADE SECRETS


Many businesses own trade secrets, information that would cause substantial competitive injury if it were disclosed to competitors. The law recognizes the value of trade secrets to business, and protects trade secrets from misappropriation by others. Trade secrets are one category of a business's "intellectual property" interests, which may also include copyrights, patents, and trademarks. An important difference between trade secrets, on the one hand, and copyrights, patents, and trademarks, on the other, is that trade secrets must be kept secret. By contrast, copyrights, patents, and trademarks are necessarily public. The law of trade secrets is important for two reasons. First, it tells a company what steps it has to take to protect its trade secrets, which can be lost if a business does not take proper precautions. Second, the law of trade secrets tells a company what it can and cannot do with respect to a competitor's trade secrets. Unlawful misappropriation of a competitor's trade secrets can lead to costly litigation. In most jurisdictions today, trade secret law is statutory. The National Conference of Commissioners on Uniform State Laws proposed a Uniform Trade Secrets Act (UTSA) in 1979, and over 40 states have since enacted the UTSA into law with only minor variations.

I. What Is a Trade Secret?

A. Trade secret defined


A trade secret is any information, including a formula, pattern, compilation, program, device, method, technique, or process, that (a) derives economic value from being kept secret, (b) is not known or readily ascertainable by competitors using proper means, and (c) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. Courts consider the following factors in determining whether information rises to the level of a trade secret:

(1) the extent to which the information is known outside of the business;
(2) the extent to which it is known by employees and others involved in the business;
(3) the extent of measures taken by the company to guard the secrecy of the information;
(4) the value of the information to the company and its competitors;
(5) the amount of effort or money expended by the company in developing the information; and
(6) the ease or difficulty with which the information could be properly acquired or duplicated by others.

Any business information that satisfies the definition can be a trade secret. Trade secrets can include such things as customer lists, chemical formulas and mixing instructions, computer programs, policy and procedures manuals, design drawings or modifications for a product, and industrial processes, to name just a few.

B. What is a secret?
A trade secret must be secret and must not be publicly known or generally known in the trade or business. Information that is public knowledge cannot be a trade secret. If the owner discloses a trade secret to others who are under no obligation to protect the confidentiality of the information, or otherwise publicly discloses the secret, the information is no longer secret and is no longer subject to trade secret protection. In addition, if a competitor already knew the information claimed as a trade secret prior to an alleged misappropriation and did not learn the information through improper means, then the information is not considered secret. As long as a competitor learned the information through proper means, the competitor may freely use it and would not be subject to a claim of misappropriation of trade secret.

The key to secrecy is the ease with which the information can be developed through proper means. If the information can be readily duplicated without considerable time, effort, or expense, then it is not secret, even if it is not actually known to any competitor. This rule helps ensure that courts will not stifle competition by protecting information that is readily reproducible by others. Unlike the patent system, the law of trade secrecy is not intended to reward the first inventor or developer of information. Rather, it is intended primarily to enforce confidential relationships and to encourage fair play in competition.

Example 7: Paintco's research and development division has developed a computer-based control process that improves the quality of Paintco's oil-based paints without significantly increasing costs. The computer-based control process is based largely on an unpatented process that was publicly disclosed in a recent scientific journal by government-sponsored university scientists. Based on the same article, Colorco develops the same computer-based control process. Was Paintco's process a trade secret? No. There is no trade secret to be protected here. The economically useful information was contained in the journal article, which was public. It did not require a substantial expenditure of resources for either Paintco or Colorco to use the journal article as the basis for improving their manufacturing processes.

The issue of whether information is readily ascertainable often arises in customer list cases. Where the customers on the list are readily ascertainable by consulting publicly available information (such as the phone book, street maps, trade journals, and other similar sources), courts have rejected claims of trade secrecy. By contrast, when a customer list could have been assembled only through the conduct of business over a substantial period of time, and it would require a substantial expenditure of resources for a competitor to duplicate the list independently, courts are more likely to conclude that the list is a trade secret.

Example 8: Electrico, a supplier of electrical goods to retail stores within City, maintains a list of customers and potential customers. The list has been created over the years by Electrico's sales force, and the list is treated as confidential by Electrico. Nearly all of the names on the list could be found by consulting the local yellow pages under relevant listings (such as for hardware stores). Competitor hires one of Electrico's employees who had access to the list, and the employee gives Competitor a copy of the list. Electrico is not likely to be successful in its suit against Competitor for misappropriation of trade secrets. The customer list probably does not derive economic value from being kept secret, since it would be relatively easy for any competitor to compile such a list from public sources such as the yellow pages. However, Competitor should take care in hiring Electrico's employee and using Electrico's customer list. Even though a trade secret lawsuit probably would not be successful, trade secret cases tend to be very fact specific. If there is any chance of a misappropriation of trade secrets, it is a good idea to consult counsel to assess the potential legal liability.

Because of the requirement that a trade secret not be generally known or readily obtainable, courts have generally held that information disclosed in an issued patent or published patent application, or information otherwise subject to disclosure as a matter of law, does not constitute a trade secret. Similarly, when products are sold to the public, the information embodied in the product itself, such as the combination of parts that makes the machine work, is part of the public domain and no longer protectable as a trade secret. This may occur even though the plaintiff did not intentionally or deliberately make the disclosure. Public disclosure of information through carelessness can preclude protection.

C. Reasonable means to protect secret information


To get and keep trade secret protection, the company or person must also take reasonable measures to keep the information secret. If the person claiming a trade secret has taken no measures whatsoever to maintain secrecy, it is fair to assume that the person did not regard the information as a trade secret. The test is one of reasonableness. Heroic measures to ensure secrecy are not essential, but reasonable precautions must be taken to protect the information.

Reasonable efforts commonly include confidentiality agreements identifying the information as a trade secret, keeping the information under lock and key, and limiting access to specified employees on a need-to-know basis. The fact that trade secret information is known by many persons within an organization or has been licensed to other organizations does not necessarily mean that reasonable means to protect secrecy have not been observed, as long as the disclosures are necessary to exploit the information and the recipient of the information is obligated not to disclose it. However, disclosure to third persons not subject to a duty of confidentiality can negate trade secret status.

Half-measures to secure trade secret information are dangerous and will sometimes be rejected by courts. For example, in one case the company proved that its customer list was stored on a computer to which only three employees had access, yet the company did not restrict distribution of hard-copy printouts of the list, and the printouts were not labeled "confidential" or "do not copy." Although employees received a manual informing them in general terms that a great deal of company information distributed for internal use was confidential and not to be revealed to any person outside of the company, the manual did not identify what information was actually confidential. There was no evidence that employees signed a confidentiality agreement. The court held that the company had not taken reasonable measures to protect secrecy.

Here is another example of inadequate security measures. One company employed a particular "layout" and "approach" in making grommets, a part used in the manufacture of automobiles. The court held that the layout and approach were not protectable as a trade secret because the company did not treat the information as a secret. In particular, the company had not screened off or restricted any areas in its plant and did not systematically screen visitors. Management routinely allowed suppliers and customers to be shown through the plant and did not inform plant workers or visitors that anything in the plant was confidential.

But as noted above, heroic measures are not required. In one case, for example, a competitor took pictures from a plane of another company's plant while it was being built, and the pictures revealed significant aspects of the company's secret process for producing methanol. After construction, the process would have been concealed from view by a roof, but during construction it was in plain view from above. The court held the competitor liable for misappropriation and explained that it would be unreasonable to require a company to put a roof over the unfinished plant during construction to guard its secret manufacturing process.

Example 9: Marbleco developed a special process for polishing large slabs of marble at twice the speed and half the cost of its competitors. The process, developed by Marbleco's own research department, is a closely guarded secret. Only Marbleco's management, the research department, and employees who work in the polishing rooms have access to the secret, and all of those employees are required to sign confidentiality agreements. The polishing rooms are closed to the public. Marbleco's profits and market share rise dramatically. Marbleco's management enters into negotiations to sell all of Marbleco's assets, including the secret process, to Rock Corp., one of Marbleco's competitors and the largest producer of large marble slabs in the world. Marbleco does not require Rock Corp. to sign a confidentiality agreement, and Rock Corp.'s executives learn about the secret process during the negotiations. Rock Corp. breaks off negotiations and immediately puts the process to use in its own manufacturing plants. Marbleco clearly had a trade secret up until the time it disclosed the process to Rock Corp. Until that disclosure, Marbleco appears to have taken reasonable steps to ensure the secrecy of the process, and the process appears to have substantial economic value derived from its secrecy. However, by disclosing the secret to Rock Corp. without requiring Rock Corp. to sign a confidentiality agreement, Marbleco may have lost its trade secret. Some courts might impose a duty of confidentiality on Rock Corp. even without a formal agreement, but Marbleco took a very substantial risk by disclosing its secret process to a competitor without making sure the secret could not be used by Rock Corp. if negotiations for the sale of Marbleco's assets fell through.

II. How Is a Trade Secret Misappropriated?


In general, a person who acquires, discloses, or uses another's trade secret can be held responsible for misappropriation when that person knows or has reason to know that improper means were used to discover the trade secret or that disclosure is otherwise improper. The Uniform Trade Secrets Act (UTSA) defines "improper means" as including "theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means." Cases involving independently wrongful or illegal conduct are relatively obvious examples of improper means. But liability is not limited to such examples. In other words, the method used to acquire the trade secret may be legal but nevertheless improper. For example, in the case noted above involving aerial photographs of a plant under construction, the court held that such conduct, though perhaps not illegal, was improper and exceeded the bounds of fair competition.

Example 10: Manufacturer owns a trade secret in a special manufacturing process. All Manufacturer's employees who know about the secret are required to sign confidentiality agreements, and Manufacturer closely guards the secret. Competitor hires Supervisory Employee, who knows the details of the trade secret, away from Manufacturer. Supervisory Employee discloses the secret to Competitor in violation of Supervisory Employee's confidentiality agreement with Manufacturer, of which Competitor was aware. Manufacturer sues Competitor for misappropriation of trade secrets and wins. Raiding a competitor's staff for employees who possess confidential information is a good way to get sued. Even if the employee is the person who developed the secret process, the trade secret usually belongs to the company, and the employee has no right to divulge the trade secret to a competitor.

On the other hand, trade secrets can be properly acquired in a number of ways, including:

- discovery by independent invention;
- discovery under a license from the owner of the trade secret;
- discovery based on observation of the item in public use or on display;
- discovery of the trade secret from published literature;
- discovery by accidental disclosure; or
- discovery by reverse engineering, that is, by starting with the known product and working backward to find the method by which it was developed, provided the product was acquired by fair and honest means, such as purchase of the item on the open market.

The most difficult cases for courts have involved reverse engineering. Reverse engineering typically involves beginning with a publicly distributed product and working backward from that product to discover the trade secret. The tough factual question in many of the cases is whether the discovery was by pure reverse engineering, or whether the so-called "reverse engineering" was actually given a substantial boost by relying on improperly disclosed trade secrets. The question is particularly close when someone who previously worked for the company with the trade secret, and who has knowledge of the trade secret, is hired by the company that later claims reverse engineering. In such cases, the jury or court may draw the unfavorable inference that what appears to be reverse engineering on the surface is actually a cover for misappropriation of trade secrets. In addition, while reverse engineering is a proper method of discovering a trade secret, the fact that a trade secret could have been reverse engineered or could have been discovered using other lawful means does not mean that improper means may be used instead. The improper means (such as obtaining information by having a former employee of the owner of the trade secret breach a duty of confidentiality) may still constitute a misappropriation.

MISREPRESENTATION
One of the most important premises of our free market system is that the public interest is best served by economic competition between businesses based on merit. When consumers are able to make rational judgments and comparisons between products and services based upon accurate and reliable information, the result is to favor the business that produces the better product and service (which ultimately results in improving the quality of all products and services as businesses compete for customers). Markets break down when there is inaccurate or misleading information about products and services. We do not approve of a business "getting ahead" by fraud -- the days of caveat emptor (which means "buyer beware") have long since passed. On this basis, misrepresentation is a form of unlawful unfair competition. Laws against misrepresentation promote honesty and accuracy in business transactions. A business that makes misrepresentations in order to secure contracts is a business that runs the risk of having those contracts overturned by courts, of being subjected to large damage judgments, and of becoming the target of investigation by local district attorneys or state attorneys general. A misrepresentation is a false representation of fact, upon which a person justifiably relied, resulting in economic or monetary loss. Whether someone is liable for a

misrepresentation depends on whether the misrepresentation was intentional, negligent, or innocent. The most culpable or blameworthy conduct involves a deliberate, intentional falsehood that someone hopes will induce reliance by another -- lying. This is called fraud, and it usually triggers an award of punitive as well as compensatory damages. False representations include active concealment, that is, conduct which prevents a person from discovering the truth. Fraud is virtually always unlawful. The next level of culpability is negligence. Someone who makes a representation without a reasonable basis for believing in its truth will generally be held responsible for pecuniary harm that results, but only if the speaker had a "legal duty" to the listener to use reasonable care in making the representation. For example, an accountant has a duty to use reasonable care in making representations to its client about the client's financial condition, but in most jurisdictions, an accountant does not owe a duty of reasonable care to unknown and unrelated third parties who may rely upon the accountant's report. In these jurisdictions, a third party who relies upon a negligently prepared accountant's report cannot sue the accountant for a negligent misrepresentation. A person may also be held responsible for negligence for failing to make a statement (i.e., for nondisclosure) in circumstances where a duty exists to make an accurate disclosure. For example, if there is a fiduciary relationship between two persons (e.g., principal-agent, doctor-patient, lawyer-client, partner-partner, director-corporation, franchisor-franchisee), the fiduciary has a duty to make accurate disclosures. Finally, there are some circumstances in which a business will be held liable for "innocent" misrepresentation. An innocent misrepresentation occurs when the speaker did not intend to commit a fraud or induce reliance and had no reason to know that its statement was false. 
We begin with the elements of a misrepresentation, that is, a false representation of fact on which someone justifiably relies with resulting pecuniary loss. We then turn to the different levels of culpability used by courts in placing responsibility on the speaker.

I. Representation of Fact
Liability for misrepresentation attaches only to false representations of fact. In business, you rely on another's mere opinion or prediction at your own risk. A representation of fact, by contrast, purports to state something objectively true about the world apart from the speaker's opinion. That is the sort of statement on which people should be allowed to rely. It is difficult to state a simple definition for the word "fact," but generally speaking, a statement of fact is a proposition that is objectively verifiable at the time it is made. Although this may seem like an odd definition at first, it works rather well in practice and helps explain the results in many cases. For example, a statement by a seller to a buyer that "this stone is a diamond" is a statement of fact because it asserts a proposition that is objectively verifiable at the time it is made. That is, the stone referred to by the seller either is or is not a diamond, and it is theoretically possible at the time the statement is made to determine its truth.

By contrast, a statement by a seller to a buyer that "this painting is a great work of art" is not a statement of fact concerning the painting referred to, because it asserts a proposition that is not objectively verifiable at the time it is made. A painting may be considered by some people to be a great work and by others to be a piece of junk. There is, however, no objective basis for choosing between these two conclusions since quite reasonable people may reach exactly opposite conclusions. Generally, then, representations of judgment or taste are usually not statements of fact. Similarly, general statements in advertisements touting the superiority of a particular product in vague terms are called "puffing," and cannot be the basis of a lawsuit for misrepresentation, because such statements are not objectively verifiable. Puffing has been variously defined by the courts. Some courts have described puffing as involving outrageous generalized statements, not involving specific claims, that are so exaggerated as to preclude reliance by consumers. Another court has described puffing as involving claims that are either vague or highly subjective. As a general matter, predictions are also not considered to be statements of fact. A statement that "the Dow Jones average will be at 12,000 next year" is not a statement of fact because the statement is not verifiable at the time it is made. The statement will become verifiable after the passage of a year, but the statement is not itself a representation of fact at the time it is made. There are many statements that are not clearly either pure fact or pure opinion. The courts have struggled, for example, with statements of value or worth. The naked statement by a seller that a piece of property is worth $5,000 is sometimes treated as a fact and sometimes treated as opinion. 
The difficulty with treating representations of value as statements of fact is that a statement of value is oftentimes not verifiable when made since the value of a property is ordinarily determined by what a willing buyer would pay for the property, and that is a future event. On the other hand, the value of a property sometimes is measured by looking at the value of comparable properties. The value of comparable properties may at least establish a range of possible, verifiable values. Courts usually solve these cases by asking whether the representation of opinion implies a representation of one or more facts, which then can form the basis for a claim of misrepresentation. Example 11: Ticket Co., which manufactures lottery scratch-off tickets, represents in its promotional advertising to state officials that Ticket Co.'s tickets are better than the tickets made by Competitor. Ticket Co. also represents that its tickets have been rated superior in United States government testing and that Competitor's tickets were found in government testing to be less secure. Standing alone, the general statement that Ticket Co.'s tickets are "better" would probably not be viewed as a representation of fact, but rather as mere puffing. However, the representations about government testing are representations of fact and, if false, may form the basis for a lawsuit. If both statements are made in the same advertisement, the claim that the tickets are better is likely to be regarded as relating to the government testing and, if false, could form the basis of a lawsuit. The difference between lawful "puffing" and unlawful misrepresentation can be difficult to discern in practice, because businesses are often tempted to go beyond mere puffing and to be specific in praising one's own product or service
and in criticizing a competitor's product or service. The best practice is always to make sure that any specific representations are true when made.

II. Falsity
The party claiming fraud or misrepresentation must prove that the representation in question was false. Courts do not require perfect accuracy, of course, since that standard would be beyond human capabilities. But there must be a substantial correspondence between reality and the representation. For example, a representation that there were "approximately" 18,000 cubic yards of earthwork was held to be false when, in reality, there were 36,000 cubic yards. There is very little discussion in the cases about what constitutes truth and falsity in the context of misrepresentation. Courts usually express in conclusory terms whether a representation is true or false without even attempting to define the concepts.

III. Justifiable Reliance
There can be liability for a misrepresentation only if the person making the claim actually relies upon the representation, and that reliance is justifiable. The idea is that a misrepresentation doesn't cause injury unless the plaintiff actually relied upon the truth of the statement. Example 12: Customer buys a used car from Dealer. After buying the car, Customer reads in a newspaper ad that the car was supposed to have air conditioning. In fact, the car does not have air conditioning. The ad ran for a week prior to the date Customer bought the car, but Customer did not read the advertisement until after making the purchase. Nothing was said to the Customer about air conditioning. Customer will not have an action for misrepresentation because Customer did not rely on the representation made in the newspaper advertisement. The reliance must also be justifiable. Generally speaking, reliance is not justifiable unless the misrepresentation is "material," meaning that a reasonable person would regard the statement as important in making a decision. Example 13: Retailer misrepresents to a Commercial Customer that certain treated lumber it sells will last ten years when used for raised planter boxes. In fact, the treated lumber has been rated by its manufacturer for only five years when used in direct contact with the soil. When the lumber rots after only five years, Customer sues Retailer for the costs associated with early replacement of the planter boxes. Customer is likely to prevail. The representation that lumber would last for ten years for a particular use is material because a reasonable person would attach importance to that statement in deciding whether to purchase the lumber for a particular use.

IV. Injury
To recover damages for misrepresentation, the person making the claim must normally show some measure of monetary loss. For example, in the lumber example, the damages would probably be measured by the difference in value between lumber that will last ten years and lumber that will last only five years. Misrepresentations that result in personal injury may also give rise to liability. For example, in one case, the manager of an apartment complex represented to a prospective tenant that the complex was secure. Based on that representation, the prospective tenant signed a lease and moved in. The tenant was subsequently raped on the complex's grounds, and she successfully sued the complex for damages arising out of the misrepresentation.

V. Types of Misrepresentation

A. Fraudulent misrepresentation
As noted above, the most serious form of misrepresentation is fraud -- i.e., a deliberate misstatement of fact that is intended to induce, and in fact does induce, someone's reliance. The speaker need not actually know that the statement is false in order to be liable for fraud -- it is enough to act recklessly with respect to the truth of the statement. In addition, active concealment of the truth also constitutes fraud -- for example, if someone covers a crack in an engine block with a gasket sealer before trying to sell the car.

B. Negligent misrepresentation
Someone can also be held liable for negligent misrepresentations -- misstatements made by a speaker who has a duty to find out whether the statement is true or false, and who has negligently failed to do so. In other words, these are statements the speaker should have known weren't true. The idea here is that a person making a representation ordinarily has a duty of reasonable care to the person to whom the statement is made regarding the truth of the statement. Failure to exercise reasonable care means that the speaker is liable to those persons to whom the speaker owes a duty of care (which, at a minimum, means the person or persons to whom the representation is directed). Example 14. Accounting Firm conducts an audit of Corporation and provides its report to Client for Client's use in deciding whether to invest in Corporation. The audit is negligently conducted, and it incorrectly reports that Corporation is in sound financial condition when, in reality, it is in serious difficulty. Client relies upon the report and invests in Corporation, which shortly thereafter goes bankrupt, causing Client to lose its entire investment. Client sues Accounting Firm for negligent misrepresentation relating to the report. By providing its audit report to Client, Accounting Firm assumes a duty of reasonable care with regard to the report's contents. Because Accounting Firm negligently prepares the report, it can be held liable to Client for economic harm or loss resulting from that negligence. However, a speaker does not owe a duty of care to the entire world. Given the speed with which communications now circle the globe, a
single statement can be picked up and retransmitted thousands or tens of thousands of times (rumors reported as fact in the media are a good example). If everyone who relied on that statement could sue the speaker once the statement turned out to be false, every speaker would be exposed to a potentially ruinous liability entirely out of proportion to the person's culpability (i.e., negligence). As a result, most jurisdictions limit liability for negligent misrepresentation and permit recovery only by those persons for whose benefit and guidance the speaker supplied the information. Example 15: Accounting Firm conducts an annual audit for Client and reports that Client's books are consistent with Generally Accepted Accounting Principles (GAAP). Investor across the country gets a copy of the report from a web page and relies upon the report in buying Client's stock. The audit was negligently conducted, and a reasonable audit would have discovered substantial discrepancies in Client's financial records. Client goes bankrupt, and Investor loses the entire investment. Investor sues Accounting Firm for negligent misrepresentation based on the report. In most jurisdictions, Investor would lose his lawsuit since Accounting Firm did not prepare its report intending that unknown persons such as Investor would rely on it. However, it should be emphasized that the law is different from jurisdiction to jurisdiction on this point. In some jurisdictions, Investor's lawsuit would be permitted. A person may also be held liable for negligent misrepresentation for failing to make a statement (i.e., for nondisclosure) in circumstances where a duty exists to make an accurate disclosure (discussed below).

C. Innocent misrepresentation
An innocent misrepresentation occurs when the speaker not only does not intend to commit a fraud, but does not even know or have reason to know that its statement is false. Courts that recognize liability for innocent misrepresentations have generally limited the scope of liability to sales or commercial transactions where the representation relates to a material part of the transaction. In such transactions, the speaker is usually a merchant or seller who has superior knowledge of the product. Liability for innocent misrepresentations developed concurrently with the consumer protection movement, and the greatest number of cases involve misrepresentations in the context of consumer sales transactions. In nearly all states today, consumer protection statutes now provide a statutory remedy for false statements of fact about the characteristics of consumer products or services.

VI. Failure to Disclose
A mere failure to disclose information known to the speaker but not known to the hearer ordinarily does not result in liability for misrepresentation. The law
ordinarily does not require each of us to correct the misimpressions of our fellow humans. Liability arises for a mere nondisclosure only when the law imposes a special duty of disclosure on the speaker. There are two situations where a duty of disclosure exists -- (1) where the speaker has already made a representation on the same subject matter that would be misleading without a full disclosure, and (2) where the relationship between the parties creates a duty of disclosure. Example 16: Collector buys a glass vase from Antique Dealer for $100. Collector believes, correctly, that the vase is a valuable antique worth $15,000-$20,000 when sold at auction. Collector is not liable for misrepresentation for failing to tell Antique Dealer the vase's true worth. Collector does not owe a duty to Antique Dealer to disclose the true value of the glass vase so long as Collector did not make any representations to the dealer about that value of the product. There is nothing in the relationship between the parties to suggest that a duty of disclosure exists. It was an "arm's-length" transaction in which the seller was an antique dealer and thus, presumably, an expert. Example 17: Antique Dealer sells Weekend Shopper a $100 glass vase for $15,000. Here the result is different, particularly if Weekend Shopper asked questions about the quality or value of the vase (e.g., "Is it really from the 17th century?"). In such a case, a court might find that Antique Dealer has made some type of unlawful misrepresentation about the vase even though the dealer may have tried to remain essentially silent and passive. Courts are sensitive to situations where one party to a transaction (e.g., Antique Dealer) has a significant bargaining and knowledge advantage over the other party (e.g., Weekend Shopper), and it would be inequitable to permit the superior party to employ his or her advantage to the other's detriment. 
Even if a person has no duty to speak, once that person begins speaking, he must speak truthfully and not leave the listener with a misimpression of the facts. Half-truths are just as misleading as outright fabrications (and perhaps more so since a half-truth may lull the listener into a sense of security). Thus, by making a representation on a particular subject matter, the speaker takes on a duty to make a full and accurate representation. Example 18: Weekend Shopper brings to Instrument Dealer an old violin and asks if Dealer would like to buy it. Dealer recognizes the violin as a very valuable Guarneri, worth thousands of dollars. Weekend Shopper asks the dealer whether the violin is made by anyone famous such as Stradivarius, and Dealer says, "I don't know. I know it's not a Stradivarius." Dealer buys the violin for $250. Dealer has committed an actionable misrepresentation. Dealer in this example makes a factual misrepresentation by falsely stating "I don't know" in response to Weekend Shopper's question. In the particular circumstances presented, where Weekend Shopper clearly is unaware of the value of the violin and Dealer deliberately misleads Weekend Shopper into believing that its value is minimal, a court is likely to hold Dealer liable for the misrepresentation.

Courts have also imposed a duty to speak where there is a special relationship between the parties. In general, the relationships subject to a duty of disclosure involve a "fiduciary" relationship or other relationship of confidence. Examples include relationships such as principal-agent, doctor-patient, lawyer-client, partners, co-tenants, director-corporation, majority shareholder-minority shareholder, and franchisor-franchisee, just to name a few. If such a relationship exists, then the person holding the position of trust and confidence (such as a trustee) has the duty to disclose material information to the other party. Special relationships may exist in many other situations. In some circumstances, for example, a bank may have a fiduciary relationship with its customers, although this is a somewhat controversial area. An exclusive distributor may owe fiduciary duties to a profit-participant who depends entirely upon the exclusive distributor for the generation of profits. (On the other hand, there generally is no fiduciary relationship between a manufacturer and a distributor.) A minority shareholder engaged in a takeover battle may in some circumstances owe fiduciary duties to other minority shareholders. The point to keep in mind is that if you or your company has a relationship of trust and confidence with another person or entity, you or your company may have special disclosure obligations to that person or entity. You should seek legal advice if you have any question regarding the existence or extent of such obligations.

FALSE ADVERTISING
I. What Is False Advertising?
False advertising is a claim brought by a consumer or a competitor against an advertiser based upon false statements made by advertiser about its own goods or services. (False statements about a competitor's goods or services may be trade or product disparagement, discussed below.) False advertising claims by a competitor against an advertiser are generally brought under Section 43(a) of a federal statute known as the Lanham Act. False advertising claims by a consumer against an advertiser do not fall under the Lanham Act. Consumer claims must be brought in state court under applicable state consumer protection laws. Whether brought under federal or state law, false advertising claims have the same basic purpose -- to promote accuracy and honesty in commercial advertising. The Federal Trade Commission itself can also bring a false advertising claim, under the Federal Trade Commission Act (FTCA). The FTCA prohibits "unfair or deceptive acts or practices," and this law has been interpreted to protect the vast multitude of consumers (not just the average or reasonable consumer), including the ignorant, the unthinking, and the credulous. Most state attorneys general have similar authority under state unfair trade practices statutes. False advertising can thus give rise to federal and state enforcement as well as private litigation. A false advertising claim requires the person making the claim to prove the following --

- The advertiser made false or misleading descriptions or representations of fact about the nature, characteristics, or qualities of the advertiser's goods or services.
- There was actual deception or at least a tendency to deceive a substantial portion of the intended audience.
- The statements of fact were material, that is, were likely to influence the purchasing decision.
- The statements were made in the context of commercial advertising or promotion used in connection with goods or services.
- The person making the claim has been or is likely to be injured as a result of the false or misleading statements.

As can readily be seen, the elements of a claim for false advertising are very similar to the elements of a misrepresentation claim.

II. Who Can Sue for False Advertising?
A claim under Section 43(a) of the federal Lanham Act for false advertising is brought in federal court. A direct competitor, or any person who has suffered a business or commercial loss as a direct result of false or misleading advertising, can sue. As a practical matter, the vast majority of false advertising suits are brought by competitors. It is also common, once a lawsuit has been filed, for the business sued to file a similar lawsuit against the business that sued, complaining about the other side's advertising. A consumer cannot sue for false advertising under Section 43(a) of the Lanham Act. Instead, a consumer who has been injured by false advertising is limited to state law claims. In addition to misrepresentation, virtually all states now have some form of consumer protection statute that could be used as the basis for a false advertising claim.

III. Statements of Fact
In false advertising as in misrepresentation generally, the statement in question must be a statement of fact (i.e., statements that are objectively verifiable). Vague and general statements in advertisements touting the superiority of a product are often treated as permitted "puffing" because such statements are not readily verifiable. For example, generalized claims, standing alone, that the seller's product is better than a competitor's product are usually viewed as puffing. The same is true for slightly more specific claims, such as a seller's statement that its lamps were "far brighter than any lamp ever before offered for home movies." The rhetorical question, "Would you prefer to do business with the phone company with the best technology, lower rates, and better customer service?" and the statement, "We're the low cost commercial collection experts" were both held to be puffing. However, there are no "magic words" which are always treated as puffing, and even a word as vague as "better" can, in some contexts, be treated as a statement of fact. On the other hand, when a statement becomes specific enough to be objectively tested, it ceases to be puffing and can then be the basis for a false advertising claim. For example, although the statement quoted above that a seller's lamps were "far brighter" than competitors' lamps was puffing, the more specific claim that the lamp had "35,000 candlepower and ten-hour life" was not puffing. An advertisement claiming that the seller's oil provides "longer engine life and better
engine protection," if false, could be unlawful because the claim was both specific and measurable by comparative research. Example 19: Cereal Manufacturer claims that its raisin-bran cereal tastes better than Competitor's, has more raisins per box, and that the raisins are plumper. The picture on the front of Cereal Manufacturer's raisin bran boxes shows many more raisins per serving than are actually contained in the box, and the raisins in the picture have been digitally enlarged. Both Cereal Manufacturer and Competitor use the same type of raisins and both use approximately the same number of raisins per box. Competitor sues for false advertising. The suit will probably be successful. The statement that the cereal tastes better is puffing and is not actionable. But the representations about the number of raisins in the box and their plumpness are representations of fact that can be objectively verified. The false pictures on the box present a closer question since it may be doubtful whether consumers would treat the picture as being an accurate representation of the product. On the other hand, if the picture purports to be an accurate representation (and is not obviously distorted or enhanced), a court could treat the picture as a representation of fact and not as puffing (see the example below).

IV. Customer Confusion or Deception
A person suing over false advertising must establish that the false or misleading advertisements were likely to mislead or confuse consumers. This can be a difficult fact to prove since it could theoretically require testimony directly from consumers about their interpretation of an advertisement and their reliance on it. In order to avoid the expense and inconvenience of proving customer confusion in every case, the courts have held that when an advertisement is "literally false," customer confusion is assumed to exist and need not actually be proved. Where a claim in an advertisement is shown to be literally false, the court may enjoin the use of the ad without reference to its actual impact on the buying public. Example 20: OJ Manufacturer advertises its juice on television as "pure, pasteurized juice as it comes from the orange." The ad also states that the juice is "the only leading brand not made with concentrate and water." The advertisement shows a famous athlete squeezing an orange and then pouring that freshly-squeezed juice directly into a carton. In fact, juice is not already pasteurized when it comes from the orange, and OJ Manufacturer's juice is not only heated as part of the pasteurization process, but is also sometimes frozen prior to packaging. Competitor sues for false advertising. The advertisement is literally false, and a court is likely to issue an injunction to prevent the advertising from continuing even without evidence of consumer confusion or deception. The advertisement gives the clear impression that the juice goes directly from the orange into the carton, and that is simply untrue, despite the fact that it seems unlikely anyone would believe juice comes from the orange already pasteurized. If someone can show that the advertiser has intentionally set out to deceive the public, courts will assume customer confusion and deception, but will give the advertiser the chance to demonstrate that, in fact, no consumers are confused.

If an advertisement is not literally false (but is possibly misleading) and there is no evidence of an intent to deceive, the person making the claim must present evidence that consumers actually are misled or deceived. This is usually done with a combination of consumer surveys and testimony under oath from a handful of consumers.

V. Proof of Injury or Likely Injury
It is not enough simply to show that customers have been confused or deceived as a result of the defendant's advertising. The competitor making a claim under Section 43(a) of the Lanham Act still must also prove that a harm to the competitor is at least likely to result from this consumer confusion. The competitor must provide a "reasonable basis" for concluding the competitor has been or is likely to be damaged as a result of the false advertising. This usually involves one or more of the following -- showing a logical causal connection between the false advertising and sale of the competitor's product or service, demonstrating through anecdotal testimony some harm in the form of lost sales or damage to reputation, consumer surveys showing possible harm to the plaintiff, and/or sales figures demonstrating harm.

VI. Private Enforcement and Government Enforcement
False advertising claims can be brought by competitors under Section 43(a) of the federal Lanham Act, by consumers under state law, and by federal and state enforcement agencies (i.e., the Federal Trade Commission and state attorneys general). Lawsuits by competitors and by government enforcement agencies usually seek an injunction to stop the false advertising. In these cases, no actual injury need be shown. It is enough if there is a likelihood of consumer harm or a tendency or capacity to deceive. However, when a consumer brings an individual claim under state law to recover damages for false advertising, the consumer usually must show more than the mere possibility or likelihood of damage. Generally, the consumer must show that the false advertising caused the consumer to suffer some harm (e.g., because the consumer relied on the false advertising, the consumer purchased a product he would not have otherwise purchased). As a practical matter, because of the possibility of lawsuits by competitors or by the government, a company cannot safely engage in false advertising even if the company believes that its advertising is not actually harming any consumers. Instead, in designing an advertising campaign, a company must assume that any false statements of fact could result in a lawsuit.

TRADE DISPARAGEMENT
As noted above, false advertising claims arise only when a business has misrepresented the quality of its own goods or services. When a business is misrepresenting the quality of a competitor's goods or services, that is called trade (or product) disparagement. Comparative advertising -- where an advertisement expressly comments upon a competitor's products or services -- often leads to claims for both false advertising and trade disparagement.

False advertising law and the law of trade disparagement together mean that virtually any misleading statements made in commercial advertising have the potential to result in legal liability. In short, the law insists upon substantial accuracy in advertising.

I. Elements of Trade Disparagement
A person making a claim of trade disparagement must show publication of a statement of fact (or opinion that implies a fact) -- that disparages the products or services of another, that is false or misleading, that directly results in actual monetary harm to the person making the claim, and that is not privileged. Product disparagement claims may also be brought under Section 43(a) of the Lanham Act. The differences between trade disparagement under state law and product disparagement under Section 43(a) are relatively small and do not merit a detailed discussion in a brief treatment of this kind. Simply put, false statements of fact about a competitor's product or service create a substantial risk of liability under both state and federal law. A statement disparages another business's products or services if it casts doubt upon the quality of those products or services, and either (a) the speaker intended it to cast such doubt, or (b) a hearer of the statement would reasonably understand it to cast such doubt. Generalized criticisms or comparisons are generally not actionable. The person making the claim generally has to prove that the disparaging statements are false or misleading. If the statements are "substantially true," no claim can be made. Statements that are false in some immaterial or trivial way are permitted. To support a claim, the statements must be false in substance. The requirement of showing monetary harm is difficult to fulfill. The person making the claim must show particular sales that were lost or a general decline in business resulting from the disparaging statements (as opposed to a decline resulting from other business factors, which don't count).

II. Competitor's Privilege
As part of our competitive economy, businesses are allowed to disparage competitors' products in general terms, so long as the disparagement does not include false representations of fact. This privilege is not lost even if the speaker does not actually believe that the products are superior to the competitor's. You can think of this privilege as covering "negative puffing" -- vague and nonspecific product comparisons unflattering to the competitor. Like ordinary puffing, this is permitted on the theory that consumers do not actually rely on such statements in making product purchase decisions. Example 21: Painkiller Co. published two advertisements about Aspirin Corp.'s product. In the first set, Painkiller stated that the U.S. government had tested Aspirin Corp.'s product, and found it to be only about 40% as effective as

Painkiller's. In the second advertisement, an actor hired by Painkiller stated that Aspirin Corp.'s "stuff was no good." Aspirin Corp. sues for disparagement. The first type of statement is unlawful disparagement. It specifically casts doubt upon the quality of Aspirin Corp.'s goods in direct comparison to Painkiller's goods, and supports that negative comparison with reference to the results of an alleged, but false, government test. Potential customers would understand it to cast serious doubts upon the quality of Aspirin Corp.'s product. The second statement would probably not be considered disparaging since, like puffing, it amounts to nothing more than a generalized, vague comparison of the products.

PASSING OFF AND TRADEMARK INFRINGEMENT


One of the most important representations about a product or service is the identity of the person or business responsible for producing it. The identity of the producer of a product or service (that is, its source) is important because customers often rely upon this information in making purchasing decisions. Consumers develop loyalties to a particular producer based upon their experience with that producer's products. Businesses cultivate that type of loyalty by using distinctive labels or packaging that consumers will recognize, and businesses want to prevent competitors from using identical or confusingly similar labels that might mislead consumers. Misrepresentations about the source of a product or service are actionable under both state and federal law. The state law causes of action include passing off (so named because the seller in such cases is accused of passing off goods produced by one company as though they were produced by another), ordinary misrepresentation (discussed above), and trademark infringement. The federal causes of action arise under Section 43(a) of the Lanham Act (which deals generally with misrepresentations of the source of a product or service) and Section 32 of the Lanham Act (which deals with the infringement of registered trademarks). Today, most litigation over misrepresentation as to source is brought in federal court under the Lanham Act. While there are minor differences in detail between the state and federal causes of action, for our purposes it is sufficient to discuss passing off and trademark infringement under the Lanham Act.

I. Passing Off
There is no single method of passing off. The means employed to accomplish the deception are entirely irrelevant. Passing off can be as simple as explicitly stating to a buyer that "This product was made by the X Corporation," when in fact the product was not made by X Corporation but by the seller or another. Passing off also includes all manner of implied representations. For example, when the seller serves a Pepsi or other cola to a customer who has explicitly requested a Coca-Cola, passing off has occurred because serving the Pepsi under these circumstances constitutes an implied representation that the drink served is a Coca-Cola. More commonly, passing off involves the use of confusingly similar imitations of product appearance, product packaging, or other identifying symbols used in conjunction with the product, such as trademarks or trade names.

The crux of passing off is the likelihood that consumers would buy a product believing it to have one source when in fact it has another. The law is aimed at preventing such confusion. When the representation in question explicitly relates to the source (e.g., "This product was made by X Corporation") or clearly implies something about the source (e.g., serving one brand of drink in response to a request for another brand), the likelihood of confusion as to source is inherent in the misrepresentation. More difficult problems arise when the misrepresentation as to source must be inferred from other product characteristics, such as appearance, packaging, or symbols or words used in conjunction with the product. In these cases, courts have required the person making the claim to establish that the particular appearance, packaging, or symbols actually convey information to buyers about the source of the product. This is usually established by conducting surveys of consumers. So long as there is no confusion as to source, and absent a patent, copyright, or trademark, there is nothing to prevent one manufacturer from producing a product that is similar in function and appearance to a competitor's product. Indeed, there are strong public policy reasons to promote precisely that type of competition, for example, lower prices to consumers.

A. Secondary meaning

Suppose Company X produces widgets that are forest green in color (which, we will assume, is not a functional characteristic for widgets; that is, the color is purely ornamental and performs no useful function). If buyers associate forest green widgets with Company X widgets, buyers of widgets would be likely to be confused as to source if Company Y began producing widgets of the same or a confusingly similar color. On the other hand, if buyers of widgets do not associate forest green widgets with any one company, then they will not be confused when Company Y comes out on the market with another forest green widget. Perhaps all widgets are forest green. As this example illustrates, the likelihood of consumer confusion as to source depends upon whether the product characteristic being imitated or copied communicates to consumers some information about the source of the product. When a product characteristic conveys particularized source information about the product, courts say that the characteristic or mark has acquired secondary meaning.

Example 22: Safeco builds safes. Safeco safes have a gold stripe around the middle of the safe. However, customers do not associate safes that have a gold stripe with Safeco. Lock Co., a competitor, decides to paint a gold stripe around the middle of its safes as well. Safeco sues Lock Co. for passing off. Lock Co. will prevail. Because customers do not associate gold-striped safes with Safeco, the gold stripe does not have secondary meaning. Without secondary meaning or a valid trademark, Lock Co. is free to copy the gold stripe.

B. Functional characteristics

Courts do not permit functional product characteristics or packaging to serve, by themselves, as the basis for a passing off claim. For example, assume that the basic shape of a pair of scissors is a functional characteristic. Any company that manufactures scissors will have to produce a product similar in shape to scissors manufactured by other companies. In that case, courts will not permit one scissor company to base a passing off claim solely on the similar shape of scissors produced by its competitors -- the shape is a functional characteristic of the product.

Example 23: Cereal Manufacturer makes "pillow-shaped" shredded wheat cereal. There is no patent protecting the shape of the shredded wheat or the method of manufacture. Competitor also manufactures shredded wheat in the same shape used by Cereal Manufacturer. The evidence shows that the pillow shape is functional -- changing the shape would significantly increase the cost of producing the cereal (because of the particular type of machinery necessary to produce the cereal), and the quality of the cereal would be impaired with another shape. Cereal Manufacturer sues Competitor for passing off. Competitor will prevail. The evidence shows that the shape is functional because it contributes to efficiency and cost savings in manufacturing the product and affects the product's quality. Even if consumers associate the pillow shape with Cereal Manufacturer, because it is functional, Competitor may freely copy the shape.

In all cases alleging passing off or source confusion under the Lanham Act, the person making the claim must prove that consumers are likely to be confused about the source of the product. There is no liability unless the misrepresentation is likely to cause confusion, or to cause mistake, or to deceive as to source or affiliation. Likelihood of confusion is judged from the perspective of an ordinary consumer examining the product or service, and it is often proven using consumer surveys.

II. Trademark Infringement and Dilution

The law of passing off deals generally with the problem of misrepresentation about the source of a product or service. However, there is a special type of source confusion called trademark infringement. Trademark law was developed in order to give businesses the ability to create and use distinctive marks on their products and to prevent competitors from using confusingly similar marks. By concentrating source information in identifiable marks, the law promotes efficiency in the marketplace by allowing consumers to tell easily and reliably whether goods or services come from a particular source. Trademarks are protected by both federal law (under the Lanham Act) and state statutes. Although there are some differences in detail, the protection afforded to trademarks under the Lanham Act is generally the same as the protection afforded under state law. In general, trade "marks" consist of any word, name, symbol, or device, or any combination of these, used either to indicate the source of goods or services (i.e., trademarks and service marks), or to certify some quality or feature of goods or services (i.e., certification marks). Courts have been quite generous in finding marks, permitting such things as numbers, colors, pictures, and sounds to serve as marks. "Trade dress," which includes the overall nonfunctional design of the product and packaging, has also been recognized as a mark. The clear long-term trend is in the direction of extending trademark protection broadly to anything that serves to convey source information to consumers.

The Lanham Act recognizes four types of marks: trademarks, service marks, certification marks, and collective marks. Trademarks and service marks (e.g., "KODAK," "YALE," or "FORD") are used on goods and services to identify and distinguish those goods and services from the goods and services of others, and to indicate the source of the goods or services, even if that source is unknown. Certification marks are used to certify regional or other origin or one or more features or qualities of the goods or services (e.g., the "GOOD HOUSEKEEPING SEAL"). Collective marks are trademarks or service marks used by the members of a cooperative, an association, or other collective group or organization. Service marks, certification marks, and collective marks are generally subject to the same registration requirements and receive the same type of protection by the Lanham Act as trademarks.

One of the most important restrictions on marks is that a word or symbol that has become the generic name for the good or service cannot serve as a mark indicating source. A "generic name" is the name used by the public to refer to the good or service itself, as opposed to a particular brand of the product or service.

Example 24: One company invented a moving staircase and called it an "escalator." Over time, the word "escalator" came to mean a moving staircase in general, instead of a particular brand name. Another company began manufacturing a moving staircase under the name "escalator." The first company sued the second, alleging trademark infringement. The first company lost its trademark in the word "escalator" when, in the public mind, the word came to mean the product itself instead of a particular brand name product. That is, when "escalator" became the generic name for moving staircases, all competitors were free to use the word "escalator" to describe their product.

The point to keep in mind here is that you should not use your company's brand names to describe the generic class of products manufactured by your company, and if you see other companies doing so, you should report such use to your supervisor or your company's legal counsel. For example, if your company manufactured copy machines under the brand name "Duplitex," using the name as a verb ("please duplitex this for me") or as a generic description of the product ("our competitor's duplitex machines aren't nearly as fast as ours") could lead to loss of trademark rights if it became common practice among the public. It is not a problem to use your trademarked name as an adjective ("please make a Duplitex copy of this for me").

A. Infringement of registered and unregistered marks

The Lanham Act protects marks that have been registered with the federal Patent & Trademark Office as well as unregistered marks. Registration carries with it certain advantages in litigation (e.g., presumptions regarding ownership and validity of the mark), as well as in terms of creating priority over subsequent users.

A mark that has been registered on the "principal register" may be protected from infringement by a lawsuit under Section 32 of the Lanham Act. To establish a claim under Section 32, the person making the claim must prove ownership of a valid mark (a trademark, service mark, collective mark, or certification mark) that was properly registered, that gives the plaintiff the exclusive right to use that mark in commerce in connection with the goods or services specified in the registration, a copy or confusingly similar imitation of which has been used by another person in commerce, and the use of which is likely to cause consumers to be confused or deceived as to the source of the goods or services. Even if a mark is not registered under the Lanham Act, the owner still may bring an infringement action under Section 43(a), as a passing off claim, and the elements are substantially the same.

B. Likelihood of confusion

The crux of a trademark infringement action is the likelihood that consumers will be confused or deceived as to source as a result of a second person's use of the same or a confusingly similar mark on his goods or services. The legal test for infringement actions under both sections of the Lanham Act discussed above is the same -- whether the public is likely to be deceived or confused by the similarity of the marks. Courts generally decide this issue from the standpoint of the ordinary and reasonably prudent purchaser. In other words, the perspective is that of consumers in the marketplace. Consumers in stores are unlikely to dissect a trademark, and courts accordingly judge the overall impression that a particular trademark or other mark is likely to make. Courts are less likely to do a detailed, side-by-side comparison of the two marks unless that is the way consumers are likely to view the marks in the marketplace. If consumers for a particular product are likely to inspect the goods with some care, or are relatively sophisticated purchasers in that market, courts will use a more detailed approach. The courts are generally in agreement about the type of evidence that is relevant in determining the likelihood of consumer confusion as to source. The following factors are used -- (1) the "strength" or "weakness" of the marks (how well known the mark is, and how likely consumers are to associate the mark with a particular maker); (2) similarity in appearance, sound, and meaning between the marks; (3) the class of goods in question; (4) the marketing channels; (5) evidence of actual confusion; and (6) evidence of the intention of the defendant in selecting and using the alleged infringing name. The important thing to note is that trademark infringement is serious business and can lead to hefty damage awards against the infringing party. Therefore, be very careful about using marks on your company's products or packaging that may lead to confusion between your product and a competitor's.

C. Trademark dilution

A claim of trademark infringement requires proof that the use of the mark is likely to confuse consumers as to the source of the goods or services. Some marks have become so valuable and so identifiable with one particular business that any unauthorized use of the mark, even when there is no confusion as to source, may injure the owner of the mark because the mark's meaning becomes "diluted" in the minds of consumers. To protect against this type of injury, Congress and a number of states have enacted "antidilution" statutes. Typically, these statutes protect only highly distinctive, well-known marks, and protection is limited to uses that are likely to disparage or dilute the value or distinctiveness of the protected mark. So, for example, if a bakery started to sell donuts under the mark "KODAK," even though few or no consumers would be likely to be confused about the source of the donuts, a suit against the bakery to protect the value of KODAK's mark would be possible. For most purposes, the basic rule for a business should be not to use another business's mark, or a mark confusingly similar to another business's mark, for any purpose. That is the best way to avoid legal entanglements.

REMEDIES
Lawsuits are often divided into two parts. The first part involves the question of whether the person sued should be held liable for doing something wrong (such as interfering with a competitor's contract or infringing a trademark). The second part addresses what remedies the court will give for the wrongful conduct. The law of remedies is important because the losing party ultimately must follow whatever judgment the court enters (either by paying money damages or by taking some other action). There are basically two types of remedies that are commonly employed in unfair competition cases. First, a court can enter a judgment requiring the loser to pay monetary damages to the winner. Second, a court can enter an order called an injunction that specifically directs the losing party either to take certain actions or to refrain from taking certain actions.

I. Damages

A. Compensatory damages


To be awarded money damages, the winning party must (a) prove that it in fact suffered some injury or is reasonably certain to suffer an injury as a result of the wrongful conduct, and (b) establish a reasonably certain estimate of the amount of the damages. The losing party may reduce the award by demonstrating that the winner failed to take reasonable steps to avoid (or "mitigate") the extent of the harm. In lawsuits between businesses, the winning side will normally seek to recover "lost profits" as part of its damages. Most businesses would not bother to sue unless they felt that their "bottom line" had been significantly affected as a result of the other side's conduct. Indeed, one primary purpose in filing a lawsuit is usually to recover business losses (as well as prevent a recurrence of the conduct). To recover lost profits, the winning side must establish what its profits would have been if the wrongful conduct had not occurred, and then subtract from that figure the winner's actual profits during the same period. This is much easier said than done in many cases, since there usually are multiple factors that may affect a company's profits having nothing whatsoever to do with the wrongful conduct. Market demand for a company's services or products may fluctuate seasonally. Costs may dramatically rise or fall over short periods of time. Major, one-time events may skew a company's profits. Better or worse management may lead to profits or bankruptcy. With all of these factors, distinguishing between a fall in profits attributable to the wrongful conduct and a fall in profits attributable to some other factor or factors can be extraordinarily difficult, if not impossible.

In light of these difficulties, the issue often arises whether lost profits can be proved with "reasonable certainty." Both the fact and the amount of damages must be proved, although once the fact of damages is established, courts give substantial leeway in establishing the amount. The fact of lost profits can often be shown by evidence that profits fell shortly after the wrongful conduct began, together with anecdotal evidence from customers that, as a result of the wrongful conduct, they took their business elsewhere. Even if the fact of injury is established, the winning side must still show the amount of damages with reasonable certainty. Although courts are willing to tolerate a fair amount of uncertainty in determining the amount of damages, the evidence must nevertheless rise above speculation and conjecture.

Example 25: Competitor disparaged Company's product in a letter sent to all of Company's existing customers. Shortly after the letter was sent, Company's sales dropped off dramatically. Company's profits for the prior year from the sale of the product were $100,000. Following the letter, profits dropped to $20,000 annually and remained at that level for one year until Company successfully convinced its customers that the letter was false. Company did this by spending $50,000 on a responsive advertising campaign. Testimony from several customers who had dropped Company established that the letter was the primary reason for refusing to buy from Company. Company should be able to recover as lost profits the difference between its profits from the sale before the letter and its profits after the letter. On the facts given, this appears to be $80,000. In addition to these lost profits, Company was forced to spend $50,000 in an attempt to counter the effects of the disparaging letter. Company will also be able to recover this amount as damages.

B. Punitive damages

Punitive damages are ordinarily available only if the jury finds that the losing party not only violated the law, but also engaged in particularly blameworthy conduct that warrants additional punishment or deterrence. Depending upon the jurisdiction, sufficiently blameworthy conduct means malice, fraud, oppression, gross negligence, criminal conduct, recklessness, or conscious disregard for the rights and safety of others. It is well settled that punitive damages are not available when the conduct is merely negligent. Something more is required. Punitive damages, or a similar penalty in the form of an award of double or triple the amount of compensatory damages, are available for all the claims of unfair trade practices discussed in this Handbook. Punitive damages have been awarded for interference with contract, misappropriation of trade secrets, and trade libel or product disparagement actions. While the Lanham Act does not itself authorize an award of punitive damages, Section 35(b) of the Act authorizes triple damages for intentionally using a counterfeit mark, and a winning party may be able to recover punitive damages on a state law trademark or unfair competition action that is brought together with a Lanham Act claim. The most dramatic punitive awards usually involve personal injury or massive environmental and property damage. The punitive awards in the Ford Pinto case and the Exxon Valdez incident are but two examples. Yet juries have not hesitated to make huge punitive awards in unfair trade practices cases if they are sufficiently outraged about perceived corporate wrongdoing, motivated by excessive greed or other evil motives. The jury (or the court in a nonjury case) has broad discretion to fix the amount of punitive damages based on a number of factors, such as the amount of compensatory damage, the egregiousness of the defendant's conduct, the risk posed to the public, and the financial condition of the losing party.

A corporation can generally be held liable for punitive damages only when its officers, directors, or managing agents have personally engaged in the blameworthy conduct, authorized or ratified the conduct, or knowingly hired an unfit employee in conscious disregard of the rights or safety of others. The basic idea is that a corporation should not be held liable for punitive damages unless an employee with managerial responsibility was actually engaged in or approved the blameworthy conduct. In a few jurisdictions, a corporation can be liable for punitive damages when any employee's conduct is sufficiently blameworthy, as long as the conduct is within the employee's scope of employment.

II. Injunctions

An award of damages creates a monetary debt that the losing party owes the winning party. In some cases, an award of damages will not fully compensate the injured party. In those cases, courts may enter an injunction. An injunction is a court order that directs a person to refrain from, or engage in, particular conduct (e.g., "the defendant is hereby enjoined from using the plaintiff's mark in defendant's advertising"). There are basically two types of injunctions -- permanent injunctions (which may be entered at the end of a trial after a finding of liability) and preliminary injunctions (which may be entered shortly after the complaint has been filed and long before the trial).

A. Permanent injunctions

Whether an injunction is available is not simply up to the party filing the lawsuit. Courts generally will not issue an injunction unless damages are inadequate as a remedy. There are four common situations where courts have found damages to be inadequate:
o The party filing the suit has been deprived of property or intangible rights that are unique (e.g., real property or special personal property such as family heirlooms).
o Monetary damages cannot be measured with sufficient certainty (e.g., lost future profits).
o Multiple damage lawsuits would be required for complete monetary relief (for example, because the wrongful conduct is likely to continue or be repeated).
o Damages are available but not, as a practical matter, collectible (e.g., the wrong-doer is insolvent).

Unfair competition cases commonly fall within one or more of these categories. For example, property rights in trademarks, trade secrets, and other intellectual property are arguably unique. Reputational harm resulting from trade libel, damages for lost future profits, and competitive injury from false advertising or other unfair trade practices will often result in damages that cannot be measured with any degree of certainty.

B. Preliminary injunctions and temporary restraining orders

A permanent injunction can be entered only after the court has fully considered the matter on its merits (which, if there is a trial, can be many months or years after the conduct in question). Courts can protect a party claiming injury during the pendency of the lawsuit only by issuing a preliminary injunction or temporary restraining order. As a practical matter, unfair competition cases are often won or lost within weeks of filing the lawsuit -- at the preliminary injunction stage. If a business can "enjoin" (stop) a competitor's wrongful conduct without a trial, the dispute may be moot by the time a full trial takes place. For example, if a competitor's advertising campaign is only going to last 13 weeks in any event, stopping the campaign in the first week with a preliminary injunction may end the case as a practical matter. Even in cases where the preliminary injunction does not end the litigation, putting an end to a continuing harm while the suit is pending, which is the primary purpose of a preliminary injunction, is often of critical importance to the party filing suit. A temporary restraining order (TRO) is another form of preliminary relief, except that a TRO is a form of very short-term, emergency relief. A party might seek a TRO to stop the airing of a television advertisement scheduled to be broadcast the very next day.

Temporary restraining orders ("TROs") and preliminary injunctions differ from final, permanent injunctions in two important ways. First, TROs and preliminary injunctions usually are based upon only partial evidence, often presented to the court with documents rather than live witnesses. Second, TROs and preliminary injunctions are temporary relief designed to last only until the final determination after a full hearing on the merits. In short, this type of relief is tentative and temporary. These two characteristics largely determine the standards courts employ in determining whether to grant a TRO or a preliminary injunction. First, rather than determining whether the party filing suit has proved its case, courts assess the likelihood that that party will ultimately prevail after all the evidence is presented. The issue presented by a motion for a preliminary injunction is, strictly speaking, not whether the party seeking the injunction is legally right, but how likely it is that the party is right. Second, because the relief is granted (temporarily) before all the evidence is in, courts must weigh the comparative hardship on the parties if the injunction is granted or denied -- whether the party seeking the injunction will be irreparably harmed if the injunction is denied and whether that harm is outweighed by the harm to the party opposing the injunction if it is granted. In sum, courts generally consider the following factors in deciding whether to issue a TRO or preliminary injunction:
o the likelihood that the party seeking the injunction will ultimately win the lawsuit,
o whether the party seeking the injunction will suffer irreparable harm if the injunction is denied,
o the balance of hardships between the parties, and
o the public interest.

C. Contempt

The ultimate weapon that stands behind injunctions is the power of contempt. A person over whom the court has jurisdiction is subject to sanctions (including imprisonment) for violating an injunction. This is very different from a judgment for damages. A damage judgment simply creates a debt. An injunction, by contrast, is an order that the court can specifically enforce by fining or imprisoning someone who does not comply. The stakes are thus much higher with injunctions. As a result, technical or accidental violations of an order will not be contempt, and contempt is also unavailable if the party has made a diligent and reasonable attempt to comply. This does not mean that "good faith" or simple reliance upon advice of counsel is a defense to contempt. To the contrary, conscious violation of a court order is contempt even if the party relied on the advice of counsel. The trial court has broad discretion in setting an appropriate contempt sanction. Sanctions can include an order compensating the other party for damages resulting from the noncompliance, an award of any profits gained by noncompliance, an award of attorneys' fees, and/or imprisonment.

ANTITRUST: PRICE DISCRIMINATION


INTRODUCTION
In this Handbook, we'll take a look at the antitrust issues relating to price discrimination. Price discrimination basically means selling the same product at two different prices. Most of the laws and rules we will be discussing arise from the Robinson-Patman Act, which prohibits certain discriminatory pricing activities. You should keep in mind that not all price discrimination is illegal. Additionally, the Robinson-Patman Act contains many complex rules and regulations subject to a number of exceptions and special situations that simply cannot be covered in a brief treatment of this kind. It is therefore important to keep in mind that this Handbook does not provide any advice or guidance about what you should do in a particular situation. Make sure to get such advice from your company's lawyer.

ELEMENTS OF A PRICE DISCRIMINATION VIOLATION


Under the Robinson-Patman Act, it is unlawful to discriminate in price between different purchasers of commodities of similar grade and quality. A company violates the price discrimination provisions of the Robinson-Patman Act if:
o the same seller makes two or more sales to two different purchasers,
o the sales are made at about the same time,
o the sales are of tangible goods (not services),
o the sales are of similar grade and quality,
o different prices are charged,
o the goods are for use in the United States,
o at least one of the sales involves interstate commerce and crosses state lines, and
o the difference in price causes competitive injury.

We'll discuss each of these elements, as well as other issues, in this Handbook.

II. Two Completed Sales To Two Different Purchasers


Only completed sales can violate the Robinson-Patman Act. Offers to sell and refusals to deal do not constitute violations.

Example 1: Universal Textiles makes denim material and sells it to companies that manufacture and sell blue jeans. Universal offers Yardex a price of $10 per square yard. It offers the exact same material to Global for $11 per square yard. Global refuses to buy the product at the higher price, claiming it is discriminatory. Because there have not been two completed sales to two different purchasers, price discrimination liability cannot exist.

In addition, the Robinson-Patman Act does not apply to long-term leases, to acting as an intermediary between a seller and its customers, or to licensing computer software.

Example 2: Global Operations manufactures a computer-operating system that is used in high-end workstations. It licenses its computer software at two different prices. Companies willing to buy its word processing application software in a package can license the operating system for $85. Companies that refuse to license the word processing software must pay $95. Licensing computer software is not a "sale" under the price discrimination laws. Therefore, Global Operations has not engaged in price discrimination.

III. Reasonably Close In Time


For sales to be reasonably close in time, they need not be made at precisely the same time. However, the more time that passes between sales, the less likely it is that a price discrimination violation has occurred.

Example 3: Universal, Inc., a manufacturer of stereo equipment, sells its equipment through a nationwide network of retail dealers. Universal offers its top 10 dealers a price on stereo receivers of $200 per unit. Initially, Universal does not offer this price or even this product to its remaining 30 dealers. Two weeks later, when it has additional inventory available, Universal offers and sells the identical receivers to the remaining 30 dealers at a price of $300 per unit. Universal may have violated the price discrimination laws. It has charged two different prices for the same product. Although these sales are two weeks apart, they were made so close in time that Universal probably engaged in price discrimination.

Example 4: Global Toys is a toy manufacturer that sells to toy stores. Global offers a new Johnny Thunderbolt racing car to its 30 largest customers at a price of $12 each. Global sells all its available inventory. Fourteen months later, Global gets new inventory of the same product and sells it for $28 each to some of its other toy store customers. Whether Global has engaged in price discrimination depends on whether the two sales are considered reasonably close in time. Fourteen months is a long enough period that these two sales are probably not close enough in time to constitute a price discrimination violation.

IV. Sale Of Commodities
The federal price discrimination laws apply only to the sale of commodities. Generally, the term "commodities" means tangible products. The Robinson-Patman Act does not apply to real estate or intangible items. Intangible items include:

o securities,
o mutual fund shares,
o medical services,
o coupon books,
o rail transportation,
o cable television service fees,
o billing and collection services,
o traveler's checks,
o cellular telephone service,
o printing of comic books,
o long-distance voice telecommunications services, and
o advertising.

Example 5: Accountants, Inc. prepares taxes for individuals at mall locations throughout the United States. It charges $250 per hour to prepare a federal return in New York and $350 per hour to prepare a federal return at its stores in New Jersey. Accountants, Inc. does not sell a tangible product -- it sells a service. Therefore, it is exempt from the price discrimination laws and cannot be liable for a price discrimination violation.

When a transaction involves both the sale of goods and the sale of services, the price discrimination laws apply only if the dominant nature of the transaction is the sale of goods.

Example 6: Universal Cable, Inc. sells cable television services to various consumer subscribers in a major midwestern city. In addition to providing a cable service for a monthly fee of $40 per month for basic cable, Universal sells, but does not lease, the set-top boxes needed to use the cable system. The boxes are sold in the northern part of the city at $20 per box, but are sold in the southern part of the city for $24 per box. Whether Universal has engaged in price discrimination depends on whether it is providing a service or selling a product. Since this transaction involved both the sale of a product (the set-top boxes) and the sale of services (cable TV), determination of whether Universal engaged in price discrimination will depend on the dominant nature of the transaction. If the dominant part of this transaction were the sale of the set-top boxes, price discrimination laws would apply.

V. Similar Grade And Quality


The Robinson-Patman Act applies only to products of like (similar) grade and quality. If there are major physical differences between the products sold, the price discrimination laws do not apply. However, sales of products with minor physical differences that do not affect whether customers will choose one product over another are covered by the Robinson-Patman Act.

Example 7: Universal Oat Corporation sells two oat flour products, one with a higher bulk content of oats than the other, for two different prices. The manufacturing costs for both products are the same. However, in the marketplace, there is greater consumer acceptability for the higher bulk oat product. Under the price discrimination laws, because there is a physical difference between the products, the products will not be considered like (similar) grade and quality. Therefore, Universal Oat Corporation can sell these products at two different prices without violating the antitrust laws. This is true even though the manufacturing costs are the same.

To avoid a price discrimination violation, it is not enough to simply give a product a premium brand name. If two products are physically identical, and one has a premium brand name attached and the other does not, the price discrimination laws still apply.

Example 8: Universal Muffler Corporation sells identical mufflers with different names. One version, which it calls Super Muffler, is sold to various retail muffler dealers at $88 per unit. Universal also sells its "consumer value" muffler to a limited number of customers for $68 per unit. The two mufflers are identical. Because the two mufflers have no physical differences, they will be considered like grade and quality despite the premium name brand attached to one of the products. The price discrimination laws apply, and Universal has engaged in price discrimination.

When the goods sold are perishable, the products usually cannot be of like grade and quality.

Example 9: Global Bagel Corporation sells fresh bagels to various supermarkets in one region for $2 per dozen. It sells day-old bagels at $1 per dozen. The bagels are identical except for freshness. When perishable products are at issue, the like grade and quality determination is made at the time of the actual sales. Fresh bagels are physically different from day-old bagels and, therefore, price discrimination is permissible.

VI. With A Different Price


Any price difference is a price discrimination. However, charging the same price to two customers is never price discrimination under the Robinson-Patman Act even if the seller's costs of selling to one purchaser are much higher than those of selling to the other.

Example 10: Chicken Farms, Inc. has its only plant in the southeastern United States. Chicken Farms, Inc. sells chicken at one uniform price to all supermarkets throughout the United States. It costs Chicken Farms, Inc. substantially less to sell in the Southeast than in other regions because the delivery costs are lower on deliveries in the Southeast. Chicken Farms, Inc. has not engaged in price discrimination. The price discrimination laws are concerned solely with whether there is a difference in price to buyers. The seller's costs are irrelevant.

To determine whether there is a difference in price, actual net prices (after all rebates, credits, and discounts) are compared. Differences in payment terms, credit extensions, the provision of coupons, and similar variables can also be reviewed to determine whether there is a price difference.

Example 11: Coffee Corp. sells coffee to supermarkets throughout the southwestern United States. It provides 10% of its best retailers with coupons that they can pass on to their customers for a $1 discount per pound of coffee sold. Coffee Corp. does not provide these coupons to its other retailers. When the customers of these retailers turn in these coupons, the retailers can then, in turn, return them to Coffee Corp. for reimbursement. In determining whether there are two different prices, these consumer coupons will be factored into the equation. In essence, Coffee Corp. is charging 10% of its retailers $1 less per pound.

It is irrelevant that the two different prices might have been charged to wholesalers and retailers as opposed to competing purchasers.

Example 12: Universal Gasoline Corp. sells gasoline to various service station dealers in local markets. Universal also sells to distributors. Distributors have their own trucks and distribution facilities. They also purchase gasoline and then resell it to retail service station dealers. Universal sells to its distributors for 2¢ per gallon less than it sells to its dealers. These two prices will be considered a price difference. While there may be other competitive justifications for allowing the price difference, the requirement of a price difference is met based on these facts.

Availability of discounts
When a claimed discriminatory price is functionally available, in other words, accessible to all customers (even if those customers do not take advantage of the price difference), the seller has not charged two different prices and has not engaged in price discrimination.

Example 13: Car Co. manufactures automobiles and sells them through a nationwide dealer network. It offers a new car model to its dealers at different prices depending on the volume purchased. Dealers buying 2,000 units can buy at a price of $14,000 per vehicle. Dealers buying 3,000 units can buy at a price of $13,000 per vehicle. The volume discounts are available to all Car Co.'s dealers. Car Co. has not engaged in price discrimination because it has made its price discounts functionally available to all its dealers.

Companies using discounts must, however, make sure that all their purchasers are aware of the available discounts and have the ability to take advantage of the lower price.

Example 14: Car Co. sells one of its models to a nationwide dealer network. It will offer a $2,000 discount per unit to any dealer that purchases a minimum of 4,000 units per year. However, Car Co. only informs its most favored dealers (meaning the top 10% in sales) about the discount. Car Co. is engaging in price discrimination. Because it has not advised all its customers about the discount, it is charging different prices to different customers.

A. Functional discounts

Functional discounts are sometimes an exception to price discrimination laws. A functional discount is a discount provided to companies that perform a distribution role in the supply chain. Manufacturers often sell to distributors (sometimes called middlemen or wholesalers) that then resell products to retail stores for ultimate sale to consumers. The distributors themselves bear the costs of hauling the products, storing products, customer billing, and so forth. Sometimes, manufacturers also sell directly to some retail stores. In this situation, the manufacturers bear the costs of hauling and storing the products, billing customers, and so forth. The manufacturers often sell to their distributors and direct sale retailers at two different prices. The manufacturers justify this on the ground that the distributors perform a function in the distribution chain that reduces the manufacturer's costs. As a result, distributors get the benefit of a functional discount.

Functional discounts are permissible only if the amount of the discount is a reasonable reimbursement for the marketing functions performed by the distributor that received the lower price. These functions might include hauling the products, storing products, customer billing, and so forth.

Example 15: Universal Drugs sells drugs to various wholesalers. The wholesalers then resell the drugs to retail pharmacies. The wholesalers are the only link between Universal and certain pharmacies, and the wholesalers advertise and solicit accounts, deliver the products, deal with customer billing, and so forth. Universal also sells directly to certain pharmacies. In those cases, Universal must absorb the costs of soliciting sales, delivery, customer billing, and so forth. Universal gives its wholesalers a price that is 12% lower than direct sale retail pharmacies. It justifies the price difference based on the added services that the wholesalers provide in the distribution process. Whether Universal has engaged in price discrimination will depend on whether the price difference is a reasonable reimbursement for the actual marketing functions performed by the wholesalers. In other words, the 12% discount that the distributors get must be approximately equal to Universal's savings or the wholesaler's costs.

If you or your company is considering functional discounts for certain wholesalers or other members of your company's distribution network, you should always consult counsel to make sure they are justifiable.

VII. Requirement Of Competitive Injury


Only price discrimination that may substantially injure competition violates price discrimination laws. Injury to competition generally is found either at the seller's level (primary line injury) or at the customer level between favored and disfavored customers (secondary line injury). Primary line injury typically involves a company that discriminatorily and unfairly prices its products to destroy a business rival. In these cases, the company's objective is to eliminate, or make less effective, competition and, thereby, gain and exercise control over prices.

Example 16: Universal Router has a 72% market share in the market for Internet routers, which move data across the Internet. Its chief rival is Global Data. Global Data has a 12% share, and Global Data's three biggest customers buy most of Global Data's routers. Universal Router sells routers to these three customers for 50% less than it charges other customers, attempting to put Global out of business. Any injury to Global Data is primary line injury because it is harm caused to one of Universal Router's competitors.

A company is guilty of primary line price discrimination when:

o it sells the same product to different customers at different prices;
o the price it charges in some of those sales is below its costs;
o it made the below-cost sales for the purpose of driving one or more competitors out of business; and
o it reasonably expects to recoup its losses resulting from the below-cost sales.

Below cost sometimes means below marginal cost (the cost to produce one additional unit of the product). Other times, below cost means below average variable costs (the sum of all variable costs divided by output). Although the definition varies, any pricing below some measure of cost should raise antitrust concerns.

Recouping one's losses resulting from below-cost sales means that the seller can regain or recapture its losses. In primary line cases, the offending company typically has a strong market share and relatively high cash reserves. As a result, it can suffer losses for some period and still survive. It therefore prices below cost, forcing weaker companies to also price below cost to maintain sales. When the weaker companies are ultimately forced out of business, the stronger company raises its prices back to even higher levels to recoup its losses resulting from below-cost pricing.

Example 17: Universal Engines is a large manufacturer of outboard boat engines. Pete's Outboards, a start-up company, makes and sells outboard engines in several Southeastern states. According to leading boating magazines, Pete's engines offer far better performance than Universal's. Universal, seeing the competitive threat, sells its engines to customers in Pete's market area for $1,500 each ($200 below its cost) while selling the same engines elsewhere for $2,200 each. Universal does this to put Pete's out of business, hoping that once Pete's is driven from the market, Universal will be able to raise prices back to or above previous levels and recoup its investment. Whether Universal has engaged in conduct that violates the price discrimination laws will depend on the answer to four questions. First, did Universal sell the same product to different customers at different prices? Second, did it charge below-cost prices in some of those sales? Third, did it do so for the purpose of driving a competitor out of business? And fourth, did it reasonably expect to recoup its losses from below-cost pricing? We know from our facts that the answer to the first three questions is yes, but the fourth is not so clear. If there are competitors able to expand their output of engines, or other companies capable of making competing engines that will enter the market once prices are raised to the previously high levels, Universal probably cannot count on being able to recoup its losses. On the other hand, if there are few or no rivals in or about to enter the market, Universal may be able to recoup its losses by putting Pete's out of business.

Proving that a company has the ability to recoup its losses resulting from below-cost pricing is extremely difficult. Still, because the potential penalties are so serious, any time a company prices its products below cost, it should consult legal counsel.

When some customers are forced to pay higher prices than their competitors, this is called secondary line injury.

Example 18: Medco sells medical thermometers to four competing hospitals. Three of the hospitals are charged $6 per unit. One of the hospitals is charged $7 per unit. Medco has engaged in price discrimination and the injury to the hospital that paid $7 per unit is a secondary line injury because it involves price discrimination between competing purchasers.

If the companies being charged different prices are not in competition with each other, no secondary line injury exists.

Example 19: Medco sells thermometers to four different hospitals. Three of the hospitals receive a price of $6 per unit and the fourth receives a price of $7 per unit. The fourth hospital is 60 miles away from the closest one of the three other hospitals. The three other hospitals are all within five square miles of each other. The issue here is whether the fourth hospital actually competes with the three other hospitals. If patients are unlikely to view the fourth hospital as a substitute for going to one of the three other hospitals, the fourth hospital does not compete with the other three, and there is no secondary line injury.

You should keep in mind that the development of the Internet is likely to have a substantial impact on secondary line injury cases because the geographic area of competition is likely to increase for many companies.

Example 20: Universal Books sells books through retailers across the United States. For years, it has priced its books based on geographic markets so that all buyers in the same geographic market received the same price. Universal justified the different geographic price zones because retailers in each zone competed with each other, but did not compete with retailers in different price zones. Beginning in 2000, all Universal's retail customers started Internet sites through which they sold books. Western Books, one of Universal's retail customers in its highest price zone, complains. Western Books argues that as a result of Internet sales, it now competes with all Universal's retail customers in all zones. As a result, Western Books claims it is entitled to Universal's lowest price. Anything else would be illegal price discrimination. Western Books has a legitimate argument. In electronic commerce, all vendors are, in a sense, right across the street from each other. Now that Universal's retail customers have switched to Internet sales, Universal might lose its argument that the price discrimination was legal because its retail customers did not compete.

VIII. For Use In Commerce Within The United States


The Robinson-Patman Act applies only to sales that are in commerce. This means that one of the sales must cross a state boundary. However, an intrastate sale can satisfy this requirement if it falls within the stream of interstate commerce, which is almost always the case. In addition, many states have price discrimination laws that prohibit price discrimination for sales that occur wholly within the state.

On a related note, the price discrimination laws do not apply to sales outside the United States. For price discrimination laws to apply, there must be two sales that involve products for use, consumption, or resale within the United States. Any price discrimination involving sales to foreign countries is not subject to the Robinson-Patman Act.

Example 21: Montana Computer Sciences, Inc. sells desktop computers to retail computer stores in Montana and Canada. For the same product, Montana Computer charges one price to stores in Montana and a different price to stores in Canada. Because both sales were not for use, consumption, or resale within the United States, the price discrimination laws are inapplicable.

However, when products are first sold in the United States for later resale to a foreign country, the price discrimination laws apply.

Example 22: Montana Computer Sciences, Inc. sells desktop computers to a company in Montana that resells the products in Montana. It also sells to a wholesaler in Idaho that then resells the computers in Canada. Montana Computer Sciences, Inc. sells the desktops to the Idaho reseller at a price 10% lower than the price it sells to its Montana customer. Montana Computer Sciences, Inc. has engaged in price discrimination. The fact that the Idaho company ultimately will resell the product into a foreign country is irrelevant. Once two sales at different prices occur in the United States, the price discrimination laws apply.

DEFENSE TO A PRICE DISCRIMINATION CLAIM


There are three reasons why a seller is allowed to price discriminate:

o cost justification,
o meeting competition, and
o changed conditions.

Any one of these reasons is an absolute defense to a charge of price discrimination.

II. Cost Justification
A seller may charge different prices to different purchasers when the different prices are justified by savings the seller obtains for cost of manufacture, delivery, or sales. In practice, this is difficult to prove because the seller typically must establish, through rigorous accounting, that the price differential is equal to the additional costs incurred in selling the product to the buyer that pays the higher price.

Example 23: A manufacturer plans to charge a different price to its customers based on their distance from its factory. This price difference is unrelated to shipping costs and based on the manufacturer's perception of "what each market will bear." This pricing plan, if implemented, may be unlawful price discrimination under the antitrust laws.

Example 24: Universal Music is a retailer that sells recorded music. Its business is being ruined by giant discount store chains that sell their products for less than Universal's wholesale cost. The giant chains buy most of their music from Global CD, Inc. Global provides discounts to customers that buy in large volumes. One reason why the discount chains are receiving their recorded music products at a lower wholesale price might be that it costs a manufacturer such as Global less, on a per-unit basis, to deal with large-volume customers. If that is the case, Global might have a cost justification defense to the differential pricing. However, if the wholesale price difference is not justified by cost differences, the conduct may constitute an antitrust violation.

III. Meeting Competition
When a seller, in good faith, offers a lower price to meet a competitive price offered by another supplier, the offering of the lower price does not violate the price discrimination laws.

Example 25: Universal Cola, Inc. sells cola products to distributors in California. For years, Universal sold to customers all over the state at the same price. In 2000, however, Global Cola, Inc. began selling cola products in southern California at a price 10% lower than Universal's products. Universal immediately dropped its price 10% in southern California, thereby setting up a seemingly discriminatory price structure between its northern and southern California distributors. If Universal was, in good faith, lowering its prices in southern California to meet Global's prices, Universal's conduct does not constitute illegal price discrimination.

Whether a company has taken sufficient steps to verify the existence of a lower competitive price depends on the specific facts of each situation. The more effort a company makes to verify the competitive price and the more documentation is maintained in a company's file on this point, the more likely it is that the company will be found not to have engaged in illegal price discrimination.

Example 26: Universal H2O sells bottled water. It hears rumors that its main competitor, Global Eau, has reduced prices in one region by 7%. Universal sells to several retailers that stock both Universal and Global products. Universal has its sales representatives go to these retailers to verify the reduction. In addition, Universal is told by other customers that they are receiving price reductions from Global Eau. Sales representatives for Universal also document reduced prices of Global products in supermarkets by 6%. In response, Universal lowers prices 7% in the region. Universal appears to have acted in good faith because it has taken reasonable steps to verify that it is lowering its price to meet competition.

If a seller makes a good-faith effort to verify that it is responding to a competitor's price, the seller can lower its price to meet competition, even if the seller was mistaken about the lower price.

Example 27: Universal H2O sells bottled water. It hears rumors that its main competitor, Global Eau, has reduced prices in one region by 7%. Universal takes good-faith steps to verify the 7% reduction by its competitor. In response, Universal lowers prices by 7% in that region. Universal later discovers that Global Eau's discount applies to carbonated soda products and not bottled water. Universal did not violate the price discrimination laws if it had a good-faith belief that it was meeting a competitor's price and took reasonable steps to verify the price. This is true even if it is later revealed that Universal was mistaken.

Of course, when a seller cannot verify a lower competitive price, it cannot claim that it was merely meeting the competition.

Example 28: Universal Tech, Inc. sells high-end chipsets to various computer manufacturers throughout Texas. Its five largest customers are in the Austin area. Universal also has other customers throughout the state. Universal historically sells the chipsets at a uniform price. When Universal hears rumors that a competitor is charging a lower price in the Austin area, it investigates and learns that the rumors are false. The lower price is for low-end chipsets that did not compete with Universal's products. Nonetheless, Universal lowers its prices in Austin. Universal is guilty of price discrimination. Universal's efforts to verify a meeting competition defense failed, and its lower price in Austin was not a good-faith response to competition.

Although a seller is required to take certain steps to verify that a competing seller has offered a lower price, the seller must be careful not to engage in price-fixing with the competing seller when it seeks to acquire information about the competitor's lower price.

Example 29: Universal Cola, Inc. sells cola products to distributors throughout California. For years, Universal sold the cola products to distributors all over the state at the same price. However, more recently, Universal hears rumors that Global is selling competitive cola products in southern California at a price that is 10% lower than the price at which Universal is selling identical products. Universal tries to investigate the matter by calling Global officials and asking for verification concerning the price at which Global is selling its products. Global provides a price list, which confirms that it is selling identical products at the lower price. Universal then seeks to match Global's lower price in southern California. Universal should not have sought to verify Global's pricing through direct contact with Global. This conduct could be found to be price-fixing and could subject Universal to civil and criminal liability. Even though there is no evidence of an actual price-fixing agreement, the exchange of price information among competitors is subject to strict antitrust scrutiny. Under no circumstances should you contact a competitor directly to verify a price.

IV. Changed Conditions

Price discrimination laws permit price differences due to changing conditions that affect the market or marketability of a product. For example, price differences can often result from the perishable nature of goods, the obsolescence or reduced value of seasonal goods, distress sales under court process, or going-out-of-business sales.

Example 30: Universal Glass sells its bottles to a customer for 6¢ each. A few days later, it announces that it is going out of business and sells the same type of bottles to another customer for 3¢ each. If Universal is legitimately going out of business, its sale of the bottles to another customer at a different price does not violate the price discrimination laws.

The concept of changed conditions also includes situations in which goods become obsolete or less desirable based on a change in technology.

Example 31: On June 1, Universal Computers sells 100 of its state-of-the-art Model M computers to a distributor for $900 each. On June 5, it begins selling the much faster Model Q computer. That same day, it sells 100 Model Ms to another distributor for $400 each. If the Model Q has made advancements that make the Model M less desirable, or even obsolete, Universal probably has not violated the price discrimination laws by selling the Model M to another distributor for less than the pre-Model Q price.

LESS COMMON EXAMPLES OF PRICE DISCRIMINATION


I. Buyer Liability

The price discrimination laws also make it illegal for a buyer to knowingly induce a seller to discriminate in price.

Example 32: A group of distributors of automotive parts forms a group-buying organization that successfully obtains large-volume discounts from various suppliers. Each of the group members knows that the sole function of the group-buying organization is to obtain a better price than the price offered to competitors that are not part of the group. This is illegal price discrimination on the part of the members of the group-buying organization, as well as the suppliers that sell to them.

II. Brokerage Provision
Price discrimination laws prohibit a party to a sales transaction from receiving a brokerage commission, or other compensation disguised as a brokerage commission, when it is actually a rebate on the price paid. Unless the payment is for actual services rendered, a violation has occurred.

Example 33: Universal Laboratories, a manufacturer of generic (nonbranded) pharmaceutical products, sells an antidepressant drug to various drugstores throughout Nevada. Universal's largest customer, Global Drugstores, requests that Universal supply the drug at a price 10% lower than Universal's other customers. Universal initially refuses. However, because it is concerned that it will lose Global's business, Universal agrees to allow Global's parent company to act as its agent and receive a 10% brokerage fee on all sales of the antidepressant drug to Global. Universal has violated the price discrimination laws because the brokerage fee is not paid for actual services rendered.

III. Promotional Assistance
The Robinson-Patman Act prohibits a seller from granting advertising and promotional assistance or services to some customers unless the same assistance or services are available to all competing customers on proportionately equal terms. In other words, the same assistance or services must be offered to all competing customers in proportion to the amounts (in dollars or quantity) that each customer purchases. Promotional assistance means that a seller pays money or provides services in connection with the resale of its products. Promotional assistance or services include:
 - cooperative advertising,
 - handbills,
 - demonstrations and demonstrators,
 - catalogs,
 - cabinets and display materials,
 - prizes or merchandise for conducting promotional contests, and
 - special packaging or package sizes.

Example 34: Universal Plumbing, a maker of plumbing supplies in the southern United States, decides to provide cooperative advertising allowances to its customers. If customers purchase specific quantities of Universal Plumbing's products, Universal will take out an ad in local newspapers for the customer and pay 100% of the ad's cost. Whether Universal has violated price discrimination laws depends on whether Universal has made the same deal available on proportionately equal terms to all of its competing customers. If it has not, it has probably violated the Robinson-Patman Act.

Even providing an employee to go on a joint sales call to help demonstrate the benefits of the manufacturer's product can be considered a promotional allowance.

Example 35: Universal Furnace sells furnaces to plumbing and heating companies. The plumbing and heating companies then resell the furnaces to large commercial customers, such as home builders. Universal sets up a program under which it will send a Universal employee on joint sales calls to home builders with any plumbing and heating customer that agrees to buy furnaces exclusively from Universal. Universal is probably violating the law because it has offered promotional assistance (demonstrators of its product going on the joint sales calls) but has not made the offer available to all of its customers.

A slotting allowance is a special kind of promotional assistance. A slotting allowance is a payment made for the purchase of display or shelf space. Such allowances are most common in the food industry when, for example, a food manufacturer makes an up-front payment to a supermarket for access to its shelves. Slotting allowances raise antitrust concerns when they give a dominant manufacturer an unfair competitive advantage. This is particularly true when the payments allow the dominant manufacturer to exclude a rival's products from supermarket shelves.

Example 36: Global Cereals has a 75% market share of sweetened cereals. It agrees to pay a fee to all the major grocery stores in Atlanta to have the primary shelf space in their stores for its cereal products. Global's agreement with these stores might violate the antitrust laws because Global has paid money, in connection with the resale of its products, in a way that excludes its rivals from access to consumers.

Reasonable payments to compensate a retailer for the costs and risks of stocking a new, unproven product are probably legal if there is no agreement to keep a rival's products off the shelves.

Example 37: Universal Jerky Corp. develops a new dried-beef product. It offers to pay all minimart-type stores in Kansas City a flat fee if they will stock the new product. If these payments are made to compensate the minimarts for the risk of using valuable space on a new product, and there is no agreement to exclude any rival's product, this slotting allowance is probably legal.

Although there is no single definition of "proportionately equal terms," proportionality can be achieved most easily by basing the payments made or the services furnished on the dollar volume or on the quantity of goods purchased during a specified period.

ENFORCEMENT
The Robinson-Patman Act allows injured companies and individuals to bring civil lawsuits against companies that have violated the price discrimination laws. In addition, both the Federal Trade Commission (FTC) and the Department of Justice (DOJ) can and do bring actions when a company or individual violates the Robinson-Patman Act. Although the number of FTC and DOJ Robinson-Patman Act cases has declined over the years, because of private-party enforcement as well as state price discrimination laws, companies must still be careful to avoid price discrimination.

ANTITRUST: TALKING WITH YOUR COMPETITORS


INTRODUCTION
The Sherman Act is the main antitrust law in the United States and is the primary basis for the Lessons in this Handbook. The Sherman Act makes illegal:
 - any agreement
 - that affects interstate commerce, and
 - that unreasonably restrains trade.

This Handbook focuses on competitors that either openly or subtly agree to fix prices or otherwise gain an advantage over their competitors. You will learn in this Handbook that some agreements among competitors are always considered illegal, no matter how well intentioned the agreements and regardless of their effect on customers. Other agreements are not always illegal; their legality depends on their effect on consumers. You will also learn in this Handbook about activities involving competitor communications at trade association meetings, industry self-regulation, and exchanges of information among competitors. Dealings between direct competitors get the highest level of antitrust scrutiny from courts, the Department of Justice (DOJ), the Federal Trade Commission (FTC), and state attorneys general. You should keep in mind that not all agreements among competitors are illegal. Additionally, the law contains many complex rules and regulations subject to a number of exceptions and special situations that simply cannot be covered in a brief treatment of this kind. Applying even the most basic legal principles to any particular situation can be highly complicated. It is important, then, to keep in mind that this Handbook does not provide any advice or guidance about what you should do in any particular situation. Make sure to get such advice from your company's lawyer.

THE EXISTENCE OF AN AGREEMENT


The antitrust laws regulate unilateral and joint conduct differently. The actions of a single firm, even one with monopoly power, can often be justified on the ground that they promote competition and help consumers. However, joint activity of two or more competitors is viewed much more harshly, because when two or more firms enter into an agreement there is a much greater chance of harm to consumers. Most often, a key issue in dispute is whether the conduct in question was that of a single firm or arose out of an agreement among competitors. In the context of an antitrust violation, a written or explicit agreement is not necessary to prove the existence of an agreement. There is no need for a handshake or even a knowing wink. Understandings may be unspoken and often do not require verbal communication. It does not matter if one party was forced or coerced into going along with the other party's demands. If the facts indicate that it was highly unlikely the parties were acting independently, a court might conclude that an unlawful agreement exists.

Example 1: Four bicycle manufacturers simultaneously adopt one standard for building a component part of their competing products. Then they all raise their prices. It is unlikely that four companies would adopt a standard and raise prices simultaneously without an agreement. Therefore, even if there is no proof of an actual meeting or discussion, the price hike might be considered an illegal agreement.

I. Parallel behavior
Parallel behavior exists when one competitor changes prices and other competitors follow, often in the same direction and in the same amount. Parallel behavior by itself is not illegal; competitors may lawfully follow a price leader as long as each decides independently. But if other facts suggest that the parties conspired to set prices, those facts, coupled with the parallel behavior, could show the presence of an actual illegal agreement. For example, an antitrust violation might be found where parallel behavior is accompanied by:
 - regular communications between the parties about prices or market conditions,
 - a history of price-fixing in the industry, or
 - anything else tending to suggest a motive to agree.

Generally, the more a company can document that it made its decision independently and for good business reasons, the more likely that its parallel conduct will not be found to be unlawful.

Example 2: Three cellular phone manufacturers sell phones through retail stores. A fourth sells on the Internet. All four announce within three weeks of each other that they are going to adopt one of two competing technological innovations. They all select the same one. Later, they each announce price increases in the trade press, as they have in the past. Additionally, the company that sold on the Internet starts selling only through retail stores. The conduct could be evidence of an illegal agreement. There is parallel pricing activity, plus other factors (announcements of the price increase, and a company changing its sales channel to conform to its competitors' sales channels). Also, the facts presented show no apparent evidence of any independent justification for the common conduct.

II. Attempts to conspire
As discussed earlier, conspiracies to restrain trade require some sort of agreement. If a competitor picks up the phone, calls another competitor, and proposes to fix prices, there is no conspiracy if the company receiving the call declines the proposal: attempts to conspire are not conspiracies when they are rejected. Still, such an attempt could result in:
 - an investigation by antitrust enforcers,
 - wire fraud or mail fraud charges brought by the DOJ (the FTC's enforcement authority is civil, not criminal), or
 - introduction of the attempt as evidence at a trial in which parallel conduct is alleged.

So what should you do if a competitor invites you to participate in an illegal agreement? Clearly and adamantly reject the offer and make sure others who are present know that you are rejecting it. Also, report it to your company's lawyer immediately. Whether the competitor asked you directly or indirectly, whether it was explicit or unspoken, and even if you said no -- make sure you report it to your company's law department and document it according to the lawyer's instructions.

III. Conspiring with a subsidiary


It takes at least two separate entities to form a conspiracy. However, because many corporations have subsidiaries and affiliates, it is important to know that a corporate parent generally cannot conspire with a wholly owned subsidiary. In addition, most courts have concluded that a conspiracy cannot exist between two subsidiaries or sister corporations wholly owned by the same corporate parent. This is because a parent and its wholly owned subsidiaries, or sister companies under common ownership, are considered a single entity (not separate companies) under the antitrust laws.

Example 3: Universal Operations, Inc. owns all the voting stock of Global, Inc. and Galaxy, Inc. A customer files a lawsuit claiming Global and Galaxy agreed to fix prices. Most courts would conclude that Global and Galaxy are incapable of conspiring in violation of the antitrust laws. Most courts would also conclude that if Global and Galaxy were not owned by a single company, but instead by the same several individuals who manage all of Global's and Galaxy's affairs, Global and Galaxy could not have conspired to violate the antitrust laws.

It is important to remember that the outcome of an antitrust lawsuit can vary depending on the specific facts and also on the jurisdiction in which the lawsuit is filed. Also, many federal courts disagree about whether this general rule applies when a subsidiary is less than 100% owned by a corporate parent. Some courts treat ownership of 51% or more the same way 100% ownership is treated. Others have concluded that any ownership of less than 100% means that a conspiracy can exist between a parent and a subsidiary or between two subsidiaries of the same parent. For this reason, you should consult your company's law department on this issue before entering into contracts with your company's parent or subsidiary, or with another subsidiary of the parent.

THE RESTRAINT MUST AFFECT INTERSTATE COMMERCE


Before it is illegal under the federal antitrust laws, the conduct in question must have an effect on interstate commerce. The nature and amount of proof required might be different than you would expect. In fact, federal courts have been quite liberal with the requirement to prove an effect on interstate commerce. As a practical matter, interstate commerce is rarely an issue. Most commercial activities, particularly by large companies, affect interstate commerce.

Example 4: Universal Hospital claims that competing Five Lakes Hospital conspired to block its expansion. Five Lakes Hospital claims there is no effect on interstate commerce. Five Lakes is probably wrong about the effect on interstate commerce because a substantial amount of its medicine and supplies come from out-of-state sellers, a large portion of its revenues comes from out-of-state insurers, and the planned expansion would be underwritten by out-of-state lenders. Thus, the conduct had an effect on interstate commerce.

The point to remember is that it does not matter how local the operation is. If interstate commerce is affected, a business's conduct can be regulated under federal antitrust laws. Furthermore, every state has enacted its own antitrust and unfair competition laws. Therefore, even if there is no effect on interstate commerce, state antitrust laws can still apply to the conduct of a particular business.

THE AGREEMENT MUST UNREASONABLY RESTRAIN TRADE


There are two basic kinds of agreements that unreasonably restrain trade:
 - agreements that almost never benefit consumers and almost always restrain trade, and
 - agreements whose legality depends on whether they harm competition in a market and hurt consumers, or whether they promote competition and benefit consumers.

There are certain agreements that are always illegal because they always, or almost always, harm competition to the detriment of consumers. These types of agreements are referred to as per se violations of the antitrust laws. In other words, they are automatically illegal, and little or no factual inquiry is made to determine whether the agreement promotes or harms competition. Among these types of agreements are:
 - agreements that affect price, such as price-fixing and bid rigging,
 - market (customer or territory) allocations among competitors, and
 - certain types of group boycotts and other refusals to deal.

If two competitors engage in any of these activities, the conduct is illegal even if the companies can show that the conduct promotes competition. Example 5: CarCo and AutoCo are the two main sellers of automobiles in the United States. They both sell in all 50 states. They agree to allocate territories. CarCo will sell only in the East and AutoCo only in the West. They can prove this will reduce their costs and lower prices for consumers. The companies have violated the antitrust laws because an agreement to allocate territories is always illegal. The fact that consumers may benefit from lower prices is irrelevant. There are other types of agreements that may or may not be illegal, depending on whether the conduct hurts or promotes competition. For example, two competitors might enter into a joint venture to develop a new product and agree to sell it together. They might also use the same sales force and sell the product at a single fixed price. This conduct is not automatically illegal. Instead, the legality of the conduct depends on whether the pro-competitive advantages such as expanded choices for the consumer, lower prices, or expanded services or options outweigh any harm to consumers from this arrangement.

The federal government recognizes that some collaborations provide significant benefits for competition and consumers. The FTC and the DOJ have jointly published "Antitrust Guidelines for Collaborations Among Competitors" to help companies judge whether a particular agreement is likely to be challenged. These guidelines contain several safety zones within which collaborations are unlikely to be challenged as a general matter -- for example, where a joint venture and its participants have a combined market share of no more than 20% of each market in which competition is affected. Again, however, you should consult your company's law department before engaging in any joint venture, even if you believe it falls within a safety zone. The bottom line is that agreements among competitors that allow companies to compete better are not necessarily unlawful. Still, such agreements may be unlawful if a court determines that they harm competition more than they benefit consumers.

II. Types of agreements

A. Price-fixing


An agreement among competitors that has the purpose of setting prices is a classic example of illegal behavior. Direct agreements on what prices to charge are always illegal, and the individuals involved can be held criminally responsible and imprisoned. In recent years, there have been several highly publicized lawsuits brought against companies that have entered into direct agreements on price.

Example 6: Employees of two dairies get together and agree that they will charge local grocery stores at least $2 for a half gallon of milk. The dairies are fixing prices, and both the companies and their employees can be found criminally responsible. The employees may go to jail, and the companies may be forced to pay fines.

As we discussed previously, there need not be a formal agreement for an activity to be considered price-fixing. Unspoken understandings and parallel conduct can lead to liability as well, although criminal prosecution is usually reserved for outright agreements.

B. Bid rigging

In a bid-rigging agreement, competitors agree on who will submit the winning bid on a government or other contract. Like price-fixing, bid rigging is so likely to harm competition and consumers that the courts usually treat it as automatically illegal. Here's an example of bid rigging: a school district decides to accept bids from several different milk suppliers for an exclusive contract to provide milk to all of the district's schools. Several competitors get together and decide that Global Dairy will submit the winning bid, and that they'll each take turns submitting winning bids in the future. In accordance with their agreement, Universal Dairy withdraws its bid, Acme Dairy submits a bid that's too high, and Worldwide Dairy submits a bid with terms that the school district could never accept -- so Global Dairy wins the contract. Without the suppliers' bid-rigging agreement, the district might have gotten a better price. The milk suppliers have harmed competition.

C. Agreements on terms of sale

An agreement does not have to be an agreement on price to be unlawful. Some other agreements affecting price are still considered price-fixing and are thus automatically illegal. These include agreements among competitors on:
 - uniform or standard trade-in allowances,
 - cash down payment requirements,
 - discontinuation of free service, and
 - limitation of discounts.

If the terms of sale are an area in which sellers have competed in the past, any agreement to restrict competitor activity as to the terms of sale may be illegal.

Example 7: The managers of three competing car dealerships meet and agree that they will not pay more than the price published in the blue book for any used car trade-in and will increase their cash down payment requirement from 10% to 15% down. The agreements on trade-in price and down payment terms are both examples of illegal price-fixing. The agreement not to pay more than blue book is considered price-fixing even though there is no agreement on a specific price. Even if the agreement on the minimum down payment term does not have a direct effect on the ultimate price charged, it is still illegal because sales terms such as these have an effect on consumer costs.

D. Agreements on costs

Agreements among competitors concerning internal costs and charges that are not line items paid by customers but are included in the price charged are also almost always illegal. Examples include agreements among competitors:
 - establishing uniform markups,
 - imposing mandatory surcharges,
 - specifying price differentials between grades of a product, and
 - adopting classifications of customers entitled to discounts.

Example 8: Sam's Skirts and Don's Dresses buy clothing from some of the same manufacturers and sell the clothing at their retail stores. Sam's and Don's do not buy all the same products. However, when they buy identical products, they do not always pay the same prices. Sam's and Don's agree to mark up girls' dresses 105% above the wholesale prices charged to them by the manufacturers. Even though Sam's might be paying a different price than Don's for the same dress, the 105% markup agreement is still illegal because it restrains the independent pricing decision of a competing seller of the dress.

Example 9: Two makers of vegetable oil buy soybeans from farmers as a basic input for making oil. Soybeans are graded on their oil content. High-grade beans contain more oil than low-grade beans. The vegetable oil companies do not agree on what price they will pay for any beans, but agree that the difference between what they pay for high- and low-grade beans will be 15¢ per bushel. This agreement is illegal because the agreed-on differential affects the prices paid, and without the agreement the two buyers would compete for the farmers' crops. It does not matter that buyers are fixing the price they pay, rather than sellers fixing the sale price. Both situations can violate the antitrust laws.

Some agreements that affect prices are considered automatically illegal under the antitrust laws, even if a sales price is not fixed. Agreements among competitors that affect prices and that courts have declared automatically illegal include:
 - agreements to use a common sales agent to fix prices,
 - agreements to use a uniform list price as a common starting point for negotiations with customers,
 - agreements to restrict price or feature advertising,
 - agreements to use specified accounting methods,
 - agreements to require a percentage contribution from each contract to be placed into an industry-wide collective bargaining fund,
 - agreements to use only a specific group of subcontractors,
 - agreements to adopt standard-setting that stabilizes prices,
 - agreements to exclude a price-cutting competitor from a trade show, and
 - agreements to advertise prices collectively.

Example 10: Tired of repeated price wars, several retailers of stereos and televisions agree that while they are free to charge whatever price they wish on any item, they will not advertise prices in the Sunday newspaper. This is automatically illegal because the agreement affects price. Even though the retailers are free to charge any price, the advertising agreement will tend to discourage price competition.

Although it may be more common to think of competitors agreeing unlawfully to fix the minimum price of a product, it is also always illegal for competitors to set a maximum price for their products. Both situations restrict the freedom of competitors to use their own judgment in competition with each other.

Example 11: Two competing bookstores agree not to sell the newest best-selling spy novel for more than $24.95. This is illegal.

E. Market allocation

Another area in which courts are willing to declare an agreement almost always illegal is market allocation. When competitors agree to divide up certain potential customers or create geographic areas where they will not compete, this is called market allocation. Any agreement that would tend to limit one competitor's attempts to make sales could violate antitrust laws.

Example 12: Two supermarkets operate in a town. One is on the east side, and the other is on the west side. The east side supermarket develops a plan to open a store on the west side. The president of the west side store and the president of the east side store speak by telephone and discuss the east side store's plan. After this conversation, the east side store decides not to open the store on the west side. This decision is an agreement among competitors not to compete in each other's territory. They have allocated markets, and this is illegal.

The result is the same in the bidding context. Specifically, any agreement restricting the projects each competitor will bid on is automatically illegal.

Example 13: Two companies preparing to bid for mineral rights on federal lands each want the same two parcels. In light of this, they decide they are better off not both bidding on both parcels, because they would be competing against each other. Therefore, they agree that one will submit a bid on one parcel and the other will bid on the other parcel. This is illegal, and it does not matter that there are other bidders or whether the conspiring companies win or lose the bid.

Allocating customers is also illegal.

Example 14: Five consumer products companies exchange their customer lists. There is a great deal of overlap. They agree that each can identify its top three customers and that no other competitor will sell to those three customers. This conduct allocates customers, and it violates the antitrust laws.

F. Output restrictions

Agreements among competitors that affect the production or sale of a company's products are called output restrictions. These agreements are almost always illegal. Examples of output restrictions include:
 - agreements that limit production or set production quotas,
 - agreements to discontinue a product,
 - agreements to limit business hours,
 - agreements to close a particular facility or to restrict its production,
 - agreements to set a minimum quantity of a product sold, and
 - agreements to fix the amount of a basic ingredient.

These agreements are almost always illegal because they are entered into for the purpose of harming competition and not for some purpose of benefiting competition.

Example 15: PharmoCo and MedicineCo make aspirin. Each has a 40% market share. They agree to run their factories no more than 30 hours per week. This agreement is illegal because by limiting the time the factories run, output is restricted and fewer aspirin are produced. This could lead to lower aspirin supplies in the market, higher prices, and damage to competition. If the output restriction agreement benefits consumers overall and does not unnecessarily restrict competition between the parties, it may not violate the antitrust laws. Example 16: CompuMax and CompuPro are two major producers of a variety of computer software. Each has a large, worldwide sales department and has developed and sold its own word processing software. But despite all efforts to market this software, each company has achieved only slightly more than a 10% market share, and neither is a major competitor to the two firms that dominate the word processing software market. CompuMax and CompuPro determine that their complementary areas of design expertise would allow them to develop a far better word processing program together than either can produce on its own. They form a joint venture, WordFirm, to jointly develop and market a new word processing program, with expenses and profits to be split equally. CompuMax and CompuPro both contribute experienced software developers, with expertise in word processing software, to the joint venture. After forming WordFirm, both companies concentrate their resources on developing their new product, and lower their output of independent products. Here, both companies have combined their design efforts, using complementary expertise, in a common endeavor to develop new word processing software that they could not have developed alone. This integration of economic activity is likely to result in greater choices for consumers, and likely will not be deemed to violate the antitrust laws. 
The key to understanding the difference between illegal and legal agreements lies in whether the agreement on output is combined with some objective other than reducing output, and whether that other objective enhances competition to the benefit of consumers. If the agreement causes prices to rise, this hurts consumers and is illegal. The simplest way to understand when output agreements are legal is to consider a joint venture. Sometimes, two companies cannot do something alone, but together they can provide a product or service that might not otherwise be available. By combining their efforts to bring about something they could not do alone, the combination tends to increase output overall, and is probably legal.

Example 17: Phase Corp. has developed a patented method for sending signals over telecommunications lines twice as fast as conventional means. Its product is not very useful unless it can be switched from one line to another. Switchco has a patent on advanced switching technology. Phase Corp. and Switchco create a joint venture to deliver a more effective integrated service to the marketplace. To the extent that the two companies can deliver a more efficient product by combining their operations, their joint venture will benefit consumers and likely would not violate the antitrust laws.

The question of whether a particular joint venture agreement is legal is often difficult. Each agreement will be reviewed on its own merits. If an agreement benefits consumers overall, and does not otherwise unnecessarily restrain competition, it probably does not violate the antitrust laws. If the agreement causes prices to rise or restricts the amount of goods or services available to consumers, it is likely illegal and possibly criminal. Therefore, it is important to consult counsel before entering into these arrangements.

G. Group boycotts and other refusals to deal

In a group boycott, competitors agree not to deal with another company or supplier. Group boycotts are often illegal -- but not always. Although some group boycotts may be legal, whether this is true in a particular case depends on numerous factors, such as the purpose of the boycott, its effect on the boycotted company, and its effect on output and consumer prices. For example, a boycott aimed at enforcing a technical standard may be easier to justify than one designed to limit competition. But again, you should always consult your company's law department if you are considering an agreement of this kind.

Example 18: A group of clothing stores agree that the stores will refuse to buy clothing from any manufacturer that operates its own retail stores. This is an illegal group boycott.

Example 19: A group of computer hardware manufacturers agree on a standard design for some of their circuitry. This has the effect of lowering costs for the computer manufacturers because they can require suppliers to make a standard product that is always compatible with their designs. The computer manufacturers will not buy from a supplier that does not meet the new specification. This arrangement might not be illegal. If the arrangement lowers costs (especially to consumers) and makes the supply of parts easier, it might not violate the antitrust laws, even if it tends to hurt certain suppliers. If there were evidence suggesting that the move was made primarily for the purpose of hurting certain suppliers, however, it may be illegal.

Example 20: A trade association of specialty chemical companies expels a member company without explanation. The expelled company was known to be a price-cutter, but was also known to have failed to comply with many of the association's rules. The rules it broke reflected negatively on the industry in the press. Here, the association members might be able to demonstrate a proper justification for the decision. Whether the expulsion was legal depends on the real reason for it. Although expelling a member for price-cutting is illegal, expelling a member for rule breaking is probably legal.

III. Group activities

Certain group activities, such as trade associations and joint buying agreements, are relatively common and, when properly organized, make companies better competitors. However, sometimes these group activities violate the antitrust laws.

Industry self-regulation
In many industries, competitors organize industry-wide groups to address common problems whose solutions frequently benefit consumers. Often, competitors establish standards (technical or otherwise) that benefit consumers. Courts will look to the rules for membership and the actions of the particular group to determine whether the conduct is intended to harm the ability of competitors to compete or to raise prices to consumers. If the conduct is likely to harm consumers, the standard-setting activity will likely violate the antitrust laws. Example 21: A group of realtors agree that being able to list their properties for sale on a single list accessible by all of them will make selling houses easier. They agree on a set of rules governing how they can list the properties and also agree not to include information on prices offered by potential buyers or other information that is competitively sensitive. This program probably does not violate the antitrust laws. The group activity promotes competition and there is no exchange of sensitive price information. Example 22: A group of competitors that make household products form an association that grades the products and publishes their reports. The competitors agree that the association will give its A+ grade only to products from the founding members. This agreement is illegal. Although grading products is often beneficial, consumers will be hurt because the products of nonfounding members cannot get the highest grade. This will hurt those companies and reduce competition.

A. Trade associations
Companies in a particular industry often create an association to look after their collective interests, such as petitioning Congress and state governments and making consumers aware of the industry's products. These arrangements are, in most respects, more formalized versions of the industry self-regulation discussed above. Trade associations have been around for a long time. They serve useful functions and often benefit consumers.

However, two trade association activities are the focus of antitrust laws - illegal conspiracies, including price-fixing, certain group boycotts, and market allocation conspiracies (which are always illegal), and disciplinary actions or expulsion of association members (which look like group boycotts by the remaining members).

Because of the potential for illegal agreements when competitors gather together to advance their mutual interests, many trade associations long ago adopted practices designed to eliminate the likelihood that association meetings would be used as a cover for illegal activities. These practices include - an independent professional staff not employed by any particular members, agendas and minutes for meetings, and the presence of outside legal counsel (also unaffiliated with the members) to monitor meetings.

Despite such safeguards, attendees of association and other legitimate meetings among competitors should be wary of invitations to enter into illegal agreements and should avoid them. Again, if faced with an invitation to enter into an illegal agreement, you should object clearly and adamantly (so there is no question that you are rejecting it). You should also immediately notify your company's law department and follow its instructions. Another function performed by many associations is information gathering, including competitively sensitive information such as cost and price data, for sharing among members. If this information were displayed in such a form that it could be used to fix prices, the activity likely would be illegal under antitrust laws. Example 23: A trade association of companies that manufacture men's suits collects and disseminates data showing the prices charged by each company to its customers. This conduct is likely illegal. Once each company knows how much the other charges, it can raise prices to the same level. This hurts competition. One way for a trade association to avoid this problem is to display the information in such a way that no member can identify another member's data. If competitor price information is provided in such a way that no company knows what any specific competitor is charging, the conduct is probably legal. However, with very small associations, data collection may have to be avoided altogether if the data are competitively sensitive and the companies' identities are transparent. Example 24: A group of five manufacturers of commercial movie projectors form an association. The association collects data on costs. Costs are considered competitively sensitive data, allowing a competitor, armed with the data, to avoid competing as vigorously. The data are collected by an independent accounting firm and fed back to the members anonymously, but because of the way they are reported, the costs of the three smallest members can be ascertained. This may be illegal. Even though the data are listed anonymously, the members can probably figure out which data belong to certain competitors. This may lead to price-fixing and is probably illegal.

B. Associations' denial of membership
Occasionally, associations refuse membership to certain kinds of companies or competitors. Additionally, associations will sometimes expel a member because of some misconduct. In determining whether these acts are illegal, the denial of membership and expulsion are analyzed in the same manner as group boycotts and industry self-regulation. For example, if the denial of membership has the effect of injuring the competitor to the extent that it cannot compete effectively, the denial may be illegal. Therefore, in evaluating the denial of membership, a court will try to determine whether:
- the purpose was to disadvantage a competitor,
- the boycotting firms have market power or the ability to deny something essential to effective competition,
- the purpose of the denial is to enforce an illegal agreement such as price-fixing, and
- the denial was made to enhance competition among the firms and make the market more competitive.

Example 25: Global Corporation is asked by Beta and Delta Corporations to increase its prices by 5% at a trade convention. Global's representative refuses to do so and walks away. Beta and Delta vote Global out of the association. This boycott is illegal because it is being done to advance a price-fixing conspiracy among Beta and Delta. Example 26: Universal Diet Corp. has made numerous false and misleading dieting claims for its weight control plans and frozen entrees. It has been disciplined by government regulators but continues to make different misleading claims. Global Foods and Lite-Foods organize a successful vote to kick Universal Diet Corp. out of their association on the grounds that its membership hurts the credibility of Global Foods and Lite-Foods. This conduct probably does not violate the antitrust laws because effective communication of weight loss information is good for competition.

C. Covenants not to compete
Increasingly, especially in technology companies, employment contracts include a covenant not to compete, which usually spells out a period of years after the termination of employment during which the employee agrees not to compete (alone or with a competitor). When a business is sold to another company, these clauses are often used to keep the key management of the company that was sold from immediately turning around and competing against the buyer. These types of agreements are not automatically illegal. Whether they are legal depends on whether they are reasonably limited to protecting a legitimate business interest of the company demanding the covenant not to compete. Courts usually look at whether the covenant is sufficiently limited with regard to - time, territory, and the types of products covered.

If the length of time, the scope of the territory, or the extent of the products covered is too great -- in other words the limitations exceed what is necessary to protect the company's legitimate interests in its trade secrets and other confidential business information -- the covenant not to compete may be illegal. Example 27: A computer manufacturer that produces a range of software employs someone to conceive and develop personal finance software. The average shelf life of a generation of software is two years. The covenant not to compete in this employee's contract restricts him from working for any other software manufacturer in the United States for four years. This is likely illegal because the restrictions are too broad in terms of time and products. There are many noncompeting software applications this employee is being kept from working on. Absent proof that any trade secrets the employee learns from personal finance applications are transferable to other software applications, this restriction likely is unlawful. In addition, because the average software shelf life is two years, a four-year covenant is too long.

D. Information exchanges
Competitors exchange information from time to time without violating the antitrust laws. However, to be legal, such exchanges must be highly structured to avoid the possibility of an illegal conspiracy charge. Therefore, information exchanges should always be conducted under legal counsel's direction. Example 28: Several computer software manufacturers who make antivirus software learn of a deadly new computer virus. Each knows certain information about the new virus. None knows enough to bring an antivirus software platform to market in time to counteract it. They organize a meeting, to be attended by counsel, to exchange what they know in hopes of creating an appropriate blocking software. The development of the new product would be considered a legitimate purpose and such conduct would probably be legal.

It is important in undertaking any information exchange that the information itself be narrowly tailored to meet the legitimate business objective. If the information exceeds what is justified as a legitimate business objective, the information exchange is probably illegal. Example 29: As in the previous Example, several computer software manufacturers who make antivirus software learn of a deadly new computer virus. They organize a meeting, to be attended by counsel, to exchange what they know in hopes of creating an appropriate blocking software. When they meet, they also discuss the creditworthiness of some of their mutual customers. This would likely be seen as the exchange of competitively significant information unrelated to developing a new product. If a customer were cut off by the group due to credit problems, the exchange of this information is strong evidence of a group boycott. Therefore, the exchange of information about the creditworthiness of their mutual customers is probably illegal.

E. Joint buying agreements
Group purchasing agreements are agreements between competitors to buy input ingredients used to manufacture or create the products they sell. For example, homebuilders might form a group purchasing organization to buy lumber. Courts will generally look to the facts and circumstances to determine whether the agreement harms or promotes competition. Generally, purchasing arrangements are illegal when:
- the arrangement accounts for so large a portion of the overall purchases of a product or service that the buyers can exercise market power over the purchase price, or
- the product or services being purchased jointly amount to such a large portion of the total cost of what the joint buyers are selling that getting those goods or services at the same price facilitates price-fixing.
In other words, if the joint buyers buy so much of a product that they can command too big a discount, the arrangement is illegal.

Example 30: A specialized chemical is used in the manufacture of rubber. Several large tire manufacturers, representing 75% of all purchases, get together to form a joint purchasing entity to buy the chemical. These tire manufacturers likely have market power for purchasing the chemical and would likely not be allowed to combine their buying power. By joining together, they can force the seller to reduce prices, harming the seller. In addition, competitor tire companies that are not part of the joint purchasing entity are disadvantaged because they will be forced to pay a higher price. The formation of a joint purchasing entity might also be unlawful if the input ingredient being bought is a large part of the total cost of the product the joint buyers sell.

Example 31: Several ice cream manufacturers decide to combine their buying power for the purchase of cream. Ice cream manufacturers account for approximately 10% of total U.S. cream purchases, but cream constitutes 50% of the cost of ice cream. This arrangement would likely be illegal because these competitors are obtaining a single price for an ingredient to their final product that covers one-half their total cost. This is likely to facilitate collusion in the future sale of ice cream. In other words, each ice cream manufacturer knows what half the costs are for its competitors. As a result, these competitors will likely use that information to fix prices in the future, and the antitrust laws, therefore, prohibit this type of information exchange.

VALUING AND RESPONDING TO EMPLOYEES' CONCERNS


INTRODUCTION
Every day, employees around the world make decisions that affect their companies and the public--decisions that affect public health and safety, the environment, financial markets, workplace safety, or their company's reputation and integrity. An incorrect decision could have serious consequences for the company, its employees, shareholders, customers, or the public. It's natural for an employee to be concerned about decisions that appear to conflict with company policy, the law, regulations, or other rules. By creating a supportive environment, providing channels for employees to raise concerns, and responding to these concerns properly, the company demonstrates that it values employees' opinions and concerns as well as the process of expressing them. Although employees are often protected from retaliation by law, many naturally feel that they are at considerable risk if they report a concern. It takes courage to do so. In most cases, employees will discuss their concern with management, expecting it to be addressed satisfactorily. If it is not, employees might worry about the consequences of inaction and report their concerns to outside sources such as government regulators, legislative bodies, nongovernment organizations, or the media. All employees should be able to recognize situations where an action is unethical, illegal, or could result in damage or injury. Managers should have the tools and support to address employee concerns--before those issues undermine, or negatively affect, the work environment. Failing to recognize employee concerns or prevent retaliation can, and often does, result in a damaged reputation, increased examination by regulators, and expensive lawsuits. However, if a company has trained its managers to listen and respond to employees in a timely and effective manner, employees' concerns can be addressed and resolved. Internal resolution, without retaliation against the employee, can enhance the company's reputation. 
It is also likely to minimize public criticism, attacks on the company's integrity and its management's credibility, and the litigation and public oversight that often follow disclosures of corporate wrongdoing. This handbook provides information and suggestions on how to effectively respond to employees' concerns in a timely fashion, anticipate and prevent workplace retaliation, and address complaints of retaliation when such incidents do happen. While this handbook does not provide legal advice, it does include basic legal principles that apply in many instances. You should always ask for specific advice and guidance from your management, human resources department, or law department as soon as issues of concern arise.

EXPECTATIONS FOR WORKPLACE CONDUCT


Companies expect their employees to perform their work legally, ethically, and safely. Corporate codes of conduct, behavioral expectations, and core principles exist to inform employees at all levels that company owners, directors, and executives insist on--and expect--ethical and legal behavior. In an increasingly multinational corporate environment, these principles must be interpreted, implemented, and enforced in many different environments. Regardless of the cultural differences in work environments and behavior, the consequences of ignoring safety risks or engaging in unethical conduct will affect the entire company. Consider the impact that recent financial scandals and environmental disasters have had on well-known companies, and you'll recognize the significant role that each employee has in making sure the corporation acts ethically. A company should expect all employees to take responsibility for their own behavior and actions. This is particularly true when an employee's decisions can potentially affect the health and safety of the workforce, the public, or the environment, or the corporation's integrity. Employees across the company are often in the best, and sometimes only, position to recognize risks, identify unethical or improper conduct, or stop unsafe activities. For example, employees might know the details of potentially questionable financial transactions. They might know where toxic waste is being improperly buried, dumped, discharged, hidden, or abandoned. They may also know of maintenance procedures that involve "shortcuts," possible security threats that aren't being reported, pipeline and oil refinery dangers going unrepaired, potentially dangerous transportation cargoes or vehicles, and numerous other risks to public and workplace health and safety, or threats to the corporation's integrity. Many corporate, environmental, safety, or financial disasters may even be prevented if employees with knowledge of the situation or condition speak out and voice their concerns. Therefore, it's important for all employees, at all levels, to ask questions and challenge behavior that violates corporate values or expectations or puts anyone at risk. Employees should be able to discuss issues with management in a nondisruptive manner with the confidence that their concerns will be addressed respectfully, professionally, and as quickly as possible. Whether or not an employee's concern is accurate, all concerns should be considered and the employee treated with respect.
However, there are times when personality conflicts or other work-related tensions create a complex situation. Under these circumstances, there are often alternative routes available for employees to raise issues anonymously or to seek assistance. For example, they can contact another member of management, a corporate ombudsperson (an officer who investigates complaints), or an employee concerns program. Example 1: Tom, a business analyst at Global Operations, discovers what he believes is misconduct in connection with a large government contract. After reviewing the most recent audit, he confirms that a substantial amount of funds relating to the project is unexplained, or being misreported. He also discovers that the project hasn't been reported properly in the company's filings with the government oversight agency. He is very concerned that there may be misconduct connected with the reports, but doesn't know what to do because his supervisor has approved the reports. After careful consideration, he decides to discuss the matter with the company's ombudsperson. Global Operations should address these concerns in a respectful, professional, and timely manner.

ANTICIPATING AND PREVENTING RETALIATION


I. "Zero Tolerance" for Retaliation

When an employee raises concerns that, if true, might embarrass the company, slow down progress, or reflect a view different from the corporate position, someone within the corporation might wish to silence these critical views or eliminate them entirely. This may occur through subtle or direct actions, such as systematically excluding the worker who speaks out, interfering with his work, or terminating his employment. If actions are taken against an employee because he raised concerns, the actions can be considered retaliation. In addition to isolating or ignoring an employee, taking away professional duties or responsibilities, or terminating employment, forms of harassment, intimidation, discrimination, and retaliation may include:
- humiliating, embarrassing, or mistreating an employee
- interfering with an employee's performance of duties
- denying normal benefits and opportunities of employment
- giving a bad performance evaluation
- firing, laying-off, or forcing retirement
- creating a hostile work environment--such as finding fault with every little action
Managers should ensure that employees who have disclosed concerns or issues aren't subjected to unfair employment actions. There is never a legitimate basis to humiliate, embarrass, or put down another employee. Example 2: Debbie, a materials handler for an aviation construction project, notices that recently shipped bolts are not the correct size or material for their intended use. She informs her supervisor, and he says he'll investigate. Her supervisor then discloses the issue to her coworkers, who begin to tease her with comments about the size of bolts that would "make Debbie happy." The next day, someone leaves big plastic toy bolts on her workbench with tags saying "pick me, pick me." Other humiliating jokes occur over the next few weeks. Debbie discusses the situation with the human resources department, which conducts an investigation and concludes that Debbie's coworkers have improperly subjected her to harassment and a hostile work environment, and that her supervisor didn't stop the action. All her coworkers receive a written letter of reprimand, and her supervisor is suspended for one week without pay. Any retaliation can have serious effects on a corporation. First, an employee who believes he has been punished for raising a concern should challenge those actions internally. This should result in an investigation and, if supported, disciplinary action against the perpetrator. Second, an employee usually has a legal right to challenge the retaliatory conduct in a lawsuit, which could disrupt the company's business, be costly, and damage its reputation. Third, and by far the most risky to the company, is that other employees may choose to be silent about wrongdoings or safety risks rather than face similar retaliation, a situation often referred to as a "chilling effect." Such silences can be more damaging than any identified issues, because potentially dangerous issues may never be addressed, and therefore can't be resolved or repaired. This can have severe consequences for the corporation. Therefore, it's against policy in most corporations, and against the law in most countries, to take retaliatory action against someone who has raised a concern about violations of law; health, safety, or environmental issues; discrimination; financial integrity; and other ethical issues, regardless of whether the concern was raised internally or externally. As part of instilling confidence in employees to raise their concerns, many companies have a "zero tolerance" policy for any form of retaliation against these employees.

It's critical for managers to recognize that, under many legal protection systems, they can't punish employees for failing to follow management directives that the employees believe violate a compliance requirement or endanger others, or for raising a safety or integrity concern to a regulator or even the media. The laws usually protect employees who are trying to protect the unknowing public from a company's questionable operations. The employee doesn't have to be correct about his concern to be protected from retaliation, but must genuinely believe that the issue, if true, would put the environment, workforce, or public at risk. These legal protections, as well as companies' policies, dictate that an employee must not be harassed, humiliated, embarrassed, or subjected to any retaliation in the terms and conditions of her employment because she raised issues. The purpose of antiretaliation law is to protect employees from retaliation for raising concerns, ensure the flow of information about compliance or safety issues, and prevent a "chilling effect" among employees. The objectives of the laws are to make sure that safety or financial integrity issues are raised and addressed before there is harm to people, the environment, or the corporation's financial integrity. Finally, a company's failure to accept responsibility for offending conduct undermines its commitment to zero tolerance. This means that when harassment or intimidation of, or retaliation against, an employee is demonstrated, the company must take some form of disciplinary action. If the retaliation was public, it should be publicly decried by management and acknowledged by the offending party. Example 3: Dale is a human resources specialist assigned to a large construction company's engineering department. Dale receives his performance evaluation from the director of engineering. During the past two years, Dale has investigated and proved two incidents of sexual harassment by a project manager, who has received his last warning. A summer engineering trainee reports another sexual harassment complaint against the project manager to Dale. At a management meeting, Dale tells the director about the project manager's alleged behavior and gives the director a write-up of the complaint. The director takes Dale's write-up, tosses it in the trash, and says that he needs the project manager to get the job done and that the summer trainee will be leaving in a few months anyway. The director also reminds Dale that he will be giving him his performance review in a few weeks, and that he will be evaluated on his being part of the engineering team. No other members of the management team speak out. Dale decides to report the situation anonymously to the company ombudsperson.

II. Preventing Retaliation
Management and coworkers' reactions to an employee who raises concerns about company operations can often be negative and sometimes hostile. In these circumstances, it's critical that managers anticipate such a reaction and work actively to prevent it. They should remind employees that retaliation is against company policy and, in many countries, against the law. In well-managed companies, employees will raise their concerns, without fear of retaliation, through their management, and will receive a timely and effective response to those concerns. However, even in the best circumstances, situations are not always well managed. Employees should also have other routes available to raise issues, such as compliance hotlines, employee concern programs, human resources organizations, an ombudsperson, or other alternatives. Employees are also entitled, usually as a matter of law, to pursue their concerns with government regulators and others without fear of reprisal. In the United States, for example, a qui tam action allows employees to sue on the government's behalf to recover damages for fraud in government contracts. The purpose of a qui tam action is to encourage those who are aware of fraud against the government to pursue it, and it provides both protection from retaliation and a "bonus" payment from the recovery, if the claim is successful. Qui tam cases also provide significant deterrents to fraud activities, providing up to triple damages against the company. When employees bring their concerns to government regulators, they may have to satisfy specific requirements if, for example, they had pursued internal company routes first and then stopped. But in many countries, employees are permitted to pursue their concerns with regulators freely, without fearing employment termination or other detrimental action. Example 4: Tim is an accountant for a medical supplies company. He discovers what appears to be a system of double-billing the federal government for payments for a hospital's supplies. Tim believes that this practice has been going on for several years. He is aware of the bonus payment for disclosure of false claims to the government, but is also afraid that disclosing this will get him fired. He contacts the hospital's ombudsperson anonymously to report his suspicions, which results in an investigation but changes nothing. He then takes copies of his evidence and submits it to the government. Tim's company suspects him of revealing the information leading to the government investigation and fires him. Tim files a qui tam action, alleging fraud against the government and retaliatory termination. Tim wins, and a jury awards Tim three times the amount of his lost income, and a portion of the money that the government collected as a result of Tim's disclosure. His former employer loses all its government hospital contracts for five years.

III. Legitimate Discipline
At times, employees who voice concerns to their employer will be subjected to adverse employment actions that are unrelated to those concerns--they are related instead to legitimate performance or misconduct concerns. Unfortunately, the employee, and others, will often see adverse employment actions of this kind as retaliation. Because of these perceptions, it's important to ensure that legitimate performance- or behavior-related discipline is consistent with actions taken against employees who have the same type of behavior or performance issues but who have not raised concerns. Under employee protection laws and many company policies, the range of actions that can be considered "adverse" is very broad, from a transfer of duties to poor performance reviews to employment termination. To help prevent retaliation, possible actions, such as disciplining the employee or terminating his employment, should be considered carefully prior to implementation. Any punishment must be consistent with company policies and practices. By having a system of checks and balances, as well as a process to investigate any allegations of retaliation, the company will send a strong message that retaliation will not be tolerated.

DIFFERENT MOTIVATIONS FOR REPORTING CONCERNS


People react to workplace situations in different ways. Some people seek to avoid conflict, and others welcome it. Some people are motivated by fear, and some by rewards. Some employees are very sensitive to management's actions, and some are not. Being a good leader requires the ability to deal with many different types of people with diverse backgrounds, personalities, and ways of responding to situations. Even so, employees who raise concerns tend to consider and respond to them in a few recognizable ways. While no situation or person should be labeled, the following examples provide an overview of how some different types of employees might approach raising concerns--and some insight into how to respond.

I. The "Visionary" Employee


Example 5: Mary, an environmental engineer, learns that equipment at her power plant is not working properly, and substantial amounts of contaminants are being discharged into the air, violating the company's air permits. Mary is even more concerned that the cloud is drifting directly over schools, parks, and playgrounds before it disperses. She fears children are being exposed to the discharge of heavy metals, which may also be damaging the environment. Mary has pursued this issue with management without any success. She now must decide whether to report the violation, or "blow the whistle," by calling regulators or a newspaper or television station, or ignore the problem. Mary decides not to ignore the problem and to continue to raise the issue until it gets addressed, even if she gets dismissed along the way.

Mary is a visionary--she can, and does, envision harm to the public and the environment. Like many visionaries, Mary is likely a loyal employee, dedicated to the company and to protecting its reputation and image. She doesn't have a history of performance or behavior problems. Her management and coworkers respect her. Other employees support her concerns, but do not want to take the lead in approaching management about the situation. Mary envisions the catastrophe that could occur if the issue is not resolved and feels that she is the only person who can stop it, having spent a substantial amount of time studying and understanding the problem. She will raise her concerns through management and firmly believes that someone in management will see that her concerns are valid. Although visionaries don't want to be dismissed, they are prepared for the possibility that losing their job may be the consequence of raising their issues. When a visionary describes the issue of concern, it's often in terms of the potential catastrophe that may occur. While this description may create the impression that the employee is exaggerating the issue, it's the way the visionary describes how serious she believes an issue is.

Responding to visionaries takes a substantial amount of time: first, to understand the potential catastrophic consequences that the employee is concerned about and second, to understand what has allegedly caused the problem. The response process is often not a simple undertaking and usually requires a number of increasingly complex interviews about the issues. Often the visionary has spent months, or longer, developing the basis for the concern. The manager must take sufficient time to understand the facts from the visionary's perspective so that he can conduct his own investigation and decide what action, if any, needs to be taken. An abbreviated interview or an attempt to obtain only the main point must be avoided, as it can cause distrust or a breakdown in communications with the employee.

II. Anonymous Concernee
For a variety of reasons, many employees will only raise concerns anonymously. Their issues are usually very specific technical concerns, procedural and policy violations, or incidents of wrongdoing. Unlike the visionary employees, who are concerned about potential disaster, the employees who anonymously raise concerns simply want management to be aware of the information and take appropriate action. Employees who raise concerns anonymously will not necessarily raise issues through management but, rather, will provide information through the route that will best protect their identity. Companies should offer a number of methods for employees to use anonymously, such as a hotline or a drop-box that allows issues to be identified without identifying the employee. If possible, these routes should also provide a method for employees to obtain feedback without losing their anonymity. If the disclosure comes in a telephone conversation, the recipient should not attempt to identify the employee--even if it's obvious who is calling. The recipient of an anonymous call should try to obtain as much information as possible, as it may be the only occasion when there is contact with the employee.

Example 6: James, a supervisor at a paper manufacturing company, identifies what he believes is a serious, and potentially dangerous, malfunction of a paper-cutting machine. He brings the issue to the safety manager, who ignores it and tells James that the machine was repaired years ago so he shouldn't worry about it. The manager also says that "no one has lost a hand yet." Nevertheless, James doesn't accept the safety manager's assurances. James, who has a wife and baby and needs his job desperately, is torn about what to do. He decides to file an anonymous concern over the hotline. After a couple of weeks, he calls back to ask about progress. He agrees to cooperate with an independent investigation. As a result of the investigation, James learns that the machine was, in fact, fixed years ago by the installation of an automatic safety shutdown that he was not aware of. The safety manager apologizes for his thoughtless comment and thanks James for using the hotline and having the courage to report an issue that he sincerely believed put workers at risk. Safety training for work on the machine is also changed to provide a better description of the safety shutdown system.

III. Constant Complainers
Some employees seem to complain constantly about almost everything. As a result, it's often difficult for managers to take the complaints seriously, particularly if the issues appear to be not very significant. These employees are often very rigid in their unwillingness to change procedures or processes. Their concerns, whether in opposing a proposed change or about an abuse of company resources, are as significant to them as the potential disaster is to the visionary. While it's sometimes difficult to respond and takes a substantial amount of patience, it's important to exercise good management skills in addressing the complaints of all employees. Human resources professionals can often provide guidance for management techniques and response strategies, but it's critical to appropriately respond to all allegations or concerns.

The employee will react to how his concern is handled. Even if the complaint appears unimportant, an appropriate and nonretaliatory response is necessary. It's important that employees are encouraged to raise their concerns because, the next time, the concern might be more serious. The importance of addressing employee concerns centers on the response rather than the concern.

IV. The Self-Serving Employee


Unfortunately, some employees may tend to abuse the protections set to guard against retaliation. These employees may attempt to avoid accountability for performance or behavior issues by attempting to characterize themselves as genuine whistleblowers or concerned employees. In these cases, an employee may falsely claim that he has been subject to discrimination for disclosing concerns. While careful review of all the circumstances is important to determine the facts, employees who haven't been retaliated against are usually unable to provide a link between the alleged retaliation and any disclosures of wrongdoing. Because the perception of retaliation can be as damaging as actual discrimination, responding to all complaints--even invalid ones--must be done in a professional and thoughtful manner.

PROVIDING EMPLOYEES WITH TIMELY AND EFFECTIVE RESPONSES TO CONCERNS


Employers should be mindful of many considerations when receiving and responding to employee concerns.

I. Receiving and Responding to Employee Concerns


Managers play an essential role in creating a work environment in which employees feel free to raise questions and concerns. The employees' direct supervisor has the first, best, and sometimes only contact with employees who may have valuable knowledge and opinions about a potential defect in the maintenance, engineering, or operations of a company, or about a corporation's financial management or other defect in business practice. Management's reaction to an employee's concern has an immediate, and often irreversible, impact on the employee and the work environment. How should managers react? Though every employee situation may be different, the following four-step process provides a way to address employee concerns:

1. Listen to, identify, and verify the employee's questions and concerns.
2. Establish a time or event to get back together.
3. Investigate the issues or concerns with an open mind.
4. Provide a timely and effective response to the employee.

To begin, the correct reaction to an employee's concern is to praise the initiative the employee took to address the problem and commit to solving it. Managers should acknowledge the employee's concerns and try to understand the employee's perspective.

Example 7: Paula, a lab technician for a chemical company, is walking outside during her lunch break. Although the company complies with government standards regarding release of chemicals, she notices that the plants by the stream seem to be dying and there's an oily substance on the water's surface. When she reports the problem to the manager of the company's wastewater treatment facilities later that day, he thanks her for coming to him. He tells her that though the company is compliant, this could be a new problem. While Paula's in his office, the manager schedules a company inspector to test the stream the next day. He asks Paula to call him in a few days if she would like the results.

The wrong reaction is for managers to attack or criticize the employee's motives or loyalty. It's also wrong for managers to express anger or hostility toward the employee, accuse him of breach of trust, humiliate him, or ignore or undervalue the concern. Such a reaction will make the employee and others reluctant to raise issues for fear of receiving the same type of treatment. It takes courage for the employee to raise the concern, and it is vital that the message to others is that managers are receptive and respond positively to employees who approach them with concerns.

Example 8: Dean, an electrical inspector for a U.S. construction company, is conducting inspections of electrical junction boxes at a new company headquarters in a foreign country. While inspecting the final electrical work, he discovers that inferior cable has been used in some of the construction work in the on-site day care center. Dean, who is on the electrical code committee for his union back in the United States, knows this type of cable has led to several fires and has been banned from use. Dean writes rejection tags on the junction boxes. While he is doing so, his supervisor, Dwayne, comes into the room. Dean is afraid that Dwayne is going to be angry with him for issuing the tags. Instead, Dwayne calls all the other workers and inspectors together and publicly thanks Dean for identifying the problem and preventing a possible fire in the day care center.

After hearing the employee's concerns and agreeing on a follow-up meeting, the manager should make a prompt determination of the following:

- Is immediate intervention required?
- Is there an imminent safety, health, or environmental danger alleged?
- Are there allegations of harassment, discrimination, or retaliation?

If the answer is "yes" to any of these questions, the manager must act promptly to stabilize the situation and expedite the investigation. The manager should also consider seeking advice from any relevant company resources or, occasionally, through engaging a suitable external specialist. The investigation's first priority should be to develop a full understanding of the employee's concern through dialogue with the employee. The objective is to obtain a clear, concise statement of the problem, not to convince the employee that the concern is invalid. The conversation should, to the extent possible, develop the facts and the basis for the employee's concern. Claims of retaliation or unsafe conditions can be highly emotional for employees, and discussions of such issues can spread quickly through the workforce. The wrong reaction to the sorts of concerns listed above can poison a work environment within hours, causing a loss of productivity and an erosion of trust in management. Failure to investigate and address claims of safety, policy, compliance, or legal violations promptly can be extremely costly to the organization. If not resolved as soon as possible, such complaints can lead to formal claims and lawsuits and often the loss of talented employees and managers. Providing timely and effective answers to employee concerns is critical to establishing and maintaining the trust of employees. Delay in initiating and completing investigations breeds suspicion among employees who may already be fearful.

II. Circumstances that Contribute to Employee Concerns and Fears


Most organizations experience at some time circumstances that may provide fertile ground for employees to develop concerns--concerns they fear to address internally. If an employee believes it is hopeless to raise a concern within the company, he often will consider alternative routes. Such circumstances may include any of the following:

- There is heavy media attention, increasing regulatory activity, and strong public concern regarding environmental and health and safety consequences of the organization's business.
- There are significant budget cuts and unusually tight financial controls, and work is driven by unusual and unrealistic schedule demands.
- The organization is enduring a deteriorating economic cycle, a disruption due to reorganization, reengineering, mergers, or downsizing and layoffs, and changes in leadership.
- The organization is complex, dealing with highly diverse technological and scientific tasks, or is geographically diverse.
- The organization is led by a strong "command and control" management style; it is autocratic, not participatory.
- The organization doesn't adapt to occasional dramatic changes in the industry, and instead becomes more rigid in its practices.

These circumstances may be important indicators of a work environment in which employees will be hesitant to voice their concerns and will consider taking issues to outside entities to have them addressed.

III. What Happens When Management Doesn't Provide an Effective Response


Employees will take their concerns to whoever can provide a timely and effective response. That route could be a can-do supervisor, an effective ombudsperson, a telephone "concerns line," or a newspaper reporter. All companies expect that employees will use their management to address issues, but the reality is that sometimes employees may not have confidence in their supervisor--or the supervisor simply can't get the attention of management to address an issue. When the internal routes for addressing concerns break down, the external checks and balances of a regulated work environment may take over.

If an employee has taken the route of addressing concerns with management and the results are unsuccessful, seeing the issue on the front page of a local newspaper should come as no surprise to management. By the time an event occurs, the employee and management often have already made decisions about addressing the concerns. In most cases, the employee first confronted an issue that was significant enough to discuss it with management. This was a critical decision, in which the employee balanced the risk to her career against the risk to the public, her coworkers, or the corporate image if she chose to be silent. Ideally, the employee will trust some method within the corporate structure to raise the concern, and the concern will be addressed in a timely manner, with the proper respect to the employee and without any retaliation. Sometimes, managers who fail to act on the employee's concerns originally--or who believe that the concerns were addressed and should be abandoned--will be defensive. Some managers may react by questioning the motives or actions of the employee who has raised the concerns. As previously discussed, though this reaction may be natural, it's also wrong and can result in significant problems. Responding to employee concerns in a positive and respectful manner is the right way to address these matters and will usually result in a positive outcome.

LITIGATION CLAIMS HAVE NO WINNERS


In many cases, employees who are the subject of retaliation may file a lawsuit. An employee may commence a lawsuit to recover lost wages, get his job back, or punish the employer for perceived wrongs and obtain justice. Regardless of who wins a lawsuit, the action is disruptive to company business and the employees involved. A lawsuit rarely produces satisfactory results for either side. Litigation takes time away from the company's business for depositions, court proceedings, and preparation of a lawsuit for trial. Frequently, the lawsuit involves opening up company records and files, as well as significant inquiry into the basis of the decisions being challenged by the employee. In short, even if the company wins in litigation, cases are expensive, time-consuming, and disadvantageous for everyone.

Example 9: Bonnie, an 18-year veteran medical technician responsible for sterilizing surgical equipment, discovers that the sterilizer is not working properly. She reports this to her supervisor, who decides that the instruments are "probably" okay. She tells Bonnie to set up the operating rooms for the next day's surgery. Bonnie does so, but after she finishes, she checks the sterilizing equipment again. She's not at all sure that she has done the right thing, fears contamination of unsuspecting patients, and removes the instruments from the operating rooms. She advises the surgical staff of the situation and, after an 18-hour day, goes home. The next day she's 20 minutes late for work because of a traffic accident en route and is fired for "tardiness." Bonnie files a lawsuit for wrongful termination. During the trial, Bonnie proves that the sterilizer had, in fact, failed to sterilize the instruments, that hospital employees were routinely late without consequence, and that the real reason she was terminated was because her decision to not set up the operating rooms had cost the hospital and its surgeons a quarter million dollars in medical procedures scheduled that day. When the trial is over, the hospital administrator and director of the surgery department are forced to resign. The families of two patients who died of post-surgical infections sue. The hospital accreditation board increases its auditing of the hospital. The public rating of the hospital drops from "excellent" to "barely acceptable." Finally, federal funding is taken away, following a government investigation. The hospital has to file for bankruptcy, and Bonnie never gets rehired or receives her back pay.

Bonnie acted courageously and probably saved the lives of patients. Despite this, the generally unsatisfactory outcome could have been avoided if managers had acted promptly and responsibly to investigate Bonnie's concerns, recognize her actions in attempting to do the right thing, and ensure that the company's nonretaliation policies were followed.

CONCLUSION
Employees will raise their concerns via the route that provides them timely and effective responses. In situations where the employee fears retaliation, she may choose to raise concerns anonymously or sometimes not at all. To ensure that employees raise their concerns and that issues are resolved internally, a company should establish appropriate policies and expectations for behavior, train its management and employees about them, and insist they are followed. Doing so will result in the company being able to effectively respond to all employee concerns, avoid litigation and damage to its public reputation, and, ultimately, be a better place to work.

ADDRESSING POTENTIAL WHISTLEBLOWER CLAIMS


INTRODUCTION
As a manager in a business organization, you face many important challenges that are critical to your company's success. One of these is properly managing employees who raise concerns about the ethics or legality of your company's business practices or operations. As you will learn, failing to properly manage employees with such grievances can cause significant legal and financial troubles for both you and your company. This handbook will help you recognize and respond effectively to situations in which employees bring ethical or legal grievances to your attention. Initially, it explains the difference between the two types of employees with such grievances: dissenters and whistleblowers. Next, it illustrates the potential risks and opportunities to your organization posed by these employees. The handbook then describes the methods you can use to take advantage of the opportunities, to reduce the risks, and to prevent future problems. The handbook provides a general overview of the legal and management principles that govern your handling of employees with grievances. It does not provide legal advice or guidance regarding how to act in a particular situation. As you can imagine, proper management techniques are usually case-specific and subject to subtleties and nuances that cannot be covered completely in a brief treatment of this kind. If you have any questions or concerns, you should always consult internal management and company counsel for further assistance.

EMPLOYEES WITH LEGAL GRIEVANCES


Employees with ethical or legal grievances generally fall into two categories: dissenters and whistleblowers. We'll use the term "legal grievance" to mean a complaint or concern about the legality or ethics of a company's business practices, activities, or operations. For purposes of this discussion, legal grievances don't include petty gripes or purely personal issues that arise between employees. A dissenter is an employee with a legal grievance who has either

- internally brought the legal grievance, either anonymously or in his own name, to the attention of a manager, an attorney in the company's law department, the corporate compliance officer, or another company representative, or
- not disclosed the legal grievance to anyone.

Example 1: John, the head of Global Operations' accounting department, receives an email from Mary, an accountant in his department, that raises a concern about the legality of Global's financial-disclosure practices. The message warns that unless the problem is promptly addressed, Mary will report the situation to government investigators. Under these circumstances and until such time as she goes "public" with the information, Mary is a dissenter.

Example 2: Steve, a product packager for Foods Incorporated, is concerned that certain products don't meet quality standards. Because Steve doesn't want to "rock the boat," he doesn't tell anyone about his concerns. Even though he has decided to remain silent, Steve is still a dissenter who can turn into a whistleblower.

The most important thing to remember about a dissenter is that he or she represents an opportunity, not a problem. Dissenters should be welcomed and thanked for bringing their concerns to management's attention. A dissenter is saying that he or she has faith in you that if you know about a problem, you will take appropriate action to resolve it. Think about how much better it is for you to learn about problems in your organization from people who feel free to talk with you, rather than from a reporter or a government official. Although the key distinguishing characteristic of dissenters is that they haven't taken their legal grievances public, it's important to remember that every dissenter is a potential whistleblower. As you will see, whistleblowers can cause big problems for your organization. Whistleblowers are employees who have already gone public with their grievances. On many occasions, whistleblowers are former dissenters who felt that their legal grievances were not taken seriously or resolved to their satisfaction. Employees who blow the whistle often believe that they have no other choice but to go outside the company to resolve their concerns.

Example 3: Denise, a customer service specialist, told her manager that several mail room employees had made inappropriate sexual comments in her presence. When her manager failed to respond, and after a few more incidents, Denise filed a complaint with the Equal Employment Opportunity Commission (EEOC). By taking her concerns public, Denise has become a whistleblower.

Other whistleblowers take their grievances public without ever raising their concerns with the company. Some of these individuals feel that raising concerns on an internal basis won't fix the problem. This is often the case when the perceived conduct or activities are widespread or involve senior management. Other individuals, motivated by personal or emotional issues, may simply want to harm the organization. Whistleblowers generally air their legal grievances to anyone who will listen. Their audience can include, but is not limited to,

- government investigators,
- customers,
- competitors, and
- media organizations.

In addition, whistleblowers may also disclose their grievances to outside attorneys they hire to pursue legal action against you and your company. As discussed more fully in the next section, whistleblower claims pose real and significant risks to your organization. At the very least, they can interfere with business operations and add stress to the work environment. Whistleblower claims that end up in court can result in huge financial penalties. They can also limit or destroy your company's ability to do business with the government and other government contractors, and they can land you and other members of your company in jail. Whistleblower claims that are leaked to the press can affect your company's image and customer relationships. Therefore, it is extremely important that you effectively manage dissenters and their legal grievances before they blossom into whistleblower complaints.

WHISTLEBLOWING: PRACTICAL AND LEGAL CONSEQUENCES


When a dissenter turns into a whistleblower, you and your company will likely suffer significant practical and legal consequences. The potential severity of these consequences makes your role in protecting your company against this kind of activity very important. Whistleblowing can seriously disrupt your company's and your department's operations. In many cases, your company will conduct its own internal investigation to determine whether the whistleblower's allegations are true. Depending on the nature of the allegations, your company may also have to respond to an external investigation conducted by law enforcement or other government agencies. If the whistleblower has personally sued your company, your company must defend itself in that proceeding as well. The bottom line is that responding to whistleblower complaints is time-consuming, expensive, and an inefficient use of company resources.

Example 4: Katherine, general counsel of Worldwide Corporation, learns that an employee-turned-whistleblower has filed a false-claims lawsuit against the company. Katherine meets with David, the whistleblower's former supervisor, to discuss the allegations and plan Worldwide's legal defense. Katherine informs David that, in addition to Worldwide's own investigation, there will likely be a federal investigation. She explains that these investigations and the pending lawsuit will require David and his department to gather evidence, review and prepare documents, comply with search warrants, give testimony (perhaps more than once), and otherwise assist her in defending the company.

Whistleblowing has other costs as well. Because whistleblowers are generally protected from retaliation by their employers, it is not uncommon for them to remain employed while their allegations are pending. Under these circumstances, the work environment and employee morale may suffer as a result of increased tensions and strained relationships. This affects employee health and productivity and, with them, the company's ability to succeed. All told, these practical consequences of whistleblowing activities can have both an operational and financial impact on your company. In the next section, this handbook addresses the legal and financial dangers posed by dissenters who turn into whistleblowers.

I. The Federal False Claims Act


The Federal False Claims Act (FCA) is a federal law that punishes and prevents financial fraud on the federal government. As discussed below, this is an important statute for whistleblowers because anyone with knowledge that a fraud has been committed can bring suit on behalf of the government and be paid part of the money that the government recovers. So the FCA provides a financial incentive for dissenters to turn into whistleblowers. The FCA applies to anyone, including individuals and organizations, who does business directly or indirectly with the federal government. An indirect relationship exists when a person or company does business with a government contractor, that is, an individual or organization that has a direct business relationship with the federal government.

In other words, the FCA prohibits anyone from submitting, or causing someone else to submit, false claims for payment to any federal government program.

Example 5: Hospitals Incorporated is a large hospital chain that submits claims for payment to the Medicare program for the services it provides to Medicare patients. The FCA applies to the bills that Hospitals Incorporated submits to this federal healthcare program.

Example 6: Universal Pharma, a pharmaceutical manufacturer, contracts with the U.S. Veterans Administration (VA) to provide certain prescription drugs to VA hospitals. The FCA applies to the bills submitted to the VA by Universal Pharma.

Example 7: Global Helicopter manufactures helicopters for the U.S. military. Global subcontracts with World Copter Parts for the rotors used in the military helicopters. The FCA applies to World Copter Parts when it bills Global for the rotors used to fulfill Global's government contract. The FCA also applies to Global when it bills the government for the helicopters.

In addition to the information on the actual claim forms themselves, the FCA also applies to false information contained in documents that are submitted to support claims for payment. In other words, false certifications, statements, and other types of documentary support will implicate the FCA, even if the information on the actual claim form or invoice is accurate. For example, government contractors are often required to submit annual (or even more frequent) cost reports that extensively detail the contractor's use of government funds. Cost reports typically include supporting documentation that relates to specific line items in the cost report. The FCA applies to these types of documents as well. The FCA also prohibits false statements made to avoid paying money that is owed to the federal government. If your company is mistakenly overpaid by the government or receives federal funds to which it is not entitled, it is legally required to return the money. The knowing failure to do so, including any effort to hide or reduce the obligation to return the funds, will likely violate the FCA.

Example 8: Global Petroleum bills the federal government $5,000 for marine fuel provided to the U.S. Coast Guard. Because of a mistake by the government, Global receives a check for $7,500. Global is legally required to return $2,500 to the government and may be liable under the FCA if it fails to do so.

Finally, federal law enforcement officials often take the position that the delivery of substandard goods or services under a government contract violates the FCA. Whether the courts and federal lawmakers agree with this policy remains to be seen. This ambiguity, however, has not deterred law enforcement officials from pursuing false-claims investigations and actions based on concerns over quality. Until these issues are clarified, you should be aware that whistleblower complaints about product or service quality may lead to false-claims investigations and lawsuits. Always consult your manager or your company's law department if you have any questions or concerns about potential false claims.

The penalties for violating the FCA can be enormous. Any person who violates this law will have to pay back the government the amount it is owed, times three. And on top of these triple damages, the violator will be liable for a civil penalty of not less than $5,500 and not more than $11,000 for each false claim submitted. The potential penalties are determined on a per-claim basis, and the courts have interpreted each invoice that a company submits to be a separate claim. So the total liability facing your organization can quickly escalate, especially when a large number of claims or invoices are involved.

Example 9: Over the course of a year, City Hospital submits 20 claims for $1,000 each to the Medicare program for healthcare services that were not necessary for the diagnosis and treatment of the patient. The Medicare program pays City Hospital a total of $20,000 for these claims. Under the FCA, City Hospital's potential damages are $60,000 (three times $20,000) and its maximum potential penalties are $220,000. All told, 20 $1,000 false claims could cost City Hospital $280,000, plus legal expenses.

Equally important, individuals and organizations in violation of the FCA can be excluded, on a temporary or permanent basis, from doing business with the federal government. During the period of exclusion, the individual or organization may not submit claims to the government for payment. In addition, other nonexcluded companies that contract with the government may be prohibited from conducting government-related business with excluded companies. The FCA also allows whistleblowers to bring false-claims lawsuits on behalf of the federal government. Once the suit is filed, the federal government has the opportunity to investigate and join the suit. If the government succeeds in the lawsuit, the whistleblower is entitled to a percentage of the amount of money the government recovers.
Whistleblowers who file FCA cases are protected from any retaliatory measures on the part of their employers. If a whistleblower is discharged, demoted, suspended, threatened, harassed, or discriminated against in any other way for filing an FCA action, he may have an additional claim for retaliatory discharge.

Example 10: Phillip, a billing manager, files a false-claims lawsuit against his employer, Dynamic Enterprises. In the suit, Phillip alleges that Dynamic intentionally inflated invoices it submitted to the federal government. When Dynamic's CEO finds out about the lawsuit, he fires Phillip and orders company security to escort him from the premises. By discharging Phillip for filing an FCA lawsuit, Dynamic's CEO has exposed the company to additional damages for wrongful termination.

Although the FCA was originally passed in the mid-1800s, the penalty and whistleblower provisions were substantially strengthened in 1986. The effects of these changes and the impact of whistleblowers on the successful prosecution of FCA cases have been dramatic. Between 1986 and 2000, the federal government recovered nearly $7 billion in damages and penalties for violations of the FCA. Fifty-seven percent (57%) of these recoveries, approximately $4 billion, can be attributed to whistleblower claims. In the same time frame, whistleblowers filed over 3,300 lawsuits under the FCA. The statistical trends suggest that these numbers will rise significantly in the future.

By far, the most frequent targets of whistleblower complaints have been healthcare organizations and defense contractors, because these industries tend to have the most extensive business relationships with the federal government. To better illustrate the potential magnitude of the financial penalties, consider the following results from whistleblowing claims brought under the FCA:

o A pharmaceutical manufacturer agreed to pay $875 million to settle charges that it illegally filed, and caused others to file, false claims with the federal government.
o A large hospital system agreed to pay $840 million to settle charges that it submitted false claims for payment to the Medicare and Medicaid programs.
o A defense contractor agreed to pay $150 million to settle charges that it falsified invoices for payment in connection with a military helicopter contract.

These are just a few examples of the huge financial penalties that can result from whistleblower claims under the FCA. Moreover, these massive penalties are not limited to the healthcare and defense industries. Any industry or company that does business, directly or indirectly, with the federal government is potentially at risk. Other industries that have suffered multimillion dollar penalties--including a number of high-profile settlements over $100 million--include banking, oil and gas, insurance, and environmental services.

II. Other Laws
From a managerial perspective, the FCA is an important concern because it gives employees the power to sue their employers for perceived violations of law. The FCA, however, is only the tip of the iceberg. First, at least ten states--including California, Delaware, Florida, Hawaii, Illinois, Louisiana, Massachusetts, Nevada, Tennessee, and Texas--have false-claims statutes that are similar to the FCA. As a result, you and your company may be subject to state false-claims proceedings in addition to a federal lawsuit. If your company does business in any of these states, you should determine whether it is subject to any additional or different legal requirements.

Example 11: Global Construction has a contract with the federal government and the state of California to conduct structural safety tests on an interstate highway. In its bid, Global falsely stated that it would use certified engineers to conduct the tests. In fact, Global used unskilled, uncertified engineers. After Global bills both government entities for the tests, a Global employee reports the incident to the authorities. Under these circumstances, Global may be liable under both state and federal laws for its false claims.

Second, there are other federal and state laws that, like the FCA, contain whistleblower provisions. One of these is the federal Sarbanes-Oxley Act, which was passed in 2002 in response to the corporate scandals involving Enron and other prominent companies. Sarbanes-Oxley prohibits publicly traded companies from retaliating against employees for reporting certain forms of corporate fraud including mail fraud,

wire fraud, securities fraud, and fraud against the company's shareholders or a financial institution. It also prohibits the company's officers, employees, contractors, subcontractors, and agents from engaging in such retaliation. Employees are protected as long as they reasonably believe that fraud has occurred and they report it to a supervisor or other person in the company who's authorized to deal with the matter, a federal agency or law enforcement authority, or a member or committee of Congress. They're also protected if they assist those individuals or entities in their investigation of the conduct. If retaliation occurs, the employee can seek reinstatement, back pay, and other amounts from both the company and the individuals responsible. The company and individuals involved may also face civil and criminal penalties, including fines and imprisonment, as well as enforcement actions and sanctions by the Securities and Exchange Commission. In addition, Sarbanes-Oxley requires the audit committees of publicly traded companies to establish procedures for employees to report their concerns about questionable accounting or auditing matters. These procedures must allow employees to report their concerns on an anonymous and confidential basis. Sarbanes-Oxley also requires company lawyers to report securities law violations and similar matters to the company's chief legal officer and, if the officer fails to respond appropriately, to the company's audit committee or board of directors. In addition, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 offers financial incentives to individuals to come forward and assist the government in identifying and prosecuting people who have violated federal securities laws. 
Under that law, anyone who voluntarily provides the SEC with "original information" regarding possible securities law violations can receive between 10% and 30% of any award obtained by the SEC in an enforcement action--if the information led to the award and the award itself exceeds $1 million. It's illegal to retaliate against anyone who provides such information, as long as the person reasonably believes that a violation has occurred, is ongoing, or is about to occur. Retaliation is prohibited even if the person doesn't qualify for the whistleblower reward. To qualify for a reward, the disclosure must be "voluntary," which generally means that it's not being disclosed in response to a government investigation or request--or a preexisting contractual or other duty to disclose the information. In addition, the information must be "original," which generally means that it's based on the whistleblower's independent knowledge or analysis, and not, for example, on publicly available sources--and isn't already known to the SEC from another source. However, certain information may or may not be considered original, depending on its source and other circumstances. The rules regarding what's "voluntary" or "original," who's eligible for a reward, how the reward is calculated, and so forth, are lengthy and complex--and contain numerous conditions and exceptions. You should consult your company's

law department if you have any questions about how they apply to specific situations involving employees you supervise. Other federal statutes that contain whistleblower provisions and/or protections include various laws that regulate the environment, workplace health and safety, transportation, agriculture, labor relations, employee benefits, mining, equal employment opportunity, and maritime activities--to name a few.

Example 12: Paul, an engineer for Global Aerospace, repeatedly tells senior management that certain waste disposal activities violate the federal Clean Air Act. After management doesn't respond, Paul reports his concerns to the federal government, which, after a lengthy investigation, orders Global to fix the problem. When Global fails to comply with the government order, Paul files a lawsuit against the company. From the time Paul first reports his concerns internally, he is protected from retaliation for his whistleblowing activities.

Even when whistleblowers don't have the legal right to directly sue their employers for their legal grievances, they can still land their employers in the middle of a government investigation or, even worse, a government prosecution. Employees may be motivated by the hope that by "blowing the whistle" they will get amnesty in any subsequent government enforcement action. Sometimes, a simple phone call to the government from a knowledgeable employee is all it takes. The risk is especially great for companies in highly regulated industries. This is true because increased regulation multiplies the number of issues about which whistleblowers can complain.

WHISTLEBLOWING: A "C.L.E.A.R." PATH TO PREVENTION


Given the serious consequences of whistleblowing, it is essential that managers appropriately handle situations involving dissenters. Through careful and responsible management, you can help reduce the risk of whistleblower activities and limit potential harm. Just as important, you assist your company in detecting, correcting, and preventing illegal and unethical business practices. These are the hallmark qualities and goals of your company's compliance program. You play a central role in the success of these efforts. One accepted approach to handling dissenters is a five-step process known as C.L.E.A.R. When a dissenter is at your door, you should:

o Consider that the dissenter may be right.
o Listen to what the dissenter has to say.
o Examine all evidence.
o Assess all relevant information.
o Respond to the dissenter.

Each of these steps is explained below. One of the first mistakes a manager can make is to immediately reject a dissenter's legal grievance because of the "source" of the information. This can be a temptation if the dissenter is known as a troublemaker in the workplace. Some employees may have the

tendency to "cry wolf," and some just like to complain, but this kind of complaint must still be taken seriously.

Example 13: Steve appears at Jayne's office door, and she immediately thinks, "Not again. What is it this time?" In the past year, Steve has complained about the coffee filters, the kitchen facilities, the parking arrangements, and even circulated a petition to end the casual Friday dress code. "I want to talk about a concern I have," Steve says as he walks into his manager's office and shuts the door. "Have a seat," Jayne says, hoping this won't take long.

Even though Jayne may have a natural impulse to roll her eyes and downplay whatever Steve has to say, he may have valuable information to provide. If his "concern" is in fact a serious allegation, the potential consequences may be devastating. Jayne shouldn't dismiss any complaint without considering the facts.

Remember that not all dissenters are whistleblowers-in-waiting. Many desire to resolve the matter internally and help their companies fix problems. These dissenters are your friends, not your enemies. By first considering that a dissenter may be right, you reduce the likelihood that a major liability will go unnoticed and, at the same time, avoid alienating those employees who are interested in protecting your organization.

There are three reasons why you should listen carefully to what the dissenter has to say. First, if she is, in fact, bringing a real problem to your attention, this interaction may be your company's first and best opportunity to contain the situation. Problems that go unchecked tend to escalate into even bigger ones. By being available and listening to the dissenter's concerns, you can better evaluate whether an urgent response is needed. Remember, under the FCA, damages and penalties accrue with each false claim submitted.
If a problem involving the repeated submission of false claims exists, a prompt solution to the problem will stop the claims, and the resulting penalties, from piling up.

Example 14: Sophia, a billing specialist for Drugstores Incorporated, tells Martha, her manager, that the company was improperly billing the federal government for a specific medication. Martha, realizing that Drugstores submitted ten claims a day for the drug, immediately investigated and confirmed Sophia's concerns and then corrected the problem. By listening and quickly responding, Martha saved the company up to $110,000 per day (ten claims of $11,000 each) in penalties alone.

Second, this first interaction with a dissenter is an ideal time to begin gathering information about the situation. After listening carefully to the dissenter, you will be in a better position to ask follow-up questions and learn everything the dissenter knows.

Example 15: In responding to Sophia's concerns about Drugstores Incorporated's billing practices, Martha carefully interviews Sophia to learn everything she knows about the situation. Martha's interviewing technique includes exploring Sophia's personal knowledge of the events and asking her to identify any other relevant witnesses and evidence.

Third, by showing the dissenter that he is being heard, you have taken an important step toward gaining his trust and confidence. After all, by coming to you with his concerns, the dissenter has demonstrated his trust and confidence in you. You can return the favor by making him feel valued and instilling confidence that you and your company will do what is necessary to resolve his concerns. This confidence-building process begins with listening.

Some dissenters may ask you to keep their identity anonymous. In fact, they may be reluctant to disclose any specific information unless you promise that their names will not be revealed. Always remember that your response to this question can greatly affect the dissenter's confidence in you and, accordingly, his willingness to seek internal resolution of the grievance. Your company may have policies and procedures covering a dissenter's confidentiality. Be sure to know what they are. In the absence of any procedures, if the matter is handled entirely internally, you can assure the dissenter that you will not reveal his identity unless you're absolutely required to do so. This means that you should explain that, in certain limited circumstances, you may have to divulge this information, such as in connection with a formal investigation or legal proceeding. In the spirit of confidence-building, however, it's important to emphasize that you will respect the dissenter's wishes to the best of your ability. Just as you should not assume that the dissenter is wrong or motivated by the desire to cause trouble, neither should you assume that the dissenter is right. There is usually another side to every story and, in listening to the dissenter, you are only hearing one person's perspective on the facts. Many dissenter complaints stem from poor communication, incorrect information, or a basic misunderstanding of legal requirements. As a result, you should not simply accept the dissenter's allegations at face value. Rather, these allegations should serve as the starting point for fact-finding activities. Once you hear the dissenter's side of the story, you should identify and gather the additional information, if any, that you need to manage the situation. At all times in the evidence-gathering process, it is important to be objective. By considering all logical possibilities, you can better determine whether there is a reasonable explanation for what occurred. 
In addition, the results of your objective fact-finding activities will help guide you in further responding to the situation.

Example 16: Stephen, a production manager for Global Construction Materials, receives an anonymous complaint from a Global employee about the safety specifications of certain Global products. In response, he conducts initial and follow-up interviews, reviews documents and computer files, identifies the relevant safety specifications, and researches company policies and procedures. Throughout his investigation, Stephen also consults with company management and legal counsel for guidance and additional direction.

Once you have gathered all relevant evidence, you must assess these facts and circumstances to determine how to respond to the dissenter's allegations. After appropriate consideration, you may very well determine that the dissenter is wrong and that no further action is required. In this case, you should document your conclusion and report these findings to management. On other occasions, you may find that the dissenter's allegations have merit and warrant further response. At this point, you must decide whether you can and should attempt to resolve the problem yourself, or whether you should seek help from your supervisor, senior management, company counsel, or some other responsible corporate official. This decision to get help will usually depend on your familiarity and/or expertise with the issues raised, as well as the potential seriousness of the dissenter's claims. If you are unfamiliar with the legal aspects of the dissenter's grievance, or if the stakes of

noncompliance are high, you may want the assistance of someone who is more knowledgeable and experienced in issues of this kind. It is always better to be overly cautious than to be careless.

After assessing all of the relevant information (and enlisting help if the situation requires it), you should report your conclusions to company management. In the report, you should describe the dissenter's allegations, the results of your fact-finding efforts, the identity and activities of company personnel whose help you enlisted, the steps you've taken to resolve the problem, and your recommendations for further action, if any. Depending on your company's policies and procedures, your reports to management may be written or verbal. In the case of written reports, you should always remember that this document itself may become evidence in a subsequent legal proceeding. In fact, you may be called to the witness stand to explain what you wrote in your report.

Example 17: Stephanie, a line manager for Global Enterprises, is called to testify in a false-claims lawsuit brought by a former Global employee. While on the stand, Stephanie is asked to look at an incident report she wrote, which has been enlarged for the jury to see, and to explain what she meant by the statement, "a bunch of customers complained about product safety." In fact, only three of Global's 25,000 customers had reported safety concerns in the last five years. Stephanie's failure to report her findings accurately and carefully could expose Global to legal problems.

Because written incident reports may become evidence, you must choose your words carefully. Always be objective and thorough; don't embellish the facts or conclusions (after all, this is not a creative-writing exercise), or state conclusions that aren't supported by facts. Ask yourself what you, as a member of a jury, would believe. Finally, it is important that you meticulously document all of your activities and findings.
Careful documentation of your company's response to a dissenter's complaint will help your organization respond to the problem effectively, defend itself in a subsequent external investigation or lawsuit, and demonstrate its commitment to legal and ethical business practices.

Last, but not least, it is important that you keep the dissenter apprised of the status of your investigation. This includes giving the dissenter progress reports, especially when the investigation takes time to complete, and advising him of the resolution of his concerns. Keeping the dissenter informed about the status of your investigation shows him that you are taking his grievance seriously. If the dissenter feels that he is being taken seriously and that the company will act on his concerns, he is less likely to become a whistleblower and expose your company to greater risk. This is true even where the dissenter ultimately disagrees with your conclusions and your final resolution of the matter.

Example 18: Keeping the dissenter adequately informed may require more than simply telling him your ultimate resolution of the issue. Depending on the situation, you may also want to describe what you and your company have specifically done to investigate and resolve the grievance. By describing the investigative steps taken, you are further showing the dissenter that his concerns are important to you and your company.

By providing dissenters with ongoing information about the status of their grievances, you are also, in essence, thanking them for bringing these matters to your attention. Remember, you would rather learn about potential corporate misconduct from an

employee who wants to help than from a government agent with a badge and gun. If you show the dissenter, by keeping him "in the loop," that you and your company value his concerns and want his input, you are encouraging the dissenter to stay within the chain of command in the future. On occasion, the need for confidentiality, especially during an investigation or lawsuit, may limit your ability to keep the dissenter fully informed about the status of his grievance. In this situation, you should strive to keep the dissenter as informed as possible, consistent with the requirement of confidentiality. You should also explain the need for confidentiality, emphasizing that it protects employee rights and permits a more effective company response.

WHISTLEBLOWING: OTHER CONSIDERATIONS


Thus far, this handbook has discussed the dangers that whistleblowers pose to your organization and has recommended an approach for managing dissenters when they appear at your door. Several additional considerations that can further reduce whistleblowing risks and prevent future whistleblower claims deserve mention.

As previously explained, whistleblowers are generally protected from retaliation by their employers for lawful whistleblowing activities. These retaliation protections are broad. They prohibit employers from discharging, demoting, suspending, threatening, harassing, or otherwise discriminating against whistleblowers. Importantly, these whistleblower protections involve more than just retaliation by company management. In fact, a company must also make sure that the whistleblower's coworkers do not intimidate or harass the whistleblower. The failure to prevent abuse by coworkers can also lead to liability on the part of the company. If a company retaliates against an employee for blowing the whistle, it may be subject to additional employment-related claims such as wrongful discharge or workplace harassment. The potential damages that can result from retaliation claims can be significant and are in addition to any damages and penalties that may result from the grievances initially raised by the whistleblower. As a result, it is extremely important that you handle whistleblowers with care and avoid retaliation at all costs. The potential damages for wrongful termination and workplace harassment can include, at a minimum, lost wages, medical expenses, pain and suffering, and even--depending on the severity of the circumstances--punitive damages.

Although the presence of a whistleblower can negatively affect your workplace environment and your employees' morale, you should try to keep things as "normal" as possible. The whistleblower must be free to fulfill his job responsibilities without harassment, intimidation, or interference.
Sometimes, it may be necessary to remind the whistleblower's coworkers to steer clear of these behaviors. At the very least, you should inform your staff that retaliation will not be tolerated under any circumstances.

Example 19: Felix, a branch manager for a nationwide bank, learns that one of his branch employees has filed a whistleblower lawsuit against the bank. To avoid any backlash in the workplace, Felix immediately meets with each branch employee on a confidential, one-on-one basis. He explains to each employee that a coworker has filed a lawsuit against the bank and that an initial investigation into the allegations is underway. He further tells each employee that, until the matter is resolved, neither the lawsuit nor the investigation should be discussed with anyone. In addition, Felix emphasizes that any

harassment or intimidation directed at the whistleblower is unacceptable and may result in discipline. He also encourages each employee to promptly bring any issues or concerns to his attention.

On the other hand, freedom from retaliation does not mean that a whistleblower can do whatever she wants. If a whistleblower breaks the law, violates company policies, or fails to fulfill her employment responsibilities, you should follow your company's established disciplinary procedures. However, because your company's treatment of a whistleblower may be scrutinized, you should ensure that any disciplinary action taken is supported by solid evidence and is consistent with the sanctions imposed on anyone else for similar conduct.

Example 20: Two Global Corporation customer service representatives each have one unexcused absence from work. One of them is a whistleblower, one isn't. All things being equal, Global cannot impose greater discipline on the whistleblower than on the other employee for the same improper conduct.

In addition, you should always remember that a dissenter-turned-whistleblower is now in a position to hurt your company. As an adversary, a whistleblower may try to do things that further his case against the organization. For example, a whistleblower may try to record discussions at work, and even attempt to "manufacture" incriminating conversations. Or he may try to remove documents, files, computer disks, and other company property that he feels will support his case. Because such property is valuable to your company, both in terms of defending itself against the whistleblower's allegations and with respect to its competitive edge in the marketplace, you should keep your eyes open for suspicious behavior. Such scrutiny also helps remind your employees, including the whistleblower, of any company policy that prohibits the removal of company property.
Finally, if you have credible evidence that a whistleblower is improperly removing company property from the premises, you may want to ask him to show you the items he wants to take. Because this is a delicate issue, however, you should always consult senior management and company counsel about any questions or concerns.

Providing your employees with avenues to report their concerns is one of the most effective deterrents to whistleblowing activities. More often than not, dissenters are genuinely motivated by the desire to help their company fix a problem, and they simply want to be heard. But if they are not given the option of reporting their grievances internally, they may feel that they have no other choice but to go outside the company for assistance. As a manager, making yourself available and encouraging your employees to bring their concerns to your attention is a good start toward opening and maintaining lines of communication. There is more, however, that you can do to effectively prevent whistleblowing fiascoes. For any number of reasons, employees may not be comfortable reporting their grievances to you. Some employees may feel, rightly or wrongly, that you are a participant in the questionable activity. Some may fear retaliation and reprisal. Because you don't want these dissenters to disappear and resurface as whistleblowers, it is important to provide them with other ways to report their concerns.

If your company already has a corporate compliance program in place, it may have established a hotline for employees to call with problems or concerns. Compliance hotlines, which enable employees to report their concerns anonymously, can reduce fears of retaliation and encourage the internal reporting of grievances. You should make sure your employees are aware of the hotline and, in doing so, reinforce their obligation to report problems immediately through any available channel. You should also consider other types of reporting mechanisms that serve the same purpose. A simple and inexpensive solution is the use of a suggestion box that allows employees to report concerns on either an anonymous or identified basis. As is the case with a compliance hotline, you should make sure your employees are aware of and understand their reporting options and obligations.

Finally, you should be sensitive to the major warning signs of potential whistleblowing activity.

Example 21: Common warning signs of whistleblower activity include an employee's removing company property when it does not relate to her job responsibilities, as well as an employee's consistently ignoring the chain of command and taking her complaints directly to upper management. While these activities, in and of themselves, do not prove that an employee is a likely whistleblower, you should nevertheless recognize these warning signs and be prepared to respond accordingly.

CONCLUSION
Dissenters and whistleblowers are a permanent part of corporate life. Because dissenters can help and whistleblowers can hurt your company, your role in preventing the transformation from ally to adversary is critical. By responsibly managing would-be whistleblowers and ensuring that employees have real avenues to raise their grievances, you can reduce these risks and make a substantial contribution to your company's future success.

PRIVACY LAWS: PROTECTING PERSONAL INFORMATION


INTRODUCTION
The Internet and computer technology have made it possible to collect, sort, and disseminate massive amounts of information. In every type of business, people have realized how useful information can be for marketing purposes--especially information about individuals. It is now easy for a business to target its marketing efforts toward individuals most likely to be interested in its products or services. And selling collected information can be lucrative.

As information collection and dissemination have become big businesses in their own right, many individuals have become concerned about losing their privacy. They're concerned about how their personal information is used, and by whom. When personal information collected by one business is disclosed to others, individuals lose control of who has access to information about them--and, in some instances, cannot even fully track where and how far the information has traveled. Because of this, there is concern about personal information being misused.

Neither the federal government nor individual states have attempted to regulate this area comprehensively, favoring a free-market regulatory philosophy on informational privacy instead. The theory has been that it's in the best interest of businesses to voluntarily provide the protections necessary to persuade individuals to release information to them--and, conversely, that if businesses do not provide sufficient protections, individuals will withhold their personal information from the marketplace until satisfactory protections are in place. Thus, in the United States, statutes protecting the privacy of personal information have only been enacted in situations in which it appeared that free-market regulation was not working. In those cases, the resulting statutes have been fairly narrowly focused to address the specific problems at hand. The result is a patchwork of federal and state privacy laws, each with a limited scope, none of them comprehensive.
There are overlaps, gaps, and inconsistencies between the existing privacy statutes. What follows is a summary of several primary privacy laws with which insurers are required to comply. To a great extent, these laws overlap, and care must be taken to ensure that all of the requirements are satisfied.

WHAT IS GLB AND HOW DOES IT WORK?


Title V of the Gramm-Leach-Bliley Act, a federal law that protects the privacy of personal information, is one important piece of this privacy patchwork. In 1999, Congress was considering legislation to allow insurance companies, banks, and securities firms to engage in the others' businesses in ways that had been prohibited since the Great Depression. With changing times, the barriers between banks, insurers, and securities firms no longer seemed necessary or beneficial. Congress and many others realized, however, that one consequence of breaking down those barriers would be that huge amounts of sensitive personal information could be shared among these financial institutions without any limitations.

To address this situation, Title V, "Privacy," was added to the Gramm-Leach-Bliley Act (GLB) shortly before its final passage. While Title V is just one discrete part of GLB, we will refer to it as GLB. GLB requires each financial institution to respect the privacy of its customers and consumers and to protect the security and confidentiality of their nonpublic personal information. GLB does not prohibit financial institutions from using nonpublic personal information about customers or consumers; nor does it apply in any way to the sharing of nonpublic personal information with affiliates. Rather, it gives customers and consumers the right, in certain circumstances, to limit the disclosure of their personal information (called "opting out") to entities that are not affiliated with a financial institution that has it.

I. Important Terms
GLB applies to financial institutions, which it defines very broadly. The term unquestionably includes all insurance companies and agents selling insurance products to individuals, and all banks and securities firms that provide products or services to individuals. GLB protects nonpublic personal information, which it defines as personally identifiable financial information about an individual that is not publicly available. While the statute refers to personally identifiable "financial" information, the term "financial information" is defined so broadly that there is no real requirement that the information actually be financial in nature--and, as a practical matter, nonpublic personal information includes all personally identifiable information about an individual that is not publicly available.

Example 1: Alpha Insurance Company would like to make some money by selling personal information about its policyholders. Knowing that GLB limits the disclosure of individually identifiable financial information, Alpha wants to segregate and sell personal information that it believes is not financial--such as name, address, and social security number--from other information that it believes is financial, such as coverage amounts and premium payments. Under GLB, Alpha may not sell policyholders' names, addresses, or social security numbers if the information is disclosed in a way that indicates that the individuals are customers of Alpha (because it reveals a financial relationship with Alpha) or if it gathers the names, addresses, and social security numbers from personally identifiable financial information that is not publicly available, such as from applications.

The nonpublic personal information GLB protects is that of customers and consumers. Customers are individuals who have an ongoing relationship with the financial institution; consumers are individuals who have more tangential contact, such as former customers, declined applicants, and beneficiaries of a group insurance policy. In effect, an individual who has a policy with an insurer is a customer entitled to the protections GLB provides.

Example 2: John, a longtime policyholder of Alpha Insurance Company, terminates his policy with Alpha and obtains coverage from Beta Insurance Company. Under GLB, Alpha must protect the confidentiality and security of personal information that it has collected about John over the years, even though he is no longer a customer. (However, as you'll see later in this handbook, unlike Alpha's obligations to its current customers, its obligations to give John notice and an opportunity to opt out of the sharing of such information do not arise unless Alpha wants to disclose John's personal information to a nonaffiliated third party outside GLB's exceptions.)

II. Scope and Exceptions


GLB does not apply to all sharing of nonpublic personal information. As mentioned earlier, it does not apply to sharing with affiliates. Also, it does not apply to the sharing of nonpublic personal information collected in connection with nonconsumer transactions. It applies only to the sharing with nonaffiliated third parties of nonpublic personal information gathered in connection with consumer transactions. Even within that category, however, there are significant exceptions--situations in which financial institutions may share nonpublic personal information with nonaffiliated third parties even if the customer has opted out of third-party sharing. We refer to such information as information "within" or "under" GLB's exceptions. For example, financial institutions may disclose information:

- when necessary to effect, administer, or enforce a transaction requested or authorized by the customer
- with the customer's express consent
- to protect against fraud
- to a consumer reporting agency
- in connection with a merger or sale of the financial institution
- to the institution's lawyers and auditors
- to protect the confidentiality and security of the institution's records regarding the customer
- as required for institutional risk control
- to insurance rate advisory organizations
- as required to comply with federal, state, or local laws
- to comply with government investigations and judicial or regulatory proceedings
- to respond to a subpoena or summons, judicial process, or relevant regulatory proceedings

In addition to the general exceptions listed above, there is an exception to the opt-out requirements that allows a financial institution to disclose nonpublic personal information to a nonaffiliated third party so the third party can perform services for the financial institution, including marketing the financial institution's own products and services. This exception also permits disclosure to nonaffiliated third parties with which the financial institution has joint marketing arrangements. If information is shared under the service provider/joint marketing exception, the financial institution must describe such sharing to its customers. It must also have a contractual agreement with the third party that the third party will not use or disclose the shared information for any purposes other than those for which it received the information.

Example 3: In addition to its extensive personal lines business, Beta Insurance Company has a division that insures small business owners. Beta has retained A-1 Claims Handlers to perform all claims-handling functions. It also routinely shares customer information with Excellent Consumer Reports, and routinely gives its auditors access to all customer information. Beta also shares information about its small business owner customers and its personal lines customers with Sell-It Marketers. Beta does not need to give notice of most of the information-sharing practices mentioned. Beta's sharing with A-1 is within GLB's general exceptions (servicing), as is its sharing with Excellent Consumer Reports (sharing information with a consumer reporting agency) and with its auditors (internal risk control purposes). Beta has no GLB obligations as to its sharing with Sell-It of information concerning its small business owner customers, because GLB does not apply to commercial businesses. However, Beta must comply with GLB's requirements before sharing information about its individual customers with Sell-It. Sharing personal information with nonaffiliated third parties that will use the information to market products other than Beta's is precisely the type of information sharing that GLB seeks to control.

III. How It Works
GLB accomplishes its general goal of requiring financial institutions to respect and protect the privacy of the information they collect about their customers and consumers by requiring that financial institutions (1) notify customers--and in some circumstances, consumers--of their practices related to nonpublic personal information and (2) give customers and consumers the opportunity to choose whether the financial institution may make certain disclosures of their nonpublic personal information.

A. Notice
Financial institutions must give customers, both at the beginning of a customer relationship and annually thereafter (as long as the individual remains a customer), a clear and conspicuous notice of their privacy policies, which must include the following:

- The categories of nonpublic personal information the financial institution collects
- The categories of nonpublic personal information the institution discloses outside certain exceptions (discussed below)
- The categories of entities to whom the institution discloses nonpublic personal information
- The customer's right, if any, to opt out of certain information sharing
- The customer's right under the Fair Credit Reporting Act (FCRA) to opt out of certain affiliate sharing
- The institution's security practices and procedures
- Whether the institution makes disclosures within GLB's exceptions and, in limited circumstances, the types of such disclosures

Financial institutions must also give the same initial notice to their consumers whose nonpublic personal information they wish to disclose, before they disclose it.

The notice must be delivered in such a manner that each customer can be reasonably expected to receive actual notice--it must be clear and conspicuous. It must be in writing; oral delivery is not sufficient. Electronic notice is permissible if the customer agrees to receive it electronically.

Example 4: Beta Insurance sends its policyholders an envelope-sized flyer containing a notice of its privacy policies, including information responsive to all required categories, except that--since it has no affiliates (relevant only for FCRA and certain state law compliance) and does not disclose personal information to nonaffiliated third parties--it does not provide any information about opt-out procedures. The flyer is included in an envelope containing numerous marketing flyers for Beta's products as well as for other consumer items, and does not contain any especially noticeable heading or other identifying features. Since it does not share any personal information with third parties, the contents of Beta's notice are probably adequate, and mailing the notice is an acceptable method of delivery. However, it is not likely that printing the notice on such a small piece of paper and including it with numerous marketing flyers will satisfy GLB's requirement for the notice to be clear and conspicuous.

B. Choice
GLB only applies to the sharing of nonpublic personal information with nonaffiliated third parties. If a financial institution does not share nonpublic personal information with nonaffiliated third parties outside GLB's exceptions, it is not required to give its customers any choice about the sharing of their information. However, if the financial institution does share nonpublic personal information with nonaffiliated third parties outside GLB's exceptions, GLB expressly requires that the financial institution inform the customer in the notice (1) that he may opt out of the financial institution's sharing of his information and (2) how he may do so. Under GLB's opt-out system, a financial institution may share nonpublic personal information with nonaffiliated third parties outside GLB's exceptions unless the customer expressly directs it not to do so. This differs from some other existing and proposed privacy laws (which we'll discuss later) that give individuals a choice about the sharing of their personal information in the form of an "opt in" (the institution may not share personal information unless the individual expressly states that it may).

Example 5: Delta Insurance Company performs all claims functions for its two affiliates, Gamma Insurance Company and Sigma Insurance Company, so the three companies routinely share nonpublic personal information. In addition, Delta sells nonpublic personal information about its customers to Sell-It Marketers. Also, Delta has a joint venture with Money Bank to sell insurance products. Delta must include GLB opt-out information in its privacy notice for its selling of customer information to Sell-It. Because GLB does not apply to affiliate sharing, Delta does not need to include an opt-out notice for its sharing with its affiliates or for its sharing for the purpose of its joint venture with Money Bank (joint marketing exception). However, its privacy notice must include descriptive information about the categories of information it discloses and the categories of nonaffiliated third parties, such as Money Bank, with whom it has joint venture or joint marketing agreements.

IV. Reuse and Redisclosure Limitations


Once information has been shared with a nonaffiliated third party, GLB places limits on what the third party may do with it (other than use it for the purpose for which it was received). The limits differ depending on whether the information disclosure is subject to GLB's notice and opt-out requirements ("outside" GLB's exceptions) or whether it is exempted from those requirements by one of GLB's exceptions ("within" or "under" GLB's exceptions). Thus, it is very important to know the source of any nonpublic personal information, and the reason for which it was received.

A. Nonpublic personal information received under exceptions


If a financial institution receives nonpublic personal information from a nonaffiliated third party under one of GLB's general exceptions, it may disclose the information to an affiliate of the nonaffiliated third party from which it received the information, to its own affiliates, and to anyone else if the disclosure is within GLB's general exceptions. However, a financial institution receiving nonpublic personal information from a nonaffiliated third party may use the information only for the purpose for which it was received.

Example 6: Delta Insurance Company provides claims-handling services for Omicron Insurance Company and, as a result, routinely receives from Omicron nonpublic personal information about Omicron's customers. Delta's receipt of information from Omicron is within GLB's general exceptions (service functions). Therefore, Delta may disclose the information to an affiliate (if any) of Omicron, to its own affiliates, and to anyone else if the disclosure is within GLB's general exceptions. Delta itself may use the Omicron information only for handling claims on Omicron's behalf--the purpose for which it received the information.

B. Nonpublic personal information received outside exceptions


There are no restrictions on a financial institution's reuse of nonpublic personal information received outside GLB's exceptions. The institution may redisclose the information to affiliates of the nonaffiliated third party from which it received the information, to its own affiliates, and to anyone to whom the nonaffiliated third party itself could have disclosed the information.

Example 7: Delta Insurance Company purchases from Alpha Insurance Company information about Alpha's individual customers so that Delta can market to Alpha's customers certain insurance products that Alpha does not provide. GLB contains no exception that would exempt this information from its requirements. Therefore, Delta may disclose the Alpha information to an affiliate, if any, of Alpha; to Delta's own affiliates, if any; and to anyone else to whom Alpha could have disclosed the information. Delta itself may use the Alpha information for any purpose. This is because Alpha was required by GLB to notify its customers that it disclosed nonpublic personal information to nonaffiliated third parties such as Delta for marketing purposes and to give its customers an opportunity to opt out of such disclosure. Because customers have been notified of the disclosure but have not opted out of it, the customer is deemed to have consented to the disclosure, and the recipient is allowed full use of the information.

V. Limitations on the Sharing of Account Number Information for Marketing Purposes


One area to be aware of relates to account numbers. A financial institution may not disclose--other than to a consumer reporting agency--an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail. If disclosure of an account number is an issue, be sure to know for what purpose it is being disclosed, and check with your law or compliance department.

VI. Agents
Insurance agents are "financial institutions" for purposes of GLB, and thus are subject to all of GLB's compliance requirements. However, the regulations implementing GLB for insurers minimize complexities and redundancies that GLB otherwise creates for insurers and their agents. For example, if the insurer provides notices as required by GLB, and the agent does not disclose nonpublic personal information to anyone other than the insurer and its affiliates, other than as permitted by GLB, the agent does not need to send its own separate notice. This does not, however, relieve agents of the obligation to safeguard the security and confidentiality of nonpublic personal information in their possession or to which they have access.

Example 8: Agent X is an independent agent who sells insurance on behalf of several unrelated companies, all of which provide GLB notices as required. Agent X does not disclose nonpublic personal information to anyone other than the insurer with whom individuals' coverage is placed. Agent X would, however, like to use nonpublic personal information of the policyholders of Alpha Insurance Company to try to sell those policyholders insurance products not sold by Alpha. Agent X has no obligation to provide GLB notices, as the insurance regulations implementing GLB relieve him of it. If, however, he begins using the nonpublic personal information of Alpha's policyholders for purposes of marketing products to them that are not sold by Alpha, Agent X becomes obligated to send his own notice.

This rule is a modification made in the insurance regulations implementing GLB. The implementing regulations passed by the regulators for other financial service companies did not include a similar modification. This causes some problems for insurance agents who are licensed to sell securities so that they can sell variable products. The U.S. Securities and Exchange Commission (SEC) regulates financial institutions that sell securities, including insurance agents who are licensed to sell them. While the regulations governing securities firms and those governing insurers are largely the same, they are different in that the SEC regulations do not relieve annuities-selling insurance agents of the obligation to send initial and annual privacy notices. This makes sense in a traditional securities situation, in which it is the agent--not the company--who generally has the ongoing relationship with the customer. This is not always the case, however, in situations in which an insurance agent is selling variable products. In those situations, the customer-company relationship is often the primary continuing relationship.

Example 9: Agent T is a registered representative of XYZ Broker-Dealer and sells variable annuities on behalf of Beta Insurance Company, which sends notices as required by GLB. Agent T does not disclose nonpublic personal information concerning Beta's policyholders to anyone. XYZ must also send privacy notices to individuals who purchased Beta's variable annuities from Agent T if Agent T has established a customer relationship with them.

Securities dealers selling variable insurance products must send their own privacy notices to individuals with whom they have a customer relationship. The SEC regulations, unlike the insurance regulations, do not, at this time, exempt insurance agents licensed to sell securities from GLB's notice requirement.

VII. Regulatory Authority

A. Functional regulators


Rather than give one single agency complete authority to enforce GLB, Congress divided enforcement authority among the various regulators with day-to-day regulatory authority over financial institutions. These functional regulators were also directed to promulgate implementing regulations applicable to the financial institutions for which they had regulatory authority. For insurers, state insurance regulators are the functional regulators.

B. NAIC model regulation

0. Adoption


To assist the state regulators in fulfilling their obligation to promulgate implementing regulations, the National Association of Insurance Commissioners (NAIC) drafted a model regulation titled Privacy of Consumer Financial and Health Information (NAIC Model Regulation). As of May 2002, 35 states had adopted regulations based on the NAIC Model Regulation (although, as discussed later, a number of them omitted the provisions concerning the privacy of personal health information).

1. Specifics
The NAIC Model Regulation is largely similar to the regulations adopted by other functional regulators for banks, securities firms, and credit unions. The NAIC Model Regulation provides detailed definitions of important terms, identifies the required content of privacy and opt-out notices, and details methods for opting out and delivering notices. It also provides specific information on GLB's exceptions and reuse and redisclosure limits. When we refer in this handbook to "GLB," we are referring not only to the statute, but also to the regulations implementing it.

2. Health information
The NAIC Model Regulation is notable in that it includes model regulations specifically governing the privacy of personal health information. GLB itself did not mention personal health information, nor do the implementing regulations adopted by the other functional regulators. However, because GLB's definition of "personally identifiable information" has been so broadly construed, it could cover personal health information. Because many insurers routinely have access to and use personal health information in the ordinary course of business, the privacy of personal health information is more of a concern for insurance regulators than for bank and securities regulators. Under the NAIC Model Regulation, insurers may not disclose nonpublic personal health information, outside specified exceptions, to anyone (there is no exception for disclosures to affiliates) without the express authorization of the customer to whom such information applies. As noted, however, there are exceptions. For example, nonpublic personal health information may be disclosed to facilitate the performance of numerous insurance functions by or on behalf of the insurer, including claims handling, fraud detection, loss control, and risk management.

Example 10: Omicron Insurance Company issues group health insurance plans. It collects nonpublic personal information about individuals' beneficiaries when it handles claims they have submitted. Omicron is not required to obtain authorization from the individuals to use their information to handle their claims, because claims handling is an exception to the NAIC Model Regulation's health information requirements. Omicron would be prohibited from disclosing the information to another entity unless it first obtained express consent from each individual whose information it wanted to sell.

The NAIC Model Regulation specifies the required content of a valid authorization to use or disclose personal health information, and further states that no authorization may remain valid for more than 24 months. The authorization request form, like the general notice, must be clear and conspicuous. It may be delivered to a consumer or customer as part of the general opt-out notice. Including the health information provisions in the NAIC Model Regulation was a matter of some controversy. Of the 35 states that enacted regulations based on the NAIC Model Regulation, 21 adopted it in its entirety, while 14 adopted only the portion concerning nonpublic personal financial information.

3. The NAIC 2002 Model Regulation


In addition to its model privacy regulation, the NAIC has also issued a model regulation regarding the security of personal information, known as the 2002 Model Regulation on Standards for Safeguarding Customer Information. Where adopted, this regulation requires insurers to implement a comprehensive written security program designed to protect the security and confidentiality of nonpublic customer information. The security program must include appropriate administrative, technical, and physical safeguards designed to ensure the security and confidentiality of such information--and to protect it against threats, hazards, and unauthorized access. The regulation also suggests procedures for meeting these requirements.

C. The SEC and Regulation S-P


Many insurance companies have broker-dealer affiliates that must comply with the SEC's privacy provisions, which are contained in Regulation S-P. Regulation S-P applies to brokers, dealers, investment companies, and registered investment advisers. Like GLB, it requires each institution to provide written notice about its privacy policy and practices, describing, among other things:

- the categories of personal nonpublic information that may be collected and disclosed
- to whom such disclosures may be made and under what conditions
- the firm's policies on sharing information about former customers, and
- its policies and procedures for protecting the security and confidentiality of such information

In addition, firms must give individuals the chance to opt out of the disclosure of their personal information. Like GLB, Regulation S-P distinguishes between consumers and customers. A consumer becomes a customer under Regulation S-P if she enters into a continuing relationship with the financial institution. Here are some examples of a continuing relationship:

- The consumer has a brokerage account with you, or a consumer's account is transferred to you from another broker-dealer.
- The consumer has an investment advisory contract with you (whether written or oral).
- The consumer is the record owner of securities you have issued if you are an investment company.
- The consumer holds an investment product through you, such as when you act as a custodian for securities or assets in an individual retirement arrangement.
- The consumer purchases a variable annuity from you.
- The consumer has an account with an introducing broker or dealer that clears transactions with and for its customers through you on a fully disclosed basis.
- You hold securities or other assets as collateral for a loan made to the consumer, even if you did not make the loan or do not effect any transactions for him.
- You regularly effect or engage in securities transactions with or for a consumer even if you don't hold any of his assets.

Example 11: Alex calls his longtime friend, Global Insurance agent Janet, to buy a variable life insurance contract. Janet indicates that the contract will be sold through Global's affiliate, Global Securities. Because the variable life insurance contract is both an insurance product and a security, Alex will also be considered a customer of Global Securities, and the provisions of Regulation S-P will apply.

The procedures for providing notice differ between consumers and customers. Under Regulation S-P, for consumers, the financial institution must provide notice prior to disclosing their nonpublic personal information. And even if the firm doesn't disclose such information, it must provide the notice if the consumer becomes a customer of the firm. If the firm doesn't disclose the information, and the consumer doesn't become a customer of the firm, the firm doesn't need to provide the notice to the consumer. For customers, notice must be provided no later than the point at which the institution enters into a continuing relationship. Practically, this means the initial notice to a customer can be provided at the same time as other required customer notices. Customers must also be provided with an annual notice, the purpose of which is to remind them of the privacy policy and to inform them of any changes to it. If you work for a broker-dealer subsidiary or other financial institution covered by Regulation S-P and you are not sure of your obligations, consult your law or compliance department.

HIPAA

I. Background
Another federal statute, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), also provides informational privacy protections. HIPAA has a number of purposes, including protecting the ability of insureds who are changing jobs or leaving the workforce to keep their health insurance. Another is simplifying and streamlining administrative burdens related to providing and paying for healthcare by standardizing the descriptions of various services and requiring the increasing use of electronic technology to store and transmit health information. To achieve the purposes of HIPAA, Congress directed the United States Department of Health and Human Services (HHS) to adopt regulations or standards that detail how routine financial and administrative transactions related to healthcare (for example, healthcare claims or health plan enrollment) are to be performed electronically. This standard, called the Electronic Transactions Rule, explains what health, financial, and demographic information about patients, health plans, healthcare clearinghouses, and healthcare providers must share with one another when conducting these standard electronic transactions. While Congress recognized the cost savings that could be achieved by decreasing the paperwork burden related to providing and paying for healthcare services, it also understood that the confidentiality and integrity of health information stored and transmitted electronically must be protected against improper access, disclosure, and manipulation. To limit this risk, HHS also was tasked with developing a second rule that restricts the use and disclosure of all individually identifiable health information, and a third rule that requires measures be taken to protect electronic protected health information (e-PHI) from malicious attacks, a security incident, or inadvertent breaches of its integrity. The second rule is known as the Privacy Standards, and the third rule is the Security Standards. 
The Privacy Standards govern the ways certain health information, termed protected health information (PHI), may be used internally by the party who creates and maintains it as well as how and when that party may disclose the PHI to third parties. Essentially, the premise of the Privacy Standards is that no one may use or disclose an individual's PHI unless the Privacy Standards direct or allow an entity covered by them to do so. There are four tiers of protection of PHI that stipulate how it may be used or disclosed:

1) disclosures that are required regardless of an individual's permission
2) permitted uses and disclosures without individual permission
3) permitted uses and disclosures once the individual receives a copy of a covered entity's Notice of Privacy Practices
4) permitted uses and disclosures in accordance with the individual's written authorization

A. Important terms
The term covered entity includes entities that provide or pay the cost of medical care. This obviously includes many insurers. It does not apply to life, property/casualty, workers' compensation, or accident disability insurers, even though all of these insurers routinely obtain and use personal health information in the regular course of business, and, in some cases, actually pay the cost of healthcare.

Individually identifiable health information includes any information that relates to the physical or mental health or condition of an individual, the provision of healthcare to an individual, and payment for those services that can be used to identify a particular individual. The HIPAA Privacy Rule safeguards a subset of individually identifiable health information called protected health information, which is defined as all individually identifiable health information transmitted or maintained in any form by covered entities.

The HIPAA Privacy Rule also places constraints on the use and disclosure of PHI by business associates, which are entities that perform functions on behalf of a covered entity that require the use or disclosure of PHI. Examples of such functions include: claims processing, billing, data analysis, or utilization review, and legal, actuarial, or financial services provided by entities outside the covered entity if the provision of those services involves the disclosure of PHI. Assuming the Privacy Standards are followed as required by law, PHI should not flow freely from a covered entity to third parties unless the rules permit it.

Example 12: Omicron Insurance Company sells group health insurance policies. Its affiliate, Zeta Insurance Company, sells life insurance policies and has traditionally had access to medical information about the beneficiaries under Omicron's group health policies. Zeta used the medical information to market life insurance policies to Omicron's beneficiaries. Under the HIPAA Rule, Zeta, which is neither a covered entity nor a business associate, will no longer be able to use Omicron's information unless Omicron obtains express authorization from each beneficiary.

B. Notice
In order for a covered entity to use or disclose an individual's PHI for purposes of treatment, payment, or healthcare operations, it must first give the individual notice as to how it may use or disclose the information. This notice is referred to as a Notice of Privacy Practices. For insurers covered by HIPAA, the notice had to have been distributed to enrollees currently in the plan by April 14, 2003, the HIPAA compliance date. New enrollees have the right to receive the notice at the time of their enrollment in a plan. If the health plan materially revises its privacy practices, it must notify all enrollees within 60 days of the revision. In addition, health plans must also inform enrollees at least once every three years about the availability of the notice and how to obtain a copy. HIPAA notices must be written in plain English and must contain the following heading:

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE READ IT CAREFULLY.

In addition, the notice must:

- describe, with an example, the types of uses and disclosures the covered entity makes for treatment, payment, or healthcare operations purposes, as well as other uses the covered entity is permitted to make of the information
- confirm that other uses and disclosures will be made only with the individual's written authorization, which can be revoked
- disclose that the covered entity may, for example, provide appointment reminders and information about treatment alternatives or other health-related benefits and services, and contact the individual for fund-raising purposes

Group health plans, health insurance issuers, or HMOs also must notify individuals that these organizations may disclose PHI to the sponsor of a plan.

The notice must also inform the individual of his rights to:

- request restrictions on certain uses or disclosures
- inspect and copy PHI about himself
- request amendments to his PHI
- receive an accounting of disclosures of PHI the covered entity has made during the immediately preceding six years
- obtain a paper copy of the notice (for anyone who agreed to receive the notice by e-mail)
- receive confidential communications (that is, the right not to have appointment reminders sent to their home)

The notice must further disclose that the covered entity:

- is legally obligated to maintain the privacy of PHI and to send the notice
- is required to abide by its notice currently in effect
- reserves the right to change its notice and that, if it does, it will provide a revised notice to individuals
- must provide a mechanism for registering complaints, a means to contact the covered entity, and an effective date for the notice

C. Good-faith acknowledgment and authorization
The Privacy Standards require that a covered healthcare provider obtain some type of written statement from individuals acknowledging that they received the notice. Health plans are not held to this same requirement. Unlike informed consent, covered entities are under no obligation to make sure an individual reads or understands the notice; their duty is complete once they deliver the notice in the manner required by the Privacy Standards.

The last tier under which PHI may be used and disclosed--uses and disclosures that are permitted only in accordance with the individual's written authorization--is the most restrictive and the most protective. This category is the catchall and mandates, basically, that if a particular use or disclosure was not specifically permitted in one of the other three methods enumerated above, then a covered entity must obtain express authorization from the individual for the use or disclosure of his or her PHI. The authorization must specifically describe:

- who is authorized to release the information
- to whom information may be released
- what types of information may be released
- the purposes for the release
- the patient's right to withdraw the authorization at a later date and to receive a copy of it

Consequently, because disclosure of PHI to life or disability insurers is not permitted elsewhere in the Privacy Standards, a covered entity must obtain a signed HIPAA-compliant authorization from a patient or enrollee before releasing any PHI to these organizations.

The disclosures required by the first tier include releases of PHI to the individual whom the PHI describes. The second tier permits a number of uses and disclosures for public policy reasons. Other state and federal laws and regulations typically govern these areas. Thus, a covered entity need not give notice or obtain permission to use or disclose PHI for the following reasons:

- as required by law
- for public health purposes
- for reporting abuse, neglect, or domestic violence
- to carry out health oversight activities
- for law enforcement purposes
- for identification and location purposes
- for use by coroners and medical examiners
- for research activities
- to avert a serious threat to health or safety
- for specialized government functions
- for purposes of workers' compensation (state law continues to govern)

D. Access and correction rights
Unlike GLB, the HIPAA Privacy Standards provide individuals the right to inspect and copy PHI about themselves, although there are a number of circumstances in which the covered entity may refuse individuals access. In addition, individuals have the right to request amendment of their PHI. Again, the covered entity is not required to agree to make the amendments, but whatever the covered entity's decision, it must make a prompt decision and inform the individual.

E. The relationship of GLB and HIPAA

It was recognized early on that health insurers that fell under both the GLB definition of a financial institution and HIPAA's definition of a covered entity could potentially be exposed to both sets of privacy rules. Although GLB directed seven federal agencies to promulgate regulations to implement it, it did not grant any federal agency the right to regulate health insurers. Instead, state insurance authorities were given incentives to adopt and enforce laws consistent with GLB. As a result, health insurers could be faced with having to comply with the federal HIPAA Privacy Standards and the federal GLB rules.

Because Congress failed to address the interaction between HIPAA and GLB, the Federal Trade Commission and the other agencies charged with implementing GLB worked together with HHS to prevent the imposition of duplicative and inconsistent rules. The FTC also decided that it would take the position that persons engaged in providing insurance would be within the jurisdiction of state insurance authorities, and, therefore, these parties are not subject to dual federal agency jurisdiction for information that is both nonpublic personal information and personal health information.

Furthermore, because HIPAA trumps state laws that are (1) contrary to it or (2) less stringent, a health plan needs to compare the state law in the jurisdictions in which it operates to the HIPAA Privacy Standards in order to develop a single set of operating rules (which likely will be made up of both state law and the Privacy Standards) for using and disclosing nonpublic personal information/personal health information under its control. A state law is considered contrary if a covered entity would find it impossible to comply with both the state law and the federal Privacy Standards, or if the state law is an obstacle to achieving the purposes underlying HIPAA. There are several exceptions to this general rule of preemption; however, only three are particularly pertinent to health plans.
First, HHS determines that a state law must be followed:

- to prevent fraud and abuse related to the provision of or payment for healthcare
- to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation
- for state reporting on healthcare costs
- for other purposes of serving a compelling need related to public health, safety, or welfare

Second, the state law requires the reporting of disease or injury, child abuse, birth, or death; or it requires the conduct of public health surveillance, investigation, or intervention.

Third, the state law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, facility licensing or certification, or individual licensing or certification.

The Privacy Rule also does not preempt or trump a state law that relates to the privacy of health information and is more stringent than the federal requirements. More stringent means that the state law provides greater privacy protection of health information, such as when the law establishes greater limitations on disclosures, creates more individual rights with respect to PHI, or provides greater access to PHI for individuals than the federal law.

Example 13: A state law that requires that patients consent to disclosures of their health information for treatment and/or payment purposes would be considered more protective than the federal Privacy Standards, and, therefore, not preempted.

Example 14: A state law that permits the disclosure of medical information to an insurance institution (other than an insurer covered by the Privacy Standards) without written authorization of the patient would be considered less stringent, and, therefore, preempted by HIPAA.

FAIR CREDIT REPORTING ACT


The Fair Credit Reporting Act (FCRA) was enacted in 1970 to protect consumers from injury to their reputation resulting from improper uses of credit information. The original focus of the statute was to ensure the fair and accurate reporting of consumer credit information by consumer reporting agencies and to provide a system for reducing the risk of inaccurate information being disseminated. Later amendments to FCRA require consumer reporting agencies to provide privacy protections for consumer reports.

I. Important Terms
A consumer reporting agency is defined as any person who--for monetary fees, dues, or on a cooperative nonprofit basis--regularly engages, in whole or in part, in assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties. A consumer report is any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. Such a report is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for, among other things, credit or insurance to be used primarily for personal, family, or household purposes.

Example 15: Delta Insurance Company, one of a group of related insurance companies (ABC Group), runs and maintains a central electronic data bank in which information about all policyholders of all insurers in ABC Group is collected, and to which all insurers in ABC Group have access. The information includes names, addresses, and social security numbers; information about each insurer's transactions and experience with each customer; and the results of credit report inquiries each insurer made to Excellent Consumer Reports. Delta does not share information outside its affiliates. Delta is a consumer reporting agency under FCRA because it collects information that is within the definition of a consumer report about individuals for the purpose of disclosing it to others. It does not matter whether this is Delta's primary purpose for gathering the information. Under FCRA, if just one purpose of collecting information is to make it available to others, the entity is a consumer reporting agency.

II. Scope and Exceptions


Like GLB, FCRA requires that consumer reporting agencies take steps to safeguard the privacy and security of consumer information in their possession. FCRA is important to insurance companies because its definitions are very broad--generally speaking, insurers and the consumer information in their possession fall within those definitions. If insurers collect consumer information and then share it with third parties--affiliated or not--they are likely to be consumer reporting agencies under FCRA, and thus subject to its requirements. FCRA permits the disclosure of consumer reports only in specified circumstances:

- In response to a court order or subpoena
- To someone the credit reporting agency has reason to believe intends to use the information in connection with a credit transaction requested by the customer
- For employment purposes
- To underwrite insurance involving the individual
- In connection with a business transaction initiated by the individual
- To determine whether the individual continues to qualify for an account

It also allows affiliated companies to communicate information solely concerning transactions or experiences between the consumer and the person making the communication. This is called "transaction or experience" information. This is data related to a financial institution's own experience with its accounts--such as outstanding balances, delinquency in paying bills, or the length of time an account has been open.

III. Notice and Choice


FCRA also permits the disclosure of very limited information from consumer reports for marketing purposes if the consumer is first notified and given the opportunity to opt out of such disclosures. If a consumer is given such notice and an opportunity to opt out, information that would otherwise be within the definition of a consumer report is outside the definition for the limited purpose of the consumer reporting agency disclosing it to its own affiliates. Other disclosures can only be made with the express authorization of the consumer.

IV. Access and Correction Rights


FCRA requires that consumers be given access to the information the consumer reporting agency has about them, and the right to request correction of inaccuracies in that information. The consumer reporting agency is not required to make requested corrections--but if it does not do so, it must place a note in the consumer's file indicating the specified information that is disputed and the grounds for the dispute.

V. Other Provisions
The FCRA also includes identity-theft and other consumer-protection provisions that, among other things:

- entitle consumers to free credit reports once a year and in particular circumstances
- entitle consumers to "flag" particular accounts where identity theft is suspected and block any information resulting from identity theft from their credit reports
- allow identity-theft victims to obtain copies of the thief's credit application and other account-related activity
- require financial institutions and creditors to adopt procedures for detecting identity theft
- prohibit creditors from obtaining or using consumers' medical information in connection with credit decisions, except in specified circumstances
- allow consumers to opt out of information-sharing among creditors and their affiliates for marketing purposes

Some of these provisions are being phased in over time. Consult your law department if you have any questions about the status of a particular provision.

1982 NAIC MODEL INSURANCE INFORMATION AND PRIVACY PROTECTION ACT


I. Purpose and Background

A. Important terms

In 1982, the NAIC issued its Model Insurance Information and Privacy Protection Act (the 1982 NAIC Act). As with the NAIC Model Regulation discussed previously, the 1982 NAIC Act is simply a model for privacy legislation that individual states may or may not enact. It nevertheless affects many insurers, as at least 17 states enacted and still have on the books statutes based on the 1982 NAIC Act--in some states in addition to the NAIC Model Regulation discussed above, and in other states instead of it. The 1982 NAIC Act applies to insurers and protects individually identifiable information, which includes medical record information. The 1982 NAIC Act requires opt-in consent for disclosures of individually identifiable information that are outside its exceptions.

B. Scope and exceptions


The 1982 NAIC Act prohibits insurance institutions, agents, and insurance support organizations from disclosing personal information about an individual without her express consent. However, as with GLB, there are exceptions to that prohibition. For example, there are exceptions for disclosures to:

- enable a person to provide services to the insurer, if the person receiving the information has agreed not to further disclose the information without the individual's consent
- prevent fraud
- confirm insurance benefits
- enable an insurer to perform its functions in connection with an insurance transaction involving the individual

There are also exceptions for disclosure:

- to insurance regulatory, law enforcement, or other governmental officials as required or permitted by law
- in relation to a merger or sale of all or part of the business of an insurer
- to a person who will use the information solely for marketing purposes
- by a consumer reporting agency
- to a group policyholder for purposes of reporting claims experience or conducting an audit of the insurer's operations or services

Example 16: Alpha Insurance Company wants to share with its affiliates individually identifiable information of policyholders so that they can market to those policyholders. The policies in question are subject to state law that follows the 1982 NAIC Act. The 1982 NAIC Act expressly excepts the sharing of information for marketing purposes. Therefore, Alpha can share information with affiliates who will use it solely for marketing purposes.

C. Notice, choice, access, correction


Like GLB and HIPAA, the 1982 NAIC Act requires insurers to notify applicants and policyholders of their information practices in connection with insurance transactions. The notice must be provided at certain times, such as application and policy renewals, and may be combined with the GLB notice. Like FCRA and HIPAA, the 1982 NAIC Act gives policyholders access to information about them and permits them to request corrections to it. The insurer is not required to make the corrections requested, but if the individual disagrees in writing with the insurer's decision, the insurer must include that statement in the individual's file.

SECURITY
GLB requires not only that insurers protect the privacy of personal information, but that they also take steps to safeguard nonpublic personal information in their control. To implement the GLB security requirements, the NAIC has issued its 2002 Model Regulation on Standards for Safeguarding Customer Information. Where adopted, this model regulation requires insurers to implement a comprehensive written security program designed to protect the security and confidentiality of nonpublic customer information. The security program must include appropriate administrative, technical, and physical safeguards that are designed to ensure the security and confidentiality of such information and to protect it against threats and hazards, as well as unauthorized access that could result in substantial harm or inconvenience to any customer.

The NAIC's model regulation also sets out examples of methods that an insurer may use to implement its requirements, including:

- identifying internal and external risks to the security and confidentiality of customer information
- assessing the likelihood and potential damage of such threats
- assessing whether its current safeguards are sufficient to control those risks
- designing an information security program to control identified risks
- regularly testing key controls, systems, and procedures
- using due diligence in selecting service providers
- requiring service providers to implement appropriate measures to carry out the model regulation's objectives
- monitoring and evaluating their information security programs and making appropriate changes in light of technology advances, internal or external threats, sensitivity of customer information, and their own business arrangements

The HIPAA Security Standards apply to protected health information that's stored or transmitted electronically (also called "electronic protected health information"). They are more specific than the NAIC's 2002 model regulation, but they require the same general actions. The HIPAA Security Standards require that covered entities have in place technical protections (information technology and systems protections), administrative safeguards (policies and procedures concerning the security and confidentiality of personal information), and physical protections (locks on the doors) to secure electronic protected health information. They then identify specific required and addressable actions in each category.

Adequately safeguarding the security of personal information requires not only significant technical safeguards, but physical and administrative protections as well. For example, not only must the institution's technology systems be adequate and appropriately configured, company personnel who have contact with customers or nonpublic personal information must understand the privacy rules. They must also be alert to situations in which there is a potential for improper release of personal information, so that these situations may be dealt with on both individual and system-wide levels.

Example 17: Alpha Insurance Company is a midsize stand-alone insurance company that performs all its own underwriting, claims, billing, and marketing functions. Alpha must identify and assess security risks to personal information, take steps to minimize those risks, and have a written security program even though it does not disclose customer information outside the company. GLB's security requirements apply to all customer information even if it is not disclosed to any other entity.

ENFORCEMENT
I. GLB
GLB does not give individuals the right to sue for violations of its provisions. Rather, it delegates enforcement authority to the functional regulators for the various financial institutions--for insurers, that means state insurance regulators. In many states, state attorneys general also have enforcement authority, either along with or on behalf of state insurance regulators. Enforcement actions are often based on state unfair trade practices.

II. HIPAA
HIPAA likewise does not give individuals the right to sue. HHS has enforcement authority for HIPAA. While HHS has expressed its preference for voluntary and cooperative resolution of compliance problems, HIPAA does authorize the secretary of HHS to impose penalties for violations--not more than $100 per violation for routine violations, with an annual cap of $25,000, and fines ranging from $50,000 to $250,000 and/or imprisonment of up to ten years for knowing violations.

III. FCRA
Unlike GLB and HIPAA, FCRA does give individuals the right to sue for violations. In addition, the Federal Trade Commission (FTC) and other federal regulators have enforcement authority and are authorized to impose fines of up to $25,000 per knowing violation. Further, states have the authority to enforce FCRA if the FTC has declined to bring an enforcement action in a given situation.

IV. The 1982 NAIC Act


The 1982 NAIC Act gives individuals the right to sue for specific alleged violations. States that have enacted a version of the 1982 NAIC Act have typically specified the permissible recovery. In addition, the insurance regulators of a state may also enforce the 1982 NAIC Act pursuant to their general enforcement authority.

PRIVACY ISSUES
INTRODUCTION
All businesses collect and maintain information about individuals. In doing so, companies may expose themselves, often inadvertently, to myriad privacy laws. In recent years, loss of personal privacy has become a major concern to individuals. This has led to a complex array of state, federal, and international laws dealing with data protection and privacy.

There is no comprehensive legislation in the United States that broadly protects personal privacy. There are, however, a growing number of federal laws that apply to specific kinds of data, such as an individual's financial or health-related information. These laws may apply only to particular industries, such as financial institutions, or may have particular requirements that mandate particular uses of the information. Businesses must determine whether any federal laws apply to their collection and use of personal information.

Understanding state laws is also important. Many states provide additional or stronger protection for various aspects of privacy. Indeed, some states have included the right to privacy in their state constitutions.

Compliance with federal and state laws is not enough for many businesses. Many companies are also required to comply with international data-privacy laws. These laws, particularly in Europe, may be much more comprehensive than what is required under U.S. law.

It's not practical to discuss all laws impacting individual privacy in a short handbook like this one. Furthermore, privacy is emerging as one of the hottest liability issues of the new millennium, and privacy laws often change. So this handbook reviews some of the most important current laws that address privacy as they impact U.S. business and employers. Since many U.S. companies do business with individuals overseas or have employees working abroad, key features of European data-protection laws will also be addressed.

This handbook provides only a general overview of all of these laws. It does not provide legal advice or guidance on how you should act in a particular situation. Privacy law is complex, and the laws differ depending on the states or countries in which you do business or have employees. Consult your law or compliance department for detailed advice and guidance.

FINANCIAL INFORMATION
Individuals are concerned about how their financial information is used and want to be assured that information is accurate, secure, and not misused. This section addresses national privacy laws governing consumer reports and financial information. It also includes a discussion of federal rules concerning the prevention of identity theft.

I. Consumer Reports: The Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACT Act)
The Fair Credit Reporting Act (FCRA) is a federal law designed to protect the privacy of consumer report information and to ensure that information is as accurate as possible. In January 2004, the Fair and Accurate Credit Transactions Act (FACT Act) came into effect. The FACT Act amends the FCRA to strengthen the consumer reporting system and includes provisions to fight identity theft. This discussion will incorporate both the FCRA and the FACT Act.

A. Consumer reports
The FCRA applies to information in consumer reports. Consumer report information impacts a consumer's creditworthiness or other credit characteristics and may include credit history, driving record, criminal activities, and, in some instances, information on an individual's character, general reputation, personal characteristics, or mode of living. Consumer reports may be written or oral. The FCRA regulates consumer report information compiled by a consumer reporting agency (CRA). CRAs collect and evaluate consumer credit information for the purpose of selling it to third parties, such as banks, insurance companies, and employers. CRAs include many kinds of businesses, such as credit bureaus, tenant and employee screening companies, check verification services, and medical information services that collect information to help other businesses evaluate consumers. The FCRA imposes obligations on CRAs as well as those who supply information to CRAs. Companies that use consumer reports have additional obligations.

Example 1: MegaStore regularly supplies payment and account information concerning customers using the MegaStore credit card to Ultra CRA, a national company in the business of compiling information for credit scoring. MegaStore is not a consumer reporting agency since it furnishes, but does not evaluate, information about its customers. Because Ultra CRA evaluates the information and provides it to others, it is a consumer reporting agency. However, because MegaStore furnishes information, the FCRA imposes obligations on it as well.

B. Obligations of consumer reporting agencies


In general, CRAs may only furnish consumer reports for certain purposes defined as legally permissible. Permissible purposes include issuing reports:

- as instructed to do so in writing by the consumer
- to a person who will use the information to extend consumer credit
- in connection with underwriting a consumer insurance policy
- for employment purposes

The FCRA requires users of this information to identify themselves and to certify that the purposes for which the information is used are legally permissible.

Example 2: Global Insurance contacts National CRA to request a consumer report for Joyce, who has applied for a life insurance policy. Global Insurance certifies that it will only use the information in Joyce's consumer report to determine her eligibility for insurance. Since Global Insurance will use the information in connection with underwriting a consumer insurance policy, a permissible purpose, National may furnish the report.

Example 3: Adam is a Global Insurance employee who regularly requests consumer reports as part of his job. He sends a request to National CRA for a consumer report on his fiancee, Amanda. He wants to use the information to find out whether she has been honest about her debt, and he certifies this in his request for the report. Since a background check on a prospective spouse is not a permissible reason for a consumer report, National may not furnish the information.

In part, the FCRA was enacted so that consumers could protect their credit reputation by preventing inaccurate information from being circulated. Prior to its enactment, consumers had difficulty obtaining the information contained in their consumer reports. The FCRA requires that if a consumer requests his consumer report, the CRA must clearly and accurately disclose the information in the file, including the identity of each person who has requested the report, and must obtain proper identification from the consumer before doing so. The FCRA does not require the CRA to provide all information on those who have requested the consumer report. If the request is for employment purposes, the CRA must identify those who requested the information in the two years preceding the request. If the request was for any other purpose, the CRA must identify those who requested the information only during the year preceding the request. If the consumer does not specifically request his credit score, the CRA is not obligated to disclose it, but it must provide a statement that the consumer may request and obtain his credit score.

Example 4: Linda sends a written request to Ultra CRA for a copy of her consumer report and a list of anyone who has ever requested her consumer report. Ultra CRA first obtains proper identification from Linda, and then releases the information. Since Linda did not request her credit score, Ultra CRA does not disclose it but sends a statement to Linda that explains she may request and obtain her credit score.

When providing a consumer report to an individual, the CRA must include a disclosure that describes the rights of consumers to dispute the accuracy of items in the file, how to exercise these rights, and a list of all the federal agencies enforcing the FCRA. Consumers may dispute the completeness or accuracy of any item of information in their consumer reports. The CRA is required to investigate the dispute, unless it has reasonable grounds to believe that it is frivolous or irrelevant. If the information turns out to be inaccurate or can no longer be verified as accurate, the CRA must delete the information from the report. If specifically directed to do so by the consumer, the CRA must notify anyone who received the inaccurate report for employment purposes within the previous two years and any other person who received the report within the previous six months.

C. Obligations of those who use consumer reports

Businesses use consumer reports to determine a consumer's eligibility for insurance, personal credit, or employment. Often, lenders or insurance companies make decisions on extending consumer credit or individual insurance policies based on an individual's credit score. In addition, lenders and insurance companies may have risk-based pricing, providing better rates to those with good credit ratings than those with poor credit ratings. On January 1, 2004, the FACT Act amended the FCRA to require companies to provide new or prospective customers with a notice if they use consumer report information in connection with determining rates.

Example 5: John has been licensed to drive an automobile for six months and wants to change his automobile insurance carrier. He applies for new insurance from Global Insurance. Global must provide John with a notice that it will use consumer report information to determine whether to offer him an insurance policy and to set the appropriate rate.

If a company denies credit or insurance, or charges a less favorable rate on the basis of information in a consumer report, it must provide an adverse action notice to the individual. The notice must contain (1) the name, address, and telephone number of the CRA that supplied the information; (2) a statement that the CRA didn't make the decision and can't give specific reasons for it; and (3) a notice that the consumer has the right to a free copy of the consumer report information upon request and to dispute its accuracy or completeness.

Example 6: Global Insurance obtains a consumer report for John from Mega CRA. The report indicates that John has a poor credit history, including a bankruptcy three years ago. Global extends a policy to John at a rate higher than its standard rate, basing its decision primarily but not entirely on John's limited driving experience, not his credit score. Global must still provide an adverse action notice because the consumer report played a part in its decision to charge the higher premium.

D. Obligations of employers
The FCRA allows employers to use consumer reports of actual and potential employees for various employment purposes. For example, an employer may request a job applicant's credit payment record if that person has applied for a cashier position. The FCRA imposes special rules for employers using information from consumer reports. The employer must notify the individual in writing that it will request consumer report information. The individual must give written authorization before the employer may request the information. In addition, before releasing information, the CRA from which the information is ordered must require that the employer certify that it is in compliance with the FCRA and will not misuse any information contained in a consumer report in violation of federal or state laws or regulations.

Example 7: Charms Incorporated advertised for cashiers for its MegaMall location and received 100 applications. The company wants consumer reports on each qualified applicant because it plans to eliminate applicants with poor credit history. Charms must first notify each applicant and obtain a written authorization to request the information, and the CRA from which the information is ordered must require that Charms certify that it is in compliance with the FCRA and that it will not violate any laws in its use of the information.

Employers often make employment decisions based on the information found in consumer reports. But before denying a job application, firing an employee, passing someone over for a promotion, or taking some other adverse action based on consumer report information, the employer must send a pre-adverse action notice to the individual. This notice must include a copy of the individual's consumer report and a statement of her rights under the FCRA. After an adverse action has been taken, the employer must provide an adverse action notice informing the individual orally, in writing, or electronically that an adverse action has been taken. The employer must provide contact information for the CRA that supplied the report along with a statement that it was not the CRA that made the employment decision. It must also inform the individual that she may request and receive a free copy of the consumer report and dispute the accuracy of the report with the CRA.

Example 8: Mann Industries has legally obtained consumer reports for three employees it is considering for promotion to a highly sensitive financial position. The first employee's consumer report shows only one credit account. The second employee's report indicates a fairly high debt load with a good repayment history. The company decides against the first employee because it wants someone with more financial responsibility, and it decides against the second employee because his debt load seems too high for the position's salary. Mann is required to provide both employees with a pre-adverse action disclosure and an adverse action notice because the information was used to make adverse employment decisions.
Employers sometimes hire outside agencies to investigate claims of discrimination or to conduct more thorough background checks for key executive positions. If these include interviews with friends, neighbors, coworkers, or others about the character, general reputation, personal characteristics, or lifestyle of an individual, the information gathered becomes an investigative consumer report. The FCRA requires the employer to notify the employee that it is obtaining an investigative consumer report. The employer must also supply a copy of the report to the employee no more than three days after the employee requests a copy. The employer may not delete information in the report to keep the identity of a witness confidential.

Employers are subject to lawsuits if they fail to provide notice, get consent, or provide pre-adverse action disclosures and adverse action notices to unsuccessful job applicants or employees. The FCRA imposes civil liability on any CRA or user of a consumer report that is negligent or willful in failing to comply with its requirements. The FCRA allows individuals to sue employers and to seek punitive damages for deliberate violations. In fact, courts are receptive to claims of civil liability for obtaining consumer reports under false pretenses and have held employers accountable for the actions of their employees if there are no procedures in place to verify that employees are obtaining consumer reports only for proper purposes.

Example 9: Jane and Larry are divorced, but Larry wants to reconcile. Larry's current roommate works as a collector for Acme Debt Collectors, a large company that regularly obtains consumer report information from a large CRA. Larry pressures his roommate into obtaining Jane's consumer report and uses the information in it to harass her. Jane may sue Acme for violating her rights under the FCRA.

E. Obligations of information furnishers
Many companies regularly report information to CRAs, such as credit bureaus, tenant screening companies, and check verification services. Such companies are furnishers of information and are subject to FCRA obligations to ensure that the information reported is accurate. Furnishers have a duty to establish policies and procedures regarding the accuracy and integrity of information they report to CRAs. A furnisher may not report information it knows or has reason to know is inaccurate. In addition, consumers may dispute the accuracy of the information reported about them to a nationwide CRA. The FCRA requires furnishers to provide consumers with an easy-to-understand method to dispute the accuracy of information submitted about them. This must be provided in easy-to-read language. The FCRA requires the furnisher to investigate the dispute and report its findings, usually within 30 days, to the CRA. If the furnisher discovers that the information reported is inaccurate, it must correct the information and resubmit the corrected information to the CRA and all other national CRAs.

Example 10: MegaStore regularly reports information about late credit card payments to Ultra CRA. Stephen, a customer of MegaStore, contacts Ultra CRA to dispute MegaStore's report that he paid his store credit card bill 30 days or more after the payment due date on three occasions. MegaStore investigates the dispute and finds that the information was inaccurate. As required by the FCRA, MegaStore then corrects the information and resubmits it to Ultra CRA and all other national CRAs.

As of January 1, 2004, the FCRA as amended by the FACT Act requires lenders to notify consumers if negative information will be reported to a CRA. They may do so immediately or within 30 days of reporting the information. If a consumer continues to engage in the negative behavior, such as sending late payments, the lender does not have to send the consumer additional notices before reporting the subsequent negative information to the CRA.

Example 11: Bruce's most recent payment on his home equity loan with MegaBank is 60 days past due. MegaBank reports instances of late payments to a CRA and then informs Bruce that it has reported his late payment. If Bruce continues to make late payments on this account, MegaBank does not have to send him additional notices.

The law allows a lender to send a general notice to its customers that it reports negative information to CRAs with other materials sent to customers, such as its Gramm-Leach-Bliley Act privacy disclosures (discussed in the next section). However, the lender may not send the notice with the initial Truth in Lending Act disclosure statement.

F. Sharing consumer report information


It's often useful for financial institutions to share consumer information with their affiliates, companies with whom they're related because of common ownership or corporate control. Financial institutions may share transaction or experience information with their affiliates. This is firsthand information about a consumer, such as a history of late payments. However, if they wish to share other types of consumer information with an affiliate, they must first give the consumer clear and conspicuous notice of that fact and an opportunity to prevent the sharing by "opting out."

In addition, a company that receives certain kinds of consumer information from an affiliate can't use that information to market its products to a consumer without first giving the consumer a separate notice and the opportunity to opt out. If the consumer decides to opt out, the company can't use the shared information for that purpose. Unlike the "sharing" notice, the "use" notice applies to transaction or experience information. Therefore, even though affiliates can share such information without giving the consumer a notice and the opportunity to opt out, the company receiving it can't use it for marketing purposes without going through those steps.

Example 12: Universal Incorporated sends consumer report information about its customers to its subsidiary, Universal Financial. Universal Financial plans to use the information to market its new financial services products to Universal Incorporated's customers. Before doing so, Universal must provide a clear and conspicuous notice to its customers that it will use their information to market products, and it must provide customers with an easy way to opt out. If a consumer doesn't opt out, Universal Financial may solicit the consumer.

There are a number of exceptions to the notice and opt-out requirements. For instance, a financial institution does not have to send the notice and opt-out information if the consumer has a preexisting relationship with it. This could apply, for example, if the consumer has purchased, rented, or leased goods or services in the 18 months prior to a solicitation being sent, or has applied for a loan or other product in the three months before that date.

Example 13: Sonia has a checking account with WorldBank One. Because Sonia has a preexisting relationship with WorldBank One, the bank can send her its own marketing pieces and those of an affiliate without having to provide notice or the opportunity to opt out.

G. Identity theft prevention


1. Red flag rules

One of the reasons Congress enacted the FACT Act was to strengthen efforts to fight identity theft. As required by the act, several federal agencies have issued regulations aimed at achieving that goal. These regulations, known as the "red flag rules," require financial institutions and other creditors to adopt a written identity-theft program for their covered accounts. "Covered accounts" are accounts that are primarily used for personal, family, or household purposes and involve multiple payments or transactions. Examples include credit cards, home mortgages, auto loans, and savings or checking accounts. Covered accounts also include any other account where there is a reasonably foreseeable risk of identity theft.

Although the precise nature of an identity-theft program may vary from company to company, it must include reasonable policies and procedures designed to "detect, prevent, and mitigate identity theft" in connection with covered accounts. Among other things, the program should include policies and procedures for identifying relevant "red flags," such as a significant change in the use of credit, indications that a credit application has been forged or altered, or discrepancies between information furnished by the purported customer and information already on file with the company. The program must also include policies and procedures for responding to red flags, such as monitoring the account, contacting the customer, changing passwords, or reopening the account with a new account number. In addition, the identity-theft program must be approved by the company's board of directors or appropriate committee; administered by the board, the committee, or a senior executive; and periodically updated to reflect changes in risk.

2. Consumer-generated alerts

The FACT Act added a section to the FCRA that allows individuals to place alerts on their consumer reports. A consumer may place an initial alert if he believes that he is, or is about to be, the victim of fraud. If a consumer provides a CRA with a police report indicating that she is a victim of identity theft, the consumer may request that an extended alert be placed on her file. The law allows members of the military to place an active duty alert on their files. These alerts notify the CRA and users of consumer reports that the consumer is or may be the victim of identity theft or is on active duty in the military. If a lender receives a consumer report with an initial or active duty alert, the lender must use reasonable procedures to verify the identity of the consumer. This might include calling a particular phone number designated by the consumer for purposes of verification. If the consumer report contains an extended alert, the lender must take further steps to ensure the identity of the person seeking credit. Typically, this means identifying the consumer in person.

Example 14: On June 1, WorldBank One receives a phone call from a person who identifies herself as Mary. The person requests a credit limit increase of $2,000 on her WorldBank One credit card. There is an extended fraud alert on Mary's consumer report, so the bank requires that the person calling go to a branch in person to make the request.

The law provides further protection for those who have been the victims of identity theft by requiring CRAs to block all information resulting from identity theft.

II. Gramm-Leach-Bliley Act (GLB Act)


Congress passed the Gramm-Leach-Bliley Financial Modernization Act (GLB Act) in response to privacy threats to financial information. It protects nonpublic personal information held by financial institutions. Examples of nonpublic personal information include information from a credit application, account balance or payment history information, information from a consumer report, or information collected through an Internet "cookie." Information that is available as part of government records or telephone books, newspapers, or an unrestricted website is public information not protected by the GLB Act. The GLB Act requires financial institutions to give consumers privacy notices explaining the company's information sharing practices. It provides consumers with the right to limit some sharing of that information.

A. Financial institutions

The GLB Act imposes obligations on financial institutions to respect the privacy and confidentiality of customer information. The GLB Act includes a complex and broad definition of financial institutions. As a result, many businesses that might not consider themselves financial institutions are required to comply with the GLB Act. Financial institutions as defined by the GLB Act are those engaged in financial activities, including lending, exchanging, insuring, investment advisory services, underwriting or dealing in securities, brokering or servicing loans, leasing or appraising real or personal property, guaranteeing checks, assessing credit, providing financial or investment advisory activities, providing management consulting and counseling services, and selling traveler's checks. However, extending credit by deferred payment or "layaway" doesn't convert a business into a financial institution.

Example 15: MegaStore extends credit to store customers by issuing its own credit card directly to the consumer. MegaStore must comply with the GLB Act. It is a financial institution under the GLB Act because extending credit is a financial activity. If MegaStore did not issue its own credit card, but accepted payment by personal check or an externally issued credit card, it would not be considered a financial institution.

A career counselor or employment agency specializing in providing services to individuals employed by or seeking employment with financial organizations or the finance, accounting, or auditing department of any company is also covered by the GLB Act.

Example 16: Janet owns and operates an employment agency. Over the last two years, approximately 80% of her work has been helping individuals find positions in the accounting department of Global Resources Corporation. For the purposes of the GLB Act, this counseling service is a financial institution.

Other examples of those engaged in financial activities include a jewelry store that routinely performs appraisals as a part of its business or an automobile dealership that provides customer financing or lease agreements for a term longer than 90 days.

B. Privacy notice

The GLB Act requires financial institutions to establish a privacy policy and to provide a privacy notice. A financial institution's obligation concerning how often it must provide the notice depends on whether those who obtain its services are consumers or customers. A consumer is an individual who obtains or has obtained a financial product or service for personal, family, or household reasons.

Example 17: Amanda walks into Not-a-Bank, a check cashing company, to cash her paycheck. She is a consumer of Not-a-Bank.

A customer is a consumer with a continuing relationship with the financial institution. If consumers obtain loans, purchase an insurance product, become clients of tax preparers, or seek the assistance of credit counseling services, they become customers and must receive privacy notices.

Example 18: Joseph applies for a store credit card to purchase a new dishwasher for his family's summer home. On the application, he provides MegaStore with his social security number and annual income. MegaStore offers Joseph a credit card, which he accepts. Joseph is now a customer of MegaStore, because MegaStore has provided him with a financial product or service that indicates a continuing relationship.

The difference between consumers and customers is important. The GLB Act requires financial institutions to provide customers with a notice of their privacy policy at the time the consumer becomes a customer. The act also requires them to provide the notice annually thereafter until the customer relationship terminates. Consumers are entitled to notice if the company shares their information with nonaffiliated companies. The privacy notice must be given to individual consumers or customers by mail, in person, or, in the case of an online lender, posted on the company's website with a requirement that online customers acknowledge receipt. The privacy statement must be a clear, conspicuous, and accurate statement of the company's privacy practices. It should include what information the company collects, with whom the information is shared, and how the company protects nonpublic personal information.

C. Sharing nonpublic personal information

Consumers and customers have the right to opt out of, or say no to, having their information shared with third parties. The privacy policy must explain and offer a reasonable way for an individual to opt out. However, the GLB Act provides no opt-out right in certain situations:
- When the financial institution shares information with its affiliates
- When the financial institution shares information with companies that provide essential services like data processing or servicing accounts
- When disclosure is legally required
- When the financial institution shares the information with outside service providers that market the company's products or services

Example 19: Seth has a checking account with WorldBank One. WorldBank One may provide nonpublic personal information it has about Seth to its affiliated company, WorldBank Financial. WorldBank Financial may use the information to market its own products and services to Seth. The GLB Act doesn't require WorldBank One to provide Seth with the opportunity to opt out of this information sharing.

As mentioned, the GLB Act does not prevent financial institutions from sharing nonpublic personal information with affiliates, nonaffiliated third parties that provide it with services, or joint marketing partners with which the financial institution has a contractual relationship. However, these entities are prohibited under the FCRA from using the information for marketing purposes unless they give the individual the opportunity to opt out and he has not done so. Financial institutions must keep in mind that the GLB Act doesn't override the requirements of the FCRA. Just because the GLB Act doesn't prohibit sharing certain information doesn't mean that sharing that information is permissible under the FCRA.

MEDICAL INFORMATION
The collection and use of medical information, like financial information, is highly regulated. A number of state and federal laws govern how employers may collect, store, and use medical information. This is becoming an increasingly complex area of privacy and compliance. This section will consider a number of federal laws impacting the privacy of medical information. In addition, many states have laws requiring additional protection for this information.

I. The Americans with Disabilities Act (ADA) and the Family and Medical Leave Act (FMLA)

The Americans with Disabilities Act (ADA) is one of the primary federal laws requiring employers to protect the privacy of its employees' medical information. All private sector employers with 15 or more employees must comply with the ADA. The ADA prohibits employers from using medical information for discriminatory purposes. In general, it prohibits employers from prying into an employee's medical condition beyond what is necessary to assess that person's ability to perform the essential functions of a job or to determine her need for accommodation or time away from work. The ADA also requires employers to safeguard information concerning medical conditions or medical histories of job applicants and employees. These medical confidentiality rules protect all applicants and employees, whether they are disabled or not.

Medical information must be kept separate from other employee information. It must be recorded on separate forms and kept in files separate from general personnel records. The ADA further protects the privacy of the information by limiting how and when medical information may be disclosed. Employers are allowed to disclose the information only in limited circumstances. Employers may
- inform supervisors and managers regarding necessary restrictions on work or duties or necessary accommodations
- inform first aid and safety personnel if a disability may require emergency treatment
- disclose information to government officials investigating ADA compliance who request access to records

What a supervisor or another employee does with confidential medical information can create liability. Unauthorized disclosure of an employee's medical condition poses serious problems.

Example 20: Rachel holds a data entry position at Universal Machines. Three years ago, she was injured on another job and received partial benefits from workers' compensation. Recently, she put in for a transfer to a warehouse position at Universal Machines. The job has physical demands. Reviewing Rachel's application for transfer and her personnel records, the manager for the new position discovers that Rachel has lifting restrictions and some perceived intellectual deficiencies. The manager discusses her conditions with some of the warehouse employees to determine whether hiring her would have a negative impact on morale or productivity. If the records indicating that Rachel received workers' compensation and has perceived intellectual deficiencies were in her personnel files, Universal Machines has violated the ADA mandate that records containing medical information be kept separate. The warehouse manager also violated the ADA, which protects Rachel from the unauthorized disclosure of medical information. This is true whether she is disabled or not.

The Family and Medical Leave Act (FMLA) is another federal law that protects employees' medical information. Under the FMLA, eligible employees can receive up to 12 weeks of unpaid leave during a 12-month period to recover from their own serious health conditions; to care for a newborn child, a newly adopted child, or a newly placed foster child; to care for certain seriously ill family members; or, in some circumstances, when a family member is on active military duty or about to go on active military duty. The FMLA also provides leave of up to 26 weeks in a single 12-month period to care for a qualifying family member who's suffered a serious injury or illness in the line of military duty.

The FMLA allows an employer to require an employee to provide certification issued by a healthcare provider that supports the employee's request for leave or to provide the medical history of the family member the employee will take leave to care for. An employer may also require documentation from a medical provider recertifying the employee's ability to return to work. Because all of these documents contain medical information, the FMLA requires that the employer keep this information confidential. Treatment of this information under the FMLA is similar to that under the ADA: it must be maintained in files separate from personnel files.

Employers also may have to comply with state statutes that further regulate the use and disclosure of medical information. These laws may impose additional requirements on employers to ensure that employee medical information remains confidential, and they may prohibit the disclosure of medical information without written consent.

II. Health Insurance Portability and Accountability Act (HIPAA)


Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to protect the health insurance coverage of people who change or lose their jobs. The Department of Health and Human Services issued the privacy regulations that accompany HIPAA to protect medical information in the digital age. Together, they provide a national framework for health privacy protection and enhance the rights of consumers by providing them with information about their privacy rights with regard to their health information. The HIPAA rules delineate when and how protected health information may be used or disclosed. While most individuals are aware of these rules from the paperwork concerning privacy they may have signed when visiting their physician, many are unaware that the rules impact businesses and employers that are not part of the medical profession.

A. Covered entities

The HIPAA rules require covered entities to comply with privacy rules. Covered entities include every healthcare provider who transmits health information in connection with a claim, benefits inquiry, or referral authorization. Institutions, such as hospitals, and noninstitutional providers, such as physicians, dentists, and other organizations that furnish, bill, or are paid for healthcare, are considered healthcare providers. Individual and group health plans that pay for medical care are also covered entities. These include health maintenance organizations; long-term care insurers; and health, dental, vision, and prescription drug insurers.

Typically, employers are not covered entities unless they are hospitals or insurers. However, if an employer sponsors medical or dental insurance plans for employees, it could be a covered entity. Employer-administered health plans and multiemployer health plans are covered entities. The degree to which the HIPAA privacy requirements impact an employer depends on whether the employer's healthcare plan is fully insured or self-administered and whether the employer has access to personal health information. Employer-administered group health plans with fewer than 50 participants are not covered entities and are exempt from the HIPAA privacy rules.

Example 21: Global Corporation's primary function is manufacturing computer components. Global sponsors a fully insured group healthcare plan and doesn't have access to the personal health information of its employees. Global is not a covered entity. The plan insurer would bear most of the HIPAA compliance burden.

Example 22: Worldwide Incorporated is a computer component manufacturer with 150 employees. It funds and administers its own private health insurance for its employees. Because Worldwide has more than 50 participants in its self-insurance plan, the part of the company that administers the plan must follow all of the HIPAA rules for covered entities. This is true even if a third party administers the plan.

B. Personal health information and privacy rules

The HIPAA rules apply to individually identifiable health information, or personal health information (PHI). This includes data that identifies the individual and relates to
- an individual's past, present, or future physical or mental health or condition
- the provision of healthcare to the individual
- the past, present, or future payment for healthcare
and that can be used to identify an individual.

If individual identifiers have been removed from PHI, there is, for the most part, no restriction on its use. Name, address, birth date, social security number, or patient numbers all make health information individually identifiable.

The HIPAA privacy rules give individuals a fundamental right to be informed of privacy issues concerning their PHI as well as the privacy practices of their health plans and healthcare providers. As a general rule, the covered entities we have discussed are required to develop and provide individuals with notice of their privacy practices. The notice must include
- how the covered entity may use or disclose protected health information
- the individual's rights and how the individual may exercise those rights, including how to make a complaint to the covered entity
- the covered entity's legal duties with respect to the information, including a statement that it is required by law to maintain the privacy of the information
- whom an individual may contact for more information

Example 23: Worldwide Incorporated, the computer component manufacturer with a self-administered health plan mentioned in the previous example, must provide notice to the employees enrolled in its health plan that complies with the rules for covered entities. The notice must include all of the details listed above.

If a covered entity makes material changes to its privacy policy, it must revise and redistribute the notice. In general, a covered entity may disclose protected information without getting written permission if it is providing the information to the individual, or for its own treatment, payment, or healthcare operations, such as quality assessment or administration.

C. Breach notification

As we've seen, patients have the right to be informed of their covered entity's privacy policies. But what happens if, despite those policies, there's an unauthorized transfer, use, or other breach of the protected information?

If the breach poses a significant risk of harm to the individual involved, the company must notify the individual of the breach. This notice must include, among other things, a brief description of what happened, the types of PHI involved, and any steps the individual should take. The notice must be given without unreasonable delay, and in any event within 60 days after the breach was discovered or should have been discovered. And in some cases, the company may also have to notify the federal government and local media. Business associates must also notify their covered companies of any breach of PHI they become aware of.

Breach notification isn't required, however, if the company has taken certain steps (such as the use of certain forms of encryption) to protect the PHI against unauthorized access. It's also not required for
- the use or disclosure of a limited data set that excludes the individual's birth date and zip code
- certain inadvertent uses or disclosures of PHI that don't result in a violation of the Privacy Rule
- the inadvertent disclosure of PHI to someone who isn't likely to be able to retain it, for example, because it was mailed to the wrong address and returned by the Post Office unopened

Vendors of personal health records (PHR), and other PHR-related entities not covered by HIPAA, are also subject to breach notification rules. These rules are similar to those for HIPAA-covered entities, but there are some differences. For example, the non-HIPAA rule may require notification even if there's no evidence of a significant risk of harm from the breach. In any event, both the HIPAA and non-HIPAA notification rules are lengthy and complex. You should be sure to consult your company's law department or other designated party if you have any questions.

D. Authorized uses and disclosures

Unless a covered entity uses or discloses PHI for treatment, payment, healthcare operations, or another legal purpose listed in the HIPAA rules, it must obtain written authorization from the individual before using or disclosing the information. The authorization must be in plain language and must contain specific details regarding the information to be disclosed, who is disclosing and receiving the information, and an explanation that the individual has a right to revoke her authorization.

Example 24: Emily's employer requires that she go through periodic drug screening because she works in a highly sensitive position. MedcoTest performs the tests. Before releasing Emily's results to her employer, it must obtain her written authorization.

Other examples of disclosures or uses that would require an individual's authorization include disclosure to a life insurer for coverage purposes or disclosure to a pharmaceutical firm for marketing purposes.

1. Marketing
The HIPAA rules give individuals control over whether and how their PHI is used and disclosed for marketing. In most instances, individuals must provide written authorization before PHI may be used for marketing. The HIPAA rules carefully define marketing as making "a communication about a product or service that encourages recipients of the communication to purchase or use the product or service."

Example 25: Global Insurance provides health insurance to consumers. Before Global may market its home or life insurance products to its health insurance consumers, it must get their written authorization to do so.

There are exceptions to the authorization requirements. No authorization is needed for face-to-face communications with an individual, or if the communication is a promotional gift of nominal value. This means that, for example, a dentist's office may give patients free toothbrushes and floss, or a doctor's clinic may give patients pens with the clinic's logo. Some activities are excluded from the definition of marketing. A covered entity is not considered to be marketing when it communicates about an individual's treatment. In addition, communications about services offered by a provider or participating providers are not marketing. So, when a doctor refers a patient to a specialist, the referral is not considered marketing.

2. Business associates

The HIPAA rules only apply to covered entities, but many healthcare providers and health plans use the services of outside businesses, such as consultants, accountants, data-processing services, or lawyers. If these outside businesses perform activities or functions that involve the use of PHI, they are business associates. The functions or activities that may qualify a business as a business associate include claims processing or administration, billing, benefits management, and practice management. To comply with HIPAA, the covered entity is required to ensure that business associates will
- only use PHI for the purposes for which they were hired
- safeguard the information
- help the covered entity fulfill its privacy duties

Covered entities must have a written contract with business associates before disclosing PHI. The contract must limit the business associate's use of the information and impose security, inspection, and reporting requirements.

Virtually every employer will be impacted to some extent by HIPAA, because most employers receive health information from covered entities in the form of doctors' notes for medical leave and information from health insurance providers. Because of the requirements for authorization, HIPAA may make it difficult to get medical information for preemployment physicals or some requests under the FMLA.

III. FCRA

Some kinds of consumer reports contain medical information. On January 1, 2004, the FACT Act changed the FCRA by limiting when and how consumer reports may include medical information relating to past, present, or future physical, mental, or behavioral healthcare or relating to payment for healthcare. For instance, the FACT Act prohibits a CRA from furnishing a consumer report containing medical information in connection with an insurance transaction unless the consumer has provided oral, written, or electronic consent.

Example 26: Jonah has applied for term life insurance from Apex Life Insurance. Before ordering a consumer report from the Medical Information Bureau, a CRA, Apex Life must get Jonah's consent. If Apex Life turns down Jonah's application based on information in the report, it must also provide an adverse action notice.

A consumer's oral, written, or electronic consent is sufficient when medical information is provided by the CRA for insurance purposes. However, the requirements are more rigid if medical information is provided for employment purposes or in connection with credit transactions. In these cases, the consumer must provide written consent. In addition, the CRA must determine that the information to be furnished is relevant to process or effect the employment or credit transaction.

EMPLOYEE MONITORING
The FCRA, ADA, FMLA, and HIPAA are federal laws that protect the privacy of employees, and there are myriad other laws that protect employee privacy. Employees who work for the government in the public sector receive some privacy protection from the Constitution. The Fourth Amendment's provision against unreasonable searches and seizures protects federal employees, and the Fourteenth Amendment extends protection to state employees. Because the Constitution only applies where there is "state action," it does not provide privacy protection to those working for private companies.

Employees in the private sector may seek protection under federal and state laws. States vary in how personal privacy is protected. Some states, like California, protect an employee's right to privacy in the state constitution. Other states have enacted legislation to protect various aspects of the collection and dissemination of certain employee information. Many states allow employees to bring tort lawsuits against employers for invasion of privacy, publication of private information, or publication of personal information in a false light. Because employee privacy laws vary from state to state, this section will focus on federal laws that are applicable to all or most employers, and specifically on laws that impact an employer's ability to monitor employees.

Monitoring employees has become an increasingly common practice because of employer concerns over employee productivity, potential liability for harassment or discrimination, or concern over the loss of trade secrets. Monitoring employees' telephone conversations, voice-mail messages, pagers, and e-mail messages has some risks. A number of laws that protect employee privacy come into play, including state and federal electronic surveillance laws, state constitutions, statutes, and common law. Much in this area of law has not yet been settled, but it is important to be aware that legal issues may arise when monitoring employees.

I. Electronic Communications Privacy Act (ECPA)


Employers who monitor telephone conversations and e-mail must be familiar with the Electronic Communications Privacy Act (ECPA). The ECPA applies to all persons and businesses. It governs intercepting oral, wire, and electronic communications, so it applies not only to telephone communications but to e-mail, instant messaging, and text and digitized images as well. The ECPA makes it illegal for anyone, including an employer, to intentionally intercept the contents of an oral, wire, or electronic communication. The ECPA also prohibits unauthorized access to stored communications, but recent cases indicate that retrieving communications from post-transmission storage (messages already sent by an employee and received by the recipient) does not violate the ECPA.

Example 27: Federated Insurance Company becomes suspicious that Melanie, one of its employees, is about to leave the company and take key customers with her. Federated knows that Melanie sent an e-mail to its chief competitor and is now concerned that she might be sharing proprietary company information. Without telling Melanie, Federated searches its main file server where her e-mails are stored. The company finds a number of messages confirming its suspicions and fires Melanie for disloyalty. Because the e-mails were stored, Federated did not violate the prohibition against intercepting e-mail.

Monitoring an employee's telephone use or e-mails in real time could be legally problematic. If an employer plans to monitor phone calls, it must clearly and specifically state that such transmissions will be monitored. Software permitting real-time monitoring of employees' e-mails is currently available and widely used. An employer may be subject to liability if it uses this software without notifying employees and getting their consent. Violating the ECPA is a federal crime, and individuals whose privacy has been violated may sue.

Example 28: MegaStore hires Andrew as a customer service representative. The company notifies its employees of its policy of monitoring customer service calls as part of its training program, so Andrew is aware of the policy. While on a lunch break, Andrew receives a phone call from a friend who asks about a job interview Andrew had with a competitor the previous evening. Andrew's supervisor monitors the conversation, confronts him, and terminates his employment. This monitoring violates the ECPA. Because the employees only consented to the monitoring of work-related calls, the supervisor should have hung up as soon as it became apparent that it was a personal call.

The ECPA does provide some exceptions to the rule prohibiting the interception of communications. The business-use exception allows employers to legally monitor employees' activities if it is done in the ordinary course of business. But employers must be careful that the monitoring truly is justified by a business concern.

Example 29: Concerned about employee productivity, Universal Corporation randomly monitors telephone calls made from employees' desk phones. On one occasion, a Universal manager listens in on a sexually explicit conversation between Alicia and her boyfriend. Alicia sues, and Universal claims that it was permitted to intercept employee phone calls, including this call, in the ordinary course of business. The court could find that listening to Alicia's phone conversation is not in the ordinary course of business, because monitoring a personal call wasn't justified by a business concern.

It is important to note that the ECPA provides only for minimum protections. States may have wiretapping laws or electronic monitoring laws that impose additional restrictions. For example, Connecticut has a state statute restricting employers from electronically monitoring employees' e-mail, unless the employer has reason to believe that the employee has violated the law or is engaged in activities that would cause a hostile work environment.

INTERNATIONAL PRIVACY ISSUES


If your business has a website, does business with individuals in other countries, or has employees abroad, there are additional potential legal pitfalls. Unlike the United States, which has a number of state and federal laws protecting some aspects of individuals' personal information, many countries have adopted an all-encompassing, stricter approach to privacy law. The European Union (EU) developed the first and most extensive legislation for the protection of personal data privacy, and many other nations have adopted similar or identical privacy laws.

I. European Union Privacy Directive


In 1995, the European Parliament approved the Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (Privacy Directive). The Privacy Directive required each EU member state to enact legislation in line with its requirements. The countries in the EU included Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, the Republic of Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. Norway, Iceland, and Liechtenstein have also adopted the Privacy Directive. These three nations, together with the members of the EU, make up the European Economic Area (EEA). The Privacy Directive sets out requirements for protecting personal data, ensuring data quality, and protecting the rights of individuals, as well as strict rules governing the transfer of data outside the EEA. This section of the handbook focuses on a few key provisions, particularly those that impact U.S. businesses.

A. Key concepts

As a starting point, European law takes an approach to protecting personal information that is different from that of American law. In Europe, personal privacy is a fundamental human right. Personal information about an individual belongs to that individual. It is treated as property, and the law protects an individual's right to prevent others from using what is hers without her express permission.

One example of how the EU and the United States approach privacy differently is the requirement to get approval before processing someone's personal data. Each country in the EEA has an independent supervisory authority, a government organization charged with policing data protection in that country. Companies in the EEA must notify the supervisory authority before they can process personal data. The notification must include the purpose of the processing, which data will be processed, who will receive the data, whether the data will be transferred to a non-EEA country, and whether appropriate security measures have been taken. Failure to properly notify the supervisory authority may result in civil or criminal penalties.

All businesses in an EEA country must comply with the data-protection legislation in that country. U.S. companies that do business with individuals in the EEA, or that have employees stationed in these countries, must know that the Privacy Directive is only a blueprint for privacy law. The 30 countries in the EEA may have their own data-protection laws, and a U.S. company doing business in those countries must comply with the particulars of those laws.

Example 30: GlobalCo is a multinational corporation based in New York that has subsidiaries in Paris and London. GlobalCo must fully comply with the French implementation of the Privacy Directive with regard to its employees in Paris and with the British implementation in London. This is true regardless of the nationality of the employees. French data-protection law will apply to French, American, and British employees working for GlobalCo Paris, and the British law will apply to French, American, and British employees at GlobalCo London.
Furthermore, a business doesn't have to be located in one of these countries to feel the impact of the Privacy Directive. If a business uses equipment in one of these countries to process personal data, it must comply with the law of that country. The data-protection laws in each EEA country protect personal data. Personal data includes any information about a living individual, or data subject, who can be identified either from that piece of data alone or from that data combined with other data.

Example 31: Camden Coffees owns a chain of coffee shops across the United Kingdom. It maintains personnel files on each employee in the location where the employee works. Certain information about all employees is also stored in a central database. Information in the central database is stored by employee ID number, rather than by name, to protect the employee's privacy. The employment information is protected personal data, since the employee number identifies the data subject.

The Privacy Directive and the data-privacy laws of the EEA countries include special categories of sensitive personal data that require special protections. At a minimum, these categories include data relating to racial or ethnic origin, political opinions, religious or other belief systems, trade union membership, physical or mental health, and sexual life. Businesses should consult the law in a particular EEA country to determine whether additional categories of sensitive personal data are included and for precise information concerning how to handle this data.

The Privacy Directive regulates the processing of personal data. Processing is broadly defined to include collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disseminating, erasing, or destroying data. Virtually any use of data fits the definition of processing, including storing it in manual files in some instances. The law requires that personal data must be fairly and lawfully processed. The data processor must provide data subjects with a notice in clear and conspicuous language that explains the purposes and uses for which their data is being collected. It must also inform them of how to contact the organization with questions or complaints. Notice should be given when the data is collected, or, at the latest, before the data is processed. In some instances, notice will not be enough to make processing legal. However, if an individual has given unambiguous consent, the data may be legally processed. Businesses must consult the law in a particular EEA country to know how to meet the requirements for achieving unambiguous consent in that country. Consent is not required if processing the data is necessary to perform a contract with the data subject or is required by law.

Example 32: Gary works for Medco International, a U.K. company. Medco may legally process health information about Gary without first obtaining his permission so it can make required payments under the Statutory Sick Pay regime.

The Privacy Directive requires that data obtained and held must be relevant and not excessive in relation to the purposes for which it is collected.
Therefore, when a company collects information, it must ensure that it asks for no more information than is necessary.

Example 33: U.K. Financial sells home insurance policies. The application form asks for the applicant's date of birth. Unless the company can show a good reason for requiring the information, it is likely to be considered excessive.

Example 34: Worldwide Enterprises in Brussels advertises for applicants for an accounting position. It requests that the candidate provide information about previous work experience, responsibilities, achievements, academic qualifications, and membership in professional associations. All of this information will likely be relevant and not excessive. If the job advertised were for an unskilled trainee on an assembly line, questions about academic qualifications might be excessive and unlawful.

The data-privacy laws require organizations to ensure that data is kept no longer than is necessary. Companies should seek legal advice in the country in which they are based regarding the amount of time stored data may be kept. Data storage (or destruction) decisions must also take into account any applicable document retention requirements.

Example 35: Worldwide Enterprises receives 40 applications in response to its advertisement for the accounting position and hires one applicant. The applications of the 39 unsuccessful candidates must be destroyed when they are no longer required in connection with recruiting. However, Worldwide should securely store the applications until the time for possible claims from unsuccessful applicants has passed.

The Privacy Directive and national laws give certain rights to data subjects. Upon written request, an individual is entitled to access to the information a company holds on her, the purpose for which it is used, the source of the information (if known), and the recipients to whom it has been disclosed. The company may charge for providing this data. In the U.K., the maximum fee a company may charge is £10.

Example 36: Sara works for Worldwide Programmes in London. She believes that she was passed over for promotion because of sexual discrimination. In compliance with U.K. law, Sara submits a written request for all personal data the company holds on her and includes the £10 fee. Worldwide must collect and collate information held by the human resources department, her managers, and all other areas of the business that may have information. This includes all e-mails relating to her.

Companies must also ensure that they disclose only information that is legally allowed to be disclosed. For instance, if an e-mail contains personal data about two employees and only the first has requested access, the information about the second employee may not legally be disclosed. Each EEA country has detailed rules regarding what information may and may not be disclosed.

The Privacy Directive, as it is implemented in each EEA country, requires that information be accurate. Because of this, data subjects have the right to access their information, correct data about themselves, and erase or block personal data if it is inaccurate or not current. The Privacy Directive and implementing legislation require "appropriate technical and organizational measures" to ensure that personal data is kept secure from "accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing." Therefore, it is highly important that organizations adopt an appropriate security policy and encrypt data transmitted over the Internet.

B. Application to U.S. businesses


The Privacy Directive reaches far beyond businesses physically in one of the EEA countries. Except in very limited circumstances, the laws prevent data from being transferred outside the EEA, unless it is sent to a country that provides adequate protection.

In the eyes of the EU, U.S. law doesn't provide adequate protection for personal data. Supervisory authorities will prevent companies from transferring personal data to the U.S. unless the company takes certain steps. For example, the Privacy Directive allows the transfer of data if the individual's unambiguous consent has been obtained. Generally, unambiguous consent requires a full explanation to the individual about the transfer, including the specific purpose(s) of the processing, the organization to which the data will be transferred and whether it will be sent on to a third party, and a statement that the country to which the information will be sent doesn't provide the same level of protection as the individual's home country.

Example 37: International Medco has an office in Munich. To process employee data at its Chicago headquarters, International Medco requires each employee to sign a form that states: "As a condition of employment with International Medco, I consent to the processing of my employment-related personal information for all employment purposes at the headquarters in the United States." This notice doesn't meet the requirements of German law. In this case, "all employment purposes" is not specific enough. It also doesn't mention whether the information will be transferred to a third party, which is likely if the employer uses an external payroll company. The consent is further flawed because it fails to mention that the data will receive less protection in the U.S. than it does in Germany. Finally, German law may not allow an individual to provide this kind of consent. Consent may have to come from a works council, an organization required under German law to represent employees' interests.

Companies don't have to get individual consent if they have a contract with a company in the EEA that ensures adequate safeguards for the personal data. The European Commission has produced a model contract for use when the data is to be transferred to a company outside the EEA. The Privacy Directive also allows the company to adopt a code of conduct containing its privacy practices. In either case, the contract or the code must closely track the protections in the Privacy Directive as it has been implemented into national law. Whether a company uses a contract or a code of conduct, it must provide individuals with a way to enforce their rights. Before a company using a contract or code of conduct may transfer data, it must receive the approval of the supervising authority in each of the countries from which it intends to send personal data.

After the EU adopted the Privacy Directive, many countries adopted data-privacy laws to ensure that data continued to flow. Rather than passing comprehensive data-privacy legislation, the United States negotiated Safe Harbor Principles with the European Union. Since late 2000, a U.S. company regulated by the Federal Trade Commission (FTC) or the U.S. Department of Transportation may self-certify that it complies with appropriate data-protection standards. The company must annually certify that it adheres to and follows the Safe Harbor Principles. It can do so in a number of ways, including developing its own code of conduct or joining an industry privacy organization that follows the principles.

Example 38: Airways International, a U.S.-based travel agency with an affiliate in London, wants data on British customers to be transferred from London to the United States for processing. Airways signs on to the Safe Harbor Principles, adopts a code of conduct, and follows all of the other requirements for compliance. Airways ensures that its code of conduct is based on U.K. data-privacy law. Airways may transfer the personal data.

The advantage to signing on to the Safe Harbor Principles is that the company isn't required to get approval from the British information commissioner before data is transferred. There are disadvantages, though. Since the Safe Harbor Principles require the company to designate how complaints and claims against the company will be handled, the company exposes itself to civil and criminal actions in the United States.

PRIVACY POLICIES
Certain types of companies are required by law to have privacy policies. As a practical matter, most companies that maintain websites for providing information or selling their goods or services post their privacy policies online, even if not legally required to do so. The policies state what information is collected, for what purposes it is used, to whom the information is disclosed, and how the information is protected. If a company has a privacy policy, it must exercise care to ensure that the policy is followed. This requires training employees, maintaining internal procedures, and auditing to ensure the policy is being complied with. Failure to follow its posted policies could expose the company to liability under a variety of state and federal laws.

Example 39: Universal DrugCo provides a prescription reminder service for its customers. Customers may sign up to receive e-mail to remind them when to take their medications and when to order refills of their prescriptions. A new employee sends reminders to 600 customers using Universal's antidepressant medication. The e-mail addresses of all 600 people to whom the reminder is sent appear in the "To" line of the email, disclosing every recipient's address. Universal DrugCo had posted its privacy policy on its company website stating, "We at Universal respect our customers' privacy rights." This action opens Universal to federal and state lawsuits for unfair and deceptive trade practices.

Furthermore, unless an online privacy policy clearly states that it only applies to the collection of data online, it will be presumed to cover other forms of data collection and use. The FTC, state attorneys general, and plaintiffs' lawyers are scrutinizing online privacy promises made by businesses to consumers. Claims can be brought under state privacy laws, state unfair and deceptive trade practices law, breach of implied contract, negligence, or fraud, in addition to federal unfair and deceptive trade practices law.
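The failure in Example 39 is a single mass mailing whose recipient list sits in the "To" header. The following is an added example, not code from the handbook: it builds one message per customer with Python's standard email library and includes a check that no message exposes another customer's address. The sender address, customer addresses and medication names are constructed placeholders.

```python
"""Added example (not from the handbook): one reminder message per customer so
that no recipient can see any other recipient's address, plus a check that
detects the disclosure described in Example 39.

The customer list, sender address and medication names are constructed sample data."""
from email.message import EmailMessage

# Constructed sample input: (e-mail address, medication name, refill date)
REMINDERS = [
    ("alice@example.com", "Medication A", "2013-05-01"),
    ("bob@example.com", "Medication A", "2013-05-03"),
    ("carol@example.com", "Medication B", "2013-05-02"),
]

SENDER = "reminders@universal.example"  # hypothetical sender address


def leaky_bulk_message(recipients):
    """The failure mode in Example 39: every recipient address in one 'To' header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Prescription reminder"
    msg.set_content("Time to refill your prescription.")
    return msg


def per_recipient_messages(reminders):
    """One message per customer; each body mentions only that customer's data."""
    messages = []
    for address, medication, refill_date in reminders:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = address
        msg["Subject"] = "Prescription reminder"
        msg.set_content(f"Your refill of {medication} is due on {refill_date}.")
        messages.append(msg)
    return messages


def addresses_disclosed_to(msg, recipient, all_recipients):
    """Return the set of other customers' addresses visible to `recipient` in `msg`.

    Every header and the body are scanned, so an address pasted into the text
    is caught as well as one placed in 'To' or 'Cc'."""
    visible = "\n".join(str(v) for v in msg.values()) + "\n" + msg.get_content()
    return {a for a in all_recipients if a != recipient and a in visible}


def check_no_disclosure(messages, all_recipients):
    """True if no message discloses any address other than its own recipient's."""
    for msg in messages:
        recipient = msg["To"]
        if addresses_disclosed_to(msg, recipient, all_recipients):
            return False
    return True


if __name__ == "__main__":
    everyone = [r[0] for r in REMINDERS]
    bad = leaky_bulk_message(everyone)
    print("bulk message discloses:", addresses_disclosed_to(bad, everyone[0], everyone))
    good = per_recipient_messages(REMINDERS)
    print("per-recipient messages leak-free:", check_no_disclosure(good, everyone))
```

Sending to a "Bcc" list would also hide addresses from one another, but a separate message per customer additionally keeps each customer's medication and refill date out of everyone else's mailbox, which is the substance of the privacy promise.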

CONCLUSION
The landscape of state, federal, and international privacy laws will change as courts, legislatures, and regulatory agencies grapple with issues relating to how businesses and employers collect, store, and use information. Because of this, it is important to maintain close contact with compliance officers and company attorneys to ensure that all legal requirements are being met.

SECURITY OF ELECTRONIC HEALTH INFORMATION UNDER HIPAA


INTRODUCTION
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) directed the United States Department of Health and Human Services (HHS) to adopt regulations or standards that require routine financial and administrative transactions related to healthcare (for example, healthcare claims or health plan enrollment) to be performed electronically. This standard, called the Electronic Transactions Rule, explains the health, financial, and demographic patient information that health plans, healthcare clearinghouses, and healthcare providers must share with one another when conducting these standard electronic transactions. While Congress recognized that decreasing the paperwork burden related to providing and paying for healthcare services would cut costs, it also understood that the confidentiality and integrity of health information stored and transmitted electronically needed to be protected against improper access, disclosure, and manipulation. To limit this risk, it also asked HHS to develop a rule that restricts the use and disclosure of all individually identifiable health information, and a rule that requires measures be taken to protect electronic protected health information (e-PHI) from malicious attacks, security incidents, or inadvertent breaches of its integrity. The first rule is known as the Privacy Standards, and the second rule is known as the Security Standards.

o A malicious attack generally means the purposeful contamination of a system with a virus or worm designed to damage or disrupt it.
o A security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with the operation of an information system.
o Integrity describes a quality of data, and suggests whether that data or information has been altered or destroyed in an unauthorized manner.

This handbook will help you understand the Security Standards, as well as what policies and procedures your organization will need to implement in order to comply with the law. Following an introductory discussion about the general framework of the Security Standards, we will describe the various actions entities covered by HIPAA (covered entities) must take to secure the e-PHI they store and transmit. This handbook provides a general overview of the HIPAA Security Standards. It does not provide legal advice or technical guidance as to the specific procedures any particular covered entity should take to protect e-PHI in its possession. HIPAA and the security of stored and transmitted electronic data are highly technical subjects that cannot be covered completely in a summary format such as this. Always consult your internal management and law and technology departments about any questions or concerns you have regarding the security measures these standards require.

THE SECURITY STANDARDS GENERALLY

I. Relationship to the Privacy Standards


The Privacy and Security Standards are necessarily linked. Protection of the privacy of health information depends on safeguards to ensure the data is available when needed, and that it is not accessed, altered, or deleted inappropriately while being stored or transmitted. It also requires safeguards on the uses and disclosures of the information, even when it is safely stored. The Security Standards provide a framework for the first set of safeguards; the Privacy Standards address the second set of controls. Those entities that are required to comply with the Privacy Standards also must comply with the Security Standards. HHS's Centers for Medicare and Medicaid Services (CMS) has issued a series of guidance documents designed to help covered entities understand and implement the security standards. According to CMS, these guidance documents seek to explain specific requirements, the thought process behind those requirements, and possible ways to address them. CMS has also issued guidance on remote use of--and access to--e-PHI. These guidance documents are available on the CMS website at http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp#TopOfPage.

II. Purpose of the Security Standards


The Security Standards require covered entities to implement reasonable and appropriate administrative, physical, and technical safeguards to
o ensure the confidentiality, integrity, and availability of all the e-PHI they create, transmit, receive, or maintain
o protect against reasonably anticipated threats or hazards to the security or integrity of their e-PHI
o protect against uses or disclosures of the e-PHI that are not required or permitted under the Privacy Standards
o ensure their workforce will comply with their security policies and procedures

III. Applicability of the Security Standards

A. Covered entities


The Security Standards apply to the same covered entities as the Privacy Standards. They also apply to covered entities' business associates. The three categories of covered entities include health plans and healthcare clearinghouses, as well as those healthcare providers that transmit PHI electronically in connection with standard transactions. All officers and employees of a covered entity are required to follow the safeguards regardless of whether they work on-site at the covered entity or remotely from home or another location.

Example 1: Heart Associates is a cardiology group practice. The group's transcriptionist works part-time from home and part-time at the office. When she works from home, she uses her own laptop to produce the necessary correspondence and e-mails completed letters to the office to be printed and mailed. Even though the transcriptionist uses her own computer, Heart Associates is responsible for ensuring that security measures are implemented at her home to protect the e-PHI stored and transmitted from there.

1. Health plans

A health plan is an organization that provides or pays the cost of medical care. Health plans include health insurance companies, group health plans (such as those offered by employers), and health maintenance organizations (HMOs). The term "health plan" also includes government-administered health benefit programs such as Medicare, Medicaid, Department of Veterans Affairs programs, and TRICARE (Department of Defense). Workers' compensation, automobile, life, property, and casualty insurers are not considered health plans, and, therefore, need not follow the Security Standards, even if a policy they issued contains coverage of certain healthcare costs.

2. Healthcare clearinghouses
Healthcare clearinghouses are companies that process or facilitate the processing of healthcare transactions. The clearinghouse accepts PHI from one source, converts the information to the standard format, and transmits the information to another entity. Generally, clearinghouses will then perform the same transaction in reverse. The most common type of clearinghouse is a billing company that submits health insurance claims to health plans on behalf of healthcare providers. First the healthcare provider sends financial and clinical information to the billing company, then the company formats the information into the standard health claims format required by the Electronic Transactions Rule and submits the file to a payer.

3. Healthcare providers
A healthcare provider is an individual or organization that is recognized by Medicare as a provider, or an individual or organization that provides, bills, or is paid for healthcare services in the normal course of business. Hospitals, physicians, skilled nursing facilities, home healthcare agencies, clinical laboratories, medical equipment suppliers, and other licensed/certified healthcare professionals are all considered healthcare providers. The Security Standards only apply to healthcare providers that transmit PHI electronically in connection with the transactions identified by Congress. These transactions include
o healthcare claims and status reports
o payment and remittance advice
o determination of eligibility for health plan benefits
o referral certifications and authorization
o health plan enrollment, disenrollment, eligibility for health plan coverage, and premium payments
o coordination of benefits
o first reports of injury

If a healthcare provider does not perform any of the transactions listed above electronically, it is not considered a covered entity, and, therefore, is not required to comply with the Security Standards.

Example 2: Family Care, a primary care practice, maintains some PHI in paper format, and stores some electronically. Family Care hires an independent billing company, Fast Collections, to submit all its claims for payment electronically. Family Care is subject to the Security Standards because Fast Collections is performing a standard electronic transaction on its behalf.

B. Organizations of covered entities


The Security Standards also apply to certain organizations made up of covered entities, called affiliated covered entities and organized healthcare arrangements. In addition, entities whose business is not primarily healthcare related but that operate in part as a health plan, healthcare clearinghouse, or a healthcare provider must follow the Security Standards. In this latter situation, the entity is called a hybrid entity.

1. Affiliated covered entities


The Security Standards allow affiliated entities as a group to designate themselves as one covered entity for purposes of complying with the rules. Affiliated covered entities are two or more legally separate healthcare organizations under common ownership or common control. Common ownership exists if one of the involved entities owns at least 5% of another entity. Common control means an entity has the power to significantly influence or direct the actions or policies of another entity. Affiliated covered entities are allowed to share e-PHI with one another, provided the way each of the entities creates, receives, maintains, and transmits e-PHI complies with both the Privacy Standards and the Security Standards. The entities also must maintain a written or electronic record of their designation as affiliated entities for six years from the later of the date the documentation was created or last in effect.

2. Organized healthcare arrangements


An organized healthcare arrangement (OHCA), on the other hand, may be formed between or among legally separate covered entities that integrate their clinical or administrative operations. OHCAs differ from affiliated covered entities in that they are separate covered entities that are not necessarily related to one another through common ownership or control. A common example of an OHCA is a healthcare system that includes different types of healthcare providers, such as a hospital, medical staff, an ambulatory surgery center, and so on. Each member of the OHCA must comply with the Security Standards.

3. Hybrid entities
Hybrid entities are single organizations that perform some healthcare-related activities in addition to their primary business activities. If an organization elects to consider itself a hybrid entity, only the healthcare department of the organization is subject to the Security Standards.

Example 3: A manufacturing plant that operates an on-site employee health clinic that performs any of the standard electronic transactions would qualify as a hybrid entity. The clinic, as the healthcare component, would be responsible for securing the integrity of the e-PHI it stores or transmits. In particular, the clinic must have safeguards in place to protect against unauthorized access to, or transmission of, its e-PHI by the manufacturing plant's nonhealthcare divisions.

C. Business associates

1. Who is considered a business associate?


Business associates are entities that perform services or functions for a covered entity or that provide legal, accounting, management, consulting, accreditation, financial, and operational services for other covered entities that involve use of e-PHI held by the covered entity. The term "business associate" does not include employees, independent contractors, volunteers, and other persons working under the covered entity's direct supervision.

Example 4: Davis Eye Care, a large ophthalmology group practice, submits claims for its services electronically. Once a year, it hires a coding and billing consultant to audit its claims to ensure it is billing for its services accurately. In order to perform the audit, the consultant requires the clinical and billing records for a sample of services furnished by the practice. The practice provides the patient information to the consultant electronically. Because the coding consultant is performing a service on Davis Eye Care's behalf that requires the use of e-PHI, the consultant would be considered a business associate under both the Privacy Standards and the Security Standards.

2. Terms of the business associate relationship


Under the Security Standard dealing with business associate contracts and other arrangements, a covered entity may allow a business associate to create, receive, maintain, or transmit e-PHI on its behalf. However, with some exceptions, the covered entity and its business associate must first enter into a contract that complies with the Privacy Standards (the contract must establish how the business associate may use and disclose the e-PHI it has on behalf of the covered entity) and that requires the business associate to
o implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the e-PHI that it creates, receives, maintains, or transmits on behalf of the covered entity
o ensure that any agent or subcontractor it provides with e-PHI agrees to implement reasonable and appropriate safeguards to protect it
o report to the covered entity any security incident it becomes aware of
o make its policies and procedures available to the Secretary of HHS for purposes of determining the covered entity's compliance with the Security Standards

The business associate contract also must give the covered entity the right to terminate the contract if the business associate violates an important part of the agreement.

3. A covered entity's liability for its business associates


A covered entity is not responsible for security violations committed by its business associates, unless it knows of the wrongdoing and fails to take steps to stop the business associates' actions and to limit any harm they cause. Generally, covered entities are not expected to monitor their business associates; however, when a covered entity learns of potential violations, it must investigate the activity.

Example 5: City Hospital hires Accurate Collections to collect accounts receivable that are more than 90 days old. As part of its contract with City Hospital, Accurate Collections agrees that it will protect the e-PHI it receives from the hospital. It will do so by implementing log-in IDs to authenticate users trying to access the e-PHI and passwords programmed to limit usage such that only those collection agents working on a particular account will be able to enter, read, or alter its data. A member of Accurate Collections' marketing staff uses the e-PHI to develop marketing materials. If City Hospital doesn't know that Accurate Collections failed to protect the e-PHI from a security incident, it probably can't be held responsible for the violations. On the other hand, if City Hospital learns of Accurate Collections' failure to protect the data and doesn't take steps to correct the problem, it could be liable for violating the Security Standards.

If a covered entity cannot, with reasonable effort, correct a business associate's violation of the Security Standards, it must terminate the business associate contract. If terminating the relationship is not possible or would cause significant hardship for the covered entity, it must report the violation to HHS.

IV. Protected Health Information

A. e-PHI

The Security Standards apply to protected health information (PHI) in electronic form. The term PHI has almost the same meaning for the purposes of the Security Standards and the Privacy Standards. E-PHI is defined as individually identifiable health information (IIHI) (except for IIHI contained in certain education and employment records) that is transmitted or maintained in electronic format. IIHI includes health, financial, and demographic information, created or received by a covered entity, that identifies or could be used to identify the individual who is the subject of the information and relates to one of the following:
o The past, present, or future physical or mental health or condition of an individual
o The provision of healthcare to an individual
o The past, present, or future payment for healthcare provided to an individual

Unlike the Privacy Standards, which apply to IIHI in any format (electronic, oral, or paper), the Security Standards pertain only to electronic PHI (e-PHI). Electronic PHI includes information maintained or transmitted in any type of electronic media, but does not include paper information transmitted by facsimile. Thus, the scope of the IIHI that must be protected by the security safeguards is more limited than that protected by the Privacy Standards. Electronic media means storage devices in computers (hard drives) and any removable/transportable digital memory medium such as magnetic tape or disk, optical disk, or digital memory card. It also refers to transmission devices used to exchange e-PHI already in electronic storage. Transmission media include such things as the Internet, a company-to-company extranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media from one location to another.

B. De-identified e-PHI
Covered entities and business associates may de-identify PHI by removing, encrypting, or otherwise concealing all individually identifiable information. Properly de-identified PHI is not subject to the Security Rule because it is no longer considered protected health information. If de-identified electronic information is subsequently re-identified, however, it reacquires the protection of the Security Standards. A covered entity has two ways to de-identify health information. The first way involves a covered entity or business associate removing all identifying characteristics, including (but not limited to)
o names and addresses (except the state and the first three zip code digits)
o dates (except the year)
o social security numbers
o medical record numbers
o telephone and fax numbers
o e-mail and other Internet addresses
o health insurance numbers
o identifiable photographs
o any other form of unique identifier

Other unique identifiers may include account numbers, vehicle identifiers, and driver's license numbers. Information relating to gender, race, ethnicity, and marital status is not individually identifiable and doesn't have to be removed.

Example 6: University Medical Center agrees to provide a certain patient's information to a pharmaceutical company as part of the company's risk management program. The center's medical records department removes all information believed to identify the patient and leaves the patient's gender, age, and marital status in the chart. The file sent to the pharmaceutical company also includes a photograph of the patient's face. It was not removed because the picture does not contain the patient's name or any other identifying information. Because the photograph sent to the pharmaceutical company can be used to identify an individual, University Medical Center failed to properly de-identify this medical record.

Even if all identifying characteristics have not been or cannot be removed, it is still possible for PHI to be treated as de-identified. The second way a covered entity can determine that PHI is not individually identifiable is if a qualified statistician examines the PHI and determines that the risk of re-identification is very small.
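The first de-identification method above is a removal list, and the lesson of Example 6 is that anything not explicitly stripped walks out the door. The following added example (not from the handbook) applies that list to a patient record held as a Python dictionary and then scans what remains for identifiers hiding in free text. The field names and the sample record are constructed; the full regulatory list in 45 CFR 164.514(b) carries conditions the handbook's summary omits (for instance, the three-digit zip is itself suppressed where it covers fewer than 20,000 people, and ages over 89 are aggregated), and the code follows the handbook's summary, not the regulation.

```python
"""Added example (not from the handbook): a de-identification filter that
applies the handbook's removal list to a record held as a dict, plus a scan
for identifiers left behind in free text. Field names and the sample record
are constructed."""
import re

# Identifiers the handbook lists for removal (hypothetical field names)
REMOVE_FIELDS = {
    "name", "street_address", "city", "ssn", "medical_record_number",
    "phone", "fax", "email", "health_insurance_number", "photo",
    "account_number", "vehicle_id", "drivers_license",
}
# Attributes the handbook says are not individually identifiable, plus the
# state, which the address rule keeps
KEEP_FIELDS = {"gender", "race", "ethnicity", "marital_status", "state", "diagnosis"}

_ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def year_only(value):
    """Dates keep only the year; anything that is not a full ISO date is dropped."""
    m = _ISO_DATE.match(str(value))
    return m.group(1) if m else None


def zip3(value):
    """Addresses keep only the first three zip code digits."""
    digits = re.sub(r"\D", "", str(value))
    return digits[:3] if len(digits) >= 5 else None


def deidentify(record):
    """Return a new record with the listed identifiers removed.

    Fields that are neither on the keep list nor handled by a rule are dropped
    (default deny), so a new identifier added to the source system cannot slip
    through unnoticed. That policy is this example's choice, not the handbook's."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS or value is None:
            continue
        if key in KEEP_FIELDS:
            out[key] = value
        elif key == "zip":
            z = zip3(value)
            if z:
                out["zip3"] = z
        elif key.endswith("_date"):
            y = year_only(value)
            if y:
                out[key[:-len("_date")] + "_year"] = y
    return out


_RESIDUAL_PATTERNS = [
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),            # full date
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # SSN-shaped number
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),         # e-mail address
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),  # phone/fax number
]


def residual_identifiers(record):
    """Keys whose values still look like identifiers: the field-level rules above
    cannot see dates or contact details typed into free-text fields."""
    return [k for k, v in record.items()
            if any(p.search(str(v)) for p in _RESIDUAL_PATTERNS)]


# Constructed sample record
SAMPLE_RECORD = {
    "name": "Jane Doe", "street_address": "12 Elm St", "city": "Springfield",
    "state": "IL", "zip": "62704-1234", "birth_date": "1961-03-15",
    "admission_date": "2013-04-01", "ssn": "123-45-6789",
    "medical_record_number": "MRN-0042", "phone": "217-555-0100",
    "email": "jane@example.com", "health_insurance_number": "HI-7788",
    "photo": "<jpeg bytes>", "gender": "F", "marital_status": "married",
    "diagnosis": "Hypertension; follow-up 2013-04-02", "room": "4B",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("still identifying:", residual_identifiers(cleaned))
```

On the sample record the filter keeps state, three-digit zip, years, gender, marital status and diagnosis, but the residual scan still flags the diagnosis field because a follow-up date was typed into it. That is the practical point: a column-based filter satisfies the list, and a second pass over free text is what catches the photograph-style oversight of Example 6.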

THE STANDARDS AND IMPLEMENTATION SPECIFICATIONS

I. Flexibility of Approach
For the most part, covered entities may use the security measures of their choice to reasonably and appropriately address their own unique circumstances. They are expected to assess their own security risks and devise, implement, and maintain appropriate measures to address their security needs. So, for example, a healthcare provider with poor or nonexistent access controls on its databases will be more susceptible to hacking than an entity with protections in place, and will have to develop more policies and procedures to comply with the Security Standards. The entity already following a security plan need only make certain that the plan really is being followed and continues to be effective. How a covered entity satisfies the security requirements and which technology it decides to use are business decisions left to individual covered entities. In deciding what security measures to adopt, a covered entity must consider
o its size, complexity, and capabilities
o its technical infrastructure, hardware, and software security capabilities
o the cost of particular security measures
o the probability and degree of the potential risks to the e-PHI it stores and transmits

II. Implementation Specifications
While the Security Standards give covered entities a great deal of flexibility, most of the standards are accompanied by implementation specifications that provide instructions for implementing a particular standard. Some standards do not contain any corresponding implementation specification because the standard itself is instructive enough to guide implementation. Implementation specifications are either required or addressable. Covered entities must implement required specifications as part of their security programs, but not addressable specifications. When a specification is addressable, a covered entity can decide whether it is reasonable and appropriate for it to adopt the specification, based on its level of security risk, the effectiveness of other security measures it has in place, and the cost of implementing the specification. If the covered entity determines that the measure is reasonable, it must use it.

Example 7: Diabetes Clinic specializes in the treatment of individuals with insulin-dependent diabetes. To help train newly diagnosed patients how to calculate their daily insulin dose, the clinic has started asking patients to e-mail their blood sugar levels to the clinic nurse every morning. The nurse then sends a return e-mail to each patient with the proper insulin dose for the day. The access control standard under the Security Standards' Technical Safeguards includes an addressable implementation specification about encrypting and decrypting e-PHI. If Diabetes Clinic decides that there is a risk that its e-mail communications with its patients could be intercepted or otherwise accessed inappropriately, Diabetes Clinic will have to take measures to protect patients' e-PHI. If it can't find an alternative to encryption, the clinic will have to follow the addressable implementation specification the Security Standards require, unless doing so would be unreasonable.

On the other hand, if a covered entity decides that it is not reasonable and appropriate to implement the measure, it may opt not to do so, if it documents how and why it reached this conclusion.

Example 8: Dr. Ply is a solo practitioner and a covered entity. He has two employees who serve as his medical technicians and work together to handle all the administrative needs of his office. The workforce security standard in the Security Standards contains an addressable implementation specification (called workforce clearance procedure) that suggests covered entities change employees' access to e-PHI to match the requirements of their job descriptions. Nevertheless, Dr. Ply may decide, provided he documents the reason for his decision, that there is no need to grant varying levels of access to e-PHI because both his employees require equal access to the records. Should Dr. Ply's practice grow, necessitating that he hire several more employees, the Security Standards would require him to revisit his decision not to employ this addressable specification.

A covered entity remains responsible for ensuring that it complies with the standards in the Administrative, Physical, and Technical Safeguards and must maintain a written record of how it is accomplishing this. Therefore, if a covered entity chooses to forgo an addressable implementation specification and is not in compliance with the standard, it must adopt an equivalent security measure.

Example 9: General Pediatrics is a small group practice in a rural town. It bills for the services it furnishes electronically and stores patient financial data on a hard drive in the office PC. The integrity standard is one of several standards that fall under the Technical Safeguards. The integrity standard requires covered entities to have policies and procedures in place to protect e-PHI from improper alteration or destruction, and suggests that covered entities consider implementing an electronic mechanism to corroborate that their e-PHI has not been manipulated in an unauthorized manner. After assessing the risk that the integrity of its patient data could be altered or destroyed, the General Pediatrics security officer decides that it's unreasonable to back up the practice's e-PHI using CD-ROMs, because if the practice's only computer broke down, it would be unable to read the backup disks. Consequently, General Pediatrics decides that it can better protect the integrity of the patient records by making paper copies of its critical records.

III. Documentation Requirements
In addition to requiring covered entities to comply with individual standards that address various vulnerabilities in their electronic information systems, the Security Standards also impose certain documentation requirements. Every covered entity must implement reasonable and appropriate policies and procedures to comply with each of the standards outlined in the following sections. The policies and procedures must be written (which may be electronic) and maintained. Changes also must be documented. Policies and procedures must be retained for six years from the date of their creation or the date when they were last in effect. The policies and procedures must be made available to all the members of a covered entity's workforce subject to them. Every covered entity also is expected to review its documentation periodically, and update it as needed, in response to changes in its security environment and business operations.

ADMINISTRATIVE SAFEGUARDS
The Administrative Safeguards require covered entities to develop and implement a security management process that includes policies and procedures that address the full range of their security vulnerabilities. To comply with the Administrative Safeguards, a covered entity must implement eight standards.

I. Standard: Security Management Process


Covered entities must design policies and procedures to prevent, detect, contain, and correct security violations. To meet this standard, four required implementation specifications must be incorporated into a covered entity's security plan. The first specification requires covered entities to complete a thorough risk analysis capable of identifying the potential risks to and vulnerabilities of the confidentiality, integrity, and availability of the e-PHI they hold. The second specification calls on covered entities to adopt a risk management process to identify and implement appropriate security measures based on the risk analysis and the entity's specific circumstances. The security measures must be of sufficient quality and specificity to reduce the risks and vulnerabilities to an appropriate level and allow the entity to comply with the general requirements of the Security Standards. The general requirements, as specified earlier, are to
o ensure the confidentiality, integrity, and availability of all the e-PHI they transmit and store
o protect against reasonably anticipated threats or hazards to the security or integrity of their e-PHI
o protect against uses or disclosures of the e-PHI that are not required or permitted under the Privacy Standards
o ensure their workforce will comply with their security policies and procedures

The third specification requires covered entities to adopt a sanction policy to apply to workforce members who fail to comply with the security policies and procedures. The fourth specification requires covered entities to perform regular, periodic reviews of information system activity.

Example 10: Good Life Health Plan is a covered entity. To be sure that its security plan is working as expected, and to comply with the periodic review specification, it conducts quarterly internal audits of record system activity including such things as logins, file accesses, and security incidents. Good Life also reviews a random sample of its audit trails. Audit trails log all accesses to e-PHI and contain such information as the date and time of an access, the information or record accessed, and the user ID under which the access occurred.
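The periodic review in Example 10 is a reading of audit trails with the fields the handbook names: timestamp, record accessed and user ID. The following added example (not from the handbook) parses a small trail of that shape and produces the findings a reviewer would look for, together with the reproducible random sample the example mentions. The log lines, the user directory, the business hours and the volume threshold are all constructed sample data.

```python
"""Added example (not from the handbook): a periodic review of an e-PHI audit
trail of the kind Good Life Health Plan performs in Example 10. The log lines,
user directory, business hours and volume threshold are constructed sample data."""
import random
from collections import Counter
from datetime import datetime

# Constructed audit trail: timestamp, user ID, action, record accessed
AUDIT_LOG = """\
2013-04-01T09:12:03 jsmith  READ  MRN-0042
2013-04-01T09:13:44 jsmith  READ  MRN-0043
2013-04-01T10:02:10 mlee    WRITE MRN-0042
2013-04-01T23:47:51 jsmith  READ  MRN-0099
2013-04-02T02:15:00 tnguyen READ  MRN-0042
2013-04-02T08:30:12 mlee    READ  MRN-0044
2013-04-02T08:31:05 ghost   READ  MRN-0045
2013-04-02T08:40:00 mlee    READ  MRN-0046
2013-04-02T08:41:00 mlee    READ  MRN-0047
2013-04-02T08:42:30 mlee    READ  MRN-0048
"""

# Constructed directory of workforce members who currently hold access
AUTHORIZED_USERS = {"jsmith", "mlee", "tnguyen"}
BUSINESS_HOURS = (7, 19)   # accesses outside 07:00-18:59 get a second look
PER_DAY_LIMIT = 3          # more than this many accesses by one user in a day is flagged


def parse_audit_log(text):
    """Turn the raw trail into dicts; malformed lines are reported, not silently dropped."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            malformed.append(lineno)
            continue
        ts, user, action, record = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            malformed.append(lineno)
            continue
        entries.append({"when": when, "user": user, "action": action, "record": record})
    return entries, malformed


def review(entries, authorized=AUTHORIZED_USERS, hours=BUSINESS_HOURS, limit=PER_DAY_LIMIT):
    """Findings a reviewer wants from a quarterly audit: accesses under user IDs not
    in the directory, accesses outside business hours, and unusually high volume."""
    unknown = [e for e in entries if e["user"] not in authorized]
    after_hours = [e for e in entries if not (hours[0] <= e["when"].hour < hours[1])]
    per_day = Counter((e["user"], e["when"].date().isoformat()) for e in entries)
    high_volume = {key: n for key, n in per_day.items() if n > limit}
    return {"unknown_users": unknown, "after_hours": after_hours, "high_volume": high_volume}


def sample_for_review(entries, k, seed=0):
    """Example 10 also reviews a random sample of audit trails; a fixed seed makes the
    sample reproducible so the reviewer can document exactly which entries were examined."""
    return random.Random(seed).sample(entries, min(k, len(entries)))


if __name__ == "__main__":
    entries, bad_lines = parse_audit_log(AUDIT_LOG)
    findings = review(entries)
    print("malformed lines:", bad_lines)
    for e in findings["unknown_users"]:
        print("unknown user:", e["user"], e["when"], e["record"])
    for e in findings["after_hours"]:
        print("after hours:", e["user"], e["when"], e["record"])
    for (user, day), n in findings["high_volume"].items():
        print(f"high volume: {user} made {n} accesses on {day}")
    print("sampled for manual review:",
          [(e["user"], e["record"]) for e in sample_for_review(entries, 3)])
```

Each finding is a lead for the reviewer, not a verdict: the unknown user ID may be a stale directory, the night-time reads may be an on-call nurse, and the volume spike may be a legitimate batch task. What the review must produce is the documented follow-up on each, which is why the functions return the offending entries rather than just counts.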

II. Standard: Assigned Security Responsibility


This standard requires covered entities to identify an individual to be their security officer or security official. The person in this role is responsible for developing and implementing the policies and procedures determined by the covered entity to be necessary in order for it to protect the e-PHI it stores and transmits. This standard does not contain any implementation specifications.

III. Standard: Workforce Security

As part of workforce security, covered entities must implement policies and procedures to determine and assign e-PHI users' access privileges. To do so, covered entities must decide which programs certain employees need to access, as well as what particular sets of data within those programs they need. Restrictions on access should depend on an employee's job description and the amount and type of e-PHI that she needs to meet the expectations of her role. Access privileges also may be designed to control an individual's ability to read, write, or amend e-PHI stored by the covered entity. These policies also must set forth how a covered entity intends to prevent workforce members from obtaining access to e-PHI outside the scope of their access privileges. This standard contains three addressable implementation specifications, and no required specifications. The implementation specifications are: authorization and supervision, workforce clearance procedures, and termination procedures. Because these items are only addressable, covered entities need only employ those they believe are reasonable and appropriate to reduce their security risk. The authorization and supervision specification instructs covered entities to determine whether it's necessary, in order to protect their PHI, to supervise those employees who work with e-PHI or to monitor those locations where e-PHI might be accessed. Workforce clearance procedures direct covered entities to consider whether they need to implement formal procedures to determine whether certain access privileges assigned to employees are appropriate. Termination procedures describe the method a covered entity will use to end an employee's access to its e-PHI when he leaves the covered entity.

Example 11: Research Medical Center is involved in sensitive clinical trials. In the course of conducting a study, many of the center's employees see e-PHI collected on research subjects. Because improper access or release of subjects' e-PHI could jeopardize the outcome of the trial or result in the release of proprietary information regarding the product under study, Research Medical Center implements termination procedures to limit the potential for unauthorized acts by former employees. The procedures include deleting the former employee's password from the system within 24 hours of her last day on the job, requiring employees to return all keys to locks securing study e-PHI, and changing locks when a hostile separation is involved.

IV. Standard: Information Access Management


This standard requires covered entities to have policies and procedures for authorizing access to e-PHI in a manner consistent with the Privacy Standards. A required implementation specification says that where a healthcare clearinghouse is part of a larger organization, the clearinghouse must have policies and procedures in place to protect its e-PHI from unauthorized access by the larger organization. The standard includes two addressable specifications. Under the first specification, covered entities must decide if they should implement policies and procedures to grant members of their workforce access to e-PHI based on workstation, type of transaction, program, or process. The second specification then requires the covered entity to decide whether it's reasonable and appropriate to have formal policies and procedures to evaluate a user's level of access and modify it as needed.

Example 12: New Point Ambulatory Surgery Center employs 25 people in various roles. Some employees are clinical staff, such as operating room nurses, and others perform only administrative duties. New Point has a policy that only billing office members may process patient accounts. Nevertheless, the security officer discovers, as part of his security risk analysis, that some employees who aren't billing staff have accessed patient financial records to determine patients' copayment or deductible obligations. Recognizing that the employees' actions violate New Point's minimum necessary policies required by the Privacy Standards and increase the risk that the financial database could be accidentally altered, he decides it's reasonable and appropriate to assign passwords to each of the clinical staff to limit their access to patient medical records and clinical databases.

V. Standard: Security Awareness Training


All members of a covered entity's staff, including management, must participate in security awareness training. The content of this training may be customized to fit an employee's functions. At a minimum, however, a covered entity has to consider whether its training materials should include information relating to four implementation specification topics, all of which are addressable: security reminders; procedures for guarding against, detecting, and reporting malicious software; procedures for monitoring log-in attempts and reporting log-in discrepancies; and procedures for creating, changing, and safeguarding passwords.

VI. Standard: Security Incident Procedures


Every covered entity must have policies and procedures to identify, document, and respond to suspected or known security incidents, limit the harmful effects of a known security incident, and document the outcome of the incident. The policies should identify what types of actions would be considered security incidents, the specific process for documenting incidents, and what information should be contained in an incident report. Determinations as to how to respond to security incidents will depend on the covered entity's environment and the e-PHI involved.

VII. Standard: Contingency Plan


A contingency plan is the only way for a covered entity to protect the availability, integrity, and security of data during an unexpected negative event such as a natural disaster. The contingency plan standard, therefore, requires covered entities to establish, and implement as needed, procedures for responding to an event that damages their systems containing e-PHI. At a minimum, the entity must create and maintain retrievable exact copies of e-PHI, have a recovery plan to restore any lost data, and have an emergency operation plan that enables it to continue critical business processes that protect the e-PHI while operating in emergency mode. In addition, the contingency plan may include a schedule for testing and revising it periodically. Covered entities also may opt to compare the value of certain systems functions to other functions to determine which ones are most critical, and, therefore, most essential to keep operational during an emergency.

Example 13: ABC Clearinghouse uses a centrally managed mainframe and server system to process all its customers' standard electronic transactions. To make sure it's prepared to deal with a natural disaster or an emergency event such as a blackout, it keeps an inventory of its critical systems and the maximum length of power outage the systems will tolerate. This inventory guides ABC's purchases of redundant processing facilities that can substitute for its main systems. ABC also performs regular backups of its full system and stores the content at multiple sites in various locations. This keeps its entire backup library from being destroyed during an event at a single location. ABC also runs periodic drills so employees can practice switching from a hypothetically damaged operational facility to a backup system.

VIII. Standard: Evaluation

The last standard under the Administrative Safeguards is the evaluation standard. This standard requires covered entities to evaluate their security safeguards periodically in order to demonstrate and document their compliance with their security policies and with the Security Standards. The evaluations should be performed on a regular basis, as well as when a covered entity's security environment has changed. For example, a nonroutine evaluation might be warranted to assess the value of a new technology in eliminating or reducing a security risk, or to determine the success of a response to a new security risk. The evaluation does not have to be performed by an external entity. It may be performed by workforce members trained to critique the technical and nontechnical components of a covered entity's security plan.

PHYSICAL SAFEGUARDS
Physical safeguards are security measures to protect a covered entity's electronic information systems, related equipment, and the buildings housing the systems from natural and environmental hazards, and unauthorized intrusion. Covered entities must fulfill four standards. However, because most of the implementation specifications in this category are addressable, covered entities have considerable flexibility in how to comply with the requirements.

I. Standard: Facility Access Controls


The facility access control standard focuses on measures to limit actual physical access to electronic information systems--and the facilities housing them--to those who require access. The Security Standards do not require covered entities to implement any particular policies and procedures; however, covered entities must consider four addressable issues. First, covered entities must determine a contingency plan that sets out how a facility will be accessed during a disaster recovery or while operating in emergency mode. Second, a covered entity must design a facility security plan to shield any buildings housing its electronic systems from unauthorized physical access, tampering, and theft. This plan should take into account situations where a covered entity is not the sole occupant of a building. When appropriate, a covered entity may include measures that have been or would be taken by a third party or other occupant of a building to protect the building's physical security. Covered entities also are expected to consider whether their security risks would be decreased by implementing procedures to control access to facilities or to the actual electronic information systems based on a person's role within the organization. Operationally, role-based access can be difficult. The covered entity must have the ability to maintain a database of user privileges, assign roles appropriate to the users' current functions, and assign appropriate role-based access control to various elements of information based on the need to know. Lastly, covered entities must decide if it's necessary to document repairs and modifications related to security made to the facility building. For example, a covered entity should decide whether it's worthwhile to keep track of changes made to walls, locks, or doors.

II. Standard: Workstation Use


Workstation use refers to the functions to be performed and physical attributes of the surroundings of a specific workstation, or group of workstations, to maximize the security of the e-PHI stored in the networks the workstations access. Covered entities must implement policies and procedures to address this. For example, their security policies might suggest that workstations should not be unattended, or they may install screen saver software to ensure that the chance to review any information at a workstation would be strictly time-limited.

Example 14: Fern Landing, a skilled nursing facility, has workstations positioned throughout its facility. Some of the workstations are located in offices, but most are found on the nursing units and are open to all residents and their visitors. Because the public can easily view the workstations, Fern Landing decides to make it mandatory that all workstations have an automatic logoff.

III. Standard: Workstation Security


Workstation security requires that covered entities implement physical safeguards to deter unauthorized workstation access. An important physical security measure to protect a workstation might include locking the door to the workstation room or locking the workstation screen.

IV. Standard: Device and Media Controls


Covered entities must have policies and procedures for receiving and removing hardware and other electronic media that contain e-PHI, into and out of their facilities. They must implement policies that address the final disposition of e-PHI and the hardware or electronic media on which it is stored. Covered entities must also have procedures for removing e-PHI from electronic media before reusing the media. The Security Standards allow a covered entity to determine whether it should have policies or procedures for keeping a record of the movement of hardware or software out of or within its facility, or of the people moving the items. Likewise, the standards allow a covered entity to decide when it should make a copy of e-PHI before moving the equipment that stores or transmits it.

TECHNICAL SAFEGUARDS
The last category of safeguards a covered entity must implement as part of its security plan to protect the e-PHI in its possession is called Technical Safeguards. These safeguards refer to using certain types of technology to protect e-PHI by further controlling access to it. A covered entity must address five standards and seven implementation specifications. Two of the specifications are required; the remainder are addressable.

I. Standard: Access Control


Access control is a method for a covered entity to ensure that only those individuals and software programs granted access rights under the Administrative Safeguards actually reach the e-PHI they have a right to use.

Generally, access is granted on a "need-to-know" basis. To comply with the access control standard, a covered entity must assign unique names or numbers to its electronic information users so they can be identified when attempting to access e-PHI and tracked throughout their session.

Example 15: Palm Hospital is a small community medical center near a resort town that is frequented by celebrities who come to the hospital when they get sick. To prevent unauthorized access to these patients' records, Palm has implemented a four-level access control system. Any employee who needs access to the hospital's electronic systems must be assigned to one of the four access classes. The classes are:

- Public information: data in this class generally would not include e-PHI but, rather, promotional or educational materials.
- Internal confidential information: information in this category includes such things as organizational policies, business strategies, or utilization information. Access is granted to the covered entity's members on a need-to-know basis.
- Confidential patient record information: the data in this class includes routine e-PHI and would be accessible on a need-to-know basis to healthcare providers, oversight agencies, and some outside organizations, such as payers.
- Highly sensitive patient record information: this class contains e-PHI belonging to certain persons (for example, celebrities visiting the resort town) or of a particular content. Palm Hospital places information related to HIV/AIDS, physical abuse, substance abuse, and psychiatric care at this level. Access is restricted to a smaller subset of the users granted access under the "confidential patient record information" level.

In addition to regulating access to e-PHI under normal conditions, covered entities must establish procedures for obtaining needed e-PHI during an emergency. Depending on the type of emergency, programmed access controls may not be operable, and access could be denied to even those cleared for access. Guidance should be developed beforehand to help credentialed users gain access to critical systems during emergency conditions. Finally, the access control standard also requires covered entities to decide whether to implement an automatic logoff to terminate an electronic session after a predetermined length of time. They should also consider whether to use encryption as a method to deny access to e-PHI they store and transmit.
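The access classes of Example 15, the emergency-access procedure and the automatic logoff described above can be put together into one access-decision routine. The Python below is an added illustration, not code from the handbook or from any covered entity: the user names, the 15-minute idle limit, the `break_glass` emergency path and the termination step are constructed assumptions, and a real system would take such values from its own risk analysis.

```python
"""Added example: access classes, need-to-know, emergency access and idle logoff.

Hypothetical implementation of the access-control ideas in the text. The class
names follow Example 15; users, records and timeouts are made up.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Ordered access classes from Example 15. A user cleared for a class may read
# everything at that class and below, except HIGHLY_SENSITIVE, which needs an
# explicit grant (a smaller subset of the CONFIDENTIAL_PATIENT users).
PUBLIC, INTERNAL, CONFIDENTIAL_PATIENT, HIGHLY_SENSITIVE = range(4)

IDLE_LIMIT = timedelta(minutes=15)  # assumed automatic-logoff period


@dataclass
class User:
    user_id: str                   # unique identifier required by the standard
    access_class: int              # highest ordinary class the user is cleared for
    sensitive_grant: bool = False  # explicit need-to-know for HIGHLY_SENSITIVE
    active: bool = True            # False once termination procedures have run


@dataclass
class Session:
    user: User
    last_activity: datetime
    emergency_mode: bool = False   # set only by the break-glass procedure


@dataclass
class AccessLog:
    entries: list = field(default_factory=list)


def check_access(session: Session, record_class: int, now: datetime,
                 log: AccessLog) -> tuple:
    """Decide whether this session may read a record of the given class.

    Returns (allowed, reason) and appends an audit entry either way, so denied
    attempts are available to the periodic review the standards call for.
    """
    user = session.user
    if not user.active:
        decision = (False, "account deactivated")
    elif now - session.last_activity > IDLE_LIMIT:
        decision = (False, "session expired: automatic logoff")
    elif session.emergency_mode:
        # Emergency access is pre-authorised but fully logged, never silent.
        decision = (True, "emergency access")
    elif record_class == HIGHLY_SENSITIVE:
        ok = user.access_class >= CONFIDENTIAL_PATIENT and user.sensitive_grant
        decision = (ok, "sensitive grant check")
    else:
        decision = (user.access_class >= record_class, "class comparison")
    if decision[0]:
        session.last_activity = now  # successful activity keeps the session alive
    log.entries.append((now.isoformat(), user.user_id, record_class, *decision))
    return decision


def break_glass(session: Session, now: datetime, log: AccessLog,
                justification: str) -> None:
    """Emergency-mode procedure: grant access, but record who, when and why."""
    session.emergency_mode = True
    session.last_activity = now
    log.entries.append((now.isoformat(), session.user.user_id, None, True,
                        f"break-glass: {justification}"))


def terminate_user(user: User) -> None:
    """Termination procedure: later attempts under this ID are denied and logged."""
    user.active = False


def run_scenario() -> tuple:
    """Constructed walk-through; returns the list of decisions and the log size."""
    log = AccessLog()
    t0 = datetime(2024, 1, 1, 9, 0)
    nurse = User("nurse01", CONFIDENTIAL_PATIENT)
    doctor = User("dr01", CONFIDENTIAL_PATIENT, sensitive_grant=True)
    s_nurse, s_doc = Session(nurse, t0), Session(doctor, t0)
    results = [
        check_access(s_nurse, CONFIDENTIAL_PATIENT, t0, log),            # allowed
        check_access(s_nurse, HIGHLY_SENSITIVE, t0, log),                # denied
        check_access(s_doc, HIGHLY_SENSITIVE, t0, log),                  # allowed
        check_access(s_nurse, PUBLIC, t0 + timedelta(minutes=20), log),  # idle logoff
    ]
    break_glass(s_nurse, t0 + timedelta(minutes=20), log, "mass-casualty event")
    results.append(check_access(s_nurse, HIGHLY_SENSITIVE, t0 + timedelta(minutes=21), log))
    terminate_user(nurse)
    results.append(check_access(s_nurse, PUBLIC, t0 + timedelta(minutes=22), log))
    return results, len(log.entries)


if __name__ == "__main__":
    decisions, entries = run_scenario()
    for d in decisions:
        print(d)
    print(f"{entries} audit entries written")
```

Every decision, including denials and emergency access, is written to the log so that the periodic review required under the administrative safeguards has something to review; the highly sensitive class is deliberately not reachable by class ordering alone, mirroring the narrower subset of users in Example 15.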

II. Standard: Audit Controls


The audit controls standard requires that covered entities be able to examine and record their systems' activity. For example, audit controls might track the identities of users, a description of the e-PHI accessed or access attempts, the site/workstation of the request, and the reason for the request. By reviewing audit results, a covered entity can monitor potentially inappropriate or unusual access patterns by particular users or of certain e-PHI. If a covered entity's staff is fully informed about the audit controls in place, the controls themselves can serve as strong deterrents to e-PHI abuse. The type of audit control system used is not specified and may be based on a covered entity's risk assessment or risk analysis.
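Example 10 in the Administrative Safeguards section (quarterly review of logins, file accesses and a random sample of audit trails) and the audit controls standard here both come down to reviewing recorded activity for unusual patterns. The Python below is an added illustration of such a review, not code from the handbook or from any covered entity: the log line format, the role-to-record-type policy, the working-hours window, the volume threshold and the sample lines are all constructed.

```python
"""Added example: reviewing an e-PHI audit trail for unusual access patterns.

Hypothetical log format and review rules; real audit controls differ per system.
Each line: ISO timestamp followed by key=value fields.
"""
from collections import defaultdict
from datetime import datetime, time

# Which record types each role is expected to touch (assumed policy; compare the
# billing-office rule in Example 12).
ROLE_RECORD_TYPES = {
    "clinical": {"clinical"},
    "billing": {"financial"},
    "admin": {"financial", "hr"},
}
WORK_START, WORK_END = time(7, 0), time(19, 0)   # assumed normal hours
DAILY_RECORD_LIMIT = 3                           # assumed per-user, per-day threshold

# Constructed sample audit trail (not real data).
SAMPLE_LOG = """\
2024-03-04T08:15:22 user=nurse07 role=clinical record=PT-1001 type=clinical action=read
2024-03-04T08:17:05 user=nurse07 role=clinical record=PT-1002 type=clinical action=read
2024-03-04T09:30:11 user=nurse07 role=clinical record=PT-1002 type=financial action=read
2024-03-04T23:45:00 user=clerk02 role=billing record=PT-1003 type=financial action=read
2024-03-05T10:02:44 user=clerk02 role=billing record=PT-1004 type=financial action=update
2024-03-05T10:05:01 user=intern1 role=clinical record=PT-2001 type=clinical action=read
2024-03-05T10:05:30 user=intern1 role=clinical record=PT-2002 type=clinical action=read
2024-03-05T10:06:02 user=intern1 role=clinical record=PT-2003 type=clinical action=read
2024-03-05T10:06:40 user=intern1 role=clinical record=PT-2004 type=clinical action=read
"""


def parse_line(line: str) -> dict:
    """Turn one audit line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    entry = dict(f.split("=", 1) for f in fields)
    entry["time"] = datetime.fromisoformat(ts)
    return entry


def review_audit_trail(log_text: str) -> list:
    """Return human-readable findings for a reviewer to follow up."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    per_user_day = defaultdict(set)   # (user, date) -> distinct records touched
    for e in entries:
        when = f"{e['time']:%Y-%m-%d %H:%M}"
        # Rule 1: access to a record type outside the user's role.
        if e["type"] not in ROLE_RECORD_TYPES.get(e["role"], set()):
            findings.append(f"role mismatch: {e['user']} ({e['role']}) "
                            f"{e['action']} {e['type']} record {e['record']} at {when}")
        # Rule 2: access outside normal working hours.
        if not WORK_START <= e["time"].time() <= WORK_END:
            findings.append(f"after-hours access: {e['user']} touched {e['record']} at {when}")
        per_user_day[(e["user"], e["time"].date())].add(e["record"])
    # Rule 3: one user touching unusually many distinct records in a day.
    for (user, day), records in sorted(per_user_day.items()):
        if len(records) > DAILY_RECORD_LIMIT:
            findings.append(f"high volume: {user} accessed {len(records)} distinct records on {day}")
    return findings


if __name__ == "__main__":
    for finding in review_audit_trail(SAMPLE_LOG):
        print(finding)
```

The three rules correspond to points the text raises: access outside a user's role (the billing-records situation in Example 12), access at unusual times, and unusual volume by one user. A real review would tune the thresholds from the risk analysis and route findings into the security incident procedures.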

III. Standard: Integrity
This standard requires covered entities to protect e-PHI from improper alteration or destruction. Covered entities should consider whether to implement electronic mechanisms to authenticate that the e-PHI has remained under their control. The goal of this standard is to assure covered entities that the data they use to make decisions and release to others has not been improperly altered or destroyed. Depending on a covered entity's identified level of security risk, it may use error-correcting memory, magnetic disc storage systems, digital signatures, or checksum technology.
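To show what the checksum and digital-signature options amount to in practice, here is an added Python illustration, not code from the handbook: it compares an unkeyed checksum with a keyed hash (HMAC-SHA256, standing in for a signature) on a constructed record, using an assumed key. An unkeyed checksum detects accidental corruption, the failure that error-correcting memory and disk systems address; only a keyed hash or a signature detects deliberate alteration, because whoever can change the record can also recompute an unkeyed checksum stored beside it.

```python
"""Added example: detecting improper alteration of a stored e-PHI record.

Illustrative only. An unkeyed checksum catches accidental corruption (bad disk
sectors, memory errors); a keyed hash (HMAC) or a digital signature is needed to
catch deliberate changes, because whoever can edit the record can also recompute
and overwrite an unkeyed checksum stored next to it. Key and data are made up.
"""
import hashlib
import hmac
import json

# Assumed integrity key. In practice it lives in a key store or HSM, never
# alongside the records it protects.
INTEGRITY_KEY = b"example-integrity-key-do-not-use-in-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialise deterministically so identical content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_checksum(record: dict) -> str:
    """Unkeyed SHA-256 over the record."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def plain_check(stored: dict) -> bool:
    """Verify a record against the unkeyed checksum stored next to it."""
    return plain_checksum(stored["record"]) == stored["checksum"]


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 tag a covered entity would keep with (or apart from) the record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison of the recomputed tag with the stored one."""
    return hmac.compare_digest(seal_record(record, key), tag)


def tamper_scenario() -> dict:
    """Constructed walk-through: alter a record, then see which check notices."""
    original = {"patient_id": "PT-1001", "allergy": "penicillin", "dose_mg": 250}
    stored = {
        "record": original,
        "checksum": plain_checksum(original),   # unkeyed, stored beside the data
        "tag": seal_record(original),           # keyed; the key is held elsewhere
    }
    before = verify_record(stored["record"], stored["tag"])

    # Improper alteration by someone with write access to the data store: the
    # record is changed and the unkeyed checksum is simply recomputed.
    stored["record"] = dict(original, dose_mg=2500)
    stored["checksum"] = plain_checksum(stored["record"])

    return {
        "original_verifies": before,                                        # True
        "plain_check_fooled": plain_check(stored),                          # True
        "altered_verifies": verify_record(stored["record"], stored["tag"]),  # False
    }


if __name__ == "__main__":
    for name, outcome in tamper_scenario().items():
        print(f"{name}: {outcome}")
```

Where non-repudiation matters (proving which party sealed the record), an asymmetric digital signature replaces the HMAC; the verification structure stays the same.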

IV. Standard: Authentication
This standard requires covered entities to implement systems to verify the identity of users attempting to access e-PHI. Authentication mechanisms include unique user IDs, which are required under the access control standard previously discussed. Other potential systems that may be employed include biometric identification systems, a password system, a personal identification number, and "telephone call-back" or "token" systems.

V. Standard: Transmission
The last standard under the Technical Safeguards focuses on securing e-PHI during its transmission over a communication network. There are no required implementation specifications; however, covered entities are expected to consider the addressable issues of use of encryption, and implementation of measures to prevent e-PHI from being modified improperly until it is disposed of. As with all of the addressable implementation specifications, covered entities must decide, based on their individual level of risk, whether it's reasonable and appropriate to employ any such mechanisms as part of their overall security plan.

HIPAA PRIVACY ISSUES FOR EMPLOYERS SPONSORING GROUP HEALTH PLANS


INTRODUCTION
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a complex set of rules requires protection of the privacy of certain health information, called protected health information (PHI). These rules apply to covered entities, which are health plans; healthcare clearinghouses, such as billing companies; and those healthcare providers that engage in electronic standard transactions. Although a company may not qualify as a covered entity, it may still be significantly affected by HIPAA in its role as an employer offering its employees a group health plan (GHP). This handbook will explain what a GHP is and the various ways employers offer GHP benefits. It will also cover how one of the HIPAA rules, known as the Privacy Rule, restricts the use and disclosure of PHI by a GHP to the plan sponsor. Finally, it will address how some of the requirements of the Privacy Rule apply to GHPs. This handbook provides a general overview of HIPAA's application to employers sponsoring group health plans. It does not provide legal advice or guidance on how you should act in a particular situation. The HIPAA Privacy Rule is complex and subject to nuances that cannot be completely covered in a brief treatment of this kind. Always consult your internal management and law department about any questions or concerns you may have about the Privacy Rule.

HOW HIPAA AFFECTS EMPLOYERS


I. Employers Acting as Plan Sponsors Are Not Covered Entities, but GHPs Are

The Privacy Rule applies directly to covered entities. Covered entities are health plans, healthcare clearinghouses, and those healthcare providers that engage in electronic standard transactions, such as filing electronic healthcare claims with health plans. The term "covered entity" does not include employers that act as plan sponsors. Nevertheless, many employers who sponsor GHPs will be affected by the Privacy Rule because GHPs qualify as health plans and therefore are covered entities. The Privacy Rule defines "health plan" to include GHPs, which are employee welfare benefit plans under the Employee Retirement Income Security Act of 1974 (ERISA). These plans include insured and self-insured plans, to the extent that they provide medical care, that (1) have 50 or more participants or (2) are administered by an entity other than the employer that established and maintains the plan. Therefore, not all GHPs are covered entities. Only GHPs that have more than 50 participants or are administered by an entity other than the plan sponsor (even if they have fewer than 50 participants) are subject to the Privacy Rule. These entities are known as third-party administrators (TPAs). As discussed below, the Privacy Rule places significant restrictions on the disclosure of PHI by a GHP to a plan sponsor.

Example 1: A GHP has 42 participants and is administered by a TPA. Even though the GHP has fewer than 50 participants, because it is administered by an entity other than the plan sponsor, it qualifies as a GHP under the Privacy Rule. Therefore, the GHP is a covered entity under the Privacy Rule.

A. The different responsibilities of plan sponsors


There are a number of ways plan sponsors offer the benefits of a GHP. The requirements of the Privacy Rule that are applicable to plan sponsors differ based on how the plan is organized and operated. Basically, as we'll explain below, the less a plan sponsor does in administering the plan, the fewer obligations it must meet under the Privacy Rule. Thus, for example, some GHPs are fully insured by a health insurance issuer or a health maintenance organization (HMO). Sponsors of fully insured plans typically don't undertake plan administration activities, except perhaps plan enrollment. These employers won't have that many obligations under the Privacy Rule. Then there are sponsors of self-funded GHPs. These plan sponsors may entrust the day-to-day operations of the plans to TPAs. For instance, the TPA will receive and process claims for payment. However, the plan may retain the right to make the final determination on any appealed claim. Some sponsors of self-insured plans will administer the benefits themselves. Depending on their level of involvement as the plan sponsor, employers may be responsible for (i) issuing Notices of Privacy Practices; (ii) ensuring that their plan documents contain certain privacy protections; (iii) granting individuals their privacy rights; (iv) complying with administrative requirements such as appointing a privacy officer and training employees; and (v) entering into business associate contracts. These obligations are discussed more fully below.

B. GHPs as covered entities

1. Restrictions on the use and disclosure of PHI


Although GHPs are covered entities, when they provide benefits solely through a health insurance issuer or HMO, the burden of complying with these rules rests with the health insurance issuer or HMO, which is also a covered entity in its own right. In addition, if a GHP uses a TPA and receives only summary health information, it should require the TPA, by contract, to meet the requirements of the Privacy Rule. The requirements of the Privacy Rule can be divided into three main categories. The first category imposes restrictions on the use and disclosure of protected health information. PHI is defined as individually identifiable health information (IIHI) that is transmitted or maintained by a covered entity in any format. At a minimum, this includes all oral, computer-based, and paper-based patient health information. We'll discuss the specifics of restrictions on disclosures of PHI by GHPs in greater detail later. IIHI is any information that:

- is created or received by a covered entity or an employer; and
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for healthcare provided to an individual; and
- identifies the patient or can be used to identify the patient who is the subject of the information.

IIHI in student records of educational institutions covered by the Family Educational Rights and Privacy Act is not covered by HIPAA. As explained above, employers generally are not covered entities. Additionally, when a covered entity, in its role as an employer, does create or maintain IIHI, that information is not considered PHI. However, IIHI created in its healthcare capacity is PHI.

Example 2: An employee of a hospital is treated at the hospital for a stroke. The employee's medical record is PHI under the Privacy Rule because the information was created in the hospital's role as a healthcare provider and not as an employer. It does not matter that the individual is a member of the hospital's staff.

Example 3: An employee of a hospital submits a note from a physician to document sick leave. The physician's note is filed with the hospital's employment record. The IIHI found in the employment record is not PHI because it's maintained by the hospital in its role as an employer.

Basically, the Privacy Rule prohibits a covered entity from using or disclosing PHI except as permitted or required by the rule. In general, the Privacy Rule requires disclosure of PHI when requested by the patient or by the U.S. Department of Health and Human Services (HHS) for determining a covered entity's compliance with the Privacy Rule. It permits covered entities to use or disclose PHI without patient permission for treatment, payment, and healthcare operations unless consent is required by state law.

Example 4: A plan sponsor uses a health insurance issuer to administer its GHP. A healthcare provider submits a bill to the health insurance issuer, which uses the PHI contained in the bill to pay the claim. This use of PHI is permissible without patient consent unless state law requires it.

The Privacy Rule permits a covered entity to use or disclose PHI without an individual's permission for certain public policy-related purposes, such as public health, health oversight, and research, if certain requirements are met. In general, for all other purposes, the Privacy Rule requires patient authorization to use and disclose her PHI. In most circumstances where the use or disclosure of PHI is not permitted or required by the Privacy Rule without individual authorization, individuals must complete, date, and sign a written authorization for their PHI to be used or disclosed. Authorization forms provided to patients must be written in plain language and must contain the following information:

- A specific description of the PHI to be used or disclosed
- The person(s) authorized to use or disclose PHI
- The person(s) or entities to whom the covered entity may disclose PHI
- The date on which the authorization expires or an expiration event
- A description of the patient's right to revoke the authorization and the procedure for doing so
- A statement that authorized disclosures may be redisclosed to third parties that may not be subject to the Privacy Rule
- If signed by a personal representative on the patient's behalf, a description of the representative's legal authority
- A description of each purpose of the authorized use or disclosure
- A notification stating that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on signing the authorization if such conditioning is prohibited by the Privacy Rule or, if it is permitted by the Privacy Rule, a statement about the consequences of refusing to sign the authorization

Additionally, for marketing authorizations, there must be a statement that a covered entity will receive remuneration for making a disclosure of PHI, if applicable, as well as a statement that the information may be further exchanged for remuneration by the recipient, if applicable. Covered entities must keep copies of all authorizations for at least six years from the time they were created or last in effect, whichever is later. Covered entities must also provide patients with a copy of their signed authorization. Generally, a health plan may not condition enrollment or eligibility for benefits on a person signing an authorization for use or disclosure of PHI. However, GHPs may require individuals to sign authorizations for enrollment and eligibility determinations, as well as for underwriting and risk-rating purposes, if they do so before the individuals enroll in the plan, and as long as the authorization is not to use or disclose psychotherapy notes.

2. Administrative requirements
The second category of requirements deals with administrative obligations. To supplement the protections of the Privacy Rule, the regulations require covered entities to implement privacy compliance programs. Specifically, covered entities are required to do all of the following:

- Designate a privacy officer to oversee the privacy compliance program and accept complaints.
- Develop written policies and procedures to ensure compliance.
- Refrain from requiring individuals to waive their rights granted under the Privacy Rule.
- Train personnel on their policies and procedures.
- Implement reasonable administrative, technical, and physical safeguards to protect PHI from intentional or unintentional use or disclosure in violation of the rule.
- Implement reasonable administrative, technical, and physical safeguards to protect PHI against incidental disclosures. A separate HIPAA Security Rule for electronic PHI establishes detailed security requirements for covered entities.
- Apply appropriate sanctions against workforce members for violations of privacy-related policies and procedures.
- Establish a procedure for individuals to complain about the entity's privacy practices.
- Mitigate, to the extent practicable, any harm that results from violations of the privacy policies and procedures.
- Refrain from retaliating against individuals who exercise their privacy rights.

Depending on the employer's degree of involvement in administering the health plan, it may be responsible for complying with these requirements as well. A group health plan does not have to comply with all administrative requirements if it provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and if the plan does not create or receive PHI except for summary information (stripped of identifiers) or information on whether an individual is participating in the plan or has enrolled or disenrolled. A plan that meets this test need not comply with the administrative requirements to have a privacy official, to train staff, to have safeguards, to have a complaint process, to impose sanctions, to mitigate effects of wrongful disclosures, or to have policies and procedures. It must still refrain from retaliatory acts and may not require waiver of rights. It must also document any relevant actions.

3. Privacy rights
The third category of requirements grants individuals certain rights relative to their PHI. Covered entities are required to furnish notices about their privacy practices; allow individuals access to review, and, if necessary, amend their medical records; provide accountings of certain PHI disclosures; and consider requests for special privacy protections.

i. Notice

The Privacy Rule requires that covered entities develop what is referred to as a Notice of Privacy Practices (or "notice") to give to individuals. The notice is a detailed document that outlines how the covered entity uses and discloses PHI, the covered entity's legal obligations to protect PHI, and the rights individuals have under HIPAA. A covered entity must provide a notice that's written in plain language and that contains the following elements:

- A statement in the header or otherwise prominently displayed that reads, "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."
- A sufficiently detailed description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make regarding treatment, payment, and healthcare operations, including any significant legal restrictions on such use or disclosure
- A sufficiently detailed description of each of the other purposes for which the covered entity is permitted or required to use or disclose PHI without the individual's written authorization, including any significant legal restrictions on such use or disclosure
- A statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke the authorization
- A statement of the individual's rights with respect to PHI; a brief description of how he may exercise his right to request restrictions on certain uses and disclosures of PHI (including a statement that the covered entity is not required to agree to a requested restriction, except in some circumstances when the patient paid for care out-of-pocket in full); receive confidential communications of PHI; inspect and copy PHI; amend PHI; receive an accounting of disclosures of PHI; and obtain a paper copy from the covered entity upon request (even if he had previously agreed to receive the notice electronically)
- A statement that the covered entity is required by law to maintain the privacy of PHI and provide individuals with notice of its legal duties and privacy practices with respect to PHI
- A statement that the covered entity is required to abide by the terms of the notice currently in effect
- A statement, if applicable, that the covered entity reserves the right to change the terms of its notice and make the new terms effective for all PHI that it maintains, and a description of how the covered entity will provide individuals with a revised notice
- A statement that individuals may complain to the covered entity and to HHS if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint
- The name, or title, and telephone number of a person or office to contact for further information
- The date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published

If the covered entity intends to engage in any of the following activities, the notice must also include the applicable statements that follow:

- That a group health plan, health insurance insurer, or HMO with respect to a group health plan may disclose PHI to the sponsor of the plan
- That the covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual
- That the covered entity may contact the individual for fund-raising purposes

In its notice, the covered entity may elect to limit uses or disclosures allowable by the rule as long as such limitations don't affect its right to make a required or permitted use or disclosure. If the covered entity applies a change in its more limited uses and disclosures to PHI created or received prior to issuing a revised statement, the notice must include a statement that the covered entity reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains.
The covered entity must also describe how it will provide individuals with a revised notice.

A GHP's responsibility to provide notice varies depending on whether the plan benefits are provided through an insurer or HMO and on the amount of information it creates and maintains. When GHP benefits are provided through an insurer or HMO, enrollees have a right to receive notice from the insurer or HMO. If, on the other hand, the enrollees do not receive their benefits through an insurer or HMO, then the GHP, typically through a TPA, will be responsible for providing notice. Plan sponsors that opt to handle the day-to-day administration of their GHP, rather than use a health insurance issuer, HMO, or TPA for these activities, are considered to be furnishing the benefits and therefore must provide notice to all enrollees. Regardless of whether an insurer/HMO, a GHP, or the plan sponsor itself bears the responsibility of distributing notice to its enrollees, the notice must be provided to current subscribers to the plan no later than the date the GHP is expected to be in compliance with the Privacy Standards. Thereafter, the GHP must provide notice to new enrollees at the time of enrollment, and to existing enrollees within 60 days after it makes any material revision to its then-effective notice. At least once every three years, the GHP also must remind individuals covered by the plan about the availability of the notice and how to obtain a copy. Notices need only be provided to the named insured.

There is one special situation where a GHP may be required to maintain a notice even though its benefits are furnished through a contract with an insurer or HMO and the insurer is responsible for providing a notice. If the GHP creates or receives PHI beyond summary health information and/or participation and enrollment status information, it must maintain a notice and provide it to any person upon request. GHPs that do not create or receive any additional information are not obligated to have a separate notice apart from the one issued by the insurer or HMO.

Example 5: A GHP is funded and administered by a health insurance issuer. The GHP does not create or receive PHI other than summary health information. As such, it does not have to maintain or provide notice. Instead, the health insurance issuer must provide it.

ii. Access
With limited exceptions, including psychotherapy notes and information compiled in anticipation of, or for use in, legal proceedings, individuals have a right to inspect and obtain a copy of their own PHI. Individuals are not entitled to access all PHI, only information held in designated record sets, which include medical records. Covered entities, including GHPs, must provide access to on-site records within 30 days of a request, but have 60 days to produce records stored off-site. They may charge cost-based fees for copying, but not for retrieving, requested PHI. Fees for information in electronic format are limited to the labor costs of responding to the request. A covered entity must provide an individual with access to the PHI in the form or format she requests, if it is readily producible in that form or format.

In certain situations, patients have the right to a formal review of a decision denying access to their PHI. These situations usually involve denials based on potential harm to the patient or other people. Reviews of access denials must be performed by a licensed healthcare professional who did not participate in the original decision and who is designated by the covered entity to serve in this capacity. The reviewing healthcare professional must determine, within a reasonable period of time, whether to deny the requested access. The covered entity must provide the patient with written notice of the decision.

Example 6: A plan sponsor uses a TPA to administer the benefits of its GHP. An enrollee of the GHP asks the plan sponsor to see her medical claims records. Unless an exception applies, the GHP, administered by the TPA, would need to provide the requested access.

Example 7: A plan sponsor administers benefits only through a health insurance issuer and receives only summary health information. An employee of the sponsor asks to see his medical claims. As a covered entity in its own right, the health insurance issuer must provide the employee with the requested access, unless an exception applies.

iii. Amendment
Additionally, individuals may ask covered entities to amend PHI contained in a designated record set, such as a medical record. Amendment requests may be denied if, among other things, the covered entity did not create the PHI or it determines that the disputed information is accurate and complete. Requests for amendments must be formally accepted or denied. Covered entities accepting amendment requests aren't required to remove any PHI, but may if doing so is consistent with applicable laws and record-keeping policies. If an individual asks to add a statement to the record contesting the denial, the covered entity that denied the amendment request must add the statement.

iv. Accountings
The Privacy Rule requires that covered entities provide individuals, upon their request, with an accounting of PHI disclosures made during the past six years. Disclosures made for treatment, payment, and healthcare operations purposes do not have to be accounted for, unless they are made from electronic health records. In that case, the look-back period for accounting of such disclosures is three years, not six. Individuals have a right to receive one free accounting every 12 months. Disclosures made to national security, intelligence, or law enforcement officials may be omitted from an accounting if inclusion would be reasonably likely to impede the officials' activities. Disclosures made by business associates on a covered entity's behalf must also be accounted for. However, a covered entity is not required to account for these disclosures directly; it may instead provide the individual with a list of the business associates that disclosed PHI.

v. Confidential communications
GHPs and other covered entities must also accommodate reasonable requests by individuals to receive communications of PHI by alternative means or at alternative locations.

vi. Requests for restrictions


Finally, although covered entities must consider individuals' requests for special restrictions on the use or disclosure of their PHI, they are not obligated to agree to such requests. However, if they do agree, they are bound by the voluntary restrictions. Covered entities must also restrict the disclosure of PHI to a health plan for payment or healthcare operations upon request of an individual who has paid for the services in question out of pocket in full.

4. Breach notification
As we have seen, GHPs and other covered entities must take steps to protect the confidentiality of PHI. But what happens if, despite those measures, there is an unauthorized transfer, use, or other breach of the protected information? A breach is an unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. Something compromises the security or privacy of PHI if it poses a significant risk of financial, reputational, or other harm to the individual. A covered entity may therefore perform and document a risk assessment to determine whether an incident poses a significant risk of harm to the individual and so requires notification. An incident that does not pose a significant risk of harm is not a breach under the rule.


If the breach poses a significant risk of harm to the individual involved, the company must notify the individual of the breach. This notice must include, among other things, a brief description of what happened, the types of PHI involved, and any steps the individual should take. The notice must be given without unreasonable delay, and in any event within 60 days after the breach was discovered or should have been discovered. The company must also notify HHS (immediately for larger breaches, otherwise in an annual log) and, in some cases, the media. Business associates must also notify the covered entities they serve of any breach of PHI they become aware of.

Breach notification is not required, however, if the company has taken certain steps (such as the use of encryption that meets HHS guidance) that protect the PHI against unauthorized access. It is also not required for:
- the use or disclosure of a limited data set that excludes the individual's birth date and zip code
- certain inadvertent uses or disclosures of PHI that do not result in a violation of the Privacy Rule
- the inadvertent disclosure of PHI to someone who is not likely to be able to retain it, for example because it was mailed to the wrong address and returned by the Post Office unopened

Vendors of personal health records (PHRs), and other PHR-related entities not covered by HIPAA, are also subject to breach notification rules issued by the Federal Trade Commission. These rules are similar to those for HIPAA-covered entities, but there are some differences. For example, the FTC rule may require notification even if there is no evidence of a significant risk of harm from the breach. In any event, both the HIPAA and the FTC notification rules are lengthy and complex. Be sure to consult your company's law department or other designated party if you have any questions.

THE RESTRICTIONS ON DISCLOSURES OF PHI BY GHPS TO PLAN SPONSORS


I. The Danger of Inappropriate Sharing of PHI Between a GHP and Its Sponsor
Most GHPs are regulated under ERISA. Under ERISA, although a GHP must be a separate legal entity from its plan sponsor, it usually does not have a corporate presence. In other words, it may not have its own employees, and sometimes it does not have its own assets: the plan may be fully insured, or the benefits may be funded through the general assets of the plan sponsor rather than through a trust. Often, the only tangible evidence of the existence of a GHP is the contractual agreement that describes the rights and responsibilities of covered participants, including the benefits that are offered and the eligible recipients. It is therefore common to see employees of the plan sponsor performing GHP functions. This creates the danger that information that employees of the plan sponsor learn with their "GHP hats" on will be used by the employer for employment-related reasons. For this reason, the Privacy Rule permits plan sponsors access to PHI only where certain conditions are met.

A. Disclosures of summary health information

"Summary health information" summarizes claims history, claims expenses, or types of claims experience, with the personal identifiers removed. GHPs, or health insurance issuers or HMOs on their behalf, are permitted to disclose summary health information to plan sponsors without meeting any special requirements beforehand. To avoid the burdens of the Privacy Rule, the plan sponsor may use this information only for these purposes:
- Obtaining premium bids from health plans that provide or will potentially provide health insurance coverage under the group health plan
- Modifying, amending, or terminating the group health plan

Additionally, GHPs are free to disclose PHI related to enrollment to plan sponsors. For instance, the GHP may inform the plan sponsor who has enrolled in the plan. A plan sponsor that receives only summary health information and enrollment information will not face major compliance burdens under the Privacy Rule.

B. Disclosures requiring certain provisions in plan documentation


If disclosures by a GHP to a plan sponsor extend beyond those described above (as is typically the case with self-insured plans), the Privacy Rule requires that the plan documents contain certain provisions. Plan documents include any documents that establish the GHP, outline how it will function, or describe the benefits it offers.

1. Description of uses and disclosures


First, the plan documents must include a description of the permitted and required uses and disclosures of PHI by the plan sponsor. Generally, the plan sponsor may use the PHI it receives from a GHP only for the plan administration functions it performs on behalf of the GHP. Plan administration functions generally include payment and healthcare operations (as these terms are defined by the Privacy Rule), such as claims processing, quality review, auditing, monitoring, and management of carve-out plans like vision and dental. Plan administration functions do not include employment-related functions (such as hiring, firing, and promotions) or functions in connection with other benefits such as disability and workers' compensation.

Example 8: An employee of a company goes to his doctor and discovers he has hepatitis. Another company employee who works in plan administration informs the president of the company of the illness. The president fires the employee because he fears catching the disease. The disclosure by the plan administration employee to the president violates the Privacy Rule because disclosures are permitted only for plan administration purposes and PHI may not be used in employment decisions.

In addition to plan administration functions, a GHP may disclose PHI to a plan sponsor in accordance with a patient authorization. This authorization must be in writing and contain all of the elements previously described under "Restrictions on the use and disclosure of PHI".

Example 9: A health insurance issuer that administers a GHP is asked to disclose information to a plan sponsor because the sponsor is advocating on behalf of a particular plan participant and assisting in explaining the participant's health plan benefits in the context of a specific claim. As required by the Privacy Rule, the employee authorizes the GHP to share information with the plan sponsor. The health insurance issuer is permitted to disclose the PHI to the plan sponsor because an authorization has been signed by the enrollee.

2. Certification of plan documents


Second, the plan documents must include a statement that the GHP will disclose PHI to the plan sponsor only when it receives a certification from the sponsor that the plan documents include the required provisions. To eliminate the need for GHPs to review plan documents, the Privacy Rule simply requires the plan sponsor to provide a one-time certification to the GHP. The certification must state that the plan documents incorporate the following specific provisions, and that the plan sponsor agrees to comply with them. The plan sponsor must:
- not further use or disclose the PHI other than as permitted by the plan documents or as required by law
- ensure that its agents, including subcontractors, agree to the same restrictions and conditions that apply to the plan sponsor
- not use or disclose the PHI for employment-related actions or decisions, or in connection with any other benefit or employee benefit plan of the plan sponsor
- report to the GHP any use or disclosure it becomes aware of that is inconsistent with the plan documents
- allow individuals to inspect and obtain copies of PHI about themselves held by the plan sponsor, in accordance with the Privacy Rule
- allow individuals to amend PHI about themselves held by the plan sponsor, to the extent required by the Privacy Rule
- provide individuals with an accounting of any disclosures of PHI, to the extent required by the Privacy Rule
- make its internal practices, books, and records related to the use and disclosure of PHI available to HHS for the purpose of auditing the GHP's compliance with the Privacy Rule
- if feasible, return or destroy all PHI received from the GHP that the sponsor maintains in any form when the information is no longer needed for the purpose for which the disclosure was made, or, if return or destruction is not feasible, limit further uses and disclosures to those purposes that make the destruction infeasible
- ensure "adequate separation" between the group health plan and the plan sponsor

Example 10: A GHP is administered by a TPA, but the plan sponsor's employees perform some administrative functions. The sponsor has not certified that it will make its internal practices, books, and records related to the use and disclosure of PHI available to HHS for the purpose of auditing the GHP's compliance with the Privacy Rule. This use of PHI by the sponsor's employees would be prohibited by the Privacy Rule because the sponsor has not produced the appropriate certification.

3. Separation of GHP records and employees


Finally, the plan documents must demonstrate adequate separation between the GHP and the plan sponsor. This means the documents must describe how the plan sponsor will separate the records and employees of the GHP from other parts of the plan sponsor's operations. In particular, the plan documents must describe the employees or classes of employees (or other persons under the control of the plan sponsor) who will be given access to PHI disclosed to the sponsor. The description must include the individuals or classes of individuals who receive PHI in the ordinary course of business relating to payment under, healthcare operations of, and other matters of the group health plan, such as auditors, accountants, and health benefits personnel. The documents must also restrict PHI access and use by such employees (or other persons) to the plan administration functions the plan sponsor performs for the GHP. And the documents must provide an effective mechanism for resolving issues of improper access or use of PHI by these personnel or other individuals.

In order to implement these provisions of the plan documents, a plan sponsor will have to think carefully about how to separate, or firewall off from other parts of the company, the individuals who aid or assist in the administration of the GHP in any manner. These employees should not be involved in any other aspect of company human resource activities, or in any role where they would be in a position to make, or have input into, any type of decision regarding a fellow employee. It is critical that these employees understand the confidential nature of their positions. They should be made aware of the consequences of misusing PHI or disclosing it to anyone in the company who is not directly involved in administering the GHP. Similarly, the plan sponsor will have to take steps to ensure that the PHI it receives through its plan administration activities is not made available to other staff or managers in the company for employment-related decisions, and that other staff or managers do not have access to the data, whether it is stored in paper or electronic format.

C. Minimum necessary
Covered entities and business associates must make reasonable efforts and, when necessary, incur reasonable expenses to limit most uses or disclosures of PHI to the minimum amount necessary to accomplish the purpose of the use or disclosure. This principle is known as the minimum necessary requirement, and it applies to GHPs because they are covered entities. As a first step, GHPs and other covered entities should attempt to restrict their use or disclosure of PHI to a "limited data set" (PHI from which specified direct identifiers have been removed). If a limited data set is inadequate for the purpose, as will often be the case, then the minimum necessary requirement should be applied to the identifiable PHI that is to be used or disclosed. If the use or disclosure of PHI is needed, the amount used, disclosed, or requested must be the minimum necessary to accomplish the task at hand. Several rules help make this determination.

First, a covered entity or business associate may not use, disclose, or request an individual's entire medical record, except when the entire record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. Entities and associates requesting an entire medical record must explain why it is needed.

Second, for disclosures and requests made on a routine or recurring basis, covered entities must implement policies and procedures (which may be standard protocols) that limit the PHI disclosed or requested to the minimum amount necessary to accomplish the purpose. For nonroutine or nonrecurring disclosures and requests, covered entities must develop criteria designed to limit the PHI disclosed or requested and then make the minimum necessary determination on a case-by-case basis.

Third, for uses of PHI, covered entities must implement policies and procedures that:
- identify the people or classes of people who need access to PHI to do their jobs, and the types of PHI they need access to
- limit access to PHI to those people who need it for their jobs

Fourth, the entity disclosing the information is responsible for determining the minimum necessary disclosure. It can't simply rely on the judgment of the entity requesting the information. In some cases, covered entities and business associates can use or disclose PHI without making a minimum necessary disclosure determination. For instance, this determination is not required when the PHI is used or disclosed in connection with treatment of a patient. Minimum necessary determinations are also not required when the disclosure is being made to the patient. The same is true for uses and disclosures made based on an authorization. Minimum necessary determinations are not required for disclosures to HHS or other government agencies that are required by law.

RESTRICTIONS ON DISCLOSURES BETWEEN HEALTH PLAN ISSUERS, HMOS, TPAS, AND PLAN SPONSORS
I. Business Associate Considerations

A. Does a plan sponsor need a business associate agreement with its GHP?
The Privacy Rule prohibits disclosure of PHI to business associates unless the business associate is contractually bound to appropriately safeguard the information and the covered entity properly addresses situations in which its business associates fail to comply with their privacy obligations. A business associate is defined under the Privacy Rule as an entity that (1) performs a function involving PHI for or on behalf of a covered entity or (2) provides specified services, such as legal, consulting, and accounting services, that involve the disclosure of PHI to it by a covered entity. The provisions of a business associate agreement are specified under the Privacy Rule. They require a written agreement that establishes the permitted and required uses and disclosures of PHI and authorizes termination of the contract if the business associate violates a material term. Additionally, among other requirements, a business associate is required to:
- limit its use and disclosure of PHI to that permitted or required by the contract or required by law
- use appropriate safeguards
- report any improper use or disclosure
- make information available and amend PHI as directed by the covered entity

The Privacy Rule includes certain exceptions to the business associate standard that are beneficial for plan sponsors. A business associate agreement is not required for disclosures to a health plan sponsor, such as an employer, by a GHP or by the health insurance issuer or HMO that provides the health insurance benefits or coverage for the GHP, if certain conditions are satisfied: the GHP's plan documents must appropriately safeguard PHI from unauthorized use or disclosure, or the disclosures must be limited to summary health information.

Example 11: A GHP discloses PHI to the plan sponsor for plan administration purposes. The plan documents require the sponsor to restrict its uses and disclosures of PHI to plan administration purposes and to report unauthorized uses and disclosures to the GHP. A business associate agreement is not required because the plan documents ensure that PHI is used in accordance with the Privacy Rule.

In contrast, a TPA of a GHP acts as a business associate of the GHP. Therefore, a GHP that uses a TPA must have a business associate agreement with it. Again, the more the plan sponsor is involved in administering the plan and dealing with PHI, the greater the chance that it will have to enter into business associate contracts and ensure that its PHI is protected. This is especially true if the plan documents have been amended to indicate that the sponsor's agents and subcontractors will agree to the same restrictions and conditions that apply to the plan sponsor.

B. Is a business associate agreement needed between a GHP and a health insurance issuer or HMO that provides benefits under a GHP?
A health insurance issuer or HMO doesn't become a business associate simply by providing health insurance or health coverage to a GHP. The Privacy Rule defines the relationship between the GHP and the health insurance issuer or HMO as an organized healthcare arrangement (OHCA), with respect to the individuals they jointly serve or have served. Thus, these covered entities are permitted to share PHI that relates to the joint healthcare activities of the OHCA. However, if a GHP contracts with a health insurance issuer or HMO to perform functions or activities or to provide services that are in addition to or not directly related to the joint activity of providing insurance, the health insurance issuer or HMO may be a business associate with respect to those additional functions, activities, or services.

C. Restrictions on disclosures by a health insurance issuer or HMO providing benefits to a GHP


A health insurance issuer or HMO that funds and administers the benefits of a GHP is a covered entity under the Privacy Rule. As such, it must follow the restrictions on the use and disclosure of PHI described earlier in this handbook. These restrictions limit disclosures from these entities to the plan sponsor.

Example 12: ABC Company sponsors a GHP for its employees. Although the day-to-day operations are managed by a health insurance issuer, ABC still wishes to assist its employees when they dispute claims with the GHP. In order to do this, it must secure an authorization from the employee permitting it to receive information from the health insurance issuer. Without such an authorization, the Privacy Rule prohibits the health insurance issuer from releasing claim-specific details to the plan sponsor.

II. Enforcement and Penalties


Under HIPAA, the penalties for violating the Privacy Rule are severe:
- Depending on the nature of the violation, a civil penalty ranging from $100 to $50,000 per violation, up to $1.5 million for all violations of an identical provision in a calendar year
- A criminal fine of not more than $50,000 and/or imprisonment of not more than one year for wrongful disclosure of PHI
- A criminal fine of not more than $100,000 and/or imprisonment of not more than five years if the offense is committed under false pretenses, for example when a person lies about his identity
- A criminal fine of not more than $250,000 and/or imprisonment of not more than ten years if the offense is committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm

In addition, state attorneys general can sue to stop HIPAA violations and recover damages on behalf of their residents.


HIPAA PRIVACY FOR PHARMACEUTICAL COMPANIES: USING INFORMATION


INTRODUCTION
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the healthcare industry to adopt, among other things, national standards for electronic healthcare transactions, unique health identifiers, and security. These rules are collectively known as the Administrative Simplification provisions. An important part of the Administrative Simplification provisions is the Privacy Rule. The Privacy Rule establishes comprehensive privacy standards for protected health information (PHI) that individuals and organizations involved in healthcare delivery or payment for healthcare services must follow. Separate HIPAA rules address security requirements for electronic PHI. The Privacy Rule covers all PHI, whether electronic, written, or oral. As we explain in this handbook, the HIPAA Privacy Rule applies to many individuals and entities that store or transmit PHI.

This handbook will help you understand HIPAA's privacy requirements. Following an introductory discussion of how the Privacy Rule applies to pharmaceutical companies, we address how the rule affects the disclosure of PHI from providers subject to the rule to pharmaceutical companies. This discussion encompasses both uses and disclosures of PHI that require patient permission and those that do not. We also address HIPAA's impact on state laws that protect the confidentiality of health information. Finally, we review legal penalties and sanctions for failing to comply with HIPAA.

This handbook provides a general overview of the HIPAA Privacy Rule as it relates to pharmaceutical companies. It does not provide legal advice or guidance regarding how you should act in a particular situation that involves the use or disclosure of patient information. HIPAA is a complex law subject to subtleties and nuances that cannot be completely covered in a brief treatment of this kind.
Always consult your internal management and law department if you have any questions or concerns about the use or disclosure of patient information. Some changes to the law were made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law No: 111-5). These changes will be discussed as appropriate. The changes have variable effective dates, and most await guidance or regulations from the Department of Health and Human Services. Some provisions (e.g., breach notification) are already effective. Interpretations of new provisions are tentative until the Department of Health and Human Services (HHS) issues definitive guidance.

INDIVIDUALS AND ORGANIZATIONS


I. Covered Entities and Business Associates

The Privacy Rule's legal requirements apply to covered entities and business associates. We explain each of these terms below.

A. Covered entities

The Privacy Rule defines covered entities to include certain healthcare providers, as well as all health plans and healthcare clearinghouses. The Privacy Rule applies to pharmaceutical companies both directly (when they qualify as covered entities) and indirectly (when they qualify as business associates of covered providers). Changes made by the HITECH Act will make business associates directly subject to the HIPAA rule. When these changes become effective, the biggest differences will be that business associates will be directly subject to both the HIPAA Privacy Rule and the HIPAA Security Rule. These changes will mean that business associates will be subject to direct enforcement by HHS. Changes to business associate contracts will also be necessary.

1. Healthcare providers
A healthcare provider is an individual or organization that (1) is recognized by Medicare as a provider or (2) provides, bills for, or is paid for healthcare services in the normal course of business. Healthcare providers include hospitals, skilled nursing facilities, home health agencies, physicians, outpatient facilities, clinical laboratories, pharmacies, medical equipment suppliers, and other licensed/certified healthcare professionals.

The Privacy Rule applies only to healthcare providers that electronically transmit PHI in connection with specified healthcare transactions. Fax transmissions are not electronic transmissions under the rule. Transactions that trigger the Privacy Rule's requirements include:

- healthcare claims (including attachments) and status reports
- payment and remittance advice
- determination of eligibility for health plan benefits
- referral certifications and authorizations
- first reports of injury
- health plan enrollment, disenrollment, eligibility for health plan coverage, and premium payments
- coordination of health benefits

Pharmaceutical companies will generally not qualify as covered entities under the Privacy Rule. While they may sometimes provide what are considered healthcare services, they will not be considered covered entities under the rule unless they file electronic healthcare claims or otherwise engage in HIPAA standard transactions.

Example 1: Biopharma, a pharmaceutical company, manufactures drugs. It also handles its own sales and marketing. It never engages in electronic standard transactions and does not offer treatment advice related to specific patients. It is not a covered entity under the Privacy Rule because it does not provide treatment services or engage in electronic standard transactions.

Example 2: Biopharma, a pharmaceutical company, contracts with an individual to develop a drug customized to his disease. Once the drug is developed, the company files electronic healthcare claims with the individual's health plan for reimbursement. Here, Biopharma is a covered entity under the Privacy Rule because it provides treatment services and engages in electronic standard transactions.

Example 3: Global Pharmaceuticals manufactures drugs and operates a patient assistance program (PAP) that funds drug treatments for financially needy patients. It reviews medical records concerning specific patients and decides whether and how those patients can benefit from its pharmaceuticals. However, it never engages in electronic standard transactions. So, under the Privacy Rule, Global is a healthcare provider because it provides treatment services through its PAP, but it wouldn't qualify as a covered entity because it doesn't engage in electronic standard transactions.

Example 4: MediPharma, a pharmaceutical company, manufactures drugs and operates a PAP that funds drug treatments for financially needy patients. It reviews medical records concerning specific patients and decides whether and how those patients can benefit from its pharmaceuticals. MediPharma electronically checks the insurance eligibility of patients applying for the PAP to make sure they are truly in financial need. It is a covered entity under the Privacy Rule because it provides treatment services through its PAP and engages in an electronic standard transaction (determination of eligibility for benefits).

Example 5: Worldwide Pharmaceuticals, a pharmaceutical company, runs a mail-order pharmacy that files electronic healthcare claims for the drugs it sells. It is a covered entity under the Privacy Rule because it provides treatment services and engages in electronic standard transactions.
If a pharmaceutical company qualifies as a covered entity, a host of obligations under HIPAA are triggered. Covered entities must follow the restrictions on the use and disclosure of PHI discussed below and implement processes so that individuals may exercise the rights (also discussed below) that are granted under HIPAA. Even if a pharmaceutical company does not qualify as a covered entity, the Privacy Rule will affect the flow of PHI to it because most healthcare providers the company does business with will qualify as covered entities. Permissible disclosures of PHI by a covered provider to a pharmaceutical company are discussed below in the discussion on business associates.

2. Health plans

The Privacy Rule applies to health plans. A health plan is an organization that provides and/or pays the cost of medical care. Health plans include health insurance companies, group health plans (such as those offered through an individual's employment), and health maintenance organizations (HMOs). Health plans also include government-administered programs such as Medicare, Medicaid, Department of Veterans Affairs (VA) programs, and TRICARE (Department of Defense) programs. For purposes of the Privacy Rule, health plans do not include workers' compensation or automobile, life, property, and casualty insurers. Health plans also do not include government-funded programs whose primary purpose is not rendering or paying for healthcare services, even if they may incidentally provide or pay for some healthcare services.

3. Healthcare clearinghouses
The Privacy Rule applies to healthcare clearinghouses, public or private entities that process or facilitate the processing of healthcare transactions. The most common type of healthcare clearinghouse is a billing company. Healthcare clearinghouses receive PHI from one source, such as a healthcare provider, convert it into a standard format, and transmit the information to another entity, such as a health insurance company, that pays for the healthcare services. Healthcare clearinghouses can also perform the reverse of that function by converting and transmitting PHI from insurers to healthcare providers. Health plans or healthcare providers that perform these functions are not considered healthcare clearinghouses unless they also perform them for other, unaffiliated organizations.

B. Hybrid entities
In addition to certain healthcare providers, health plans, and healthcare clearinghouses, the Privacy Rule applies to other types of organizations, including affiliated entities, hybrid entities, and organized healthcare arrangements. Of these, only the hybrid entity is likely to have any relevance to pharmaceutical companies. Hybrid entities are organizations that are involved in non-healthcare activities but also act as a health plan, healthcare clearinghouse, or healthcare provider. Hybrid entities include non-healthcare organizations, such as insurance companies, that offer health insurance plans in addition to other plans, and companies operating on-site health clinics that conduct standard transactions covered by the Privacy Rule. Within a hybrid entity, the healthcare components are covered by the Privacy Rule. Although the Privacy Rule applies only to the healthcare components of the hybrid entity, this type of entity must prevent disclosure of PHI to other non-healthcare divisions within the entity.

Hybrid entities must use safeguards, such as firewalls or other information barriers, to prevent unauthorized access to, or disclosure of, PHI.

Example 6: MediPharma, a pharmaceutical company, manufactures drugs and operates a PAP that funds drug treatments for financially needy patients. It reviews medical records concerning specific patients and decides whether and how those patients can benefit from its pharmaceuticals. MediPharma electronically checks the insurance eligibility of patients applying for the PAP to make sure they are truly in financial need. It is a covered entity under the Privacy Rule because it provides treatment services through its PAP and engages in an electronic standard transaction (determination of eligibility for benefits). Because MediPharma has defined itself to be a hybrid entity, only the component that reviews patient records, determines whether patients can benefit, and electronically checks insurance eligibility is a covered entity. Its activities and records must be maintained separately from other MediPharma components.

C. Business associates
Business associates are individuals or organizations that perform services or functions (such as data administration) for a covered entity, or that provide covered entities with legal, accounting, management, consulting, accreditation, financial, or other operational services involving the use or disclosure of PHI. Business associates may perform many different functions, such as claims processing and administration, billing, quality assurance, operations management, and data analysis, on behalf of covered entities. Sometimes, covered entities act as business associates with respect to each other. Even if a business performs a service for a covered entity that involves the use or disclosure of PHI, it will not be considered a business associate if the service does not relate to the use or disclosure of PHI or to a function or activity regulated by the Privacy Rule, such as providing care.

Example 7: Big Pharma Company offers consulting services to physician practices. The services are related to billing for its drugs. Physician practices that want to take advantage of this service disclose PHI to Big Pharma, and Big Pharma uses the PHI to provide billing advice. Because Big Pharma receives PHI to provide this service, it is a business associate of the covered physician practices.

Example 8: Big Pharma Company sponsors a clinical trial to study the effects of a new drug it is manufacturing. A hospital that's covered by the Privacy Rule agrees to conduct the clinical trial and discloses to Big Pharma PHI concerning patients treated with the drug. Although it receives PHI from the covered hospital, Big Pharma is not a business associate of the hospital because Big Pharma is doing its own independent research and is not conducting a function or activity on behalf of the hospital. The hospital discloses information to Big Pharma under the research disclosure provisions of the rule (discussed later).

Example 9: Big Pharma Company sponsors a clinical trial to study the effects of a new drug it is manufacturing. A hospital agrees to conduct the clinical trial and discloses to Big Pharma PHI concerning patients treated with the drug. Big Pharma provides data management services to the covered hospital in connection with the study. Big Pharma is a business associate of the hospital because it provides it with data management services that involve the disclosure of PHI to Big Pharma.

Example 10: Big Pharma Company provides disease management services to a hospital. Because the disease management services relate to a hospital function, Big Pharma receives PHI as a business associate of the covered hospital.

The term business associate does not include employees or volunteers of a covered entity.

1. Requirements of business associate relationships


To share PHI with a business associate, a covered entity must obtain satisfactory assurance that the business associate will comply with the Privacy Rule. Obtaining this satisfactory assurance requires the covered entity to enter into a contract with each business associate that meets these requirements:

- The contract must establish the permitted and required uses and disclosures of PHI to and by the business associate. This does not mean that every single use or disclosure must be specified; rather, the agreement must discuss the general purposes for which the business associate may use and disclose PHI and the types of persons to whom the business associate is anticipated to make further disclosures.
- The contract must prohibit the business associate from using or further disclosing the PHI other than as permitted by the contract or as required by law.
- The contract must require the business associate to implement appropriate safeguards to protect against inappropriate disclosure or use. The Privacy Rule does not specify what qualifies as "appropriate safeguards." This decision is left to the parties.
- The contract must require that if a business associate becomes aware of any use or disclosure not provided for in the agreement, the business associate must report the violation to the covered entity.

Example 11: National Pharma Company offers physician practices consulting services related to billing for its drugs. Physician practices that want to take advantage of these services disclose PHI to National for it to use to provide billing advice. One of National's employees discloses to the media PHI it received from a physician practice about a famous actor. National must report this violation of its business associate agreement to the practice.

- The contract must require a business associate to ensure that any of its agents and subcontractors who have access to the client's PHI agree to the same conditions and restrictions that apply to the business associate.
- As a general rule, covered entities must be prepared to provide an individual with an accounting of any disclosures they have made or that were made on their behalf, except those made for the purposes of treatment, payment, or healthcare operations or to people assisting in a patient's care. The accounting must generally include disclosures made for the six years before the request and disclosures by a business associate. Business associate contracts must contain provisions that require the business associate to assist the covered entity in meeting its accounting obligations.

Example 12: Big Pharma Company offers physician practices consulting services related to billing for its drugs. Physician practices that want to take advantage of these services disclose PHI to Big Pharma for it to use to provide billing advice. Because this is a disclosure for the healthcare operations or payment purposes of the physician practice, the practice does not need to account for the disclosure.

- For the purpose of determining whether a covered entity is complying with the Privacy Rule, the contract must require a business associate to agree to make available to the Secretary of the Department of Health and Human Services (HHS) its internal books, records, and practices relating to its use and disclosure of PHI.
- The contract must require that a business associate agree to destroy or return at the end of the agreement, to the extent feasible, all PHI received from the covered entity. The business associate may retain information necessary for the proper management and administration of its business as well as information necessary for it to carry out its own legal responsibilities. Any retained information must remain subject to the protections of the contract.
- The contract must give the covered entity the right to terminate it if the business associate violates an important term. This is especially important because in certain situations, covered entities may be liable for Privacy Rule violations committed by their business associates.

Example 13: Big Pharma Company sponsors a clinical trial to study the effects of a new drug it's manufacturing. A covered hospital agrees to conduct the clinical trial and discloses to Big Pharma PHI concerning patients treated with the drug. Big Pharma provides data management services to the covered hospital in connection with the study. The services contract between the two companies gives Big Pharma the right to terminate the relationship if the hospital fails to deliver PHI to it on a scheduled interval. The hospital, on the other hand, does not have the right to terminate the agreement. This business associate contract does not satisfy the Privacy Rule because the hospital may not terminate the contract if Big Pharma fails to use or disclose PHI appropriately.

- The contract must contain provisions that require the business associate to assist the covered entity in providing patients access to certain information that the business associate has. Specifically, the Privacy Rule permits patients to have access to certain PHI about themselves in order to review it for accuracy. Generally, the covered entity must act upon a patient's request within 30 days and must, with limited exceptions, make any requested amendments to inaccurate or incomplete information. Specifically, a covered entity must provide a patient with access to "designated record sets." A designated record set is defined as a group of records maintained by a covered entity that (1) consists of medical or billing records about individuals maintained by or for a healthcare provider; (2) consists of enrollment, payment, claims adjudication, and case or medical management records systems maintained by or for a health plan; or (3) is used, in whole or in part, by the entity to make decisions about individuals. While the responsibility for providing access to individuals rests with a covered provider, the parties to a business associate contract may negotiate that the business associate deal directly with individual requests for records in its possession.

A covered entity is not required to have a business associate contract with those providers to whom it discloses PHI for treatment purposes.

Example 14: Dr. Burnett, a physician in private practice, discloses PHI to Pharmaceuticals-R-Us so that the company can provide him with support and guidance concerning the proper use of its pharmaceuticals with respect to certain patients. Pharmaceuticals-R-Us is not a business associate of Dr. Burnett because disclosures to healthcare providers for treatment purposes don't give rise to a business associate relationship, and a business associate contract is not necessary.

2. Liability for the acts of business associates


A covered entity may fail to meet its Privacy Rule obligations if the covered entity knows about privacy violations by a business associate and fails to take reasonable steps to correct it. While a covered entity does not have to actively monitor its business associates' activities, it must investigate if it learns of possible wrongdoing.

Example 15: Big Pharma Company offers physician practices consulting services related to billing for its drugs. Physician practices that want to take advantage of these services disclose PHI to Big Pharma for it to use to provide billing advice. One of Big Pharma's employees discloses to the media PHI it received from a physician practice about a famous actor. If it learns of the improper disclosure, the practice must take reasonable steps to correct it, such as demanding better controls by Big Pharma over who in the company can access PHI.

If the covered entity cannot, through reasonable efforts, correct the business associate's violation of the Privacy Rule, it must terminate the business associate contract. If terminating the business associate contract is not possible or would cause significant hardship to the covered entity, it must report the violation to HHS.

3. Business associate changes in HITECH


HITECH expanded the definition of business associate to include entities that transmit PHI to a covered entity or its business associate, and that need access to the PHI on a routine basis. These include, for example, health information exchange organizations, regional health information organizations, and e-prescribing gateways. The expanded definition also includes vendors that provide personal health record systems to covered entities. HITECH also makes business associates directly subject to HIPAA's security requirements, including those relating to policies and procedures, risk assessment and management, employee training, and access controls. As a result, business associates will be directly subject to enforcement of the standards by HHS.

The HITECH Act made some changes in the privacy area as well. Not only did it add to and expand HIPAA's privacy requirements, but it made business associates legally responsible for complying with them, including existing and new requirements relating to:

- breach notification
- the disclosure of PHI when the patient has paid for the related medical item or service out of pocket
- the minimum necessary rule
- the need to inform patients of prior disclosures of their PHI
- the sale or marketing of PHI
- the right of patients to access their PHI in electronic form

This means that while business associates had been only contractually bound to comply with the privacy rules, they can now be held directly accountable under HIPAA's expanded civil remedies and criminal penalties if they don't comply.

Nevertheless, business associate contracts are still required. In addition, a business associate that knows that a covered entity is violating the Privacy Rule must take reasonable action to end the violation.

PROTECTED HEALTH INFORMATION (PHI)


The Privacy Rule applies to the use and disclosure of PHI by covered entities and business associates. PHI is defined as individually identifiable health information that's transmitted or maintained by a covered entity in any format. At a minimum, this includes all oral, computer-based, and paper-based patient health information. We'll discuss the specifics of PHI in greater detail below. The Privacy Rule also applies to the use and disclosure of PHI relating to deceased individuals, for as long as a healthcare provider or organization maintains this information. However, a change in the rule about the length of HIPAA privacy protection for deceased individuals is pending.

I. Individually Identifiable Health Information


Individually identifiable health information is any information, including genetic information, that is created or received by a covered entity or an employer, identifies the patient or can be used to identify the patient who is the subject of the information, and relates to one of the following:

- the past, present, or future physical or mental health or condition of an individual
- the provision of healthcare to an individual
- the past, present, or future payment for healthcare provided to an individual

PHI does not include individually identifiable health information found in certain education records or in student records held by certain educational institutions. Employment records also aren't considered PHI.

II. De-identified Information and Limited Data Sets


Covered entities and business associates may de-identify PHI by removing, encrypting, or otherwise concealing all individually identifiable information. Properly de-identified PHI is not subject to the Privacy Rule. If de-identified information is subsequently re-identified, however, it reacquires the Privacy Rule's protections. There are two ways to properly de-identify PHI. A covered entity or business associate may remove all identifying characteristics including, but not limited to:

- names
- addresses (excluding state and the first three zip code digits)
- dates (excluding year)
- social security numbers and other identification numbers
- medical record numbers
- telephone, fax, and Internet Protocol address numbers
- e-mail and other Internet addresses
- health insurance numbers
- biometrics, including photographs
- any other form of unique identifier

Information relating to gender, race, ethnicity, and marital status is not individually identifiable and doesn't need to be removed.

Example 16: Dr. Quinn, a physician in private practice, asks her office manager to de-identify a patient's medical record so that she may submit certain information to a pharmaceutical company. The office manager removes all information he thinks could identify the patient and leaves only the gender, race, and marital status in the chart. In addition, he leaves the patient's photograph in the file because it does not contain her name or any other identifying information on it. However, because the photograph could be used to identify the patient, the office manager failed to properly de-identify this medical record.

Even if all identifying characteristics have not been or cannot be removed, it is still possible for PHI to be treated as de-identified. The second way that a covered entity can determine that PHI is not individually identifiable is if a qualified statistician examines the PHI and determines that the risk of re-identification is very small.

Additionally, the Privacy Rule allows a covered entity to use or disclose a limited data set for research, public health, and healthcare operations purposes. A limited data set does not include directly identifiable information, but certain identifiers, such as admission, discharge, and service dates; date of death; age; and five-digit zip code, may remain. Before a covered entity may disclose a limited data set, however, it must obtain a data-use or similar agreement from whoever will receive the data. In the agreement, the recipient must promise to limit its use of the data to the original reasons for the disclosure and promise not to attempt to re-identify it or use it to contact the subjects.
Example 17: Potent Pharmaceutical Company provides hospitals with patient questionnaires about the effects of its drugs. The hospitals agree to collect the questionnaires from their patients treated with the company's drugs so that Potent can conduct research with the information. The questionnaires don't contain names, addresses, or other directly identifiable information, although some other identifiers, such as gender, remain. Assuming that the questionnaires meet the requirements for limited data sets and that Potent has signed a data-use agreement, covered hospitals may disclose the questionnaires to Potent for research purposes without patient permission, provided that the research meets the rule's substantive and procedural requirements for research.

The specific rules governing the de-identification of PHI and limited data sets are detailed and complex. If you have any questions or concerns about this subject, please consult your company's internal management or law department.
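As an added illustration that is not part of this handbook, the following Python module applies the identifier list above to a patient record and produces either a de-identified record (only state, the first three zip digits, the year of each date, and the non-identifying demographics survive) or a limited data set (full admission, discharge and service dates, date of death, age, and five-digit zip retained, released only when a data-use agreement is in place). The field names, the constructed sample record, the reference date used for age, and the choice to replace the birth date with an age in the limited data set are assumptions of this example, not statements of the rule.

```python
"""De-identified record and limited data set, built from the identifier list the
handbook gives. Added, illustrative code: the field layout and sample values are
constructed for this example and are not taken from the handbook."""
import re
from datetime import date
from typing import Any, Dict, List, Optional

# Fields that the identifier list says must be removed outright: names, street
# address, SSN/other ID numbers, medical record numbers, telephone/fax/IP numbers,
# e-mail and other Internet addresses, health insurance numbers, biometrics (photos).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street", "city", "ssn", "mrn", "phone", "fax", "ip_address",
    "email", "insurance_id", "photo",
})

# Demographics the handbook says are not individually identifiable.
NON_IDENTIFYING = frozenset({"gender", "race", "ethnicity", "marital_status"})

# Dates a limited data set may retain (admission, discharge, service, death).
LDS_DATES = frozenset({"admission_date", "discharge_date", "service_date", "date_of_death"})

# Constructed reference date for computing age (assumption of this example).
AS_OF = date(2013, 1, 1)

_ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")

# Constructed sample record; every value is a placeholder, not real data.
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Jane Q. Sample", "street": "12 Example Lane", "city": "Springfield",
    "state": "IL", "zip": "62704", "dob": "1980-05-17",
    "admission_date": "2012-03-02", "discharge_date": "2012-03-05",
    "date_of_death": None, "ssn": "000-00-0000", "mrn": "MRN-000123",
    "phone": "555-0100", "email": "jane@example.invalid",
    "insurance_id": "INS-000999", "photo": b"\x89PNG placeholder bytes",
    "gender": "F", "race": "White", "ethnicity": "Not Hispanic",
    "marital_status": "Married", "diagnosis": "Type 2 diabetes",
}


def _year_only(value: Optional[str]) -> Optional[str]:
    """Reduce an ISO date to its year, the only part of a date the list lets stand."""
    if value is None:
        return None
    m = _ISO_DATE.match(value)
    return m.group(1) if m else None


def _age_on(dob: Optional[str], as_of: date) -> Optional[int]:
    """Whole years of age on as_of; replaces the birth date in the limited data set."""
    if dob is None or not _ISO_DATE.match(dob):
        return None
    born = date.fromisoformat(dob)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def residual_identifiers(record: Dict[str, Any]) -> List[str]:
    """Direct identifiers still carrying a value. Catches the Example 16 mistake of
    leaving a photograph in a chart that was meant to be de-identified."""
    return sorted(k for k in DIRECT_IDENTIFIERS if record.get(k) is not None)


def de_identify(record: Dict[str, Any]) -> Dict[str, Any]:
    """Strip every listed identifier; keep state, the first three zip digits,
    the year of each date, the non-identifying demographics and clinical data."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = value[:3] if isinstance(value, str) else None
        elif key == "dob" or key in LDS_DATES:
            out[key + "_year"] = _year_only(value)
        else:
            out[key] = value
    return out


def limited_data_set(record: Dict[str, Any], as_of: date,
                     data_use_agreement: bool) -> Dict[str, Any]:
    """Remove direct identifiers but keep the LDS dates, age and five-digit zip.
    Refuses to release anything until a data-use agreement is in place, since the
    handbook requires one before a limited data set may be disclosed."""
    if not data_use_agreement:
        raise PermissionError("data-use agreement required before disclosing a limited data set")
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "dob":
            out["age"] = _age_on(value, as_of)   # age may remain, full birth date does not
        else:
            out[key] = value                     # zip, LDS dates, demographics, clinical data
    return out


if __name__ == "__main__":
    print("de-identified:", de_identify(SAMPLE_RECORD))
    print("limited data set:", limited_data_set(SAMPLE_RECORD, AS_OF, data_use_agreement=True))
```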

RESTRICTIONS ON USE AND DISCLOSURE OF PHI


I. General Restrictions

The Privacy Rule prohibits a covered entity and its business associates from using or disclosing a patient's PHI for any purpose, unless one of the following occurs:

- The patient signs a written authorization for the use or disclosure.
- The patient gives his agreement for the use or disclosure.
- The use or disclosure is permitted or required by the Privacy Rule without the patient's permission.

While this handbook addresses the key elements of and exceptions to the agreement and authorization requirements, it cannot cover every Privacy Rule detail. If you have any questions or concerns about the use or disclosure of PHI, you should immediately contact your company's internal management or law department.

II. The Minimum Necessary Requirement


Covered entities and business associates must limit most uses or disclosures of PHI to the minimum amount necessary to accomplish the purpose of the use or disclosure. This principle is known as the minimum necessary requirement. We'll discuss the particulars of this principle in more detail.

A. Determining the minimum necessary amount


In determining the minimum necessary disclosure, a covered entity may want to consider whether the purpose of the use, disclosure, or request can be accomplished with information that is not identifiable. If so, the covered entity should probably not use, disclose, or request PHI, unless one of the exceptions to the minimum necessary requirement (discussed below) applies. In fact, under the HITECH Act, a use, disclosure, or request must be limited to the extent practicable to a limited data set as defined in the existing rule. The minimum necessary standard applies instead only if the covered entity needs to make a use, disclosure, or request more extensive than a limited data set; in that case, a broader minimum necessary disclosure is allowable. The burden of making a minimum necessary disclosure falls on the disclosing entity. The Secretary of Health and Human Services is required to issue additional guidance on these issues.

Example 18: A researcher is hired by a pharmaceutical company to study the effects of a drug on patients who suffer from a particular disease. The researcher must review certain diagnosis and treatment information about all patients who received the drug for the disease for a five-year period at Community Hospital, and the hospital's Institutional Review Board approves the use of the PHI. Because the goals of the research cannot be accomplished without revealing this PHI, the hospital may disclose it to the researcher, assuming other Privacy Rule requirements are met.

Example 19: Day Surgery Center, an ambulatory care facility, gives a patient medication, and the patient breaks out in hives. It contacts the pharmaceutical company that supplied the medication and gives the name of the patient. While the company needs information about what happened when the drug was administered to meet its obligations under applicable law, it does not need the patient's name. Because the company does not need the patient's name, disclosing it is not permitted by the Privacy Rule.

Example 20: Day Surgery Center, an ambulatory care facility, discovers that it has used infected blood during a surgical procedure. It contacts the pharmaceutical company that supplied the blood and gives the name of the person who received it. Because the company does need the patient's name to meet its legal obligations regarding contacting him, disclosing it is permitted by the Privacy Rule.

There are several rules that can provide some guidance for those making a minimum necessary determination. First, a covered entity or business associate may not use, disclose, or request a patient's entire medical record unless the entire record is the minimum amount necessary to accomplish the purpose of the disclosure or request. Disclosure of an entire medical record must be specifically justified as the minimum necessary. Second, for disclosures and requests made on a routine or recurring basis, covered entities must implement policies and procedures that limit the PHI disclosed or requested to the minimum amount necessary to achieve the purpose of the disclosure. For nonroutine or nonrecurring disclosures and requests, covered entities must make the minimum necessary determination on a case-by-case basis.

Example 21: Day Surgery Center, an ambulatory care facility, routinely submits PHI to a pharmaceutical company so that the pharmaceutical company can meet an FDA reporting requirement. For routine or recurring disclosures, Day Surgery must establish policies and procedures that identify the minimum amount of PHI that must be included in the disclosures.
Third, for uses of PHI, covered entities must implement policies and procedures that:

- identify those members of its workforce who need access to PHI to do their jobs
- identify the types of PHI to which such people need access
- limit or control access to PHI to those people who need access to perform their jobs

Additionally, the Privacy Rule permits incidental uses and disclosures of PHI that cannot reasonably be prevented, that are limited in nature, and that occur as a by-product of an otherwise permitted use or disclosure under the Privacy Rule, as long as the provider meets the minimum necessary requirement and takes reasonable safeguards to limit such uses and disclosures. For instance, if voices are kept appropriately low, a covered entity will not be held liable if an unauthorized person overhears a conversation about a patient's medical condition. Covered entities are also permitted to call out patient names in waiting rooms and to use bedside charts and X-ray light boards that may be visible to passersby.

B. Exceptions to the minimum necessary requirement


In some cases, covered entities and business associates can use or disclose PHI without making a minimum necessary determination. The HITECH Act did not change the exceptions. For instance, determining the minimum PHI necessary isn't required when PHI is requested by or disclosed to a healthcare provider in connection with treatment.

Example 22: Dr. Winfield, a primary care physician, calls a pharmaceutical company to ask whether treatment with one of the company's drugs would be beneficial for a particular patient. During the call, Dr. Winfield discusses the patient's current condition. In this situation, the Privacy Rule does not require Dr. Winfield to make a minimum necessary determination before disclosing the patient's PHI, because the PHI is being disclosed in connection with the patient's treatment.

Minimum necessary determinations also are not required when disclosing a patient's PHI to the patient himself.

Example 23: A pharmaceutical company seeks to sponsor a clinical trial to test the effects of a new drug. A physician practice agrees to work with the company in soliciting patients to sign up for the trial. The practice calls its existing patients who might benefit from the new drug to see if they would be interested in participating. Because this request involves disclosing PHI to a patient who is the subject of it, the physician practice is not required to make a minimum necessary determination before sharing this information with the patient.

The same is true for uses and disclosures made pursuant to an authorization. Authorizations are discussed later in this handbook.

Example 24: A covered nursing home obtains individual authorization for each of its residents to release PHI to a pharmaceutical company to use for research purposes. The covered nursing home does not have to make a minimum necessary determination before releasing information to the pharmaceutical company.
Also, before the HITECH Act, a covered entity could rely, if reasonable, on the minimum necessary determination of the covered entity asking for the disclosure. The HITECH Act, however, changed this rule. Now, a disclosing entity must determine what constitutes the minimum amount of PHI necessary to accomplish the intended purpose of a disclosure. Minimum necessary determinations are not required for disclosures to HHS for determining HIPAA compliance or for disclosures to other government agencies that are required by law.

III.

Uses and Disclosures for Treatment, Payment, and Healthcare Operations Purposes
Covered entities may use or disclose PHI for treatment, payment, and healthcare operations purposes without patient permission, unless state or other law provides otherwise. However, except in emergency situations, covered healthcare providers with direct treatment relationships are required to make a good-faith effort to obtain a patient's written acknowledgment that she has received the provider's notice of privacy practices no later than the time of first service delivery. (Notices of privacy practices will be discussed in more detail later in this handbook.) A direct treatment relationship exists when a healthcare provider provides services directly to the patient. If a direct treatment provider is unable to obtain such an acknowledgment, it must document its good-faith efforts to do so. Indirect treatment providers are not required to obtain this acknowledgment, but may do so if they choose. (An indirect treatment relationship exists when a healthcare provider provides services to another provider who ordered the services. Examples of indirect healthcare providers include pathologists, radiologists, and specialists who consult with a patient's treating physician.) Health plans must provide a notice at the time of enrollment and every three years thereafter, but need not obtain an acknowledgment.

Even when required, the acknowledgment does not have to take a specific form. It may be as simple as the patient's initials on a cover sheet to the provider's privacy notice or her signature on a list or form. It may also be electronic. Providers faced with patients who refuse to sign or to return the acknowledgment may demonstrate good faith by documenting their efforts and the reasons for failure in the patient's record.

Example 25: Dr. Maddux, a geriatrician, refers an elderly patient to a pharmaceutical company that directly administers medication to patients and bills for these services. Dr. Maddux and the pharmaceutical company both provide healthcare services to the patient. Both Dr. Maddux and the pharmaceutical company have direct treatment relationships with the patient. As a result, they both are able to use and disclose PHI about her for treatment, payment, and healthcare operations without her permission unless state or other law provides otherwise. However, they must make a good-faith effort to obtain the patient's written acknowledgment that she has received the provider's notice of privacy practices no later than the time of her first service.

A.

Treatment, payment, and healthcare operations


Let's take a closer look at some of the terms we first discussed in connection with the Privacy Rule's application to direct treatment relationships.

Treatment includes

- providing, coordinating, or managing healthcare and related services
- consultations between healthcare providers relating to a patient
- patient referrals between healthcare providers

Payment includes (but is not limited to) all billing, claims management, reimbursement, and collection activities conducted by or on behalf of the covered entity. It also includes activities by health plans with respect to premium and benefit payments as well as to eligibility and coverage determinations.

Healthcare operations include activities related to the covered entity's primary function as a healthcare provider, health plan, or healthcare clearinghouse. Healthcare operations include (but are not limited to)

- quality assessment and improvement activities
- accreditation, certification, licensing, or credentialing activities
- insurance premium rating and other insurance underwriting activities
- legal, accounting, and audit services
- business planning and development activities
- general management, compliance, and administrative activities

A covered entity may use or disclose PHI for its own treatment, payment, or healthcare operations. A covered entity may release PHI to any healthcare provider for any treatment activities. It may also release PHI to a covered health plan for the recipient's use for payment purposes. A covered entity may also disclose PHI to another covered entity if the recipient needs it for certain healthcare operations purposes, including conducting quality assessment and improvement activities, carrying out population-based analyses related to improving health, and reviewing the competence of healthcare providers. However, these disclosures for health care operations are permitted only to the extent that the recipient has or has had a relationship with the individual who's the subject of the information. If the relationship has ended, disclosure must be limited to data related to the past relationship. These HIPAA rules apply unless state or other law provides otherwise.

Example 26: A covered provider uses PHI to calculate drug costs, discounts, or copayments. Such uses are payment activities if performed with respect to a specific individual, and are healthcare operations if performed in the aggregate for a group of individuals. Therefore, they are permissible under HIPAA without patient permission, unless state or other law provides otherwise.

Example 27: PharmaCo, a pharmaceutical company, manufactures drugs and operates a patient assistance program (PAP) that funds drug treatments for financially needy patients. A covered physician reviews medical records concerning specific patients and contacts the company to discuss whether and how those patients can benefit from its pharmaceuticals. The physician who contacts the program on behalf of a patient is managing the patient's care. The provider would be permitted to make such a treatment disclosure of PHI without patient permission, unless state or other law provides otherwise.

IV.

Uses and Disclosures Requiring Patient Authorization

Under some circumstances that don't directly relate to healthcare, the Privacy Rule requires written authorization to use and disclose PHI. In the next few sections of the handbook, we'll take a closer look at the situations in which this type of permission is required.

A.

General authorization requirements


In general, the Privacy Rule requires PHI to be disclosed when it's requested by the patient and when it's requested by HHS for determining a covered entity's compliance with the Privacy Rule. The rule permits covered entities to use or disclose PHI without patient permission for treatment, payment, and healthcare operations and for certain public-policy-related uses and disclosures discussed later in this handbook. In general, for all other purposes, the Privacy Rule requires patient permission to use and disclose PHI about the patient. Covered entities may use and disclose PHI for facility directories and disclose PHI to persons assisting in an individual's care with patient agreement, which may be given verbally. When patient permission is required but verbal agreement is not appropriate, covered entities must secure an authorization from the patient (or the patient's representative) to use or disclose PHI. With proper authorization, disclosures may be made to any individual or organization, healthcare related or not, consistent with the terms of the authorization.

Other purposes that are not directly related to healthcare and may require authorization include, but are not limited to

- certain marketing activities
- health insurance eligibility or enrollment determinations relating to an individual
- most employment decisions by current or prospective employers
- reporting to financial, life insurance, and other institutions

Covered entities should develop policies and procedures regarding compliance with the patient authorization requirement. These policies and procedures must also address routine and recurring uses and disclosures of PHI, as well as the minimum necessary disclosure standard.

Example 28: Dietary Supplements, a pharmaceutical company, wants to buy a patient list from Dr. Gravida, an obstetrician, for direct product marketing. Because this requested disclosure of PHI is not for treatment, payment, or healthcare operations purposes; for a facility directory; or for people assisting in an individual's care and does not qualify as a public-policy-related disclosure, Dr. Gravida may not disclose PHI to Dietary Supplements without each patient's authorization.

B.

Required language
Authorization forms provided to patients must be written in plain language and must contain all of the following information:

- A specific description of the PHI to be used or disclosed
- The person(s) authorized to make the requested use or disclosure of the PHI
- The person(s) or entities to whom the covered entity may disclose PHI
- The date on which the authorization expires or an event that would cause it to expire
- A description of the patient's right to revoke the authorization and the procedure for doing so
- A statement that information disclosed under the authorization may be redisclosed to third parties that may not be subject to the Privacy Rule
- If signed by a personal representative on the patient's behalf, a description of the representative's legal authority
- A description of each purpose of the authorized use or disclosure
- A notification stating that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on signing the authorization if such conditioning is prohibited by the Privacy Rule, or, if it is permitted by the Privacy Rule, a statement about the consequences of refusing to sign the authorization

Additionally, for marketing authorizations, there must be a statement that a covered entity will receive remuneration for making a disclosure of PHI, if applicable.

Covered entities must keep copies of all authorizations for at least six years from the time they were created or last in effect, whichever is later. If a covered entity seeks an authorization from a patient, it must provide the patient with a copy of the signed authorization.

C.

Contingent authorizations
Healthcare providers generally may not condition treatment on the patient signing an authorization. Health plans likewise generally may not condition enrollment or eligibility decisions on a signed authorization.

Example 29: Belinda sees Dr. Quasar, an orthopedic surgeon, for treatment of a strained ligament in her knee. Before agreeing to treat Belinda, Dr. Quasar tells her that she has to sign an authorization permitting him to sell her medical information to a pharmaceutical company. Because Dr. Quasar may not condition Belinda's treatment on her signing such an authorization, he has violated the Privacy Rule.

There are a few exceptions to this rule. One is that healthcare providers may condition research-related treatment on the patient's authorization to use or disclose PHI for these research purposes. Exceptions such as this are limited, so if you have any questions about their application, make sure to consult your company's internal management or law department.

Example 30: XYZ Pharmaceutical Company sponsors a clinical trial to test the efficacy of one of its pharmaceuticals. A covered dialysis company agrees to conduct the trial. It seeks authorizations from its patients to use and disclose PHI for research purposes and explains that they may not participate in the trial without signing the authorization. The dialysis company may do this because the treatment is associated with a clinical trial and the authorization covers the use and disclosure of PHI for research purposes.

Additionally, when medical treatment is rendered for the sole purpose of providing information to a third party, the covered entity may condition the treatment on the patient's authorization.

Example 31: Dr. Jones agrees with Drug Maker Incorporated to provide employment-related physicals. Because the purpose of the treatment is to provide PHI to Drug Maker, Dr. Jones may condition performing the physicals on receiving the patient's authorization to disclose the results of the exam to the company.

D.

Specific applications

1.

Psychotherapy notes


Subject to certain exceptions, a covered entity may not use or disclose psychotherapy notes for any purpose without first obtaining the patient's authorization to do so. Psychotherapy notes are notes taken during counseling sessions by a licensed mental healthcare provider, such as a psychiatrist or psychologist, and must be kept separate from the rest of the patient's medical record to receive special treatment under the Privacy Rule. Information relating to prescriptions, modalities of treatment, test results, diagnostic summaries, and certain other items are not considered psychotherapy notes. Exceptions to this rule include the healthcare provider's own use of the notes for treatment purposes, and use or disclosure of them for clinical training, professional oversight activities, or purposes otherwise required by law.

Example 32: Dr. Johnson, a psychiatrist, is treating Marcus on an outpatient basis for clinical depression. During each counseling session, Dr. Johnson takes notes on Marcus's complaints, feelings, and observations. Although she uses these notes to form diagnostic opinions and to develop a treatment plan, the notes are kept separate from the rest of Marcus's chart. Dr. Johnson may not use or disclose them without Marcus's express authorization except for use in his treatment, professional training and oversight, and disclosures required by law.

2.

Marketing
In general, a covered entity may use or disclose PHI for marketing purposes only with the patient's authorization. Marketing in this context means a communication about a product or service that encourages people to buy or use the product or service. Marketing also means an arrangement between a covered entity and a third party under which the covered entity discloses PHI to the third party in exchange for payment or other benefit, and the third party uses the PHI to market its products or services.

Communications that describe the healthcare providers that participate in the covered entity's network or the benefits available under a health plan aren't considered marketing and therefore don't require authorization. Additionally, communications for treatment of an individual, for case management or care coordination, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care don't fall under the definition of marketing. Additionally, patient authorization isn't required for marketing activities that occur during face-to-face encounters with the patient or concern products or services of nominal value, such as pens or coffee mugs.

Example 33: A pharmaceutical representative speaks with doctors in a physician practice about the benefits of a product he sells. The representative leaves the practice with several free samples of the pharmaceutical. Based on that conversation, a physician in the practice recommends to a patient that she switch her medication to the pharmaceutical. This use of PHI by the physician is permissible without patient authorization because it involves recommending an alternative treatment and is therefore not considered marketing.

Example 34: An oncology practice sends prescription drug refill reminders to its patients. A pharmaceutical company that manufactures the drugs prescribed by the practice covers the costs of mailing the reminders and the staff time associated with sending them. Because the use and disclosure of PHI for prescription refill reminders is considered treatment, such communications do not qualify as marketing and may be made by the practice without patient authorization.
(Note that while HIPAA permits this use, other laws may impact the ability of a pharmaceutical company to offer remuneration to physician practices, and a pending HIPAA rule change might regulate the amount of the remuneration.) The HITECH Act added some additional restrictions and clarifications about use or disclosure of PHI for marketing. One provision requires that a patient authorization for marketing activities must specify whether PHI can be further exchanged for remuneration by the entity receiving the PHI. What this means is not entirely clear, but it is clear that using authorizations for marketing is more difficult. The new requirement does not apply to public health, research, or certain other activities. A second provision addresses the potential overlap between marketing and certain healthcare operations. It says, essentially, that a covered entity cannot justify some types of marketing as a healthcare operation.

A third provision addresses prescription communications paid for by a third party. It allows communications, such as prescription reminders, only for current drugs. It appears to prohibit so-called switch letters, encouraging a patient to consider taking a different drug. The language may also affect routine advertising on covered entities' websites. Because of the complexity of these marketing restrictions, you should seek advice before engaging in any marketing activities that might involve the use or disclosure of PHI.

3.

Fund-raising conducted for the benefit of the covered entity


In general, covered entities may use or disclose PHI in connection with their own fund-raising efforts only with the patient's authorization. However, covered entities may use demographic information about a patient for fund-raising purposes for their own benefit without patient authorization. For this purpose, the covered entity may use or disclose only basic patient information, such as name, address, and dates of care. Covered entities may not use PHI for fund-raising purposes that relate to a patient's diagnosis or reason for treatment. Patients must be given the opportunity to prohibit or restrict (opt-out of) any future marketing or fund-raising communications. The HITECH Act requires that the opt-out be clear and conspicuous.

V.

Disclosures to the Patient or Others Assisting in His Care


Under certain circumstances, a covered entity may disclose a patient's PHI to a family member, relative, close personal friend, or other person identified by the patient and assisting in the patient's care. In some cases, a covered entity may also disclose PHI to notify, or assist in the notification of, a family member, a personal representative, or another person responsible for the individual's care of the individual's location, general condition, or death. In these situations, covered entities must satisfy specific legal requirements that depend on whether the patient is present and capable of making healthcare decisions.

If the patient is present and capable of making these decisions, the covered entity may disclose PHI to a family member or another person assisting in the patient's care as long as one of the following is true:

- The patient agrees to the disclosure.
- The patient has the opportunity to object to the disclosure and does not.
- The healthcare provider can, based on professional judgment, reasonably infer from the circumstances that the patient does not object to the disclosure.

If the patient is not present, a covered entity may disclose PHI to a person assisting in the patient's care if it determines, based on professional judgment, that the disclosure is in the patient's best interest. The same is true for patients who are unable to make healthcare decisions because of incapacity or emergency. Under these circumstances, however, the covered entity may disclose only the PHI that's directly relevant to the person's involvement in the patient's healthcare.

Example 35: Donna is hospitalized after falling and hitting her head. A bystander who saw the accident calls Donna's coworker, who rushes to the hospital. When the coworker arrives, Donna is unconscious. Donna's physician may disclose PHI to the coworker if, in the physician's professional judgment, disclosing the information to the coworker is in Donna's best interest. The physician, however, may only disclose the PHI directly related to the coworker's involvement in making decisions about Donna's current treatment.

Finally, a covered entity may use or disclose PHI to an entity authorized by law or its charter to assist in disaster relief efforts, for the purpose of coordinating the kinds of disclosures discussed above. The covered entity has to follow the requirements outlined above only to the extent that they do not interfere with the entity's ability to respond to an emergency.

VI.

Uses and Disclosures Without Patient Permission


Under limited circumstances, covered entities may also disclose PHI to help further important public policy objectives. In such instances, the covered entity is not required to obtain the patient's permission. A number of public-policy-related disclosures are permissible. Many of these are described below. You should remember that strict requirements must be met before making such disclosures. You should consult your company's internal management or law department before disclosing PHI for public-policy reasons. A.

Public health activities


A covered entity may disclose PHI related to the quality, safety, or effectiveness of products and activities regulated by the Food and Drug Administration (FDA), as long as the recipient of the information is subject to the FDA's jurisdiction and has responsibility for the safety, quality, or effectiveness of the product or activity. Reports are permitted for the following purposes, among others: (1) to collect or report adverse events, product defects or problems, or biological product deviations; (2) to track FDA-regulated products; (3) to enable product recalls, repairs, or replacement, or for lookback by blood and plasma professionals (including locating and notifying individuals who have received contaminated or defective products); or (4) to conduct post-marketing surveillance.

Example 36: A covered physician using an FDA-regulated medication sent by a pharmaceutical company finds mold in the medication. Because the pharmaceutical company is regulated by the FDA and is responsible for the quality of this product, and the disclosure relates to the quality and safety of the product, the covered physician may disclose the names of patients who received the medication to the pharmaceutical company without patient permission. This enables the company to recall the product.

Example 37: A hospital contacts a pharmaceutical manufacturer to provide a list of patients who prefer a different flavored cough syrup over the manufacturer's product. Because this disclosure would not be for a public health activity, it would not be permissible for the hospital to disclose this information under the exception for public health disclosures.

A covered entity may also disclose PHI to a public health authority authorized to receive PHI for the purposes of preventing or controlling disease, injury, or disability. Public health authorities typically include state health departments, the Centers for Disease Control and Prevention (CDC), the National Institutes of Health (NIH), the Food and Drug Administration (FDA), the Occupational Safety and Health Administration (OSHA), and the Environmental Protection Agency (EPA). A covered entity may disclose PHI to a public health or other governmental authority to report child abuse or neglect. When authorized by law, covered entities may also disclose PHI to people who may have been exposed to a communicable disease. Providers who provide healthcare to an employer's workforce may disclose PHI to employers concerning work-related injuries, for limited purposes, and concerning workplace-injury surveillance activities that may be required by law.

B.

Victims of abuse, neglect, or domestic violence


Covered entities may disclose to government authorities, including social or protective service agencies, PHI about an adult patient whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence. If a report of suspected abuse, neglect, or domestic violence is not otherwise required by law but is expressly permitted, the covered entity must reasonably determine, before disclosing the PHI, that the disclosure is necessary to prevent serious harm to the patient or other potential victims. A covered entity must inform the patient, orally or in writing, that it has disclosed PHI to report abuse. There are two exceptions to this. A covered entity does not have to notify the patient if it reasonably believes that informing her would place her at risk of serious physical or emotional harm. A covered entity also does not have to notify an individual's personal representative if it reasonably believes that the representative is responsible for the abuse or neglect.

C.

Health-oversight activities
Covered entities may also disclose PHI to a health-oversight agency or a person acting on its behalf. A covered entity may also use PHI when it is a health-oversight entity itself. Health-oversight activities may include audits; investigations; inspections; licensure or disciplinary actions; and civil, criminal, and administrative proceedings. These disclosures are encouraged because health-oversight activities are intended to safeguard the integrity and quality of public and private healthcare systems and programs. Investigations that target the patient who's the subject of the PHI aren't considered health oversight activities unless they're related to the receipt of healthcare or to claims for public benefits.

D.

Judicial and administrative proceedings


Covered entities may disclose PHI pursuant to a court order. Without a formal court order, covered entities may disclose PHI in connection with legal proceedings if specific conditions (generally requiring notice to the individual who is the subject of the PHI) are met. As mentioned earlier, the specific requirements governing disclosure of PHI for public-policy purposes are detailed and complex. Prior to disclosing PHI in this context, you should contact your company's internal management and law department to coordinate an appropriate disclosure of information.

E.

Law enforcement
With some limitations, covered entities may also disclose PHI to law enforcement officials in connection with certain law enforcement requests and activities. Generally, these disclosures must relate to

- a requirement by law for the reporting of wounds or injuries or the mandates of a court order, subpoena, or summons
- the identification or location of a suspect, fugitive, material witness, or missing person
- information about the victim of a crime
- evidence of criminal conduct that occurred on the covered entity's premises
- disclosures about deceased persons
- reporting crimes in an emergency

Before disclosing PHI in this context, you should contact your company's internal management and law department to coordinate an appropriate disclosure of information.

F.

Research
In general, a covered provider must obtain an authorization from a patient to use and disclose the patient's PHI for research purposes. Of course, it may use and disclose information that has been de-identified under HIPAA standards without patient permission for any purpose, including research purposes. Additionally, it may use and disclose a limited data set for research purposes without patient permission if the provider enters into a data-use agreement as described earlier in this handbook.

Example 38: A pharmaceutical company would like to secure information from physician practices that administer its drugs for the purposes of a research study. No identifiable information will be released. Assuming the physician practices de-identify the data according to the requirements of the Privacy Rule, they may disclose such information to the pharmaceutical company without patient permission.

There are three exceptions to the rule that a covered provider must obtain an authorization from a patient to use and disclose the patient's PHI for research purposes.

First, the Privacy Rule permits a covered entity to use and disclose PHI without individual authorization for the purpose of preparing a research protocol or similar purpose preparatory to research, if the covered entity obtains representations from the researcher that (1) the disclosure of PHI is solely for the purpose of preparing a research protocol or to prepare for research; (2) no PHI will be removed from the premises of the covered entity by the researcher; and (3) the PHI is necessary to the research purposes.

Example 39: A pharmaceutical company decides to sponsor a clinical trial and contacts a covered dialysis center to see if it would be a suitable place for the study. A representative of the pharmaceutical company comes to the dialysis center to review its medical records in order to assess whether the trial would be feasible. The company has assured the center that (1) no PHI will be removed from the premises; (2) the PHI will be used only to assess the feasibility of the study; and (3) the PHI is necessary to the research. The dialysis center may disclose PHI to the pharmaceutical company for this purpose without patient authorization.

Second, a covered entity may use or disclose PHI of the deceased for research if the researcher represents to the covered entity that the disclosure is solely for research on decedents, if the researcher provides documentation of death (if requested by the covered entity), and if the researcher represents that the PHI is necessary for the research.
Third, a covered entity may use or disclose PHI without patient authorization for research if it receives the prior approval of the covered entity's Institutional Review Board (IRB) or a similarly composed body, called a Privacy Board, altering or waiving the authorization requirement. An IRB is a committee that's generally responsible for overseeing research affecting human subjects. In approving the use or disclosure of PHI for medical research purposes, an IRB must determine each of the following:

- The use or disclosure of PHI involves only minimal risk to the research subjects, including, for instance, that adequate procedures exist to protect PHI from improper use and disclosure.
- The research cannot practicably be conducted without altering or waiving the authorization requirement.
- The research cannot practicably be conducted without access to or use of the PHI.

When assessing minimal risk as identified in the first criterion, an IRB or Privacy Board would have to consider the following factors: (1) an adequate plan to protect identifiers from improper use and disclosure, (2) an adequate plan to destroy identifiers at the earliest opportunity consistent with the research, unless there is a justification for retention, and (3) the adequacy of written assurances against redisclosure. An IRB or Privacy Board is not limited to considering only these factors, however.

The covered entity must obtain documentation of the IRB/Privacy Board's approval of the use of PHI for medical research purposes. This documentation must identify the IRB/Privacy Board, the date of its action, and include a statement that the IRB/Privacy Board determined that its action satisfied the required criteria. Finally, the documentation must include a brief description of the PHI to be used or disclosed in connection with the medical research.

Example 40: A pharmaceutical company decides to sponsor a research study and solicits the help of a health system to conduct the trial. The study involves records research only. An IRB finds that because of the large number of medical records involved, the research cannot be conducted without waiver of the authorization requirement. It finds that other waiver criteria are met and therefore waives the authorization requirement. The health system may disclose PHI to the pharmaceutical company without patient permission because an IRB waived the authorization requirement.

Example 41: A pharmaceutical company decides to sponsor a clinical trial and solicits the help of a health system to conduct it. The study involves clinical treatment. An IRB finds that because patients will receive the drug being studied as part of the trial, the health system could easily secure an authorization from each of the trial subjects. The IRB therefore finds that the research can be conducted without altering or waiving the authorization requirement. Because the waiver criteria cannot be satisfied, the health system may not disclose PHI to the pharmaceutical company without patient permission.

G.

Serious threats to health or safety


Covered entities may use or disclose PHI if they determine that disclosure is necessary to prevent a serious and imminent threat to the health or safety of a person or the public. The disclosure must be made to a person reasonably able to prevent or lessen the threat, including the target of the threat or enforcement officials.

H.

Other public-policy-related disclosures


Finally, covered entities may disclose PHI to serve a number of other public-policy-related purposes. These include disclosures to:

- coroners and medical examiners
- organ procurement, donation, and transplantation organizations
- workers' compensation agencies and programs
- military and intelligence agencies (if the PHI relates to an individual's current or past service)
- the Secret Service for the protection of the President of the United States
- any entity when the disclosure is required by law

These uses or disclosures of PHI are usually subject to many requirements that must be satisfied prior to the use or disclosure of the information. You should direct any questions or concerns you may have to your company's internal management or law department.

VII.

Patient Rights

A.

Right to receive notice of privacy practices


A covered entity must provide patients with a written notice of its privacy practices. Organized healthcare arrangements and affiliated entities that designate themselves as a single entity may develop a uniform joint notice for all of the entities involved. A covered healthcare provider that has a direct treatment relationship with a patient must make a good-faith effort to obtain a written acknowledgment of the receipt of the notice by the individual. If a covered entity is not able to obtain the acknowledgment, it must document its good-faith efforts and explain the reasons why the acknowledgment was not obtained. In emergency situations, covered entities must provide notice as soon as reasonably possible after the emergency.

Example 42: Worldwide Pharmaceuticals runs a mail-order pharmacy that files electronic healthcare claims for the drugs it sells. Worldwide is a covered entity under the Privacy Rule because it provides treatment services and engages in electronic standard transactions. As a covered entity, it must provide notice of its privacy practices to each individual who purchases medications from the mail-order pharmacy.

The Privacy Rule contains specific instruction on information that must be included in the notice and the manner in which it must be provided. Each of these requirements is discussed in the following sections.

1. Content of notice
A notice of privacy practices must be written in plain language and contain the following required information:

- A prominently displayed statement that reads, "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."
- A description of the permitted and required uses and disclosures of PHI that may be made without patient authorization, including at least one example of how the covered entity would use or disclose PHI for each of the following purposes: treatment, payment, and healthcare operations
- A sufficiently detailed description of each of the other purposes for which uses or disclosures are allowed by HIPAA without the individual's written authorization, including any applicable restrictions imposed by other laws
- A statement that all other uses and disclosures will be made only with the patient's written authorization
- An explanation of the patient's privacy rights, including the right to receive confidential communications; to copy and inspect her PHI; to request an amendment of her PHI; to receive an accounting of certain disclosures of PHI; and to request restrictions on a covered entity's use or disclosure of PHI
- If the covered entity plans to engage in certain activities, a description of the activities (for example, fund-raising, providing appointment reminders or treatment-related information, or, in the case of a group health plan, disclosing PHI to the plan sponsor)
- A description of the covered entity's legal obligations to maintain the privacy of PHI, to abide by the terms of its notice of privacy practices, and to inform patients of any changes to the notice
- An explanation of the patient's right to file a complaint with the covered entity or HHS and a statement that the patient will not be retaliated against for filing a complaint
- The name or title, along with the telephone number, of a person or office to contact for further information
- The effective date of the notice

Additionally, to the extent that state or other law restricts an otherwise permissible use or disclosure, the notice must reflect the more restrictive law. Also, if a covered entity decides to limit the uses and disclosures of PHI it may make, the covered entity may describe the more limited uses and disclosures in its notice. However, the entity may not restrict the uses and disclosures it is required to make by law or the uses and disclosures it may make to avert a serious threat to the health or safety of an individual or the public. Importantly, for a covered entity to apply a change in a privacy practice that is described in its notice to PHI obtained prior to issuing a revised notice, the covered entity must have reserved the right to do so in its original notice.

Example 43: Dr. Smith, a cardiologist, conducts research on behalf of a pharmaceutical company. The notice of privacy practices Dr. Smith uses must include provisions that inform patients that he makes disclosures for research purposes.

Covered entities must maintain copies of all issued notices for at least six years from the date they were created or last in effect, whichever is later.

2. Provision of notice
Covered entities must provide notice to all patients, health plan enrollees, and anyone else who requests it. In addition, covered entities must prominently post the notice in their facility or facilities (if they are direct providers with physical service delivery sites), as well as on their websites (if they maintain websites). Covered entities must promptly revise their notice whenever there is a material change in their privacy practices. Covered entities may not implement any material changes in their privacy practices until the effective date of the revised notice.

Healthcare providers in direct treatment relationships must provide notice to all patients no later than their first appointment. They may satisfy this requirement by mailing the notice electronically, as long as the patient has agreed to receive the notice in this manner. If a patient's first encounter with a covered entity is electronic, the covered entity must provide notice in electronic form at that time. Healthcare providers in indirect treatment relationships are only required to provide notice if the patient requests it.

Electronic notice, such as e-mail, must meet certain additional requirements. Importantly, the patient must agree to accept notice in this form. Electronic notice must state that the patient has a right to receive a paper copy upon request. If e-mail transmission fails, the covered entity must provide the patient with a paper copy of the notice.

Example 44: The first time Meg goes to fill a prescription through WebDrugs, a covered Internet pharmacy, WebDrugs must automatically and contemporaneously provide her with the pharmacy's notice of privacy practices.

B.

Right to request restriction on uses and disclosures of PHI


A covered entity must allow patients to request restrictions on the use or disclosure of PHI for treatment, payment, and healthcare operations. This right also applies to disclosures made to those assisting in the patient's care, such as family members and friends. The covered entity, however, is not required to agree to the requested restriction. But if the covered entity accepts the restriction, it must honor the patient's request. The restriction is only binding on the covered entity that agrees to it.

Example 45: Andrew requests that Hilltop Hospital never disclose PHI to a pharmaceutical company for treatment purposes. Once Hilltop agrees to such a restriction, it is prohibited from disclosing PHI to a pharmaceutical company for treatment purposes, even if the disclosure would otherwise be allowed under the Privacy Rule.

A covered entity that agrees to a requested restriction must document the restriction and keep it on file for at least six years from the date it was created or last in effect, whichever is later. If a patient needs emergency treatment and restricted PHI is necessary to a healthcare provider to provide that treatment, a covered entity may use or disclose PHI to the provider. The covered entity must, in this case, request that the healthcare provider refrain from using or disclosing the restricted information further.

A change by the HITECH Act requires covered entities to agree to a patient request to restrict disclosures to a health plan for purposes of carrying out payment or healthcare operations if the PHI pertains solely to a healthcare item or service that the patient has paid for out of pocket in full. An individual cannot prevent any such disclosure required by law, however.

C.

Receipt of confidential communications


A covered entity must allow a patient to request the means by which and locations where the patient wishes to receive communications of PHI from the covered entity. In addition, it must accommodate reasonable requests to receive this information in different forms (for example, written or electronic) or at different locations. All reasonable requests must be accommodated. Covered entities may require the patient to make these requests in writing.

D.

Right of access to PHI

1. Right of access


Patients generally have the right to inspect and copy PHI. A covered entity may require the patient to request access in writing. Exceptions to this right of access include psychotherapy notes, information related to legal proceedings, and certain information related to the operations of clinical laboratories. The right of access exists as long as the covered entity maintains the PHI.

In addition, there are certain circumstances in which a covered entity may deny an access request. For example, a covered entity may deny a patient access to his PHI if the access is likely to endanger the life or safety of the patient or someone else. Correctional institutions may deny inmates access to their PHI for health and safety reasons. In addition, a covered entity may temporarily deny an access request when the patient is receiving treatment in an ongoing clinical research trial if the patient agreed to such a restriction. A request may also be denied to protect a confidential source of information.

Example 46: Katrina is enrolled in an ongoing clinical trial for a new medication. When she enrolled, the hospital conducting the research informed her that her access would be restricted while she was participating in the trial but would be reinstated after it was completed. Katrina consented to that restriction. During the trial, Katrina requests access to her PHI. The hospital may deny her request, but must provide her with the information after the clinical trial is completed.

In certain situations, a patient has the right to a formal review of the decision denying access to PHI. These situations usually involve denials based on potential harm to the patient or others. Reviews of access denials must be performed by a licensed healthcare professional who did not participate in the original decision and who is designated by the covered entity to serve in this capacity. The reviewing healthcare provider must determine, within a reasonable period of time, whether or not to deny the access requested. The covered entity must provide the patient with written notice of the reviewing decision.

2. Provision of access
If a covered entity agrees to grant access, it must try to provide the PHI in the form requested by the patient. If the PHI is not available in this form, the covered entity must produce a legible copy in an agreed-upon form. The HITECH Act added a requirement for information maintained in an electronic health record. A patient has the right to obtain that information from a covered entity in an electronic format. The individual may also direct the covered entity to transmit the information to a designated entity or person. The fee for providing an electronic copy cannot exceed the covered entity's labor cost for responding to the request. A covered entity may provide the patient with a summary of the PHI rather than provide access to it, as long as the patient has agreed in advance to accept a summary. In addition, a covered entity may charge the patient a reasonable fee for the summary. Again, the patient must have agreed to the charge in advance. Patients may also be charged a reasonable fee for copying, including the cost of supplies and labor of copying and postage, if applicable. The fee may not include charges for retrieving, handling, or processing the information.

3. Denial of access
When a covered entity denies an access request, it must give the individual access to any other PHI requested, after excluding PHI for which it has a basis for denial. A denial of access must be in writing and explain the basis for the denial. If applicable, the denial must state that the individual may have the denial reviewed. Finally, it must explain how the patient may file a complaint to the covered entity or to HHS. If the covered entity does not maintain the requested PHI, it must inform the patient where to direct the request for access, if it knows.

E.

Right to request amendment of PHI


A covered entity must allow patients the opportunity to request changes to their PHI, for as long as the entity maintains this information. There are certain exceptions to this right. A covered entity may deny this request if it did not create the PHI. If the creator of the PHI is no longer available to act on the request, however, the covered entity must treat the request as though it did create the PHI. A covered entity may deny a request for amendment if it determines that the PHI to which the request applies is accurate and complete. Finally, a covered entity may deny these requests if the patient doesn't have the right to access the information under the Privacy Rule. Covered entities must act on a patient's request within 60 days of receiving it. If the covered entity can't meet this deadline, it may extend the deadline by no more than 30 days after providing notice to the individual of the reason for delay and the date by which it will comply with the request. Upon making its decision, the covered entity must inform the patient whether it will agree to the request. If it does agree, it then must make the amendment and inform the patient, persons identified by her as having received PHI needing the amendment, and persons, including business associates of the covered entity, who might use the information to the detriment of the individual. If a covered entity denies the request, it must state the reasons for the denial in writing. The written denial must also describe the patient's right to submit a statement disagreeing with the denial and the procedures for submitting such a statement, as well as the patient's right to file a complaint with the covered entity and HHS. The denial must also state that if the patient does not submit a statement of disagreement, she may request that the covered entity provide her amendment request whenever it uses or discloses the PHI that's the subject of her request in the future.

F.

Right to receive an accounting of PHI disclosures


Patients generally have the right to receive an accounting of disclosures of their PHI made by a covered entity, including those by or to a business associate. This right generally covers disclosures made within six years preceding the accounting request. However, except as noted below, covered entities don't have to account for disclosures for treatment, payment, or healthcare operations purposes. In addition, the patient's right to receive an accounting may be temporarily suspended if the disclosure was made to a health oversight or law enforcement agency and the requested accounting would reasonably impede the agency's activities.

The HITECH Act, however, made several changes to these accounting rules. First, the exception for disclosures for treatment, payment, or healthcare operations purposes no longer applies to disclosures made from an electronic healthcare record. However, the obligation to report such disclosures goes back only three years, not six. Second, the Privacy Rule added a new way to provide an accounting to a requesting patient. As before, it can provide a complete accounting to a patient that includes all disclosures made by the covered entity and its business associates. In the alternative, the HITECH Act also allows a covered entity to report only its own disclosures and to provide the requesting patient with a list of names and addresses of business associates. These changes must be implemented between 2011 (for newer systems) and 2014 (for older systems). Many questions about the new accounting requirements remain to be answered by HHS regulations.

To comply with the Privacy Rule, an accounting must include a brief statement of the purpose of and basis for the disclosure, the date of the disclosure, the name of the person or entity that received the PHI, and a brief description of the PHI disclosed. For multiple disclosures to the same recipient, a summary addressing all such disclosures is permitted.

Example 47: Valley Hospital discloses the same PHI to a pharmaceutical company for public health activities every month. The hospital can account for those disclosures by including in the accounting the date of the first disclosure; the name of the pharmaceutical company and its address; a brief description of the information disclosed; a brief description of the purpose of the disclosures or, if applicable, a copy of the request for such disclosure; the fact that the disclosures were made every month; and the date of the most recent disclosure.

If a covered entity has made disclosures of PHI for a particular research purpose for 50 or more patients, the accounting may provide the following information instead of information specific to each and every disclosure made for research purposes:

- The name of the protocol or other research activity
- A brief, plain-language description of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records
- A brief description of the type of PHI disclosed
- The date or period of time when the disclosures occurred, including the date of the last disclosure during the accounting period
- The name, address, and telephone number of the entity that sponsored the research (such as a pharmaceutical company) and of the researcher who received the PHI
- A statement that the PHI may or may not have been disclosed for a particular protocol or other research activity

A covered entity has 60 days to respond to a request for an accounting. If it is not able to do so within 60 days, it may request a one-time 30-day extension, as long as it provides the patient with the reason for the delay and the date by which it will provide the accounting. Individuals have a right to receive one free accounting per 12-month period. For each additional request by an individual within the 12-month period, the covered entity may, with prior notice, charge a reasonable, cost-based fee.
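The accounting rules above (the six-year look-back, the treatment/payment/operations exclusion with its HITECH carve-out for disclosures from an electronic record, the summary for repeated disclosures to one recipient in Example 47, the protocol-level summary for research on 50 or more patients, and the 60-day response clock) can be tied together in code. The following is an added example written for this page; it is not code from the handbook or from any covered entity. It assumes, hypothetically, that the entity keeps a disclosure log with one record per disclosure event; the Disclosure record layout, the function names, and the sample log are all constructed for the illustration.

```python
"""Accounting-of-disclosures builder (added example; hypothetical design).

Assumes, for illustration only, that the covered entity keeps a disclosure log
with one Disclosure record per event. Record fields, function names and the
sample log are constructed for this example, not taken from the handbook.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TPO_PURPOSES = {"treatment", "payment", "healthcare operations"}
RESEARCH_SUMMARY_THRESHOLD = 50   # research on 50+ patients may be reported per protocol


@dataclass(frozen=True)
class Disclosure:
    when: date
    patient_id: str
    recipient: str                  # person or entity that received the PHI
    address: str
    purpose: str                    # e.g. "public health", "research", "treatment"
    description: str                # brief description of the PHI disclosed
    from_ehr: bool = False          # disclosed from an electronic health record?
    protocol: Optional[str] = None  # research protocol name, for research disclosures


def years_before(d: date, n: int) -> date:
    """Same calendar day n years earlier (29 February falls back to 28 February)."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def is_accountable(d: Disclosure, patient_id: str, asked_on: date) -> bool:
    """Look-back rules as the handbook states them: six years in general;
    treatment, payment and operations disclosures are excluded unless made
    from an EHR, in which case the HITECH look-back is three years."""
    if d.patient_id != patient_id:
        return False
    if d.purpose in TPO_PURPOSES:
        return d.from_ehr and d.when >= years_before(asked_on, 3)
    return d.when >= years_before(asked_on, 6)


def build_accounting(log, patient_id, asked_on, protocol_patient_counts):
    """Return the accounting entries (dicts) for one patient.

    protocol_patient_counts maps a research protocol to the number of patients
    whose PHI the entity disclosed under it; the entity tracks this itself.
    """
    groups = {}   # (recipient, purpose, protocol) -> disclosures, oldest first
    for d in sorted(log, key=lambda x: x.when):
        if is_accountable(d, patient_id, asked_on):
            groups.setdefault((d.recipient, d.purpose, d.protocol), []).append(d)

    entries, research = [], {}   # research: one summary entry per protocol
    for (recipient, purpose, protocol), ds in groups.items():
        first, last = ds[0], ds[-1]
        if purpose == "research" and protocol_patient_counts.get(protocol, 0) >= RESEARCH_SUMMARY_THRESHOLD:
            entry = research.get(protocol)
            if entry is None:
                entry = {"kind": "research-summary", "protocol": protocol, "recipients": [],
                         "description": first.description, "first_date": first.when,
                         "last_date": last.when,
                         "note": "PHI may or may not have been disclosed for this protocol"}
                research[protocol] = entry
                entries.append(entry)
            entry["recipients"].append((recipient, first.address))  # sponsor and researcher
            entry["first_date"] = min(entry["first_date"], first.when)
            entry["last_date"] = max(entry["last_date"], last.when)
        elif len(ds) == 1:
            entries.append({"kind": "single", "date": first.when, "recipient": recipient,
                            "address": first.address, "purpose": purpose,
                            "description": first.description})
        else:   # repeated disclosures to one recipient: summarise as in Example 47
            entries.append({"kind": "multiple", "first_date": first.when, "last_date": last.when,
                            "count": len(ds), "recipient": recipient, "address": first.address,
                            "purpose": purpose, "description": first.description})
    return entries


def response_deadline(received: date, extension_notice_sent: bool = False) -> date:
    """60 days to respond, plus one 30-day extension if the patient was told the
    reason for the delay and the date the accounting will be provided."""
    return received + timedelta(days=90 if extension_notice_sent else 60)


def fee_permitted(accountings_in_prior_12_months: int) -> bool:
    """First accounting in a 12-month period is free; later ones may carry a
    reasonable, cost-based fee after prior notice."""
    return accountings_in_prior_12_months >= 1


# Constructed sample log (not real data), loosely following Example 47.
ASKED_ON = date(2013, 6, 1)
SAMPLE_LOG = [Disclosure(date(2012, m, 15), "P-100", "PharmaCo", "1 Main St",
                         "public health", "monthly adverse-event report") for m in range(1, 13)] + [
    Disclosure(date(2011, 7, 1), "P-100", "Dr. Jones", "2 Clinic Rd", "treatment", "lab results", from_ehr=True),
    Disclosure(date(2009, 7, 1), "P-100", "Dr. Jones", "2 Clinic Rd", "treatment", "lab results", from_ehr=True),
    Disclosure(date(2013, 1, 1), "P-100", "Dr. Jones", "2 Clinic Rd", "treatment", "lab results"),
    Disclosure(date(2006, 1, 1), "P-100", "PharmaCo", "1 Main St", "public health", "old report"),
    Disclosure(date(2012, 3, 3), "P-100", "Dr. Lee", "3 Lab Ave", "research", "visit notes", protocol="PROTO-X"),
    Disclosure(date(2012, 4, 3), "P-100", "SponsorCo", "4 Corp Blvd", "research", "visit notes", protocol="PROTO-X"),
    Disclosure(date(2012, 5, 5), "P-200", "PharmaCo", "1 Main St", "public health", "another patient"),
]
PROTOCOL_PATIENT_COUNTS = {"PROTO-X": 120}

if __name__ == "__main__":
    for e in build_accounting(SAMPLE_LOG, "P-100", ASKED_ON, PROTOCOL_PATIENT_COUNTS):
        print(e)
```

In the sample log the paper-record treatment disclosure and the EHR treatment disclosure older than three years both drop out, the twelve monthly public-health disclosures collapse into one summary entry, and the two research disclosures under the same protocol become a single protocol-level entry because the protocol covers more than 50 patients. The response-deadline and fee helpers are deliberately separate from the accounting itself so the request-handling workflow can call them without rebuilding the accounting.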

G.

Right to receive notice of a breach of PHI


As we've seen, patients have the right to be informed of their covered entity's privacy policies. But what happens if despite those policies, there's an unauthorized transfer, use, or other breach of the protected information? The HITECH Act provided the answer to this question.

A breach is the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of the information. Something compromises the security or privacy of PHI if it poses a significant risk of financial, reputational, or other harm to the individual. Thus, a covered entity may use and document a risk assessment to determine if a breach will cause significant harm to the individual and require notification. In the absence of sufficient risk of harm, a breach is not a breach under the rule.

If the breach poses a significant risk of harm to the individual involved, the company must notify the individual of the breach. This notice must include, among other things, a brief description of what happened, the types of PHI involved, and any steps the individual should take. The notice must be given without unreasonable delay, and in any event within 60 days after the breach was discovered or should have been discovered. And in some cases, the company may also have to notify the federal government and local media. Business associates must also notify their covered companies of any breach of PHI they become aware of.

The breach notification requirement only applies to a breach of unsecured PHI. PHI is unsecured if it is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology (such as the use of approved forms of encryption) specified by the Secretary of Health and Human Services in its guidance. The Secretary's initial guidance is at http://edocket.access.gpo.gov/2009/pdf/E9-9512.pdf.

Breach notification is also not required for:

- the use or disclosure of a limited data set that excludes the individual's birth date and zip code
- certain inadvertent uses or disclosures of PHI that don't result in a violation of the Privacy Rule
- the inadvertent disclosure of PHI to someone who isn't likely to be able to retain it (for example, because it was mailed to the wrong address and returned by the Post Office unopened)
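The breach determination above (unsecured PHI, the three exclusions, the documented risk assessment, the business associate's duty to report, and the 60-day notice clock) reads naturally as a triage checklist that records the reason for each decision. The following is an added example, not code from the handbook or from any covered entity; it encodes the standard exactly as this handbook states it, and the Incident record, the function names, and the sample incidents are constructed assumptions.

```python
"""Breach-notification triage, following the HITECH rule as the handbook states it.

Added illustration, not code from the handbook or any covered entity. The
Incident fields, function names and sample incidents are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Incident:
    discovered: date                   # when the breach was, or should have been, discovered
    unauthorized_phi_exposure: bool    # unauthorized acquisition, access, use or disclosure of PHI
    secured_per_hhs_guidance: bool     # e.g. encrypted with an approved method (not "unsecured PHI")
    limited_data_set_no_dob_zip: bool  # limited data set excluding birth date and zip code
    inadvertent_no_rule_violation: bool
    recipient_could_not_retain: bool   # e.g. misdirected mail returned unopened
    significant_risk_of_harm: bool     # outcome of the documented risk assessment
    found_by_business_associate: bool = False


def triage(inc: Incident) -> Tuple[bool, str]:
    """Decide whether individual notification is required and record why.

    The safe harbor and the exclusions are checked before the risk assessment,
    so a secured (encrypted) data set or an excluded scenario never reaches
    the harm test, and the recorded reason says which rule ended the analysis.
    """
    if not inc.unauthorized_phi_exposure:
        return False, "no unauthorized acquisition, access, use or disclosure of PHI"
    if inc.secured_per_hhs_guidance:
        return False, "PHI was secured per HHS guidance; the rule applies only to unsecured PHI"
    if inc.limited_data_set_no_dob_zip:
        return False, "limited data set without birth date and zip code"
    if inc.inadvertent_no_rule_violation:
        return False, "inadvertent use or disclosure that did not violate the Privacy Rule"
    if inc.recipient_could_not_retain:
        return False, "recipient was not reasonably able to retain the PHI"
    if not inc.significant_risk_of_harm:
        return False, "risk assessment found no significant risk of harm; not a breach under the rule"
    return True, "breach of unsecured PHI with significant risk of harm"


def notify_parties(inc: Incident) -> List[str]:
    """Who must be told: a business associate reports every breach it becomes
    aware of to its covered entity; the individual is notified when triage says so."""
    parties = ["covered entity"] if inc.found_by_business_associate else []
    if triage(inc)[0]:
        parties.append("individual")
    return parties


def individual_notice_deadline(inc: Incident) -> date:
    """Without unreasonable delay, and in any event within 60 days of discovery."""
    return inc.discovered + timedelta(days=60)


# Constructed sample incidents (not real events).
LOST_ENCRYPTED_LAPTOP = Incident(date(2013, 3, 1), True, True, False, False, False, True)
MISDIRECTED_MAIL_RETURNED = Incident(date(2013, 3, 1), True, False, False, False, True, True)
EXPOSED_CLAIMS_EXPORT = Incident(date(2013, 3, 1), True, False, False, False, False, True,
                                 found_by_business_associate=True)

if __name__ == "__main__":
    for name, inc in [("lost encrypted laptop", LOST_ENCRYPTED_LAPTOP),
                      ("misdirected mail", MISDIRECTED_MAIL_RETURNED),
                      ("exposed claims export", EXPOSED_CLAIMS_EXPORT)]:
        required, reason = triage(inc)
        print(name, "->", required, "|", reason, "|", notify_parties(inc))
```

The encrypted-laptop case shows why the safe harbor matters operationally: an approved encryption method keeps the lost data out of the "unsecured PHI" category entirely, so no harm assessment is even reached. The returned-mail case exercises one of the three exclusions, and the exported-claims case found by a business associate produces both the report to the covered entity and the individual notice, with its deadline counted from the discovery date.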

Vendors of personal health records (PHR), and other PHR-related entities not covered by HIPAA, are also subject to breach notification requirements under the HITECH Act. These rules, issued by the Federal Trade Commission, are similar to those for HIPAA-covered entities, but there are some differences. For example, the non-HIPAA rule may require notification even if there's no evidence of a significant risk of harm from the breach. In any event, both the HIPAA and non-HIPAA notification rules are lengthy and complex. You should be sure to consult your company's law department or other designated party if you have any questions.

VIII.

Administrative Requirements

The Privacy Rule imposes numerous administrative requirements on covered entities, which include:

A.

Designating privacy personnel


Covered entities must designate a privacy official who has responsibility for the development and implementation of privacy policies and procedures. In addition, covered entities must designate a contact person. The contact person is responsible for receiving privacy-related complaints and providing information on the covered entity's privacy practices. The privacy official may serve as the contact person.

B.

Training
A covered entity must train all members of its workforce on its policies and procedures with respect to PHI within a reasonable time after they join the entity's workforce. Retraining of all members of the workforce is required when a covered entity makes a material change to its privacy policies. Finally, covered entities must document that training has been provided.

C.

Safeguards
Covered entities are also required to establish administrative, technical, and physical safeguards to protect PHI against any improper uses or disclosures. They must also reasonably safeguard PHI to limit incidental uses or disclosures that result from an otherwise permitted or required use or disclosure.

The HIPAA Security Rule, applicable to the same covered entities as the Privacy Rule, provides more detail with respect to electronic PHI.

Example 48: A covered pharmaceutical company must, under the Privacy Rule, safeguard PHI against improper or inadvertent uses or disclosures. It may, for example, decide to shred documents, require that doors to medical records departments remain locked, and limit personnel in restricted document areas.

D.

Complaint process
A covered entity must provide a process individuals can use to file complaints concerning the entity's policies and procedures related to PHI or its compliance with its policies and procedures or the Privacy Rule. All complaints concerning the improper use or disclosure of PHI, as well as the final resolution of complaints, must be documented.

E.

Sanctions
Under the Privacy Rule, a covered entity must develop and enforce sanctions against its employees who fail to follow its policies and procedures related to PHI or who violate the rule. Additionally, the Privacy Rule requires a covered entity to mitigate, to the extent possible, any harmful effect it knows of that has resulted from its or its business associate's use or disclosure of PHI that is in violation of its policies and procedures or of the Privacy Rule.

F.

Intimidating and retaliatory acts


The Privacy Rule prohibits retaliation against patients or any other person who files a complaint with HHS. It prohibits retaliation against individuals for testifying, assisting, or participating in certain investigations, compliance reviews, proceedings, and hearings under the Administrative Simplification provisions of HIPAA. Retaliatory acts are prohibited against anyone opposing any act or practice made unlawful by the Privacy Rule, as long as the person has a good-faith belief that the opposed practice is unlawful and the manner of opposition is reasonable and does not involve an unauthorized disclosure of PHI. HHS also prohibits retaliatory actions against patients who exercise any right granted by the Privacy Rule, including the right to file a complaint with the covered entity.

G.

Waiver of rights
A covered entity may not require individuals to waive their rights to file a complaint with HHS or their other rights under certain sections of the Privacy Rule as a condition of providing treatment, payment, enrollment in a health plan, or eligibility for benefits.

H.

Policies and procedures

A covered entity must implement policies and procedures with respect to PHI that are reasonably designed to comply with the standards, implementation specifications, and other requirements of the Privacy Rule, taking into account the size of the covered entity and the nature of the activities undertaken by it that relate to PHI. However, the policies and procedures may not be interpreted to permit or excuse any action that violates the Privacy Rule.

Where the covered entity has stated in its notice that it reserves the right to change information practices, the new practice may be applied to information created or collected before its effective date. The Privacy Rule also sets forth the conditions for making changes if the covered entity has not reserved the right to change its practices. Covered entities are required to modify their policies and procedures in a prompt manner to comply with changes in relevant law. Entities are also required to change the notice where the change also affects the practices stated in it. These requirements, however, may not be used by a covered entity to excuse a failure to comply with applicable law.

The Privacy Rule also requires that the policies and procedures be maintained in writing, and that any other required communication, action, activity, or designation that must be documented in writing be maintained. The Privacy Rule states that covered entities must retain any required documentation for at least six years (the statute of limitations period for the civil penalties) from the date of its creation or the date when the document was last in effect, whichever is later. HHS notes that this approach is consistent with the one recommended by the Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance.

I.

Exception for certain group health plans


A group health plan that provides benefits solely through an insurance contract with an HMO issuer or an HMO, and that does not create, receive, or maintain PHI other than summary health information or information regarding enrollment and disenrollment, is not subject to the administrative requirements discussed above except for documentation retention requirements relating to plan documents.

IX. Use of PHI Collected or Created Prior to April 14, 2003

Pursuant to an authorization or other express legal permission obtained prior to April 14, 2003, a covered entity may use or disclose PHI created or received prior to the compliance deadline of April 14, 2003, assuming the authorization explicitly permits the use or disclosure and there is no agreed-upon restriction. In addition, a covered entity may use or disclose, for a specific research study, PHI that is created or received either before or after the compliance date (as long as there's no agreed-upon restriction) if the entity has obtained, before the compliance date, an authorization or other express legal permission from a patient to use or disclose PHI for the research study, informed consent to participate in the research, or an IRB waiver of informed consent for the research. Note that uses or disclosures of individually identifiable health information made prior to the compliance date aren't subject to sanctions, even if they were made according to documents or permissions that don't meet the requirements of this rule or were made without permission. The Privacy Rule impacts only the future effectiveness of the previously obtained consents, authorizations, or permissions.

X. Relationship to State Laws


Any state law that is contrary to the federal requirements established under the Administrative Simplification provisions of HIPAA, including the provisions on privacy, is preempted. However, there are several exceptions to this, where a conflicting state law would nevertheless apply instead of the federal requirements. First, there is an exception when HHS determines that a state law is necessary for any one of the following purposes:

- To prevent fraud and abuse related to the provision of or payment for healthcare
- To ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation
- For state reporting on healthcare costs
- For other purposes serving a compelling need related to public health, safety, or welfare, and, if a standard, requirement, or implementation specification is at issue, if HHS determines that the intrusion into privacy is warranted when balanced against the need to be served

Second, there is an exception for state laws that regulate the manufacture, registration, distribution, dispensing, or other control of controlled substances. Third, there is an exception for state laws that require the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention. Fourth, there is an exception for state laws that require a health plan to report or provide access to information for the purpose of management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification.

Example 49: A state law requires a provider to disclose data about certain contagious diseases to a public health agency. This law would not be preempted under the Privacy Rule because of the exception for state laws that require data reporting.

Finally, the Privacy Rule provides that if a state law relates to the privacy of health information and is more stringent than federal requirements, it is not preempted. In this way, the Privacy Rule creates a floor of federal privacy protection and is not intended to supersede other applicable law that provides greater protection to the confidentiality of health information.

B. When is a provision of state law contrary to an analogous federal requirement?


Under the Privacy Rule, a state law is contrary to a federal privacy requirement when (1) a covered entity would find it impossible to comply with both the state and federal requirements or (2) the provision of state law stands as an obstacle to the accomplishment and execution of the purposes and objectives of the Administrative Simplification provisions, including the Privacy Rule.

Example 50: A state law requires patient permission to disclose health information for research purposes. This state law would not be preempted by the Privacy Rule even though the rule allows for disclosures of PHI for research purposes without patient permission in some circumstances, because the law is not contrary to the Privacy Rule. Providers can comply with both laws by securing patient permission.

Example 51: A state law does not allow patients access to their medical records, while HIPAA would require access to be given. Because a provider cannot follow both laws, the state law is contrary to HIPAA and therefore preempted by HIPAA. This means the provider must follow HIPAA, the federal law, rather than the state law.

C. What qualifies as state law?


State law, as defined by the Privacy Rule, means a constitution, statute, regulation, rule, common law, or other state action having the force and effect of law.

D. When does a state law relate to the privacy of health information?


A state law relates to the privacy of health information if it has the specific purpose of protecting the privacy of health information or affects it in a direct, clear, and substantial way.

E. When is a state law more stringent than a federal requirement?


In general, "more stringent" means providing greater privacy protection. A state law is more stringent than federal law if it establishes greater limitations on disclosures, creates more individual rights with respect to PHI, or provides patients greater access to their PHI than the federal law does.

F. Administrative determinations
The Privacy Rule sets forth a process under which a state or individual may submit a written request to HHS to make a determination under the first preemption exception discussed above. Exception determinations are effective until either the underlying federal or state laws materially change or the exception is revoked by HHS, based on a determination that the grounds supporting the exception no longer exist.

XI. Enforcement and Penalties

Under HIPAA, the penalties for violating the Privacy Rule are severe. The penalties were increased by the HITECH Act and now apply to business associates as well as covered entities. Depending on the nature of the violation, the penalties include:

- A civil penalty ranging from $100 to $50,000 per person per violation, and up to $1.5 million per person for violations of a single standard in one year
- A criminal fine of not more than $50,000 and/or imprisonment of not more than one year for wrongful disclosure of PHI
- A criminal fine of not more than $100,000 and/or imprisonment of not more than five years if the disclosure is under false pretenses, for example, when a person lies about his identity
- A criminal fine of not more than $250,000 and/or imprisonment of not more than ten years if a person intends to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm

In addition, states can sue to stop HIPAA violations and recover damages on their residents' behalf.

CONFIDENTIALITY UNDER HIPAA: USING INFORMATION


INTRODUCTION
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the healthcare industry to adopt, among other things, national standards for electronic healthcare transactions, unique health identifiers, and security. These rules are collectively known as the Administrative Simplification provisions. An important part of the Administrative Simplification provisions is the Privacy Rule. The Privacy Rule establishes comprehensive privacy standards for protected health information (PHI) that individuals and organizations involved in healthcare delivery or payment for healthcare services must follow. Separate HIPAA rules address security requirements for electronic PHI. The Privacy Rule covers all PHI, whether electronic, written, or oral. As we'll explain in this handbook, the HIPAA Privacy Rule applies to many individuals and entities that store or transmit PHI.

This handbook will help you understand HIPAA's privacy requirements. Following an introductory discussion of the individuals, organizations, and PHI subject to the Privacy Rule, we will address the range of proper and improper uses and disclosures of PHI under HIPAA. This latter discussion will encompass uses and disclosures of PHI that require patient permission and those that do not. We will also cover other HIPAA privacy requirements, including privacy notices, access and correction rights, and administrative requirements. We will discuss HIPAA's impact on state laws that protect the confidentiality of healthcare information. Finally, we'll review the legal penalties and sanctions for failing to comply with HIPAA.

This handbook provides a general overview of the HIPAA Privacy Rule. It does not provide legal advice or guidance regarding how you should act in a particular situation that involves the use or disclosure of patient information. HIPAA is a complex law subject to subtleties and nuances that cannot be completely covered in a treatment of this kind.
Always consult your internal management and law department about any questions or concerns you have about the use or disclosure of patient information. Some changes to the law were made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law No: 111-5). These changes will be discussed as appropriate. The changes have variable effective dates, and most await guidance or regulations from the Department of Health and Human Services. Some provisions (e.g., breach notification) are already effective. Interpretations of new provisions are tentative until the Department of Health and Human Services (HHS) issues definitive guidance.

INDIVIDUALS AND ORGANIZATIONS

I. Patients
The Privacy Rule protects the confidentiality of certain types of health information known as protected health information (PHI). HIPAA gives individuals a bundle of privacy rights. The rule uses the term individual to refer to those who have privacy rights. Often, individual means patient. However, those covered by health insurance also have HIPAA privacy rights, and they are not patients in that context. That's why the term individual is used formally, but for present purposes, the terms individual and patient are interchangeable.

Example 1: John is admitted to Mercy Hospital for an appendectomy. The Privacy Rule protects the confidentiality of his PHI and gives him certain rights with respect to this health information.

Sometimes, as a result of age or legal incompetence, a patient cannot exercise his or her own privacy rights. In this situation, a personal representative, such as a parent, legal guardian, or other authorized person may act on the patient's behalf and exercise the patient's privacy rights under HIPAA. If a personal representative is authorized generally to make healthcare decisions, then the personal representative may have access to the individual's protected health information regarding healthcare. If the personal representative's authority for healthcare decisions is limited, then the representative's access is similarly limited.

Example 2: Miriam has been diagnosed with Alzheimer's disease, a condition that prevents her from understanding her treatment and communicating with her healthcare providers. Miriam's son, Wayne, has been appointed as her legal guardian. As her personal representative, Wayne may exercise Miriam's privacy rights on her behalf.

Healthcare providers and organizations subject to the Privacy Rule generally must treat a personal representative as the patient's surrogate decision maker. However, if the healthcare provider reasonably determines, using professional judgment, that it is not in a patient's best interest to treat an individual as a personal representative and reasonably believes the individual has abused or will endanger the patient, it may refuse to accept the personal representative's decision-making authority.
For a minor (as defined by state law and typically under 18 years old), a parent or legal guardian may generally have access to PHI about the minor, as the minor's personal representative, when such access is not inconsistent with state or other law. In three situations, the parent or guardian would not be the minor's personal representative: 1) when the minor consents to care and the consent of others is not required under state or other applicable law; 2) when the minor obtains care at the direction of a court; or 3) when, and to the extent that, the parent or guardian agrees that the minor and the healthcare provider may have a confidential relationship. Even in these situations, the parent or guardian may have access to the minor's PHI when state or other applicable law requires or permits the access, and access must be denied when the law prohibits it. When the law is silent, a healthcare provider may exercise professional judgment, to the extent allowed by law, to grant or deny a parent or guardian access to the minor's PHI.

The Privacy Rule applies to PHI about deceased individuals, as long as a healthcare provider or organization maintains this information. Decisions regarding the privacy rights of deceased individuals are left to their personal representatives.

II. Covered Entities and Business Associates


The Privacy Rule's legal requirements apply to covered entities and business associates. We explain each of these terms below.

A. Covered entities
The Privacy Rule defines covered entities to include certain healthcare providers, as well as all health plans and healthcare clearinghouses.

1. Healthcare providers
A healthcare provider is an individual or organization that is recognized by Medicare as a provider, or any other individual or organization that provides, bills, or is paid for healthcare services in the normal course of business. Healthcare providers include hospitals, skilled nursing facilities, home health agencies, physicians, outpatient facilities, clinical laboratories, pharmacies, medical equipment suppliers, and other licensed/certified healthcare professionals. The Privacy Rule applies only to healthcare providers that electronically transmit PHI in connection with specified healthcare transactions. Fax transmissions are not electronic transmissions under the rule. Transactions that trigger the Privacy Rule's requirements include:

- healthcare claims (including attachments) and status reports
- payment and remittance advice
- determination of eligibility for health plan benefits
- referral certifications and authorizations
- first reports of injury
- health plan enrollment, disenrollment, eligibility for health plan coverage, and premium payments
- coordination of health benefits

Example 3: Mercy Hospital's billing office submits all claim forms to private health insurance companies through a secured Internet connection. The Privacy Rule applies to Mercy Hospital.

Example 4: Dr. Lomax, a primary care physician, refers a patient to Dr. Small, a neurosurgeon. In connection with the referral, Dr. Lomax sends an e-mail message to Dr. Small explaining the patient's current condition and need for a specialist evaluation. That e-mail is not one of the standard electronic transactions that, by itself, triggers the Privacy Rule. Therefore, unless Dr. Lomax performs electronically any of the transactions listed above, the Privacy Rule would not apply to Dr. Lomax. However, if Dr. Lomax is an otherwise covered healthcare provider, then the Privacy Rule applies to the e-mail message in his possession.

Healthcare providers that do not electronically transmit PHI in connection with these transactions are still considered covered entities if others perform these transactions and transmit PHI on their behalf.

Example 5: Dr. Ransom, a physician in private practice, keeps all his patients' medical records in file cabinets in his office. His staff uses computers only for scheduling purposes. All health insurance claims for payment are submitted on paper claim forms. Dr. Ransom does not have to comply with the Privacy Rule because he does not electronically transmit PHI in connection with any of the transactions.

Example 6: Convenient Care is a primary care clinic that does not electronically transmit PHI. Convenient Care recently hired an independent billing company, Fast Pay, to handle its payment claims. Fast Pay submits Convenient Care's bills in electronic form. Under these circumstances, the Privacy Rule applies to Convenient Care because Fast Pay is transmitting PHI on Convenient Care's behalf.

2. Health plans
The Privacy Rule applies to health plans. A health plan is an organization that provides and/or pays the cost of medical care. Health plans include health insurance companies, group health plans (such as those offered through an individual's employment), and health maintenance organizations (HMOs). Health plans also include government-administered programs such as Medicare, Medicaid, Department of Veterans Affairs (VA) programs, and TRICARE (Department of Defense) programs. For purposes of the Privacy Rule, health plans do not include workers' compensation or automobile, life, property, and casualty insurers. Health plans also do not include government-funded programs whose primary purpose is not rendering or paying for healthcare services, even if they incidentally provide or pay for some healthcare services.

3. Healthcare clearinghouses
The Privacy Rule applies to healthcare clearinghouses, public or private entities that process or facilitate the processing of healthcare transactions. The most common type of healthcare clearinghouse is a billing company. Healthcare clearinghouses receive PHI from one source, such as a healthcare provider, convert it into a standard format, and transmit the information to another entity, such as a health insurance company, that pays for the healthcare services. Healthcare clearinghouses can also perform the reverse function by converting and transmitting PHI from insurers to healthcare providers.

Health plans or healthcare providers that perform these functions are not considered healthcare clearinghouses unless they also perform them for other, unaffiliated organizations.

Example 7: Health Claims Consultants, an independent billing company, processes and submits health insurance claims to health insurance companies on behalf of physicians. In this capacity, Health Claims is a healthcare clearinghouse that is subject to the Privacy Rule because it puts PHI into a standard format and submits the claims to a payor.

4. Other types of covered entities


In addition to certain healthcare providers, health plans, and healthcare clearinghouses, the Privacy Rule applies to other types of organizations, including affiliated entities, hybrid entities, and organized healthcare arrangements.

i. Affiliated covered entities


Affiliated covered entities are two or more legally separate healthcare organizations under common ownership or common control. Common ownership exists if one entity owns at least 5% of another entity. Common control exists if an entity has the direct or indirect power to significantly influence or direct the actions or policies of another entity. The Privacy Rule permits affiliated covered entities to choose to formally designate themselves as a single covered entity to comply with the Privacy Rule. Subject to certain requirements, affiliated entities may share PHI between themselves as if they were a single covered entity. The entities must maintain a written or electronic record of their designation as affiliated covered entities for six years from the later of the date the documentation was created or the date it was last in effect.

Example 8: Hospitals, Incorporated owns and operates a chain of acute care hospitals. Each hospital in the chain is considered an affiliated covered entity with respect to other hospitals in the chain. Hospitals, Incorporated's CEO issues a written order to senior management at all affiliated hospitals to treat the hospitals as one organization for purposes of the Privacy Rule. This formal designation as a single, covered entity will generally permit the affiliated hospitals to use and disclose PHI among themselves, subject to meeting additional requirements under the Privacy Rule.

Example 9: Integrated Care is a comprehensive healthcare system that operates hospitals, skilled nursing homes, a clinical laboratory, several home health agencies, and a medical equipment supply company. If Integrated Care designates all of its healthcare companies as a single covered entity, the component companies may use and disclose PHI among themselves, subject to meeting additional requirements under the Privacy Rule.

ii. Hybrid entities
Hybrid entities are organizations that are involved in non-healthcare activities but also act as a health plan, healthcare clearinghouse, or healthcare provider. Hybrid entities include nonhealthcare organizations, such as insurance companies, that offer health insurance plans in addition to other plans, and companies operating onsite health clinics that conduct standard transactions covered by the Privacy Rule. Within a hybrid entity, the healthcare components are covered by the Privacy Rule. Although the Privacy Rule applies only to the healthcare components of the hybrid entity, this type of entity must prevent disclosure of PHI to other nonhealthcare divisions within the entity. Hybrid entities must use safeguards, such as firewalls or other information barriers, to prevent unauthorized access to, or disclosure of, PHI.

Example 10: ABC Drug Store offers items commonly found at drugstores such as greeting cards, home products, snacks, and cosmetics. It also has a pharmacy, which files electronic claims. Because the drugstore has a pharmacy that files electronic healthcare claims, it may elect to be treated as a hybrid entity. If it does, the Privacy Rule will apply only to the pharmacy and not to the other operations of the store.

Example 11: The Large Corporation establishes an onsite health clinic that files electronic healthcare claims. Because the Large Corporation is primarily a business that provides limited healthcare services, it can be a hybrid entity, with the Privacy Rule applying only to the on-site health clinic and not to other company activities.

Hybrid entities are permitted to include in their healthcare components other components that engage in activities that would make them business associates of the organization's healthcare units if the other components were separate entities.
If the hybrid entity chooses not to do this, the healthcare components are generally required to obtain individual authorizations before disclosing PHI to a nonhealthcare component.

iii. Organized healthcare arrangements

An organized healthcare arrangement (OHCA) may be formed between or among legally separate covered entities that integrate their clinical or administrative operations. OHCAs differ from affiliated covered entities in that they are separate covered entities that are not necessarily related to one another through common ownership or control. A common example of an OHCA is a healthcare system that includes different types of healthcare providers, such as a hospital, a medical staff, an ambulatory surgery center, and so on.

iv. Disclosures by group health plans to employers


A number of special rules govern the disclosure of PHI by health plans to plan sponsors. Plan sponsors are typically employers that offer health benefits to their employees. Neither employers nor other group health plan sponsors are defined as covered entities under HIPAA. In general, health plan documents must be revised to establish the permitted and required uses of PHI by plan sponsors, appropriately restrict their use of the PHI, and include other requirements. The PHI that may be shared includes PHI in summary form.

Example 12: ABC Manufacturing provides health benefits to its employees through a group health plan. The plan documents identify the specific covered benefits for ABC employees and further state that the health plan will share PHI with ABC only as necessary for plan administration purposes. Because the health plan documents fail to require that ABC report uses and disclosures that are inconsistent with the documents to the group health plan, they probably violate the Privacy Rule.

A plan sponsor that receives PHI from a health plan must build firewalls or other information barriers that prevent the use of PHI by, or disclosure of PHI to, anyone not involved in the administration of health benefits. Plan sponsors are expressly prohibited from using PHI for employment-related purposes such as hiring, termination, and discipline.

B. Business associates
Business associates are individuals or organizations that perform services or functions for a covered entity or that provide legal, accounting, management, consulting, accreditation, financial, and other operational services to covered entities that involve the use or disclosure of PHI. Business associates also perform many different functions such as claims processing and administration, billing, quality assurance, operations management, and data analysis on behalf of covered entities.

Sometimes, covered entities act as business associates with respect to each other. The Privacy Rule generally permits covered entities to share PHI with business associates (subject to the "minimum necessary" rule, discussed later) and allows business associates to use or disclose PHI for certain purposes.

Example 13: County Hospital hires Quality Associates to help it become an accredited hospital. As part of the accreditation process, County Hospital discloses PHI to Quality Associates. Because Quality Associates receives PHI to provide this service, it is a business associate of County Hospital.

Example 14: Golden Years Nursing Home contracts with Global Health Insurance to become a provider in Global's network. Golden Years discloses PHI to Global for payment of claims. While Golden Years and Global are both covered entities, they are not business associates with respect to each other because they are not performing services for each other. Instead, they are performing functions on their own behalf.

The term "business associate" does not include employees or volunteers of a covered entity. Additionally, a covered entity does not have to have a business associate contract with the providers to whom it discloses PHI for treatment purposes.

Example 15: Dr. Burnett, a physician in private practice, has staff privileges to admit patients to Commonwealth Hospital. Commonwealth discloses PHI to Dr. Burnett for treatment of patients at the hospital. In this situation, Dr. Burnett and Commonwealth Hospital are not business associates with respect to each other.

Just because two covered entities participate in an organized healthcare arrangement does not mean they are business associates of one another. Covered entities that participate in an organized healthcare arrangement are permitted to share protected health information for the joint healthcare activities of the arrangement without entering into business associate contracts with each other.

1. Requirements of business associate relationships


To share PHI with a business associate, a covered entity must obtain satisfactory assurance that the business associate will comply with the Privacy Rule. Obtaining this satisfactory assurance requires covered entities to enter into contracts with their business associates that establish the permitted uses and disclosures of PHI and that meet other requirements. These business associate contracts must prohibit business associates from using or disclosing PHI in any way that violates the Privacy Rule or the business associate contract. These contracts must also provide that the business associate will:

- use safeguards to prevent the improper use or disclosure of PHI
- report unauthorized uses or disclosures of PHI to the covered entity
- require compliance with the terms of the business associate contract by any companies hired by the business associate to assist it in performing functions for the covered entity
- make PHI available in accordance with the patient access rule
- make PHI available for amendment, accounting, and audit purposes
- return or destroy all PHI on termination of the business associate contract, if feasible

Business associate contracts must give the covered entity the right to terminate the contract if the business associate violates an important term of the agreement. A covered entity can be responsible if it learns of a material breach by a business associate and does nothing to cure the breach.

Example 16: Physician Associates hires Claims Professionals, an independent billing company, to process all of its private health insurance claims. The contract between the two companies gives Claims Professionals the right to terminate the relationship if Physician Associates fails to pay it on time. Physician Associates, on the other hand, does not have the right to terminate the agreement. This business associate contract does not satisfy the Privacy Rule because it does not provide that Physician Associates may terminate the agreement if Claims Professionals fails to appropriately use or disclose PHI or otherwise comply with privacy requirements.

2. Liability for the acts of business associates


A covered entity may fail to meet its Privacy Rule obligations if it knows about privacy violations by its business associates and fails to take reasonable steps to correct them. While a covered entity does not have to actively monitor its business associates' activities, it must investigate if it learns of possible wrongdoing.

Example 17: State Hospital hires Care Improvements to monitor the quality of medical care provided to its emergency room patients. Care Improvements decides to sell the names, addresses, and diagnoses of State Hospital's patients to a telemarketing company. If State Hospital does not know that Care Improvements is selling PHI, it probably cannot be held responsible for the Privacy Rule violation. If State Hospital learns of Care Improvements' improper conduct, however, it must take reasonable steps to correct the problem, such as stopping the sale and trying to recover the sold data.

If the covered entity cannot, through reasonable efforts, correct the business associate's violation of the Privacy Rule, it must terminate the business associate contract. If terminating the contract is not possible or would cause significant hardship to the covered entity, it must report the violation to the U.S. Department of Health and Human Services (HHS).

Example 18: Clinton Hospital contracts with Auto Audit to have its billing records audited. One day, Clinton's CEO learns that Auto Audit is improperly selling confidential patient information to a pharmaceutical company. Clinton Hospital must require Auto Audit to immediately stop selling patient information and take reasonable steps to fix any damage caused by the improper disclosures. If Auto Audit refuses, Clinton must either terminate the business associate contract or, if that would irreparably harm Clinton's operations, report Auto Audit to HHS.

3. Business Associate Changes in HITECH


HITECH expanded the definition of business associate to include entities that transmit PHI to a covered entity or its business associate, and that need access to the PHI on a routine basis. These include, for example, health information exchange organizations, regional health information organizations, and e-prescribing gateways. The expanded definition also includes vendors that provide personal health record systems to covered entities.

HITECH also makes business associates directly subject to HIPAA's security requirements, including those relating to policies and procedures, risk assessment and management, employee training, and access controls. As a result, business associates will be directly subject to enforcement of the standards by HHS.

The HITECH Act made some changes in the privacy area as well. Not only did it add to and expand HIPAA's privacy requirements, but it made business associates legally responsible for complying with them, including existing and new requirements relating to:

- breach notification
- the disclosure of PHI when the patient has paid for the related medical item or service out of pocket
- the minimum necessary rule
- the need to inform patients of prior disclosures of their PHI
- the sale or marketing of PHI
- the right of patients to access their PHI in electronic form

This means that while business associates had been only contractually bound to comply with the privacy rules, they can now be held directly accountable under HIPAA's expanded civil remedies and criminal penalties if they don't comply.


Nevertheless, business associate contracts are still required. In addition, a business associate that knows that a covered entity is violating the Privacy Rule must take reasonable action to end the violation.

PROTECTED HEALTH INFORMATION (PHI)


The Privacy Rule applies to the use and disclosure of PHI by covered entities and business associates. PHI is defined as individually identifiable health information that is transmitted or maintained by a covered entity in any format. At a minimum, this includes all oral, computer-based, and paper-based patient health information.

I. Individually Identifiable Health Information


Individually identifiable health information is any information, including genetic information, that is created or received by a covered entity or an employer, identifies the patient or can be used to identify the patient who is the subject of the information, and relates to one of the following:
- The past, present, or future physical or mental health or condition of an individual
- The provision of healthcare to an individual
- The past, present, or future payment for healthcare provided to an individual

PHI does not include individually identifiable health information found in certain education records and records of students held by certain educational institutions. Nor does it include individually identifiable health information in employment records.

Example 19: Dr. Griffey treats Samantha for a skin condition. Samantha's medical record, which documents all care and services provided by Dr. Griffey, contains individually identifiable health information that is protected under the Privacy Rule.

Example 20: City College has educational records that refer to a student's learning disability and the treatment she received. Regardless of the information contained in these records, they do not qualify as individually identifiable health information protected under the Privacy Rule.

II. De-identified Information and Limited Data Sets


Covered entities and business associates may de-identify PHI by removing, encrypting, or otherwise concealing all individually identifiable information. Properly de-identified PHI is not subject to the Privacy Rule. If de-identified information is subsequently reidentified, however, it reacquires the Privacy Rule's protections. There are two ways that a covered entity can determine that PHI is not individually identifiable, and therefore properly de-identified. The first way involves a covered entity or business associate removing all identifying characteristics, including (but not limited to)
- names
- addresses (except the state and the first three zip code digits)
- dates (except the year)
- social security numbers and other identification numbers
- medical record numbers
- telephone, fax, and Internet Protocol address numbers
- e-mail and other Internet addresses
- health insurance numbers
- biometrics, including photographs
- any other form of unique identifier

Age in years, gender, race, ethnicity, and marital status are generally not individually identifiable by themselves. However, if enough nonidentifiable elements are combined, the result may be identifiable. You should use caution and seek advice before releasing any PHI that might appear to be nonidentifiable.

Example 21: Dr. Quinn, a physician in private practice, asks her office manager to de-identify a patient's medical record to submit certain information to a pharmaceutical company. The office manager removes all information she thinks could identify the patient and leaves the patient's gender, age, and marital status in the chart. In addition, the office manager leaves the patient's photograph in the file because the picture does not contain her name or any other identifying information. Because photographs can be used to identify an individual, the office manager failed to properly de-identify this medical record.

The second way that a covered entity can determine that PHI is not individually identifiable is if a qualified statistician examines the PHI and determines that the risk of reidentification is very small.

Additionally, the Privacy Rule allows a covered entity to use or disclose a limited data set for research, public health, and healthcare operations purposes. A limited data set does not include directly identifiable information, but certain identifiers, such as admission, discharge and service dates, date of death, age, and five-digit zip code, may remain. Before a covered entity may disclose a limited data set, it must obtain a data-use or similar agreement from the entity that receives the data. In the agreement, the recipient must promise to limit its use of the data to the original reasons for the disclosure and not attempt to reidentify the information or use it to contact the subject of the information.

The specific rules governing the de-identification of PHI are detailed and complex. If you have any questions or concerns about this subject, please consult your company's internal management or law department.
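The following Python example is added here to illustrate the two de-identification paths described above (the identifier-removal method and the limited data set) on a constructed patient record; it is not part of this handbook or any covered entity's tooling. The field names (`name`, `ssn`, `mrn`, `address`, `notes`, and so on), the sample values, and the free-text note are all made up for the example, and the residual-identifier scan at the end is the kind of check a privacy or security reviewer would run before a data set leaves the organization.

```python
"""Added example: de-identify a constructed patient record the way the handbook
describes (strip direct identifiers, keep state and three-digit zip, keep only
the year of dates), or produce a limited data set instead, then scan the output
for identifiers that survived. Field names and values are assumptions."""
import re

# Direct identifiers the handbook lists; the keys are this example's own naming.
DIRECT_IDENTIFIERS = frozenset({
    "name", "ssn", "mrn", "phone", "fax", "ip", "email", "insurance_id", "photo",
})
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date", "death_date"})

# Identifier shapes that tend to survive inside free-text notes.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample record; no real person is described.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "address": {"street": "12 Elm St", "state": "IL", "zip": "62704"},
    "dob": "1975-03-14",
    "admit_date": "2012-11-02",
    "discharge_date": "2012-11-05",
    "ssn": "123-45-6789",
    "mrn": "MRN-0012345",
    "phone": "217-555-0101",
    "email": "jane@example.org",
    "ip": "198.51.100.7",
    "insurance_id": "INS-998877",
    "photo": "jane_doe.jpg",
    "age": 37,
    "gender": "F",
    "marital_status": "married",
    "diagnosis": "seasonal allergic rhinitis",
    "notes": "Patient called from 217-555-0101; send results to jane@example.org.",
}


def scrub_notes(text):
    """Replace identifier-shaped substrings in free text with a labelled placeholder."""
    for kind, pattern in RESIDUAL_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()}]", text)
    return text


def safe_harbor_deidentify(record):
    """Identifier-removal method: drop direct identifiers, keep the state and the
    first three zip digits, keep only the year of any date, scrub free text.
    (The HHS Safe Harbor standard also aggregates ages over 89; applied here.)"""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            out[key] = value[:4]            # "1975-03-14" -> "1975"
        elif key == "address":
            out["state"] = value["state"]
            out["zip3"] = value["zip"][:3]  # street and full zip are dropped
        elif key == "age":
            out[key] = "90+" if value > 89 else value
        elif key == "notes":
            out[key] = scrub_notes(value)
        else:
            out[key] = value                # gender, marital status, diagnosis, ...
    return out


def limited_data_set(record):
    """Limited data set: direct identifiers removed, but dates of care, age and the
    five-digit zip code remain. A data-use agreement is required before disclosure."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "address":
            out["state"] = value["state"]
            out["zip5"] = value["zip"]
        elif key == "notes":
            out[key] = scrub_notes(value)
        else:
            out[key] = value                # dates are kept in full here
    return out


def find_residual_identifiers(record, prefix=""):
    """Return [(field, kind)] for string values that still look like identifiers."""
    hits = []
    for key, value in record.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            hits.extend(find_residual_identifiers(value, prefix=f"{name}."))
        elif isinstance(value, str):
            hits.extend((name, kind) for kind, pat in RESIDUAL_PATTERNS.items()
                        if pat.search(value))
    return hits


if __name__ == "__main__":
    cleaned = safe_harbor_deidentify(SAMPLE_RECORD)
    print("de-identified:", cleaned)
    print("residual identifiers:", find_residual_identifiers(cleaned))
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
```

The residual scan is the part worth keeping in any real pipeline: structured fields are easy to drop by name, but the free-text note in the sample still carried a phone number and an e-mail address, which is exactly the kind of leftover the handbook's photograph example warns about.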

RESTRICTIONS ON USE AND DISCLOSURE OF PHI


I. General Restrictions

The Privacy Rule prohibits a covered entity and its business associates from using or disclosing a patient's PHI for any purpose, unless one of the following things occurs:
- The patient signs a written authorization for the use or disclosure.
- The patient gives his agreement for the use or disclosure.
- The use or disclosure is permitted or required by the Privacy Rule without the patient's permission.

While this handbook addresses the key elements of, and exceptions to, the agreement and authorization requirements, it cannot cover every Privacy Rule detail. If you have any questions or concerns about the use or disclosure of PHI, you should immediately contact your company's internal management or law department.

II. The Minimum Necessary Requirement


Covered entities and business associates must limit most uses or disclosures of PHI to the minimum amount necessary to accomplish the purpose of the use or disclosure. This principle is known as the minimum necessary requirement.

A. Determining the minimum necessary amount


In determining what is minimum necessary disclosure, a covered entity may want to consider whether the purpose of the use, disclosure, or request can be accomplished with information that is not identifiable. If so, the covered entity should probably not use, disclose, or request PHI, unless one of the exceptions to the minimum necessary requirement discussed below applies. The HITECH Act made the use of nonidentifiable information the first choice. The new provision says that a use, disclosure, or request must be limited to the extent practicable to a limited data set as defined in the existing rule. The minimum necessary standard only applies alternatively if the covered entity needs to make a use, disclosure, or request more extensive than the limited data set. If so, then a broader minimum necessary disclosure is allowable. The burden of making a minimum necessary disclosure falls on the disclosing entity. The Secretary of Health and Human Services is required to issue additional guidance. This is a significant tightening of the minimum necessary rule.

Example 22: A researcher studies the gender composition of patients who use Carville Hospital's emergency room. The researcher asks the hospital to release summary medical information about all patients who received care in the emergency room for a five-year period. Because the purpose of the disclosure can be accomplished without revealing PHI, Carville should not disclose PHI to the researcher.

If the use or disclosure of PHI is needed, the amount used, disclosed, or requested must be the minimum necessary to accomplish the task at hand. Several rules can help make this determination. First, a covered entity or business associate may not use, disclose, or request a patient's entire medical record, unless the entire record is the minimum amount necessary to accomplish the purpose of the disclosure or request. Disclosure of an entire medical record must be specifically justified as the minimum necessary.

Example 23: ABC-Accredit is a hospital accreditation organization. ABC asks Memorial Hospital to send patients' entire medical records for its accreditation review. Because disclosure of an entire medical record for an accreditation purpose may be the minimum necessary for that purpose, the disclosure is allowable.

Example 24: Health Associates, a physician practice, hires a consultant to help it improve its billing and claims processing. Health Associates delivers complete medical charts to the billing consultant for review. Because the consultant does not need entire charts to make its recommendations, delivering them violates the minimum necessary requirement.

Second, for disclosures and requests made on a routine or recurring basis, covered entities must implement policies and procedures that limit the PHI disclosed or requested to the minimum amount reasonably necessary to achieve the purpose of the disclosure. For nonroutine or nonrecurring disclosures and requests, covered entities must make the minimum necessary determination on a case-by-case basis.

Example 25: Day Surgery Center, an ambulatory care facility, routinely submits claims to health insurance companies for outpatient surgical procedures. For routine or recurring disclosures, Day Surgery must establish policies and procedures that identify the minimum amount of PHI that must be included on claim forms in order to be paid for patient healthcare services.

Third, for uses of PHI, covered entities must implement policies and procedures that
- identify those members of its workforce who need access to PHI to do their jobs
- identify the types of PHI to which such people need access
- limit access to PHI to those people who need access to perform their jobs
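As an added illustration of how the three rules above (role-based policies for routine uses, case-by-case review for nonroutine requests, and specific justification for an entire record) can be turned into an access check, here is a Python example that is not part of this handbook. The roles, the PHI categories, the policy table, and the sample record are all assumptions made for the example; it also builds in the two exceptions discussed in the next section (no minimum necessary determination for treatment by a provider or for disclosure to the patient).

```python
"""Added example: a minimum necessary access check for workforce uses of PHI.
Routine uses are decided by a per-role policy; an entire record needs a stated
justification; requests with no standing policy are flagged for case-by-case
review; treatment and disclosure to the patient need no determination at all.
Roles, categories, and the policy table are assumptions for this example."""

# PHI categories this example partitions a record into (constructed).
PHI_CATEGORIES = frozenset({
    "demographics", "insurance", "procedure_codes", "diagnoses",
    "clinical_notes", "lab_results", "psychotherapy_notes",
})

# Constructed routine-use policy: the categories each workforce role needs to
# do its job. Roles not listed have no routine policy and get reviewed.
ROLE_POLICY = {
    "billing_clerk": frozenset({"demographics", "insurance", "procedure_codes"}),
    "scheduler": frozenset({"demographics"}),
    "quality_reviewer": frozenset({"procedure_codes", "diagnoses", "lab_results"}),
}


def _decision(allowed, denied, basis, review):
    return {"allowed": allowed, "denied": denied, "basis": basis, "review": review}


def access_decision(role, purpose, requested, to_subject=False, justification=None):
    """Decide which requested PHI categories may be used, and on what basis.

    Returns {"allowed": frozenset, "denied": frozenset, "basis": str, "review": bool};
    review=True means a person must make a case-by-case determination."""
    requested = frozenset(requested)
    unknown = requested - PHI_CATEGORIES
    if unknown:
        raise ValueError(f"unknown PHI categories: {sorted(unknown)}")

    # No minimum necessary determination for treatment or for disclosure to the patient.
    if purpose == "treatment":
        return _decision(requested, frozenset(), "treatment by a provider", False)
    if to_subject:
        return _decision(requested, frozenset(), "disclosure to the patient", False)

    # An entire record must be specifically justified as the minimum necessary.
    if requested == PHI_CATEGORIES:
        if justification:
            return _decision(requested, frozenset(),
                             f"entire record justified: {justification}", False)
        return _decision(frozenset(), requested,
                         "entire record requires specific justification", True)

    policy = ROLE_POLICY.get(role)
    if policy is None:
        # Nonroutine use: no standing policy, so a case-by-case determination is needed.
        return _decision(frozenset(), requested, f"no routine policy for role {role!r}", True)

    allowed = requested & policy
    return _decision(allowed, requested - allowed, f"routine policy for role {role!r}", False)


def apply_decision(record, decision):
    """Return only the parts of a record (a dict keyed by PHI category) that were allowed."""
    return {cat: record[cat] for cat in decision["allowed"] if cat in record}


if __name__ == "__main__":
    # Constructed record keyed by category; values are placeholders.
    record = {
        "demographics": {"age": 52, "gender": "M"},
        "insurance": {"plan": "PLAN-EXAMPLE"},
        "procedure_codes": ["PROC-001"],
        "diagnoses": ["hypertension"],
        "clinical_notes": "BP elevated at visit.",
        "lab_results": {"hba1c": 5.9},
    }
    d = access_decision("billing_clerk", "payment", {"demographics", "insurance", "diagnoses"})
    print(d["basis"], "->", apply_decision(record, d))
```

The `review` flag is deliberate: the handbook requires a case-by-case determination for nonroutine requests, so the check refuses to decide them automatically rather than silently allowing or denying, and the `basis` string gives the audit trail a reviewer would want for each decision.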

Additionally, the Privacy Rule permits incidental uses and disclosures of PHI that cannot reasonably be prevented, that are limited in nature, and that occur as a by-product of an otherwise permitted use or disclosure under the Privacy Rule, as long as the provider meets the minimum necessary requirement and takes reasonable safeguards to limit such uses and disclosures. For instance, if voices are kept appropriately low, a covered entity will not be held liable if an unauthorized person overhears a conversation about a patient's medical condition. Covered entities are also permitted to call out patient names in waiting rooms and to use bedside charts, and X-ray light boards that may be visible to passersby.

B. Exceptions

In some cases, covered entities and business associates can use or disclose PHI without making a minimum necessary disclosure determination. The HITECH Act did not change the exceptions. For instance, this determination is not required when the PHI is used or disclosed by a healthcare provider in connection with treatment of a patient.

Example 26: Dr. Winfield, a primary care physician, refers a patient to a specialist for additional care. In making the referral, Dr. Winfield discusses the patient's current condition with the specialist and sends her the patient's medical records. In this situation, the Privacy Rule does not require Dr. Winfield to make a minimum necessary determination before disclosing the patient's PHI, because the PHI was disclosed in connection with the treatment of the patient who was the subject of the PHI.

Minimum necessary determinations are also not required when the disclosure is being made to the patient.

Example 27: Daryl, a medical student, is a patient at Memorial Hospital. He's interested in the care he's receiving and asks to see his medical records. Because this request involves disclosure to a patient who is the subject of the PHI, the hospital is not required to make a minimum necessary determination before releasing the information to Daryl.

Also, before the HITECH Act, a covered entity could rely, if reasonable, on the minimum necessary determination of the covered entity asking for the disclosure. The HITECH Act, however, changed this rule. Now, a disclosing entity must determine what constitutes the minimum amount of PHI necessary to accomplish the intended purpose of a disclosure.

Example 28: Mary, a patient at University Medical Center, is recovering from a heart attack. In determining whether she's eligible for an extended hospital stay, Mary's health insurance carrier asks University Medical to disclose certain information about her condition. To comply with the Privacy Rule, the health insurance company may request only the minimum amount of Mary's PHI needed to make this eligibility determination, but the medical center is responsible for ensuring that the information it discloses is the minimum amount necessary.
Minimum necessary determinations are not required for disclosures to HHS for determining HIPAA compliance or for disclosures to other government agencies that are required by law.

III. Uses and Disclosures for Treatment, Payment, and Healthcare Operations Purposes

A. General information

Covered entities may use or disclose PHI for treatment, payment, and healthcare operations purposes without patient permission, unless state or other law provides otherwise. However, except in emergency situations, covered healthcare providers with direct treatment relationships are required to make a good-faith effort to obtain a patient's written acknowledgment of receipt of the provider's notice of privacy practices no later than the time of first service delivery. A direct treatment relationship exists when a healthcare provider provides services directly to the patient. If a direct treatment provider is unable to obtain such an acknowledgment, it must document its good-faith efforts to do so. Indirect treatment providers are not required to obtain this acknowledgment, but may do so if they choose. An indirect treatment relationship exists when a healthcare provider provides services to a provider who ordered the services. Examples of indirect treatment providers include pathologists, radiologists, and specialists who consult with a patient's treating physician. The specific requirements related to the content of the notice of privacy practices are discussed later in this handbook. Health plans must provide a notice at the time of enrollment and every three years thereafter, but need not obtain an acknowledgment.

The acknowledgment does not have to take a specific form. It may be as simple as the patient's initials on a cover sheet to the provider's privacy notice or signature on a list or form. The acknowledgment must be in writing, although electronic signatures are permissible. Providers faced with patients who refuse to sign or return the acknowledgment may demonstrate good faith by documenting their efforts and the reasons for failure in the patient's record.

Example 29: Dr. Maddux, a geriatrician, refers an elderly patient to a skilled nursing facility. Dr. Maddux and the skilled nursing facility provide healthcare services to the patient during her stay. Both Dr. Maddux and the skilled nursing facility have direct treatment relationships with the patient. As a result, they are both free to use and disclose PHI about the patient for treatment, payment, and healthcare operations without her permission unless state or other law requires it. However, they must make a good-faith effort to obtain the patient's written acknowledgment that she received the provider's notice of privacy practices no later than the time of first service delivery.

B. Treatment, payment, and management of healthcare operations


Let's take a closer look at some of the terms we first discussed in connection with the Privacy Rule's application to direct treatment relationships. Treatment includes
- providing, coordinating, or managing healthcare and related services
- consultations between healthcare providers relating to a patient
- patient referrals between healthcare providers

Payment includes (but is not limited to) all billing, claims management, reimbursement, and collection activities conducted by, or on behalf of, the covered entity. Payment also includes activities by health plans with respect to premium and benefit payments as well as to eligibility and coverage determinations.

Healthcare operations include activities related to the covered entity's primary function as a healthcare provider, health plan, or healthcare clearinghouse. Healthcare operations include (but are not limited to)
- quality assessment and improvement activities
- accreditation, certification, licensing, or credentialing activities
- insurance premium rating and other insurance underwriting activities
- legal, accounting, and audit services
- business planning and development activities
- general management, compliance, and administrative activities

A covered entity may use or disclose PHI for its own treatment, payment, or healthcare operations. A covered entity may release PHI to any healthcare provider for any treatment activities. It may also release PHI to a provider or covered health plan for the recipient's use for payment purposes. A covered entity may also disclose PHI to another covered entity for certain healthcare operations purposes of the receiving entity, including conducting quality assessment and improvement activities, carrying out population-based analyses related to improving health, reviewing the competence of healthcare providers, and trying to detect healthcare fraud and abuse. However, these disclosures for healthcare operations are permitted only to the extent that the recipient has or had a relationship with the individual who is the subject of the information. If the relationship has ended, disclosure must be limited to data related to the past relationship.

Example 30: Clare has a number of medical conditions that require ongoing physician care. She is currently seeing an allergist for treatment of hay fever and a neurologist for treatment of carpal tunnel syndrome. Thus, each physician may use and disclose Clare's PHI for treating her. Additionally, each provider may use and disclose her PHI for the purpose of receiving payment and, in certain situations, for healthcare operations purposes.

IV. Uses and Disclosures Requiring Patient Authorization


Under some circumstances that do not directly relate to treatment, payment, or healthcare operations, the Privacy Rule requires written authorization to use and disclose PHI. Let's take a closer look at the situations in which this type of permission is required.

A. General authorization requirements


In general, the Privacy Rule requires disclosure of PHI when requested by the patient and when requested by HHS for determining a covered entity's compliance with the Privacy Rule. It permits covered entities to use or disclose PHI without patient permission for treatment, payment, and healthcare operations and for certain public-policy-related uses and disclosures discussed later in this handbook. For all other purposes, the Privacy Rule requires the patient's permission to use and disclose PHI. Covered entities may use and disclose PHI for facility directories and disclose it to people assisting in an individual's care with patient agreement, which may be given verbally. Where patient permission is required but verbal agreement is not appropriate, covered entities must secure an authorization from the patient (or the patient's representative) to use or disclose PHI. With proper authorization, disclosures may be made to any individual or organization, healthcare related or not, consistent with the terms of the authorization. These other purposes that are not directly related to healthcare and may require authorization include (but are not limited to)
- certain marketing activities
- health insurance eligibility or enrollment determinations relating to an individual
- most employment decisions by current or prospective employers
- reporting to financial, life insurance, and other institutions

Covered entities should develop policies and procedures regarding compliance with the patient authorization requirement. The policies and procedures must also address routine and recurring uses and disclosures of PHI, as well as the minimum necessary disclosure standard.

Example 31: Strollers Company, a manufacturer of baby products, wants to buy a patient list from Dr. Gravida, an obstetrician, for direct product marketing. Because this requested disclosure of PHI is not for treatment, payment, or healthcare operations purposes; for a facility directory; or to someone assisting in an individual's care, and does not qualify as a public-policy-related disclosure, Dr. Gravida may not disclose PHI to Strollers without each patient's authorization.

Example 32: National Homes, a construction company, asks Dr. Newton, an orthopedic surgeon, to provide medical information about an employee's back condition. Because this requested disclosure of PHI is not for treatment, payment, or healthcare operations purposes; for a facility directory; or to someone assisting in an individual's care, and does not qualify as a public-policy-related disclosure, Dr. Newton may not disclose the employee's PHI to National without the employee's authorization.

B. Required language

Authorization forms provided to patients must be written in plain language and contain the following information:
- A specific description of the PHI to be used or disclosed
- The person(s) authorized to make the requested use or disclosure of the PHI
- The person(s) or entities to whom the covered entity may disclose the PHI
- The date on which the authorization expires or an event that would cause the authorization to expire
- A description of the patient's right to revoke the authorization and the procedure for doing so
- A statement that information disclosed under the authorization may be redisclosed to third parties that may not be subject to the Privacy Rule
- If signed by a personal representative on the patient's behalf, a description of the representative's legal authority
- A description of each purpose of the authorized use or disclosure
- A notification stating that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on signing the authorization if such conditioning is prohibited by the Privacy Rule, or, if it is permitted by the Privacy Rule, a statement about the consequences of refusing to sign the authorization

Additionally, for marketing authorizations, there must be a statement that a covered entity will receive remuneration for making a disclosure of PHI, if applicable. Covered entities must keep copies of all authorizations for at least six years from the time they were created or last in effect, whichever is later. Covered entities must also provide patients with a copy of their signed authorization.

C. Contingent authorizations

Healthcare providers generally may not condition treatment on the patient signing an authorization. Health plans likewise generally may not condition enrollment or eligibility decisions on a signed authorization.

Example 33: Belinda sees Dr. Quasar, an orthopedic surgeon, for treatment of a strained ligament in her knee. Before agreeing to treat Belinda, Dr. Quasar tells her that she has to sign an authorization permitting him to sell her medical information to a pharmaceutical company. Because Dr. Quasar may not condition Belinda's treatment on her signing such an authorization, he has violated the Privacy Rule.

There are a few exceptions to this rule. One is that healthcare providers may condition research-related treatment on the patient's authorization to use or disclose PHI for these research purposes. Exceptions such as this are limited, so if you have any questions regarding their application, be sure to consult your company's internal management or law department. Additionally, when medical treatment is rendered for the sole purpose of providing information to a third party, the covered entity may condition the treatment on the patient's authorization.

Example 34: Dr. Palau agrees with Great Books Company to provide employment-related physicals. Because the purpose of the treatment is to provide PHI to Great Books, Dr. Palau may condition performing the physicals on receiving the patient's authorization to disclose the results of the exam to the company.

Health plans may require individuals to sign authorizations for enrollment and eligibility determinations, as well as for underwriting and risk-rating purposes, before the individual may enroll in the plan as long as the authorization is not to use or disclose psychotherapy notes.

Example 35: AllHealth Insurance Company requires all prospective enrollees to sign a written authorization permitting it to use PHI (besides psychotherapy notes) to determine eligibility for health benefits. If a potential enrollee refuses to sign the authorization, AllHealth will not process the application for coverage. In this situation, AllHealth's authorization requirement complies with the Privacy Rule.

D. Specific applications

1. Psychotherapy notes


As we've briefly discussed, subject to certain exceptions, a covered entity may not use or disclose psychotherapy notes for any purpose without first obtaining the patient's authorization to do so. Psychotherapy notes are notes taken during counseling sessions by a licensed mental healthcare provider, such as a psychiatrist or a psychologist, and must be kept separate from the rest of the patient's medical record in order to receive special treatment under the Privacy Rule. Information relating to prescriptions, modalities of treatment, test results, diagnostic summaries, and certain other items are not considered psychotherapy notes. Exceptions to this rule include (but are not limited to) the healthcare provider's own use of the notes for treatment purposes, and use or disclosure for clinical training, professional oversight activities, or purposes otherwise required by law.

Example 36: Dr. Johnson, a psychiatrist, is treating Melissa on an outpatient basis for clinical depression. During each counseling session, Dr. Johnson takes notes of Melissa's complaints, feelings, and observations. Although he uses these notes to form diagnostic opinions and develop a treatment plan, they are kept separate from the rest of Melissa's chart. Dr. Johnson may not use or disclose these notes without Melissa's express authorization except for use in her treatment, professional training and oversight, and disclosures required by law.

2. Marketing
In general, a covered entity may use or disclose PHI for marketing purposes only with the patient's authorization. Marketing in this context consists of a communication about a product or service that encourages people to buy or use the product or service. It can also involve arrangements between a covered entity and a third party under which the covered entity discloses PHI in exchange for payment or another benefit, and the third party uses it to market its products or services. Communications that describe a health-related product or service provided by the covered entity, including communications that describe the healthcare providers that participate in the covered entity's network or the benefits available under a health plan, are not considered marketing and therefore do not require authorization. Communications for treatment of an individual, for case management or care coordination, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care also do not fall under the definition of marketing. Additionally, patient authorization is not required for marketing activities that occur during face-to-face encounters with the patient or that concern products or services of nominal value, such as pens or coffee mugs.

The HITECH Act added some additional restrictions and clarifications about use or disclosure of PHI for marketing. One provision requires that a patient authorization for marketing activities must specify whether PHI can be further exchanged for remuneration by the entity receiving the PHI. What this means is not entirely clear, but it is clear that using authorizations for marketing is more difficult. The new requirement does not apply to public health, research, or some other activities. A second provision addresses the potential overlap between marketing and some healthcare operations. It says, essentially, that a covered entity cannot justify some types of marketing as a healthcare operation. A third provision addresses prescription communications paid for by a third party. It allows communications, such as prescription reminders, only for current drugs. It appears to prohibit so-called switch letters, encouraging a patient to consider taking a different drug. The language may also affect routine advertising on covered entities' Web sites. Because of the complexity of these marketing restrictions, you should seek advice before engaging in any marketing activities that might involve the use or disclosure of PHI.

Example 37: Suburban Hospital opens a new, state-of-the-art cancer treatment center. To advertise the center, Suburban sends letters, printed on its letterhead, to all of Suburban's current and former cancer patients. The letters describe the new services available for treatment of cancer. Suburban's use of PHI without patient authorization is permitted because this activity recommends a setting of care and is therefore not considered marketing.

Example 38: Pharmaceutical Company pays a physician to send it a list of all patients on antidepression medication in order to send them letters advertising a new medication the company makes for depression. Because this disclosure by the physician is made for the pharmaceutical company to market its products and services and the physician is paid for the disclosure, the physician would not be permitted to release the PHI without patient authorization, and the authorization would have to specify whether the PHI could be further exchanged for remuneration by Pharmaceutical Company.


Example 39: Associated Health Plans, a health insurer, sends a letter to all patients advertising a new medical group that has joined its network. Because this communication describes the participants in a network, it satisfies the Privacy Rule even though it was made without authorization.

3. Fund-raising conducted for the benefit of the covered entity


In general, covered entities may use or disclose PHI in connection with fund-raising efforts only with the patient's authorization. However, covered entities may use demographic information about a patient for fund-raising purposes for their own benefit without patient authorization. For this purpose, the covered entity may only use or disclose basic patient information, such as the name, address, and dates of care. Covered entities may not use PHI for fund-raising purposes that relates to a patient's diagnosis or reason for treatment. Patients must be given the opportunity to prohibit or restrict (opt out of) any future marketing or fund-raising communications. The HITECH Act requires that the opt-out be clear and conspicuous.

Example 40: Harding Hospital wants to build a state-of-the-art MRI center. To raise money for the center, Harding sends a letter requesting donations to all patients admitted to the hospital over the last five years. The letter describes the benefits of the center and asks each patient to help make this dream a reality. As long as Harding only uses basic patient information to target the letters and gives each patient a clear and conspicuous opportunity to limit future fund-raising requests, it may use PHI for this fund-raising purpose.

V.

Uses and Disclosures Permitted by the Privacy Rule with Individual Agreement
A number of uses and disclosures of PHI are expressly permitted by the Privacy Rule with the patient's agreement. We discuss each of these in turn.

A.

Disclosures to the patient or others assisting in the patient's care


Under certain circumstances, a covered entity may disclose a patient's PHI to a family member, relative, close personal friend, or any other person identified by the patient who is assisting in the patient's care. A covered entity may also disclose PHI to notify, or assist in notifying, a family member, a personal representative, or another person responsible for the individual's care of the individual's location, general condition, or death. In these situations, covered entities must satisfy specific legal requirements that depend on whether the patient is present and capable of making healthcare decisions.

If the patient is present and capable, the covered entity may disclose PHI to a family member or another person assisting in the individual's care if one of the following is true:
- The patient agrees to the disclosure.
- The patient has the opportunity to object to the disclosure and does not object.
- The healthcare provider can, based on professional judgment, reasonably infer from the circumstances that the patient does not object to the disclosure.

Example 41: Marni is admitted to Southwest Hospital following a heart attack. Dr. Hernandez, Marni's treating cardiologist, stops by to discuss the results of her cardiac stress test. While Dr. Hernandez is speaking with her, Marni's best friend comes by and Marni invites her in. Under these circumstances, Dr. Hernandez can reasonably infer that Marni does not object to the disclosure of her PHI to her best friend, given that she invited her friend in.

If the patient is not present, a covered entity may disclose PHI to a person assisting in the patient's care if it determines, based on professional judgment, that the disclosure is in the patient's best interest. The same is true for patients who are unable to make healthcare decisions because of incapacity or emergency. Under these circumstances, however, the covered entity may disclose only the PHI that is directly relevant to the person's involvement in the patient's healthcare.

Example 42: Don is hospitalized after falling and hitting his head at work. Don's coworker follows the ambulance to the hospital, and when he arrives Don is unconscious. Don's physician may disclose PHI to the coworker if, in the physician's professional judgment, disclosing the information to the coworker is in Don's best interest. The physician, however, may disclose only the PHI directly related to the coworker's involvement in decisions about Don's current treatment.

Finally, a covered entity may use or disclose PHI to an entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating the kinds of disclosures discussed above. The covered entity has to follow the requirements outlined above only to the extent that they do not interfere with the entity's ability to respond to the emergency.

B.

Facility directories
Another type of permitted use or disclosure of PHI exists with respect to facility directories, which typically list the name, room number, and general health condition (for example, fair, critical, or stable) of the patient. A telephone number may also be disclosed. If the facility directory also identifies the patient's religious affiliation, this may be disclosed only to clergy. Before including PHI in a facility directory, the covered entity must inform the patient, orally or in writing, of its intent to include the patient in the directory. This notice gives the patient the opportunity to prohibit or restrict this use of PHI, which may be done orally or in writing. In an emergency, or if the patient is incapable of making decisions, the covered entity may include the patient's PHI in the directory if the patient has not previously expressed a preference against it and the covered entity reasonably determines that this is in the patient's best interest. Once the patient is able to make this decision, the covered entity must provide an opportunity to object to the continued disclosure of this information.

VI.

Uses and Disclosures Without Patient Permission


Under limited circumstances, covered entities may also use or disclose PHI to further important public-policy objectives. In such instances, the covered entity is not required to obtain the patient's permission. A number of public-policy-related disclosures are permissible; many of them are described below. Strict requirements must be met before making such disclosures, so you should consult your company's internal management or law department before disclosing PHI for public-policy reasons.

A.

Public health activities


A covered entity may disclose PHI to a public health authority that is authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury, or disability. Public health authorities typically include state health departments, the Centers for Disease Control and Prevention (CDC), the National Institutes of Health (NIH), the Food and Drug Administration (FDA), the Occupational Safety and Health Administration (OSHA), and the Environmental Protection Agency (EPA).

With respect to the FDA, a covered entity may disclose PHI to a person subject to FDA jurisdiction (for example, a drug or device manufacturer) regarding FDA-regulated products or activities for which that person is responsible, for purposes related to the quality, safety, or effectiveness of those products or activities.

A covered entity may disclose PHI to a public health or other government authority authorized by law to receive reports of child abuse or neglect. Covered entities may also disclose PHI, when authorized by law, to a person who may have been exposed to a communicable disease. Healthcare providers who provide care to an employer's workforce may disclose PHI to the employer, for limited purposes, concerning work-related injuries or illnesses or workplace medical surveillance that the employer is required by law to conduct.

B.

Victims of abuse, neglect, or domestic violence


Covered entities may disclose to government authorities, including social or protective service agencies, PHI about an adult patient whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence. If a report of suspected abuse, neglect, or domestic violence is not required by law but is expressly permitted, the covered entity must reasonably determine, before disclosing the PHI, that the disclosure is necessary to prevent serious harm to the patient or other potential victims. Subject to two exceptions, the covered entity must promptly inform the patient, orally or in writing, that it has disclosed PHI to report abuse. A covered entity does not have to notify the patient if it reasonably believes that doing so would place her at risk of serious physical or emotional harm, and it does not have to notify the patient's personal representative if it reasonably believes that the representative is responsible for the abuse or neglect.

C.

Health oversight activities


Covered entities may also disclose PHI to a health oversight agency or a person acting on its behalf, and may use PHI for oversight activities when the covered entity is itself a health oversight agency. Health oversight activities may include audits; investigations; inspections; licensure or disciplinary actions; and civil, criminal, and administrative proceedings. These disclosures are permitted because health oversight activities safeguard the integrity and quality of public and private healthcare systems and programs.

Example 43: City Hospital provides healthcare services to Medicare and Medicaid patients. City Hospital may disclose PHI to the HHS Office of Inspector General for an audit of City Hospital's Medicare and Medicaid claims.

Investigations that target the patient who is the subject of the PHI, and that are unrelated to the receipt of healthcare or to claims for public benefits, are not considered health oversight activities.

D.

Judicial and administrative proceedings


Covered entities may disclose PHI pursuant to a court order. Without a formal court order, covered entities may disclose PHI in connection with legal proceedings if specific conditions (generally requiring notice to the individual who is the subject of the PHI) are met. As mentioned earlier, the specific requirements governing disclosure of PHI for public-policy purposes are detailed and complex. Before disclosing PHI in this context, you should contact your company's internal management and law department to coordinate an appropriate disclosure of information.

E.

Law enforcement
With some limitations, covered entities may also disclose PHI to law enforcement officials in connection with certain law enforcement requests and activities. Generally, these disclosures must relate to one of the following:
- a requirement by law to report wounds or injuries, or the mandate of a court order, subpoena, or summons
- the identification or location of a suspect, fugitive, material witness, or missing person
- information about the victim of a crime
- evidence of criminal conduct that occurred on the covered entity's premises
- disclosures about deceased persons
- reporting a crime in an emergency

Before disclosing PHI in this context, you should contact your company's internal management and law department to coordinate an appropriate disclosure of information.

F.

Research
Some research using health records does not involve the treatment or examination of patients. Rather, this research is limited to the study of medical records and other healthcare data. A covered entity may use or disclose PHI without patient authorization for such research if the research receives the prior approval of the covered entity's Institutional Review Board (IRB) or of a similarly composed body called a Privacy Board. An IRB is a committee that is generally responsible for overseeing research involving human subjects. In approving the use or disclosure of PHI for research purposes, the IRB or Privacy Board must determine that:
- the use or disclosure of PHI involves no more than minimal risk to the privacy of the research subjects, including, for instance, that adequate procedures exist to protect the PHI from improper use or disclosure;
- the research could not practicably be conducted without using or disclosing the PHI; and
- the research could not practicably be conducted without a waiver of the authorization requirement.

The covered entity must document the IRB/Privacy Board's approval of the use of PHI for research purposes. This documentation must include:
- the IRB/Privacy Board's specific determinations;
- the date of the approval; and
- a brief description of the PHI to be used or disclosed in connection with the research.

G.

Serious threats to health or safety


Covered entities may use or disclose PHI if they determine, in good faith, that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. The disclosure must be made to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat or law enforcement officials.

Example 44: A disturbed patient tells his primary care physician, Dr. Harrington, that he hates his ex-girlfriend and wants to kill her the next time he sees her. If Dr. Harrington warns the ex-girlfriend of the patient's intentions, this disclosure of PHI is probably permissible under the Privacy Rule.

H.

Other public-policy-related disclosures


Finally, covered entities may disclose PHI to serve a number of other purposes related to public policy. These include disclosures to:
- coroners and medical examiners
- organ procurement, donation, and transplantation organizations
- workers' compensation agencies and programs
- military and intelligence agencies (if the PHI relates to an individual's current or past service)
- the Secret Service for the protection of the President of the United States
- any entity, when the disclosure is required by law

These uses or disclosures of PHI are usually subject to many requirements that must be satisfied before the information can be used or disclosed. You should direct any questions or concerns you may have to your company's internal management or law department.

VII.

Patient Rights

A.

Right to receive notice of privacy practices


Covered entities must provide patients with a written notice of their privacy practices. Organized healthcare arrangements and affiliated entities that designate themselves as a single covered entity may develop a uniform joint notice for all of the entities involved. In emergency situations, covered entities must provide the notice as soon as reasonably practicable after the emergency. A covered healthcare provider that has a direct treatment relationship with a patient must make a good-faith effort to obtain the patient's written acknowledgment of receipt of the notice. If the provider is not able to obtain the acknowledgment, it must document its good-faith efforts and the reasons why the acknowledgment was not obtained.

Example 45: Joe is brought by ambulance to St. Victoria's emergency room. He is in full cardiac arrest when he arrives. The ER physicians resuscitate Joe and admit him to the hospital for further care. The hospital must present Joe with its notice of privacy practices as soon as reasonably practicable after his condition has stabilized.


The Privacy Rule contains specific provisions concerning the information that must be included in the notice and the manner in which notice must be provided.

1.

Content of notice
A notice of privacy practices must be written in plain language and contain the following information:
- A prominently displayed statement that reads "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."
- A description of the permitted and required uses and disclosures of PHI that may be made without patient authorization, including at least one example of how the covered entity would use or disclose PHI for each of the following purposes: treatment, payment, and healthcare operations
- A sufficiently detailed description of each of the other purposes for which uses or disclosures are allowed by HIPAA without the individual's written authorization, including any applicable restrictions imposed by other laws
- A statement that all other uses and disclosures will be made only with the patient's written authorization
- An explanation of the patient's privacy rights, including the right to receive confidential communications; to inspect and copy his PHI; to request an amendment of the PHI; to receive an accounting of certain disclosures of the PHI; and to request restrictions on a covered entity's use or disclosure of the PHI
- If the covered entity plans to engage in certain activities, a description of those activities, for example, providing appointment reminders or treatment-related information, raising funds, or, in the case of a group health plan, disclosing PHI to the plan sponsor
- A description of the covered entity's legal obligations to maintain the privacy of PHI, abide by the terms of its notice of privacy practices, and inform patients of any changes to the notice
- An explanation of the patient's right to file a complaint with the covered entity or HHS, and a statement that he will not be retaliated against for filing one
- The name, or title, and telephone number of a person or office to contact for further information
- The effective date of the notice

Additionally, to the extent that state or other law restricts an otherwise permissible use or disclosure, the notice must reflect the more restrictive law. Also, if a covered entity decides to limit the uses and disclosures of PHI it may make, it may describe the more limited uses and disclosures in its notice. However, the entity may not restrict the uses and disclosures it is required to make by law, or the uses and disclosures it may make to avert a serious threat to the health or safety of an individual or the public. Importantly, for a covered entity to apply a change in a privacy practice described in its notice to PHI obtained before it issues a revised notice, it must have reserved the right to do so in its notice.

Example 46: Dr. Smith, an obstetrician, often treats patients with particularly sensitive conditions. He may wish to assure patients that even though the law permits him to disclose information for a wide range of purposes, he will disclose information only in very specific circumstances: for treatment, payment, and healthcare operations purposes, as required by law, and to avert serious threats to health or safety.

Covered entities must retain copies of all issued notices for at least six years from the date each notice was created or last in effect, whichever is later.

2.

Provision of notice
Covered entities must provide the notice to all patients, health plan enrollees, and anyone else who requests it. In addition, covered entities must prominently post the notice in their facilities and on their websites, if they maintain websites. Covered entities must promptly revise their notice whenever there is a material change in their privacy practices, and they may not implement a material change until the effective date of the revised notice.

Healthcare providers in direct treatment relationships must provide the notice to all patients no later than the first service delivery (for example, the first appointment). They may also provide the notice electronically, as long as the patient has agreed to receive it in this manner. Healthcare providers in indirect treatment relationships are required to provide the notice only if the patient requests it. If a patient's first encounter with a covered entity is electronic, the covered entity must provide the notice in electronic form at that time.

Health plans must provide the notice to enrollees at the time of enrollment. If a health plan materially revises its privacy practices, it must notify all enrollees within 60 days of the revision. Health plans must also inform enrollees at least once every three years of the availability of the notice and how to obtain a copy. They may satisfy the notice requirement by sending a copy of the notice to the named insured; they do not need to provide a separate notice to each dependent covered under the plan.


Electronic notice, such as e-mail, must meet certain additional requirements. The patient must agree to accept notice in this form. The electronic notice must state that the patient has a right to receive a paper copy upon request. If the e-mail transmission fails, the covered entity must provide a paper copy of the notice to the patient.

Example 47: The first time Martina requests to fill a prescription through WebDrugs, a covered Internet pharmacy, WebDrugs must automatically provide her with its notice of privacy practices in electronic form in response to that first request.

Example 48: Dr. Checkup, whose office is located in Boston, has hospital staff privileges at Holistic Hospital in neighboring Cambridge. A single notice may cover both Dr. Checkup and Holistic Hospital as long as they are both part of an organized healthcare arrangement. If Dr. Checkup's privacy practices at his private office differ from the hospital's, however, Dr. Checkup must have a separate notice for his office.

B.

Right to request restriction on uses and disclosures of PHI


A covered entity must allow patients to request restrictions on the use or disclosure of PHI for treatment, payment, and healthcare operations. This right also applies to disclosures to people assisting in the patient's care, such as family members and friends.

Example 49: Catherine requests that Hilltop Hospital never disclose her PHI to Theresa, her sister, who is providing assistance with her care. Once the hospital agrees to this restriction, it is prohibited from disclosing Catherine's PHI to Theresa, even if the disclosure would otherwise be permissible under the Privacy Rule.

The covered entity is not required to agree to a requested restriction. If it does agree, however, it must honor the restriction. The restriction is binding only on the covered entity that agrees to it. A covered entity that agrees to a requested restriction must also document the restriction and keep the documentation on file for at least six years from the date it was created or last in effect, whichever is later. If a patient needs emergency treatment and the restricted PHI is necessary for a healthcare provider to provide that treatment, the covered entity may use or disclose the PHI to that provider. The covered entity must, however, request that the provider refrain from further using or disclosing the restricted information.

The HITECH Act requires covered entities to agree to a patient's request to restrict disclosures to a health plan for purposes of carrying out payment or healthcare operations if the PHI pertains solely to a healthcare item or service that the patient has paid for out of pocket in full. A patient cannot, however, prevent a disclosure that is required by law.


C.

Receipt of confidential communications


A covered entity must allow a patient to request the means by which, and the locations where, she wishes to receive communications of PHI from the covered entity. In addition, covered entities must accommodate requests to receive this information by means other than the way they usually transmit information, for example, in writing rather than electronically, or at a different location. All reasonable requests must be accommodated.

Example 50: Sam doesn't want his family members to know about a certain treatment he's undergoing. He may request that his physician communicate with him at his place of employment, by mail to a designated address, or by phone to a designated number, rather than using his home phone number or address.

If the covered entity is a health plan, it may require that a request to receive PHI at another location be accompanied by a statement that disclosure of the information to the address on file could endanger the patient.

Example 51: Jan requests that ABC Health Plan send explanations of benefits about particular services to her work address rather than her home address, because she's concerned that a member of her household might read the document and become abusive toward her. ABC Health Plan must accommodate the request, and may require that Jan state in her request that she could be in danger if the information is sent to her home address.

Covered entities may require the patient to make these requests in writing.

D.

Right of access to PHI

1.

Right of access


Patients generally have the right to inspect and copy PHI that is used to make healthcare or other decisions about them. A covered entity may require the patient to request access in writing. Exceptions to this right of access include psychotherapy notes, information compiled in anticipation of legal proceedings, and certain information related to the operations of clinical laboratories. The right of access exists as long as the covered entity maintains the PHI.

In addition, there are certain circumstances in which a covered entity may deny an access request. For example, a covered entity may deny a patient access to his PHI if the access is reasonably likely to endanger the life or physical safety of the patient or someone else. Correctional institutions may deny inmates access to their PHI for health and safety reasons. A covered entity may temporarily deny an access request while the patient is receiving treatment in an ongoing clinical research trial, if the patient agreed to such a restriction when consenting to participate. A request may also be denied to protect a confidential source of information.

Example 52: Kevin is enrolled in an ongoing clinical trial for a new medication. When he enrolled in the trial, the hospital conducting the research informed him that his access would be restricted while he was participating in the trial but would be reinstated after it was completed. Kevin consented to that restriction. During the trial, Kevin requests access to his PHI. The hospital may deny his request, but must provide him with the information after the clinical trial is completed.

In certain situations, patients have the right to a formal review of a decision denying access to their PHI. These situations usually involve denials based on potential harm to the patient or other people. Reviews of access denials must be performed by a licensed healthcare professional who did not participate in the original decision and who is designated by the covered entity to serve in this capacity. The reviewing professional must determine, within a reasonable period of time, whether to grant or deny the requested access, and the covered entity must provide the patient with written notice of the decision.

2.

Provision of access
If a covered entity grants access, it must provide the PHI in the form requested by the patient if the PHI is readily producible in that form. If it is not, the covered entity must produce a legible copy in a form agreed to by the patient.

The HITECH Act added a requirement for information maintained in an electronic health record: the patient has the right to obtain that information from the covered entity in an electronic format, and may direct the covered entity to transmit it to a designated person or entity. The fee for providing an electronic copy may not exceed the covered entity's labor cost for responding to the request.

A covered entity may provide the patient with a summary of the PHI rather than providing access to it, as long as the patient has agreed in advance to accept a summary. In addition, a covered entity may charge the patient a reasonable fee for the summary; again, the patient must have agreed to the charge in advance. Patients may also be charged a reasonable, cost-based fee for copying, including the cost of labor and supplies related to copying, and postage if applicable. The fee may not include charges for retrieving, handling, or processing the information.

3.

Denial of access
When a covered entity denies an access request in part, it must give the individual access to any other PHI requested, after excluding the PHI for which it has a basis for denial. A denial of access must be in writing and explain the basis for the denial. If applicable, the denial must state that the individual may have the denial reviewed. Finally, it must explain how the patient may file a complaint with the covered entity or HHS. If the covered entity does not maintain the requested PHI but knows where it is maintained, it must inform the patient where to direct the request for access.

E.

Right to amend PHI


A covered entity must allow patients to request amendment of their PHI for as long as it maintains the information. There are certain exceptions to this right. A covered entity may deny a request if it did not create the PHI, unless the creator of the PHI is no longer available to act on the request, in which case the covered entity must treat the request as though it had created the PHI itself. A covered entity may deny a request for amendment if it determines that the PHI is accurate and complete. Finally, a covered entity may deny a request if the patient would not have the right to access the information under the Privacy Rule.

Covered entities must act on a patient's request within 60 days of receiving it. If the covered entity is unable to meet this deadline, it may extend it by no more than 30 days, after providing the patient with written notice of the reason for the delay and the date by which it will act on the request. Upon making its decision, the covered entity must inform the patient whether it will agree to the request. If it agrees, it must make the amendment and inform the patient, anyone the patient identifies as having received the PHI that needed amending, and persons, including business associates of the covered entity, who have the PHI and might rely on it to the detriment of the individual.

If a covered entity denies the request, it must state the reasons for the denial in writing. The written denial must also describe the patient's right to submit a statement disagreeing with the denial and the procedure for submitting it, as well as the patient's right to file a complaint with the covered entity or HHS. The denial must also state that if the patient does not submit a statement of disagreement, he may request that the covered entity include his amendment request and the denial with any future disclosure of the PHI that is the subject of the request.

F.

Right to receive an accounting of PHI disclosures


Patients generally have the right to receive an accounting of disclosures of their PHI made by a covered entity, including disclosures by or to a business associate. This right generally covers disclosures made within the six years preceding the accounting request. However, except as noted below, covered entities do not have to account for disclosures for treatment, payment, or healthcare operations purposes. In addition, the patient's right to receive an accounting may be temporarily suspended if the disclosure was made to a health oversight or law enforcement agency and the requested accounting would reasonably impede the agency's activities.

The HITECH Act made several changes to these accounting rules. First, the exception for disclosures for treatment, payment, or healthcare operations purposes no longer applies to disclosures made from an electronic health record; however, the obligation to account for such disclosures reaches back only three years, not six. Second, the HITECH Act added a new way to provide an accounting. As before, a covered entity can provide a complete accounting that includes all disclosures made by the covered entity and its business associates. In the alternative, it may report only its own disclosures and provide the requesting patient with a list of the names and addresses of its business associates. The new accounting provisions begin to take effect at the beginning of 2011, with implementation delayed until 2014 for older systems. Many questions about the new accounting requirements remain to be answered by HHS regulations.

To comply with the Privacy Rule, an accounting must include, for each disclosure, the date of the disclosure, the name (and, if known, the address) of the person or entity that received the PHI, a brief description of the PHI disclosed, and a brief statement of the purpose of and basis for the disclosure. For multiple disclosures to the same recipient for the same purpose, a summary addressing all such disclosures is permitted.

Example 53: Valley Hospital discloses the same PHI to a public health authority for the same purpose every month. The hospital can account for those disclosures by including in the accounting the date of the first disclosure; the public health authority to which the disclosures were made (and its address); a brief description of the information disclosed; a brief description of the purpose of the disclosures or, if applicable, a copy of the request for the disclosures; the fact that the disclosures were made every month; and the date of the most recent disclosure.

A covered entity has 60 days to respond to a request for an accounting. If it is not able to provide the accounting within 60 days, it may take a one-time 30-day extension, as long as it provides the patient with a written statement of the reason for the delay and the date by which it will provide the accounting. Individuals have a right to receive one free accounting per 12-month period. For each additional request within the 12-month period, the covered entity may, with prior notice, charge a reasonable, cost-based fee.

G.

Right to receive notice of a breach of PHI

34

As we've seen, patients have the right to be informed of their covered entity's privacy policies. But what happens if, despite those policies, there's an unauthorized transfer, use, or other breach of the protected information? The HITECH Act provided the answer to this question. A breach is the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of the information. Something compromises the security or privacy of PHI if it poses a significant risk of financial, reputational, or other harm to the individual. Thus, a covered entity may use and document a risk assessment to determine whether an incident poses a significant risk of harm to the individual and therefore requires notification. In the absence of a significant risk of harm, the incident is not a breach under the rule.

If the breach poses a significant risk of harm to the individual involved, the company must notify the individual of the breach. This notice must include, among other things, a brief description of what happened, the types of PHI involved, and any steps the individual should take. The notice must be given without unreasonable delay, and in any event within 60 days after the breach was discovered or should have been discovered. In some cases, the company may also have to notify the federal government and local media. Business associates must also notify the covered entities they serve of any breach of PHI they become aware of.

The breach notification requirement applies only to a breach of unsecured PHI. PHI is unsecured if it is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology (such as the use of approved forms of encryption) specified by the Secretary of Health and Human Services in guidance. The Secretary's initial guidance is at http://edocket.access.gpo.gov/2009/pdf/E9-9512.pdf.
Notification is also not required for:

- the use or disclosure of a limited data set that excludes the individual's birth date and zip code
- certain inadvertent uses or disclosures of PHI that don't result in a violation of the Privacy Rule
- the inadvertent disclosure of PHI to someone who isn't likely to be able to retain it, for example, because it was mailed to the wrong address and returned by the Post Office unopened

Vendors of personal health records (PHRs), and other PHR-related entities not covered by HIPAA, are also subject to breach notification requirements under the HITECH Act. These rules, issued by the Federal Trade Commission, are similar to those for HIPAA-covered entities, but there are some differences. For example, the non-HIPAA rule may require notification even if there's no evidence of a significant risk of harm from the breach.

In any event, both the HIPAA and non-HIPAA notification rules are lengthy and complex. You should be sure to consult your company's law department or other designated party if you have any questions.

VIII.

Administrative Requirements

The Privacy Rule imposes numerous administrative requirements on covered entities, which include the following.

A.

Designating privacy personnel

Covered entities must designate a privacy official who has responsibility for developing and implementing privacy policies and procedures. Covered entities must also designate a contact person, who is responsible for receiving privacy-related complaints and providing information regarding the covered entity's privacy practices. The privacy official may serve as the contact person.

B.

Training
A covered entity must train all members of its workforce on its policies and procedures with respect to PHI within a reasonable time after they join the entity's workforce. Retraining all members of the workforce is required when a covered entity makes a material change to its privacy policies. Finally, covered entities must document that training has been provided.

C.

Safeguards
Covered entities are required to establish administrative, technical, and physical safeguards to protect PHI from being improperly used or disclosed. They must also reasonably safeguard PHI to limit incidental uses or disclosures that result from an otherwise permitted or required use or disclosure. And they must mitigate any harm resulting from a use or disclosure that violates the rule. The HIPAA Security Rule, applicable to the same covered entities as the Privacy Rule, provides more detail with respect to electronic PHI.

Example 54: Johnson Medical Practice must, under the Privacy Rule, safeguard PHI against improper or inadvertent uses or disclosures. To do so, it may decide to shred documents, require that doors to medical records departments remain locked, and limit personnel in restricted document areas.

D.

Complaint process
A covered entity must provide a process for individuals to file complaints concerning the covered entity's policies and procedures related to PHI or its compliance with its policies and procedures or the Privacy Rule. All complaints concerning the improper use or disclosure of PHI, as well as the final resolution of the complaint, must be documented.


E.

Sanctions
Under the Privacy Rule, a covered entity must develop and enforce sanctions against its employees who fail to follow its policies and procedures related to PHI or who violate the Privacy Rule. The covered entity must also mitigate, to the extent practicable, any harmful effect it knows about of a use or disclosure of PHI in violation of its policies and procedures or of the Privacy Rule by it or a business associate.

F.

Intimidating and retaliatory acts


The Privacy Rule prohibits retaliating against a patient or any other person who files a complaint with HHS. The rule also prohibits retaliating against individuals for testifying, assisting, or participating in certain investigations, compliance reviews, proceedings, and hearings under the Administrative Simplification provisions of HIPAA, including the Privacy Rule. Retaliatory acts against anyone opposing any act or practice made unlawful by the Privacy Rule are prohibited, as long as the person has a good-faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and doesn't involve an unauthorized disclosure of PHI. HHS also prohibits retaliatory actions against patients who exercise any right granted by the Privacy Rule, including filing a complaint with the covered entity or HHS.

G.

Waiver of rights
A covered entity may not require individuals to waive their rights to file a complaint with HHS or their other rights under certain sections of the Privacy Rule as a condition of providing treatment, payment, enrollment in a health plan, or eligibility for benefits.

H.

Policies and procedures


A covered entity must implement policies and procedures with respect to PHI that are reasonably designed to comply with the standards, implementation specifications, and other requirements of the Privacy Rule, taking into account its size and the nature of the activities it undertakes that relate to PHI. However, the policies and procedures may not be interpreted to permit or excuse any action that violates the Privacy Rule. When the covered entity has stated in its notice of privacy practices that it reserves the right to change its practices, the new practice may be applied to information created or collected before the effective date of the new practice. The Privacy Rule also sets forth the conditions for making changes if the covered entity has not reserved the right to change its practices. Covered entities are required to modify their policies and procedures in a prompt manner to comply with changes in relevant law. They are also required to change the notice when the change also affects the practices stated in the notice. These requirements, however, may not be used by a covered entity to excuse a failure to comply with applicable law.

The Privacy Rule also requires that the policies and procedures be maintained in writing, and that any other required communication, action, activity, or designation that must be documented in writing be maintained. The Privacy Rule states that covered entities must retain any required documentation for at least six years from the date the document was created or the date the document was last in effect, whichever is later. HHS notes that this approach is consistent with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance.

I.

Exception for certain group health plans

A group health plan that provides benefits solely through an insurance contract with an HMO issuer or an HMO, and that does not create, receive, or maintain protected health information other than summary health information or information regarding enrollment and disenrollment, is not subject to the administrative requirements discussed above except for documentation retention requirements relating to plan documents.

IX.

Use of PHI Collected or Created Prior to April 14, 2003


A covered entity may use or disclose PHI created or received prior to the April 14, 2003, compliance date, if it has an authorization or other express legal permission secured before April 14, 2003, assuming that the authorization explicitly permits the use or disclosure and there are no agreed-upon restrictions. In addition, a covered entity may use or disclose, for a specific research study, PHI that is created or received either before or after the compliance date of April 14, 2003 (as long as there is no agreed-upon restriction) if the covered entity has obtained, before the compliance date, an authorization or other express legal permission from a patient to use or disclose PHI for the research study, an informed consent to participate in the research, or an IRB waiver of informed consent for the research. Note that uses or disclosures of individually identifiable health information made before the compliance date are not subject to sanctions, even if they were made pursuant to documents or permissions that do not meet the requirements of the Privacy Rule or were made without permission. The Privacy Rule impacts only the future effectiveness of the previously obtained consents, authorizations, or permissions.

X.

Relationship to State Laws


Any state law that is contrary to the federal requirements established under the Administrative Simplification provisions of HIPAA, including the provisions on privacy, is preempted. However, there are several exceptions to this general rule of preemption. First, there is an exception when HHS determines that a state law is necessary for any one of the following purposes:

- To prevent fraud and abuse related to the provision of or payment for healthcare
- To ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation
- For state reporting on healthcare costs
- For other purposes of serving a compelling need related to public health, safety, or welfare, and, if a standard, requirement, or implementation specification is at issue, if HHS determines that the intrusion into privacy is warranted when balanced against the need to be served

Second, there is an exception where the state law regulates the manufacture, registration, distribution, dispensing, or other control of controlled substances. Third, there is an exception for state laws that require the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention. Fourth, there is an exception for state laws that require a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, facility licensing or certification, or individual licensing or certification. Finally, the Privacy Rule provides that a state law that relates to the privacy of health information and is more stringent than federal requirements is not preempted. In this way, the Privacy Rule creates a floor of federal privacy protection and is not intended to supersede other applicable law that provides greater protection to the confidentiality of health information.

B.

When is a provision of state law contrary to an analogous federal requirement?


Under the Privacy Rule, a state law qualifies as contrary to a federal privacy requirement when a covered entity would find it impossible to comply with both the state and federal requirements, or when the provision of state law stands as an obstacle to the accomplishment and execution of the purposes and objectives of the Administrative Simplification provisions, including the Privacy Rule.

C.

What qualifies as state law?


State law, as defined by the Privacy Rule, means a constitution, statute, regulation, rule, common law, or other state action having the force and effect of law.

D.

When does a state law relate to the privacy of health information?


A state law relates to the privacy of health information if it has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way.

E.

When is a state law more stringent than a federal requirement?


In general, more stringent means providing greater privacy protection. A state law is more stringent than federal law when the state law establishes greater limitations on disclosures, creates more individual rights with respect to PHI, or provides greater access to PHI for individuals than the federal law.

Example 55: A state law requires that patients consent to disclosures of their health information for treatment and/or payment purposes. This law would not be preempted by federal law because, by requiring consent for use or disclosure for treatment and/or payment purposes, the law is more protective than federal law.

Example 56: Another state law requires a provider to disclose data about certain contagious diseases to a public health agency. This law would not be preempted under the Privacy Rule because of the carveout for state laws that require data reporting.

F.

Administrative determinations
The Privacy Rule sets forth a process under which a state or individual may submit a written request to HHS to make a determination under the first preemption exception discussed above. Exception determinations are effective until either the underlying federal or state laws materially change or the exception is revoked by HHS, based on a determination that the grounds supporting the exception no longer exist.

XI.

Enforcement and Penalties


Under HIPAA, the penalties for violating the Privacy Rule are severe. The penalties were increased by the HITECH Act and now apply to business associates as well as covered entities. Depending on the nature of the violation, they include:

- a civil penalty ranging from $100 to $50,000 per person per violation, and up to $1.5 million per person for violations of a single standard in one year
- a criminal fine of not more than $50,000 and/or imprisonment of not more than one year for wrongful disclosure of PHI
- a criminal fine of not more than $100,000 and/or imprisonment of not more than five years if the disclosure is under false pretenses, for example, when a person lies about his identity
- a criminal fine of not more than $250,000 and/or imprisonment of not more than ten years if a person intends to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm

In addition, states can sue to stop HIPAA violations and recover damages on their residents' behalf.


HIPAA PRIVACY FOR PHARMACEUTICAL COMPANIES: PATIENT RIGHTS


INTRODUCTION
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the healthcare industry to adopt, among other things, national standards for electronic healthcare transactions, unique health identifiers, and security. These rules are collectively known as the Administrative Simplification provisions. An important part of the Administrative Simplification provisions is the Privacy Rule. The Privacy Rule establishes comprehensive privacy standards for protected health information (PHI) that individuals and organizations involved in healthcare delivery or payment for healthcare services must follow. Separate HIPAA rules address security requirements for electronic PHI. The Privacy Rule covers all PHI: electronic, written, or oral. As we'll explain in this handbook, the HIPAA Privacy Rule applies to many individuals and entities that store or transmit PHI.

This handbook will help you understand HIPAA's privacy requirements. Following an introductory discussion of how the Privacy Rule applies to pharmaceutical companies, we will address how the rule affects the disclosure of PHI from providers subject to the Rule to pharmaceutical companies. This latter discussion will encompass both uses and disclosures of PHI that require patient permission and those that do not. We will also address HIPAA's impact on state laws that protect the confidentiality of health information. Finally, we will review legal penalties and sanctions for failing to comply with HIPAA.

This handbook provides a general overview of the HIPAA Privacy Rule as it relates to pharmaceutical companies. It does not provide legal advice or guidance regarding how you should act in a particular situation that involves the use or disclosure of patient information. HIPAA is a complex law subject to subtleties and nuances that cannot be completely covered in a brief treatment of this kind. Always consult your internal management and law department if you have any questions or concerns about the use or disclosure of patient information.

Some changes to the law were made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law No. 111-5). These changes will be discussed as appropriate. The changes have variable effective dates, and most await guidance or regulations from the Department of Health and Human Services (HHS). Some provisions (e.g., breach notification) are already effective. Interpretations of new provisions are tentative until HHS issues definitive guidance.

INDIVIDUALS AND ORGANIZATIONS


I.

Covered Entities and Business Associates


The Privacy Rule's legal requirements apply to covered entities and business associates. We explain each of these terms below. A.

Covered entities

The Privacy Rule defines covered entities to include certain healthcare providers, as well as all health plans and healthcare clearinghouses. The Privacy Rule applies to pharmaceutical companies both directly (when they qualify as covered entities) and indirectly (when they qualify as business associates of covered providers). Changes made by the HITECH Act will make business associates directly subject to the HIPAA rules. When these changes become effective, the biggest difference will be that business associates will be directly subject to both the HIPAA Privacy Rule and the HIPAA Security Rule, which means they will be subject to direct enforcement by HHS. Changes to business associate contracts will also be necessary.

1.

Healthcare providers
A healthcare provider is an individual or organization that (1) is recognized by Medicare as a provider or (2) provides, bills for, or is paid for healthcare services in the normal course of business. Healthcare providers include hospitals, skilled nursing facilities, home health agencies, physicians, outpatient facilities, clinical laboratories, pharmacies, medical equipment suppliers, and other licensed/certified healthcare professionals.

The Privacy Rule applies only to healthcare providers that electronically transmit PHI in connection with specified healthcare transactions. Fax transmissions are not electronic transmissions under the rule. Transactions that trigger the Privacy Rule's requirements include:

- healthcare claims (including attachments) and status reports
- payment and remittance advice
- determination of eligibility for health plan benefits
- referral certifications and authorizations
- first reports of injury
- health plan enrollment, disenrollment, eligibility for health plan coverage, and premium payments
- coordination of health benefits

Pharmaceutical companies will generally not qualify as covered entities under the Privacy Rule. While they may sometimes provide what are considered healthcare services, they will not be considered covered entities under the rule unless they file electronic healthcare claims or otherwise engage in HIPAA standard transactions.

Example 1: Biopharma, a pharmaceutical company, manufactures drugs. It also handles its own sales and marketing. It never engages in electronic standard transactions and does not offer treatment advice related to specific patients. It is not a covered entity under the Privacy Rule because it does not provide treatment services or engage in electronic standard transactions.

Example 2: Biopharma, a pharmaceutical company, contracts with an individual to develop a drug customized to his disease. Once the drug is developed, the company files electronic healthcare claims with the individual's health plan for reimbursement. Here, Biopharma is a covered entity under the Privacy Rule because it provides treatment services and engages in electronic standard transactions.

Example 3: Global Pharmaceuticals manufactures drugs and operates a patient assistance program (PAP) that funds drug treatments for financially needy patients. It reviews medical records concerning specific patients and decides whether and how those patients can benefit from its pharmaceuticals. However, it never engages in electronic standard transactions. So, under the Privacy Rule, Global is a healthcare provider because it provides treatment services through its PAP, but it wouldn't qualify as a covered entity because it doesn't engage in electronic standard transactions.

Example 4: MediPharma, a pharmaceutical company, manufactures drugs and operates a PAP that funds drug treatments for financially needy patients. It reviews medical records concerning specific patients and decides whether and how those patients can benefit from its pharmaceuticals. MediPharma electronically checks the insurance eligibility of patients applying for the PAP to make sure they are truly in financial need. It is a covered entity under the Privacy Rule because it provides treatment services through its PAP and engages in an electronic standard transaction (determination of eligibility for benefits).

Example 5: Worldwide Pharmaceuticals, a pharmaceutical company, runs a mail-order pharmacy that files electronic healthcare claims for the drugs it sells. It is a covered entity under the Privacy Rule because it provides treatment services and engages in electronic standard transactions.
If a pharmaceutical company qualifies as a covered entity, a host of obligations under HIPAA are triggered. Covered entities must follow the restrictions on the use and disclosure of PHI discussed below and implement processes so that individuals may exercise the rights (also discussed below) that are granted under HIPAA. Even if a pharmaceutical company does not qualify as a covered entity, the Privacy Rule will affect the flow of PHI to it because most healthcare providers the company does business with will qualify as covered entities. Permissible disclosures of PHI by a covered provider to a pharmaceutical company are discussed below in the discussion of business associates.

2.

Health plans

The Privacy Rule applies to health plans. A health plan is an organization that provides and/or pays the cost of medical care. Health plans include health insurance companies, group health plans (such as those offered through an individual's employment), and health maintenance organizations (HMOs). Health plans also include government-administered programs such as Medicare, Medicaid, Department of Veterans Affairs (VA) programs, and TRICARE (Department of Defense) programs. For purposes of the Privacy Rule, health plans do not include workers' compensation or automobile, life, property, and casualty insurers. Health plans also do not include government-funded programs whose primary purpose is not rendering or paying for healthcare services, even if they incidentally provide or pay for some healthcare services.

3.

Healthcare clearinghouses
The Privacy Rule applies to healthcare clearinghouses: public or private entities that process or facilitate the processing of healthcare transactions. The most common type of healthcare clearinghouse is a billing company. Healthcare clearinghouses receive PHI from one source, such as a healthcare provider, convert it into a standard format, and transmit the information to another entity, such as a health insurance company, that pays for the healthcare services. Healthcare clearinghouses can also perform the reverse of that function by converting and transmitting PHI from insurers to healthcare providers. Health plans or healthcare providers that perform these functions are not considered healthcare clearinghouses unless they also perform them for other, unaffiliated organizations.

B.

Hybrid entities
In addition to certain healthcare providers, health plans, and healthcare clearinghouses, the Privacy Rule applies to other types of organizations, including affiliated entities, hybrid entities, and organized healthcare arrangements. Of these, only the hybrid entity is likely to have any relevance to pharmaceutical companies. Hybrid entities are organizations that are involved in non-healthcare activities but also act as a health plan, healthcare clearinghouse, or healthcare provider. Hybrid entities include non-healthcare organizations, such as insurance companies, that offer health insurance plans in addition to other plans, and companies operating on-site health clinics that conduct standard transactions covered by the Privacy Rule. Within a hybrid entity, the healthcare components are covered by the Privacy Rule. Although the Privacy Rule applies only to the healthcare components of the hybrid entity, this type of entity must prevent disclosure of PHI to other non-healthcare divisions within the entity.

Hybrid entities must use safeguards, such as firewalls or other information barriers, to prevent unauthorized access to, or disclosure of, PHI.

Example 6: MediPharma, a pharmaceutical company, manufactures drugs and operates a PAP that funds drug treatments for financially needy patients. It reviews medical records concerning specific patients and decides whether and how those patients can benefit from its pharmaceuticals. MediPharma electronically checks the insurance eligibility of patients applying for the PAP to make sure they are truly in financial need. It is a covered entity under the Privacy Rule because it provides treatment services through its PAP and engages in an electronic standard transaction (determination of eligibility for benefits). Because MediPharma has defined itself to be a hybrid entity, only the component that reviews patient records, determines whether patients can benefit, and electronically checks insurance eligibility is a covered entity. Its activities and records must be maintained separately from other MediPharma components.

C.

Business associates
Business associates are individuals or organizations that perform services or functions (such as data administration) for a covered entity, or that provide covered entities with legal, accounting, management, consulting, accreditation, financial, or other operational services involving the use or disclosure of PHI. Business associates may perform many different functions, such as claims processing and administration, billing, quality assurance, operations management, and data analysis, on behalf of covered entities. Sometimes, covered entities act as business associates with respect to each other. A business that receives PHI from a covered entity is not a business associate unless it uses or discloses that PHI to perform a service or function on behalf of the covered entity, or the service relates to a function or activity regulated by the Privacy Rule.

Example 7: Big Pharma Company offers consulting services to physician practices. The services are related to billing for its drugs. Physician practices that want to take advantage of this service disclose PHI to Big Pharma, and Big Pharma uses the PHI to provide billing advice. Because Big Pharma receives PHI to provide this service, it is a business associate of the covered physician practices.

Example 8: Big Pharma Company sponsors a clinical trial to study the effects of a new drug it is manufacturing. A hospital that's covered by the Privacy Rule agrees to conduct the clinical trial and discloses to Big Pharma PHI concerning patients treated with the drug. Although it receives PHI from the covered hospital, Big Pharma is not a business associate of the hospital because Big Pharma is doing its own independent research and is not conducting a function or activity on behalf of the hospital. The hospital discloses information to Big Pharma under the research disclosure provisions of the rule (discussed later).

Example 9: Big Pharma Company sponsors a clinical trial to study the effects of a new drug it is manufacturing. A hospital agrees to conduct the clinical trial and discloses to Big Pharma PHI concerning patients treated with the drug. Big Pharma provides data management services to the covered hospital in connection with the study. Big Pharma is a business associate of the hospital because it provides it with data management services that involve the disclosure of PHI to Big Pharma.

Example 10: Big Pharma Company provides disease management services to a hospital. Because the disease management services relate to a hospital function, Big Pharma receives PHI as a business associate of the covered hospital.

The term business associate does not include employees or volunteers of a covered entity.

1.

Requirements of business associate relationships


To share PHI with a business associate, a covered entity must obtain satisfactory assurance that the business associate will comply with the Privacy Rule. Obtaining this satisfactory assurance requires the covered entity to enter into a contract with each business associate that meets these requirements: The contract must establish the permitted and required uses and disclosures of PHI to and by the business associate. This does not mean that every single use or disclosure must be specified; rather, the agreement must discuss the general purposes for which the business associate may use and disclose PHI and the types of persons to whom the business associate is anticipated to make further disclosures. The contract must prohibit the business associate from using or further disclosing the PHI other than as permitted by the contract or as required by law. The contract must require the business associate to implement appropriate safeguards to protect against inappropriate disclosure or use. The Privacy Rule does not specify what qualifies as "appropriate safeguards." This decision is left to the parties. The contract must require that if a business associate becomes aware of any use or disclosure not provided for in the agreement, the business associate must report the violation to the covered entity. Example 11: National Pharma Company offers physician practices consulting services related to billing for its drugs. Physician practices that want to take advantage of these services disclose PHI to National for it to use to provide billing advice. One of Nationals employees discloses to the media PHI it received from a physician practice about a famous actor. National must report this violation of its business associate agreement to the practice.

The contract must require a business associate to ensure that any of its agents and subcontractors who have access to the client's PHI agree to the same conditions and restrictions that apply to the business associate.

As a general rule, covered entities must be prepared to provide an individual with an accounting of any disclosures they have made or that were made on their behalf, except those made for the purposes of treatment, payment, or healthcare operations or to people assisting in a patient's care. The accounting must generally include disclosures made for the six years before the request and disclosures by a business associate. Business associate contracts must contain provisions that require the business associate to assist the covered entity in meeting its accounting obligations.

Example 12: Big Pharma Company offers physician practices consulting services related to billing for its drugs. Physician practices that want to take advantage of these services disclose PHI to Big Pharma for it to use to provide billing advice. Because this is a disclosure for the healthcare operations or payment purposes of the physician practice, the practice does not need to account for the disclosure.

For the purpose of determining whether a covered entity is complying with the Privacy Rule, the contract must require a business associate to agree to make available to the Secretary of the Department of Health and Human Services (HHS) its internal books, records, and practices relating to its use and disclosure of PHI.

The contract must require that a business associate agree to destroy or return at the end of the agreement, to the extent feasible, all PHI received from the covered entity. The business associate may retain information necessary for the proper management and administration of its business as well as information necessary for it to carry out its own legal responsibilities. Any retained information must remain subject to the protections of the contract.
The contract must give the covered entity the right to terminate it if the business associate violates an important term. This is especially important because in certain situations, covered entities may be liable for Privacy Rule violations committed by their business associates.

Example 13: Big Pharma Company sponsors a clinical trial to study the effects of a new drug it's manufacturing. A covered hospital agrees to conduct the clinical trial and discloses to Big Pharma PHI concerning patients treated with the drug. Big Pharma provides data management services to the covered hospital in connection with the study. The services contract between the two companies gives Big Pharma the right to terminate the relationship if the hospital fails to deliver PHI to it on a scheduled interval. The hospital, on the other hand, does not have the right to terminate the agreement. This business associate contract does not satisfy the Privacy Rule because the hospital may not terminate the contract if Big Pharma fails to use or disclose PHI appropriately.

The contract must contain provisions that require the business associate to assist the covered entity in providing patients access to certain information that the business associate has. Specifically, the Privacy Rule permits patients to have access to certain PHI about themselves in order to review it for accuracy. Generally, the covered entity must act upon a patient's request within 30 days and must, with limited exceptions, make any requested amendments to inaccurate or incomplete information. Specifically, a covered entity must provide a patient with access to "designated record sets." A designated record set is defined as a group of records maintained by a covered entity that (1) consists of medical or billing records about individuals maintained by or for a healthcare provider; (2) consists of enrollment, payment, claims adjudication, and case or medical management records systems maintained by or for a health plan; or (3) is used, in whole or in part, by the entity to make decisions about individuals. While the responsibility for providing access to individuals rests with a covered provider, the parties to a business associate contract may negotiate that the business associate deal directly with individual requests for records in its possession.

A covered entity is not required to have a business associate contract with those providers to whom it discloses PHI for treatment purposes.

Example 14: Dr. Burnett, a physician in private practice, discloses PHI to Pharmaceuticals-R-Us so that the company can provide him with support and guidance concerning the proper use of its pharmaceuticals with respect to certain patients. Pharmaceuticals-R-Us is not a business associate of Dr. Burnett because disclosures to healthcare providers for treatment purposes don't give rise to a business associate relationship, and a business associate contract is not necessary.

2. Liability for the acts of business associates


A covered entity may fail to meet its Privacy Rule obligations if it knows about privacy violations by a business associate and fails to take reasonable steps to correct them. While a covered entity does not have to actively monitor its business associates' activities, it must investigate if it learns of possible wrongdoing.

Example 15: Big Pharma Company offers physician practices consulting services related to billing for its drugs. Physician practices that want to take advantage of these services disclose PHI to Big Pharma for it to use to provide billing advice. One of Big Pharma's employees discloses to the media PHI it received from a physician practice about a famous actor. If it learns of the improper disclosure, the practice must take reasonable steps to correct it, such as demanding better controls by Big Pharma over who in the company can access PHI.

If the covered entity cannot, through reasonable efforts, correct the business associate's violation of the Privacy Rule, it must terminate the business associate contract. If terminating the business associate contract is not possible or would cause significant hardship to the covered entity, it must report the violation to HHS.

3. Business associate changes in HITECH


HITECH expanded the definition of business associate to include entities that transmit PHI to a covered entity or its business associate and that need access to the PHI on a routine basis. These include, for example, health information exchange organizations, regional health information organizations, and e-prescribing gateways. The expanded definition also includes vendors that provide personal health record systems to covered entities.

HITECH also makes business associates directly subject to HIPAA's security requirements, including those relating to policies and procedures, risk assessment and management, employee training, and access controls. As a result, business associates will be directly subject to enforcement of the standards by HHS.

The HITECH Act made some changes in the privacy area as well. Not only did it add to and expand HIPAA's privacy requirements, but it made business associates legally responsible for complying with them, including existing and new requirements relating to:

- breach notification
- the disclosure of PHI when the patient has paid for the related medical item or service out of pocket
- the minimum necessary rule
- the need to inform patients of prior disclosures of their PHI
- the sale or marketing of PHI
- the right of patients to access their PHI in electronic form

This means that while business associates had previously been only contractually bound to comply with the privacy rules, they can now be held directly accountable under HIPAA's expanded civil remedies and criminal penalties if they don't comply.

Nevertheless, business associate contracts are still required. In addition, a business associate that knows that a covered entity is violating the Privacy Rule must take reasonable action to end the violation.

PROTECTED HEALTH INFORMATION (PHI)


The Privacy Rule applies to the use and disclosure of PHI by covered entities and business associates. PHI is defined as individually identifiable health information that's transmitted or maintained by a covered entity in any format. At a minimum, this includes all oral, computer-based, and paper-based patient health information. We'll discuss the specifics of PHI in greater detail below.

The Privacy Rule also applies to the use and disclosure of PHI relating to deceased individuals, for as long as a healthcare provider or organization maintains this information. However, a change in the rule about the length of HIPAA privacy protection for deceased individuals is pending.

I. Individually Identifiable Health Information


Individually identifiable health information is any information, including genetic information, that is created or received by a covered entity or an employer, identifies the patient or can be used to identify the patient who is the subject of the information, and relates to one of the following:

- The past, present, or future physical or mental health or condition of an individual
- The provision of healthcare to an individual
- The past, present, or future payment for healthcare provided to an individual

PHI does not include individually identifiable health information found in certain education records or in student records held by certain educational institutions. Employment records also aren't considered PHI.

II. De-identified Information and Limited Data Sets


Covered entities and business associates may de-identify PHI by removing, encrypting, or otherwise concealing all individually identifiable information. Properly de-identified PHI is not subject to the Privacy Rule. If de-identified information is subsequently re-identified, however, it reacquires the Privacy Rule's protections.

There are two ways to properly de-identify PHI. First, a covered entity or business associate may remove all identifying characteristics including, but not limited to:

- names
- addresses (excluding state and the first three zip code digits)
- dates (excluding year)
- social security numbers and other identification numbers
- medical record numbers
- telephone, fax, and Internet Protocol address numbers
- e-mail and other Internet addresses
- health insurance numbers
- biometrics, including photographs
- any other form of unique identifier

Information relating to gender, race, ethnicity, and marital status is not individually identifiable and doesn't need to be removed.

Example 16: Dr. Quinn, a physician in private practice, asks her office manager to de-identify a patient's medical record so that she may submit certain information to a pharmaceutical company. The office manager removes all information he thinks could identify the patient and leaves only the gender, race, and marital status in the chart. In addition, he leaves the patient's photograph in the file because it does not contain her name or any other identifying information on it. However, because the photograph could be used to identify the patient, the office manager failed to properly de-identify this medical record.

Even if all identifying characteristics have not been or cannot be removed, it is still possible for PHI to be treated as de-identified. The second way that a covered entity can determine that PHI is not individually identifiable is if a qualified statistician examines the PHI and determines that the risk of re-identification is very small.

Additionally, the Privacy Rule allows a covered entity to use or disclose a limited data set for research, public health, and healthcare operations purposes. A limited data set does not include directly identifiable information, but certain identifiers, such as admission, discharge, and service dates; date of death; age; and five-digit zip code, may remain. Before a covered entity may disclose a limited data set, however, it must obtain a data-use or similar agreement from whoever will receive the data. In the agreement, the recipient must promise to limit its use of the data to the original reasons for the disclosure and promise not to attempt to re-identify it or use it to contact the subjects.
Example 17: Potent Pharmaceutical Company provides hospitals with patient questionnaires about the effects of its drugs. The hospitals agree to collect the questionnaires from their patients treated with the company's drugs so that Potent can conduct research with the information. The questionnaires don't contain names, addresses, or other directly identifiable information, although some other identifiers, such as gender, remain. Assuming that the questionnaires meet the requirements for limited data sets and that Potent has signed a data-use agreement, covered hospitals may disclose the questionnaires to Potent for research purposes without patient permission, provided that the research meets the rule's substantive and procedural requirements for research.

The specific rules governing the de-identification of PHI and limited data sets are detailed and complex. If you have any questions or concerns about this subject, please consult your company's internal management or law department.
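The following is an added illustration, not part of the handbook or of any Privacy Rule guidance: it applies the identifier-removal route described above to a constructed patient record, runs the completeness check that Example 16's office manager skipped, and builds a limited data set that can only be released once a data-use agreement is in place. The field names, the sample values and the regular expressions are this example's own assumptions.

```python
import re
from datetime import date

# Constructed sample record: every value is made up, and the field names are
# hypothetical (a real system would map its own schema onto these classes).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street": "12 Example Lane",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "birth_date": "1961-03-15",
    "admission_date": "2012-05-02",
    "discharge_date": "2012-05-09",
    "ssn": "000-00-0000",
    "mrn": "MRN-000001",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "ip_address": "192.0.2.10",
    "insurance_id": "INS-000001",
    "photo_ref": "img/000001.jpg",
    "gender": "F",
    "marital_status": "married",
    "diagnosis": "hives after first dose of study drug",
}

# Identifier classes the handbook's first route removes outright (names,
# street-level address, SSN/MRN/insurance numbers, phone/fax/IP, e-mail,
# biometrics including photographs). Gender, race, ethnicity and marital
# status are not identifiers and pass through untouched.
REMOVE_FIELDS = {"name", "street", "city", "ssn", "mrn", "phone", "fax",
                 "email", "ip_address", "insurance_id", "photo_ref"}
# Dates are cut back to the year; the state and the first three zip digits stay.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date",
               "service_date", "death_date"}
# Identifier-shaped values that may hide inside free text ("any other form
# of unique identifier"). Patterns are this example's own, not the Rule's.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\S+@\S+"),
    "ipv4": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
}


def safe_harbor(record):
    """Return a copy of record with the listed identifiers removed or reduced."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if key == "zip":
            out[key] = value[:3]          # first three digits only
        elif key in DATE_FIELDS:
            out[key] = value[:4]          # year only
        else:
            out[key] = value
    return out


def verify_de_identified(record):
    """List the reasons a record still fails the first route (empty list = OK).
    A photograph is an identifier even with no name printed on it (Example 16),
    and free-text fields can carry numbers that re-identify the patient."""
    problems = []
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            problems.append(f"identifier field still present: {key}")
        elif key == "zip" and len(value) > 3:
            problems.append("zip code longer than three digits")
        elif key in DATE_FIELDS and len(value) > 4:
            problems.append(f"date more specific than year: {key}")
        elif isinstance(value, str):
            for label, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    problems.append(f"{label}-like value inside field {key}")
    return problems


def limited_data_set(record, dua_signed):
    """Build a limited data set; refuse without a signed data-use agreement."""
    if not dua_signed:
        raise PermissionError("a limited data set needs a data-use agreement")
    out = safe_harbor(record)
    # The handbook lets admission, discharge and service dates, date of death,
    # age and the full five-digit zip code remain in a limited data set.
    for key in ("admission_date", "discharge_date", "service_date",
                "death_date", "zip"):
        if key in record:
            out[key] = record[key]
    # Birth date is not on that list, so this example reduces it to age at
    # admission (a conservative choice, not a Rule requirement).
    if "birth_date" in record and "admission_date" in record:
        born = date.fromisoformat(record["birth_date"])
        seen = date.fromisoformat(record["admission_date"])
        out["age"] = seen.year - born.year - (
            (seen.month, seen.day) < (born.month, born.day))
        del out["birth_date"]
    return out
```

Running `verify_de_identified` on the output of `safe_harbor` returns an empty list, while re-adding the `photo_ref` field or a phone number inside the free-text diagnosis makes it report the leftover identifier.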

RESTRICTIONS ON USE AND DISCLOSURE OF PHI


I. General Restrictions

The Privacy Rule prohibits a covered entity and its business associates from using or disclosing a patient's PHI for any purpose, unless one of the following occurs:

- The patient signs a written authorization for the use or disclosure.
- The patient gives his agreement for the use or disclosure.
- The use or disclosure is permitted or required by the Privacy Rule without the patient's permission.

While this handbook addresses the key elements of and exceptions to the agreement and authorization requirements, it cannot cover every Privacy Rule detail. If you have any questions or concerns about the use or disclosure of PHI, you should immediately contact your company's internal management or law department.

II. The Minimum Necessary Requirement


Covered entities and business associates must limit most uses or disclosures of PHI to the minimum amount necessary to accomplish the purpose of the use or disclosure. This principle is known as the minimum necessary requirement. We'll discuss the particulars of this principle in more detail.

A. Determining the minimum necessary amount


In determining the minimum necessary disclosure, a covered entity may want to consider whether the purpose of the use, disclosure, or request can be accomplished with information that is not identifiable. If so, the covered entity should probably not use, disclose, or request PHI, unless one of the exceptions to the minimum necessary requirement (discussed below) applies. In fact, under the HITECH Act, a use, disclosure, or request must be limited to the extent practicable to a limited data set as defined in the existing rule. The broader minimum necessary standard applies instead only if the covered entity needs to make a use, disclosure, or request more extensive than the limited data set; in that case a broader minimum necessary disclosure is allowable. The burden of making a minimum necessary disclosure falls on the disclosing entity. The Secretary of Health and Human Services is required to issue additional guidance on these issues.

Example 18: A researcher is hired by a pharmaceutical company to study the effects of a drug on patients who suffer from a particular disease. The researcher must review certain diagnosis and treatment information about all patients who received the drug for the disease for a five-year period at Community Hospital, and the hospital's Institutional Review Board approves the use of the PHI. Because the goals of the research cannot be accomplished without revealing this PHI, the hospital may disclose it to the researcher, assuming other Privacy Rule requirements are met.

Example 19: Day Surgery Center, an ambulatory care facility, gives a patient medication, and the patient breaks out in hives. It contacts the pharmaceutical company that supplied the medication and gives the name of the patient. While the company needs information about what happened when the drug was administered to meet its obligations under applicable law, it does not need the patient's name. Because the company does not need the patient's name, disclosing it is not permitted by the Privacy Rule.

Example 20: Day Surgery Center, an ambulatory care facility, discovers that it has used infected blood during a surgical procedure. It contacts the pharmaceutical company that supplied the blood and gives the name of the person who received it. Because the company does need the patient's name to meet its legal obligations regarding contacting him, disclosing it is permitted by the Privacy Rule.

There are several rules that can provide some guidance for those making a minimum necessary determination. First, a covered entity or business associate may not use, disclose, or request a patient's entire medical record unless the entire record is the minimum amount necessary to accomplish the purpose of the disclosure or request. Disclosure of an entire medical record must be specifically justified as the minimum necessary.

Second, for disclosures and requests made on a routine or recurring basis, covered entities must implement policies and procedures that limit the PHI disclosed or requested to the minimum amount necessary to achieve the purpose of the disclosure. For nonroutine or nonrecurring disclosures and requests, covered entities must make the minimum necessary determination on a case-by-case basis.

Example 21: Day Surgery Center, an ambulatory care facility, routinely submits PHI to a pharmaceutical company so that the pharmaceutical company can meet an FDA reporting requirement. For routine or recurring disclosures, Day Surgery must establish policies and procedures that identify the minimum amount of PHI that must be included in the disclosures.
Third, for uses of PHI, covered entities must implement policies and procedures that:

- identify those members of its workforce who need access to PHI to do their jobs
- identify the types of PHI to which such people need access
- limit or control access to PHI to those people who need access to perform their jobs

Additionally, the Privacy Rule permits incidental uses and disclosures of PHI that cannot reasonably be prevented, that are limited in nature, and that occur as a by-product of an otherwise permitted use or disclosure under the Privacy Rule, as long as the provider meets the minimum necessary requirement and takes reasonable safeguards to limit such uses and disclosures. For instance, if voices are kept appropriately low, a covered entity will not be held liable if an unauthorized person overhears a conversation about a patient's medical condition. Covered entities are also permitted to call out patient names in waiting rooms and to use bedside charts and X-ray light boards that may be visible to passersby.

B. Exceptions to the minimum necessary requirement


In some cases, covered entities and business associates can use or disclose PHI without making a minimum necessary determination. The HITECH Act did not change the exceptions. For instance, determining the minimum PHI necessary isn't required when PHI is requested by or disclosed to a healthcare provider in connection with treatment.

Example 22: Dr. Winfield, a primary care physician, calls a pharmaceutical company to ask whether treatment with one of the company's drugs would be beneficial for a particular patient. During the call, Dr. Winfield discusses the patient's current condition. In this situation, the Privacy Rule does not require Dr. Winfield to make a minimum necessary determination before disclosing the patient's PHI, because the PHI is being disclosed in connection with the patient's treatment.

Minimum necessary determinations also are not required when disclosing a patient's PHI to the patient himself.

Example 23: A pharmaceutical company seeks to sponsor a clinical trial to test the effects of a new drug. A physician practice agrees to work with the company in soliciting patients to sign up for the trial. The practice calls its existing patients who might benefit from the new drug to see if they would be interested in participating. Because this request involves disclosing PHI to a patient who is the subject of it, the physician practice is not required to make a minimum necessary determination before sharing this information with the patient.

The same is true for uses and disclosures made pursuant to an authorization. Authorizations are discussed later in this handbook.

Example 24: A covered nursing home obtains individual authorization for each of its residents to release PHI to a pharmaceutical company to use for research purposes. The covered nursing home does not have to make a minimum necessary determination before releasing information to the pharmaceutical company.
Also, before the HITECH Act, a covered entity could rely, if reasonable, on the minimum necessary determination of the covered entity asking for the disclosure. The HITECH Act, however, changed this rule. Now, a disclosing entity must determine what constitutes the minimum amount of PHI necessary to accomplish the intended purpose of a disclosure. Minimum necessary determinations are not required for disclosures to HHS for determining HIPAA compliance or for disclosures to other government agencies that are required by law.

III. Uses and Disclosures for Treatment, Payment, and Healthcare Operations Purposes

Covered entities may use or disclose PHI for treatment, payment, and healthcare operations purposes without patient permission, unless state or other law provides otherwise. However, except in emergency situations, covered healthcare providers with direct treatment relationships are required to make a good-faith effort to obtain a patient's written acknowledgment that she has received the provider's notice of privacy practices no later than the time of first service delivery. (Notices of privacy practices will be discussed in more detail later in this handbook.) A direct treatment relationship exists when a healthcare provider provides services directly to the patient. If a direct treatment provider is unable to obtain such an acknowledgment, it must document its good-faith efforts to do so.

Indirect treatment providers are not required to obtain this acknowledgment, but may do so if they choose. (An indirect treatment relationship exists when a healthcare provider provides services to another provider who ordered the services. Examples of indirect healthcare providers include pathologists, radiologists, and specialists who consult with a patient's treating physician.) Health plans must provide a notice at the time of enrollment and every three years thereafter, but need not obtain an acknowledgment.

Even when required, the acknowledgment does not have to take a specific form. It may be as simple as the patient's initials on a cover sheet to the provider's privacy notice or her signature on a list or form. It may also be electronic. Providers faced with patients who refuse to sign or to return the acknowledgment may demonstrate good faith by documenting their efforts and the reasons for failure in the patient's record.

Example 25: Dr. Maddux, a geriatrician, refers an elderly patient to a pharmaceutical company that directly administers medication to patients and bills for these services. Dr. Maddux and the pharmaceutical company both provide healthcare services to the patient. Both Dr. Maddux and the pharmaceutical company have direct treatment relationships with the patient. As a result, they both are able to use and disclose PHI about her for treatment, payment, and healthcare operations without her permission unless state or other law provides otherwise. However, they must make a good-faith effort to obtain the patient's written acknowledgment that she has received the provider's notice of privacy practices no later than the time of her first service.

A. Treatment, payment, and healthcare operations


Let's take a closer look at some of the terms we first discussed in connection with the Privacy Rule's application to direct treatment relationships.

Treatment includes:

- providing, coordinating, or managing healthcare and related services
- consultations between healthcare providers relating to a patient
- patient referrals between healthcare providers

Payment includes (but is not limited to) all billing, claims management, reimbursement, and collection activities conducted by or on behalf of the covered entity. It also includes activities by health plans with respect to premium and benefit payments as well as to eligibility and coverage determinations.

Healthcare operations include activities related to the covered entity's primary function as a healthcare provider, health plan, or healthcare clearinghouse. Healthcare operations include (but are not limited to):

- quality assessment and improvement activities
- accreditation, certification, licensing, or credentialing activities
- insurance premium rating and other insurance underwriting activities
- legal, accounting, and audit services
- business planning and development activities
- general management, compliance, and administrative activities

A covered entity may use or disclose PHI for its own treatment, payment, or healthcare operations. A covered entity may release PHI to any healthcare provider for any treatment activities. It may also release PHI to a covered health plan for the recipient's use for payment purposes. A covered entity may also disclose PHI to another covered entity if the recipient needs it for certain healthcare operations purposes, including conducting quality assessment and improvement activities, carrying out population-based analyses related to improving health, and reviewing the competence of healthcare providers. However, these disclosures for healthcare operations are permitted only to the extent that the recipient has or has had a relationship with the individual who's the subject of the information. If the relationship has ended, disclosure must be limited to data related to the past relationship. These HIPAA rules apply unless state or other law provides otherwise.

Example 26: A covered provider uses PHI to calculate drug costs, discounts, or copayments. Such uses are payment activities if performed with respect to a specific individual, and are healthcare operations if performed in the aggregate for a group of individuals. Therefore, they are permissible under HIPAA without patient permission, unless state or other law provides otherwise.

Example 27: PharmaCo, a pharmaceutical company, manufactures drugs and operates a patient assistance program (PAP) that funds drug treatments for financially needy patients. A covered physician reviews medical records concerning specific patients and contacts the company to discuss whether and how those patients can benefit from its pharmaceuticals. The physician who contacts the program on behalf of a patient is managing the patient's care. The provider would be permitted to make such a treatment disclosure of PHI without patient permission, unless state or other law provides otherwise.

IV. Uses and Disclosures Requiring Patient Authorization

Under some circumstances that don't directly relate to healthcare, the Privacy Rule requires written authorization to use and disclose PHI. In the next few sections of the handbook, we'll take a closer look at the situations in which this type of permission is required.

A. General authorization requirements


In general, the Privacy Rule requires PHI to be disclosed when it's requested by the patient and when it's requested by HHS for determining a covered entity's compliance with the Privacy Rule. The rule permits covered entities to use or disclose PHI without patient permission for treatment, payment, and healthcare operations and for certain public-policy-related uses and disclosures discussed later in this handbook. In general, for all other purposes, the Privacy Rule requires patient permission to use and disclose PHI about the patient.

Covered entities may use and disclose PHI for facility directories and disclose PHI to persons assisting in an individual's care with patient agreement, which may be given verbally. When patient permission is required but verbal agreement is not appropriate, covered entities must secure an authorization from the patient (or the patient's representative) to use or disclose PHI. With proper authorization, disclosures may be made to any individual or organization, healthcare related or not, consistent with the terms of the authorization. Other purposes that are not directly related to healthcare and may require authorization include, but are not limited to:

- certain marketing activities
- health insurance eligibility or enrollment determinations relating to an individual
- most employment decisions by current or prospective employers
- reporting to financial, life insurance, and other institutions

Covered entities should develop policies and procedures regarding compliance with the patient authorization requirement. These policies and procedures must also address routine and recurring uses and disclosures of PHI, as well as the minimum necessary disclosure standard.

Example 28: Dietary Supplements, a pharmaceutical company, wants to buy a patient list from Dr. Gravida, an obstetrician, for direct product marketing. Because this requested disclosure of PHI is not for treatment, payment, or healthcare operations purposes; for a facility directory; or for people assisting in an individual's care, and does not qualify as a public-policy-related disclosure, Dr. Gravida may not disclose PHI to Dietary Supplements without each patient's authorization.

B. Required language
Authorization forms provided to patients must be written in plain language and must contain all of the following information:

- A specific description of the PHI to be used or disclosed
- The person(s) authorized to make the requested use or disclosure of the PHI
- The person(s) or entities to whom the covered entity may disclose PHI
- The date on which the authorization expires or an event that would cause it to expire
- A description of the patient's right to revoke the authorization and the procedure for doing so
- A statement that information disclosed under the authorization may be redisclosed to third parties that may not be subject to the Privacy Rule
- If signed by a personal representative on the patient's behalf, a description of the representative's legal authority
- A description of each purpose of the authorized use or disclosure
- A notification stating that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on signing the authorization if such conditioning is prohibited by the Privacy Rule, or, if it is permitted by the Privacy Rule, a statement about the consequences of refusing to sign the authorization

Additionally, for marketing authorizations, there must be a statement that a covered entity will receive remuneration for making a disclosure of PHI, if applicable.

Covered entities must keep copies of all authorizations for at least six years from the time they were created or last in effect, whichever is later. If a covered entity seeks an authorization from a patient, it must provide the patient with a copy of the signed authorization.

C. Contingent authorizations
Healthcare providers generally may not condition treatment on the patient signing an authorization. Health plans likewise generally may not condition enrollment or eligibility decisions on a signed authorization.

Example 29: Belinda sees Dr. Quasar, an orthopedic surgeon, for treatment of a strained ligament in her knee. Before agreeing to treat Belinda, Dr. Quasar tells her that she has to sign an authorization permitting him to sell her medical information to a pharmaceutical company. Because Dr. Quasar may not condition Belinda's treatment on her signing such an authorization, he has violated the Privacy Rule.

There are a few exceptions to this rule. One is that healthcare providers may condition research-related treatment on the patient's authorization to use or disclose PHI for these research purposes. Exceptions such as this are limited, so if you have any questions about their application, make sure to consult your company's internal management or law department.

Example 30: XYZ Pharmaceutical Company sponsors a clinical trial to test the efficacy of one of its pharmaceuticals. A covered dialysis company agrees to conduct the trial. It seeks authorizations from its patients to use and disclose PHI for research purposes and explains that they may not participate in the trial without signing the authorization. The dialysis company may do this because the treatment is associated with a clinical trial and the authorization covers the use and disclosure of PHI for research purposes.

Additionally, when medical treatment is rendered for the sole purpose of providing information to a third party, the covered entity may condition the treatment on the patient's authorization.

Example 31: Dr. Jones agrees with Drug Maker Incorporated to provide employment-related physicals. Because the purpose of the treatment is to provide PHI to Drug Maker, Dr. Jones may condition performing the physicals on receiving the patient's authorization to disclose the results of the exam to the company.

D. Specific applications

1. Psychotherapy notes


Subject to certain exceptions, a covered entity may not use or disclose psychotherapy notes for any purpose without first obtaining the patient's authorization to do so. Psychotherapy notes are notes taken during counseling sessions by a licensed mental healthcare provider, such as a psychiatrist or psychologist, and must be kept separate from the rest of the patient's medical record to receive special treatment under the Privacy Rule. Information relating to prescriptions, modalities of treatment, test results, diagnostic summaries, and certain other items are not considered psychotherapy notes. Exceptions to this rule include the healthcare provider's own use of the notes for treatment purposes, and use or disclosure of them for clinical training, professional oversight activities, or purposes otherwise required by law.

Example 32: Dr. Johnson, a psychiatrist, is treating Marcus on an outpatient basis for clinical depression. During each counseling session, Dr. Johnson takes notes on Marcus's complaints, feelings, and observations. Although she uses these notes to form diagnostic opinions and to develop a treatment plan, the notes are kept separate from the rest of Marcus's chart. Dr. Johnson may not use or disclose them without Marcus's express authorization except for use in his treatment, professional training and oversight, and disclosures required by law.

2. Marketing

In general, a covered entity may use or disclose PHI for marketing purposes only with the patient's authorization. Marketing in this context means a communication about a product or service that encourages people to buy or use the product or service. Marketing also means an arrangement between a covered entity and a third party under which the covered entity discloses PHI to the third party in exchange for payment or other benefit, and the third party uses the PHI to market its products or services.

Communications that describe the healthcare providers that participate in the covered entity's network or the benefits available under a health plan aren't considered marketing and therefore don't require authorization. Additionally, communications for treatment of an individual, for case management or care coordination, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care don't fall under the definition of marketing. Patient authorization also isn't required for marketing activities that occur during face-to-face encounters with the patient or concern products or services of nominal value, such as pens or coffee mugs.

Example 33: A pharmaceutical representative speaks with doctors in a physician practice about the benefits of a product he sells. The representative leaves the practice with several free samples of the pharmaceutical. Based on that conversation, a physician in the practice recommends to a patient that she switch her medication to the pharmaceutical. This use of PHI by the physician is permissible without patient authorization because it involves recommending an alternative treatment and is therefore not considered marketing.

Example 34: An oncology practice sends prescription drug refill reminders to its patients. A pharmaceutical company that manufactures the drugs prescribed by the practice covers the costs of mailing the reminders and the staff time associated with sending them. Because the use and disclosure of PHI for prescription refill reminders is considered treatment, such communications do not qualify as marketing and may be made by the practice without patient authorization. (Note that while HIPAA permits this use, other laws may impact the ability of a pharmaceutical company to offer remuneration to physician practices, and a pending HIPAA rule change might regulate the amount of the remuneration.)

The HITECH Act added some additional restrictions and clarifications about use or disclosure of PHI for marketing. One provision requires that a patient authorization for marketing activities must specify whether PHI can be further exchanged for remuneration by the entity receiving the PHI. What this means is not entirely clear, but it is clear that using authorizations for marketing is more difficult. The new requirement does not apply to public health, research, or certain other activities. A second provision addresses the potential overlap between marketing and certain healthcare operations. It says, essentially, that a covered entity cannot justify some types of marketing as a healthcare operation. A third provision addresses prescription communications paid for by a third party. It allows communications, such as prescription reminders, only for current drugs. It appears to prohibit so-called switch letters, encouraging a patient to consider taking a different drug. The language may also affect routine advertising on covered entities' websites. Because of the complexity of these marketing restrictions, you should seek advice before engaging in any marketing activities that might involve the use or disclosure of PHI.

3. Fund-raising conducted for the benefit of the covered entity


In general, covered entities may use or disclose PHI in connection with their own fund-raising efforts only with the patient's authorization. However, covered entities may use demographic information about a patient for fund-raising purposes for their own benefit without patient authorization. For this purpose, the covered entity may use or disclose only basic patient information, such as name, address, and dates of care. Covered entities may not use PHI for fund-raising purposes that relate to a patient's diagnosis or reason for treatment. Patients must be given the opportunity to prohibit or restrict (opt-out of) any future marketing or fund-raising communications. The HITECH Act requires that the opt-out be clear and conspicuous.

V. Disclosures to the Patient or Others Assisting in His Care

Under certain circumstances, a covered entity may disclose a patient's PHI to a family member, relative, close personal friend, or other person identified by the patient and assisting in the patient's care. In some cases, a covered entity may also disclose PHI to notify, or assist in the notification of, a family member, a personal representative, or another person responsible for the individual's care of the individual's location, general condition, or death. In these situations, covered entities must satisfy specific legal requirements that depend on whether the patient is present and capable of making healthcare decisions.

If the patient is present and capable of making these decisions, the covered entity may disclose PHI to a family member or another person assisting in the patient's care as long as one of the following is true:

- The patient agrees to the disclosure.
- The patient has the opportunity to object to the disclosure and does not.
- The healthcare provider can, based on professional judgment, reasonably infer from the circumstances that the patient does not object to the disclosure.

If the patient is not present, a covered entity may disclose PHI to a person assisting in the patient's care if it determines, based on professional judgment, that the disclosure is in the patient's best interest. The same is true for patients who are unable to make healthcare decisions because of incapacity or emergency. Under these circumstances, however, the covered entity may disclose only the PHI that's directly relevant to the person's involvement in the patient's healthcare.

Example 35: Donna is hospitalized after falling and hitting her head. A bystander who saw the accident calls Donna's coworker, who rushes to the hospital. When the coworker arrives, Donna is unconscious. Donna's physician may disclose PHI to the coworker if, in the physician's professional judgment, disclosing the information to the coworker is in Donna's best interest. The physician, however, may only disclose the PHI directly related to the coworker's involvement in making decisions about Donna's current treatment.

Finally, a covered entity may use or disclose PHI to an entity authorized by law or its charter to assist in disaster relief efforts, for the purpose of coordinating the kinds of disclosures discussed above. The covered entity has to follow the requirements outlined above only to the extent that they do not interfere with the entity's ability to respond to an emergency.

VI. Uses and Disclosures Without Patient Permission


Under limited circumstances, covered entities may also disclose PHI to help further important public policy objectives. In such instances, the covered entity is not required to obtain the patient's permission. A number of public-policy-related disclosures are permissible. Many of these are described below. You should remember that strict requirements must be met before making such disclosures. You should consult your company's internal management or law department before disclosing PHI for public-policy reasons.

A. Public health activities


A covered entity may disclose PHI related to the quality, safety, or effectiveness of products and activities regulated by the Food and Drug Administration (FDA), as long as the recipient of the information is subject to the FDA's jurisdiction and has responsibility for the safety, quality, or effectiveness of the product or activity. Reports are permitted for the following purposes, among others: (1) to collect or report adverse events, product defects or problems, or biological product deviations; (2) to track FDA-regulated products; (3) to enable product recalls, repairs, or replacement, or for lookback by blood and plasma professionals (including locating and notifying individuals who have received contaminated or defective products); or (4) to conduct post-marketing surveillance.

Example 36: A covered physician using an FDA-regulated medication sent by a pharmaceutical company finds mold in the medication. Because the pharmaceutical company is regulated by the FDA and is responsible for the quality of this product, and the disclosure relates to the quality and safety of the product, the covered physician may disclose the names of patients who received the medication to the pharmaceutical company without patient permission. This enables the company to recall the product.

Example 37: A hospital contacts a pharmaceutical manufacturer to provide a list of patients who prefer a different flavored cough syrup over the manufacturer's product. Because this disclosure would not be for a public health activity, it would not be permissible for the hospital to disclose this information under the exception for public health disclosures.

A covered entity may also disclose PHI to a public health authority authorized to receive PHI for the purposes of preventing or controlling disease, injury, or disability. Public health authorities typically include state health departments, the Centers for Disease Control and Prevention (CDC), the National Institutes of Health (NIH), the Food and Drug Administration (FDA), the Occupational Safety and Health Administration (OSHA), and the Environmental Protection Agency (EPA). A covered entity may disclose PHI to a public health or other governmental authority to report child abuse or neglect. When authorized by law, covered entities may also disclose PHI to people who may have been exposed to a communicable disease. Providers who provide healthcare to an employer's workforce may disclose PHI to employers concerning work-related injuries, for limited purposes, and concerning workplace-injury surveillance activities that may be required by law.

B. Victims of abuse, neglect, or domestic violence


Covered entities may disclose to government authorities, including social or protective service agencies, PHI about an adult patient whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence. If a report of suspected abuse, neglect, or domestic violence is not otherwise required by law but is expressly permitted, the covered entity must reasonably determine, before disclosing the PHI, that the disclosure is necessary to prevent serious harm to the patient or other potential victims. A covered entity must inform the patient, orally or in writing, that it has disclosed PHI to report abuse. There are two exceptions to this. A covered entity does not have to notify the patient if it reasonably believes that informing her would place her at risk of serious physical or emotional harm. A covered entity also does not have to notify an individual's personal representative if it reasonably believes that the representative is responsible for the abuse or neglect.

C. Health-oversight activities

Covered entities may also disclose PHI to a health-oversight agency or a person acting on its behalf. A covered entity may also use PHI when it is a health-oversight entity itself. Health-oversight activities may include audits; investigations; inspections; licensure or disciplinary actions; and civil, criminal, and administrative proceedings. These disclosures are encouraged because health-oversight activities are intended to safeguard the integrity and quality of public and private healthcare systems and programs. Investigations that target the patient who's the subject of the PHI aren't considered health-oversight activities unless they're related to the receipt of healthcare or to claims for public benefits.

D. Judicial and administrative proceedings


Covered entities may disclose PHI pursuant to a court order. Without a formal court order, covered entities may disclose PHI in connection with legal proceedings if specific conditions (generally requiring notice to the individual who is the subject of the PHI) are met. As mentioned earlier, the specific requirements governing disclosure of PHI for public-policy purposes are detailed and complex. Prior to disclosing PHI in this context, you should contact your company's internal management and law department to coordinate an appropriate disclosure of information.

E. Law enforcement

With some limitations, covered entities may also disclose PHI to law enforcement officials in connection with certain law enforcement requests and activities. Generally, these disclosures must relate to

- a requirement by law for the reporting of wounds or injuries or the mandates of a court order, subpoena, or summons
- the identification or location of a suspect, fugitive, material witness, or missing person
- information about the victim of a crime
- evidence of criminal conduct that occurred on the covered entity's premises
- disclosures about deceased persons
- reporting crimes in an emergency

Before disclosing PHI in this context, you should contact your company's internal management and law department to coordinate an appropriate disclosure of information.

F. Research

In general, a covered provider must obtain an authorization from a patient to use and disclose the patient's PHI for research purposes. Of course, it may use and disclose information that has been de-identified under HIPAA standards without patient permission for any purpose, including research purposes. Additionally, it may use and disclose a limited data set for research purposes without patient permission if the provider enters into a data-use agreement as described earlier in this handbook.

Example 38: A pharmaceutical company would like to secure information from physician practices that administer its drugs for the purposes of a research study. No identifiable information will be released. Assuming the physician practices de-identify the data according to the requirements of the Privacy Rule, they may disclose such information to the pharmaceutical company without patient permission.

There are three exceptions to the rule that a covered provider must obtain an authorization from a patient to use and disclose the patient's PHI for research purposes.

First, the Privacy Rule permits a covered entity to use and disclose PHI without individual authorization for the purpose of preparing a research protocol or similar purpose preparatory to research, if the covered entity obtains representations from the researcher that (1) the disclosure of PHI is solely for the purpose of preparing a research protocol or to prepare for research; (2) no PHI will be removed from the premises of the covered entity by the researcher; and (3) the PHI is necessary to the research purposes.

Example 39: A pharmaceutical company decides to sponsor a clinical trial and contacts a covered dialysis center to see if it would be a suitable place for the study. A representative of the pharmaceutical company comes to the dialysis center to review its medical records in order to assess whether the trial would be feasible. The company has assured the center that (1) no PHI will be removed from the premises; (2) the PHI will be used only to assess the feasibility of the study; and (3) the PHI is necessary to the research. The dialysis center may disclose PHI to the pharmaceutical company for this purpose without patient authorization.

Second, a covered entity may use or disclose PHI of the deceased for research if the researcher represents to the covered entity that the disclosure is solely for research on decedents, if the researcher provides documentation of death (if requested by the covered entity), and if the researcher represents that the PHI is necessary for the research.

Third, a covered entity may use or disclose PHI without patient authorization for research if it receives the prior approval of the covered entity's Institutional Review Board (IRB) or a similarly composed body, called a Privacy Board, altering or waiving the authorization requirement. An IRB is a committee that's generally responsible for overseeing research affecting human subjects. In approving the use or disclosure of PHI for medical research purposes, an IRB must determine each of the following:

- The use or disclosure of PHI involves only minimal risk to the research subjects, including, for instance, that adequate procedures exist to protect PHI from improper use and disclosure.
- The research cannot practicably be conducted without altering or waiving the authorization requirement.
- The research cannot practicably be conducted without access to or use of the PHI.

When assessing minimal risk as identified in the first criterion, an IRB or Privacy Board would have to consider the following factors: (1) an adequate plan to protect identifiers from improper use and disclosure, (2) an adequate plan to destroy identifiers at the earliest opportunity consistent with the research, unless there is a justification for retention, and (3) the adequacy of written assurances against redisclosure. An IRB or Privacy Board is not limited to considering only these factors, however.

The covered entity must obtain documentation of the IRB/Privacy Board's approval of the use of PHI for medical research purposes. This documentation must identify the IRB/Privacy Board, the date of its action, and include a statement that the IRB/Privacy Board determined that its action satisfied the required criteria. Finally, the documentation must include a brief description of the PHI to be used or disclosed in connection with the medical research.

Example 40: A pharmaceutical company decides to sponsor a research study and solicits the help of a health system to conduct the trial. The study involves records research only. An IRB finds that because of the large number of medical records involved, the research cannot be conducted without waiver of the authorization requirement. It finds that other waiver criteria are met and therefore waives the authorization requirement. The health system may disclose PHI to the pharmaceutical company without patient permission because an IRB waived the authorization requirement.

Example 41: A pharmaceutical company decides to sponsor a clinical trial and solicits the help of a health system to conduct it. The study involves clinical treatment. An IRB finds that because patients will receive the drug being studied as part of the trial, the health system could easily secure an authorization from each of the trial subjects. The IRB therefore finds that the research can be conducted without altering or waiving the authorization requirement. Because the waiver criteria cannot be satisfied, the health system may not disclose PHI to the pharmaceutical company without patient permission.

G. Serious threats to health or safety


Covered entities may use or disclose PHI if they determine that disclosure is necessary to prevent a serious and imminent threat to the health or safety of a person or the public. The disclosure must be made to a person reasonably able to prevent or lessen the threat, including the target of the threat or enforcement officials.

H. Other public-policy-related disclosures

Finally, covered entities may disclose PHI to serve a number of other public-policy-related purposes. These include disclosures to

- coroners and medical examiners
- organ procurement, donation, and transplantation organizations
- workers' compensation agencies and programs
- military and intelligence agencies (if the PHI relates to an individual's current or past service)
- the Secret Service for the protection of the President of the United States
- any entity when the disclosure is required by law

These uses or disclosures of PHI are usually subject to many requirements that must be satisfied prior to the use or disclosure of the information. You should direct any questions or concerns you may have to your company's internal management or law department.

VII. Patient Rights

A. Right to receive notice of privacy practices


A covered entity must provide patients with a written notice of its privacy practices. Organized healthcare arrangements and affiliated entities that designate themselves as a single entity may develop a uniform joint notice for all of the entities involved. A covered healthcare provider that has a direct treatment relationship with a patient must make a good-faith effort to obtain a written acknowledgment of the receipt of the notice by the individual. If a covered entity is not able to obtain the acknowledgment, it must document its good-faith efforts and explain the reasons why the acknowledgment was not obtained. In emergency situations, covered entities must provide notice as soon as reasonably possible after the emergency.

Example 42: Worldwide Pharmaceuticals runs a mail-order pharmacy that files electronic healthcare claims for the drugs it sells. Worldwide is a covered entity under the Privacy Rule because it provides treatment services and engages in electronic standard transactions. As a covered entity, it must provide notice of its privacy practices to each individual who purchases medications from the mail-order pharmacy.

The Privacy Rule contains specific instruction on information that must be included in the notice and the manner in which it must be provided. Each of these requirements is discussed in the following sections.

1. Content of notice
A notice of privacy practices must be written in plain language and contain the following required information:

- A prominently displayed statement that reads, "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."
- A description of the permitted and required uses and disclosures of PHI that may be made without patient authorization, including at least one example of how the covered entity would use or disclose PHI for each of the following purposes: treatment, payment, and healthcare operations
- A sufficiently detailed description of each of the other purposes for which uses or disclosures are allowed by HIPAA without the individual's written authorization, including any applicable restrictions imposed by other laws
- A statement that all other uses and disclosures will be made only with the patient's written authorization
- An explanation of the patient's privacy rights, including the right to receive confidential communications; to copy and inspect her PHI; to request an amendment of her PHI; to receive an accounting of certain disclosures of PHI; and to request restrictions on a covered entity's use or disclosure of PHI
- If the covered entity plans to engage in certain activities, a description of the activities (for example, fund-raising, providing appointment reminders or treatment-related information, or, in the case of a group health plan, disclosing PHI to the plan sponsor)
- A description of the covered entity's legal obligations to maintain the privacy of PHI, to abide by the terms of its notice of privacy practices, and to inform patients of any changes to the notice
- An explanation of the patient's right to file a complaint with the covered entity or HHS and a statement that the patient will not be retaliated against for filing a complaint
- The name or title, along with the telephone number, of a person or office to contact for further information
- The effective date of the notice

Additionally, to the extent that state or other law restricts an otherwise permissible use or disclosure, the notice must reflect the more restrictive law. Also, if a covered entity decides to limit the uses and disclosures of PHI it may make, the covered entity may describe the more limited uses and disclosures in its notice.
However, the entity may not restrict the uses and disclosures it is required to make by law or the uses and disclosures it may make to avert a serious threat to the health or safety of an individual or the public. Importantly, for a covered entity to apply a change in a privacy practice that is described in its notice to PHI obtained prior to issuing a revised notice, the covered entity must have reserved the right to do so in its original notice. Example 43: Dr. Smith, a cardiologist, conducts research on behalf of a pharmaceutical company. The notice of privacy practices Dr. Smith uses must include provisions that inform patients that he makes disclosures for research purposes.

Covered entities must maintain copies of all issued notices for at least six years from the date they were created or last in effect, whichever is later.

2. Provision of notice
Covered entities must provide notice to all patients, health plan enrollees, and anyone else who requests it. In addition, covered entities must prominently post the notice in their facility or facilities (if they are direct providers with physical service delivery sites), as well as on their websites (if they maintain websites). Covered entities must promptly revise their notice whenever there is a material change in their privacy practices. Covered entities may not implement any material changes in their privacy practices until the effective date of the revised notice.

Healthcare providers in direct treatment relationships must provide notice to all patients no later than their first appointment. They may satisfy this requirement by mailing the notice electronically, as long as the patient has agreed to receive the notice in this manner. If a patient's first encounter with a covered entity is electronic, the covered entity must provide notice in electronic form at that time. Healthcare providers in indirect treatment relationships are only required to provide notice if the patient requests it.

Electronic notice, such as e-mail, must meet certain additional requirements. Importantly, the patient must agree to accept notice in this form. Electronic notice must state that the patient has a right to receive a paper copy upon request. If e-mail transmission fails, the covered entity must provide the patient with a paper copy of the notice.

Example 44: The first time Meg goes to fill a prescription through WebDrugs, a covered Internet pharmacy, WebDrugs must automatically and contemporaneously provide her with the pharmacy's notice of privacy practices.

B. Right to request restriction on uses and disclosures of PHI


A covered entity must allow patients to request restrictions on the use or disclosure of PHI for treatment, payment, and healthcare operations. This right also applies to disclosures made to those assisting in the patient's care, such as family members and friends.

Example 45: Andrew requests that Hilltop Hospital never disclose PHI to a pharmaceutical company for treatment purposes. Once Hilltop agrees to such a restriction, it is prohibited from disclosing PHI to a pharmaceutical company for treatment purposes, even if the disclosure would otherwise be allowed under the Privacy Rule.

The covered entity, however, is not required to agree to the requested restriction. But if the covered entity accepts the restriction, it must honor the patient's request. The restriction is only binding on the covered entity that agrees to it. A covered entity that agrees to a requested restriction must document the restriction and keep it on file for at least six years from the date it was created or last in effect, whichever is later. If a patient needs emergency treatment and restricted PHI is necessary to a healthcare provider to provide that treatment, a covered entity may use or disclose PHI to the provider. The covered entity must, in this case, request that the healthcare provider refrain from using or disclosing the restricted information further.

A change by the HITECH Act requires covered entities to agree to a patient request to restrict disclosures to a health plan for purposes of carrying out payment or healthcare operations if the PHI pertains solely to a healthcare item or service that the patient has paid for out of pocket in full. An individual cannot prevent any such disclosure required by law, however.

C. Receipt of confidential communications


A covered entity must allow a patient to request the means by which and locations where the patient wishes to receive communications of PHI from the covered entity. In addition, it must accommodate reasonable requests to receive this information in different forms (for example, written or electronic) or at different locations. All reasonable requests must be accommodated. Covered entities may require the patient to make these requests in writing.

D. Right of access to PHI

1. Right of access


Patients generally have the right to inspect and copy PHI. A covered entity may require the patient to request access in writing. Exceptions to this right of access include psychotherapy notes, information related to legal proceedings, and certain information related to the operations of clinical laboratories. The right of access exists as long as the covered entity maintains the PHI.

In addition, there are certain circumstances in which a covered entity may deny an access request. For example, a covered entity may deny a patient access to his PHI if the access is likely to endanger the life or safety of the patient or someone else. Correctional institutions may deny inmates access to their PHI for health and safety reasons. In addition, a covered entity may temporarily deny an access request when the patient is receiving treatment in an ongoing clinical research trial if the patient agreed to such a restriction. A request may also be denied to protect a confidential source of information.

Example 46: Katrina is enrolled in an ongoing clinical trial for a new medication. When she enrolled, the hospital conducting the research informed her that her access would be restricted while she was participating in the trial but would be reinstated after it was completed. Katrina consented to that restriction. During the trial, Katrina requests access to her PHI. The hospital may deny her request, but must provide her with the information after the clinical trial is completed.

In certain situations, a patient has the right to a formal review of the decision denying access to PHI. These situations usually involve denials based on potential harm to the patient or others. Reviews of access denials must be performed by a licensed healthcare professional who did not participate in the original decision and who is designated by the covered entity to serve in this capacity. The reviewing healthcare provider must determine, within a reasonable period of time, whether or not to deny the access requested. The covered entity must provide the patient with written notice of the reviewing decision.

2. Provision of access
If a covered entity agrees to grant access, it must try to provide the PHI in the form requested by the patient. If the PHI is not available in this form, the covered entity must produce a legible copy in an agreed-upon form. The HITECH Act added a requirement for information maintained in an electronic health record: a patient has the right to obtain that information from a covered entity in an electronic format. The individual may also direct the covered entity to transmit the information to a designated entity or person. The fee for providing an electronic copy cannot exceed the covered entity's labor cost for responding to the request. A covered entity may provide the patient with a summary of the PHI rather than provide access to it, as long as the patient has agreed in advance to accept a summary. In addition, a covered entity may charge the patient a reasonable fee for the summary. Again, the patient must have agreed to the charge in advance. Patients may also be charged a reasonable fee for copying, including the cost of supplies and labor of copying and postage, if applicable. The fee may not include charges for retrieving, handling, or processing the information.

3. Denial of access
When a covered entity denies an access request, it must give the individual access to any other PHI requested, after excluding PHI for which it has a basis for denial. A denial of access must be in writing and explain the basis for the denial. If applicable, the denial must state that the individual may have the denial reviewed. Finally, it must explain how the patient may file a complaint with the covered entity or with HHS. If the covered entity does not maintain the requested PHI, it must inform the patient where to direct the request for access, if it knows.

E. Right to request amendment of PHI


A covered entity must allow patients the opportunity to request changes to their PHI, for as long as the entity maintains this information. There are certain exceptions to this right. A covered entity may deny this request if it did not create the PHI. If the creator of the PHI is no longer available to act on the request, however, the covered entity must treat the request as though it did create the PHI. A covered entity may deny a request for amendment if it determines that the PHI to which the request applies is accurate and complete. Finally, a covered entity may deny these requests if the patient doesn't have the right to access the information under the Privacy Rule. Covered entities must act on a patient's request within 60 days of receiving it. If the covered entity can't meet this deadline, it may extend the deadline by no more than 30 days after providing notice to the individual of the reason for delay and the date by which it will comply with the request. Upon making its decision, the covered entity must inform the patient whether it will agree to the request. If it does agree, it then must make the amendment and inform the patient, persons identified by her as having received PHI needing the amendment, and persons, including business associates of the covered entity, who might use the information to the detriment of the individual. If a covered entity denies the request, it must state the reasons for the denial in writing. The written denial must also describe the patient's right to submit a statement disagreeing with the denial and the procedures for submitting such a statement, as well as the patient's right to file a complaint with the covered entity and HHS. The denial must also state that if the patient does not submit a statement of disagreement, she may request that the covered entity provide her amendment request whenever it uses or discloses the PHI that's the subject of her request in the future.

F. Right to receive an accounting of PHI disclosures


Patients generally have the right to receive an accounting of disclosures of their PHI made by a covered entity, including those by or to a business associate. This right generally covers disclosures made within the six years preceding the accounting request. However, except as noted below, covered entities don't have to account for disclosures for treatment, payment, or healthcare operations purposes. In addition, the patient's right to receive an accounting may be temporarily suspended if the disclosure was made to a health oversight or law enforcement agency and the requested accounting would reasonably impede the agency's activities.

The HITECH Act, however, made several changes to these accounting rules. First, the exception for disclosures for treatment, payment, or healthcare operations purposes no longer applies to disclosures made from an electronic health record. However, the obligation to report such disclosures goes back only three years, not six. Second, the Privacy Rule added a new way to provide an accounting to a requesting patient. As before, a covered entity can provide a complete accounting that includes all disclosures made by the covered entity and its business associates. In the alternative, the HITECH Act also allows a covered entity to report only its own disclosures and to provide the requesting patient with a list of names and addresses of its business associates. These changes must be implemented between 2011 (for newer systems) and 2014 (for older systems). Many questions about the new accounting requirements remain to be answered by HHS regulations.

To comply with the Privacy Rule, an accounting must include a brief statement of the purpose of and basis for the disclosure, the date of the disclosure, the name of the person or entity that received the PHI, and a brief description of the PHI disclosed. For multiple disclosures to the same recipient, a summary addressing all such disclosures is permitted.

Example 47: Valley Hospital discloses the same PHI to a pharmaceutical company for public health activities every month. The hospital can account for those disclosures by including in the accounting the date of the first disclosure; the name of the pharmaceutical company and its address; a brief description of the information disclosed; a brief description of the purpose of the disclosures or, if applicable, a copy of the request for such disclosure; the fact that the disclosures were made every month; and the date of the most recent disclosure.

If a covered entity has made disclosures of PHI for a particular research purpose for 50 or more patients, the accounting may provide the following information instead of information specific to each and every disclosure made for research purposes:
- the name of the protocol or other research activity
- a brief, plain-language description of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records
- a brief description of the type of PHI disclosed
- the date or period of time when the disclosures occurred, including the date of the last disclosure during the accounting period
- the name, address, and telephone number of the entity that sponsored the research (such as a pharmaceutical company) and of the researcher who received the PHI
- a statement that the PHI may or may not have been disclosed for a particular protocol or other research activity

A covered entity has 60 days to respond to a request for an accounting. If it is not able to do so within 60 days, it may request a one-time 30-day extension, as long as it provides the patient with the reason for the delay and the date by which it will provide the accounting. Individuals have a right to receive one free accounting per 12-month period. For each additional request by an individual within the 12-month period, the covered entity may, with prior notice, charge a reasonable, cost-based fee.
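As an added illustration (not code from the handbook or from any covered entity), the following Python model encodes the accounting rules just described: the six-year look-back, the three-year look-back for disclosures from an electronic health record for treatment, payment or operations, the temporary suspension for oversight and law-enforcement disclosures, the per-recipient summary of Example 47, the protocol-level summary for research covering 50 or more patients, and the 60-day response window with its one-time 30-day extension. All field names and the sample disclosure log are constructed for the example.

```python
"""Accounting-of-disclosures model (added illustration, not the handbook's or any
covered entity's code). Field names and sample records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TPO = {"treatment", "payment", "operations"}   # exempt unless from an EHR (HITECH)


@dataclass
class Disclosure:
    when: date
    recipient: str                  # person or entity that received the PHI
    address: str
    purpose: str                    # basis for the disclosure, e.g. "public health"
    phi: str                        # brief description of the PHI disclosed
    from_ehr: bool = False          # made from an electronic health record
    suspended: bool = False         # oversight/law-enforcement suspension in force
    protocol: Optional[str] = None  # research protocol name, if a research disclosure
    sponsor: str = ""               # research sponsor (name/address/phone in practice)
    patient_count: int = 1          # patients covered by a research disclosure


def years_before(d: date, n: int) -> date:
    """Same calendar day n years earlier (29 Feb falls back to 28 Feb)."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def in_scope(d: Disclosure, asof: date) -> bool:
    """Must this disclosure appear in an accounting requested on `asof`?"""
    if d.suspended:                 # temporarily withheld, not dropped from the log
        return False
    if d.purpose in TPO:
        # Paper TPO disclosures stay exempt; EHR TPO disclosures are reportable
        # under HITECH, but only for the last three years rather than six.
        return d.from_ehr and d.when > years_before(asof, 3)
    return d.when > years_before(asof, 6)


def build_accounting(records, asof: date) -> list:
    """Group in-scope disclosures into the entries the accounting must contain."""
    by_recipient, research = defaultdict(list), defaultdict(list)
    for d in sorted((r for r in records if in_scope(r, asof)), key=lambda r: r.when):
        (research[d.protocol] if d.protocol else by_recipient[(d.recipient, d.purpose)]).append(d)
    entries = []
    for (recipient, purpose), ds in by_recipient.items():
        # Repeated disclosures to one recipient for one purpose may be summarised
        # (Example 47): first date, last date and count instead of every row.
        entry = {"recipient": recipient, "address": ds[0].address, "purpose": purpose,
                 "phi": ds[0].phi, "first": ds[0].when, "count": len(ds)}
        if len(ds) > 1:
            entry["last"] = ds[-1].when
        entries.append(entry)
    for protocol, ds in research.items():
        patients = sum(d.patient_count for d in ds)
        if patients >= 50:          # protocol-level summary permitted
            entries.append({"protocol": protocol, "sponsor": ds[0].sponsor,
                            "researcher": ds[0].recipient, "phi": ds[0].phi,
                            "first": ds[0].when, "last": ds[-1].when, "patients": patients,
                            "note": "PHI may or may not have been disclosed for this protocol"})
        else:                       # under 50 patients: list each disclosure
            entries.extend({"recipient": d.recipient, "address": d.address, "purpose": "research",
                            "phi": d.phi, "first": d.when, "count": 1} for d in ds)
    return entries


def response_deadline(request: date, extension: bool = False) -> date:
    """60 days to respond; one 30-day extension if the patient is told why and when."""
    return request + timedelta(days=90 if extension else 60)


ASOF = date(2010, 7, 1)             # constructed request date


def sample_records() -> list:
    """Constructed disclosure log exercising each rule above."""
    monthly = [Disclosure(date(2010, m, 15), "Pharma Co", "1 Main St", "public health",
                          "immunization records") for m in range(1, 7)]
    return monthly + [
        Disclosure(date(2009, 3, 1), "Health Plan A", "2 Pay Rd", "payment", "claim", from_ehr=True),
        Disclosure(date(2006, 3, 1), "Health Plan A", "2 Pay Rd", "payment", "claim", from_ehr=True),
        Disclosure(date(2009, 5, 1), "Health Plan B", "3 Pay Rd", "payment", "claim"),
        Disclosure(date(2010, 2, 1), "State Police", "4 Law Ave", "law enforcement",
                   "visit dates", suspended=True),
        Disclosure(date(2003, 1, 1), "Old Co", "5 Far St", "public health", "lab results"),
        Disclosure(date(2009, 9, 1), "Dr. Lee", "6 Lab Ln", "research", "diagnoses",
                   protocol="Trial-X", sponsor="Pharma Co", patient_count=30),
        Disclosure(date(2010, 3, 1), "Dr. Lee", "6 Lab Ln", "research", "diagnoses",
                   protocol="Trial-X", sponsor="Pharma Co", patient_count=30),
    ]


if __name__ == "__main__":
    for e in build_accounting(sample_records(), ASOF):
        print(e)
    print("respond by", response_deadline(ASOF))
```

Run against the sample log, the model yields three entries (one summarised monthly series, one EHR payment disclosure, one research summary) and drops the paper payment disclosure, the stale EHR payment disclosure, the suspended law-enforcement disclosure, and the disclosure older than six years.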

G. Right to receive notice of a breach of PHI


As we've seen, patients have the right to be informed of their covered entity's privacy policies. But what happens if, despite those policies, there's an unauthorized transfer, use, or other breach of the protected information? The HITECH Act provided the answer to this question. A breach is the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of the information. Something compromises the security or privacy of PHI if it poses a significant risk of financial, reputational, or other harm to the individual. Thus, a covered entity may use and document a risk assessment to determine whether a breach will cause significant harm to the individual and require notification. In the absence of a sufficient risk of harm, a breach is not a breach under the rule. If the breach poses a significant risk of harm to the individual involved, the company must notify the individual of the breach. This notice must include, among other things, a brief description of what happened, the types of PHI involved, and any steps the individual should take. The notice must be given without unreasonable delay, and in any event within 60 days after the breach was discovered or should have been discovered. In some cases, the company may also have to notify the federal government and local media. Business associates must also notify their covered entities of any breach of PHI they become aware of. The breach notification requirement applies only to a breach of unsecured PHI. PHI is unsecured if it is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology (such as the use of approved forms of encryption) specified by the Secretary of Health and Human Services in its guidance. The Secretary's initial guidance is at http://edocket.access.gpo.gov/2009/pdf/E9-9512.pdf.

Breach notification is also not required for:
- the use or disclosure of a limited data set that excludes the individual's birth date and zip code
- certain inadvertent uses or disclosures of PHI that don't result in a violation of the Privacy Rule
- the inadvertent disclosure of PHI to someone who isn't likely to be able to retain it, for example, because it was mailed to the wrong address and returned by the Post Office unopened

Vendors of personal health records (PHR), and other PHR-related entities not covered by HIPAA, are also subject to breach notification requirements under the HITECH Act. These rules, issued by the Federal Trade Commission, are similar to those for HIPAA-covered entities, but there are some differences. For example, the non-HIPAA rule may require notification even if there's no evidence of a significant risk of harm from the breach. In any event, both the HIPAA and non-HIPAA notification rules are lengthy and complex. You should be sure to consult your company's law department or other designated party if you have any questions.

VIII. Administrative Requirements

The Privacy Rule imposes numerous administrative requirements on covered entities, which include the following.

A. Designating privacy personnel


Covered entities must designate a privacy official who has responsibility for the development and implementation of privacy policies and procedures. In addition, covered entities must designate a contact person. The contact person is responsible for receiving privacy-related complaints and providing information on the covered entity's privacy practices. The privacy official may serve as the contact person.

B. Training
A covered entity must train all members of its workforce on its policies and procedures with respect to PHI within a reasonable time after they join the entity's workforce. Retraining of all members of the workforce is required when a covered entity makes a material change to its privacy policies. Finally, covered entities must document that training has been provided.

C. Safeguards
Covered entities are also required to establish administrative, technical, and physical safeguards to protect PHI against any improper uses or disclosures. They must also reasonably safeguard PHI to limit incidental uses or disclosures that result from an otherwise permitted or required use or disclosure.

The HIPAA Security Rule, applicable to the same covered entities as the Privacy Rule, provides more detail with respect to electronic PHI.

Example 48: A covered pharmaceutical company must, under the Privacy Rule, safeguard PHI against improper or inadvertent uses or disclosures. It may, for example, decide to shred documents, require that doors to medical records departments remain locked, and limit personnel in restricted document areas.

D. Complaint process
A covered entity must provide a process that individuals can use to file complaints concerning the entity's policies and procedures related to PHI, or its compliance with those policies and procedures or with the Privacy Rule. All complaints concerning the improper use or disclosure of PHI, as well as the final resolution of complaints, must be documented.

E. Sanctions
Under the Privacy Rule, a covered entity must develop and enforce sanctions against its employees who fail to follow its policies and procedures related to PHI or who violate the rule. Additionally, the Privacy Rule requires a covered entity to mitigate, to the extent possible, any harmful effect it knows of that has resulted from its or its business associate's use or disclosure of PHI that is in violation of its policies and procedures or of the Privacy Rule.

F. Intimidating and retaliatory acts


The Privacy Rule prohibits retaliation against patients or any other person who files a complaint with HHS. It prohibits retaliation against individuals for testifying, assisting, or participating in certain investigations, compliance reviews, proceedings, and hearings under the Administrative Simplification provisions of HIPAA. Retaliatory acts are prohibited against anyone opposing any act or practice made unlawful by the Privacy Rule, as long as the person has a good-faith belief that the opposed practice is unlawful and the manner of opposition is reasonable and does not involve an unauthorized disclosure of PHI. HHS also prohibits retaliatory actions against patients who exercise any right granted by the Privacy Rule, including the right to file a complaint with the covered entity.

G. Waiver of rights
A covered entity may not require individuals to waive their rights to file a complaint with HHS or their other rights under certain sections of the Privacy Rule as a condition of providing treatment, payment, enrollment in a health plan, or eligibility for benefits.

H. Policies and procedures

A covered entity must implement policies and procedures with respect to PHI that are reasonably designed to comply with the standards, implementation specifications, and other requirements of the Privacy Rule, taking into account the size of the covered entity and the nature of the activities undertaken by it that relate to PHI. However, the policies and procedures may not be interpreted to permit or excuse any action that violates the Privacy Rule. Where the covered entity has stated in its notice that it reserves the right to change information practices, the new practice may be applied to information created or collected before its effective date. The Privacy Rule also sets forth the conditions for making changes if the covered entity has not reserved the right to change its practices. Covered entities are required to modify their policies and procedures in a prompt manner to comply with changes in relevant law. Entities are also required to change the notice where the change also affects the practices stated in it. These requirements, however, may not be used by a covered entity to excuse a failure to comply with applicable law. The Privacy Rule also requires that the policies and procedures be maintained in writing, and that any other required communication, action, activity, or designation that must be documented in writing be maintained. The Privacy Rule states that covered entities must retain any required documentation for at least six years (the statute of limitations period for the civil penalties) from the date of its creation or the date when the document was last in effect, whichever is later. HHS notes that this approach is consistent with the one recommended by the Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance.

I. Exception for certain group health plans


A group health plan that provides benefits solely through an insurance contract with an HMO issuer or an HMO, and that does not create, receive, or maintain PHI other than summary health information or information regarding enrollment and disenrollment, is not subject to the administrative requirements discussed above except for documentation retention requirements relating to plan documents.

IX. Use of PHI Collected or Created Prior to April 14, 2003


Pursuant to an authorization or other express legal permission obtained prior to April 14, 2003, a covered entity may use or disclose PHI created or received prior to the compliance deadline of April 14, 2003, assuming the authorization explicitly permits the use or disclosure and there is no agreed-upon restriction. In addition, a covered entity may use or disclose, for a specific research study, PHI that is created or received either before or after the compliance date (as long as there's no agreed-upon restriction) if the entity has obtained, before the compliance date, an authorization or other express legal permission from a patient to use or disclose PHI for the research study, informed consent to participate in the research, or an IRB waiver of informed consent for the research. Note that uses or disclosures of individually identifiable health information made prior to the compliance date aren't subject to sanctions, even if they were made according to documents or permissions that don't meet the requirements of this rule or were made without permission. The Privacy Rule impacts only the future effectiveness of the previously obtained consents, authorizations, or permissions.

X. Relationship to State Laws


Any state law that is contrary to the federal requirements established under the Administrative Simplification provisions of HIPAA, including the provisions on privacy, is preempted. However, there are several exceptions to this, where a conflicting state law would nevertheless apply instead of the federal requirements. First, there is an exception when HHS determines that a state law is necessary for any one of the following purposes:
- to prevent fraud and abuse related to the provision of or payment for healthcare
- to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation
- for state reporting on healthcare costs
- for other purposes serving a compelling need related to public health, safety, or welfare, and, if a standard, requirement, or implementation specification is at issue, if HHS determines that the intrusion into privacy is warranted when balanced against the need to be served

Second, there is an exception for state laws that regulate the manufacture, registration, distribution, dispensing, or other control of controlled substances. Third, there is an exception for state laws that require the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention. Fourth, there is an exception for state laws that require a health plan to report or provide access to information for the purpose of management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification.

Example 49: A state law requires a provider to disclose data about certain contagious diseases to a public health agency. This law would not be preempted under the Privacy Rule because of the exception for state laws that require data reporting.

Finally, the Privacy Rule provides that if a state law relates to the privacy of health information and is more stringent than the federal requirements, it is not preempted. In this way, the Privacy Rule creates a floor of federal privacy protection and is not intended to supersede other applicable law that provides greater protection to the confidentiality of health information.

B. When is a provision of state law contrary to an analogous federal requirement?


Under the Privacy Rule, a state law is contrary to a federal privacy requirement when (1) a covered entity would find it impossible to comply with both the state and federal requirements or (2) the provision of state law stands as an obstacle to the accomplishment and execution of the purposes and objectives of the Administrative Simplification provisions, including the Privacy Rule.

Example 50: A state law requires patient permission to disclose health information for research purposes. This state law would not be preempted by the Privacy Rule even though the rule allows for disclosures of PHI for research purposes without patient permission in some circumstances, because the law is not contrary to the Privacy Rule. Providers can comply with both laws by securing patient permission.

Example 51: A state law does not allow patients access to their medical records, while HIPAA would require access to be given. Because a provider cannot follow both laws, the state law is contrary to HIPAA and therefore preempted by HIPAA. This means the provider must follow HIPAA, the federal law, rather than the state law.

C. What qualifies as state law?


State law, as defined by the Privacy Rule, means a constitution, statute, regulation, rule, common law, or other state action having the force and effect of law.

D. When does a state law relate to the privacy of health information?


A state law relates to the privacy of health information if it has the specific purpose of protecting the privacy of health information or affects it in a direct, clear, and substantial way.

E. When is a state law more stringent than a federal requirement?


In general, "more stringent" means providing greater privacy protection. A state law is more stringent than federal law if it establishes greater limitations on disclosures, creates more individual rights with respect to PHI, or provides patients greater access to their PHI than the federal law does.

F. Administrative determinations
The Privacy Rule sets forth a process under which a state or individual may submit a written request to HHS to make a determination under the first preemption exception discussed above. Exception determinations are effective until either the underlying federal or state laws materially change or the exception is revoked by HHS, based on a determination that the grounds supporting the exception no longer exist.

XI. Enforcement and Penalties

Under HIPAA, the penalties for violating the Privacy Rule are severe. The penalties were increased by the HITECH Act and now apply to business associates as well as covered entities. Depending on the nature of the violation:
- a civil penalty ranging from $100 to $50,000 per person per violation, and up to $1.5 million per person for violations of a single standard in one year
- a criminal fine of not more than $50,000 and/or imprisonment of not more than one year for wrongful disclosure of PHI
- a criminal fine of not more than $100,000 and/or imprisonment of not more than five years if the disclosure is under false pretenses, for example, when a person lies about his identity
- a criminal fine of not more than $250,000 and/or imprisonment of not more than ten years if a person intends to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm

In addition, states can sue to stop HIPAA violations and recover damages on their residents' behalf.

CONFIDENTIALITY UNDER HIPAA: PATIENT RIGHTS


INTRODUCTION
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the healthcare industry to adopt, among other things, national standards for electronic healthcare transactions, unique health identifiers, and security. These rules are collectively known as the Administrative Simplification provisions. An important part of the Administrative Simplification provisions is the Privacy Rule. The Privacy Rule establishes comprehensive privacy standards for protected health information (PHI) that individuals and organizations involved in healthcare delivery or payment for healthcare services must follow. Separate HIPAA rules address security requirements for electronic PHI. The Privacy Rule covers all PHI: electronic, written, or oral. As we'll explain in this handbook, the HIPAA Privacy Rule applies to many individuals and entities that store or transmit PHI. This handbook will help you understand HIPAA's privacy requirements. Following an introductory discussion of the individuals, organizations, and PHI subject to the Privacy Rule, we will address the range of proper and improper uses and disclosures of PHI under HIPAA. This latter discussion will encompass uses and disclosures of PHI that require patient permission and those that do not. We will also cover other HIPAA privacy requirements, including privacy notices, access and correction rights, and administrative requirements. We will discuss HIPAA's impact on state laws that protect the confidentiality of healthcare information. Finally, we'll review the legal penalties and sanctions for failing to comply with HIPAA. This handbook provides a general overview of the HIPAA Privacy Rule. It does not provide legal advice or guidance regarding how you should act in a particular situation that involves the use or disclosure of patient information. HIPAA is a complex law subject to subtleties and nuances that cannot be completely covered in a treatment of this kind.
Always consult your internal management and law department about any questions or concerns you have about the use or disclosure of patient information. Some changes to the law were made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law No: 111-5). These changes will be discussed as appropriate. The changes have variable effective dates, and most await guidance or regulations from the Department of Health and Human Services. Some provisions (e.g., breach notification) are already effective. Interpretations of new provisions are tentative until the Department of Health and Human Services (HHS) issues definitive guidance.

INDIVIDUALS AND ORGANIZATIONS


I. Patients
The Privacy Rule protects the confidentiality of certain types of health information known as protected health information (PHI). HIPAA gives individuals a bundle of privacy rights. The rule uses the term individual to refer to those who have privacy rights. Often, individual means patient. However, those covered by health insurance also have HIPAA privacy rights, and they are not patients in that context. That's why the term individual is used formally, but for present purposes, the terms individual and patient are interchangeable.

Example 1: John is admitted to Mercy Hospital for an appendectomy. The Privacy Rule protects the confidentiality of his PHI and gives him certain rights with respect to this health information.

Sometimes, as a result of age or legal incompetence, a patient cannot exercise his or her own privacy rights. In this situation, a personal representative, such as a parent, legal guardian, or other authorized person, may act on the patient's behalf and exercise the patient's privacy rights under HIPAA. If a personal representative is authorized generally to make healthcare decisions, then the personal representative may have access to the individual's protected health information regarding healthcare. If the personal representative's authority for healthcare decisions is limited, then the representative's access is similarly limited.

Example 2: Miriam has been diagnosed with Alzheimer's disease, a condition that prevents her from understanding her treatment and communicating with her healthcare providers. Miriam's son, Wayne, has been appointed as her legal guardian. As her personal representative, Wayne may exercise Miriam's privacy rights on her behalf.

Healthcare providers and organizations subject to the Privacy Rule generally must treat a personal representative as the patient's surrogate decision maker. However, if the healthcare provider reasonably determines, using professional judgment, that it is not in a patient's best interest to treat an individual as a personal representative and reasonably believes the individual has abused or will endanger the patient, it may refuse to accept the personal representative's decision-making authority.

For a minor (as defined by state law and typically under 18 years old), a parent or legal guardian may generally have access to PHI about the minor, as the minor's personal representative, when such access is not inconsistent with state or other law. In three situations, the parent or guardian would not be the minor's personal representative: 1) when the minor consents to care and the consent of others is not required under state or other applicable law; 2) when the minor obtains care at the direction of a court; or 3) when, and to the extent that, the parent or guardian agrees that the minor and the healthcare provider may have a confidential relationship. Even in these situations, however, the parent or guardian may have access to the minor's PHI when state or other applicable law requires or permits the access; access must be denied when the law prohibits it. When the law is silent, a healthcare provider may exercise professional judgment, to the extent allowed by law, to grant or deny a parent or guardian access to the minor's PHI. The Privacy Rule applies to PHI about deceased individuals for as long as a healthcare provider or organization maintains this information. Decisions regarding the privacy rights of deceased individuals are left to their personal representatives.

II. Covered Entities and Business Associates


The Privacy Rule's legal requirements apply to covered entities and business associates. We explain each of these terms below.

A. Covered entities

The Privacy Rule defines covered entities to include certain healthcare providers, as well as all health plans and healthcare clearinghouses.

1. Healthcare providers

A healthcare provider is an individual or organization that is recognized by Medicare as a provider, or any other individual or organization that provides, bills, or is paid for healthcare services in the normal course of business. Healthcare providers include hospitals, skilled nursing facilities, home health agencies, physicians, outpatient facilities, clinical laboratories, pharmacies, medical equipment suppliers, and other licensed/certified healthcare professionals. The Privacy Rule applies only to healthcare providers that electronically transmit PHI in connection with specified healthcare transactions. Fax transmissions are not electronic transmissions under the rule. Transactions that trigger the Privacy Rule's requirements include:
- healthcare claims (including attachments) and status reports
- payment and remittance advice
- determination of eligibility for health plan benefits
- referral certifications and authorizations
- first reports of injury
- health plan enrollment, disenrollment, eligibility for health plan coverage, and premium payments
- coordination of health benefits

Example 3: Mercy Hospital's billing office submits all claim forms to private health insurance companies through a secured Internet connection. The Privacy Rule applies to Mercy Hospital.

Example 4: Dr. Lomax, a primary care physician, refers a patient to Dr. Small, a neurosurgeon. In connection with the referral, Dr. Lomax sends an e-mail message to Dr. Small explaining the patient's current condition and need for a specialist evaluation. That e-mail is not one of the standard electronic transactions that, by itself, triggers the Privacy Rule. Therefore, unless Dr. Lomax electronically performs any of the transactions listed above, the Privacy Rule does not apply to Dr. Lomax. If Dr. Lomax is an otherwise covered healthcare provider, however, the Privacy Rule applies to the e-mail message in his possession.

Healthcare providers that do not themselves electronically transmit PHI in connection with these transactions are still covered entities if others perform these transactions and transmit PHI on their behalf.

Example 5: Dr. Ransom, a physician in private practice, keeps all his patients' medical records in file cabinets in his office. His staff uses computers only for scheduling. All health insurance claims for payment are submitted on paper claim forms. Dr. Ransom does not have to comply with the Privacy Rule because he does not electronically transmit PHI in connection with any of the transactions.

Example 6: Convenient Care is a primary care clinic that does not electronically transmit PHI. Convenient Care recently hired an independent billing company, Fast Pay, to handle its payment claims. Fast Pay submits Convenient Care's bills in electronic form. Under these circumstances, the Privacy Rule applies to Convenient Care because Fast Pay is transmitting PHI on Convenient Care's behalf.

2. Health plans
The Privacy Rule applies to health plans. A health plan is an organization that provides and/or pays the cost of medical care. Health plans include health insurance companies, group health plans (such as those offered through an individual's employment), and health maintenance organizations (HMOs). Health plans also include government-administered programs such as Medicare, Medicaid, Department of Veterans Affairs (VA) programs, and TRICARE (Department of Defense) programs. For purposes of the Privacy Rule, health plans do not include workers' compensation or automobile, life, property, and casualty insurers. Health plans also do not include government-funded programs whose primary purpose is not rendering or paying for healthcare services, even if such a program incidentally provides or pays for some healthcare services.

3. Healthcare clearinghouses
The Privacy Rule applies to healthcare clearinghouses: public or private entities that process, or facilitate the processing of, healthcare transactions. The most common type of healthcare clearinghouse is a billing company. Healthcare clearinghouses receive PHI from one source, such as a healthcare provider, convert it into a standard format, and transmit the information to another entity, such as a health insurance company, that pays for the healthcare services. Healthcare clearinghouses can also perform the reverse function by converting and transmitting PHI from insurers to healthcare providers.

Health plans or healthcare providers that perform these functions are not considered healthcare clearinghouses unless they also perform them for other, unaffiliated organizations.

Example 7: Health Claims Consultants, an independent billing company, processes and submits health insurance claims to health insurance companies on behalf of physicians. In this capacity, Health Claims is a healthcare clearinghouse that is subject to the Privacy Rule because it puts PHI into a standard format and submits the claims to a payor.

4. Other types of covered entities


In addition to certain healthcare providers, health plans, and healthcare clearinghouses, the Privacy Rule applies to other types of organizations, including affiliated entities, hybrid entities, and organized healthcare arrangements.

i. Affiliated covered entities


Affiliated covered entities are two or more legally separate healthcare organizations under common ownership or common control. Common ownership exists if one entity holds an ownership or equity interest of at least 5% in another entity. Common control exists if an entity has the direct or indirect power to significantly influence or direct the actions or policies of another entity. The Privacy Rule permits affiliated covered entities to formally designate themselves as a single covered entity for purposes of complying with the Privacy Rule. Subject to certain requirements, affiliated entities may then share PHI between themselves as if they were a single covered entity. The entities must maintain a written or electronic record of their designation as affiliated covered entities for six years from the later of the date the documentation was created or the date it was last in effect.

Example 8: Hospitals, Incorporated owns and operates a chain of acute care hospitals. Each hospital in the chain is an affiliated covered entity with respect to the other hospitals in the chain. Hospitals, Incorporated's CEO issues a written order to senior management at all affiliated hospitals to treat the hospitals as one organization for purposes of the Privacy Rule. This formal designation as a single covered entity will generally permit the affiliated hospitals to use and disclose PHI among themselves, subject to meeting additional requirements under the Privacy Rule.

Example 9: Integrated Care is a comprehensive healthcare system that operates hospitals, skilled nursing homes, a clinical laboratory, several home health agencies, and a medical equipment supply company. If Integrated Care designates all of its healthcare companies as a single covered entity, the component companies may use and disclose PHI among themselves, subject to meeting additional requirements under the Privacy Rule.

ii. Hybrid entities
Hybrid entities are organizations that engage in non-healthcare activities but also act as a health plan, healthcare clearinghouse, or healthcare provider. They include nonhealthcare organizations, such as insurance companies, that offer health insurance plans in addition to other lines of business, and companies operating onsite health clinics that conduct standard transactions covered by the Privacy Rule. Within a hybrid entity, the designated healthcare components are covered by the Privacy Rule. Although the Privacy Rule applies only to the healthcare components, the entity as a whole must prevent disclosure of PHI to its nonhealthcare divisions. Hybrid entities must use safeguards, such as firewalls or other information barriers, to prevent unauthorized access to, or disclosure of, PHI by the nonhealthcare components.

Example 10: ABC Drug Store offers items commonly found at drugstores such as greeting cards, home products, snacks, and cosmetics. It also has a pharmacy, which files electronic claims. Because the drugstore has a pharmacy that files electronic healthcare claims, it may elect to be treated as a hybrid entity. If it does, the Privacy Rule will apply only to the pharmacy and not to the other operations of the store.

Example 11: Large Corporation establishes an onsite health clinic that files electronic healthcare claims. Because Large Corporation is primarily a non-healthcare business that also provides limited healthcare services, it can be a hybrid entity, with the Privacy Rule applying only to the onsite health clinic and not to other company activities.

Hybrid entities are permitted to include in their healthcare components other components that engage in activities that would make them business associates of the organization's healthcare units if those components were separate entities (for example, an in-house legal or information technology department that handles PHI for the clinic). If the hybrid entity chooses not to do this, the healthcare components are generally required to obtain individual authorizations before disclosing PHI to a nonhealthcare component.

iii. Organized healthcare arrangements

An organized healthcare arrangement (OHCA) may be formed between or among legally separate covered entities that integrate their clinical or administrative operations. OHCAs differ from affiliated covered entities in that they are separate covered entities that are not necessarily related to one another through common ownership or control. A common example of an OHCA is a healthcare system that includes different types of healthcare providers, such as a hospital, its medical staff, an ambulatory surgery center, and so on.

iv. Disclosures by group health plans to employers


A number of special rules govern the disclosure of PHI by health plans to plan sponsors. Plan sponsors are typically employers that offer health benefits to their employees. Neither employers nor other group health plan sponsors are defined as covered entities under HIPAA. In general, health plan documents must be revised to establish the permitted and required uses of PHI by plan sponsors, to appropriately restrict their use of the PHI, and to include other requirements. The PHI that may be shared includes PHI in summary form.

Example 12: ABC Manufacturing provides health benefits to its employees through a group health plan. The plan documents identify the specific covered benefits for ABC employees and further state that the health plan will share PHI with ABC only as necessary for plan administration purposes. Because the plan documents fail to require ABC to report to the group health plan any use or disclosure that is inconsistent with the documents, they probably do not satisfy the Privacy Rule.

A plan sponsor that receives PHI from a health plan must build firewalls or other information barriers that prevent the use of PHI by, or disclosure of PHI to, anyone not involved in the administration of health benefits. Plan sponsors are expressly prohibited from using PHI for employment-related purposes such as hiring, termination, and discipline.

B. Business associates
Business associates are individuals or organizations that perform services or functions for a covered entity or that provide legal, accounting, management, consulting, accreditation, financial, and other operational services to covered entities that involve the use or disclosure of PHI. Business associates also perform many different functions such as claims processing and administration, billing, quality assurance, operations management, and data analysis on behalf of covered entities.

Sometimes, covered entities act as business associates with respect to each other. The Privacy Rule generally permits covered entities to share PHI with business associates (subject to the "minimum necessary" rule, discussed later) and allows business associates to use or disclose PHI for certain purposes.

Example 13: County Hospital hires Quality Associates to help it become an accredited hospital. As part of the accreditation process, County Hospital discloses PHI to Quality Associates. Because Quality Associates receives PHI to provide this service, it is a business associate of County Hospital.

Example 14: Golden Years Nursing Home contracts with Global Health Insurance to become a provider in Global's network. Golden Years discloses PHI to Global for payment of claims. While Golden Years and Global are both covered entities, they are not business associates with respect to each other because they are not performing services for each other. Instead, each is performing functions on its own behalf.

The term "business associate" does not include employees or volunteers of a covered entity. Additionally, a covered entity does not have to have a business associate contract with the providers to whom it discloses PHI for treatment purposes.

Example 15: Dr. Burnett, a physician in private practice, has staff privileges to admit patients to Commonwealth Hospital. Commonwealth discloses PHI to Dr. Burnett for treatment of patients at the hospital. In this situation, Dr. Burnett and Commonwealth Hospital are not business associates with respect to each other.

Just because two covered entities participate in an organized healthcare arrangement does not mean they are business associates of one another. Covered entities that participate in an organized healthcare arrangement are permitted to share protected health information for the joint healthcare activities of the arrangement without entering into business associate contracts with each other.

1. Requirements of business associate relationships


To share PHI with a business associate, a covered entity must obtain satisfactory assurance that the business associate will comply with the Privacy Rule. Obtaining this assurance requires covered entities to enter into contracts with their business associates that establish the permitted uses and disclosures of PHI and that meet other requirements. These business associate contracts must prohibit business associates from using or disclosing PHI in any way that violates the Privacy Rule or the contract itself. The contracts must also provide that the business associate will

- use safeguards to prevent the improper use or disclosure of PHI
- report unauthorized uses or disclosures of PHI to the covered entity
- require compliance with the terms of the business associate contract by any companies hired by the business associate to assist it in performing functions for the covered entity
- make PHI available in accordance with the patient access rule
- make PHI available for amendment, accounting, and audit purposes
- return or destroy all PHI on termination of the business associate contract, if feasible

Business associate contracts must give the covered entity the right to terminate the contract if the business associate violates a material term of the agreement. A covered entity can be held responsible if it learns of a material breach by a business associate and does nothing to cure it.

Example 16: Physician Associates hires Claims Professionals, an independent billing company, to process all of its private health insurance claims. The contract between the two companies gives Claims Professionals the right to terminate the relationship if Physician Associates fails to pay it on time. Physician Associates, on the other hand, does not have the right to terminate the agreement. This business associate contract does not satisfy the Privacy Rule because it does not provide that Physician Associates may terminate the agreement if Claims Professionals fails to appropriately use or disclose PHI or otherwise comply with privacy requirements.

2. Liability for the acts of business associates


A covered entity may fail to meet its Privacy Rule obligations if it knows about privacy violations by a business associate and fails to take reasonable steps to correct them. While a covered entity does not have to actively monitor its business associates' activities, it must investigate if it learns of possible wrongdoing.

Example 17: State Hospital hires Care Improvements to monitor the quality of medical care provided to its emergency room patients. Care Improvements decides to sell the names, addresses, and diagnoses of State Hospital's patients to a telemarketing company. If State Hospital does not know that Care Improvements is selling PHI, it probably cannot be held responsible for the Privacy Rule violation. If State Hospital learns of Care Improvements' improper conduct, however, it must take reasonable steps to correct the problem, such as stopping the sale and trying to recover the sold data.

If the covered entity cannot, through reasonable efforts, correct the business associate's violation of the Privacy Rule, it must terminate the business associate contract. If terminating the contract is not possible or would cause significant hardship to the covered entity, it must report the violation to the U.S. Department of Health and Human Services (HHS).

Example 18: Clinton Hospital contracts with Auto Audit to have its billing records audited. One day, Clinton's CEO learns that Auto Audit is improperly selling confidential patient information to a pharmaceutical company. Clinton Hospital must require Auto Audit to immediately stop selling patient information and take reasonable steps to fix any damage caused by the improper disclosures. If Auto Audit refuses, Clinton must either terminate the business associate contract or, if that would irreparably harm Clinton's operations, report Auto Audit to HHS.

3. Business Associate Changes in HITECH


HITECH expanded the definition of business associate to include entities that transmit PHI to a covered entity or its business associate and that need access to the PHI on a routine basis. These include, for example, health information exchange organizations, regional health information organizations, and e-prescribing gateways. The expanded definition also includes vendors that provide personal health record systems to covered entities. HITECH also makes business associates directly subject to HIPAA's security requirements, including those relating to policies and procedures, risk assessment and management, employee training, and access controls. As a result, business associates are directly subject to enforcement of those standards by HHS. The HITECH Act made changes in the privacy area as well. Not only did it add to and expand HIPAA's privacy requirements, but it made business associates legally responsible for complying with them, including existing and new requirements relating to

- breach notification
- the disclosure of PHI when the patient has paid for the related medical item or service out of pocket
- the minimum necessary rule
- the need to inform patients of prior disclosures of their PHI
- the sale or marketing of PHI
- the right of patients to access their PHI in electronic form

This means that while business associates had previously been only contractually bound to comply with the privacy rules, they can now be held directly accountable under HIPAA's expanded civil remedies and criminal penalties if they do not comply.


Nevertheless, business associate contracts are still required. In addition, a business associate that knows that a covered entity is violating the Privacy Rule must take reasonable action to end the violation.

PROTECTED HEALTH INFORMATION (PHI)


The Privacy Rule applies to the use and disclosure of PHI by covered entities and business associates. PHI is defined as individually identifiable health information that is transmitted or maintained by a covered entity in any format. At a minimum, this includes all oral, computer-based, and paper-based patient health information.

I. Individually Identifiable Health Information


Individually identifiable health information is any information, including genetic information, that is created or received by a covered entity or an employer, that identifies the patient (or can be used to identify the patient who is the subject of the information), and that relates to one of the following:

- the past, present, or future physical or mental health or condition of an individual
- the provision of healthcare to an individual
- the past, present, or future payment for healthcare provided to an individual

PHI does not include individually identifiable health information found in certain education records and records of students held by certain educational institutions. Nor does it include individually identifiable health information in employment records.

Example 19: Dr. Griffey treats Samantha for a skin condition. Samantha's medical record, which documents all care and services provided by Dr. Griffey, contains individually identifiable health information that is protected under the Privacy Rule.

Example 20: City College has educational records that refer to a student's learning disability and the treatment she received. Regardless of the information contained in these records, they do not qualify as individually identifiable health information protected under the Privacy Rule.

II. De-identified Information and Limited Data Sets


Covered entities and business associates may de-identify PHI by removing all individually identifiable information. (Replacing an identifier with an encrypted or hashed version of itself is not removal: a re-identification code may be retained only if it is not derived from information about the individual and cannot be translated back to identify the individual.) Properly de-identified PHI is not subject to the Privacy Rule. If de-identified information is subsequently re-identified, however, it reacquires the Privacy Rule's protections. There are two ways that a covered entity can determine that PHI is not individually identifiable and therefore properly de-identified. The first is for the covered entity or business associate to remove all identifying characteristics, including (but not limited to)

- names
- addresses (except the state and the first three zip code digits)
- dates (except the year)
- social security numbers and other identification numbers
- medical record numbers
- telephone, fax, and Internet Protocol (IP) address numbers
- e-mail and other Internet addresses
- health insurance numbers
- biometrics, including photographs
- any other form of unique identifier

Age in years, gender, race, ethnicity, and marital status are generally not individually identifiable by themselves. However, if enough nonidentifying elements are combined, the result may be identifiable: the intersection of a few such attributes can narrow a record to a handful of people, particularly in a small population. Use caution and seek advice before releasing any PHI that might appear to be nonidentifiable.

Example 21: Dr. Quinn, a physician in private practice, asks her office manager to de-identify a patient's medical record in order to submit certain information to a pharmaceutical company. The office manager removes all information she thinks could identify the patient and leaves the patient's gender, age, and marital status in the chart. In addition, the office manager leaves the patient's photograph in the file because the picture does not contain her name or any other identifying information. Because photographs can be used to identify an individual, the office manager failed to properly de-identify this medical record.

The second way that a covered entity can determine that PHI is not individually identifiable is for a qualified statistician to examine the PHI and determine that the risk of re-identification is very small, documenting the methods and results of that analysis.

Additionally, the Privacy Rule allows a covered entity to use or disclose a limited data set for research, public health, and healthcare operations purposes. A limited data set does not include directly identifiable information, but certain identifiers, such as admission, discharge, and service dates, date of death, age, and five-digit zip code, may remain. Before a covered entity may disclose a limited data set, it must obtain a data-use or similar agreement from the entity that receives the data. In the agreement, the recipient must promise to limit its use of the data to the original reasons for the disclosure and not to attempt to re-identify the information or use it to contact the subject of the information.

The specific rules governing the de-identification of PHI are detailed and complex. If you have any questions or concerns about this subject, please consult your company's internal management or law department.
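The identifier list and the limited-data-set description above, applied in code, as an added example that is not part of the handbook: the first function implements the removal-based method (year-only dates, three-digit zip prefixes, everything else on the list dropped), the second produces a limited data set. The record layout, the field names and the sample values are assumptions made for the illustration. Both functions keep only an explicit allow-list of fields, so an unlisted field (the rule's "any other form of unique identifier") is dropped by default rather than passed through.

```python
"""Safe Harbor de-identification and limited data set creation.

Added example; the record layout and field names are assumptions, not a
standard. Sample values are constructed for the example.
"""
import re
from datetime import date

# Constructed sample record (every value here is made up for this example).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "address": {"street": "12 Elm St", "city": "Springfield",
                "state": "IL", "zip": "62704-1234"},
    "birth_date": "1931-04-17",
    "admission_date": "2012-06-03",
    "discharge_date": "2012-06-09",
    "ssn": "123-45-6789",
    "mrn": "MRN-00042",
    "phone": "217-555-0100",
    "email": "jane@example.com",
    "ip_address": "203.0.113.7",
    "health_plan_id": "HP-998877",
    "photo": b"\xff\xd8\xff\xe0",      # a photograph is an identifier (Example 21)
    "gender": "F",
    "marital_status": "widowed",
    "diagnosis": "contact dermatitis",
}

# Fields the handbook treats as not identifying by themselves, plus clinical
# content. Anything not listed here, not a date field and not the address is
# dropped: default deny implements "any other form of unique identifier".
NON_IDENTIFYING = {"gender", "race", "ethnicity", "marital_status", "diagnosis"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def _age_on(birth_iso, as_of):
    """Whole years between an ISO birth date and the reference date."""
    y, m, d = (int(x) for x in ISO_DATE.match(birth_iso).groups())
    return as_of.year - y - ((as_of.month, as_of.day) < (m, d))


def safe_harbor_deidentify(record, as_of=date(2013, 1, 1)):
    """Return a copy of `record` with the listed identifiers removed or truncated."""
    out = {}
    for field, value in record.items():
        if field in DATE_FIELDS:
            m = ISO_DATE.match(value)
            if not m:
                raise ValueError(f"{field}: expected YYYY-MM-DD, got {value!r}")
            out[field] = m.group(1)            # year only
        elif field == "address":
            out["state"] = value["state"]
            # First three zip digits only. The regulation (45 CFR 164.514(b))
            # further requires 000 where the three-digit area holds 20,000
            # people or fewer; that needs a census table and is not done here.
            out["zip3"] = value["zip"][:3]
        elif field in NON_IDENTIFYING:
            out[field] = value
        # anything else (name, SSN, MRN, photo, unknown IDs) is dropped
    if "birth_date" in record:
        age = _age_on(record["birth_date"], as_of)
        if age >= 90:
            # 45 CFR 164.514(b): ages over 89, and any date element (including
            # the birth year) that reveals such an age, are aggregated to 90+.
            out["age"] = "90+"
            del out["birth_date"]
        else:
            out["age"] = age
    return out


def limited_data_set(record, data_use_agreement_signed):
    """Strip direct identifiers but keep full dates, city, state and 5-digit zip."""
    if not data_use_agreement_signed:
        raise PermissionError("a limited data set requires a data-use agreement")
    out = {}
    for field, value in record.items():
        if field == "address":
            out["city"], out["state"] = value["city"], value["state"]
            out["zip"] = value["zip"][:5]      # street address is a direct identifier
        elif field in NON_IDENTIFYING or field in DATE_FIELDS:
            out[field] = value
        # name, SSN, MRN, phone, e-mail, IP, plan number, photo: all dropped
    return out


if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD))
    print(limited_data_set(SAMPLE_RECORD, data_use_agreement_signed=True))
```

The allow-list design is the point: a deny-list of known identifiers would have passed the photograph through exactly as the office manager in Example 21 did, and would silently pass any new field a source system adds later. The handbook's warning about combining nonidentifying elements still applies to the output; the code reduces the record, it does not certify it.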

RESTRICTIONS ON USE AND DISCLOSURE OF PHI


I. General Restrictions
The Privacy Rule prohibits a covered entity and its business associates from using or disclosing a patient's PHI for any purpose, unless one of the following occurs:

- The patient signs a written authorization for the use or disclosure.
- The patient gives his or her agreement for the use or disclosure.
- The use or disclosure is permitted or required by the Privacy Rule without the patient's permission.

While this handbook addresses the key elements of, and exceptions to, the agreement and authorization requirements, it cannot cover every Privacy Rule detail. If you have any questions or concerns about the use or disclosure of PHI, you should immediately contact your company's internal management or law department.

II. The Minimum Necessary Requirement


Covered entities and business associates must limit most uses or disclosures of PHI to the minimum amount necessary to accomplish the purpose of the use or disclosure. This principle is known as the minimum necessary requirement.

A. Determining the minimum necessary amount


In determining what is the minimum necessary disclosure, a covered entity should first consider whether the purpose of the use, disclosure, or request can be accomplished with information that is not identifiable. If so, the covered entity should not use, disclose, or request PHI, unless one of the exceptions to the minimum necessary requirement discussed below applies. The HITECH Act made the use of nonidentifiable information the first choice: a use, disclosure, or request must be limited, to the extent practicable, to a limited data set as defined in the existing rule, and the minimum necessary standard applies only if the covered entity needs to make a use, disclosure, or request more extensive than a limited data set. In that case a broader, minimum necessary disclosure is allowable. The burden of making a minimum necessary disclosure falls on the disclosing entity, and the Secretary of Health and Human Services is required to issue additional guidance. This is a significant tightening of the minimum necessary rule.

Example 22: A researcher studies the gender composition of patients who use Carville Hospital's emergency room. The researcher asks the hospital to release summary medical information about all patients who received care in the emergency room over a five-year period. Because the purpose of the disclosure can be accomplished without revealing PHI, Carville should not disclose PHI to the researcher.

If the use or disclosure of PHI is needed, the amount used, disclosed, or requested must be the minimum necessary to accomplish the task at hand. Several rules help make this determination. First, a covered entity or business associate may not use, disclose, or request a patient's entire medical record unless the entire record is the minimum amount necessary to accomplish the purpose of the disclosure or request, and such a disclosure must be specifically justified as the minimum necessary.


Example 23: ABC-Accredit is a hospital accreditation organization. ABC asks Memorial Hospital to send patients' entire medical records for its accreditation review. Disclosure of an entire medical record for an accreditation purpose may be the minimum necessary for that purpose, so the disclosure is allowable provided Memorial specifically justifies and documents that conclusion.

Example 24: Health Associates, a physician practice, hires a consultant to help it improve its billing and claims processing. Health Associates delivers complete medical charts to the billing consultant for review. Because the consultant does not need entire charts to make its recommendations, delivering them violates the minimum necessary requirement.

Second, for disclosures and requests made on a routine or recurring basis, covered entities must implement policies and procedures that limit the PHI disclosed or requested to the minimum amount reasonably necessary to achieve the purpose of the disclosure. For nonroutine or nonrecurring disclosures and requests, covered entities must make the minimum necessary determination case by case.

Example 25: Day Surgery Center, an ambulatory care facility, routinely submits claims to health insurance companies for outpatient surgical procedures. For these routine or recurring disclosures, Day Surgery must establish policies and procedures that identify the minimum amount of PHI that must be included on claim forms in order to be paid for patient healthcare services.

Third, for uses of PHI, covered entities must implement policies and procedures that

- identify the members of the workforce who need access to PHI to do their jobs
- identify the types of PHI to which those people need access
- limit access to PHI to the people who need it to perform their jobs
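One way to express the third rule (who may access which types of PHI) as an enforceable policy, as an added example that is not from the handbook: a field-level filter keyed on the requester's workforce role and the purpose of the use. The record layout, the PHI categories, the roles and the sample values are all assumptions for the illustration. The filter also applies the treatment and patient-request exceptions that the handbook describes under Exceptions, and it refuses a whole-record request that carries no documented justification, since the handbook says an entire-record use must be specifically justified.

```python
"""Minimum-necessary access filter over a PHI record.

Added example. The record layout, PHI categories and role policy below are
assumptions for the illustration; sample values are constructed.
"""

# Constructed PHI record (every value is made up for this example).
PATIENT = {
    "name": "Jane Q. Sample",
    "birth_date": "1931-04-17",
    "address": "12 Elm St, Springfield, IL 62704",
    "health_plan_id": "HP-998877",
    "claim_codes": ["99213", "J30.1"],
    "diagnosis": "seasonal allergic rhinitis",
    "medications": ["loratadine 10 mg daily"],
    "progress_notes": "Symptoms improving; follow up in 6 weeks.",
}

# Assumed classification of record fields into PHI categories.
FIELD_CATEGORY = {
    "name": "demographics", "birth_date": "demographics", "address": "demographics",
    "health_plan_id": "insurance", "claim_codes": "billing",
    "diagnosis": "clinical", "medications": "clinical", "progress_notes": "clinical",
}

ENTIRE_RECORD = "entire_record"

# Assumed workforce policy: the categories each role needs to do its job
# (the handbook's third rule: who needs access, and to which types of PHI).
ROLE_POLICY = {
    "scheduler": {"demographics"},
    "billing_clerk": {"demographics", "insurance", "billing"},
    "quality_reviewer": {"clinical"},
    "nurse": {"demographics", "clinical"},
    "medical_records_auditor": ENTIRE_RECORD,
}

# Purposes for which the handbook says no minimum-necessary determination is
# required: treatment by a provider, and disclosure to the patient.
EXEMPT_PURPOSES = {"treatment", "patient_request"}


def minimum_necessary_view(record, role, purpose, justification=None):
    """Return the subset of `record` that `role` may see for `purpose`.

    Raises PermissionError for an unknown role, or for a whole-record
    request with no documented justification.
    """
    if purpose in EXEMPT_PURPOSES:
        return dict(record)
    allowed = ROLE_POLICY.get(role)
    if allowed is None:
        raise PermissionError(f"no minimum-necessary policy for role {role!r}")
    if allowed == ENTIRE_RECORD:
        if not justification:
            raise PermissionError("entire record requested without justification")
        return dict(record)
    # Fields missing from FIELD_CATEGORY have category None, which is never in
    # `allowed`: unclassified data is withheld, not released.
    return {f: v for f, v in record.items() if FIELD_CATEGORY.get(f) in allowed}


if __name__ == "__main__":
    print(minimum_necessary_view(PATIENT, "billing_clerk", "payment"))
    print(minimum_necessary_view(PATIENT, "quality_reviewer", "healthcare_operations"))
```

Two design choices carry the compliance point. The policy is written per role and per category rather than per request, which is what the handbook requires for routine, recurring uses; and the whole-record path is a distinct branch that demands a justification string, so the justification the rule requires is captured at the moment of access rather than reconstructed later.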

Additionally, the Privacy Rule permits incidental uses and disclosures of PHI that cannot reasonably be prevented, that are limited in nature, and that occur as a by-product of an otherwise permitted use or disclosure under the Privacy Rule, as long as the covered entity meets the minimum necessary requirement and takes reasonable safeguards to limit such uses and disclosures. For instance, if voices are kept appropriately low, a covered entity will not be held liable if an unauthorized person overhears a conversation about a patient's medical condition. Covered entities are also permitted to call out patient names in waiting rooms and to use bedside charts and X-ray light boards that may be visible to passersby.

B. Exceptions
In some cases, covered entities and business associates can use or disclose PHI without making a minimum necessary determination. The HITECH Act did not change these exceptions. For instance, the determination is not required when the PHI is used or disclosed by a healthcare provider in connection with treatment of a patient.

Example 26: Dr. Winfield, a primary care physician, refers a patient to a specialist for additional care. In making the referral, Dr. Winfield discusses the patient's current condition with the specialist and sends her the patient's medical records. In this situation, the Privacy Rule does not require Dr. Winfield to make a minimum necessary determination before disclosing the patient's PHI, because the PHI was disclosed in connection with the treatment of the patient who was the subject of the PHI.

Minimum necessary determinations are also not required when the disclosure is being made to the patient.

Example 27: Daryl, a medical student, is a patient at Memorial Hospital. He is interested in the care he is receiving and asks to see his medical records. Because this request involves disclosure to the patient who is the subject of the PHI, the hospital is not required to make a minimum necessary determination before releasing the information to Daryl.

Also, before the HITECH Act, a covered entity could rely, if reasonable, on the minimum necessary determination of the covered entity requesting the disclosure. The HITECH Act changed this rule: a disclosing entity must now determine for itself what constitutes the minimum amount of PHI necessary to accomplish the intended purpose of a disclosure.

Example 28: Mary, a patient at University Medical Center, is recovering from a heart attack. In determining whether she is eligible for an extended hospital stay, Mary's health insurance carrier asks University Medical to disclose certain information about her condition. To comply with the Privacy Rule, the health insurance company may request only the minimum amount of Mary's PHI needed to make this eligibility determination, but the medical center is responsible for ensuring that the information it discloses is the minimum amount necessary.

Minimum necessary determinations are not required for disclosures to HHS for determining HIPAA compliance or for disclosures to other government agencies that are required by law.

III. Uses and Disclosures for Treatment, Payment, and Healthcare Operations Purposes

A. General information
Covered entities may use or disclose PHI for treatment, payment, and healthcare operations purposes without patient permission, unless state or other law provides otherwise. However, except in emergency situations, covered healthcare providers with direct treatment relationships are required to make a good-faith effort to obtain a patient's written acknowledgment of receipt of the provider's notice of privacy practices no later than the time of first service delivery. A direct treatment relationship exists when a healthcare provider provides services directly to the patient. If a direct treatment provider is unable to obtain such an acknowledgment, it must document its good-faith efforts to do so. Indirect treatment providers are not required to obtain this acknowledgment, but may do so if they choose. An indirect treatment relationship exists when a healthcare provider provides services to the patient only through another provider who ordered the services. Examples of indirect treatment providers include pathologists, radiologists, and specialists who consult with a patient's treating physician. The specific requirements related to the content of the notice of privacy practices are discussed later in this handbook. Health plans must provide the notice at the time of enrollment and, at least once every three years thereafter, must remind enrollees that the notice is available and how to obtain it; health plans need not obtain an acknowledgment.

The acknowledgment does not have to take a specific form. It may be as simple as the patient's initials on a cover sheet to the provider's privacy notice or a signature on a list or form. The acknowledgment must be in writing, although electronic signatures are permissible. Providers faced with patients who refuse to sign or return the acknowledgment may demonstrate good faith by documenting their efforts, and the reasons for failure, in the patient's record.

Example 29: Dr. Maddux, a geriatrician, refers an elderly patient to a skilled nursing facility. Dr. Maddux and the skilled nursing facility each provide healthcare services to the patient during her stay, so both have direct treatment relationships with her. As a result, both are free to use and disclose PHI about the patient for treatment, payment, and healthcare operations without her permission, unless state or other law requires her permission. However, each must make a good-faith effort to obtain the patient's written acknowledgment that she received its notice of privacy practices no later than the time of first service delivery.

B. Treatment, payment, and management of healthcare operations


Let's take a closer look at some of the terms we first discussed in connection with the Privacy Rule's application to direct treatment relationships. Treatment includes
- providing, coordinating, or managing healthcare and related services
- consultations between healthcare providers relating to a patient
- patient referrals between healthcare providers

Payment includes (but is not limited to) all billing, claims management, reimbursement, and collection activities conducted by, or on behalf of, the covered entity. Payment also includes activities by health plans with respect to premium and benefit payments as well as to eligibility and coverage determinations.

Healthcare operations include activities related to the covered entity's primary function as a healthcare provider, health plan, or healthcare clearinghouse. Healthcare operations include (but are not limited to)
- quality assessment and improvement activities
- accreditation, certification, licensing, or credentialing activities
- insurance premium rating and other insurance underwriting activities
- legal, accounting, and audit services
- business planning and development activities
- general management, compliance, and administrative activities

A covered entity may use or disclose PHI for its own treatment, payment, or healthcare operations. A covered entity may release PHI to any healthcare provider for any treatment activities. It may also release PHI to a provider or covered health plan for the recipient's use for payment purposes. A covered entity may also disclose PHI to another covered entity for certain healthcare operations purposes of the receiving entity, including conducting quality assessment and improvement activities, carrying out population-based analyses related to improving health, reviewing the competence of healthcare providers, and trying to detect healthcare fraud and abuse. However, these disclosures for healthcare operations are permitted only to the extent that the recipient has or had a relationship with the individual who is the subject of the information. If the relationship has ended, disclosure must be limited to data related to the past relationship.

Example 30: Clare has a number of medical conditions that require ongoing physician care. She is currently seeing an allergist for treatment of hay fever and a neurologist for treatment of carpal tunnel syndrome. Thus, each physician may use and disclose Clare's PHI for treating her. Additionally, each provider may use and disclose her PHI for the purpose of receiving payment and, in certain situations, for healthcare operations purposes.

IV. Uses and Disclosures Requiring Patient Authorization


Under some circumstances that do not directly relate to treatment, payment, or healthcare operations, the Privacy Rule requires written authorization to use and disclose PHI. Let's take a closer look at the situations in which this type of permission is required.

A. General authorization requirements


In general, the Privacy Rule requires disclosure of PHI when requested by the patient and when requested by HHS for determining a covered entity's compliance with the Privacy Rule. It permits covered entities to use or disclose PHI without patient permission for treatment, payment, and healthcare operations and for certain public-policy-related uses and disclosures discussed later in this handbook. For all other purposes, the Privacy Rule requires the patient's permission to use and disclose PHI. Covered entities may use and disclose PHI for facility directories and disclose it to people assisting in an individual's care with patient agreement, which may be given verbally. Where patient permission is required but verbal agreement is not appropriate, covered entities must secure an authorization from the patient (or the patient's representative) to use or disclose PHI. With proper authorization, disclosures may be made to any individual or organization, healthcare related or not, consistent with the terms of the authorization. These other purposes that are not directly related to healthcare and may require authorization include (but are not limited to)
- certain marketing activities
- health insurance eligibility or enrollment determinations relating to an individual
- most employment decisions by current or prospective employers
- reporting to financial, life insurance, and other institutions

Covered entities should develop policies and procedures regarding compliance with the patient authorization requirement. The policies and procedures must also address routine and recurring uses and disclosures of PHI, as well as the minimum necessary disclosure standard.

Example 31: Strollers Company, a manufacturer of baby products, wants to buy a patient list from Dr. Gravida, an obstetrician, for direct product marketing. Because this requested disclosure of PHI is not for treatment, payment, or healthcare operations purposes; for a facility directory; or to someone assisting in an individual's care, and does not qualify as a public-policy-related disclosure, Dr. Gravida may not disclose PHI to Strollers without each patient's authorization.

Example 32: National Homes, a construction company, asks Dr. Newton, an orthopedic surgeon, to provide medical information about an employee's back condition. Because this requested disclosure of PHI is not for treatment, payment, or healthcare operations purposes; for a facility directory; or to someone assisting in an individual's care, and does not qualify as a public-policy-related disclosure, Dr. Newton may not disclose the employee's PHI to National without the employee's authorization.

B. Required language
Authorization forms provided to patients must be written in plain language and contain the following information:
- A specific description of the PHI to be used or disclosed
- The person(s) authorized to make the requested use or disclosure of the PHI
- The person(s) or entities to whom the covered entity may disclose the PHI
- The date on which the authorization expires or an event that would cause the authorization to expire
- A description of the patient's right to revoke the authorization and the procedure for doing so
- A statement that information disclosed under the authorization may be redisclosed to third parties that may not be subject to the Privacy Rule
- If signed by a personal representative on the patient's behalf, a description of the representative's legal authority
- A description of each purpose of the authorized use or disclosure
- A notification stating that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on signing the authorization if such conditioning is prohibited by the Privacy Rule, or, if it is permitted by the Privacy Rule, a statement about the consequences of refusing to sign the authorization

Additionally, for marketing authorizations, there must be a statement that a covered entity will receive remuneration for making a disclosure of PHI, if applicable. Covered entities must keep copies of all authorizations for at least six years from the time they were created or last in effect, whichever is later. Covered entities must also provide patients with a copy of their signed authorization.

C. Contingent authorizations
Healthcare providers generally may not condition treatment on the patient signing an authorization. Health plans likewise generally may not condition enrollment or eligibility decisions on a signed authorization.

Example 33: Belinda sees Dr. Quasar, an orthopedic surgeon, for treatment of a strained ligament in her knee. Before agreeing to treat Belinda, Dr. Quasar tells her that she has to sign an authorization permitting him to sell her medical information to a pharmaceutical company. Because Dr. Quasar may not condition Belinda's treatment on her signing such an authorization, he has violated the Privacy Rule.

There are a few exceptions to this rule. One is that healthcare providers may condition research-related treatment on the patient's authorization to use or disclose PHI for these research purposes. Exceptions such as this are limited, so if you have any questions regarding their application, be sure to consult your company's internal management or law department. Additionally, when medical treatment is rendered for the sole purpose of providing information to a third party, the covered entity may condition the treatment on the patient's authorization.

Example 34: Dr. Palau agrees with Great Books Company to provide employment-related physicals. Because the purpose of the treatment is to provide PHI to Great Books, Dr. Palau may condition performing the physicals on receiving the patient's authorization to disclose the results of the exam to the company.

Health plans may require individuals to sign authorizations for enrollment and eligibility determinations, as well as for underwriting and risk-rating purposes, before the individual may enroll in the plan as long as the authorization is not to use or disclose psychotherapy notes.

Example 35: AllHealth Insurance Company requires all prospective enrollees to sign a written authorization permitting it to use PHI (besides psychotherapy notes) to determine eligibility for health benefits. If a potential enrollee refuses to sign the authorization, AllHealth will not process the application for coverage. In this situation, AllHealth's authorization requirement complies with the Privacy Rule.

D. Specific applications

1. Psychotherapy notes


As we've briefly discussed, subject to certain exceptions, a covered entity may not use or disclose psychotherapy notes for any purpose without first obtaining the patient's authorization to do so. Psychotherapy notes are notes taken during counseling sessions by a licensed mental healthcare provider, such as a psychiatrist or a psychologist, and must be kept separate from the rest of the patient's medical record in order to receive special treatment under the Privacy Rule. Information relating to prescriptions, modalities of treatment, test results, diagnostic summaries, and certain other items are not considered psychotherapy notes. Exceptions to this rule include (but are not limited to) the healthcare provider's own use of the notes for treatment purposes, and use or disclosure for clinical training, professional oversight activities, or purposes otherwise required by law.

Example 36: Dr. Johnson, a psychiatrist, is treating Melissa on an outpatient basis for clinical depression. During each counseling session, Dr. Johnson takes notes of Melissa's complaints, feelings, and observations. Although he uses these notes to form diagnostic opinions and develop a treatment plan, they are kept separate from the rest of Melissa's chart. Dr. Johnson may not use or disclose these notes without Melissa's express authorization except for use in her treatment, professional training and oversight, and disclosures required by law.

2. Marketing
In general, a covered entity may use or disclose PHI for marketing purposes only with the patient's authorization. Marketing in this context consists of a communication about a product or service that encourages people to buy or use the product or service. It can also involve arrangements between a covered entity and a third party under which the covered entity discloses PHI in exchange for payment or another benefit, and the third party uses it to market its products or services.

Communications that describe a health-related product or service provided by the covered entity, including communications that describe the healthcare providers that participate in the covered entity's network or the benefits available under a health plan, are not considered marketing and therefore do not require authorization. Communications for treatment of an individual, for case management or care coordination, or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care also do not fall under the definition of marketing. Additionally, patient authorization is not required for marketing activities that occur during face-to-face encounters with the patient or that concern products or services of nominal value, such as pens or coffee mugs.

The HITECH Act added some additional restrictions and clarifications about use or disclosure of PHI for marketing. One provision requires that a patient authorization for marketing activities must specify whether PHI can be further exchanged for remuneration by the entity receiving the PHI. What this means is not entirely clear, but it is clear that using authorizations for marketing is more difficult. The new requirement does not apply to public health, research, or some other activities. A second provision addresses the potential overlap between marketing and some healthcare operations. It says, essentially, that a covered entity cannot justify some types of marketing as a healthcare operation. A third provision addresses prescription communications paid for by a third party. It allows communications, such as prescription reminders, only for current drugs. It appears to prohibit so-called switch letters, encouraging a patient to consider taking a different drug. The language may also affect routine advertising on covered entities' Web sites. Because of the complexity of these marketing restrictions, you should seek advice before engaging in any marketing activities that might involve the use or disclosure of PHI.

Example 37: Suburban Hospital opens a new, state-of-the-art cancer treatment center. To advertise the center, Suburban sends letters, printed on its letterhead, to all of Suburban's current and former cancer patients. The letters describe the new services available for treatment of cancer. Suburban's use of PHI without patient authorization is permitted because this activity recommends a setting of care and is therefore not considered marketing.

Example 38: Pharmaceutical Company pays a physician to send it a list of all patients on antidepression medication in order to send them letters advertising a new medication the company makes for depression. Because this disclosure by the physician is made for the pharmaceutical company to market its products and services and the physician is paid for the disclosure, the physician would not be permitted to release the PHI without patient authorization, and the authorization would have to specify whether the PHI could be further exchanged for remuneration by Pharmaceutical Company.

Example 39: Associated Health Plans, a health insurer, sends a letter to all patients advertising a new medical group that has joined its network. Because this communication describes the participants in a network, it satisfies the Privacy Rule even though it was made without authorization.

3. Fund-raising conducted for the benefit of the covered entity


In general, covered entities may use or disclose PHI in connection with fund-raising efforts only with the patient's authorization. However, covered entities may use demographic information about a patient for fund-raising purposes for their own benefit without patient authorization. For this purpose, the covered entity may only use or disclose basic patient information, such as the name, address, and dates of care. Covered entities may not use PHI for fund-raising purposes that relates to a patient's diagnosis or reason for treatment. Patients must be given the opportunity to prohibit or restrict (opt out of) any future marketing or fund-raising communications. The HITECH Act requires that the opt-out be clear and conspicuous.

Example 40: Harding Hospital wants to build a state-of-the-art MRI center. To raise money for the center, Harding sends a letter requesting donations to all patients admitted to the hospital over the last five years. The letter describes the benefits of the center and asks each patient to help make this dream a reality. As long as Harding only uses basic patient information to target the letters and gives each patient a clear and conspicuous opportunity to limit future fund-raising requests, it may use PHI for this fund-raising purpose.

V. Uses and Disclosures Permitted by the Privacy Rule with Individual Agreement
A number of uses and disclosures of PHI are expressly permitted by the Privacy Rule with the patient's agreement. We will discuss each of these in turn.

A. Disclosures to the patient or others assisting in the patient's care


Under certain circumstances, a covered entity may disclose a patient's PHI to a family member, relative, close personal friend, or any other person identified by the patient and assisting in the patient's care. In some cases a covered entity may also disclose PHI to notify, or assist in the notification of, a family member, a personal representative, or another person responsible for the individual's care, of the individual's location, general condition, or death. In these situations, covered entities must satisfy specific legal requirements that depend on whether the patient is present and capable of making healthcare decisions. If the patient is present and capable, the covered entity may disclose PHI to a family member or another person assisting in the individual's care if one of the following is true:
- The patient agrees to the disclosure.
- The patient has the opportunity to object to the disclosure and does not object.
- The healthcare provider can, based on professional judgment, reasonably infer from the circumstances that the patient does not object to the disclosure.

Example 41: Marni is admitted to Southwest Hospital following a heart attack. Dr. Hernandez, Marni's treating cardiologist, stops by to discuss the results of her cardiac stress test. While Dr. Hernandez is speaking with her, Marni's best friend comes by and Marni invites her in. Under these circumstances, Dr. Hernandez can reasonably infer that Marni does not object to the disclosure of her PHI to her best friend given that she invited her friend in.

If the patient is not present, a covered entity may disclose PHI to a person assisting in the patient's care if it determines, based on professional judgment, that the disclosure is in the patient's best interest. The same is true for patients who are unable to make healthcare decisions due to incapacity or emergency. Under these circumstances, however, the covered entity may disclose only the PHI that is directly relevant to the person's involvement in the patient's healthcare.

Example 42: Don is hospitalized after falling and hitting his head at work. Don's coworker follows the ambulance to the hospital, and when he arrives Don is unconscious. Don's physician may disclose PHI to the coworker if, in the physician's professional judgment, disclosing the information to the coworker is in Don's best interest. The physician, however, may only disclose the PHI directly related to the coworker's involvement in making decisions about Don's current treatment.

Finally, a covered entity may use or disclose PHI to an entity authorized by law or its charter to assist in disaster relief efforts for the purpose of coordinating the kinds of disclosures discussed above. The covered entity has to follow the requirements outlined above only to the extent that they do not interfere with the entity's ability to respond to an emergency.

B. Facility directories
Another type of permitted use or disclosure of PHI exists with respect to facility directories, which typically list the name, room number, and general health condition (for example, fair, critical, or stable) of the patient. A telephone number may also be disclosed. If the facility directory also identifies the patient's religious affiliation, this may be disclosed only to clergy. Before including PHI in a facility directory, the covered entity must inform the patient, orally or in writing, of its intent to include the patient in the directory. This notice gives the patient the opportunity to prohibit or restrict this use of PHI, which may be done orally or in writing. In an emergency or if the patient is incapable of making decisions, the covered entity may include the patient's PHI in the directory if the patient has not previously expressed a preference against it and the covered entity reasonably determines that this is in the patient's best interest. Once the patient is able to make this decision, the covered entity must provide an opportunity to object to the continued disclosure of this information.

VI. Uses and Disclosures Without Patient Permission


Under limited circumstances, covered entities may also disclose PHI to help further important public-policy objectives. In such instances, the covered entity is not required to obtain the patient's permission. A number of public-policy-related disclosures are permissible. Many of these are described below. You should remember that strict requirements must be met before making such disclosures. You should consult your company's internal management or law department before disclosing PHI for public-policy reasons.

A. Public health activities


A covered entity may disclose PHI to a public health authority authorized to receive PHI for the purposes of preventing or controlling disease, injury, or disability. Public health authorities typically include state health departments, the Centers for Disease Control and Prevention (CDC), the National Institutes of Health (NIH), the Food and Drug Administration (FDA), the Occupational Safety and Health Administration (OSHA), and the Environmental Protection Agency (EPA). With respect to the FDA, a covered entity may disclose PHI to a person subject to its jurisdiction (for example, a drug or device manufacturer) regarding FDA-regulated products or activities for which the person is responsible, for purposes related to the quality, safety, or effectiveness of the FDA-regulated products or activities. A covered entity may disclose PHI to a public health or other government authority to report child abuse or neglect. Covered entities may also disclose PHI, when authorized by law, to people who may have been exposed to a communicable disease. Healthcare providers who provide healthcare to an employer's workforce may disclose PHI to employers concerning work-related injuries, for limited purposes, and workplace-injury surveillance activities that may be required by law.

B. Victims of abuse, neglect, or domestic violence


Covered entities may disclose to government authorities, including social or protective service agencies, PHI about an adult patient the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence. If a report of suspected abuse, neglect, or domestic violence is not otherwise required by law but is expressly permitted, the covered entity must reasonably determine, before disclosing the PHI, that the disclosure is necessary to prevent serious harm to the patient or other potential victims. Subject to two exceptions, covered entities must inform the patient, orally or in writing, that it has disclosed PHI to report abuse. A covered entity does not have to notify the patient if it reasonably believes that doing so would place her at risk of serious physical or emotional harm. A covered entity also does not have to notify an individual's personal representative if it reasonably believes that the representative is responsible for the abuse or neglect.

C. Health oversight activities


Covered entities may also disclose PHI to a health oversight agency or a person acting on its behalf. Covered entities may also use PHI when the covered entity itself is a health oversight entity. Health oversight activities may include audits; investigations; inspections; licensure or disciplinary actions; and civil, criminal, and administrative proceedings. These disclosures are encouraged because health oversight activities are intended to safeguard the integrity and quality of public and private healthcare systems and programs.

Example 43: City Hospital provides healthcare services to Medicare and Medicaid patients. City Hospital may disclose PHI to the Inspector General at the Centers for Medicare and Medicaid for an audit of City Hospital's claims.

Investigations that target the patient who is the subject of the PHI and that are unrelated to the receipt of healthcare or claims for public health benefits aren't considered health oversight activities.

D. Judicial and administrative proceedings


Covered entities may disclose PHI pursuant to a court order. Without a formal court order, covered entities may disclose PHI in connection with legal proceedings if specific conditions (generally requiring notice to the individual who is the subject of the PHI) are met. As mentioned earlier, the specific requirements governing disclosure of PHI for public-policy purposes are detailed and complex. Before disclosing PHI in this context, you should contact your company's internal management and law department to coordinate an appropriate disclosure of information.

E. Law enforcement
With some limitations, covered entities may also disclose PHI to law enforcement officials in connection with certain law enforcement requests and activities. Generally, these disclosures must relate to one of the following:
- A requirement by law for the reporting of wounds or injuries or the mandates of a court order, subpoena, or summons
- The identification or location of a suspect, fugitive, material witness, or missing person
- Information about the victim of a crime
- Evidence of criminal conduct that occurred on the covered entity's premises
- Disclosures about deceased persons
- Reporting crimes in an emergency

Before disclosing PHI in this context, you should contact your company's internal management and law department to coordinate an appropriate disclosure of information.

F. Research
Some research using health records does not involve the treatment or examination of patients. Rather, this research is limited to the study of medical records and other healthcare data. A covered entity may use or disclose PHI without patient authorization for research if the research receives the prior approval of the covered entity's Institutional Review Board (IRB) or a similarly composed body, called a Privacy Board. An IRB is a committee that's generally responsible for overseeing research affecting human subjects. In approving the use or disclosure of PHI for research purposes, an IRB must determine that
- the use or disclosure of PHI involves only minimal risk to the research subjects, including, for instance, that adequate procedures exist to protect the PHI from being improperly used or disclosed
- the research cannot practicably be conducted without using or disclosing the PHI
- the research cannot practicably be conducted without waiving the authorization requirement

The covered entity must document the IRB/Privacy Board's approval of the use of PHI for research purposes. This documentation must include
- the IRB/Privacy Board's specific determinations
- the date of the approval
- a brief description of the PHI to be used or disclosed in connection with the medical research

G. Serious threats to health or safety


Covered entities may use or disclose PHI if they determine that disclosure is necessary to prevent a serious and imminent threat to the health or safety of a person or the public. The disclosure must be made to people reasonably able to prevent or lessen the threat, including the target of the threat or enforcement officials.

Example 44: A disturbed patient tells his primary care physician, Dr. Harrington, that he hates his ex-girlfriend and wants to kill her the next time he sees her. If Dr. Harrington warns the ex-girlfriend of the patient's intentions, this disclosure of PHI is probably permissible under the Privacy Rule.

H. Other public-policy-related disclosures


Finally, covered entities may disclose PHI to serve a number of other purposes related to public policy. These include disclosures to
- coroners and medical examiners
- organ procurement, donation, and transplantation organizations
- workers' compensation agencies and programs
- military and intelligence agencies (if the PHI relates to an individual's current or past service)
- the Secret Service for the protection of the President of the United States
- any entity when the disclosure is required by law

These uses or disclosures of PHI are usually subject to many requirements that must be satisfied before the information can be used or disclosed. You should direct any questions or concerns you may have to your company's internal management or law department.

VII. Patient Rights

A. Right to receive notice of privacy practices


Covered entities must provide patients with a written notice of their privacy practices. Organized healthcare arrangements and affiliated entities that designate themselves as a single entity may develop a uniform joint notice for all of the entities involved. In emergency situations, covered entities must provide notice as soon as reasonably possible after the emergency. A covered healthcare provider that has a direct treatment relationship with a patient must make a good-faith effort to obtain a written acknowledgment of the receipt of the notice by the individual. If a covered entity is not able to obtain the acknowledgment, it must document its good-faith efforts and explain the reasons why the acknowledgment was not obtained.

Example 45: Joe is brought by ambulance to St. Victoria's emergency room. He is in full cardiac arrest when he arrives. The ER physicians resuscitate Joe and admit him to the hospital for further care. The hospital must present Joe with its notice of privacy practices as soon as reasonably practicable after his condition has stabilized.

The Privacy Rule contains specific provisions concerning the information that must be included in the notice and the manner in which notice must be provided.

1. Content of notice
A notice of privacy practices must be written in plain language and contain the following information: A prominently displayed statement that reads "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully." A description of the permitted and required uses and disclosures of PHI that may be made without patient authorization, including at least one example of how the covered entity would use or disclose PHI for each of the following purposes: treatment, payment, and healthcare operations A sufficiently detailed description of each of the other purposes for which uses or disclosures are allowed by HIPAA without the individuals written authorization, including any applicable restrictions imposed by other laws A statement that all other uses and disclosures will only be made with the patient's written authorization An explanation of the patient's privacy rights, including the patient's right to receive confidential communications; to copy and inspect his PHI; to request an amendment of the PHI; to receive an accounting of certain disclosures of the PHI; and to request restrictions on a covered entity's use or disclosure of the PHI If the covered entity plans to engage in certain activities, a description of the activitiesfor example, provide appointment reminders or treatment-related information, raise funds, or, in the case of a group health plan, disclose PHI to the plan sponsor A description of the covered entity's legal obligations to maintain the privacy of PHI, abide by the terms of its notice of privacy practices, and inform patients of any changes to the notice An explanation of the patient's right to file a complaint with the covered entity or HHS and a statement that he will not be retaliated against for filing it The name, or title, and telephone number of a person or office to contact for further information The effective date of the notice

Additionally, to the extent that state or other law restricts an otherwise permissible use or disclosure, the notice must reflect the more restrictive law. Also, if a covered entity decides to limit the uses and disclosures of PHI it may make, it may describe the more limited uses and disclosures in its notice. However, the entity may not restrict the uses and disclosures it is required to make by law or the uses and disclosures it may make to avert a serious threat to the health or safety of an individual or the public. Importantly, for a covered entity to apply a change in a privacy practice described in its notice to PHI obtained before it issues a revised notice, it must reserve the right to do so in its notice.

Example 46: Dr. Smith, an obstetrician, often treats patients with particularly sensitive conditions. He may wish to assure patients that even though the law permits him to disclose information for a wide range of purposes, he will only disclose information in very specific circumstances: for treatment, payment, and healthcare operations purposes, as required by law, and to avert serious threats to health or safety.

Covered entities must maintain copies of all issued notices for at least six years from the date they were created or last in effect, whichever is later.

2. Provision of notice
Covered entities must provide notice to all patients, health plan enrollees, and anyone else who requests it. In addition, covered entities must prominently post the notice in their facilities and on their websites, if they maintain websites. Covered entities must promptly revise their notice whenever there is a material change in their privacy practices. They may not implement any material changes in their privacy practices until the effective date of the revised notice.

Healthcare providers in direct treatment relationships must provide notice to all patients no later than their first appointment. They may also mail the notice electronically, as long as the patient has agreed to receive the notice in this manner. Healthcare providers in indirect treatment relationships are only required to provide notice if the patient requests it. If a patient's first encounter with a covered entity is electronic, the covered entity must provide notice in electronic form at that time.

Health plans must provide notice to enrollees at the time of enrollment. If the health plan materially revises its privacy practices, it must notify all enrollees within 60 days of the revision. Health plans must also inform enrollees at least once every three years about the availability of the notice and how to obtain a copy. They may satisfy the initial notice requirement by sending a copy of the notice to the named insured. They do not need to provide notice to each dependent that may be covered under a particular plan.


Electronic notice, such as e-mail, must meet certain additional requirements. The patient must agree to accept notice in this form. Electronic notice must state that the patient has a right to receive a paper copy upon request. If e-mail transmission fails, the covered entity must provide a paper copy of the notice to the patient.

Example 47: The first time Martina requests to fill a prescription through WebDrugs, a covered Internet pharmacy, WebDrugs must automatically provide her with its notice of privacy practices with the delivered prescription.

Example 48: Dr. Checkup, whose office is located in Boston, has hospital staff privileges at Holistic Hospital in neighboring Cambridge. A single notice may cover both Dr. Checkup and Holistic Hospital as long as they're both part of an organized healthcare arrangement. If Dr. Checkup's privacy practices at his private office are different from the hospital's, however, Dr. Checkup must have a separate notice for his office.

B. Right to request restriction on uses and disclosures of PHI


A covered entity must allow patients to request restrictions on the use or disclosure of PHI for treatment, payment, and management of healthcare operations. This right also applies to disclosures to people assisting in the patient's care, such as family members and friends.

Example 49: Catherine requests that Hilltop Hospital never disclose her PHI to Theresa, her sister, who is providing assistance with her care. Once the hospital agrees to this restriction, it is thereafter prohibited from disclosing Catherine's PHI to Theresa, even if the disclosure would otherwise be permissible under the Privacy Rule.

The covered entity is not required to agree to the requested restriction. If it does accept the restriction, however, it must honor the patient's request. The restriction is only binding on the covered entity that agrees to it. A covered entity that agrees to a requested restriction must also document the restriction and keep it on file for at least six years from the date it was created or last in effect, whichever is later. If a patient needs emergency treatment and restricted PHI is necessary for a healthcare provider to provide that treatment, a covered entity may use or disclose PHI to the healthcare provider. The covered entity must, however, request that the provider refrain from further using or disclosing the restricted information.

A change by the HITECH Act requires covered entities to agree to a patient request to restrict disclosures to a health plan for purposes of carrying out payment or healthcare operations if the PHI pertains solely to a healthcare item or service that the patient has paid for out of pocket in full. An individual cannot prevent any such disclosure required by law, however.


C. Receipt of confidential communications


A covered entity must allow a patient to request the means by which and locations where she wishes to receive communications of PHI from the covered entity. In addition, covered entities must accommodate requests to receive this information via different means than the way covered entities usually transmit information (for example, written or electronic), or at different locations. All reasonable requests must be accommodated.

Example 50: Sam doesn't want his family members to know about a certain treatment he's undergoing. He may request that his physician communicate with him at his place of employment, by mail to a designated address, or by phone to a designated number, rather than using his home phone number or address.

If the covered entity is a health plan, it may require that patient requests to receive PHI at another location be accompanied by a statement that disclosure of this information to the address on file could endanger the patient.

Example 51: Jan requests that ABC Health Plan send explanations of benefits about particular services to her work rather than home address because she's concerned that a member of her household might read the document and become abusive toward her. ABC Health Plan must accommodate the request, and may require that Jan state in her request that she could be in danger if the information is sent to her home address.

Covered entities may require the patient to make these requests in writing.

D. Right of access to PHI

1. Right of access


Patients generally have the right to inspect and copy PHI that is used to make healthcare or other decisions about them. A covered entity may require the patient to request access in writing. Exceptions to this right of access include psychotherapy notes, information relating to legal proceedings, and certain information related to the operations of clinical laboratories. The right of access exists as long as the covered entity maintains the PHI. In addition, there are certain circumstances in which a covered entity may deny an access request. For example, a covered entity may deny a patient access to his PHI if the access is likely to endanger the life or safety of the patient or someone else. Correctional institutions may deny inmates access to their PHI for health and safety reasons. In addition, a covered entity may temporarily deny an access request when the patient is receiving treatment in an ongoing clinical research trial if the patient agreed to such a restriction. A request may also be denied to protect a confidential source of information.

Example 52: Kevin is enrolled in an ongoing clinical trial for a new medication. When he enrolled in the trial, the hospital conducting the research informed him that his access would be restricted while he was participating in the trial but would be reinstated after it was completed. Kevin consented to that restriction. During the trial, Kevin requests access to his PHI. The hospital may deny his request, but must provide him with the information after the clinical trial is completed.

In certain situations, patients have the right to a formal review of the decision denying access to their PHI. These situations usually involve denials based on potential harm to the patient or other people. Reviews of access denials must be performed by a licensed healthcare professional who did not participate in the original decision and who is designated by the covered entity to serve in this capacity. The reviewing healthcare provider must determine, within a reasonable period of time, whether or not to deny the requested access. The covered entity must provide the patient with written notice of the decision.

2. Provision of access
If a covered entity agrees to grant access, it must try to provide the PHI in the form requested by the patient. If the PHI is not available in this form, the covered entity must produce a legible copy in an agreed-upon form. The HITECH Act added a requirement for information maintained in an electronic health record. A patient has the right to obtain that information from a covered entity in an electronic format. The individual may also direct the covered entity to transmit the information to a designated entity or person. The fee for providing an electronic copy cannot exceed the covered entity's labor cost for responding to the request.

A covered entity may provide the patient with a summary of the PHI rather than providing access to it, as long as the patient has agreed in advance to accept a summary. In addition, a covered entity may charge the patient a reasonable fee for the summary. Again, the patient must have agreed to the charge in advance. Patients may also be charged a reasonable fee for copying, including the cost of labor and supplies related to copying, and postage if applicable. The fee may not include charges for retrieving, handling, or processing the information.

3. Denial of access
When a covered entity denies an access request, it must give the individual access to any other PHI requested, after excluding PHI for which the covered entity has a basis for denial. A denial of access must be in writing and explain the basis for the denial. If applicable, the denial must state that the individual may have the denial reviewed. Finally, it must explain how the patient may file a complaint to the covered entity or HHS. If the covered entity does not maintain the requested PHI, it must inform the patient where to direct the request for access if it knows.

E. Right to amend PHI


A covered entity must allow patients the opportunity to request changes to their PHI for as long as it maintains the information. There are certain exceptions to this right. A covered entity may deny this request if it did not create the PHI. If the creator of the PHI is no longer available to act on the request, however, the covered entity must treat the request as though it created the PHI itself. A covered entity may deny a request for amendment if it determines that the PHI to which the request applies is accurate and complete. Finally, covered entities may deny these requests if the patient does not have the right to access the information under the Privacy Rule.

Covered entities must act on a patient's request within 60 days of receiving it. If the covered entity is unable to meet this deadline, it may extend the deadline by no more than 30 days after providing notice to the individual of the reason for delay and the date by which it will comply with the request. Upon making its decision, the covered entity must inform the patient whether or not it will agree to the request.

If the covered entity agrees to the request, it must then make the amendment and inform the patient, anyone the patient identifies as having received the PHI that needed amending, and persons, including business associates of the covered entity, who might use the information to the detriment of the individual.

If a covered entity denies the request, it must state the reasons for the denial in writing. The written denial must also describe the patient's right to submit a statement disagreeing with the denial and the procedures for submitting this statement, as well as the patient's right to file a complaint with the covered entity or HHS. The denial must also state that if the patient does not submit a statement of disagreement, he may request that the covered entity provide his amendment request whenever it uses or discloses in the future the PHI that is the subject of the amendment request.

F. Right to receive an accounting of PHI disclosures


Patients generally have the right to receive an accounting of disclosures of their PHI made by a covered entity, including those by or to a business associate. This right generally covers disclosures made within six years preceding the accounting request.


However, except as noted below, covered entities don't have to account for disclosures for treatment, payment, or healthcare operations purposes. In addition, the patient's right to receive an accounting may be temporarily suspended if the disclosure was made to a health oversight or law enforcement agency and the requested accounting would reasonably impede the agency's activities.

The HITECH Act, however, made several changes to these accounting rules. First, the exception for disclosures for treatment, payment, or healthcare operations purposes no longer applies to disclosures made from an electronic healthcare record. However, the obligation to report such disclosures goes back only three years, not six. Second, the Privacy Rule added a new way to provide an accounting to a requesting patient. As before, it can provide a complete accounting to a patient that includes all disclosures made by the covered entity and its business associates. In the alternative, the HITECH Act also allows a covered entity to report only its own disclosures and to provide the requesting patient with a list of names and addresses of business associates. The new accounting provisions begin to take effect at the beginning of 2011, with implementation delayed until 2014 for older systems. Many questions about the new accounting requirements remain to be answered by HHS regulations.

To comply with the Privacy Rule, an accounting must include a brief statement of the purpose of and basis for the disclosure, the date of the disclosure, the name of the person or entity that received the PHI, and a brief description of the PHI disclosed. For multiple disclosures to the same recipient, a summary addressing all such disclosures is permitted.

Example 53: Valley Hospital discloses the same PHI to a public health authority for the same purpose every month.
The hospital can account for those disclosures by including in the accounting the date of the first disclosure; the public health authority to which the disclosures were made (and its address); a brief description of the information disclosed; a brief description of the purpose of the disclosures or, if applicable, a copy of the request for such disclosure; the fact that the disclosures were made every month; and the date of the most recent disclosure.

A covered entity has 60 days to respond to a request for an accounting. If it is not able to provide the accounting within 60 days, it may request a one-time 30-day extension as long as it provides the patient with the reason for the delay and the date by which it will provide the accounting. Individuals have a right to receive one free accounting per 12-month period. For each additional request by an individual within the 12-month period, the covered entity may, with prior notice, charge a reasonable, cost-based fee.
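The accounting rules above (the six-year lookback, the three-year lookback for treatment/payment/operations disclosures made from an electronic health record, the Example 53 pattern of summarizing repeated disclosures to one recipient, the 60-day response deadline with its one-time 30-day extension, and the one-free-accounting-per-year rule) implemented as an added Python example. This is illustration written for this page, not code from the training materials or from HHS. It assumes a disclosure log kept as one dict per disclosure with `tpo` and `ehr` flags, and the function names, the sample log and all names and dates in it are constructed for the example.

```python
"""Accounting-of-disclosures generator (added illustration, not an HHS tool).

Assumed record layout (not specified in the text): one dict per disclosure,
with tpo=True for treatment/payment/operations disclosures and ehr=True for
disclosures made from an electronic health record.
"""
from collections import defaultdict
from datetime import date, timedelta

# Lookback windows described in the text: six years in general, three years
# for TPO disclosures made from an EHR (HITECH change).
GENERAL_LOOKBACK_YEARS = 6
EHR_TPO_LOOKBACK_YEARS = 3


def years_before(d, n):
    """Same calendar day n years earlier (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def is_accountable(rec, request_date):
    """TPO disclosures are exempt unless made from an EHR; EHR TPO disclosures
    are reported for three years, everything else for six."""
    if rec["tpo"] and not rec["ehr"]:
        return False
    window = EHR_TPO_LOOKBACK_YEARS if rec["tpo"] else GENERAL_LOOKBACK_YEARS
    return years_before(request_date, window) <= rec["date"] <= request_date


def build_accounting(records, request_date):
    """Produce accounting entries. Repeated disclosures to the same recipient
    for the same purpose collapse into one summary entry carrying the first
    and most recent dates and the count (the Example 53 pattern)."""
    groups = defaultdict(list)
    for rec in records:
        if is_accountable(rec, request_date):
            groups[(rec["recipient"], rec["address"], rec["purpose"])].append(rec)
    entries = []
    for (recipient, address, purpose), recs in groups.items():
        recs.sort(key=lambda r: r["date"])
        entries.append({
            "recipient": recipient,
            "address": address,
            "purpose": purpose,
            "basis": recs[0]["basis"],
            "phi_description": recs[0]["description"],
            "first_date": recs[0]["date"],
            "last_date": recs[-1]["date"],
            "count": len(recs),
        })
    entries.sort(key=lambda e: e["first_date"])
    return entries


def response_deadlines(request_received):
    """60 days to respond, plus a one-time 30-day extension when the patient is
    told the reason for the delay and the new date. Returns (due, extended)."""
    due = request_received + timedelta(days=60)
    return due, due + timedelta(days=30)


def fee_may_apply(prior_request_dates, request_date):
    """One free accounting per 12-month period; further requests in that period
    may carry a reasonable, cost-based fee with prior notice."""
    period_start = years_before(request_date, 1)
    return any(period_start < d <= request_date for d in prior_request_dates)


def disclosure(when, recipient, address, purpose, basis, description,
               tpo=False, ehr=False):
    return {"date": when, "recipient": recipient, "address": address,
            "purpose": purpose, "basis": basis, "description": description,
            "tpo": tpo, "ehr": ehr}


# Constructed sample log (fictitious names and dates) for a request dated 2012-12-15.
SAMPLE_LOG = (
    [disclosure(date(2012, m, 1), "State Public Health Authority",
                "1 Capitol St, Springfield", "monthly communicable disease report",
                "public health reporting required by state law",
                "patient name, diagnosis code, date of diagnosis") for m in range(1, 13)]
    + [disclosure(date(2004, 7, 9), "Anytown Law Office", "9 Court Rd, Anytown",
                  "response to subpoena", "legal process", "visit dates")]  # older than 6 years
    + [disclosure(date(2012, 6, 1), "Mercy Health Plan", "PO Box 1, Anytown",
                  "claim submission", "payment", "claim form", tpo=True)]  # paper TPO, exempt
    + [disclosure(date(2011, 3, 10), "Mercy Health Plan", "PO Box 1, Anytown",
                  "eligibility check", "payment", "coverage query", tpo=True, ehr=True)]
    + [disclosure(date(2008, 5, 1), "Mercy Health Plan", "PO Box 1, Anytown",
                  "eligibility check", "payment", "coverage query", tpo=True, ehr=True)]
)  # the 2008 EHR disclosure falls outside the three-year window


if __name__ == "__main__":
    for entry in build_accounting(SAMPLE_LOG, date(2012, 12, 15)):
        print(entry)
```

Run against the sample log, the generator returns two entries: a single 2011 eligibility-check disclosure from the EHR, and one summary line covering the twelve monthly public-health reports of 2012 (first date, last date, count), while the 2004 subpoena response, the paper claim submission, and the 2008 EHR disclosure are filtered out by the lookback and exemption rules.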

G. Right to receive notice of a breach of PHI


As we've seen, patients have the right to be informed of their covered entity's privacy policies. But what happens if, despite those policies, there's an unauthorized transfer, use, or other breach of the protected information? The HITECH Act provided the answer to this question.

A breach is the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of the information. Something compromises the security or privacy of PHI if it poses a significant risk of financial, reputational, or other harm to the individual. Thus, a covered entity may use and document a risk assessment to determine if a breach will cause a significant harm to the individual and require notification. In the absence of sufficient risk of harm, a breach is not a breach under the rule.

If the breach poses a significant risk of harm to the individual involved, the company must notify the individual of the breach. This notice must include, among other things, a brief description of what happened, the types of PHI involved, and any steps the individual should take. The notice must be given without unreasonable delay, and in any event within 60 days after the breach was discovered or should have been discovered. And in some cases, the company may also have to notify the federal government and local media. Business associates must also notify their covered companies of any breach of PHI they become aware of.

The breach notification requirement only applies to a breach of unsecured PHI. PHI is unsecured if it is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology (such as the use of approved forms of encryption) specified by the Secretary of Health and Human Services in guidance. The Secretary's initial guidance is at http://edocket.access.gpo.gov/2009/pdf/E9-9512.pdf.

Notification is also not required for:

- the use or disclosure of a limited data set that excludes the individual's birth date and zip code
- certain inadvertent uses or disclosures of PHI that don't result in a violation of the Privacy Rule
- the inadvertent disclosure of PHI to someone who isn't likely to be able to retain it, for example, because it was mailed to the wrong address and returned by the Post Office unopened

Vendors of personal health records (PHR), and other PHR-related entities not covered by HIPAA, are also subject to breach notification requirements under the HITECH Act. These rules, issued by the Federal Trade Commission, are similar to those for HIPAA-covered entities, but there are some differences. For example, the non-HIPAA rule may require notification even if there's no evidence of a significant risk of harm from the breach.


In any event, both the HIPAA and non-HIPAA notification rules are lengthy and complex. You should be sure to consult your company's law department or other designated party if you have any questions.

VIII. Administrative Requirements
The Privacy Rule imposes numerous administrative requirements on covered entities, which include:

A. Designating privacy personnel


Covered entities must designate a privacy official who has responsibility for developing and implementing privacy policies and procedures. Covered entities must also designate a contact person, who is responsible for receiving privacy-related complaints and providing information regarding the covered entity's privacy practices. The privacy official may serve as the contact person.

B. Training
A covered entity must train all members of its workforce on its policies and procedures with respect to PHI within a reasonable time after they join the entity's workforce. Retraining all members of the workforce is required when a covered entity makes a material change to its privacy policies. Finally, covered entities must document that training has been provided.

C. Safeguards
Covered entities are required to establish administrative, technical, and physical safeguards to protect PHI from being improperly used or disclosed. They must also reasonably safeguard PHI to limit incidental uses or disclosures that result from an otherwise permitted or required use or disclosure. And they must mitigate any harm resulting from a use or disclosure that violates the rule. The HIPAA Security Rule, applicable to the same covered entities as the Privacy Rule, provides more detail with respect to electronic PHI.

Example 54: Johnson Medical Practice must, under the Privacy Rule, safeguard PHI against improper or inadvertent uses or disclosures. To do so, it may decide to shred documents, require that doors to medical records departments remain locked, and limit personnel in restricted document areas.

D. Complaint process
A covered entity must provide a process for individuals to file complaints concerning the covered entity's policies and procedures related to PHI or its compliance with its policies and procedures or the Privacy Rule. All complaints concerning the improper use or disclosure of PHI, as well as the final resolution of the complaint, must be documented.


E. Sanctions
Under the Privacy Rule, a covered entity must develop and enforce sanctions against its employees who fail to follow its policies and procedures related to PHI or who violate the Privacy Rule. The covered entity must also mitigate, to the extent practicable, any harmful effect it knows about of a use or disclosure of PHI in violation of its policies and procedures or of the Privacy Rule by it or a business associate.

F. Intimidating and retaliatory acts


The Privacy Rule prohibits retaliating against a patient or any other person who files a complaint with HHS. The rule prohibits retaliating against individuals for testifying, assisting, or participating in certain investigations, compliance reviews, proceedings, and hearings under the Administrative Simplification provisions of HIPAA's Privacy Rule. Retaliatory acts against anyone opposing any act or practice made unlawful by the Privacy Rule are prohibited, as long as the person has a good-faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and doesn't involve an unauthorized disclosure of PHI. HHS also prohibits retaliatory actions against patients who exercise any right granted by the Privacy Rule, including filing a complaint with the covered entity or HHS.

G. Waiver of rights
A covered entity may not require individuals to waive their rights to file a complaint with HHS or their other rights under certain sections of the Privacy Rule as a condition of providing treatment, payment, enrollment in a health plan, or eligibility for benefits.

H. Policies and procedures


A covered entity must implement policies and procedures with respect to PHI that are reasonably designed to comply with the standards, implementation specifications, and other requirements of the Privacy Rule, taking into account its size and the nature of the activities it undertakes that relate to PHI. However, the policies and procedures may not be interpreted to permit or excuse any action that violates the Privacy Rule. When the covered entity has stated in its notice of privacy practices that it reserves the right to change its practices, the new practice may be applied to information created or collected before the effective date of the new practice. The Privacy Rule also sets forth the conditions for making changes if the covered entity has not reserved the right to change its practices. Covered entities are required to modify their policies and procedures in a prompt manner to comply with changes in relevant law. They are also required to change the notice when the change also affects the practices stated in the notice. These requirements, however, may not be used by a covered entity to excuse a failure to comply with applicable law.


The Privacy Rule also requires that the policies and procedures be maintained in writing, and that any other required communication, action, activity, or designation that must be documented in writing be maintained. The Privacy Rule states that covered entities must retain any required documentation for at least six years from the date the document was created or the date the document was last in effect, whichever is later. HHS notes that this approach is consistent with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance.

I. Exception for certain group health plans


A group health plan that provides benefits solely through an insurance contract with an HMO issuer or an HMO, and that does not create, receive, or maintain protected health information other than summary health information or information regarding enrollment and disenrollment, is not subject to the administrative requirements discussed above except for documentation retention requirements relating to plan documents.

IX. Use of PHI Collected or Created Prior to April 14, 2003


A covered entity may use or disclose PHI created or received prior to the April 14, 2003, compliance date, if it has an authorization or other express legal permission secured before April 14, 2003, assuming that the authorization explicitly permits the use or disclosure and there are no agreed-upon restrictions. In addition, a covered entity may use or disclose, for a specific research study, PHI that is created or received either before or after the compliance date of April 14, 2003 (as long as there is no agreed-upon restriction) if the covered entity has obtained, before the compliance date, an authorization or other express legal permission from a patient to use or disclose PHI for the research study, an informed consent to participate in the research, or an IRB waiver of informed consent for the research. Note that uses or disclosures of individually identifiable health information made before the compliance date are not subject to sanctions, even if they were made pursuant to documents or permissions that do not meet the requirements of the Privacy Rule or were made without permission. The Privacy Rule impacts only the future effectiveness of the previously obtained consents, authorizations, or permissions.

X. Relationship to State Laws


Any state law that is contrary to the federal requirements established under the Administrative Simplification provisions of HIPAA, including the provisions on privacy, is preempted. However, there are several exceptions to this general rule of preemption. First, there is an exception when HHS determines that a state law is necessary for any one of the following purposes:

- To prevent fraud and abuse related to the provision of or payment for healthcare
- To ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation
- For state reporting on healthcare costs
- For other purposes of serving a compelling need related to public health, safety, or welfare, and, if a standard, requirement, or implementation specification is at issue, if HHS determines that the intrusion into privacy is warranted when balanced against the need to be served

Second, there is an exception where the state law regulates the manufacture, registration, distribution, dispensing, or other control of controlled substances. Third, there is an exception for state laws that require the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention. Fourth, there is an exception for state laws that require a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, facility licensing or certification, or individual licensing or certification. Finally, the Privacy Rule provides that a state law that relates to the privacy of health information and is more stringent than federal requirements is not preempted. In this way, the Privacy Rule creates a floor of federal privacy protection and is not intended to supersede other applicable law that provides greater protection to the confidentiality of health information.

B. When is a provision of state law contrary to an analogous federal requirement?


Under the Privacy Rule, a state law qualifies as contrary to a federal privacy requirement when a covered entity would find it impossible to comply with both the state and federal requirements, or when the provision of state law stands as an obstacle to the accomplishment and execution of the purposes and objectives of the Administrative Simplification provisions, including the Privacy Rule.

C. What qualifies as state law?


State law, as defined by the Privacy Rule, means a constitution, statute, regulation, rule, common law, or other state action having the force and effect of law.

D. When does a state law relate to the privacy of health information?


A state law relates to the privacy of health information if it has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way.

E. When is a state law more stringent than a federal requirement?


In general, more stringent means providing a greater privacy protection. A state law is more stringent than federal law when the state law establishes greater limitations on disclosures, creates more individual rights with respect to PHI, or provides greater access to PHI for individuals than the federal law.

Example 55: A state law requires that patients consent to disclosures of their health information for treatment and/or payment purposes. This law would not be preempted by federal law because by requiring consent for use or disclosure for treatment and/or payment purposes, the law is more protective than federal law.

Example 56: Another state law requires a provider to disclose data about certain contagious diseases to a public health agency. This law would not be preempted under the Privacy Rule because of the carve-out for state laws that require data reporting.

F. Administrative determinations
The Privacy Rule sets forth a process under which a state or individual may submit a written request to HHS to make a determination under the first preemption exception discussed above. Exception determinations are effective until either the underlying federal or state laws materially change or the exception is revoked by HHS, based on a determination that the grounds supporting the exception no longer exist.

XI. Enforcement and Penalties


Under HIPAA, the penalties for violating the Privacy Rule are severe. The penalties were increased by the HITECH Act and now apply to business associates as well as covered entities. Depending on the nature of the violation, the penalties include:

- A civil penalty ranging from $100 to $50,000 per person per violation, and up to $1.5 million per person for violations of a single standard in one year
- A criminal fine of not more than $50,000 and/or imprisonment of not more than one year for wrongful disclosure of PHI
- A criminal fine of not more than $100,000 and/or imprisonment of not more than five years if the disclosure is under false pretenses, for example, when a person lies about his identity
- A criminal fine of not more than $250,000 and/or imprisonment of not more than ten years if a person intends to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm

In addition, states can sue to stop HIPAA violations and recover damages on their residents' behalf.


Doing Business in India: Perspectives through an Ethics & Culture Lens


Government (Regulatory Environment)
Over the past two decades there has been a considerable effort to liberalize the economy by simplifying the laws that govern and regulate business, but a large amount of complexity, and sometimes conflicting rules, remains to be navigated. This complexity, combined with opacity in interactions with many government agencies and regulatory bodies, encourages a rise in intermediaries who facilitate transactions, often with little transparency about the methods used (a "get the work done" mindset).

Business Environment (Ecosystem)
There is a vibrant entrepreneurial spirit, a robust financial and banking sector and a business climate that encourages foreign investment. But a large share of business activity and employment generation occurs in unorganized sectors with weaker governance and lax compliance with business, environmental and labor laws, including regulatory and tax compliance.

Workforce
A large youth demographic, fuelled by rising aspirations and rapid growth opportunities. An interesting dynamic is playing out: the older generation in decision-making roles in corporations and government is more tolerant of corruption and expedient decision-making, while the younger workforce is at times idealistic and frustrated with the eroding moral fabric. At the same time, a competitive go-getter environment frequently creates temptations and pressures to compromise ethics in order to meet short-term and individual aspirations. Over the past year or more there has been a visible increase in awareness and activism towards doing the right thing and changing the perception of a permissive attitude to business morality (the Anna Hazare movement and state prosecution of large cases of business corruption), but sustainable change will require a larger effort.

Culture
Comfort with and respect for hierarchy; hesitation to speak out, especially in the presence of seniors and elders; and a cultural openness to hospitality and gifting that conflicts with Western thinking and ways of doing business.

Journeys of Significance: Transforming Organizational Culture for Sustainable Strategic Advantage
November 2012
CONFIDENTIAL
© 2012 LRN Corporation. All Rights Reserved.

What we'll cover
1. Culture, behaviors and business outcomes
2. What does a culture journey look like?
3. Two journeys: a young global energy company and a 100-year-old global manufacturing company
4. How data-driven, insight-led transformative efforts can elevate behaviors and shape culture


Culture counts like never before
A critical driver of behaviors and business outcomes:
- Enablers: Trust, Values, Mission
- Behaviors: Information, Collaboration, Inspiration, Time Horizon, Speaking Up, Resilience, Operational Efficiency
- Outcomes: Innovation, Loyalty, Ethical Behavior, Customer Satisfaction, Reputation, Financial Performance
Source: LRN, The HOW Report, published April 2012


A new framework for a new era


A rigorous process to assess and transform culture (a 3-5 year journey, divided on the slide into Phase 1 and Phase 2)

Assess, Analyse & Baseline: Gain deep, data-driven insights into, and understanding of, the Company's culture, governance and leadership behaviors.

Envision, Define & Plan: Explore future possibilities for the Company's culture; define the desired state and potential barriers; map the path for a culture evolution.

Catalyze & Inspire: Share assessment findings across the Company; bring leaders together to collaborate for change; create models and frameworks for translating values into behavior.

Engage & Cascade: Develop and execute against a strategy to educate and communicate with the Company's people and external stakeholders.

Embed & Sustain: Evaluate and address needs for redesign of policies and processes; focus on grassroots activities and tools.

A closer look at Phase 1


A global energy company's journey
- Diversified global energy company headquartered in the Middle East
- Created through privatization of government assets and a public offering
- Several years of major acquisitions worldwide
- New strategy to optimise current assets and achieve organic growth and financial performance
- Existing LRN partner for ethics & compliance education

Known Business Challenge
- Rapid global growth through opportunistic acquisition has created diverse business units across two major streams
- Acquired businesses have made differing levels of investment and progress in articulating values, leading to inconsistent standards and behaviors
- Legacy trust issues from the first CEO's tenure still hamper some relationships within and across the organization
- Highly regulated operations impose significant compliance responsibilities, yet a rules-based mindset is limiting in many ways
- Role and responsibilities as an operating arm of the national government, which has a long-term vision for the region's economic and social development

Key Questions
- How can we establish a common, cohesive culture across diverse acquired businesses?
- How can we align our globally distributed workforce around a common purpose and set of core values?
- How can we extend trust and foster collaboration to enable business growth and deepen stakeholder relationships?
- Where can self-governing behaviors improve operational excellence and performance?
- How can self-governance establish the company as a world player and inspire other national companies?

Highlights of the journey so far (April to November 2012)
- Partnership kick-off
- Research into the Company's business
- Introductory call with senior exec team
- Preliminary interviews with executives
- 23 focus groups and 96 leader interviews conducted across 7 global locations
- Aligned on desired outcomes
- HR & LRN tailor culture survey
- Created new Chief Strategy Officer role to oversee culture evolution
- Enterprise-wide survey of governance, culture and leadership behaviors in 6 languages for over 3,000 employees
- Data analysis and synthesis begins
- Sharing of findings with senior exec team
- Initial review of findings with CEO and CSO
- 3-day meeting with 70 global leaders & influencers to share findings and align on values
- Reshaped senior exec team into new Core Leadership Team with explicit focus on culture
- November: plotting 5-year culture roadmap for embedding behavioral changes

We have employed our iterative, collaborative process throughout this period.

How insights can elevate behaviors and shape culture

Insights (identified key strengths as well as some areas of opportunity)
- Committed and proud colleagues give the Company inner strength, resilience and energy for growth; employees are dedicated to helping create sustainable value
- While the Company is young and still maturing, employees are inspired by the new strategy and recognise the value of a globally cohesive organization
- Lack of clarity and alignment of mission, purpose and values across the global organization
- While employees typically feel trusted by managers to do their jobs, there are varying perceptions about how trust is earned and extended across the Company
- When individuals or business units are extremely focused on achieving their goals, they sometimes, consciously or unconsciously, allow their interests to conflict with those of a broader group or the organization as a whole
- Regional and functional silos, inadequate tools and channels for information sharing, and an unclear sense of how to make the best decision for the Company are significant impediments to effectiveness
- Managers' behaviors, whether intentional or not, may be reducing the level of comfort employees feel in sharing information that benefits the larger organization

Impact (how insights are helping change behaviors and shape culture)
- Focus on the mutual value of discretionary effort, recognising and rewarding employees for it
- Harnessing optimism for the future and excitement about the new focus on culture and values
- Crystallised a rejuvenated set of values; seeking to embed these globally to promote harmony, not homogeneity
- Recognition of the importance of trust (with shared values and commitment to purpose) in driving business outcomes
- Effort to reconcile the interests of self and organization will be central to building a globally unified and cohesive company
- Reorganization of the senior executive team; increased interactions between business units; creation of a Chief Strategy Officer role with responsibility for culture evolution
- A leadership behavior model and performance evaluation will promote trust, transparency and collaboration, with anticipated benefits in innovation and surfacing concerns

Next steps and upcoming milestones
- Develop culture evolution roadmap for the next 5 years (ongoing)
- Share culture data and insights globally at the regional level in ways that are engaging, locally relevant and make a compelling case for change
- Create a leadership behaviors model which builds on prior work, embeds values, and incorporates insights from the culture discovery phase
- Revise the performance evaluation process in alignment with the new behaviors framework
- Transform the code of conduct into a values-based cornerstone of commitment to ethical and legally compliant behaviors
- Ethics & compliance education and leadership development on multiple fronts
- And more

A global manufacturing company's journey
- 100-year anniversary
- Industry leader
- Significant shifts of revenue and capacity outside the United States
- Declining core market
- Moving from just manufacturing to include insights and experiences

Known Business Challenge
- Need to accelerate the evolution from product supplier and manufacturer to innovative design and delivery of solutions, and align against a new corporate purpose
- Trying to drive efficiencies through a more integrated global business model, including changes from regional to global leadership, reporting, and P&L management
- Declining market conditions have placed significant pressures on the business and required multiple rounds of layoffs and outsourcing, impacting the morale of the remaining employees
- Innovation and leading the market in design trends will be increasingly important

Key Questions
- How can we unlock human potential within our employees?
- What common purpose will inspire our colleagues?
- How can we evolve from regional to global mindsets and decision making?
- How will we foster global collaboration?
- How could we inspire employees at all levels to assume leadership behaviors and be accountable for results, outcomes and impact?
- Can our values and culture differentiate us and drive business growth?
- How can we innovate in behaviors that help us to be good innovators?
- Where can employees change their day-to-day work to deliver new innovations?

Highlights of the journey so far (January to November 2012)
- Partnership kick-off
- Research into the business
- 32 focus groups, 92 leader interviews, and 21 external stakeholder interviews conducted across 10 global locations
- Aligned on desired outcomes
- HR & LRN tailor culture survey
- Enterprise-wide survey of governance, culture and leadership behaviors in 5 languages for over 10,000 employees
- Data analysis and synthesis begins
- May: sharing of findings with senior exec team
- Production of 50+ functional and regional sub-reports of survey data
- Half-day working session with senior exec team to further discuss findings and begin planning a path forward
- June: planning communications approach and design strategy
- Half-day working session with senior exec team to begin planning teams to address findings
- Communication cascade of findings throughout the entire organization; managers cascade to direct reports using a simple 3-page communication toolkit
- Focus groups to continue discussing the findings with HIPO (high-potential) employees
- Half-day working session with senior exec team to develop a plan for teams to start prototyping new behaviors
- Develop new leadership framework
- Teams formed to begin prototyping ways to address areas of opportunity

We have employed our iterative, collaborative process throughout this period.

How insights can elevate behaviors and shape culture

The assessment identified key strengths as well as areas of opportunity; each insight below is paired with how it is helping change behaviors and shape culture.

- Insight: The Company is amazingly resilient, with dedicated employees willing to give extraordinary efforts. Impact: Celebrating the collective success and legacy, and the emotional connections between employees.
- Insight: Long-term focus and staying true to its mission provide a foundation for deep reflection and true revolutionary innovation. Impact: Leaders already feel comfortable making long-term tradeoffs and pursuing strategies with risk taking, which inspires employees' potential.
- Insight: The familial culture can be leveraged as a strength in the marketplace. Impact: Changing customer and supply chain ecosystem processes to recognize levels of trust and deep relationships, removing barriers and ensuring they are more values-based.
- Insight: Mission and purpose are now too ambiguous and confusing, and employees don't know how to realize them. Impact: Clarity of purpose is used as a rallying point for teams to engage in deep consideration of why the company exists, changing the mindset for what they do.
- Insight: Confusion and stress are created between employees focused on experiences and those in manufacturing. Impact: Working together collaboratively and providing a new line of sight to the end experience gives everyone better context for communication and decision making.
- Insight: While structural changes were made to go global, leadership behaviors were not changed, resulting in tension in the organization and delayed decision making. Impact: Learning to act as virtual teams and be global citizens with the necessary flexibility and awareness of other cultures.
- Insight: A shift to critical thinking in efforts to control quality and efficiencies has impaired the ability to innovate and be creative enough to win. Impact: Balance critical thinking with desired behavioral attributes, establishing a think-do-be-type model.
- Insight: Many employees believe the company values the team and the corporation more than individual employees as people. Impact: Identifying opportunities to restore the balance in policies and practices to ensure individual employees regain identity and voice.
- Insight: Some employees are highly engaged, and they exist across all demographics, giving a base for the future culture. Impact: Identifying behaviors that drive highly engaged populations and using these as models for a new leadership framework to be deployed globally.

Next steps and upcoming milestones
- Cascading Discovery Phase results through intimate team-based discussions, allowing leaders to be leaders and engage in 2-way dialogue to role model the desired new behaviors with all employees
- Established 5 global teams to address specific business issues in ways that prototype and pilot the new behaviors and embed the core values into structural, process and organizational changes; once proven, pilots will ultimately be scaled throughout the organization
- Refreshing the corporate purpose and core values, and re-aligning leadership behaviors, business strategy and processes to these
- Development of new leadership development training based on the new behaviors and corporate purpose/values
- Direct coaching with senior leaders to help ensure the creation of environments where new behaviors can be seen and experienced rather than taught and demanded
- Modifications to key policies and procedures to embed core values

An emerging point of view

An intentional and strategic focus on culture can bridge gaps and leverage organizational strengths in order to unlock human promise and provide competitive differentiation. The sources of a more inspired, self-governing and innovative culture depend on a deeper understanding of the leadership behaviors that drive critical business outcomes and inspire super-engaged colleagues. Where cultural tensions, gaps or areas of opportunity are identified, a set of keystone behaviors, frameworks and tools is attainable and essential to enhancing levels of trust and inspiration.


Want to Build Ethical Culture? Play Up the Middle
Ted Nunez, Ph.D., Corporate Compliance Insights, 6/29/2012
http://www.corporatecomplianceinsights.com/want-to-build-ethical-cultureplay-up-the-middle/

Most ethics leaders now cite building ethical culture as a major goal of their strategy for program development, and with good reason. Based on data from several National Business Ethics Surveys, the Ethics Resource Center concludes that ethics risk is most effectively reduced by an enterprise-wide cultural approach to ethics that extends beyond a compliance mentality. Culture is the game CECOs are looking to play.

Mitigating risk is not the only benefit of a culture strategy. LRN's HOW Report, a validated, cross-industry survey of over 36,000 employees in 18 countries, found that culture impacts performance and that it can be measured. According to the global study, organizations with self-governing cultures outperform those with cultures characterized by either blind obedience (i.e., a strict command-and-control style) or informed acquiescence (i.e., a rules-based, carrot-and-stick approach). The HOW Report also found that high trust levels, well-embedded values, and commitment to a purpose-inspired mission are the key enablers of high performance for self-governing organizations.

Naming the game is one thing; playing it smart is quite another. Many companies have discovered that good tone at the top, a values-based code of conduct, annual ethics training, a helpline, and other essentials of an ethics program are not enough to drive values down into the organization deeply and effect lasting culture change. What's missing is tone in the middle (TIM), which is shaped by the living example and influential voice of managers. Indeed, when employees are asked who sets the ethical tone for them, most will identify their supervisor, not the CEO or the board. Surveys show that a majority of misconduct reports are made to managers, while less than 5% are made through the hotline. More than anything else, frontline management's consistency in word and deed sets the tone and shapes the ethical culture of an organization.
Research by the Corporate Executive Board shows that employees pay close attention to issues of organizational justice; when employees feel they are treated fairly and respectfully, and when managers trust them to do what's right, they are more engaged and productive in their work. Moreover, the work of Albert Bandura in social learning theory, as well as more recent behavioral research, highlights the importance of role models and social cues in the formation of attitudes and choice of behaviors. In short, managers who walk the talk on mission and values make all the difference. That is why it can pay to play up the middle.

Tone in the Middle


How does building TIM work in practice? Program design includes five essentials: shared vision and purpose, ethical leadership education, coaching and tools, metrics, and recognition. Here we touch briefly on each of these while walking through a sample TIM program roll-out.

Creating Shared Vision and Purpose: As part of your buy-in strategy, you want to engage senior management in drafting a charter document, call it an integrity framework, that articulates how the company's core values are manifested in habitual behaviors. Along with your code of conduct and mission/values statement, the integrity framework will be the foundation for all subsequent TIM activity. At the launch event (typically a leader workshop), senior executives need to inspire middle managers with a compelling vision of how a stronger ethical culture will contribute to sustained success. The key message is: culture matters, and leadership on the front line shapes culture. To shape culture, leaders at our company must be guided at every step by our integrity framework. You can get managers to embrace the message by asking them to share stories of when the company and its people really made good on a core value commitment, despite business pressures. Having the group recall its proudest moments does two things: it energizes people, and it creates a common expectation and desire to act in these kinds of ways more often.

A good way to focus your TIM initiative and cascade it effectively is to integrate it with a new code release. At Marsh & McLennan Companies, rewriting and rolling out the corporate code became the occasion for enlisting managers to engage their teams on how and why ethics matters. The ethics team led by Saira Jesrai first conducted focus groups across the diverse, geographically dispersed organization and found that, among other things, employees overwhelmingly wanted to receive the new code directly from their manager, rather than in the mail.
Their rationale was both simple and powerful: we want to know whether our manager takes this code stuff seriously or not. Armed with support from senior leadership and an engaging film depicting Marsh managers and employees grappling with risk issues on the job (see: Marsh & McLennan Uses Film Talent To Promote The Greater Good), Jesrai delivered a compelling message and an effective tool to managers, who widely embraced the call to serve as ethics envoys. Manager-led discussions of the award-winning film (which, by the way, did not cost a great deal) brought the new principles-based code alive for employees and created a sense of common identity for a holding company made up of several strong, well-established brands. A very similar approach, also quite successful, was taken by Bausch + Lomb a few years back when they developed and rolled out their global code.

Ethical Leadership Education: Manager education should unpack the integrity framework, focusing on ethical leadership basics that teach managers to model desired behaviors, encourage a speak-up climate and ethical reflection among employees, and deal openly and frankly with ethics issues as they arise in the workplace. Along with self-assessment and peer coaching, scenario-based discussions and role-play exercises are effective means of developing ethical leadership skills.

Coaching and Tools: Managers at every level also need coaching on how to engage their teams around mission and values as well as on how to conduct ethics training sessions. Help managers size up their audience, clarify their objectives, and choose the right teaching approach. Along with coaching, be sure to provide toolkits ("meetings in a box") to help them meet their commitment.

Ethical Performance Metrics: As with other performance measures, TIM metrics play a vital role in tracking progress and holding individuals accountable. Clear, actionable benchmarks are particularly helpful for managers who are prone to minimizing or even ignoring the mandate to take an active role in strengthening ethical culture. For example, all managers might be required to communicate specific ethics/integrity messages to their group four times per year, engage them in two interactive sessions annually, and participate in at least one values-based leadership learning event. On a quarterly basis, managers would report their TIM activities to their manager and the ethics office, which would incorporate these benchmarks in an annual report to the Board and senior management.

Recognizing Excellence: What's the best way to recognize ethical performance? Some argue that ethics/integrity KPIs are a sine qua non for an effective TIM program. How else do you get managers to devote precious time and resources to ethics training given other priorities? If metrics aren't tied to KPIs and bonus dollars, they'll drop out of the picture. Others argue against tying ethical performance to remuneration. While senior leaders can and should make the case for building ethical culture in ways that help managers see its business value, what's really at stake here is the authenticity of a company's ethical culture.
Good companies make it clear from the first hiring discussion onward that upholding high ethical standards is expected of every employee and that all managers have a special duty to set the right tone and lead by example, because that is the character of the company. Moreover, a reliance on KPIs and bonuses to incentivize integrity performance can undermine the intrinsic motivation to do the right thing. Absent financial incentives, how is ethical performance to be recognized and rewarded? Both managers and non-supervisory personnel ought to be publicly recognized when they champion ethics within the organization and demonstrate an inspiring commitment to core values. Whenever employees act in an exemplary fashion to uphold ethical principles in the face of counter pressures, or make good on the mission despite major obstacles, you should celebrate their achievements. Rightly told, hero tales are a powerful tool; you cannot tell enough of them. Earning the respect and esteem of others is a powerful motivator, as is the desire to be part of and contribute meaningfully to something larger than oneself. You can leverage these non-material incentives when enlisting managers to become moral exemplars and ethics envoys.

Marsh, Bausch, and other companies have discovered that playing up the middle is, well, a good play. A TIM strategy builds ethical culture, which can be the key not only to mitigating risks but also enhancing reputation and performance.

Giving Voice To Values In The Workplace: A Practical Approach to Building Moral Competence
Mary C. Gentile, PhD, Director, Giving Voice To Values, Babson College
(Running head: A PRACTICAL APPROACH TO BUILDING MORAL COMPETENCE)

Few business leaders would argue with the proposition that their companies need employees at all levels who are responsible, ethical, and who adhere to the organization's values, policies, and mission statement. This is especially true in the current climate of frequent corporate scandals, financial crises, and ever-growing consumer and investor mistrust. And yet the time and resources invested in this outcome are often tightly constrained, and the impact of, and return on, even this minimal investment are often hotly debated.

Typically organizations try to operationalize their commitment to ethics and values by means of a variety of strategies: recruitment screening efforts; corporate communications directed at both internal and external stakeholders; the creation or outsourcing of anonymous tip lines and ombudsperson resources; internal training programs; and the establishment of ethics and compliance officer positions and networks, sometimes reporting to the General Counsel's office and sometimes reporting directly to the CEO or a dedicated Board committee (reporting lines being another hotly debated question). Most of these strategies focus on trying to avoid bringing less than ethical individuals into the organization, or on identifying and dealing with them, and the potential fall-out from their actions, once they are there. Training and communication initiatives are the only company investments aimed specifically at helping employees at all levels to understand what is acceptable behavior and, ideally, at helping them to act on that knowledge when it is challenged.

Running Head: A PRACTICAL APPROACH TO BUILDING MORAL COMPETENCE

However, it is not unusual for major corporations to require only an hour or so of ethics and compliance training per year per employee, and often ethics training is satisfied through online courses provided by outside vendors, with limited customization. This reality highlights the major challenges, for both individual managers and for organizations, around efforts to prepare oneself and other managers for values-driven leadership and ethical behavior in the workplace: Time Dedicated training time around these issues is extremely limited, and even when it does exist, employees may not recognize the return on their investment. Too often they feel this is a kind of empty exercise that, at best, does not necessarily help them to meet the demands put upon them, and, at worst, is a distraction. Consistency It is one thing to communicate about the importance of adhering to codes of conduct and regulatory/legal requirements in an ethics course, but when the pressures on a daily basis are toward short-term profit and maximizing quarterly returns, these messages can seem inconsistent or even hypocritical. Source Training and communication programs are often delivered online or by trainers who do not have regular contact with employees and who dont necessarily understand the personalities, needs, and pressures of the employees. Messages from direct peers and managers will therefore tend to trump, whether they are in line with the ethics training content or not. Relevance Communicating the rules and policies is important and helping employees decide whether a particular action is over the line or not is unquestionably important. However, it does not necessarily help employees to

Running Head: A PRACTICAL APPROACH TO BUILDING MORAL COMPETENCE

know what to say and how to say it, in order to ensure that the right thing is done without damaging key working relationships and while still achieving their work objectives.

Impact

It is difficult to assess the impact of ethics training initiatives. Does a deeper knowledge of the rules and policies lead directly to better compliance? Can people's behavior really be changed through ethics training, and is that the goal? And if incidences of reported misconduct go up, does that mean that the programs have failed, or does it mean that more employees are taking the rules more seriously and reporting problems?

These are some of the primary and ubiquitous challenges of organizational ethics training. They are ubiquitous because they are based in some all-too-familiar assumptions about the purpose and approach to ethics and compliance training that restrain and constrain organizational responses: assumptions about What is being taught, Who is being taught, and How to teach them. However, by flipping or reversing these typical assumptions, managers can get out of this box. A new and innovative approach to values-driven leadership development, Giving Voice To Values, has done just that; it tests many of the key assumptions around ethics education and in so doing can re-energize and revamp organizational and individual managers' approach to this challenge.

Running Head: A PRACTICAL APPROACH TO BUILDING MORAL COMPETENCE

GIVING VOICE TO VALUES

The Giving Voice To Values[i] (Gentile, 2010a) curriculum and pedagogy is housed and supported by Babson College, and was developed with the Aspen Institute Business and Society Program as incubator and as founding partner, along with the Yale School of Management. Drawing on both the actual experience of business practitioners as well as cutting-edge social science and management research, Giving Voice To Values (GVV) fills a longstanding and critical gap in business training and education. It helps employees and students identify the many ways that individuals can and already do voice their values in the workplace, and it provides the opportunity to script and practice this voice in front of their peers. GVV has been piloted in over 300 educational and executive settings and/or courses on seven continents. In the following pages, the GVV approach will be explained, and learnings from companies who have begun to pilot it or to consider doing so will be shared.

THE FIRST FLIP

So just how does GVV reverse or flip some of the central assumptions behind ethical training and education? First, consider the traditional focus on What to teach employees. Often when the subject of ethics comes up, someone will say: "You know, the clear-cut, right/wrong issues are easy. It's the grey issues, the complex issues, the ones that appear to be wrong vs. wrong or right vs. right, where ethics training really needs to provide some guidance." And it's true, many ethical challenges are quite complex. But the response to this comment is often to focus ethics training only or primarily on these thorny ethical dilemmas, or even worse, to present more clear-cut scenarios in such a way as to invite respondents to find complexity and ambiguity there, even when it should not exist.

For example, a training case may present an employee who is asked for a bribe in order to secure needed operating licenses and doesn't know what to do. The discussion of the scenario will often focus on questions like: "Well, is this really a bribe, or could it be considered some sort of facilitating fee?" or "Does the employee have the information needed to determine what is going on?" or "Isn't this just the way business is done in this industry or this geographic
location, and perhaps there is no realistic alternative?" or "Does management want the employee to just look the other way?" or "If the employee says no, won't the company's competitors just step in and pay the bribe?" The discussion becomes one of rehearsing all the reasons why the situation is unclear and why it is so very difficult and personally risky or even futile to try to address it. These are the so-called preemptive rationalizations that prevent employees from even getting to the discussion of how they might avoid the bribe. Nevertheless, somehow the employee is supposed to leave this training discussion emboldened to just step up and speak truth to power, regardless of the concern that it might be a so-called career-limiting move.

A situation like the one above is somehow presented as one of those thorny ethical dilemmas, when it is actually not so grey. It is fairly clear that the situation is, in fact, about bribery. The dilemma is not one of ethics but rather one of implementation. For this reason, the Giving Voice To Values approach would present the scenarios differently. Using GVV, the cases shared are typically the so-called black-and-white or clear-cut choices, and the protagonists in the scenarios have already decided what they believe is the right thing to do. The discussion is no longer about whether the situation is over the line or not; instead, the discussion starts from that position and is framed as an action-planning and scripting exercise. Rather than literally rehearsing how to rationalize the less-than-ethical position, GVV starts from the premise that it will be appropriately addressed and focuses the training on that outcome.

This is not to say that true ethical dilemmas do not exist. Sometimes one really does have to struggle to figure out what the most appropriate and responsible course of action may be. But in such cases, it is clear that reasonable and intelligent people of good will can legitimately disagree. It is, on the other hand, in addressing the more clear-cut issues where employee training can make a significant impact. After all, most of the high-profile scandals that hit the front pages of the business press and that lead to an erosion in public trust are, in fact, those more black-and-white violations: cases of outright fraud and illegality. So the first GVV flip is one of focus: the idea is to focus training on the clear violations more than on the ambiguous ones. After all, if employees become more skillful and confident in identifying, talking about, and effectively addressing these clear issues, they are bound to be better prepared to address the grey issues as well.

THE SECOND FLIP

The second assumption of traditional business ethics training that GVV reverses concerns the identification of Who the audience is. Typically, the target for ethics and compliance training is the employee whom the company fears may pose a threat to the company's ethics and violate the relevant laws or policies. The goal is to influence such employees through information about the rules and the potential consequences of transgression, through peer pressure, and through organizational influence.

The GVV approach, on the other hand, assumes a different audience and begins from the premise that employees can be mapped on a bell curve. Assume that those individuals who would self-identify as Opportunists (defined as those who will always pursue their personal material self-interest, regardless of values) map onto one tail end of the bell curve. Similarly, assume that those individuals who self-identify as Idealists (defined as those who will always try to act on their values, regardless of the impact on their material self-interest) map onto the other tail of the bell curve[ii] (Dees & Crampton, 1991). Then assume that the majority of the body of employees would fall under the bell and characterize those individuals as Pragmatists,
identified as those who would like to act on their values, as long as that did not put them at a systemic disadvantage. That is not to say that they would only act on their values if they were absolutely certain they would succeed, or that they would not pay a price. It simply means that they think they have a chance to be successful, that the deck is not entirely stacked against them. This interpretation is consistent with the research that suggests that one of the most significant deterrents to ethical action within organizations is the concern that it will be futile (Detert, Burris, & Harrison, 2010).

Accepting this premised bell curve as a working hypothesis, GVV focuses not so much on the so-called Opportunists. Those are the individuals for whom the recruitment screening initiatives exist in order to try to avoid hiring them in the first place, and for whom the monitoring, reporting, and punishment systems are designed in order to deal with them if and when they do make their way into the organization. An hour of training per year, online or not, is not likely to change those individuals and, in fact, can sometimes simply feed their cynicism. And the GVV approach is less focused upon the Idealists, except that its initiatives will help those individuals to become more effective at values-driven action. Rather, GVV defines its primary audience as the Pragmatists, with the objective of providing them with the tools, the skills, and, importantly, the practice and rehearsal to be who they already want to be, at their best.

Framing the target audience in this way allows organizations to focus their training dollars and time on the audience and on the topics that are most likely to make a difference. And it presents ethics and compliance training less as the assertion of a set of prohibited actions, and more as an opportunity to build employee capacity for innovative and effective ethical action. It
is about "can-do" more than it is about "thou-shalt-not." And as organizations that have begun to pilot this approach have seen, it is about building employee capacity for action and leadership around any sort of challenging situation, not exclusively ethical ones.

THE THIRD FLIP

The third assumption of traditional business ethics training that GVV reverses is about How organizations teach ethics. Typically training responds to this How question with a focus on preparing employees for ethical decision-making: that is, communicating the rules, regulations and policies and then, as described above, inviting them to consider various scenarios in order to decide whether a certain behavior is over the line or not. The assumption is that employees need to learn to answer the question "What is the right thing to do?" Training is about communicating the information, practicing how employees think through these challenges, and emphasizing the importance of compliance (and the consequences of non-compliance) so that they can make the best choice.

The problem with this approach is that it assumes that information about the right thing to do and practice with making ethical decisions is all that the well-intended employee needs, but experience and research both tell us that this is not so. Otherwise ethical and responsible employees may fear the threat of retaliation, or they may be concerned that their efforts to do the right thing will not only be risky for their own careers, but also ineffectual in the face of colleagues who would be willing to pick up where they say no. The challenge is not entirely about analysis and decision-making. It is about figuring out how to get the right thing done, even when peers, customers, suppliers, or managers are pressuring one to do otherwise. And importantly, it is about rehearsing the scripts and action
plans that are most likely to be effective, creating a sort of ethical action default and engaging with colleagues in directed peer coaching activities where the goal of the training activity is less about determining what is right but rather about working together to find the most creative and likely effective approaches to the seemingly risky challenge of acting responsibly and insuring ethical outcomes for the organization. In practicing this approach, GVV provides positive examples of times when employees have found effective ways to enact values-based choices and it offers tools for reframing choices and building effective and persuasive arguments, based upon decision-making patterns and biases garnered from behavioral science research (Gentile, 2010a, pp. 170-210).

THE GVV THOUGHT EXPERIMENT

This shift from a focus on information to a focus upon action is rooted in the GVV Thought Experiment. That is, consider the typical ethics case scenario. A challenge is described, and the case ends with the question: "What would you do?" This question invites participants to take one of two approaches: either assume the role of the good employee/student and offer the answer the trainer is assumed to want to hear (that is, "I would do the right thing"), or play the devil's advocate (often framed as the realist) and talk about how it's not so clear or it's not so easy to comply with the rules. Either approach fuels a sort of cynicism in all but the most idealistic of the employees, and no one walks out of this session with ideas about how to address the situation ethically without metaphorically falling on one's sword.

On the other hand, instead of asking "What would you do?" the GVV Thought Experiment poses the question: Starting from the premise that the case protagonist knows what
he or she believes is right and wants to do it, how can they be most effective? What should they say, to whom, in what sequence, and in what context? What data should they gather first? What arguments and objections (the "Reasons and Rationalizations"; Gentile, 2010a, pp. 170-210) are they likely to encounter, and then how will they respond to those? And is this something they should do on their own, individual-to-individual, or is this the kind of situation that requires finding allies and collaboration? And so on. Then the training activity is about working together with one's colleagues to develop the literal scripts and action plans that are most likely to succeed, and to engage in a peer coaching experience where employees share their best solutions and work together to make them even better.

A template of questions is provided to approach each scenario:

What is the values-driven position the protagonist wants to support?

What is at risk for all parties involved, individual and organizational, internal and external to the organization, including the case protagonist?

What are the predictable Reasons and Rationalizations (the objections or push-back) the protagonist is likely to encounter when they pursue their objectives? For example, some of the most commonly heard are: "This is standard operating procedure"; "It's not material"; "It's not my responsibility"; and "It may be wrong but I don't want to hurt my friend, my colleague, or my boss." Each of these is predictable and vulnerable to counter-arguments that can be rehearsed (Gentile, 2010b).

What data, levers, arguments, responses will be most effective in response to these Reasons and Rationalizations?
Craft the script and action plan that will be most successful in this situation.

After working together in small groups to address these questions, trainees then present their best approach to the larger group, which engages in a peer coaching activity, providing constructive feedback and input on how to improve the plan. In this way, all participants have the opportunity to craft, practice, and hear as many different approaches to the challenging situation as possible. They have the chance to think creatively, without the specter of appearing unrealistic or naïve, about just how one might get the right thing done in such situations. The idea is not to focus on those instances when the infraction has already occurred and when reporting (or even whistle-blowing) is required by law or policy. The idea here is to focus on all the many moments and choices that occur prior to the choice to violate ethics or laws, in an effort to find ways to prevent ending up at that juncture. Finally and ideally, the scenario has a follow-up case (a "B" case, if you will) that details what the actual protagonist did in order to effectively resolve the situation, with the understanding that there may be many effective approaches depending on the specifics of the challenge.

And with this thought experiment, both the Idealists and the Opportunists, as well as (and most importantly) the Pragmatists, have the occasion to work together to craft a practical and workable approach. They are not required to take an ethical stand, responding to the traditional question of "What would you do?", before they even believe there are actual and workable options for action. Instead they are invited to develop those options, and they are provided with tools and examples of how to do so, so that now the decision to comply with their own and the organization's values is experienced as a viable strategy.
HOW GVV ADDRESSES THE CHALLENGES OF ORGANIZATIONAL ETHICS TRAINING

So given the reframing of the traditional ethics training described above, how does the GVV approach respond to the primary challenges organizations face in this arena?

Time

GVV helps to address this challenge in several ways. First of all, if one starts from the assumption that the allocation of training time dedicated to ethics and compliance will not change (an assumption that could be fruitfully challenged, however), it becomes even more critical that the limited time spent be focused on objectives that can be influenced in such a time frame and that cannot be achieved as well or better via more economical means (e.g., rules and policies can be shared via written and online communication channels, as opposed to formal presentation in training sessions). With regard to the first criterion above, it is highly unlikely that an individual who does not care about ethical compliance will be changed by an hour's worth of training on an annual basis. However, the sharing of positive examples and empowering stories, and, in particular, skill-building by means of the opportunity to focus upon the application of pre-existing skills and capacities to ethical questions can be a productive endeavor for those Pragmatists and Idealists (described above) if approached properly. For example, the impact of this type of training will be amplified if a standard approach (a template of questions and tools, as mentioned previously) is utilized that can become familiar and is easily referenced in other training programs and
managerial conversations, whether or not the topic is ethics-related. For example, Lockheed Martin has been using the GVV approach, adapted for their own organizational challenges, since 2011 and they are now exploring ways to bring the standard action-planning template into their leadership training programs, as well as their ethics and compliance training (www.givingvoicetovalues.org).

Similarly, the GVV approach does not rely upon teaching an entirely new approach to decision-making (as, for example, a more philosophical approach might do with its emphasis upon duties, rights, and consequences-based models of analysis). Instead it is about using the same skills that make employees successful in any other area of their activities: e.g., data-based decision-making; an understanding of effective modes of persuasion and influence; sensitivity to the individual needs and preferences of one's target audience; effective use of both quantitative and qualitative arguments; etc. In this way, employees are being asked simply to frame values-based decisions as normal business decisions, rather than as some sort of "different animal" that requires an entirely new set of priorities and capabilities, thereby amplifying the impact of the time spent on this training (Gentile, 2010a, pp. 72-85).

Consistency

GVV can counter the perception of inconsistency or even hypocrisy regarding an organization's sincerity concerning its commitment to ethical behavior, because it goes beyond communicating the rules and policies. It offers the chance to examine positive examples of individuals who did, in fact, find ways to address ethical challenges effectively; however, these are regarded not as presentations of heroic action, but rather as displays of strategic solutions to normal business
challenges. There is nothing wrong with heroism and moral courage, but when doing the right thing is framed as something that requires such Herculean levels of bravery, it begins to feel out of reach for many employees. Instead, one of the pillars of GVV is that this type of values conflict is a normal part of business dealings (a normal part of life, actually), so why not approach it as such? Bring the emotional levels down a few notches. Recognize that the challenges in one's particular industry or one's particular functional area, whether it is accounting or marketing or operations, are fairly predictable and that one can prepare for them. Rather than aiming for a grandiose dose of moral courage, focus upon moral competence, a matter of skill and rehearsal that is more within one's reach.

When framed this way, as normal, it is easier to talk about the normal tensions around cost-saving, time pressures, pursuit of sales, and so on that can appear to be in conflict (at least short-term conflict) with ethics. Perceiving this conflict does not mean that one is unconcerned about ethics. It simply means that we need to think more creatively, more broadly, and more effectively about how to be both ethical and profitable. Often business leaders and business educators think that the way to address the perceived inconsistency between messages around profitability and messages around ethics is to argue the so-called business case for responsible management: that is, to prove that managing responsibly and ethically is also financially rewarding. GVV, on the other hand, starts from the observation that although one can point to organizations that have been financially successful while behaving ethically, one can
also point to organizations that have been financially successful (at least in the short term) while behaving unethically. The way to address this perceived inconsistency is to focus, then, not on making the case for why one should behave ethically by arguing that it will be lucrative, but rather to focus on figuring out how one can be both ethical and profitable. Name the tension openly and honestly, and rather than arguing that ethics inherently leads to profit (obviously it does not, as there can be ethical firms that are ineffectively managed and do not thrive anyway), it is more credible to provide the opportunity to work collaboratively to figure out how to effectively achieve both outcomes.

Source

As noted previously, messages from peers and from managers/superiors will tend to trump the messages delivered by training professionals, especially if they are external contractors, or if the messages are delivered via standardized online training programs. Some companies address this issue by using a "cascade" model of delivery for ethics training, with senior managers training their own direct reports, starting at the top with the CEO and cascading on down the line. Lockheed Martin, for example, uses such an approach to deliver the award-winning GVV scenarios-based training mentioned above. However, such an approach can still be challenged if the senior managers who deliver the program are less than skillful; if they offer conflicting messages when they are not in "ethics training mode"; and if the messages from those peer colleagues with whom employees have more regular contact are not in alignment.
GVV helps to address these concerns in several ways. In addition to the potential benefits of a cascade model of delivery if implemented well, GVV relies upon a peer coaching model. Through the pre-scripting exercises described above, employees have the opportunity to practice communicating with peers as they problem-solve for values-driven action, thereby making it less novel or potentially uncomfortable to talk about these issues from an implementation planning perspective when they work together outside the ethics training context. They have the chance to actually practice, or rehearse, this kind of process; they can come up with the actual words and ways of expressing these concerns in a safe space, the "laboratory" of the GVV Thought Experiment.

Additionally, organizations can train their own internal ethics officers (if they have such a role), whether those are line or corporate positions, to use the GVV approach in order to become a network of GVV Peer Coaches, distributed across the company. In this way, other employees can approach these coaches not only to ask whether a particular action is over the line or not, but also to help them to find effective ways to address and hopefully prevent infractions before they happen.

Relevance

Employees often feel that ethics training is not that useful or effective because it is more about communicating and stressing the importance of the rules than about how to actually enact them. Obviously, the whole idea behind the GVV approach is to respond to this charge. In fact, one of the most common questions (or sometimes objections) to the GVV approach is the observation that it is more about how to be effective in communicating and persuading someone to do the right thing, than it is about identifying the right thing. Guilty as charged! And it is precisely this shift in emphasis from analysis (i.e., determining what is right) to action (i.e., crafting
effective ways to get the right thing done) that is the most effective response to the charge that ethics training is not relevant. In fact, GVV is based on the premise that although doing the right thing may be its own reward, it is more desirable to find a way not just to stand up for what is right, but to do so effectively, influencing others along the way and finding strategies that can maximize positive impact. As noted above, it is an approach intended to appeal to Pragmatists.

Impact

Perhaps one of the most difficult challenges for any sort of ethics training is to assess impact, or, put another way, return on investment. There are many reasons for this. For one thing, there are many different inputs that influence an individual's ethical behavior and any attempt to measure the impacts of a single input will be confounded by the problem of distinguishing correlation from causality. That is, there is a lot of noise in the system and it is difficult to design a measure that will be able to separate out the impacts of the training activity from other factors. On the other hand, with the exception of pure testing of factual knowledge or skill level, this problem is true for most training that focuses upon or includes behavioral factors. In fact, this challenge may be one reason why so much ethics education focuses upon communicating the rules and testing one's memory of them. For example, how does one truly measure the impact of leadership development programs? Or, put another way, does successful completion of a marketing training program insure that all subsequent new product launches will succeed? In other words, it is useful to make sure that ethics training is not held to a higher standard than other educational initiatives.
These caveats understood, however, it is still important to make an attempt to assess whether what is being done in the arena of ethics training is worthwhile. GVV addresses this question at three levels. First, the approach itself is based upon existing empirical research from behavioral science as well as cognitive neuroscience, which demonstrates that how one frames an argument can make it feel more actionable and which suggests that rehearsal for action is an effective way to impact behavior (Gentile, 2010a, pp. xxiii-xiv and 170-210). Second, increasingly as the approach has been used, there have been anecdotal reports of individuals who have encountered challenges, remembered the approaches, and applied them effectively. Third, some educators have begun to do pre- and post-course surveys to assess impacts.

It is this third approach that provides some important input for managers who want to crack the impact measurement code. Instead of simply measuring input (e.g., How many employees completed the course? How many hours were dedicated to training? etc.) or measuring satisfaction (e.g., asking employees to rate the clarity, relevance, or effectiveness of the instructor and/or the course content), GVV raises the potential to ask questions such as:

How many ways could you respond to the arguments that "This is just standard operating procedure" or "It's not material" when a colleague asks you to cook the books in order to increase the quarterly sales bonus? And what are they?

What kinds of factors would be helpful to consider when you try to change your colleague's mind about exaggerating a new product's specifications?
How might you be most effective in pushing back on your manager if he or she is pressuring you to understate the time and cost of a project in the written bid to a prospective customer?

How confident do you feel that you would be able to craft an influential and effective action plan to avoid unethical behavior?

These types of questions (ones that assess the number and types of strategies, tactics, and arguments employees have available to them for addressing ethical challenges, as well as their felt levels of comfort with them) can be asked both pre- and post-training, to assess whether their skills and options have increased. This type of criteria is measurable and the completion of the assessment is a form of educational intervention in itself, thereby increasing the impact of the program.

RECOMMENDATIONS FOR GETTING STARTED

For those managers and organizations who want to get started using the GVV approach, there are several things to remember:

GVV places the focus on how a manager raises values-based issues in an effective manner, what he/she needs to do to be heard and how to correct an existing course of action when necessary (rather than on arguments for whether or not it is necessary to do so in a particular situation);

GVV emphasizes the inclusion of positive examples of times when people have found ways to voice and implement their values effectively in the workplace;
GVV offers opportunities to construct and practice effective and persuasive responses to frequently heard Reasons and Rationalizations for not acting on one's values;

GVV focuses on the development of skills in providing peer feedback and coaching.

Some initial action steps for those who may want to explore the use of this approach in their organizations include:

Background Preparation: Review the curriculum website at www.GivingVoiceToValues.org for ideas about how to use and adapt the approach. Although the free materials at this site (cases, exercises, assessments, readings) were developed for use in MBA and undergraduate business education settings, companies have used and/or adapted many of them. Review the book website at www.GivingVoiceToValuesTheBook.com for introductory videos (such as the free 8-minute McKinsey Quarterly interview), interviews, related articles, book excerpts, etc.

Training Exercise and Mechanism for Generating GVV Scenarios: Consider using a modified version of the foundational GVV exercise "A Tale of Two Stories" (downloadable at www.GivingVoiceToValues.org) as a mechanism to gather examples that can be developed into customized, organizationally-specific GVV-style case scenarios. This is an especially effective way to gather the positive examples. The exercise involves inviting individuals to recall an instance when they felt directly or indirectly pressured to violate their values in the workplace and they found a way to effectively enact their values. They then answer a set of questions about that story: what motivated them; what made it harder (disablers); what made it easier (enablers);
and how they felt about their decision. Then they are asked to recall another story when they faced a values conflict in the workplace and they failed to enact their values, and to answer the same set of questions. Although in an educational context this is used as a group exercise with small and large group debriefs, it will need to be modified for confidentiality and safety issues when used within an organization. For example, it may simply be used as an anonymous written exercise with a random set of employees to generate case examples, or it may be used as a personal reflection exercise followed by a group debrief that uses a standard and disguised set of stories (not those of the individuals in the group).

Pilot Test: Consider using some GVV-style scenarios and some of the Curriculum Readings (available at the websites) to develop a GVV Peer Network: a group of employees who have experienced and mastered the approach and its tools and who can facilitate face-to-face GVV training; who can serve as embedded GVV Peer Coaches; and/or who can help to integrate the GVV methodology into other non-ethics training initiatives (e.g., Leadership, Team Building, etc.).

CONCLUSION

Most people want to bring their whole selves to work. Yet, experience and research demonstrate that values conflicts will occur during the course of a person's career: those times when what we believe and want to accomplish seems in opposition to the demands of clients, peers, bosses, and/or organizations. Focused on emerging leaders in the corporate sector, the GVV curriculum helps people build and practice the understanding and skills they need to recognize, speak, and act on their values when these conflicts arise.
The Giving Voice To Values approach to values-driven leadership development is "post-decision-making," as Carolyn Woo, the former dean of Mendoza School of Business at Notre Dame University, observed. That is, rather than emphasizing the analytic process (figuring out what is right), it focuses upon the many instances where employees are already quite aware of what's ethical but may not believe it is feasible to get it done. This set of challenges does not cover the entire realm of ethics, admittedly, but it does address a very large number of them and, importantly, the ones that are most likely to be well served by training initiatives. That is, the issues not directly addressed by GVV (the ones where reasonable people of good will might legitimately disagree about what is right and ethical) are likely to be endlessly discussed in an ethics case discussion but without any conclusive outcome or take-aways for the employees. These can feel like mere academic exercises. On the other hand, GVV addresses the issues where most employees (though not all) would agree that there is indeed a violation of law, ethics, and/or policy, but they still don't know how to do the right thing when colleagues, customers, even bosses are pressuring them to the contrary. This is an area where just understanding what the rules are will not help. Rather, in these instances, providing literal scripts and action plans, preferably ones that have actually been used in the organization itself, can be a more effective educational offering.

Although originally developed for use in management education settings, increasingly individual managers as well as companies have been attracted to the pragmatic and intuitive approach GVV offers for ethics training. GVV is distinguished by its emphasis on action and its plain-spoken acknowledgement that often the challenge is not a matter of employees' lack of knowledge concerning the relevant laws or ethical obligations, or of employees who want to be
Running Head: A PRACTICAL APPROACH TO BUILDING MORAL COMPETENCE

23

unethical, but rather a matter of inconsistent organizational messages and employees lack of skill and confidence in dealing with them. GVV is all about addressing this concern and helping individuals as well as organizations learn and practice how to voice their values when they know whats right.

Notes

i. For a full explanation of the GVV approach and the research upon which it is based, see Gentile, Mary C., Giving Voice to Values: How to Speak Your Mind When You Know What's Right (Yale University Press, 2010). See www.GivingVoicetoValues.org for the program curriculum and www.MaryGentile.com for related articles, videos, interviews, etc.

ii. This idea is adapted from Gregory Dees and Peter Crampton, "Shrewd Bargaining on the Moral Frontier: Toward a Theory of Morality in Practice," Business Ethics Quarterly, Vol. 1, No. 2 (April 1991): 135-167.

References

Dees, G., & Crampton, P. (1991). Shrewd bargaining on the moral frontier: Toward a theory of morality in practice. Business Ethics Quarterly, 1(2), 135-167.
Detert, J., Burris, E., & Harrison, D. (2010). Debunking four myths about employee silence. Harvard Business Review, 88(6), 26.
Gentile, M. (2010a). Giving Voice to Values: How to speak your mind when you know what's right. New Haven, CT: Yale University Press.
Gentile, M. (2010b). Keeping your colleagues honest. Harvard Business Review, March 2010, 114-117.

Compliance & Ethics Professional, November/December 2012
A publication of the Society of Corporate Compliance and Ethics, www.corporatecompliance.org

In this issue:
- Meet Michael Volkov, shareholder in LeClair Ryan's Compliance, Investigations and White Collar Criminal Defense Practice Area; former federal prosecutor (page 14)
- Improving your policy management program, by Andrea Falcione and Meghan Daniels (page 30)
- Website cookie laws bring compliance issues across Europe, by Jonathon Armstrong (page 37)
- Creative, artful approaches to building trust and shaping ethical culture, by Ted Nunez (page 43)
- Money laundering 101, by Maria Coppinger-Peters (page 50)

This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 933 4977 or 888 277 4977 with reprint requests.

Feature

by Ted Nunez, PhD

Creative, artful approaches to building trust and shaping ethical culture


Building ethical culture is a strategic priority and a difficult challenge, but ethics education programs seldom leverage a valuable resource: the arts. We make sense of both our personal and organizational lives primarily through stories, metaphors, and images. Good comedy not only elicits laughter, but also renders us more receptive to messages we typically ignore or dismiss. Deft uses of art in ethics education can serve as an antidote to training fatigue, low morale, groupthink, lack of trust, and other ills that beset a workforce. A particularly effective way to shape ethical culture is by extending trust to employees and enlisting them as active partners in creating ethics learning experiences.

"Art is not a phase of life apart from the work-a-day world, to which one may turn in moments of leisure or perhaps in the name of so-called culture, or in a spirit of worship. In the Foundation's courses, art is taken out of its usually detached, esoteric world and is linked up with life itself, because all the qualities which give painting its value are those which are found in various phases of everyday life; and art has value only because it expresses those qualities."
Albert C. Barnes [1]

Most ethics and compliance (E&C) leaders now cite building ethical culture as a major goal of their strategy for program development, and with good reason. Based on data from several National Business Ethics Surveys, the Ethics Resource Center concludes that ethics risk is most effectively reduced by an enterprise-wide cultural approach to ethics that extends beyond a compliance mentality.[2] Increasingly, culture is at the top of the dance card for chief ethics and compliance officers (CECOs). Mitigating integrity risk is not the only benefit of a strategic turn to culture. LRN's HOW Report (a cross-industry survey of over 36,000 employees in 18 countries) found that culture impacts performance significantly, and that it can be measured.[3] According to the global study, organizations with high-trust, mission-oriented, values-based, self-governing cultures outperform those with cultures characterized primarily by either blind obedience (i.e., a strict command-and-control style) or informed acquiescence (i.e., a rules-based, carrot-and-stick approach). Self-governing companies, though rare, had markedly higher levels of innovation, customer satisfaction, employee loyalty, corporate reputation, and financial performance while experiencing less misconduct.

Some dances are easier to learn than others. It takes a few years with West Coast swing, a lifetime with Argentine tango (my own passion). And like the mastery of tango, the work of culture change can be a long and difficult process. Organizational development experts tell us that significant change within organizations typically takes five or more years. That said, from the HOW Report as well as the track record of Appreciative Inquiry [4] and other methods of organizational change that emphasize cultural factors such as mission, vision, and values, we know that success is in fact possible, if not common. When undertaking a culture-change initiative, companies and their E&C teams too seldom tap the power of the arts to shape hearts and minds. Those that do, however, are able to engage and inspire employees more deeply. In the process, they find to their delight that art can serve as an antidote to training fatigue, low morale, groupthink, lack of trust, and other ills that beset a workforce. After briefly presenting a case for more art in business, and specifically in E&C practice, I want to take a closer look at a few recent examples of creative, artful approaches to building trust and shaping ethical culture. Perhaps our own muse may visit us in the process.

Moving pieces
Art deserves more play in the workplace for several reasons, perhaps the most important being that we make sense of both our personal and organizational lives through the stories, metaphors, and images we create and share with one another. Encounters with moving works of art are as vital to human flourishing as the four elements. In meeting the day's challenges, art can serve as a tool for change and transformation, a kind of testing ground for visualizing alternative situations, forming new attitudes, and adopting different behaviors. Yet the potential of art to move the needle on culture (in the direction, say, of a more principled, purpose-driven, and creative way of doing business) remains untapped to a large extent.


Granted, art isn't entirely absent from the E&C arsenal. When E&C teams share accounts of compliance incidents and their outcomes with the rest of the company, they leverage a venerable genre: the cautionary tale. They also deploy story-based learning modules and vignettes as well as short fiction to heighten risk awareness, illustrate how ethics policies apply on the job, and challenge learners to wrestle with ethical dilemmas. Too often, though, there's little creative license exercised (or allowed). A banal realism prevails, with the result that many employees end up sleepwalking through the exercise. We can and should wake them up with more creative, artful approaches. As with vivid dreams, art can provoke shifts in perception and feeling that yield new insight. What was familiar and dull is seen anew and re-valued, as when we come away from a great film or play with a renewed appreciation for the people in our lives or simply life itself. A good example is our response to a common mechanism at work in comedy, the unexpected, jarring juxtaposition, which not only elicits laughter, but also renders us more receptive to messages we typically ignore or dismiss. A cat on stilts, a man in a dress (passé), zombies roaming the office: these types of arresting images can disrupt our ordinary vision by giving reality a twist, and thereby open us to truths we would otherwise ignore. Comedy often relies on such twists, and when it works, the result can be a genuinely fresh (and refreshing) take on how things are or appear to be.

Scene from The Working Dead


At LRN we recently produced an awareness vignette addressing the topic of trust and speaking up. To convey the serious message that a culture of silence can be deadly in a humorous fashion, creative director Jakob White and his team (of which I was a member) developed a story in which cynical, apathetic office workers (having morphed into gruesome zombies) lurch from cubicle to cubicle, infecting others as two of the staff (for now, safe behind glass in a side room) look on in horror and bemoan the zombification of the workforce. As the scene closes, a narrator asks a haunting question: How lively, or how deadly, is your company culture? Titled The Working Dead, the vignette works through the unexpected, jarring juxtaposition of the monstrous and the mundane and by drawing upon a powerful metaphor. The captivating quality of the piece makes it memorable, and so, too, the message it delivers and the question it poses. Past the humor, viewers are more likely to reflect on their responsibility for building a culture of trust, transparency, and open, honest dialogue.

The art of ethics education

Commenting on the aims of his foundation's art education program, Albert Barnes said: "We teach our students how to learn to see; that is, to perceive the meanings in events of everyday life, as well as in paintings, sculpture, music, furniture, objects in wrought iron, trees and flowers."[1] Is art appreciation a good analogy and training ground for ethical decision making? At Progressive Insurance, E&C leaders Mike Uth and Cindy Yanasak think so. They worked with their Corporate Art group to design an enterprise-wide art exhibit and ethics education program called Making the Right Choice, which had three aims:
- Increasing awareness of how principled deliberation is foundational to business success;
- Celebrating the company's core values; and
- Helping employees become more thoughtful and adept at applying these values to workplace situations.

In their introduction to the exhibit, the organizers explained the program's rationale:

"Art appreciation requires critical thinking, critical investigation, deep interpretation, careful consideration and emotional sensitivity. In this way, the disposition we must have toward art at Progressive mirrors the disposition we must have toward our Core Values. After all, artworks, just like values, are only guide posts; it is the privilege of interpreting them and acting on them that affords us the opportunity for greater depth, success and satisfaction in both our personal and professional lives."[5]

Company employees were invited to play the role of art sleuth assigned to investigate the exhibit, which included works by a number of prominent artists. They were provided with questions for consideration for each piece, and afterwards participated in a facilitated discussion. As an example, for Warhol's various chromatic takes on Mao Tse Tung, the questions focused on the power of symbols and their impact on our moral lives.

Mao by Andy Warhol


For Warhol's Mao, the organizers asked: What is the role of powerful symbols in guiding our actions and shaping our beliefs? What symbols exert power in your life? What exactly do these symbols represent and how do they affect our ethical choices? Are ethical judgments primarily intellectual or emotional? How does fear affect our ethical choices? How can we deal with fear? Can we successfully apply a value system solely with intellectual commitment and will power, or must we develop a sustaining emotional grounding for ethical behavior?

Too often, ethics education is a dull affair, and many employees see little connection between annual compliance training and core business concerns. However, when a company's leadership commits to shaping an ethical culture and extends trust to employees, E&C teams have an opportunity to create powerful peer learning experiences. Progressive's program is remarkable not only for its deft use of the arts, but also for its reliance on reflection and dialogue to foster a culture in which serious thought (not just lip service) is given to how and why good ethics is good business.

At Solvay North America, the E&C group wanted to strengthen the company's ethical culture by promoting a deeper, more personal embrace of the corporate code and core values. In 2008, the E&C team successfully piloted an Ethics Film Festival (EFF) that engaged large numbers of employees in the U.S., Canada, and Mexico, and won the Belgium-based company's Innovation Trophy in the category of Management Improvement. According to program leader Carolyn Egbert, the goal of the EFF was "to have employees teach their colleagues what the Code really meant at Solvay. We provided a vision and some ground rules, and then let our people take it from there."[6] The EFF sponsors invited Solvay employees to submit 3-5 minute videos addressing relevant E&C issues in a thoughtful manner. Hoping for a dozen or so entries, the jury panel received nearly 40. From these, jurors chose ten "best in class" videos. Categories included best use of humor, best submitted by business unit, and best over-all. Among the topics addressed were bribery, gifts and entertainment, misuse of company resources, and sexual harassment. An Oscar-style celebration for the winning entries was held at a Houston hotel, and many Solvay employees across the globe joined in the fun via webcast. After the celebration event, winning EFF videos were posted on the company Intranet for several months and also became part of the learning library. Solvay's EFF pilot shows just how powerful the act of extending trust to employees can be. In a post-EFF culture survey, a high percentage of employees affirmed they had a voice at the company. That is how ethical culture is shaped most effectively: through stories told by the many who feel they have a real say. To unlock this potential, though, E&C leaders have to take a risk and trust that the rank-and-file hold creative potential and care about workplace ethics.


Its long past time


We know that building ethical culture is a strategic priority and a difficult challenge, but in our educational efforts we tend to turn a blind eye to a natural ally, the arts. The time is long past due, I believe, to end the seclusion of art from business and to bring more creativity into the workplace. Barnes, philosopher and school reformer John Dewey,[7] and other progressive visionaries are right: When we weave the arts into the fabric of our homes, our companies, our communities, life becomes a richer and more interesting affair.

1. From a radio address by Barnes in 1922, the year he established his foundation. For more information, see http://www.barnesfoundation.org/about/history/albert
2. Ethics Resource Center: Supplemental Research Brief, 2009 National Business Ethics Survey: The Importance of Ethical Culture: Increasing Trust and Driving Down Risks. Available at http://ethics.org/files/u5/CultureSup4.pdf
3. LRN whitepaper: The HOW Report: New Metrics for a New Reality: Rethinking the Source of Resiliency, Innovation, and Growth. Available at http://www.lrn.com/leadership-perspectives-whitepapers/how-report-new-metrics-new-reality-rethinking-source-resiliency
4. For more information, see http://appreciativeinquiry.case.edu/intro/whatisai.cfm
5. Progressive Insurance, Making the Right Choice Exhibit Statement, 2011, at their corporate HQ in Mayfield Village, OH as well as several regional offices.
6. Personal communication with Carolyn Egbert in a phone call on November 15, 2011.
7. For more on John Dewey, see http://www.intellectualtakeout.org/library/dewey/john-dewey-pragmatism-and-progressive-education

Ted Nunez, Ph.D. (ted.nunez@lrn.com) is Principal at Nunez CSR Advisory in Upper Merion, PA. He works with LRN to conduct culture and program assessments, write codes of conduct, develop tone-in-the-middle programs, and design ethics and leadership education solutions for many global companies.


Do We Have The Right Metrics?

Validity: the metric truly measures what it intends to measure. Example: the full cost of non-compliance, which measures legal costs (settlements and fines) and other costs including business disruption, reputational loss and retention loss.

Impact: the metric links Ethics & Compliance activities to desired results. Example: instead of measuring an absolute number, such as the count of compliance violations, account for the monetary loss averted by early detection of compliance violations.

Practicality: the metric's value warrants the cost of collecting the information. Example: instead of an expensive census-based survey of employee culture, measure employee perceptions through statistically relevant samples.

Relative Value: the metric is expressed in relation to relevant benchmarks. Example: metrics should enable cross-company comparisons in order to draw meaningful conclusions, such as the number of allegations reported per 1,000 employees, which lets you compare across business units or even among industry peers.

Decision Enabling: the metric translates data into (risk) information that executives can leverage. Example: this is often about the presentation of the metric, such as a heat map or diagram that shows the impact of trade-offs or risk events.

Predictive: the metric provides guidance on readiness to meet future risks. Example: measures that shed light on potential scenarios through various risk lenses and surface unforeseen risks, considering regulatory changes, current events and company strategy.

Comparable Over Time: the metric captures historical trends in performance. Example: measures that capture fluctuations over time to facilitate short- and long-term trend identification, such as helpline data, which only becomes meaningful when compared across time periods.

© 2011 LRN. LRN Proprietary and Confidential. Not for Redistribution.

What's Our Current State? Takeaways from LRN's 2011 E&C Leadership Survey

Frequency of E&C program assessment: annual assessment, 35%; every other year, 15%; as needed, 33%.

Reporting trends:
- Almost half of E&C leaders now report to the Board on a quarterly basis.
- Reports primarily focus on helpline trends, investigations, code violations and risk and regulatory developments.
- Only 29 percent report on year-over-year effectiveness of the program.

Uneven perceptions of effectiveness:
- Around 70 percent of E&C leaders believe that their program is effective in providing compliance oversight and advancing an ethical culture, but
- Only 45 percent think that their program effectively enables better business decision making.

Elephant in the Room #1: Measuring Activity Can Be Worse Than Not Measuring

"We measure what matters." (Tom Peters)

"Our measures threaten to miniaturize us." (Ethics & Compliance Community)

Elephant in the Room #2: Important things worth measuring are among the most difficult to measure
- Genuine commitment
- Deep belief
- Priority at crunch time
- Leadership commitment
- Business outcomes

What Is Worth Measuring? (1) What Our People Believe

Beliefs that matter: hearts and minds, or just increased awareness?

Beliefs that drive behavior:
- Do our people believe senior management and the board make compliance/ethics a priority?
- What do people believe happens when integrity runs into making the numbers or completing the deal?

What Is Worth Measuring? (2) What Our People Do

Employee behavior:
- Do we know how much misconduct our people actually see in the business?
- Do we know how much of that is reported?
- Do we know how much fear there is of retaliation or non-action?
- Do we know whether our people live our core values in their day-to-day behavior?

Behavior by people with leverage (senior leadership; management in the middle; front-line supervisors and individuals in positions of control):
- Do we know if managers effectively confront and report alleged misconduct?

What Is Worth Measuring? (3) What Our Colleagues Are Already Measuring

Integrating non-traditional data sources/insights into E&C metrics:
- Human Resources (performance evaluations; exit interviews; employee surveys)
- Corporate Responsibility/Sustainability (ethical sourcing data)
- Corporate Affairs (reputation/stakeholder/community feedback)
- Finance (Risk Committee/SEC 10)
- Marketing (customer satisfaction and feedback on behavior)

Measuring Tone From The Top: How Do We Know if the CEO Really Means It?
- Makes E&C a key business objective
- Integrates E&C objectives and insights into strategy and planning
- Holds direct reports accountable for E&C outcomes
- Communicates E&C successes and failures
- Holds star performers to high ethical standards
- Learns and applies E&C lessons

Measuring Quality & Extent of Board Oversight: How Do We Know if the Board Really Means It?
- Holds CEO accountable for ethical culture and compliance
- Devotes significant committee and full board time to ethics and compliance
- Gives E&C real priority in oversight of operations, compensation, and succession
- Asks as many "How" as "What" questions
- Takes an active interest in critical investigations
- Knows the Chief Ethics & Compliance Officer personally
- Distinguishes between the E&C Program and outcomes in the business

Measuring Tone From The Middle: How Do We Know if Mid-Level Managers Translate Corporate Policy into Practice?
- Incidence of E&C-related metrics in performance evaluation and promotion decisions
- Number of business decisions that weigh E&C implications
- Formal and informal E&C participation in business planning, strategy, operational reviews and ongoing staff meetings
- Indications of leadership on E&C issues not requiring E&C team "push"

Measuring E&C Integration In The Business: Is Ethics & Compliance Cranked into the 'Gears' of the Business?
- E&C is a management role, not a staff job
- Business units participate in key decisions about ethics and compliance
- E&C is part of planning, budgeting, evaluation, development
- Employees at the grassroots demonstrably: understand the right thing to do; know how and where to get help; feel comfortable coming forward; and do, in fact, come forward

Measuring CECO Clout: Is the System Overseen by an Executive Who Matters?
- Genuine leverage
- Formal authority granted by the Board and senior management
- Controls or influences significant resource allocation to execute necessary initiatives
- Unfettered and frequent access to the CEO and the Board
- Has the support and courage to challenge management at any level when necessary

How Do Things Really Work Around Here? Do We Know? What Do Our Metrics Tell Us?
- Irrespective of what leadership may say is important or what should happen
- Specifically related to doing the right thing, living values and keeping the company's promises
- Essentially asking about the nature of the company's operating system and culture
- Organizations have been searching for ways to measure culture
- We now know that culture can be measured

E&C Community's Culture Stake

E&C professionals have a major stake in measuring and influencing corporate culture:
- Federal Sentencing Guidelines say so
- Codes of Conduct are about how we want our people to behave, i.e., how the culture manifests in behavior
- CECOs are day-to-day guardians of company principles and values
- No way to prevent wrongdoing without a deliberate effort to analyze, understand and positively influence culture

The Ascendancy of Culture and Values
- You told us that embedding values in operations is your greatest 2011 priority
- Diminishing returns of compliance controls leading to employee fatigue and skepticism
- Perceived failure of rules-based system to prevent global financial crisis
- Stakeholders demanding values-based business behaviors
- Value chain risk: your reputation hinges on the values and behavior of entities in your value chain/eco-system
- Regulators focused on corporate culture

Source: LRN's 2010-2011 Ethics & Compliance Leadership Survey

"Ethics is fundamental to the securities laws, and I believe ethical culture objectives should be central to an effective regulatory compliance program."
Carlo V. di Florio, Director, Office of Compliance Inspections and Examinations, Securities and Exchange Commission

New Data: Business Value from Values

Our analysis* of more than 5,000 employee survey responses shows that adopting a values-driven, self-governing culture not only decreases the likelihood of misconduct but also has superior top-line business outcomes, including:
- Up to 5x more innovation
- Up to 3x more employee loyalty
- Up to 9x more customer satisfaction
- Significantly higher levels of financial performance

* In our methodology we compared the impact of company attributes associated with a values-based culture against attributes of rules-based, process-driven, command-and-control, and carrot-and-stick cultures.

The Human Operating System: A Systemic Approach to Adopting Culture as a Strategy

April 2013

CONFIDENTIAL. © 2013 LRN Corporation. All Rights Reserved.

Embarking on the Journey: learning from the past

What doesn't work:
- Treating culture as the soft step-child or a necessary evil
- Disaggregating business strategy from culture and organization
- Addressing culture disjointedly and in piecemeal ways
- Relying on a silver bullet and rushing through implementation
- Wholesale, top-down, imposed transformation
- Brushing culture aside to a leader or a champion
- Relegating culture to a branding and communication initiative
- Addressing proximate causes (e.g. too many engineers) vs. root causes (e.g. beliefs, values, behaviors)

What can succeed:
- Unified and passionate buy-in and engagement from executives
- Alignment between business strategy, culture and organization through Chief Strategy Officer coordination and oversight
- Integrated approach to diagnosing and monitoring culture across the organization
- Experimenting through pilots
- Evolution that leverages the best of the existing culture
- Consistently engaging colleagues in design of desired purpose/values/behaviors
- Taking an evolutionary and long approach to culture change

A framework for building culture systemically: design and realize an effective Human Operating System

CORE: the organization's WHY (Purpose); Shared Values; Desired Behaviors; Business Strategy; Desired Impact & Outcomes.

EXECUTION layer in the business: Organization & Structure; Governance & Decision Rights; Social Contracts & Relationships; Leadership, People & Rewards; Inspired Communication; Metrics, Tools & Infrastructure.

EXPERIENCE layer for other stakeholders: Brand Promise; Philanthropy; Government Relations; Community Relations; Contractor/Labor Relations; Supply Chain Management; Advocacy.

Defining the organization's Core

The WHY (Purpose):
- Define the organization's raison d'être, and its unique role in society, business, and the world
- Identify and clarify the "making a difference" for all colleagues and leverage it as a source of inspiration and energy

Shared Values:
- Embed values and related exemplar descriptions
- Develop communications and colleague engagement activities to deploy the values and bring them to life across the organization

Desired behaviors:
- Translate the values into observable behaviors that can be communicated, learned, measured, and integrated into the day-to-day business operations
- Establish a Leadership Framework and integrate new self-governance content into leadership development, performance management, talent management and other processes

Business Strategy:
- Refresh and refine the strategic pillars required to pursue the organization's Purpose, and deliver on the vision, adding specific and deliberate elements for culture as a strategy
- Develop Guiding Principles that help to align the organization and enable achievement of the strategy (e.g. design principles for the execution layer)

Desired Impact & Outcomes:
- Articulate the business outcomes and human and environmental impacts that will be achieved by pursuing the Purpose and Strategy through the ethos of the organization's values
- Identify KPIs and leading indicators for the journey

Execution considerations on the culture journey

Change dimensions (EXECUTION layer): Organization & Structure; Governance & Decision Rights; Social Contracts & Relationships; Leadership, People & Rewards; Inspired Communication; Metrics, Tools & Infrastructure.

Formal considerations:
- Spans & layers; size; accountability; networked organizations; business processes; human policies (vacation, creative time, etc.)
- Where decision rights reside: top, middle, bottom; decision making by individual managers versus through assigned councils for strategic topics
- Expectations of citizenship: a set of principles and behavioral expectations and accountabilities for serving purpose and upholding values; how we treat each other
- Inspirational leadership; hiring, talent management; performance & behavior management; rewards and recognition
- Connection to purpose and values; sense of community and creation; impact of the individual; stories and symbols
- Social networking tools; ideation & collaboration tools; business challenges; training & education; work environment design; progress metrics

Informal considerations:
- Informal councils and committees; virtual teaming; initiatives by employees to form communities or interest groups around business topics of interest
- Local pilots and experiments; failing fast, learning fast; ad hoc and self-forming teams
- Local and team accountability and change; local models as best practices; role modeling exemplary behaviors
- Self-organizing recognition; mentors, champions and influencers
- Viral communication; bottom-up inspiration; self-alignment with exemplary narratives
- Hackathons; conferences & ad hoc gatherings; peer-to-peer learning; local/virtual solicitation for collaboration; bottom-up space & design concepts

How external stakeholders experience the journey

Experience Levers (EXPERIENCE) and Descriptions

Brand Promise: Leading with our purpose, values and behaviors in the external ecosystem; providing transparency, consistency and predictability of intent and outcomes
Philanthropy: How we give back to society; where do we want to have impact
Government Relations: How we engage with Governments; openness, transparency and trust
Community Relations: How we engage with local communities and civil society; openness, transparency and trust
Labor/Contractor Relations: How we engage with our contractors; cultural alignment and trust
Supply-Chain Management: How we closely partner with our supply chain; engendering trust and driving innovation
Advocacy: Communication, narratives and symbols; inspiring significance and meaning across the ecosystem

Competitive Advantage; Innovation; Goodwill; Societal Impact; Significance

(Sample) Framework and Roadmap for culture journey

CORE (The WHY (Purpose); Shared Values; Business Strategy; Desired behaviors; Desired Impact & Outcomes)
Initiative 1: Defining and communicating purpose and values
Initiative 2: Lead corporate strategy formulation
Initiative 3: Conduct business unit (local) culture, purpose and values meetings

EXECUTION

Organization & Structure
Initiative 4: Clarify & adapt organizational structure

Governance & Decision Rights
Initiative 5: Identify, pilot and implement enhanced policies, procedures and processes that can have systemic impact on culture
Initiative 6: Solidify executive team leadership of the core and culture evolution generally
Initiative 7: Revise Code of Ethics to have greater symbolic and practical value in guiding behaviors

Social Contracts & Relationships
Initiative 8: Define and reinforce shared values

Leadership, People & Rewards
Initiative 9: Further embed and deploy culture behaviors and expectations into Talent programs and Performance Management systems
Initiative 10: Deploy Talent Acceleration Program to first cohort
Initiative 11: Launch International Mobility policy and managed moves

Inspired Communication
Initiative 12: Celebrate culture and values
Initiative 13: Update corporate branding to support shared values
Initiative 14: Corporate communications campaign to support values

Metrics, Tools & Infrastructure
Initiative 15: Managing, measuring and reporting on Culture Journey

EXPERIENCE

External Stakeholders
Initiative 16: Assess nature and quality of external stakeholder relationships, identifying enhancement opportunities

Office of the Chief Strategy Officer (Coordination, Support & Evaluation)
Executive Leadership Team (Leadership & Oversight)

Some core principles for the Roadmap design

- Define SMART Initiatives: Specific, Measurable, Attainable, Relevant, Time-bound
- Ensure that how activities are executed models the desired culture and behaviors
- Anticipate long-term journeys and continuous engagement (creating readiness for change, followed by dynamic, sustainable change)
- Demonstrate ability to improve and change through quick wins and tactical actions
- Inspire all colleagues to contribute and take action to co-create the future
- Ensure that Business Unit-specific and global initiatives contribute to embedding shared values
- Align with existing Leadership Framework
- Reiterate values in light of the purpose
- The Roadmap is a living and breathing document, to be updated continuously


Bridge Paper

Developing Ethical Leadership


R. Edward Freeman
Lisa Stewart

Featuring a Thought Leader Commentary with Steve Odland, Chairman and CEO, Office Depot, Inc.

2006, Business Roundtable Institute for Corporate Ethics, www.corporate-ethics.org

Distribution Policy: Bridge Papers may only be displayed or distributed in electronic or print format for non-commercial educational use on a royalty-free basis. Any royalty-free use of Bridge Papers must use the complete document. No partial use or derivative works of Bridge Papers may be made without the prior written consent of the Business Roundtable Institute for Corporate Ethics. A PDF version of this document can be found on the Institute Web site at: http://www.corporate-ethics.org/pdf/ethical_leadership.pdf

Bridge Papers: Uniting best thinking with leading business practice.

Contents
Foreword
What is Ethical Leadership
Becoming an Ethical Leader
Developing Ethical Leaders
Thought Leader Commentary with Steve Odland
About the Authors

Foreword
The Business Roundtable Institute for Corporate Ethics is an independent entity established in partnership with Business Roundtable, an association of chief executive officers of leading corporations with a combined workforce of more than 10 million employees and $4 trillion in annual revenues, and leading academics from America's best business schools. The Institute brings together leaders from business and academia to fulfill its mission to renew and enhance the link between ethical behavior and business practice through executive education programs, practitioner-focused research and outreach.

Institute Bridge Papers™ put the best thinking of academic and business leaders into the hands of practicing managers. Bridge Papers™ convey concepts from leading-edge academic research in the field of business ethics in a format that today's managers can integrate into their daily business decision making.

Developing Ethical Leadership[1] is an Institute Bridge Paper™ based on the research of R. Edward Freeman. Weaving his research together with learnings he has garnered from conversations with a host of executives and students during the last 25 years, Freeman creates a framework for developing ethical leadership. The accompanying interview with Steve Odland, Chairman and CEO of Office Depot, Inc., provides a CEO perspective on what it means to be an ethical leader in today's business and social contexts, addressing key topics such as executive compensation and the need to encourage a culture of pushback.


What Is Ethical Leadership?


One typical response to the ethics crisis in business is a clarion call for more ethical leadership, yet there are few explanations of what exactly is meant by the term. Many executives and business thinkers believe that ethical leadership is simply a matter of leaders having good character. By having the right values or being a person of strong character, the ethical leader can set the example for others and withstand any temptations that may occur along the way. Without denying the importance of good character and the right values, the reality of ethical leadership is far more complex and the stakes are much higher.

Over the past 25 years, in talking to executives in a number of industries about the problems of how to lead in a world of great change (globalization, democratization, and incredible technological advances), we have identified a number of touchstones for the idea of ethical leadership. Our experience is often contrary to the picture of business executives one finds in public discussion, where they are often seen as greedy, competitive, and only concerned with compensation. In fact, most executives want to be effective in their jobs and to leave their companies and the world a better place, creating value on both fronts for those whose lives they affect.

Business Roundtable Institute for Corporate Ethics

Our view of ethical leadership takes into account not only the leader but also his constituents (followers and key stakeholders), the context or situation that the leader and constituents face, the leader's processes and skills, and the outcomes that result. Leaders are first and foremost members of their own organizations and stakeholder groups. As such, their purpose, vision, and values are for the benefit of the entire organization and its key stakeholders. Leaders see their constituents as not just followers, but rather as stakeholders striving to achieve that same common purpose, vision, and values. These follower and stakeholder constituents have their own individuality and autonomy, which must be respected to maintain a moral community. Ethical leaders embody the purpose, vision, and values of the organization and of the constituents, within an understanding of ethical ideals. They connect the goals of the organization with those of the internal employees and external stakeholders. Leaders work to create an open, two-way conversation, thereby maintaining a charitable understanding of different views, values, and constituents' opinions. They are open to others' opinions and ideas because they know those ideas make the organization they are leading better.

Characteristics of Ethical Leaders

In today's turbulent world, ethics and values are present at a number of levels for executives and managers, leaders who devote their time and energy to leading the process of value creation. This broader concept of ethical leadership empowers leaders to incorporate and be explicit about their own values and ethics. The following list provides a framework for developing ethical leadership. It is based on the observations of and conversations with a host of executives and students over the past 25 years, and on readings of both popular and scholarly business literature. Written from the perspective of the leader, these ten facets of ethical leaders offer a way to understand ethical leadership that is more complex and more useful than just a matter of good character and values.

Ethical Leaders:

1. Articulate and embody the purpose and values of the organization. It is important for leaders to tell a compelling and morally rich story, but ethical leaders must also embody and live the story. This is a difficult task in today's business environment where everyone lives in a fishbowl, on public display. So many political leaders fail to embody the high-minded stories they tell at election time, and more recently, business leaders have become the focus of similar criticism through the revelations of numerous scandals and bad behaviors. CEOs in today's corporations are really ethical role models for all of society. Following a series of unethical activities by Citigroup employees in Japan in 2004, new CEO Chuck Prince fired several executives, publicly accepted responsibility and bowed apologetically to Japanese officials.[2] Not only did Prince's message resonate within Japan, but it also signaled a new era of shared responsibility within the culture of Citigroup where every employee was expected to take ownership for their decisions that affected the enterprise.

2. Focus on organizational success rather than on personal ego. Ethical leaders understand their place within the larger network of constituents and stakeholders. It is not about the leader as an individual; it is about something bigger: the goals and dreams of the organization. Ethical leaders also recognize that value is in the success of people in the organization. In 1998, in a bold gesture demonstrating how he valued the company's line employees, Roger Enrico, former Chairman and CEO of PepsiCo, chose to forego all but $1 of his salary, requesting that PepsiCo, in turn, contribute $1 million to a scholarship fund for employees' children.[3] In a similar manner, the founders of JetBlue began a process of matching, from their salaries, employee donations to a charity. Today, their entire salaries go to the JetBlue Crewmember Catastrophic Plan charity, to assist staff with crises not covered by insurance.[4] The point of these examples is not that ethical leaders donate their salaries to charities, but rather that ethical leaders identify and act on levers, such as employee loyalty, that drive organizational success.


3. Find the best people and develop them. This task is fairly standard in different models of leadership. Ethical leaders pay special attention to finding and developing the best people precisely because they see it as a moral imperative: helping them to lead better lives that create more value for themselves and for others. Finding the best people involves taking ethics and character into account in the selection process. Many CEOs have said to us that judging someone's integrity is far more important than evaluating their experience and skills. Yet, in many organizations, employees are hired to fill a particular skill need with little regard to issues of integrity.

4. Create a living conversation about ethics, values and the creation of value for stakeholders. Too often business executives think that having a laminated values card in their wallet or having a purely compliance approach to ethics has solved the ethics problem. Suffice it to say that Enron and other troubled companies had these systems in place. What they didn't have was a conversation across all levels of the business where the basics of value creation, stakeholder principles and societal expectations were routinely discussed and debated. There is a fallacy that values and ethics are the soft, squishy part of management. Nothing could be further from the truth. In organizations that have a live conversation about ethics and values, people hold each other responsible and accountable about whether they are really living the values. And, they expect the leaders of the organization to do the same. Bringing such a conversation to life means that people must have knowledge of alternatives, and must choose every day to stay with the organization and its purpose because it is important and inspires them. Making a strong commitment to bringing this conversation to life is essential if one is to lead ethically. Most people know the story of Johnson & Johnson's former CEO Jim Burke and the Tylenol product recall in the 1980s in which, at a great short-term financial cost, he pulled all potentially tampered-with products off the shelves, thereby keeping the public's trust intact. The less well-known background to this story, however, is critical to understanding the final outcome. Well before the Tylenol crisis hit, Johnson & Johnson had held a series of challenge meetings all around the world, where managers sat and debated their Credo, a statement of their purpose and principles of who they wanted to be as a company. The conversation about ethics at Johnson & Johnson was alive, and in many ways made Jim Burke's choice about handling the situation clearer than it otherwise would have been.

5. Create mechanisms of dissent. Many executives don't realize how powerful they are simply by virtue of their positions. Psychologists such as Stanley Milgram long ago demonstrated that most of the time people will obey what they perceive to be legitimate authority, even if there is no cost for disobedience. To avoid this Authority Trap it is critical to have an established and explicit way for employees to push back if someone thinks that a particular market, region, or internal process is out of line. This needs to be made part of the organizational culture, not just a line item in a compliance program document. Some companies have used anonymous e-mail and telephone processes to give employees a way around the levels of management that inevitably spring up as barriers in large organizations. Many executives also have used skip-level meetings, where they go down multiple levels in the organization to get a more realistic view of what is actually going on. General Electric's famous workout process, where workers meet to decide how to fix problems and make the company better, was a way for front-line employees to push back against the established policies and authority of management. All of these processes lead to better decisions, more engaged employees, and an increased likelihood of avoiding damaging mistakes. In a company that takes its purpose or values seriously, there must be mechanisms of pushing back to avoid the values becoming stale and dead. Indeed, many of the current corporate scandals could have been prevented if only there were more creative ways for people to express their dissatisfaction with the actions of some of their leaders and others in the companies. The process of developing these mechanisms of dissent will vary by company, by leadership style, and by culture, but it is a crucial leadership task for value creation in today's business world.

6. Take a charitable understanding of others' values. Ethical leaders can understand why different people make different choices, but still have a strong grasp on what they would do and why. Following twenty-seven years in South African prisons, Nelson Mandela was still able to see the good in his jailers. After one particularly vicious jailer was being transferred away from Robben Island because of Mandela's protest and push back, the jailer turned to Mandela and stated, "I just want to wish you people good luck."[5] Mandela interpreted this statement charitably as a sign that all people had some good within them, even those caught up in an evil system. Mandela felt that it was his responsibility to see this good in people and to try and bring it out. One CEO suggested that instead of seeing ethical leadership as preventing people from doing the wrong thing, we need to view it as enabling people to do the right thing.

7. Make tough calls while being imaginative. Ethical leaders inevitably have to make a lot of difficult decisions, from reorienting the company's strategy and basic value proposition to making individual personnel decisions such as working with employees exiting the organization. Ethical leaders do not attempt to avoid difficult decisions by using an excuse of "I'm doing this for the business." The ethical leader consistently unites doing the right thing and doing the right thing for the business. The idea that ethical leadership is just being nice is far from the truth. Often, exercising moral imagination[6] is the most important task. Mohammed Yunus founded the Grameen Bank on such moral imagination.[7] By taking the standard banking practice of only lending to people with collateral, and turning it on its head, Yunus spawned an industry of micro-lending to the poor. The Grameen Bank's motto is that poverty belongs in a museum. In addition to having one of the highest loan repayment rates in the banking industry, the bank's program of lending to poor women in Bangladesh to start businesses has helped millions of them to be able to feed themselves. This leadership can just as often take place within the ranks of organizations as it does at the highest CEO and board levels. Several years ago, the CEO of DuPont was implementing a new, stringent company-wide commitment to reduce factory emissions.[8] He visited one facility where the plant engineers insisted that such requirements could not be met. The chairman responded that the particular plant would then have to be closed, causing hundreds of job losses. Several weeks later, the plant engineers delivered the news to the CEO that they had figured out how to meet the requirements, and save money. While we don't know the names of the plant engineers who surely spent numerous hours determining how to meet the requirements, we see the results of their leadership and imagination.

8. Know the limits of the values and ethical principles they live. All values have limits, particular spheres in which they do not work as well as others. The limits for certain values, for instance, may be related to the context or the audience in which they are being used. Ethical leaders have an acute sense of the limits of the values they live and are prepared with solid reasons to defend their chosen course of action. Problems can arise when managers do not understand the limits of certain values. As an example, one issue common to the recent business scandals was that managers and executives did not understand the limits of putting shareholders first. Attempts to artificially keep stock prices high, without creating any lasting value for customers and other stakeholders, can border on fanaticism rather than good judgment. Ethics is no different from any other part of our lives: there is no substitute for good judgment, sound advice, practical sense, and conversations with those affected by our actions.

9. Frame actions in ethical terms. Ethical leaders see their leadership as a fully ethical task. This entails taking seriously the rights claims of others, considering the effects of one's actions on others (stakeholders), and understanding how acting or leading in a certain way will have effects on one's character and the character of others. There is nothing amoral about ethical leaders, and they recognize that their own values may sometimes turn out to be a poor guidepost. The ethical leader takes responsibility for using sound moral judgment. But, there is a caution here. It is easy to frame actions in ethical terms and be perceived as righteous. Many have the view that ethics is about universal, inviolable principles that are carved into stone. We need to start with principles and values, and then work hard to figure out how they can be applied in today's complex global business environment. Principles, values, cultures, and individual differences often conflict. Ethical leadership requires an attitude of humility rather than righteousness: a commitment to one's own principles, and at the same time, openness to learning and to having conversations with others who may have a different way of seeing the world. Ethics is best viewed as an open conversation about those values and issues that are most important to us and to our business. It is a continual discovery and reaffirmation of our own principles and values, and a realization that we can improve through encountering new ideas.

10. Connect the basic value proposition to stakeholder support and societal legitimacy. The ethical leader must think in terms of enterprise strategy, not separating the business from the ethics. Linking the basic raison d'être of the enterprise with the way that value gets created and society's expectations is a gargantuan task. But, the ethical leader never hides behind the excuse of "It's just business." Despite intense opposition from a number of groups, Wal-Mart CEO Lee Scott won approval in early 2004 to build a new store in a West Side Chicago neighborhood by listening to and engaging stakeholders who would most benefit by the value that this new store would create.[9] Partnering with black community leaders, Wal-Mart appealed to the needs of the community in sections of town where there was a real need for jobs and stores. Ultimately, the support of the community allowed Wal-Mart to win City Council's approval. Wal-Mart also committed to seeking minority subcontractors to build the facility and to eventually hiring the majority of the store's employees from the local community.

Ethical leadership is about raising the bar, helping people to realize their hopes and dreams, creating value for stakeholders, and doing these tasks with the intensity and importance that ethics connotes. That said, there must be room for mistakes, for humor, and for a humanity that is sometimes missing in our current leaders. Ethical leaders are ordinary people who are living their lives as examples of making the world a better place. Ethical leaders speak to us about our identity, what we are and what we can become, how we live and how we could live better.

Becoming an Ethical Leader

We have been privileged to know many executives that we would classify as ethical leaders. What these executives have in common is a profound and deep sense of ethical principles, values, and character at the core of their leadership. They see their job as making others better, and enabling them to pursue their own hopes and dreams. They are able to get things done in complicated organizations and societies. But, it is their ethical core which pervades their relationships with followers, the skills and processes which they use in leading them, their analysis of the contexts, and their own sense of self.

Becoming an ethical leader is relatively simple. It requires a commitment to examining your own behavior and values, and the willingness and strength to accept responsibility for the effects of your actions on others, as well as on yourself. A responsibility principle is a necessary ingredient for managing for stakeholders to be useful in today's business world. Ethical leaders must consider and take responsibility for the effects of their actions on customers, suppliers, employees, communities and other stakeholders. If business were simply concerned with shareholder value, then this responsibility principle would be unnecessary, other than the responsibility to shareholders.

To become an ethical leader, commit to asking yourself the following types of questions:
(1) What are my most important values and principles?
(2) Does my calendar (how I spend my time and attention) reflect these values?
(3) What would my subordinates and peers say my values are?
(4) What mechanisms and processes have I designed to be sure that the people who work for me can push back against my authority?
(5) What could this organization do or ask me to do that would cause me to resign for ethical reasons?
(6) What do I want to accomplish with my leadership?
(7) What do I want people to say about my leadership when I am gone?
(8) Can I go home at the end of the day and tell my children (or a loved one) about my leadership, and use my day's work to teach them to be ethical leaders?

Developing Ethical Leaders


The best way for organizations to develop ethical leaders is to engage in some of these questions. Viewing business simultaneously in economic and ethical terms helps to send the message that ethics isn't just an important set of rules not to violate, but that it is an integral part of what it means to work at your organization. There are some concrete steps about how best to develop ethical leaders within the framework that most global businesses find themselves. The first step is to bring life to a conversation about how the organization benefits its stakeholders and about understanding the organization's values. This doesn't need to be a formal program. It could be as elaborate as town hall meetings. Or, as one executive suggested to us, we simply could have an ethics or stakeholders moment at most meetings. Such moments, analogous to safety moments at companies like DuPont, set aside a brief time to raise concerns about the effects of the meeting on key stakeholders, or on a company's values and ethics. Equally, the ethics moment could elaborate on how the conversations and decisions of the meeting were aligned with company values.

Many companies have leadership development programs. These programs need to be strengthened by adding the idea of ethical leadership. It is not necessary to use the specific principles we have developed, but companies can make themselves better by engaging participants in a conversation about what they see as ethical leadership. Executives can develop shared conversations and conceptions of how ethical leadership can be implemented in their particular company. Executives need to figure out how to have challenge meetings, routine processes where anyone in the organization can raise a challenge to whether or not the company is living its values, or its enterprise strategy approach. Without the ability to challenge authority, there can be no such thing as true ethical leadership. Many fear that anarchy would be the result of such a process. Our experience is just the opposite. Values, purposes, principles, an enterprise approach: all deliver a disciplined way to think about how to make the business better and more effective, and help to develop pride in the organization.

A Thought Leader Commentary with Steve Odland, Chairman and CEO, Office Depot, Inc.
Q: How do you develop ethical leaders within Office Depot?

Steve Odland: I believe that employees at all levels throughout the organization must demonstrate and exercise ethical leadership every day. Our salespeople, for instance, have to know and believe that we dont sell products to customers that they dont need. Each one of us must work to provide value for our customers and shareholders. In some respects the term ethical leaders is redundantwe really are just developing leaders that are focused on delivering value to our customers every day. Leadership should of course be ethical as well. Development of these qualities is critical, and heres why. In a retail environment like ours, Office Depot in the mind of our customers is their local store and store employees, not me as CEO or our corporate offices. Its whether those local employees are helpful and whether the store has the products that customers need when they need them. Thus, we need to emphasize ethical leadership throughout our organization. To develop ethical leaders, it is important for the ethics codes to be clear, and to ensure that all employees understand what is expected of them. Another critical component to ensuring ethical leadership within the culture is hiring, developing, and promoting those people who will embrace the ethical standards. You can put together elaborate ethics codes, but, in the end, if you hire crooks, they will steal. Q: How do you encourage a culture of pushback within your organization?
Odland: At Office Depot, all employees share in the responsibility for creating and maintaining an ethical culture. That effort, of course, starts with the Chief Executive Officer and the Board of Directors demonstrating their commitment to the company values and principles in consistent and concrete ways. I frequently speak to groups of employees about the importance of our company values, about how we want to treat each other, and about what we stand for as a company. The company culture can't just be mine, it has to be all of ours. Employees must be free to push back, to report ethical violations, and to suggest changes, all without fear of retribution. Every employee's behavior is important to the company's success. We can't always look over their shoulders, so we need to depend on them to do what is right. And we need to put processes and mechanisms in place so that there are people they can turn to when they need support in discussing the difficult situations they may face. They need to know that doing the right thing is best for them and for our company. Every time someone has the fortitude to speak up on behalf of our values, we need to show that this is something we encourage; failure to communicate that we value this feedback could have a chilling effect that does us all harm.

Q: This paper mentions that a key principle of ethical leadership is articulating and embodying the purpose and values of the organization. Can you explain how you approach this topic in today's environment where Chief Executives' lives are often on public display?

Odland: Several years ago, I had just become the Chief Executive of a company and had moved with my family to a new town. As the 4th of July approached, since we had just moved in, we couldn't find the American flag, so we didn't have it to display. A snippet in the paper noted that I was not patriotic or didn't have a flag out. You will notice if you ever drive by my house now I always have a flag flying. Now I'm criticized for not taking it down in the rain, but I know all the regulations on use and abuse of the American flag. First, as CEOs, we live our lives in a fishbowl and I think that we have to understand that. Secondly, we need to understand that we can't subject ourselves or indulge ourselves in the common kinds of human frailties. In today's world, the rules have changed and we all have to adapt to that.

Q: Office Depot was one of the first corporate responders to the Hurricane Katrina crisis, with a multitude of companies following suit. Why did you choose to take such a strong leadership position there?

Odland: Similar to our personal lives where we establish trusting relationships over time by treating one another with respect, care and honesty, Office Depot has many relationships with the people of the Gulf Coast whose lives were affected by Hurricane Katrina. Additionally, our company is based in Florida, so our people feel a particular empathy and compassion for the Gulf Coast hurricane victims. In this instance of crisis, ethical leadership meant responding quickly, generously, and with compassion to aid our employees, customers and fellow citizens, just as we would have individually assisted our friends and neighbors in a time of crisis.

Hurricane Katrina is the American Tsunami. We continue to encourage other companies to join us in this massive relief effort, not only to help our fellow citizens, customers and associates who are suffering, but to ensure that our economy can withstand the tremendous impact this storm will have on American business. Our economy is based on the trust we have in each other and in our free market system. In just over a week after Katrina, Business Roundtable's Partnership for Disaster Relief collected over $102 million in cash and in-kind donations from more than 89 corporations.

Q: How do you view the connection between executive compensation and ethical leadership?

Odland: In a free market society, people are valued for their contributions. Some people in a society value one thing and others value another thing. Interestingly, our society puts a greater value on sports figures and entertainers: the average major league salary is $14 million; whereas, the average base salary for a Chief Executive Officer is closer to $1 million plus an at-risk bonus. Maybe that's too high; I don't know. If corporate leaders focus on and are successful in creating substantial shareholder value, then having a small percentage of that go to the people who create it doesn't seem out of line. It's when things get really out of whack that there are problems. There's really no right or wrong answer. I think boards need to use a common sense, values-based approach to determine what is right for their shareholders.

Q: How do you distinguish between ethics and morals, and how do you incorporate ethics into your business decisions?

Odland: I think ethics are behaviors inspired by right and wrong. I think morals tend to have more of a religious overtone. We all are products of our upbringing and our religious teaching, but I think that we ought to have ethics as the undergirding rules of business. It comes down to the basics of law: don't steal, don't cheat, no fraud. All of the rules and laws that have been passed are simply expressions or variations on those themes. It's frustrating to a lot of us CEOs in American business today that there is still unethical behavior going on. That's why we created the Business Roundtable Institute for Corporate Ethics, and that's why we're out saying how important it is not only for us, but for everybody and all leaders of business to uphold the highest levels of ethical behavior. I don't know how to say it much more simply than that.

Q: How do you assess the ethical leadership within an organization?

Odland: I think today it's different and more risky for us as we go through career transitions. You can evaluate all the annual reports and proxies and so forth until your eyes glaze over at night, but at the end of the day, it's about the people and values and the company. In my case, I did a lot of research about the people of the company, the employees of the company, and then I insisted on meeting every single one of the directors. Today, the pendulum has swung all the way over from really complacent boards that were friends of the CEO or the chairman to a situation where some boards are made up of people who may or may not understand companies, who may or may not understand business, who may or may not understand the laws and the financial rules. Yet, they're becoming far more activist, and they're actually doing some damage to companies. I wanted to make sure that I had a board that had the right ethics, the right values, and with whom I thought I could work as a team in order to create shareholder value. The bricks and the mortar and the brands and all of that, every company's got them. At the end of the day, it's the people that matter most.

ABOUT THE AUTHORS

Developing Ethical Leadership

R. EDWARD FREEMAN is the Academic Director of the Business Roundtable Institute for Corporate Ethics. He is the Elis and Signe Olsson Professor of Business Administration at The University of Virginia's Darden School of Business Administration and co-Chair of Darden's Olsson Center for Applied Ethics, one of the world's leading academic centers for the study of ethics.

LISA STEWART is Program Manager at the Business Roundtable Institute for Corporate Ethics. Prior to joining the Institute, Stewart planned and managed executive education programs both nationally and internationally for Executive Education at the Darden Graduate School of Business Administration at the University of Virginia.

Thought Leadership Commentary

STEVE ODLAND is Chairman and CEO of Office Depot, Inc. Prior to joining Office Depot, he was Chairman, Chief Executive Officer, and President of AutoZone, the nation's largest auto parts and accessories retailer, which he joined in 2001. He is chairman of the Business Roundtable's Corporate Governance Task Force and was named top new CEO in 2002 by Bloomberg Markets Magazine. He is a member of the Advisory Council for the Business Roundtable Institute for Corporate Ethics.

NOTES

1. This paper is based on research conducted by R. Edward Freeman, Robert Phillips, Jeffrey Harrison, Andrew Wicks, Patricia Werhane, Kirsten Martin, Bidhan Parmar and Margaret Cording. The full academic papers on which it is based can be found in the following sources: Freeman, Phillips, Harrison and Wicks, Managing for Stakeholders, forthcoming book; R. Edward Freeman, Martin, K., Parmar, B., Cording, M., and Werhane, P., "Leading Through Values and Ethical Principles," in Ronald Burke and Cary Cooper (eds.), Inspiring Leaders, Routledge Publishing, Oxford, UK, 2006; "Ethical Leadership and Creating Value for Stakeholders," in R. Peterson and O. Ferrell, Business Ethics: New Challenges for Business Schools and Corporate Leaders, M.E. Sharpe, 2004; Terry L. Price, Understanding Ethical Failures in Leadership, Cambridge University Press, August 2005. In addition there is a valuable literature here such as: Joanne B. Ciulla, Terry L. Price, & Susan E. Murphy (Eds.), The Quest for Ethical Leaders: Essays on Leadership Ethics (forthcoming, Edward Elgar, November 2005); Stephen R. Covey, Principle-Centered Leadership, Free Press, October 1, 1992; etc.

2. Information for this section collected from: Carol J. Loomis and Chuck Prince, "Tough Questions for Citigroup's CEO," Fortune, 29 November 2004; and Timothy L. O'Brien and Landon Thomas Jr., "It's Cleanup Time at Citi," The New York Times, November 7, 2004.

3. "Boss Gives His Salary to Workers; Pepsi Chief Funds $1M in Scholarships," Associated Press, March 25, 1998.

4. James Wynbrandt, Flying High: How JetBlue Founder and CEO David Neeleman Beats the Competition, Even in the World's Most Turbulent Industry, John Wiley & Sons, Inc., 2004, pp. 221-222.

5. Nelson Mandela, The Long Walk To Freedom: The Autobiography of Nelson Mandela, Back Bay Books, October 1, 1995, p. 462.

6. Patricia H. Werhane, Moral Imagination and Management Decision Making, Oxford University Press, 1999.

7. Muhammad Yunus, founder of the Grameen Bank, spoke at the Ruffin Lecture Series of the Olsson Center for Applied Ethics at the University of Virginia's Darden School of Business, November 20, 2004.

8. R. Edward Freeman, Jessica Pierce and Richard H. Dodd, Environmentalism and the New Logic of Business: How Firms Can Be Profitable and Leave Our Children a Living Planet, Oxford University Press, 2000, p. 1.

9. Time, September 5, 2005, pp. 44-49; and "Chicago approves its first Wal-Mart: After lengthy debate, city council votes to allow store," The Associated Press, on MSNBC.com, May 26, 2004.

For more information on the Business Roundtable Institute for Corporate Ethics, please visit www.corporate-ethics.org or call (434) 982.2323.

Business Roundtable Institute for Corporate Ethics
100 Darden Boulevard
Charlottesville, Virginia 22903
(434) 982.2323
info@corporate-ethics.org
www.corporate-ethics.org

Visions for the Future


Story Boards Created by Employees

CONFIDENTIAL

2012 LRN Corporation. All Rights Reserved.

Why Explore the Future Together?

- Engage employees in a dialogue around the mission/purpose and core values of the organization
- Enable employees to connect with each other around what matters most, and to inspire each other by sharing their hopes and dreams
- Gather clues and insights about how best to integrate and align the organization's mission/purpose and core values
- Identify essential behaviors that support a more inspired, mission-oriented, values-based culture and organization


How We Construct Visions for the Future

- Organize future-focus groups (12-15 participants) across the organization; diverse group composition is best
- Create collages illustrating the small group's vision for the organization's future, and then describe the collages to the larger group
- Share the collages across locations and encourage further dialogue across boundaries (e.g., via a social networking tool such as Chatter, Spark, etc.)


Starter Questions for Creating Future-Focus Collages

- What does the world most need that we are uniquely able to provide?
- What does our organization look like on its best days?
- As currently formulated, what does our mission/purpose mean, and how meaningful is it to us?
- What kind of organization do we want to be five years from now?
- What does the world look like once we have carried out our mission/realized our purpose?
- How can we unlock the potential in each of us to create and contribute to something bigger than ourselves?
- How can we inspire each other to be responsible and accountable for making a positive impact toward realizing our mission/purpose?
- How can we align our diverse workforce around a common purpose and set of values?

Group 1, Board 1

EXAMPLE 1

We'd like to see XXX have a purpose, a goal. We want to know what we're doing, where we're going, and how we are going to get there. While we're at it, we also want to play fair, live life to the fullest, drive growth and build something great. Trust is going to come into play in a big way if we want to get to where we want to be. And we're going to get there together; let's shake on that. We're also going to think of the environment as we go along, to make sure we aren't doing damage. When we're doing our job right, we're going to leave the environment in a better condition than we find it. XXX - this is where magic happens, this is where we can be innovative and be the champions. We're ready to raise the bar: we need to lower costs, compete within our industry, set ourselves higher expectations on performance all around, including environmental performance.


Group 2, Board 1

EXAMPLE 2
We see a future where XXX is winning in the industry and schooling the competition. We are going to be the next big thing, the future game changers, embracing a new kind of power. How do we get there? Our commitment will know no bounds. We'll get rich or die trying. We're going to be nimble, flexible and able to change on the fly: we don't have to stay on the straight and narrow course. We're going to put diversity as a top priority, and focus on how to be innovative instead of just focusing on the bottom line. We're going to invent our profits. XXX should make money because of us, not in spite of us. We need to have a way to include family and friends on this journey though, and still lead a balanced lifestyle. We also need to have experienced leadership to build hope and show us the way.


What Does it Mean to Have an Effective Compliance Program?


An effective program does not mean that a company is expected to be able to detect and stop every single violation, but it does require a thoughtful and substantial commitment.

The November 14, 2012, joint DOJ/SEC FCPA guidance does provide a new compilation of hallmarks of such a program from prior settlements and statements:

- Commitment from senior management along with a clear anti-corruption policy
- Code of Conduct with associated policies and procedures
- Appropriate oversight, autonomy, and resources
- Risk assessment-driven program
- Ongoing training and advice
- Incentives for self-policing, reporting of potential violations, and contributing to a culture of compliance, as well as appropriate and effective sanctions for compliance violations and lapses
- Due diligence of third parties, including monitoring of third-party payments
- Confidential reporting and internal investigations
- Continuous improvement along with periodic testing and review
- Pre-M&A due diligence of an ethics and compliance program with associated post-M&A integration
- A secure and anonymous channel for reporting concerns

The program should apply from the boardroom to the supply room; no one should be beyond its reach.

2011–2012 Ethics & Compliance Leadership Survey Report

Table of Contents
Executive Summary
Theme 01: Driving Ethics & Compliance in a Volatile Environment
Theme 02: Aligning Ethics & Compliance with 2012 Corporate Goals
Theme 03: Building More Holistic Internal Governance
Theme 04: Making Culture a Corporate Strategy
Theme 05: Creating Universal Norms and Values
Theme 06: Understanding Risk Blind Spots
Theme 07: Addressing Critical Risks
Theme 08: Bringing the Code to Life
Theme 09: Re-engaging Fatigued Employees
Theme 10: Shifting the Tone in the Middle
Appendix

2011–2012 ETHICS & COMPLIANCE LEADERSHIP SURVEY REPORT

2012 LRN CORPORATION. ALL RIGHTS RESERVED.


Executive Summary

In a year when some of the world's most influential brands and most powerful executives were caught up in scandals and their aftermath (huge fines, damage to business reputation and even jail terms), corporate leaders once again were served notice of the severe consequences of straying from ethical practices. Even as companies small and large devote significant energy and resources to upholding the principles of good behavior and compliance with laws and regulations, while also acknowledging the real value that ethical culture brings to the bottom line, there remains deep-seated concern over how to get the job done. In a hatch-tightening time of unsteady growth at home and serious economic turbulence abroad, ethics and compliance leaders, like colleagues across their enterprises, are dealing with constraints on the resources needed to carry out their mission. And they are reminded constantly of the challenges of staying competitive and compliant in an exacting, relentless business and regulatory environment.

LRN's fifth annual Ethics & Compliance Leadership Survey Report trains a spotlight on what leaders from 175 companies identify as their biggest challenges and how they are rising to meet them. These leaders are charting courses for enterprises of all sizes, but half carry this responsibility for companies with more than 15,000 employees, often spread out around the world. Most have small or modest-sized staffs; nearly one in five are their company's sole ethics and compliance officer. Among the most difficult challenges: ensuring that middle managers commit to ethical conduct as firmly as those in the executive suite, and creating a culture where employees on the front lines are unafraid to speak up when they see or are asked to do something wrong. The global nature of modern business means many are grappling with the added challenge of upholding standards of workforce conduct that are new and unfamiliar in emerging markets with little respect for ethical business practices.

This report gleans the collective thoughts and wisdom of these E&C leaders on dealing with challenges old (fatigue with online education) and new (the perils and potential of social media). Overwhelmingly, these leaders view their role as the conscience of their companies, helping to align decision making and conduct with core values, not just serving as the watchdog for compliance with rules and regulations.

Based upon the survey's findings, these are LRN's recommendations to the field on what to watch for, how to grapple with increased demands and stretched-thin resources, and how to make E&C an even more vital and integral part of their company's day-to-day life and operations in 2012.

Rethink ethics and compliance programs now to stitch them more tightly into how business gets done. Even with tight budgets, or precisely because of the limited resources, this is no time to hunker down and pursue business as usual. Ethics chiefs long have lamented that they are peripheral to how and where the real business decisions are made. Unprecedented regulatory activism is driving up compliance risks. Growth, reducing costs and expanding into emerging markets are companies' top priorities for 2012; safeguarding ethical culture and business values are back in the pack. Most ethics and compliance chiefs see the complexity of their company's organization, including global operations and the tendency for units to work in silos, as the biggest obstacle to building a strong ethical culture. The solution is to embed awareness of and commitment to ethical, legal practice into every corner of the company and make this part of the discussion wherever key strategy decisions are made. Among key recommended actions:

Pursue a holistic approach to the governance of business conduct. Find smart efficiencies. Seek tighter coordination of the compliance activities often scattered and shared among internal audit, environmental health and safety, information security, quality control, and other functional areas. Identify ways to pool resources, eliminate overlap and co-manage critical activities.

Shift the tone in the middle. Middle managers, the bosses and supervisors on the front line, are the ones E&C leaders should worry about the most. They're out in the rough and tumble world where customers are wooed and deals are struck. E&C leaders must find ways to convince the managers in the middle that they truly are the ones who set the bar for ethical conduct. These colleagues must be convinced that a values-based culture is not a barrier to competitive advantage, but the source of competitive advantage, and that conveying this understanding and mindset to the rank and file is part of their job description. The staff further must be unafraid to speak up when they see or sense something they believe is wrong. Changing the tone in the middle isn't easy, but it's impossible for a values-based culture to take deep root without it.

Understand the Blind Spots. The standard metrics that ethics and compliance leaders have at their disposal, and the ones they regularly report to the Board and CEO, are audit findings, calls to helplines, statistics on investigations opened and closed and the sheer number of Code of Conduct violations. But these all are lagging indicators. They reveal what's in the rear view mirror, not what's in the blind spots or lurking around the corner or at the next intersection. No one can foresee everything that will thrust a company into dire, new circumstances. But there are ways to illuminate the blind spots and see around corners where most dangers lurk. Put an early warning system in place. Interview management to identify hidden pockets of risk. Convene employee focus groups and conduct structured interviews in near and far reaches of the enterprise. Canvass customers and suppliers for their insights on how business was and is conducted. Embolden managers and employees alike not to tolerate small aberrations from accepted practices. What starts small and becomes second nature can lead to catastrophe.

Concentrate on the Critical Risks. What concerns ethics and compliance leaders most today are the same four things that have most troubled them in the past: conflicts of interest, bribery, gift giving, and gift taking. Bribery is now seen as the second most critical risk, up from No. 4 in 2011, perhaps because so many companies are moving to expand their presence in emerging markets, where there may be more tolerance of and fewer prohibitions against corrupt business practices. With hackers and thieves targeting business and government computer networks alike, data privacy also remains a big concern, albeit no longer the top worry. Attacking these four critical priorities will deliver the biggest dividends. E&C needs to share ownership with Legal for risk identification and mitigation. Most ethics offices still report through the General Counsel. The risks are not only at the top or in the sales and procurement offices. Whether it's accepting basketball tickets from a contractor, hiring a niece or nephew or steering work to an in-law, every employee in the company may face opportunities and temptations. Formal metrics may underestimate the extent of problems as local managers and HR representatives try to deal with misconduct and redress conflicts on their own without involving headquarters. Effective management training is the answer: you can't get the job done without them, and they can't do it well without your guidance and input.

Fight Mission and Method Fatigue. Ethics and compliance professionals, no matter how passionate, must confront the reality that their tool of choice, online education, can only do so much, especially in the small amount of time that most companies allot for education (one to three hours a year). At most companies, eLearning remains the dominant education delivery method. The logistics and expense of sending experts out to train everyone in person are daunting. Less than one-fifth of ethics training is delivered by live instructors in a classroom. Just 6 percent of employees are exposed to experiential learning, such as facilitated group discussions. Fifty-nine percent of E&C leaders cite online education fatigue and the education's lack of relevance to day-to-day work (49 percent) as their biggest impediments. New ways must be found to galvanize employee attention and commitment. Go for quality, not quantity. Vary the means and channels of learning. Encourage peer group discussions. Make lessons shorter but more frequent. Integrate the ethics and compliance training into other workplace education and management training programs. Make it relevant, to those in different locations, cultures and jobs, so the light bulb goes off and the employee thinks, "This really is about me and what I do."

Beyond the bar graphs and pie charts, what the survey tells us is that ethics and compliance leaders are striving to get their message heard, understood and embraced at all levels of the enterprise, not just in boardrooms and executive suites, but out across the workplace from the back office to the showroom. They are seeking to ally and align themselves more closely with Legal, HR, Security, Risk Audit, Environmental Health and Safety, Corporate Social Responsibility, and other components that claim a share of responsibility for managing corporate conduct and reputation.

This 2012 survey is published as we approach the 10th anniversary of implementation of the U.S. Sarbanes-Oxley law, which was hailed at the time as a major step toward restoring trust in corporate management and which led to similar legislation in other countries. With hindsight, we know that while Sarbanes-Oxley was important, it was just one step on the path to meaningful and successful ethics and compliance practice. Today's E&C leaders grapple with many traditional concerns (bribery, conflicts of interest, and gift giving and taking) while also addressing newer, more complex challenges such as data protection and privacy. They are stretching limited resources to meet the business imperative of growth, and striving to gain traction for the company's values in new markets where business ethics are often a foreign concept. It is LRN's hope that this fifth Ethics & Compliance Leadership Survey Report will provide relevant insights and remove barriers to effective implementation of a proactive and successful program.


THEME 01: Driving Ethics & Compliance in a Volatile Environment

Key Insights

Challenged to Constantly Adapt. With tight budgets a fact of life, ethics and compliance leaders are challenged by the proliferation of compliance risks, driven by unprecedented regulatory activism as well as rising demands from various stakeholders. Sixty-one percent of survey respondents singled out managing shifting regulatory expectations as a top 2012 priority. Almost two-thirds expressed concern about adapting their E&C programs to changing business needs. The emerging theme is that E&C leaders cannot afford to hunker down and stay the course. The internal and external demands on their time and attention are nearly endless. The status quo is untenable. Instead, they must rethink strategy and execution in order to better safeguard their company against ethical lapses.

Maintaining the Status Quo. LRN's annual Ethics & Compliance Leadership Survey finds that E&C spending and staffing levels remain largely flat for the third year in a row, unsurprising since most companies continue to hold a tight rein on spending during a period of anemic economic growth. Half the leaders surveyed report that their 2012 E&C budgets remain unchanged, while more than two-thirds foresee no change in the size of their staff. While two companies in five plan to increase spending on ethics and compliance, only a small group expects an increase of more than 10 percent, most notably firms in the consumer goods, health care and retail sectors.

[Figure: Projected 2012 E&C Budget Trajectory, ranked by percentage of respondents (n=172). Categories: increase by 1%, by 2% to 5%, by 6% to 9%, by more than 10%; remain unchanged; decrease by 1%, by 2% to 5%, by 6% to 9%, by more than 10%. Largest bar: 53%.]

[Figure: Projected 2012 E&C Staffing Changes, ranked by percentage of respondents (n=170). Categories: increase by 1 employee, by 2 to 5 employees, by 6 to 9 employees, by 10 or more employees; remain unchanged; decrease by 2 to 5 employees, by 6 to 9 employees. Largest bar: 69%.]

The appendix offers a detailed overview of all relevant data collected in the survey.


THEME 01: Driving Ethics & Compliance in a Volatile Environment

2012 Recommendations

Finding Smart Efficiencies. Operating with frozen budgets against a growing to-do list, E&C leaders must become more effective stewards of corporate resources. Opportunities for greater efficiency lie within improved coordination of often fragmented compliance activities throughout the organization, such as internal audit, corporate controls, environmental health and safety, information security, quality, records management, risk assessment, and business continuity. Identify potential synergies through pooling of resources, elimination of overlap and co-management of critical activities.

Going Beyond Management as Usual. Despite rising expectations about business conduct, many companies have set a ceiling rather than a floor for minimum ethics and compliance standards and have not yet linked E&C principles to day-to-day business and operational procedures. Treating ethics and compliance primarily as management as usual will yield diminishing returns and, more ominously, expose the company to greater risk. When ethics and compliance are truly effective, they ensure that awareness of and commitment to ethical and legally compliant conduct are fully integrated into the way business gets done. This creates and reinforces the expectation and reality that how business goals are achieved is inseparable from what is achieved. How can companies rethink the foundations of their E&C programs and become more effective?

- Emphasize the need to integrate ethics and compliance into operational decision making and everyday procedures to drive changes in behavior, avoid inconsistencies and break down silos within the enterprise.
- Change the mindset that ethics and compliance is merely a defense against misconduct and make clear its vital contribution to high performance.
- Starting with the Board and senior management, make a thorough airing of the ethical and legal dimensions and ramifications of corporate strategy part of everyday decision making.

Advice for the CEO and Board

There can be diminishing returns on additional investments in compliance controls and processes. Beyond a certain point, compliance activities can actually harm the organization, imposing unnecessary costs and undermining proper conduct. To change behavior and truly move an organization forward, leadership must shift the corporate mindset from compliance to culture and weave expectations about good conduct into how the business operates every day.

2011-2012 ETHICS & COMPLIANCE LEADERSHIP SURVEY REPORT

2012 LRN CORPORATION. ALL RIGHTS RESERVED.


THEME 02: Aligning Ethics & Compliance with 2012 Corporate Goals
Key Insights

Chart: Critical 2012 E&C Program Goals. Ranked by percentage of respondents (n=144). Aggregate percentage of 5=Very Important and 4=Important, on a scale of 5=Very Important to 1=Not Important.
Increase Employee Comfort with Speaking Up: 73%
Strengthen Ethical Leadership: 68%
Strengthen the Ethical Culture: 66%
Adapt Ethics & Compliance Program to Changing Business Needs: 64%
Promote Alignment Between Core Values and Day-to-Day Operations: 62%
Build a More Consistent, Global E&C Program: 61%
Manage Shifting Regulatory Expectations: 61%

Seeking Global Growth and Innovation. Given the slow rebound from the global economic downturn, two-thirds of E&C professionals indicate that spurring growth is their executive team's top priority. As companies slowly emerge from a difficult period of contraction and cost cutting, they are aggressively seeking opportunities for growth. A majority report that their companies are eyeing expansion in emerging markets. Most companies recognize that relentless innovation is critical for creating long-term value. Almost half say their top priorities include promoting corporate culture and business values, perhaps driven by a need to regain public trust and by the fact that interconnectedness magnifies the effects of business conduct. The Internet holds a mirror up to blemishes wherever they occur. The global economy and web-driven hypertransparency continue to raise ethical expectations, if not behaviors.

Promoting an Ethical Culture Remains a Top Priority. Last year, E&C leaders reported that promoting alignment between core values and day-to-day work was their top priority. Again in 2012, we find this continued emphasis on driving culture and values. Increasing employee comfort with speaking up about alleged misconduct is this year's most important priority for almost three-quarters of E&C leaders, closely followed by a focus on strengthening ethical leadership. Creating a culture where employees have no fear of speaking up is a perennial challenge for companies, made all the more urgent by the whistleblower provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, which created incentives for employees to report allegations of misconduct directly to the U.S. Securities and Exchange Commission.

Chart: Top 2012 Corporate Priorities. Ranked by percentage of respondents (n=147).
Growth: 67%
Innovation: 53%
Cost Reduction: 52%
Emerging Markets Expansion: 52%
Customer Service: 43%
Culture and Business Values: 43%
Employee Engagement: 41%
Leadership Development: 39%
Risk Mitigation: 37%

The appendix offers a detailed overview of all relevant data collected in the survey.


THEME 02: Aligning Ethics & Compliance with 2012 Corporate Goals

2012 Recommendations
Addressing Fears of Speaking Up. The importance that E&C leaders place on encouraging employees to break their silence and speak up about misconduct or dishonest business practices strongly suggests that conventional reporting mechanisms and protections against retaliation are not working. E&C leaders can allay employees' fears and earn their trust by:
- Creating and communicating strong support from the top for encouraging employees to speak up when they see wrongdoing or feel uneasy about the propriety of what they are being asked to do. Lip service won't cut it. The company needs strong policies in place that demonstrate a firm organizational commitment to this end, clarify expectations about the reporting and investigations process and emphasize zero tolerance for retaliation.
- Actively engaging senior management in campaigns stressing the importance, to the organization's culture and performance, of employees speaking up when they see something wrong.
- Regularly spotlighting ethical courage stories of employees who spoke up anonymously about substantiated misconduct and laying out the company's response and resolution of the problem. This not only helps reinforce what is acceptable and unacceptable behavior, but bolsters employees' confidence that worrisome conduct will be corrected when they speak up.
- Educating managers at all levels to treat allegations of misconduct seriously, respond swiftly and effectively, and avoid workplace retaliation, soft or hard.
The HOW Report
LRN's 2012 survey of over 36,000 employees of global companies across a range of industries tested specific hypotheses about the impact of 22 specific governance, culture and leadership characteristics on key business outcomes. The results show that adopting a values-driven, self-governing culture not only decreases the likelihood of misconduct but also has top-line business outcomes, including:
- Up to 6x more innovation
- Up to 4x more employee loyalty
- Up to 12x more willingness to recruit friends to work at the company
- Up to 10x more customer satisfaction
- Up to 2x stronger financial performance (self-reported)
Source: LRN, The HOW Report: New Metrics for a New Reality: Rethinking the Source of Resiliency, Innovation and Growth


THEME 02: Aligning Ethics & Compliance with 2012 Corporate Goals

2012 Recommendations
Aligning Speaking Up and Spurring Innovation. E&C leaders have a unique opportunity to connect their speaking up initiatives to the corporate imperative of making innovation everybody's job. In this densely connected world, successful products, processes and strategies quickly become commodities, making constant innovation a key ingredient for sustainable growth. Only by inspiring employees to speak up about problems, exercise their ingenuity and introduce new ideas can companies create a culture of trust and risk-taking to drive innovation. E&C speaking up campaigns should not happen in isolation, but become part of a larger effort to encourage openness and unleash creativity and innovation.

Companies cannot separate an ethical culture from a high-performance culture. LRN's recent HOW Report, a survey of over 36,000 employees across 18 countries, affirms that a values-based culture does not detract from high performance, but instead provides a competitive advantage. Our research shows a direct correlation between the strength of a values-based, self-governing culture and innovation. Ninety-two percent of organizations that exhibit a values-based culture experience higher levels of innovation than their competition.

Only by inspiring employees to speak up about problems, exercise their ingenuity and introduce new ideas can companies create a culture of trust and risk taking to drive innovation.

Advice for the CEO and Board


Organizations can only thrive with mutual trust among and between executives, managers and staff. Trust drives risk-taking, innovation and growth. Leaders must consistently earn and extend that trust, making employees more comfortable and less reticent about sharing ideas, raising concerns and speaking up about troublesome behavior or business practices.


THEME 03: Building More Holistic Internal Governance
Key Insights


Chart: To Whom Does the E&C Function Directly Report? Ranked by percentage of respondents (n=162).
General Counsel/Law: 57%
The remaining categories (CEO, Audit Committee of the Board, Other C-Suite Executives, Other Board Committees, Human Resources, Finance, Risk, Internal Audit, Other) account for 15%, 12%, 5%, 4%, 2%, 2%, 1%, 1% and 1%; the bar labels for these values are not legible in this copy.

Ongoing Legal Supervision. A sizeable majority of E&C functions (57 percent) continue to report to the office of the General Counsel, but more than 1 in 4 report directly to the CEO or the Audit Committee. Regardless of organizational lines, three-quarters of ethics and compliance leaders consider the functional relationship with Legal critically important to their program's effectiveness, even more than E&C's relationship with the CEO and the Board of Directors.

Increased Importance of Other Partnerships. While still strongly bonded to the legal and audit functions, E&C leaders increasingly are forging strong partnerships with other vital parts of their organizations. Forty-one percent now are convinced that working with Human Resources is critical to the effectiveness of the ethics and compliance program, compared with only 28 percent in the 2011 survey. As companies struggle to adapt to a volatile risk environment, nearly a third of E&C leaders believe that strong collaboration with the Risk function is now critical. Only one in five felt that way a year ago. However, surprisingly few E&C leaders (about one in seven) regard relationships with Environmental and Social Responsibility groups as very important, despite a shared mandate to promote responsible performance.

While still strongly bonded to the legal and audit functions, E&C leaders increasingly are forging strong partnerships with other vital parts of their organizations.

The appendix offers a detailed overview of all relevant data collected in the survey.


THEME 03: Building More Holistic Internal Governance
Key Insights

Chart: Range of E&C Metrics Reported to the Board. Ranked by percentage of respondents (n=141).
Helpline and Investigation Data Trends: 85%
Code of Conduct Violations: 78%
Education Completion Rates and Certification: 70%
Relevant Regulatory Developments: 70%
Results of Compliance Audits: 65%
Key Risk Assessment and Mitigation Plans: 63%
E&C-Related Dismissals: 53%
Ethical Culture Survey Results: 46%
Year-Over-Year Trends on E&C Program Effectiveness: 43%
We Do Not Report Metrics to the Board: 6%
Other: 1%

The Limitations of E&C Metrics. Sixty percent of ethics and compliance leaders report to the Board of Directors four or more times a year. They report primarily on calls to helplines, Code of Conduct violations, investigations and education completion rates, and update the Board on risk and regulatory developments. But the E&C chiefs tend to stick with these top-line metrics. Fewer than half present results of employee ethical culture surveys or report year-over-year trends on the effectiveness of their ethics and compliance programs.

While reporting key metrics to the Board has improved transparency into corporate behavior, E&C leaders strongly believe that their current dashboard is inadequate. In a recent LRN poll, five out of six indicated that rethinking how and what they measure could significantly increase the effectiveness of their programs. Their own desire for more and better information meshes with the Board's insistence on strengthening oversight in response to significant governance failures that may have contributed to the financial crisis. Yet few Boards (only one in 10) have an independent director who is a current or former ethics and compliance officer. This exacerbates the already substantial knowledge mismatch with management and creates a bias towards financial controls and compliance versus corporate integrity and responsible conduct as the main levers to foster and sustain ethical practices.

Chart: Does Your Board Include a Former or Present E&C Officer? Ranked by percentage of respondents (n=140).
Yes: 10%
No: 90%

While reporting key metrics to the Board has improved transparency into corporate behavior, E&C leaders strongly believe that their current dashboard is inadequate.

The appendix offers a detailed overview of all relevant data collected in the survey.


THEME 03: Building More Holistic Internal Governance

2012 Recommendations
Contrasting E&C and Legal Mandates. Fifty-eight percent of leaders surveyed believe that the primary mandate for the E&C program is to ensure ethical behavior and drive alignment between business conduct and values, not merely to abet legal and regulatory compliance. While most work under the umbrella of Legal, E&C leaders should not dilute their program into a legal support function, but always be the voice for doing the right thing and, when needed, challenge narrowly technical views on whether senior management decisions are legal. In addition, while leaning on Legal's expertise on statutes and regulations, E&C leaders should recognize that theirs is first and foremost a managerial role. They should invest heavily in their staffs' business partnership competencies, including a more intimate grasp of business strategy and operations.

Toward a Single Governance Model. One root cause of the financial crisis was the opaque governance structure of many firms, characterized by diffused ownership for risk, lack of collaboration, and broken information flows that prevented early detection and mitigation of problems. Companies have conditioned themselves to the practice of adding functions and committees to address new risks, resulting in significant organizational complexity, where Legal, Ethics & Compliance, HR, Investor Relations, Security, Risk, Audit, CSR, Sustainability and Safety departments all claim responsibility for managing corporate conduct and reputation. LRN believes that companies are best served by pursuing a systemic, holistic approach to the governance of business conduct. Any further regulatory reform should not be used by companies as an excuse to reinforce compartmentalization, but instead should challenge organizations to shake up existing management practices and create a more integrated model for governing business conduct and ensuring sustainable performance.

Almost all business risks are intertwined; seemingly small matters can cascade into a torrent of trouble in both the marketplace and the regulatory arena. Rather than accepting the back seat, E&C leaders must take the lead in rethinking internal governance models and making corporate culture a key strategy for inspiring the right behaviors inside their companies.

Any further regulatory reform should not be used by companies as an excuse to reinforce compartmentalization, but instead should challenge organizations to shake up existing management practices.

Advice for the CEO and Board


Existing management practices cannot keep up with the toxic interplay of volatile risks in today's business environment. Leadership has the responsibility to rethink compartmentalized internal governance approaches and establish an integrated, collaborative model that facilitates and ensures appropriate business conduct.


THEME 04: Making Culture a Corporate Strategy
Key Insights

Chart: The Principal Benefits of Promoting an Ethical Culture. Ranked by percentage of respondents (n=137).
Long-Term Value of the Business: 77%
Compliance with Rules and Regulations: 74%
Employee Commitment to Mission and Values: 65%
Inspiring Principled Performance: 47%
Employee Engagement in Their Day-to-Day Work: 42%
Disruptive Innovation and Continuous Business Reinvention: 4%
We Don't Believe That There Are Benefits: 1%

Culture as a Performance Driver. Three-quarters of E&C leaders believe that an ethical culture does double duty. It contributes to long-term business performance and encourages compliance with rules and regulations. A positive and principled business culture pays immediate dividends by bolstering employee engagement in their day-to-day work and inspiring high performance.

Bridging a Disconnect Between Ethics & Compliance and the Business. While ethics and compliance leaders are the standard bearers for ethical business behavior and practices within their organizations, their ability to inspire principled performance and foster a strong ethical culture is limited. Among the barriers:
- The C-suite is still coming around slowly to the belief that elevating culture and business values is a corporate priority (43 percent in 2012 compared to 41 percent in 2011).
- One in three E&C leaders feels hamstrung by the lack of appreciation for how ethical culture can be a business driver.
- By a margin of almost 3 to 2, the leaders said business outcomes carry more weight than ethical behaviors in performance evaluations.

Chart: Does Your Company Give Behaviors (e.g., Integrity, Service) the Same Amount of Weight as Business Outcomes in Performance Evaluations? Ranked by percentage of respondents (n=155).
No, Higher Weight to Behaviors: 6%
Yes, Same Weight to Behaviors: 43%
No, Lower Weight to Behaviors: 52%

The appendix offers a detailed overview of all relevant data collected in the survey.


THEME 04: Making Culture a Corporate Strategy
Key Insights

Chart: Drivers of Culture Within the Organization. Ranked by percentage of respondents (n=135).
Ethics and Compliance: 75%
C-Suite: 74%
Human Resources: 54%
Operations (e.g., Business Unit VPs): 46%
Corporate Communications: 41%
Other: value not legible in this copy (the figures 4% and 7% appear in the extracted chart without a readable label)

Further barriers:
- Despite high levels of satisfaction with their E&C education and communications programs, fewer than half the leaders believe that these efforts have a high (4 percent) or moderately high (38 percent) impact on employee behavior and ethical decision making.
- There's a disconnect between continuing education on ethical behavior and practice and how companies measure and reward job performance; only 40 percent of companies integrate E&C objectives into their performance and compensation reviews.
- Most E&C leaders lack a seat at the table on promotion decisions. Only one in four CEOs listens to what their E&C chief has to say about the performance of senior managers.

Culture's Many Masters. While the C-Suite (74 percent) assumes ownership of corporate culture, other functions, such as Ethics and Compliance (75 percent), Human Resources (54 percent), Operations (46 percent) and Corporate Communications (41 percent), also claim to be key drivers of culture. This fragmentation suggests that companies are struggling to forge a single definition of culture (whether it's corporate culture or an ethical culture) and therefore fail to create an integrated approach.

This fragmentation suggests that companies are struggling to forge a single definition of culture (whether it's corporate culture or an ethical culture) and therefore fail to create an integrated approach.

The appendix offers a detailed overview of all relevant data collected in the survey.


THEME 04: Making Culture a Corporate Strategy

2012 Recommendations
Identify Cultural Stewards. Simply defined, culture is the sum total of the behaviors of the individuals who make up an organization. And it's these very behaviors (how decisions are made, how people are treated, how things really work) that drive important business outcomes. While everyone in the company owns culture, senior leaders need to find common definitions and goals and identify stewards at all levels of the organization. Fragmented ownership of culture can lead to a lack of accountability. Clearly identify who within the firm should steer culture, whether it's within the C-Suite or in the hands of a cross-functional committee.

Get Deliberate and Intentional About Culture. A strong, purposeful, values-based culture can perform double duty. Culture can help manage downside risk by discouraging unwanted behaviors. Culture can also inspire desirable behaviors that produce sustainable competitive advantages. In other words, organizations can deliver superior business results through principled performance by outbehaving the competition. But an ethical culture is not created by happenstance. It is deliberately crafted at many levels of the organization under the guidance of leaders who hardwire it into the processes and practices by which business gets done. To make ethical considerations truly central to operations, ethics and compliance must expand beyond education and communication to encompass the wide variety of corporate practices, including:
- Performance appraisals
- Promotion and recruiting practices
- What is celebrated, rewarded and punished
- Customer services
- Sales training
Advice for the CEO and Board
Treat the company's ethical culture and values as a deliberate strategy to lead the business and reconnect with employees, customers, suppliers and society. The journey starts by assessing the company's cultural baseline and defining values-based behaviors, then moves towards catalyzing and inspiring new ideas, engaging the workforce, and embedding and sustaining change. Culture, when created intentionally and driven into all the ways business gets done, can create a lasting competitive advantage in the marketplace.

Clearly identify who within the firm should steer culture, whether it's within the C-Suite or in the hands of a cross-functional committee.


THEME 05: Creating Universal Norms and Values
Key Insights

Chart: Obstacles to Building a Strong Ethical Culture. Ranked by percentage of respondents (n=131).
Organizational Complexity (e.g., Global, Functional Silos): 69%
Lack of Support by Middle Management: 40%
Lack of Appreciation of Culture as a Business Driver: 36%
Lack of Clear Accountability: 26%
Inability to Identify Which Incentives Enhance Culture: 21%
Lack of CEO/Board Sponsorship: 8%
Other: 8%

A Global Focus. Global expansion, most notably in emerging markets, is a top 2012 corporate priority, up from 39 percent to 52 percent in a single year. In step with that development, 61 percent of E&C leaders embrace building a more consistent, global E&C program as a key goal. And with good reason: almost 70 percent perceive organizational complexity (e.g., global operations and siloed functions) as the biggest obstacle to promoting a company-wide ethical culture. That is a 10-point jump from last year's survey. Also troubling are lack of support by middle management (40 percent) and lack of appreciation for culture as a business driver (36 percent).

Opportunities and Risks in Emerging Markets. As companies rely more on revenue from international growth, global complexity will only increase, and deviations from corporate standards will become more pronounced. Half the leaders see troubling microcultures in sales, emerging markets and middle management. The E&C risk factors of topmost concern overseas are:
- Acceptance of corrupt business practices (64 percent)
- Fear of speaking up (57 percent)
- Local cultural norms and traditions at variance with how things are done at home (53 percent)

Chart: E&C Risk Factors of Most Concern in Emerging Markets (e.g., China, India, Brazil, Russia). Ranked by percentage of respondents (n=129).
Acceptance of Corrupt Business Practices: 64%
Employees' Fear of Speaking Up: 57%
Local Cultural Norms and Traditions: 53%
Remaining bars: 50%, 32%, 30%, 28%, 23%. Their labels, which include Use of Third Parties, Uneven Regulatory Enforcement, Limited Effectiveness of Internal Controls and Resistance of Local Management to Corporate Standards, cannot be matched to individual values in this copy.
The appendix offers a detailed overview of all relevant data collected in the survey.


THEME 05: Creating Universal Norms and Values

2012 Recommendations
Promote Universal Norms and Values. With the increased focus on globalization, the urgency of developing a universal set of values and norms for the company has never been greater. A uniform code of good business behavior sets a consistent framework for making ethical decisions and delivering on quality, both significantly contributing to a firm's reputation and long-term sustainability. The starting point is making sure that the firm's values and Code of Conduct are relevant for international audiences and, if they are not, determining how to make them so. Cascading the values and Code through targeted education and communications will help employees to make consistent and ethical decisions, whether in Peoria or Pretoria, Oklahoma City or Osaka.

Let the E&C Program Take Root Locally. Partner with ethics champions who have credibility in remote locations. Enlist them to deliver the E&C program locally, and work closely with them to ensure that corporate priorities are congruent. In group meetings, lectures or manager-led training, encourage discussions on ethics and compliance that are tailored to local laws, scenarios, and traditions. However, this is only part of the equation. There must be a two-way dialogue with corporate leaders. Enlist these local ethics champions to provide critical, on-the-ground feedback from employees that can be leveraged for E&C risk assessments and enhanced engagement.

Insights from LRN's The HOW Report:

LRN's recent global survey of over 36,000 employees across 18 countries finds that 88 percent of employees who are comfortable reporting observed misconduct experience a strong values-based culture in their organization and direct work environment.

Advice for the CEO and Board


Evaluate how local operations interpret and act on the company's values and Code of Conduct. Understand that doing the right thing might mean something different in emerging markets compared to developed economies, while there are also substantial differences among emerging markets, most notably Brazil, Russia, India and China. Instead of investing in more compliance controls, focus on building local E&C programs that can bring the company's values and Code of Conduct to life in a relevant manner and provide headquarters with real-time insights on business risks and opportunities.


THEME 06: Understanding Risk Blind Spots
Key Insights

Chart: Top Challenges Associated with Conducting Effective E&C Risk Assessments. Ranked by percentage of respondents (n=130).
Inadequate Resources: 46%
Integration into Firm's Process/Culture: 40%
Lack of Formal Processes: 34%
Insufficient Technology: 23%
Regional Variations: 23%
Lack of Common Terms and Methodology: 20%
Lack of Functional Collaboration: 20%

Structural Barriers to Effective Risk Management. Ethics and compliance leaders cite inadequate resources, lack of formal processes, and insufficient technologies as the three biggest challenges they face in conducting risk assessments. Such concerns suggest that it is still difficult for many to make a convincing business case for formal, periodic E&C risk evaluations. Forty percent of E&C leaders struggle to integrate risk assessments into their firm's procedures and culture, suggesting inadequate cross-enterprise collaboration and an absence of shared accountability across the business for E&C risk awareness, escalation and mitigation.

A Distorted View of Risk. Analysis of Audit Findings, Helpline Metrics and Code of Conduct Violations is important, but only paints a partial picture of ethics and compliance risks. Increasingly, in highly dynamic global risk environments, effective E&C risk management involves leveraging a broad range of expertise and perspectives capable of yielding insights that are both strategic and predictive. Only a minority of respondents consider the dynamic nature of business and connect directly with relevant populations to learn about emerging risks. For example, only 39 percent interview management to identify hidden risks; fewer still consider feedback from customers (36 percent) and suppliers (23 percent), who may have valuable insights into the likelihood or actual occurrence of misconduct.

Chart: Inputs Used to Assess E&C Risks. Ranked by percentage of respondents (n=131).
Audit Findings: 92%
Code of Conduct Violations: 87%
Data About Reported Misconduct: 85%
Employee Reporting: 72%
Legal Proceedings: 65%
Business Strategy & Operational Changes: 63%
Regulatory Enforcement Trends: 63%
Employee Surveys: 63%
Management Interviews: 39%
Customer Feedback: 36%
Financial Performance Data: 28%
Supplier Feedback: 23%
Other: 5%

The appendix offers a detailed overview of all relevant data collected in the survey.


THEME 06: Understanding Risk Blind Spots

2012 Recommendations
Create an Early Warning System. While historical data and other lagging indicators matter, they are no substitute for actively learning from the business and current practices. Structured interviews and employee focus groups at multiple locations are the best way to gather real intelligence about emerging risks. Whenever possible, ethics and compliance leaders need to engage front-line managers, subject matter experts and employees at different levels to capture hidden pockets of risk. More importantly, they need to enlist business partners across the organization to act as an early warning system, providing alerts about shifting regulatory expectations and spotlighting ingrained business practices that raise ethical questions in light of changing industry standards.

Spot Hidden Drivers of Unethical Conduct. While companies have made significant investments in ethics and compliance programs and risk management capabilities, unethical and noncompliant behavior in business remains widespread. New research suggests that cognitive biases and existing business systems may inadvertently create dangerous blind spots that lead to significant ethical and compliance breakdowns. Max Bazerman and Ann Tenbrunsel, the authors of Blind Spots: Why We Fail to Do What's Right and What to Do About It (Princeton University Press, 2011), identify five main biases:

1. Ill-Conceived Goals: Companies establish goals and incentives to promote desired organizational behavior, but the same goals may unintentionally drive negative behaviors.
2. Motivated Blindness: Employees overlook the unethical behavior of colleagues when it is in their self-interest to minimize or ignore it.
3. Indirect Blindness: Employees hold others less accountable for unethical behavior when it is carried out through third parties, such as suppliers or vendors.
4. The Slippery Slope: Employees are less able to see others' unethical behavior when it develops gradually.
5. Overvaluing Outcomes: Companies sometimes give a pass to unethical behavior when the outcome is profitable or desirable in other ways.

Rather than investing in more controls, E&C leaders should develop training that teaches the importance of ethical decision making and raises awareness of unintentional yet unethical behaviors.
2011-2012 ETHICS & COMPLIANCE LEADERSHIP SURVEY REPORT. © 2012 LRN CORPORATION. ALL RIGHTS RESERVED. Page 20


Advice for the CEO and Board

Leadership must carefully evaluate its own unintentional ethical blind spots in the management of the business, especially in its annual goal setting. To surface these "unknown unknowns", it must engage the full organization as an early warning and awareness system.

Theme 07: Addressing Critical Risks

Key Insights


Key E&C Risks Identified in Risk Assessment Process (ranked by percentage of respondents, n=131; scale: 1 = Low Priority, 5 = High Priority)

Conflicts of Interest                  67%
Bribery & Corruption                   65%
Gifts and Entertainment                65%
Data Privacy                           63%
Electronic Data Protection             62%
Environment, Health and Safety         55%
Government Contracting                 49%
Labor and Employment                   48%
Trade Controls                         48%
Antitrust                              47%
Supply Chain                           43%
Intellectual Property                  37%
Records Management                     33%
Social Media                           33%
Society, Community and Government      32%
Insider Trading                        28%
Money Laundering                       15%

Electronic Data Protection, Data Privacy, Conflicts of Interest and Bribery & Corruption are the top 2012 ethics and compliance risks. These areas were the top 2011 and 2010 risks as well. Why are they so persistent?

Conflicts of Interest, including the violation of Gifts and Entertainment policies, are a perennial top risk because every employee in the company may face opportunities and temptations. The wide range of possible conflicts of interest across all industries, from the temptations of gift giving and receiving to the hiring of family and friends, means that employees are making frequent ethical (or unethical) decisions, sometimes about things they regard as trifles. Even in the absence of major transgressions, multiple minor ethical lapses can have a corrosive effect on the corporate culture and may become a gateway to more serious violations. Further complicating matters is the difficulty of setting a universal standard on the issue. What might constitute obvious misbehavior at headquarters or in the home market may be accepted practice in another culture. Indeed, leaders cite the acceptance of corrupt business practices and navigating local cultural norms and traditions as the biggest risk factors in emerging market operations.

Bribery & Corruption are considered a top risk by 65 percent of ethics and compliance leaders. That is congruent with the continued, vigorous enforcement of the U.S. Foreign Corrupt Practices Act (FCPA) as well as slow but steady advances internationally in fighting corruption. As welcome as these crackdowns are, they also broaden the scope and severity of corruption and bribery risk for global companies and organizations. The challenge ahead will be to build and maintain effective programs that monitor and capture relevant laws, reconcile differences and, above all, communicate standards, expectations and knowledge to an increasingly diverse workforce.

The appendix offers a detailed overview of all relevant data collected in the survey.

Data Privacy and Electronic Data Protection remain top E&C risks as companies grapple with the proper use of employee information and customer data in fast-changing, interconnected regulatory and business environments. The risk of viral and damaging information leaks will only increase as the social media phenomenon intensifies, making it even more necessary to impress upon employees the importance of safeguards and the proper treatment of data. The ongoing cyber attacks against companies across industries also reinforce the gravity of the threats to confidential data.

Social Media is currently considered a top risk by only a third of respondents, but it is likely to rise in importance over the next few years simply because its use makes organizational and individual behaviors hypertransparent, acting as an amplifier for many other E&C risks, including antitrust and records management. Moreover, as companies increasingly look to social networks to market products and to engage with customers and other stakeholders, the tension between data privacy and the demand for transparency will only deepen.

2012 Recommendations
Develop a Mindset of Shared Risk Accountability. As the risks emanating from relentless business and regulatory change are nearly limitless, E&C leaders and their peers in Legal need to share ownership of risk identification and mitigation with the business. Holding business leaders accountable for E&C risk assessment and management reinforces a culture of responsiveness and drives better operational outcomes, because their teams gain a much deeper understanding of the risks associated with such core business operations as manufacturing, engineering, research & development and sales.

Promote a Culture of Sensitivity about Data Privacy. Data privacy and data protection require fluid and complex standards regarding employee behavior in the treatment of company and customer information. Create a culture of sensitivity through enterprise blogs and manager-led campaigns that clearly explain the intent of the requirements and the consequences of missteps, especially in the exploding social media space. E&C leaders should make clear to employees what is in bounds and what is out of bounds when they use these new channels on behalf of the company, and even provide guidance about references to their employer in personal communications.

Unlock Trapped Risk Information. Many allegations of misconduct, specifically those involving bribes and conflicts of interest, never reach the E&C office through the helpline or otherwise, but are shared formally or informally with local managers or HR representatives. This critical information remains hidden from view and impervious to systemwide reform because managers often attempt to resolve issues locally. A key tactic to help unlock this information is to launch management training that addresses how to effectively treat, triage and report up employee concerns. It is critical that employees feel comfortable raising concerns with, and seeking guidance from, their local managers, since this supports a culture of transparency and trust; the point is that managers must recognize when and how to escalate matters or seek guidance themselves.


Advice for the CEO and Board

Make data privacy, conflicts of interest and corruption risks part of your continuous dialogue with the company's upper echelon. Explain why these risks matter to the performance of the business and how constant sensitivity and ethical decision making can prevent significant breakdowns.

Theme 08: Bringing the Code to Life

Key Insights

Employee Application of the Code on the Job (ranked by percentage of respondents, n=135)

Most of the Time     59%
Sometimes            35%
Not That Often        5%
Always                1%

Lagging Code Practices. Virtually all major corporations and many smaller ones have adopted codes of conduct of some description; however, it would appear that a large majority still view this as a defensive shield, satisfying the requirements of the Federal Sentencing Guidelines for Organizations, the Sarbanes-Oxley Act, stock exchange listing requirements and other mandates. Consequently, many Codes are legalistic in content and tone, without meaningful connection to corporate purpose, values and culture. Only 49 percent of E&C leaders say that their Codes are oriented more towards values than rules. This frequently results in employee cynicism and disengagement. It actually increases levels of risk because employees lack practical, readily accessible guidance on the ethical conundrums that routinely confront them.

The Code's Orientation to Values or Rules (ranked by percentage of respondents, n=132)

Values, Supported by Rules     47%
Values and Rules Equally       25%
Rules, Supported by Values     25%
Values Only                     2%
Rules Only                      2%

Limited Effectiveness of the Code of Conduct. As the central and foundational document for any E&C program, the Code of Conduct is the roadmap for and manifestation of company values. It is a living document that should offer both guidance and inspiration. Unfortunately, even if they are printed in abundance and featured on bulletin boards, many of today's Codes are moribund and have only a marginal impact on inspiring the workforce and engaging employees in a dialogue to build and strengthen corporate culture. Only 60 percent of E&C leaders believe their employees regularly apply their understanding of the Code of Conduct on the job, a decrease of five percentage points compared to last year. Thirty-five percent say employees sometimes use the Code, and 5 percent say they do so infrequently.

Topics Code of Conduct Covers (ranked by percentage of respondents, n=134)

Ethical Decision-Making Guidance    90%
Environmental Responsibility        81%
Community Relations                 69%
Industry-Specific Content           66%
Social Responsibility               53%
Social Media                        41%
Region-Specific Content             17%

Emerging Code Practices. A static document can limit employees' application of the Code on the job. Twenty-two percent of E&C leaders are now using a web-enabled Code to raise awareness and reinforce ethics and compliance, while 69 percent plan to develop one in the near future. Another positive trend is the uptick of content that is not focused on traditional compliance topics. Eighty-one percent of participants' Codes speak to environmental stewardship, 69 percent address community relations and 90 percent offer ethical decision-making guidance.

Ensuring Relevance and Understanding of the Code for International Audiences (ranked by percentage of respondents, n=133)

Translations                                    61%
Regional Subject Matter Review                  24%
Regionally Based Provisions                     23%
We Don't Have International Operations          23%
Localization Reflecting Regional Customs        20%
Employee Focus Groups                           19%
Regionally Based Guidance Tools                 16%
Region-Specific Guides (e.g., Pocket Guide)      8%
Other                                            7%

Lost in Translation. While companies often pride themselves on promoting universal norms and values across their global operations, most are not doing enough to ensure relevance and understanding of the Code for international audiences. During the development or revision of the Code, less than a quarter of companies enlist smaller regional teams or employees to review and give feedback. Furthermore, only 16 percent deploy regionally based guidance tools (e.g., Q&As, scenarios), and a mere 8 percent provide separate regionally specific guides.

2012 Recommendations
Collaborate with Employees on Revising the Code. Leaders must go beyond merely rearticulating their corporate values. They must do the hard work of translating these values into new business practices, leadership styles and real individual behaviors. Revising and deploying the Code is a significant opportunity for E&C leaders to transition from rules-based silos to values-based systems. Employees have been conditioned to see compliance in a negative way, as an inconvenient interruption of their supposedly more important day-to-day business routine. When revising the Code, companies need to enlist these employees in a two-way dialog (blogs, focus groups, etc.) to collaborate on a universal understanding of how values are translated into consistent, ethical behavior throughout the company. With the right content, presentation and tone, a Code of Conduct provides a prominent symbolic and practical focus on risk awareness, behavioral expectations and outcomes. When the Code is expressed in a way that helps employees clearly understand the critical interrelationships between rules, values and sustainable business performance, the avoidance of criminal misconduct is simply one of the many positive business and societal outcomes.

Off the Wall and Into the Hall. In the course of organizational transformation towards a values-based culture, even the best newly revised Code may collect dust without a compelling engagement plan that reaches audiences through a diverse set of educational delivery formats and communications channels. Enlist managers not only to deploy the revised Code, but also to make it part of regular business conversations, staff meetings and operational reviews. Innovating with format is another way to put the Code front and center. An interactive, web-enabled Code engages today's employees in ways that a static document cannot. As a supplement to the Code document and E&C program, it is an interactive platform for employees worldwide. Extending knowledge through video vignettes, wikis, blogs, pop-ups and other dynamic content, a web-enabled Code allows companies to meet their employees where they are, and bring the Code to life.
Advice for the CEO and Board

Make the Code the key instrument to articulate and communicate the company's core values and standards of business conduct. Ensure that it is relevant for globally disparate operations. Engage the business in a regular and meaningful dialog about applying the Code. Refer to its principles when announcing major corporate decisions and initiatives.

Theme 09: Re-engaging Fatigued Employees

Key Insights
Top Challenges Associated with Providing E&C Education (ranked by percentage of respondents, n=130)

Online Education Fatigue                        59%
Relevance of Education to Day-to-Day Work       49%
Technology Constraints                          34%
Cultural Differences in Global Locations        32%
Limited Financial Resources                     27%
Regulatory Differences in Global Locations      15%
Functional Resistance                           12%

Losing Your Audience. As E&C education and communications programs remain static and status quo, it is not surprising that the efforts of E&C leaders are having a limited impact on galvanizing employee attention and commitment. Many employees are disengaged. E&C leaders cite relevance of education to day-to-day work and online education fatigue as the top challenges for their education programs. The learning strategy needs to shift from input to output: consider the learning objectives relevant for your audience, identify the knowledge that is most critical for the learner, and deliver it with practical guidance. Online education remains the primary lever at E&C professionals' disposal. More than three-quarters of companies deploy online education across the employee base. But the time allotted to deploy this education is minimal. More than two-thirds of leaders said they have three hours or less of employee time each year to deliver ethics and compliance education, a small window in which to impart critical knowledge and reinforce the right behaviors.

A Broad Brush. The most common educational strategy, employed by 91 percent of companies, is to rely on standard, enterprise-wide ethics and compliance instructional programs. While companies are focusing more on targeting knowledge to employees compared to last year, only 56 percent of respondents roll out functionally based education, and 58 percent deliver education based on specific job roles.

Targeting E&C Education and Communications (ranked by percentage of respondents, n=131)

Enterprise-Wide     91%
Role-Based          58%
Functional          56%
Activity-Based      37%
Regional            31%

Percentage of Employees Receiving Various Educational Delivery Formats (ranked by percentage of respondents, n=130)

Online (e.g., eLearning Module)                                76%
Classroom (e.g., Instructor-Led Sessions)                      18%
Other                                                           7%
Experiential Learning (e.g., Facilitated Group Discussions)     6%
Mobile Devices                                                  1%

The Rusty Toolkit. Compared to years past, it is fair to say that employees are experiencing chronic online fatigue. E&C leaders may be relying on online education as a "check the box" crutch. This sluggishness to adopt innovative delivery methods is evidenced by the fact that only 18 percent of employees receive classroom-based education. Facilitated workshops are even rarer (6 percent). Another telling point is that only 6 percent of E&C leaders are leveraging social media to raise awareness and reinforce ethics and compliance issues. Fewer than half measure the impact of their education and communications efforts on employee behavior, and only a third measure organizational impact.

2012 Recommendations
Engaging and Inspiring Employees. The road to effective and engaging ethics education has an entirely different look these days. Continuously evolving technology and the entrance of a resourceful, more tech-savvy generation into the workforce require companies to innovate in the delivery of ethics and compliance communications and education content. Below are 10 ways to engage and inspire employees:

1. Integrate: Align all elements and channels together in a collaborative, coordinated package.
2. Offer Variety: To inspire principled behavior, vary the means and channels of learning in a multidimensional approach.
3. Sustain an Environment: Go beyond messages, and provide an atmosphere of principled behavior.
4. Socialize: Create a community and employ the collective intelligence and involvement of others by using social media capabilities.
5. Communicate: Keep your messages front of mind by utilizing online and network technologies, and knowledge services.
6. Promote Experience: Encourage peer group discussions that let colleagues apply what they've learned and build tone in the middle.
7. Be Positive: Stress do's, not don'ts. Show how to do the right thing and positively reinforce the right behavior.
8. Entertain: Engage with strong storytelling and consider your audience. Frame the message creatively through suspense, humor and surprise and, above all, with high production quality.
9. Think Short/Deliver Often: Don't do it all at once. Multiple brisk, well-structured lessons or key messages that build on each other convey more information than one long one. They also cement learning by keeping messages top-of-mind and creating knowledge leaders.
10. Get Relevant: Know your audience. Match education to job roles, geography, culture and settings, so colleagues think, "This is about me."

Advice for the CEO and Board

Do not treat ethics and compliance education as a technical requirement, where scale matters more than quality. Innovate and diversify the education experience by leveraging multiple delivery formats. Integrate ethics and compliance training into longstanding workplace education and management development programs.

Theme 10: Shifting the Tone in the Middle

Key Insights


Business or Functional Areas of Greatest Concern in Promoting a Strong Ethical Culture (ranked by percentage of respondents, n=132)

[Chart: the three areas cited most often are Sales (53%), Operations (51%) and Emerging Markets (45%). The remaining areas shown are Middle Management, Joint Ventures, Senior Management, Accounting/Finance, Procurement, Communications, External Affairs, Customer Services, Information Technology and Other, with reported values ranging from 28% down to 8%.]

The Top Not Affecting the Middle. Fewer than one in four E&C leaders have misgivings about senior managers' commitment to demonstrating and promoting ethical conduct, but almost half harbor concerns about middle management, and 40 percent consider the lack of support by middle management among the biggest obstacles to building a strong ethical culture. There can be a crucial disconnect between the message employees hear from the top and what they hear from the person directly above them. Senior leadership may be saying the right things, but their effectiveness in leading by example is limited. When employees are asked who sets the ethical tone for them, most will identify their immediate supervisor, not the CEO or the Board. That conclusion is reinforced by the finding that many companies (47 percent) do not formally recognize or celebrate acts of ethical leadership. Furthermore, fewer than half (46 percent) leverage team meetings to raise awareness and reinforce ethics and compliance.

2012 Recommendations
Managers as Values Exemplars and Ethics Envoys. Many companies have discovered that having a Code of Conduct, annual ethics training, a helpline and the other standard features of an ethics and compliance program is not enough to drive values deeply down into the organization and effect lasting culture change. What's often missing is the power and influence of managers. To manage integrity risk well, companies need to take a risk. How so? By trusting managers and employees and putting the responsibility for ethics learning, and ethical culture building, into their hands. Make a concerted effort to co-opt middle managers to deliver ethics and compliance education with a tone-in-the-middle program that empowers them to act as moral exemplars and ethics envoys to their teams. This is an effective way to advance four organizational goals:

1. Building a stronger ethical culture
2. Mitigating integrity risks
3. Enhancing reputation
4. Improving business performance

Face-to-face engagement between managers and employees is the surest way to foster real behavioral change. Whether in team meetings, facilitated discussion or other experiential learning methods, middle managers are the linchpin to moving the company's culture beyond compliance to ingrained habits of self-motivated, values-based action.
Advice for the CEO and Board

Senior executives need to inspire middle managers with a compelling vision of how a stronger ethical culture will contribute to sustained success. Leaders and managers, not E&C staff, are the ones who can best convey this message. They can also break up troubling microcultures. Leverage the power of example: managers are the face of the company, and their influence with direct reports is substantial. Employees report ethics issues to their managers, so the tone managers set makes all the difference. Consider an experiential learning strategy that targets tone in the middle. Invite executives to share stories of leadership in action, making values-based decisions despite challenging circumstances.

About the Contributors


Friso Van der Oord
As Knowledge and Solutions Leader, Friso van der Oord leads all of LRN's Alliances, dedicated online portals to support ethics and compliance leaders, sustainability directors and chief learning officers. In addition, he contributes to the company's thought leadership across various channels and actively participates in the firm's governing councils to drive effective execution of company strategy. friso.vanderoord@lrn.com 646.862.2040

Mark Helmkamp
Mark Helmkamp leads LRN's Code of Conduct Services and AIM (Activity & Interactions Mapping), a solution that targets relevant knowledge to employees. As Knowledge and Solutions Leader, he leads advisory services engagements, contributes to LRN's thought leadership, and participates in one of the firm's governing councils to drive effective execution of company strategy. mark.helmkamp@lrn.com 310.209.7016

Appendix: Table of Contents

Chapter 1  Demographics
Chapter 2  Budgeting, Staffing and Priorities
Chapter 3  Ethics and Compliance Program Management
Chapter 4  Culture, Leadership and Values
Chapter 5  Risk Assessment and Management
Chapter 6  Education and Communications

For additional benchmarking and analysis, visit the Ethics & Compliance Alliance, LRN's online portal dedicated to supporting E&C leaders with expert advice and program management tools, at https://eca.lrn.com.

Appendix: Demographics
Seniority in Role (ranked by percentage of respondents, n=174)

Chief Ethics & Compliance Officer       29%
Senior Member of the E&C Function       26%
Other                                   25%
Senior Member of the Legal Function     14%
General Counsel                          6%

Primary Industry (ranked by percentage of respondents, n=174)

Energy & Utilities                          16%
Manufacturing                               14%
Other                                       13%
Financial Services                           7%
Insurance                                    7%
Aerospace & Defense                          6%
Food, Beverage, Tobacco & Agriculture        6%
Consumer Products & Services                 5%
Pharmaceuticals & Biotechnology              5%
Chemicals                                    3%
Electronics                                  3%
Health Care                                  2%
Leisure & Hospitality                        2%
Media, Music, Publishing & Broadcasting      2%
Retail                                       2%
Business Services                            2%
Computers                                    2%
Telecommunications                           2%
Automotive & Transportation                  1%
Construction & Real Estate                   1%
Total                                      100%

Full-Time Employees (ranked by percentage of respondents, n=174)

[Chart: respondent companies fall into five size bands (Under 2,500; 2,500-7,500; 7,500-15,000; 15,000-50,000; More Than 50,000 employees); the reported shares of the bands are 32%, 22%, 18%, 15% and 13%.]

Primary Headquarters (ranked by percentage of respondents, n=174)

North America                 90%
Europe                         8%
Asia Pacific                   1%
Central and South America      1%
Other                          1%

Appendix: Budgeting, Staffing and Priorities


Current Size of Annual E&C Budget (ranked by percentage of respondents, n=173)

More than $1.5M       31%
$500K to $1.5M        22%
$100K to $250K        17%
$250K to $500K        16%
Under $100K           14%

Projected 2012 E&C Budget Trajectory (ranked by percentage of respondents, n=172)

[Chart: responses fall into nine bands: Increase by 1%; Increase by 2% to 5%; Increase by 6% to 9%; Increase by More Than 10%; Remain Unchanged; Decrease by 1%; Decrease by 2% to 5%; Decrease by 6% to 9%; Decrease by More Than 10%. The largest single band accounts for 53% of respondents; the remaining bands are 22%, 9%, 6%, 4%, 2%, 1%, 1% and 1%.]

Projected 2012 E&C Budget Allocation (average, not including salaries and benefits; n=172)

Education and Communications     27%
Administration                   14%
Consultants                       9%
Technology                        8%
Investigations                    8%
Travel and Entertainment          7%
Risk Management                   6%
Other                             5%

Industries with the highest frequency of budget increases: Energy & Utilities, Financial Services, Manufacturing, Aerospace & Defense, Health Care.

Current Number of Full-Time E&C Employees (ranked by percentage of respondents, n=170)

2 to 9 Employees            55%
0 to 1 Employee             18%
More Than 50 Employees      12%
10 to 24 Employees          11%
25 to 50 Employees           4%

Projected 2012 E&C Staffing Changes (ranked by percentage of respondents, n=170)

[Chart: responses fall into seven bands: Increase by 1 Employee; Increase by 2 to 5 Employees; Increase by 6 to 9 Employees; Increase by 10 or More Employees; Remain Unchanged; Decrease by 2 to 5 Employees; Decrease by 6 to 9 Employees. The largest single band accounts for 69% of respondents; the remaining bands are 15%, 9%, 2%, 2%, 1% and 1%.]

Industries with the highest frequency of employee increases: Aerospace & Defense, Financial Services, Energy & Utilities, Insurance, Manufacturing.

Appendix: Ethics and Compliance Program Management


To Whom Does the E&C Function Directly Report? (ranked by percentage of respondents, n=162)

[Chart: General Counsel/Law is by far the most common reporting line at 57%, followed by the CEO (15%) and the Audit Committee of the Board (12%). The remaining reporting lines shown are Other C-Suite Executives, Other Board Committees, Human Resources, Finance, Risk, Internal Audit and Other, with shares of 5%, 4%, 2%, 2%, 1%, 1% and 1%.]

Industries with the highest level of E&C functions that report to the CEO: Health Care, Manufacturing, Aerospace & Defense, Pharmaceutical & Biotechnology, Other.

Importance of Functional Relationships to the E&C Program's Effectiveness (ranked by percentage of respondents, n=158; scale: 5 = Very Important, 1 = Not Important; responses 4 and 5 aggregated)

[Chart: functions rated include Internal Audit, Board of Directors, Human Resources, Risk, Finance, Corporate Communications, Information Technology, Corporate Security, Environmental Responsibility, Marketing & Sales, Corporate/Social Responsibility and Other. Aggregated ratings run from 96% for the most important relationship down to 37% for the least.]

Home

Executive Summary

01

02

03

04

05

06

07

08

09

10

Appendix

Appendix: Ethics and Compliance Program Management

Primary Mandate of the E&C Program
Ranked by Percentage of Respondents (n=156)
[Pie chart with two segments, Ensuring Ethical Behaviors and Alignment with Core Values and Ensuring Compliance with Rules and Regulations; values shown 32% and 68%.]

Perceived Effectiveness of the E&C Program
Ranked by Percentage of Respondents (n=158)
Scale: 1 = Low Effectiveness, 5 = High Effectiveness; aggregate percentage: 4 = High-Moderate Effectiveness, 5 = High Effectiveness
Categories: Corporate Overseer (e.g., focusing on controls, risk management and investigations); Conscience (e.g., promoting an ethical culture through education and addressing employee concerns); Business Enabler (e.g., providing advice/counsel enabling better decision making); I Don't Know
[Bar chart; values shown 71%, 67%, 58%.]

Frequency of E&C Program Assessments
Ranked by Percentage of Respondents
[Pie chart; categories: Yearly, On a Need Basis (e.g., New Legislation, Lawsuits), Every Other Year, Never, Other; values shown 44%, 25%, 14%, 8%, 5%, 4%; the pairing is not recoverable from the extracted text.]

Industries that perceive that their E&C program is very effective in corporate conscience: Energy & Utility, Manufacturing, Financial Services, Retail, Other

Appendix: Ethics and Compliance Program Management

Top 2012 Corporate Priorities
Ranked by Percentage of Respondents (n=147)
Growth: 67%
Innovation: 53%
Cost Reduction: 52%
Emerging Markets Expansion: 52%
Customer Service: 43%
Culture and Business Values: 43%
Employee Engagement: 41%
Leadership Development: 39%
Risk Mitigation: 37%
Cash Management: 34%
Sustainability: 34%
Mergers and Acquisitions: 24%
Other: 6%

Critical 2012 E&C Program Goals
Ranked by Percentage of Respondents (n=144)
Increase Employee Comfort with Speaking Up: 73%
Strengthen Ethical Leadership: 68%
Strengthen the Ethical Culture: 66%
Adapt Ethics & Compliance Program to Changing Business Needs: 64%
Promote Alignment Between Core Values and Day-to-Day Operations: 62%
Build a More Consistent, Global E&C Program: 61%
Manage Shifting Regulatory Expectations: 61%
Innovate Design and Delivery of E&C Education: 57%
Build a Stronger Case for E&C as an Enabler of Business Performance: 49%
Improve E&C Program Measurement: 48%
Improve Risk Management Capabilities: 48%
Drive E&C Functional Efficiency: 48%
Improve Third-Party Oversight and Management: 47%
Deepen Skills of the E&C Staff: 42%
Integrate E&C Objectives into the Performance Review and Compensation Process: 40%
Rewrite the Code of Conduct: 29%
Scale: 5 = Very Important, 1 = Not Important; aggregate percentage: 5 = Very Important, 4 = Important

Appendix: Ethics and Compliance Program Management

Range of E&C Metrics Reported to the Board
Ranked by Percentage of Respondents (n=141)
[Bar chart; categories: Helpline and Investigation Data Trends, Code of Conduct Violations, Education Completion Rates and Certification, Relevant Regulatory Developments, Results of Compliance Audits, Key Risk Assessment and Mitigation Plans, E&C-Related Dismissals, Ethical Culture Survey Results, Year-Over-Year Trends on E&C Program Effectiveness, We Do Not Report Metrics to the Board, Other. Values shown: 85%, 78%, 70%, 70%, 65%, 49%, 22%, 12%, 11%, 5%, 2%; the category-to-value pairing is not recoverable from the extracted text.]

Number of Times E&C Leaders Meet with the Board
Ranked by Percentage of Respondents (n=142)
[Bar chart; categories: Annually, Bi-Annually, Quarterly, More Than Four Times Per Year, We Do Not Update the Board, Other. Values shown: 63%, 53%, 46%, 6%, 1%; the pairing is not recoverable from the extracted text.]

Tone at the Top
Ranked by Percentage of Respondents (n=135)
[Bar chart; categories: Quote the Code of Conduct in Speeches without Prodding or Preparation from the General Counsel or E&C Officer; Be the First to Complete Ethics and Compliance Training; Connect with the Ethics and Compliance Officers on Senior Management Performance and Promotions; None of the Above. Values shown: 51%, 43%, 33%, 30%, 27%; the pairing is not recoverable from the extracted text.]

Appendix: Culture, Leadership and Values

The Principal Benefits of Promoting an Ethical Culture
Ranked by Percentage of Respondents (n=137)
Long-Term Value of the Business: 77%
Compliance with Rules and Regulations: 74%
Employee Commitment to Mission and Values: 65%
Inspiring Principled Performance: 47%
Employee Engagement in Their Day-to-Day Work: 42%
Disruptive Innovation and Continuous Business Reinvention: 4%
We Don't Believe That There Are Benefits: 1%

Obstacles to Building a Strong Ethical Culture
Ranked by Percentage of Respondents (n=131)
Organizational Complexity (e.g., Global, Functional Silos): 69%
Lack of Support by Middle Management: 40%
Lack of Appreciation of Culture as a Business Driver: 36%
Lack of Clear Accountability: 26%
Inability to Identify Which Incentives Enhance Culture: 21%
Lack of CEO/Board Sponsorship: 8%
Other: 8%
Lack of Clearly Stated Corporate Values: 7%
Lack of Clear Statement of Ethical Standards: 5%

Business or Functional Areas of Greatest Concern in Promoting a Strong Ethical Culture
Ranked by Percentage of Respondents (n=132)
[Bar chart; values shown 53%, 51%, 45%, 28%, 21%, 20%, 19%, 13%, 11%, 11%, 8%. Axis categories recoverable from the extracted text include Sales, Operations, Emerging Markets, Marketing, Middle Management, Joint Ventures, Senior Management, Accounting/Finance, Procurement, Communications, External Affairs, Customer Service, Information Technology and Other; the pairing is not recoverable.]

Appendix: Culture, Leadership and Values

Does Your Company Give Behaviors (e.g., Integrity, Service) the Same Amount of Weight as Business Outcomes in Performance Evaluations?
Ranked by Percentage of Respondents (n=155)
[Pie chart; categories: Yes, Same Weight to Behaviors; No, Higher Weight to Behaviors; No, Lower Weight to Behaviors. Values shown: 52%, 43%, 6%; the pairing is not recoverable from the extracted text.]

Approaches for Celebrating Ethical Leadership
Ranked by Percentage of Respondents (n=134)
[Bar chart; categories: Recognition in Company Communication Vehicles, Recognition in Team Meetings, Awards, Job Promotions, We Don't Celebrate Acts of Ethical Leadership, Other. Values shown: 47%, 33%, 31%, 28%, 8%, 1%; the pairing is not recoverable from the extracted text.]

Appendix: Risk Assessment and Management

Key E&C Risks Identified in Risk Assessment Process
Ranked by Percentage of Respondents (n=131)
Scale: 5 = High Priority, 1 = Low Priority; responses aggregated: 4 & 5
Conflicts of Interest: 67%
Bribery & Corruption: 65%
Gifts and Entertainment: 65%
Data Privacy: 63%
Electronic Data Protection: 62%
Environment, Health and Safety: 55%
Government Contracting: 49%
Labor and Employment: 48%
Trade Controls: 48%
Antitrust: 47%
Supply Chain: 43%
Intellectual Property: 37%
Records Management: 33%
Social Media: 33%
Society, Community and Government: 32%
Insider Trading: 28%
Money Laundering: 15%

Inputs Used to Assess E&C Risks
Ranked by Percentage of Respondents (n=131)
Audit Findings: 92%
Code of Conduct Violations: 87%
Data About Reported Misconduct: 85%
Employee Reporting: 72%
Legal Proceedings: 65%
Business Strategy & Operational Changes: 63%
Regulatory Enforcement Trends: 63%
Employee Surveys: 63%
Internal Control Breakdowns: 60%
Data & Observations About Corporate Culture: 55%
Industry Benchmarks: 53%
Country/Political Risk Data: 51%
Human Resources Data: 44%
Management Interviews: 39%
Customer Feedback: 36%
Financial Performance Data: 28%
Supplier Feedback: 23%
Other: 5%

Appendix: Risk Assessment and Management

Top Challenges Associated with Conducting Effective E&C Risk Assessments
Ranked by Percentage of Respondents (n=130)
[Bar chart; categories: Inadequate Resources, Integration into Firm's Process/Culture, Lack of Formal Processes, Insufficient Technology, Regional Variations, Lack of Common Terms and Methodology, Lack of Functional Collaboration, No Challenges, Inadequate Methodology, Don't Know, Other.]

E&C Risk Factors of Most Concern in Emerging Markets (e.g., China, India, Brazil, Russia)
Ranked by Percentage of Respondents (n=129)
[Bar chart; axis categories recoverable from the extracted text include Corruption, Local Cultural Norms and Traditions, Use of Third Parties, Ineffective Internal Controls, Uneven Enforcement of Regulatory Standards, Resistance of Local Management to Corporate Standards, We Do Not Operate in Emerging Markets and Other.]

Values appearing on the page for these two charts: 64%, 57%, 53%, 50%, 46%, 40%, 34%, 32%, 30%, 28%, 23%, 23%, 23%, 20%, 20%, 13%, 12%, 5%, 4%; the assignment of values to charts and categories is not recoverable from the extracted text.

Appendix: Education and Communications

The Code's Orientation to Values or Rules
Ranked by Percentage of Respondents (n=132)
[Pie chart; categories: Rules and Values Equally Supported, Rules Supported by Values, Values Supported by Rules, Rules Only, Values Only. Values shown: 47%, 25%, 25%, 2%, 2%; the pairing is not recoverable from the extracted text.]

Topics Code of Conduct Covers
Ranked by Percentage of Respondents (n=134)
[Bar chart; values shown 90%, 81%, 69%, 66%, 53%, 41%, 17%. Axis categories: Ethical Decision Making Guidance, Environmental Responsibility, Community Relations, Industry-Specific Content, Social Responsibility, Social Media, Region-Specific Content; the pairing is not recoverable from the extracted text.]

Satisfaction with E&C Education Program
Ranked by Percentage of Respondents (n=131)
[Chart; categories: Strongly Dissatisfied, Dissatisfied, Neutral, Satisfied, Strongly Satisfied.]

Employee Application of the Code on the Job
Ranked by Percentage of Respondents (n=135)
[Pie chart; categories: Always, Most of the Time, Sometimes, Not That Often.]

Values appearing on the page for the satisfaction and application charts: 59%, 53%, 35%, 27%, 10%, 8%, 5%, 2%, 1%; the assignment of values to charts and categories is not recoverable from the extracted text.

Appendix: Education and Communications

2012 E&C Education and Communications Program Goals
Ranked by Percentage of Respondents (n=130)
[Bar chart; axis categories recoverable from the extracted text include Emphasize Accountability, Make Requirements Relatable, Alert Staff About New Requirements, Offer Decision-Making Skills and Other.]

Targeting E&C Education and Communications
Ranked by Percentage of Respondents (n=131)
[Bar chart; axis categories recoverable from the extracted text include Enterprise Wide and Role-Based.]

Values appearing on the page for these two charts: 91%, 91%, 85%, 78%, 72%, 58%, 58%, 56%, 45%, 37%, 31%, 3%; the assignment of values to charts and categories is not recoverable from the extracted text.

Average of Online E&C Education per Employee in 2011
Ranked by Percentage of Respondents
[Bar chart; values shown 50%, 24%, 19%, 3%, 3%. The axis categories are ranges of hours, the last being More Than 10 Hours; the other range bounds are not recoverable from the extracted text.]

Appendix: Education and Communications

Ensuring Relevance and Understanding of the Code for International Audiences
Ranked by Percentage of Respondents (n=133)
Translations: 61%
Regional Subject Matter Review: 24%
Regionally Based Provisions: 23%
We Don't Have International Operations: 23%
Localization Reflecting Regional Customs: 20%
Employee Focus Groups: 19%
Regionally Based Guidance Tools: 16%
Region-Specific Guides (e.g., Pocket Guide): 8%
Other: 7%

Percentage of Employees Receiving Various Educational Delivery Formats
Ranked by Percentage of Respondents (n=130)
Responses aggregated: 4 = 51% to 75%, 5 = 76% to 100%
Online (e.g., eLearning Module): 76%
Classroom (e.g., Instructor-Led Sessions): 18%
Other: 7%
Experiential Learning (e.g., Facilitated Group Discussions): 6%
Mobile Devices: 1%

Theme-Based E&C Education
Ranked by Percentage of Respondents (n=132)
[Pie chart; categories: Once Per Year, As Needed, Quarterly, Bi-Annually, We Do Not Roll Out Theme-Based Campaigns, Other. Values shown: 30%, 29%, 18%, 11%, 7%, 6%; the pairing is not recoverable from the extracted text.]

Appendix: Education and Communications

Top Challenges Associated with Providing E&C Education
Ranked by Percentage of Respondents (n=130)
Online Education Fatigue: 59%
Relevance of Education to Day-to-Day Work: 49%
Technology Constraints: 34%
Cultural Differences in Global Locations: 32%
Limited Financial Resources: 27%
Regulatory Differences in Global Locations: 15%
Functional Resistance: 12%
Lack of Dedicated Senior Sponsorship: 9%
Other: 7%

Communication Channels Used to Raise Awareness and Reinforce the E&C Program
Ranked by Percentage of Respondents (n=131)
Intranet: 87%
E-Mail Campaigns: 77%
Print Materials (e.g., Quick Reference Guides, Brochures): 60%
Newsletters: 52%
Team Meetings: 46%
Award or Recognition Programs: 24%
Web-Enabled Interactive Code: 22%
Social Media: 6%
Other: 5%

Appendix: Education and Communications

Impact of E&C Education and Communications on Employee Decision Making
Ranked by Percentage of Respondents (n=129)
[Bar chart; categories: High Impact, Moderate-High Impact, Moderate Impact, Moderate-Low Impact, Low Impact.]

Methods to Measure E&C Education and Communications Efforts
Ranked by Percentage of Respondents (n=129)
[Bar chart; axis categories recoverable from the extracted text include Completion Rates, Employee Feedback, Impact on Employee Behaviors and Test Results.]

Values appearing on the page for these two charts: 77%, 75%, 49%, 40%, 38%, 33%, 21%, 12%, 6%, 5%, 3%; the assignment of values to charts and categories is not recoverable from the extracted text.

About LRN: Inspiring Principled Performance


Since 1994, LRN has helped over 15 million people at more than 700 companies worldwide simultaneously navigate complex legal and regulatory environments and foster ethical cultures. LRN's combination of practical tools, education, and strategic advice helps companies translate their values into concrete corporate practices and leadership behaviors that create sustainable competitive advantage. In partnership with LRN, companies need not choose between living principles and maximizing profits, or between enhancing reputation and growing revenue: all are a product of principled performance. In 2008, LRN acquired environmental innovation firm GreenOrder. LRN works with organizations in more than 100 countries and has offices in Los Angeles, New York, London, and Mumbai. For more information, visit www.lrn.com, join our community on Facebook at facebook.com/howistheanswer, or call: 800 529 6366 or 646 862 2040.

Contributors
Friso Van der Oord friso.vanderoord@lrn.com 646.862.2040 Mark Helmkamp mark.helmkamp@lrn.com 310.209.7016

Copyright LRN Corporation. All rights reserved. L1008-0312-01-NY

An LRN Thought Leadership Report

Risk Forecast Report 2013

Ethics & Compliance Alliance

Ethics & Compliance Alliance Risk Forecast Report 2013

Contents

Executive Summary, p. 3: Ethics & Compliance Risk Projections for 2013 (Greg Triguba)
Anti-Corruption and Bribery, p. 9: Global Anti-Corruption 2013 (Michael Fine)
Antitrust and Competition Law, p. 15: Where is it going in 2013? (Ted Banks)
E&C Program Management for 2013 and Beyond, p. 22: The Value of a Self-Governing Culture to Business Success, Sustainability and Significance (Michelle Moyer)
Education and Communication Strategies for 2013, p. 26: Effective Approaches to Mitigating Risk (Charles Ruthford)
Government Contracting and Relationships, p. 33: Survival Strategies Beyond the Fiscal Cliff (Eric Feldman)
Labor and Employment, p. 39: 2013 Employment Law Update (Marcia Narine)
Privacy and Data Protection, p. 44: 2013 Global Risk Perspective (Robert Bond)
Records & Information Management for 2013, p. 51: RIM For the Next Generation (Mike Salvarezza)
SEC Enforcement Hot Topics and Trends, p. 55: Review of 2012 and Outlook for 2013 (Bradley J. Bondi)
Social Media for 2013, p. 62: From the Boardroom to the Factory Floor (Michael Connor)
Trade Compliance for 2013, p. 67: Current Issues, Risks and Challenges in Export Controls (Marian Ladner)

The views and opinions expressed in this Report (a) are for informational purposes only and are intended to represent only educated forecasts, not predictions of future events; and (b) are not presented for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular legal or regulatory issue. In the case of opinions in this Report presented by a named author, those opinions are held by the individual author and do not necessarily reflect the opinions of that author's employer or firm.

Executive Summary
Ethics & Compliance Risk Projections for 2013

Ethics and compliance risks confronting organizations in 2013 have grown more complex and nuanced than ever before. In the year ahead, executives responsible for managing those risks will need to adapt to a legal and regulatory environment increasingly shaped by an array of economic and political pressures. Keeping pace will require companies to be smart, efficient, and laser-focused on motivating a diverse workforce to do the right thing. Those are the primary themes that emerge in this 2013 Risk Report from the LRN Ethics & Compliance Alliance (ECA), a proprietary information platform for E&C professionals. In the pages that follow, you'll find top-level analysis and information on 11 different risk areas, from antitrust to social media, that present day-to-day challenges for most any organization. Our authors are experts in their respective fields, highlighting trends and new developments that have impact on E&C program management. This collection of articles in some ways resembles an ethics and compliance Rorschach test, with each article likely to resonate in different ways within different organizations. The concerns of E&C professionals are diverse: according to the recent LRN Ethics & Compliance Leadership survey (conducted in December 2012), leaders say their top five risks for 2013 are Data Privacy (74%), Conflicts of Interest (70%), Electronic Data Protection (68%), Bribery and Corruption (62%), and Gifts and Entertainment (60%). Overall, the profile of leading critical risks is generally consistent with what emerged in last year's survey.

Key E&C Risks Identified in Risk Assessment Process
Ranked by Percentage of Respondents (N=151)
Data Privacy: 74%
Conflicts of Interest: 70%
Electronic Data Protection: 68%
Bribery and Corruption: 62%
Gifts and Entertainment: 60%
Environment, Health, and Safety: 48%
Labor and Employment: 45%
Retaliation: 45%
Supply Chain: 42%
Records Management: 42%
Social Media: 41%
Government Contracting: 40%
Intellectual Property: 39%
Antitrust: 36%
Insider Trading: 30%

According to the recent LRN Ethics & Compliance Leadership survey, leaders say their top five risks for 2013 are Data Privacy, Bribery and Corruption, Conflicts of Interest, Electronic Data Protection, and Gifts and Entertainment.

The LRN leadership survey found that in 2013 most E&C leaders appear to be focusing on defensive goals, with an emphasis on improving risk management capabilities and third-party oversight. Encouragingly, however, two-thirds (66 percent) of E&C professionals say they are also striving to promote alignment between core company values and day-to-day operations; a similar percentage aim to increase employee comfort with speaking up about misbehavior. Accomplishing those varied goals will require across-the-board commitments at all levels of a company, which means the job can't be done alone. "Compliance and ethics officers have so much on their plates that they can forget how their roles can overlap with others within the organization," observes Marcia Narine, a labor and employment expert writing in this report. Indeed, building organizational bridges, and ethical cultures, is never easy. But in 2013 it may be an essential strategy for E&C professionals as they plan for success in the year ahead.

Investigations and Prosecutions

Helping employees and managers understand the implications of their actions is critical, even in areas that might not seem to affect the average worker. For example, ECA expert Ted Banks looks into his crystal ball for 2013 (Antitrust and Competition Law), and advises that given the potentially draconian penalties that can be imposed for a violation, continued antitrust compliance vigilance is essential. A recent case in point: AU Optronics, a maker of liquid crystal display panels, was convicted in 2012 of price-fixing. Federal prosecutors sought a huge fine ($1 billion) and lengthy prison terms (ten years), but a judge imposed only a $500 million fine on the company, and three-year sentences plus $200,000 fines on convicted executives. Compliance professionals, writes Banks, must approach compliance from the employee's point of view. This means communicating in an employee's vernacular, not in lawyer-speak. It means explaining how compliance with antitrust laws will benefit the employee and the company. And it also means explaining how violating the antitrust laws will be detected, and an employee's job may be lost, and his or her life irreparably damaged. Employees should learn how to do their jobs properly because it is in their interest.

If misbehavior does occur, and fellow employees have knowledge of it, how should they react? Brad Bondi (Hot Topics and Trends in SEC Enforcement) points to a need for education on a new whistleblower program authorized under the Dodd-Frank Wall Street Reform and Consumer Protection Act, which he believes has the potential to change the landscape of the SEC's enforcement efforts. The program offers whistleblowers who provide original information that leads to an enforcement action from 10 to 30 percent of the SEC's monetary recovery. The SEC reports that 3,001 whistleblower tips, complaints, and referrals were received during fiscal year 2012. An important element of the program, and one that compliance professionals need to be especially mindful of, is that it specifically allows and incentivizes individuals to utilize internal reporting channels before going to the SEC. Among other provisions, the SEC rules provide that an internal whistleblower may be eligible for an award where the company reports to the SEC information received from the whistleblower, or the results of an investigation initiated in response to the whistleblower's information.

Goals will require across-the-board commitments at all levels of a company, which means the job can't be done alone.

Politics and a weak economy are factors in the risk profiles of government contractors, according to Eric Feldman (Government Contracting and Relationships). He thinks the polarized U.S. political process has created a near certainty that 2013 will result in substantial challenges for government contractors at the federal, state, and municipal levels, requiring unprecedented dexterity and prudent decision-making to survive and prosper in a new world order. With fewer contracting opportunities, Feldman writes, employees (particularly those in the contract capture process) may feel motivated to ignore or marginalize their company ethics and compliance programs and use whatever information is at their disposal, even prohibited government or competitor acquisition data, to give them an edge in the bidding process. The good news is that strong ethics and compliance programs have become a competitive differentiator on government contracts, as agencies can ill afford to deal with ethics and integrity problems in either the bidding or execution phases of mission-critical projects. Says Feldman: "Proposals that incorporate ethics assessments, training, and education at the project level provide evidence of commitment to controls and accountability important to government agencies in this new environment."

Ethics and compliance programs have become a competitive differentiator on government contracts, as agencies can ill afford to deal with ethics and integrity problems in either the bidding or execution phases of mission-critical projects.

Global Issues and Enforcement

In his analysis of Anti-Corruption and Bribery, Michael Fine reports that despite enforcement advances in other countries, the U.S. Foreign Corrupt Practices Act (FCPA) continues to drive risk assessment and mitigation planning at most multinational companies. "Although the U.K. Bribery Act is beginning to make its mark, speculation that it would displace the FCPA model and require wholesale changes to FCPA-oriented programs has not proven out," writes Fine. The U.S. continues to lead the world in anti-bribery enforcement by a wide margin, according to Fine, with 233 concluded cases and more than 100 open investigations. That number was down slightly in 2012, with the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) showing more selectivity on prosecutions and flexibility on settlement terms. Another notable development was the publication in November of a comprehensive Resource Guide to the FCPA, developed jointly by the DOJ and SEC. For risk managers, the essential message remains the importance of a comprehensive global approach to anti-bribery risk forecasting and compliance, advises Fine. The challenge ahead will be to build and maintain effective global compliance programs that can capture relevant laws, reconcile differences and, above all, communicate company standards and expectations to an increasingly diverse workforce. For U.S. companies whose business is dependent on international sales, Marian Ladner (Trade Compliance) reports that the Obama Administration's efforts to reform the U.S. export control system remain the dominant theme in the export trade compliance field. With the President's reelection, Ladner says, it is expected that the Export Control Reform (ECR) Initiative will now move to the final rule stage, and that export jurisdiction over many items will be transferred from the U.S. State Department to the Commerce Department. For exporters whose products are transferred from State to Commerce jurisdiction, the change will mean much more flexibility in getting those products from the U.S. to their customers abroad. However, the change also shifts a greater compliance burden onto the exporter.

New Media, New Challenges

Executives responsible for ethics and compliance must also address growing complexity brought about by a range of new technologies, especially mobile devices and cloud computing, that help generate enormous quantities of data, according to ECA expert Mike Salvarezza (Records and Information Management). The dramatic surge of information stored on smart phones, tablets and other PDAs has caused some organizations to abandon efforts to control which devices are used by employees in favor of a BYOD (Bring Your Own Device) approach, according to Salvarezza. But with that flexibility come numerous risks to the records manager, including an inability to access company records that are housed on mobile devices; rapid sharing and proliferation of records from device to device and from one to many people; and co-mingling of business and personal records. Simply put, the ability to manage records may become impossible using traditional methods, writes Salvarezza. To truly be successful in the long term, records management professionals must begin to challenge the very requirements that they are attempting to comply with. These requirements must be carefully re-examined and be subject to overhaul to remove outdated and impossible-to-achieve compliance requirements. And how many readers of this report are not already users of Facebook, LinkedIn, or Twitter? Michael Connor (Social Media) reports that more than 1.5 billion people around the globe now have an account at a social network site. According to Connor, social media are transforming the very nature of the Internet, from a medium dominated by static web sites to one featuring multiple levels of interaction on platforms like Facebook, Twitter, LinkedIn, and YouTube. Keeping pace with these technologies from a compliance perspective requires attention at all levels of the enterprise. Connor cites a recent survey of senior executives and corporate directors which found that while 90 percent of respondents claim to understand the impact that social media can have on their organization, only 32 percent of their companies monitor social media to detect risks to their business activities. While social media empower users to become their own publishers, developing effective organizational policies for social media can prove challenging. In the U.S., Connor notes, the National Labor Relations Board has focused considerable energy on social media issues, with a series of rulings that have confounded some compliance professionals.

Executives responsible for ethics and compliance must also address growing complexity brought about by a range of new technologies, especially mobile devices and cloud computing, that help generate enormous quantities of data.

Robert Bond (Privacy and Data Security) considers what global companies should be doing to mitigate privacy risk, with a particular focus on the Asia-Pacific region and the continued challenges of implementing ethical hotlines in the European Union. Also on the horizon: the EU's pending draft Data Protection Regulation, which Bond says will impose significant compliance obligations on businesses that use equipment in the EU for processing personal data, or that are not in the EU but process the personal data of EU data subjects or monitor their behavior. According to Bond, a negligent or reckless breach of the Regulation could lead to fines of up to two percent of a company's worldwide revenue.

The poor economy has led to a new category of laws that make employers particularly vulnerable.

The Workplace

Who's the boss? Marcia Narine (Labor and Employment) reports that in coming months the U.S. Supreme Court will address that question, perhaps providing a watershed ruling for employers. In the case of Vance v. Ball State University, an African-American kitchen worker alleges that her co-employees actually served in the capacity of her supervisors because they directed her day-to-day activities, and that their actions, including racial epithets and physical threats, created a hostile work environment. Narine cautions that if the Supreme Court relaxes the definition of a supervisor to include co-workers, it could fundamentally change the workplace and make it easier for employees to bring legal action against an employer. More broadly, Narine says, the poor economy has led to a new category of laws that make employers particularly vulnerable. For example, a number of states are considering or have passed laws on unemployment discrimination, making it unlawful to refuse to hire someone because they have been out of work for too long. And because of the economy and foreclosure crisis, some states now forbid employers from inquiring about credit during a background check.

Culture and Program Management

While a traditional approach to E&C education and communication may make an organization compliant, its employees are often not prepared to deal with difficult situations, suggests Charles Ruthford (Education and Communication Strategies). He says new research challenges the assumption that, armed with knowledge, a decision-making process, and an awareness of consequences, most people would make rational and proper choices when confronted with ethical challenges. Ruthford argues on behalf of educational programs that are interactive, collaborative, and focused on problem-solving with real-life examples. This new approach to learning and communication will require commitment by senior leaders, involvement of mid-level managers, and individual measurement systems that are aligned with organizational ones, Ruthford writes. It will also be more expensive, but costs will be outweighed by the benefits of engaged employees who will respond in an ethical and compliant manner in difficult situations. For LRN's Michelle Moyer (E&C Program Management), the pressing question is how a company can optimally position itself to operate responsibly in a hyper-connected, hyper-transparent environment over the long term, and not only survive, but thrive. She points to proprietary LRN research which shows that self-governing organizations in some 18 countries experienced higher levels of innovation, employee loyalty, and customer satisfaction; lower levels of misconduct; and superior overall financial performance. The answer, according to Moyer, lies in creating an internal culture that is self-governing; that is, a culture where employees are guided by clearly defined and well-understood principles and values, and are inspired by those values to be leaders and to align around the company's mission, purpose, and business objective because they feel genuinely responsible and accountable for the company's long-term health, welfare, and legacy.


The Year Ahead


Economists these days generally hedge their forecasts pretty carefully. While the business outlook for 2013 seems to be improving, there are huge imponderables that also threaten recovery. Much the same can be said for a risk forecast like this one, especially as it applies to any individual organization. While it is possible to discuss the broad parameters of risk, particular situations often require more detailed examination and discussion. If you and your organization would like to explore these topic areas in more detail or would like to connect with one of our Ethics & Compliance Alliance experts, please don't hesitate to contact us for more information. In the meantime, we invite you to read and consider the expert perspectives in this report and leverage them in support of your ethics, compliance and risk management programs and related initiatives. We are confident you will find them worthwhile and insightful. Best Regards,

Greg Triguba For the LRN Ethics & Compliance Alliance



An LRN Thought Leadership Report

Ethics & Compliance Alliance Risk Forecast Report 2013

Anti-Corruption and Bribery


Global Anti-Corruption 2013
Michael Fine ECA Expert Panelist Michael Fine is a leading expert in the area of anti-corruption and bribery law and provides advisory support on the effective implementation and management of related compliance programs and infrastructures. Michael is Principal of NXG Global Law & Compliance where his practice focuses on anti-corruption programs, public policy advocacy, regulatory counseling, and the implementation of corporate compliance programs. Prior to establishing NXG Global, Michael served as the Director of Private Sector Initiatives for Transparency International and practiced law at the Firm of Powell, Goldstein, Frazer & Murphy.

The expectation for anti-corruption enforcement in the coming year is more of the same, with continued vigorous enforcement of the Foreign Corrupt Practices Act (FCPA) and still slow but steady advances internationally. Past Risk Forecasts have highlighted the sharp rise in the number and magnitude of FCPA enforcement actions; our message this year is more nuanced. Raw enforcement numbers are down slightly for a second consecutive year, with the more consequential FCPA developments in the details. The year 2012 saw a continued ramping-up of agency enforcement capacity, more selectivity on prosecutions and flexibility on settlement terms, and publication of a detailed FCPA Guide spelling out agency interpretations and priorities. In a word, a maturation of FCPA enforcement, with these trends expected to continue through a second Obama Administration. The global anti-corruption picture remains mixed, with growing caseloads in a few jurisdictions but lagging efforts in many other countries that will continue to invite gap-filling FCPA enforcement.

FCPA Baseline
We begin this year's forecast once again with the FCPA, which despite advances elsewhere continues to drive risk assessment and mitigation planning at most multinational companies. Although the U.K. Bribery Act is beginning to make its mark, speculation that it would displace the FCPA model and require wholesale changes to FCPA-oriented programs has not proven out. The U.S. continues to lead the world in anti-bribery enforcement by a wide margin, with 233 concluded cases and more than 100 open investigations, as well as corporate penalties that dwarf those elsewhere.1 As such, the FCPA has remained an essential baseline for most companies even as anti-corruption programs take on a more global tone and nomenclature.

1 Progress Report on Enforcement of the OECD Anti-Bribery Convention, 2012, Transparency International at 37 (Aug. 2012).

Enforcement highlights
On the surface, 2012 was a year like most others for FCPA enforcement, with a number of high-profile settlements, notable additions to the corporate investigations docket, and an ongoing focus on criminal prosecutions of individuals. Raw numbers were off for a second year for new cases and settlement amounts, but were still robust by historical standards and consistent with trends described in prior reports. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) continued to add enforcement resources (including more FCPA-dedicated prosecutors) and new cases to the investigations pipeline (most notably for Wal-Mart in Mexico), to advance sectoral enforcement initiatives (particularly in health care), and to target violations by non-U.S. companies. Health care actions accounted for roughly 60% of all dispositions through the first three quarters of 2012, and investigations involving non-U.S. companies continued to feature prominently. Substantial resources were again devoted to individual criminal prosecutions, with a number of successes but also failures. The latter included the dismissal, after a two-year prosecution, of charges against 21 of 22 defendants in the Las Vegas SHOT Show case. Highlights from the year included a $54 million settlement with the Japanese trading company Marubeni Corporation (probably the last in the long-running TSKJ Bonny Island joint venture investigation), a $60 million settlement with Pfizer (resolving multiple investigations, including one inherited through an acquisition), a $29 million settlement with Eli Lilly (resolving an SEC civil action, with an apparent pass on DOJ criminal enforcement), and a $26 million settlement with Swiss-based Tyco International. A number of other major cases were thought to be near settlement at year's end, with most speculation focused on French oil giant Total SA (with a $398 million reported reserve) and Avon's long-running global investigation. Record fines are also possible in the widening Wal-Mart Mexico investigation, although not for another year or so. All in all, an enforcement record not terribly different in its essentials from 2011, or from what we can expect in the coming year.
A five-year surge begun in the latter years of the Bush Administration appears to have leveled off, with a normalization of the case load and settlement activity at still high but more stable levels. These raw figures are only one measure of enforcement activity, of course, and could change in response to any number of factors (for example, an upsurge in Dodd-Frank whistleblowing). On the whole, though, they reflect a pattern seen in other enforcement areas following an initial ramp-up period as well as the heightened C-Suite attention generated by the initial case surge and associated advances in prevention efforts at multinational companies. But in other respects 2012 was a very different and more consequential year for FCPA enforcement. We saw the first serious effort in decades to roll back key elements of the FCPA, notable refinements to DOJ and SEC enforcement and settlement practices, publication of a comprehensive FCPA resource guide, and finally a presidential election that secured the current FCPA path for at least another four years.


Legislative challenge
The year began with growing momentum for a package of legislative reforms that would have significantly altered key aspects of the FCPA. As we reported in last year's Forecast, this initiative had its origin in a 2010 study commissioned by the U.S. Chamber of Commerce that called for, among other things, an affirmative compliance defense to FCPA liability (similar to the U.K. Bribery Act), a new willfulness requirement, and narrowing of coverage for foreign state-owned enterprises. Other provisions would have limited successor liability for pre-acquisition violations (based on a knowledge standard) and parent liability for subsidiary actions.2 Reaction to the proposed amendments was along predictable lines, with strong opposition from the Obama Administration and little prospect of meaningful action in the last Congress. Still, proponents had been optimistic that a new Republican administration might be more sympathetic and had begun laying legislative groundwork for that prospect. The Chamber launched what one close observer described as an intense lobbying campaign that produced, among other early fruits, a supportive congressional hearing on the reforms and letters to the DOJ from several prominent Democrats. By the late spring, the initiative appeared poised for more gains, only to be sidetracked by the Wal-Mart scandal,3 and then in November the President's reelection. While the immediate chance for legislative action has passed, probably for another four years, the broader campaign to narrow FCPA enforcement that sparked it has not. Public advocacy efforts will continue into the new year, together with a companion initiative to reshape enforcement through the courts. Illustrative of the latter has been a closely-watched challenge to the government's application of FCPA foreign official status to state-owned companies. (Several district courts have ruled for the government, but the matter is on appeal.) Past efforts to circumscribe FCPA enforcement through the courts have not been successful and prospects for this and similar challenges are probably low, but for the first time the DOJ and SEC are being required to defend their interpretations, a step many consider salutary and overdue.
Setting particulars to the side, a larger message from these developments is the fraying of a bipartisan consensus and business support so crucial historically to the FCPA's advance, and by extension global efforts in this area.


Refinements to enforcement practice


Coincident with the Chamber campaign, which has been the most far-reaching, public and politically successful in the FCPA's 35-year history, the past year has seen notable refinements to FCPA enforcement practice. The DOJ and SEC have been more public about declinations (decisions not to prosecute after initiating an FCPA investigation) and the reasons; they have awarded more (or at least clearer) credit to companies for cooperation and quality compliance efforts; and there has been an easing of some settlement conditions (in particular, mandated independent monitors). The DOJ and SEC also have been clearer about not prosecuting de minimis violations, have taken steps to encourage internal reporting by Dodd-Frank whistleblowers, and have been more expansive in advisory guidance.

2 The 2010 study drew on similar restrictive provisions found in the contemporaneous U.K. Bribery Act. For a detailed comparative analysis of the U.K. Bribery Act and FCPA, see Coordinating U.K. Bribery Act & FCPA Compliance on the ECA: https://eca.lrn.com/focus-area-resources/coordinating-U.K.-bribery-and-fcpacompliance. See also UK Bribery Act: Mixed OECD Review Portends Change on the ECA, summarizing concerns about certain of these provisions identified in a March 2012 OECD anti-bribery working group review of U.K. convention efforts.
3 For a discussion of the Wal-Mart Mexico case, see M. Fine, A Teachable Moment: FCPA Lessons from the Wal-Mart Experience, SCCE Compliance & Ethics Professional at 49 (Sept/Oct 2012).


Speaking at a recent national conference on the FCPA, Assistant Attorney General Lanny Breuer reaffirmed the U.S. commitment to combating corruption around the world, describing FCPA enforcement as one of the DOJ's signature achievements and part of a record that has put the U.S. on the right side of history.4 At the same time, there was a recognition that the DOJ and SEC needed to strike an appropriate balance between vigorous and responsible enforcement. As an illustration, Breuer cited the DOJ's decision last April not to charge Morgan Stanley directly for an employee's bribery because the violation had been self-disclosed, and because the firm had cooperated with the investigation and could point to a rigorous compliance program. In another case, involving potential successor liability, a similar judgment not to prosecute was made based on the pre-acquisition due diligence conducted. In both instances, declinations were publicized to encourage similar proactive efforts by others. Opinions vary on the significance of these cases, whether reflective of systemic change or only a few good apples, so to speak, but at the least they suggest a more nuanced approach to enforcement in the future. For example, while there may be little appetite for a formal compliance program defense, the practical effect from a more robust and public crediting of corporate investments in quality programs may not be very different, especially given the uncertainty and practical challenges associated with a formal Bribery Act-like defense.5 In some cases, this may manifest through declinations that completely shield a company from enforcement action (as for Morgan Stanley); in others, through a substantial penalty deduction (pegged at 30% in one recent settlement) or avoidance of mandated independent monitors (multiple cases in 2012).
Likewise, although we are unlikely to see significant changes to the expansive application of FCPA authority that has developed, the more nuanced enforcement posture may shield companies with exemplary prevention efforts as in the successor liability declination mentioned earlier.


New FCPA guidance


The year's other notable development was the publication in November of a comprehensive Resource Guide to the FCPA, developed jointly by the DOJ and SEC. Over a year in the drafting, the 120-page document contains a useful historical overview of the FCPA and Organization for Economic Cooperation and Development (OECD) expansion together with these agencies' reading of the law and enforcement priorities. Much of this information had already been available, but not in one place or with the same clarity and detail. Topics addressed range from the definition of a bribe and foreign official to gifts and entertainment, FCPA jurisdiction and the hallmarks of an effective anti-corruption program. There are also helpful commentaries and illustrations to make the guidance more concrete.

4 L. Breuer, Speech at 28th National Conference on the FCPA, 16 Nov. 2012 (http://www.justice.gov/criminal/pr/speeches/2012/crm-speech-1211161.html).
5 U.S. authorities have been reluctant to adopt a formal compliance program defense like the one for adequate procedures in the U.K. Bribery Act in part because of the practical difficulty of judging adequacy in a particular context. Most FCPA prosecutions have involved large or systemic patterns of bribery, often with high-level involvement or knowledge, and how these might be squared with an effective program standard is not immediately obvious. In a U.K. context, the challenge is further compounded by a relative lack of historical experience with compliance practices both in government and the private sector (compared to several decades of trial-and-error advances in the U.S. under the Federal Sentencing Guidelines framework) and uncertainty about how and when judgments about the defense will be made.


The Guide was developed with several objectives in mind. The initial catalyst was a recommendation from the OECD working group on bribery that the U.S. spell out more clearly its enforcement policies and priorities, with an eye toward a similar push in the future with other OECD countries. As importantly, the yearlong process and resulting document have provided a rebuttal of sorts to the U.S. Chamber reform initiative, elaborating in greater detail the DOJ and SEC position on contested issues, and at the same time countering the criticism that enforcement standards have been too opaque or uncertain. Finally, and most significant from a compliance vantage, the Guide has provided the DOJ and SEC with an opportunity to spell out in greater detail for the business community factors that they consider in deciding whether and how to pursue an enforcement action, evaluating a compliance program, deciding whether to impose a monitor, and choosing among alternative forms of resolution. In the month following release of the Guide, numerous reviews have been published and there is much in these and the document itself worthy of careful review. Some highlights:

The Guide provides a detailed listing of elements the DOJ and SEC will consider when evaluating a company's anti-bribery program, acknowledging that no compliance program can ever prevent all criminal activity by a corporation's employees, and that meaningful credit will be given for a comprehensive risk-based program implemented in good faith.

Commentaries and illustrative examples clarify the standards for determining whether a bribe meets the business purpose test, and when a particular state-owned entity will be considered governmental.
There is also helpful (if not new) advice on gifts and entertainment, reaffirming the requirement of corrupt intent for an FCPA violation, and that payments of nominal value (such as a cup of coffee or taxi fare) are not an enforcement priority. There is also some comfort on successor liability (short of a safe harbor) for acquiring companies that have checked diligently for problems in advance, and taken preventive measures after acquisition, plus a reaffirmation that pre-acquisition bribery must have been in violation of the FCPA at the time it occurred. The Guide emphasizes the broad nature of FCPA jurisdiction over non-U.S. companies, reaffirming expansive theories that have been used to reach companies with only nominal territorial contacts (as under correspondent bank jurisdiction) or none at all (on a conspiracy basis).


Additional Global Considerations


Although the FCPA remains central to risk assessment and mitigation planning for most international companies, counterpart laws in other jurisdictions merit heightened attention. Chief among these is the U.K. Bribery Act, but other countries (notably Germany) also stand out. Global enforcement efforts continue to lag behind the U.S., with only modest gains over the past year. By one measure, there are still only seven OECD countries with active enforcement, and another dozen rated as moderate.6
6 Progress Report on Enforcement of the OECD Anti-Bribery Convention, 2012, Transparency International at 4 (Aug. 2012).


Modest as this figure is, it still overstates the actual progress, with countries needing only one active major case and investigation to qualify for moderate enforcement status. On the other hand, formal cases take time to develop and a somewhat more robust picture emerges if one looks instead at investigative activity. A number of lower-ranked countries report relatively high levels of current investigative activity, while others considered active rate less well. Using an investigations measure, those currently most active include, in addition to the U.S. (at 113 active investigations), Germany (43), the U.K. (29), Italy (15), Canada (34), Austria (10), and Australia (8). According to the OECD working group on bribery, at year end 2011 there were approximately 300 ongoing investigations in the 26 signatory states to the anti-bribery convention.7


The U.K. Bribery Act has remained center stage for many global companies, but with a mixed record to this point. A year and a half on, there have been relatively few prosecutions, and these mostly of individuals rather than companies and under pre-Bribery Act statutes. Still, there has been a notable rise in the overall level of activity, with 14 individual convictions through the first three quarters of 2012 and another 11 active foreign bribery cases, and 18 others said to be under consideration. In addition to the first individual conviction under the Bribery Act, of a domestic court clerk for traffic court bribery, the past year saw civil resolutions in several corporate cases (Oxford Publishing, Abbot Group) and the launch of a high-profile defense sector investigation (EADS). Set against this has been a record turnover in the lead enforcement agency, the Serious Fraud Office (SFO), together with ongoing concerns about its authority and resource levels. A March 2012 OECD working group assessment also gave the U.K. a decidedly mixed review on its anti-bribery enforcement efforts. Although it credited SFO outreach to the business community, citing its detailed guidance on the adequate procedures defense and the design of effective compliance programs, the report identified a number of gaps in the legal framework that may require further legislation. Chief among these are lingering concerns about the government's ability to hold companies accountable for bribery by an employee or affiliate.8 The law courts have also cast a cloud over SFO authority to settle matters through Deferred Prosecution Agreements (DPAs) and other alternative means, although a measure has been introduced in Parliament to remedy this. Still, the pace of action internationally clearly is picking up and, in the wake of this year's FCPA reform debate, there will be even more pressure on OECD partners to step up their own enforcement, and on non-U.S. companies through gap-filling FCPA actions.
For risk managers, the essential message remains the importance of a comprehensive global approach to anti-bribery risk forecasting and compliance. Although enforcement in most countries is still spotty, and well below U.S. levels even in the most active countries, there are now important exceptions. And even for the laggards, multinational companies (especially from the U.S.) will remain an appealing early target. The challenge ahead will be to build and maintain effective global compliance programs that can capture relevant laws, reconcile differences (for example, on facilitation payments), and, above all, communicate company standards and expectations to an increasingly diverse workforce.
7 OECD Working Group on Bribery, 2011 Annual Report at 10. These annual reports are summary, and have been criticized for overstating progress, but the more detailed assessments conducted for individual countries can be a valuable resource for risk assessment. The OECD Phase 3 review conducted for the U.K. last April is illustrative, highlights from which are described in an alert on the ECA website (UK Bribery Act: Mixed Review Portends Change).
8 See UK Bribery Act: Mixed Review Portends Change, available on the ECA.


Antitrust and Competition Law


Where is it going in 2013?
Ted Banks ECA Expert Panelist Ted Banks is a recognized and leading expert in areas of global antitrust and competition law. Ted is a seasoned attorney and partner in the Law Firm of Scharf Banks Marmor LLC in Chicago, IL, and is President of Compliance & Competition Consultants, LLC. In his practice, Ted concentrates on general corporate and antitrust matters and serves his company clients in development of effective ethics and compliance programs, antitrust and competition compliance initiatives, and records management programs. Formerly, Ted served as Chief Counsel & Senior Director, Global Compliance Policy at Kraft Foods.

Antitrust/competition law compliance programs are commonplace. Nearly every code of conduct has a general antitrust compliance statement. But while the basics of antitrust are unchanged (collusion and abuse of dominance), the specifics of antitrust violations have evolved, as have the techniques available to ensure an effective compliance program. Spending a few minutes thinking about where the law might be going in 2013 can be useful in making sure that your compliance program really is addressing todays risks.

The Second Obama Administration and Antitrust


2013 is beginning with a newly confirmed FTC Commissioner1 and a newly confirmed head of the Antitrust Division.2 One can reasonably expect that the policies established in the first administration will be continued. The government will be more aggressive in its enforcement efforts than was the Bush Administration in areas like mergers. Cartel enforcement, which was aggressive in the past, will continue. The Antitrust Division will utilize its amnesty program as a key enforcement tool, so it will behoove any attorney or compliance officer who detects the possibility of collusion to consider going to the government as quickly as possible. As is discussed below, the position of the Antitrust Division on compliance programs has been one of disdain. Several years ago, it apparently secured an exception from the Federal Sentencing Guidelines (FSG), so that the presence of an effective compliance program will not entitle a company to any sort of reduction of sentence. However, it did require the appointment of a compliance monitor in the AU Optronics case (discussed below), so there may be a recognition that compliance programs have a value after all.


Antitrust and Banks


While there is still talk of antitrust concern about too big to fail, it seems that public enforcement against financial institutions will focus on conduct, not size. Private litigation may be the major risk, as shown by the LIBOR cases.3

1 Professor Joshua Wright, who does not have an expansive view of the scope of Section 5 of the FTC Act, was nominated for the Republican seat previously held by Thomas Rosch. FTC Chairman Jon Leibowitz may also resign soon in 2013, and it would be expected that someone with similar pro-enforcement leanings would be nominated to replace that seat on the Commission.
2 William Baer, former head of the Bureau of Competition at the FTC, was confirmed on December 31, 2012, while most of the country's attention was focused on fiscal cliff negotiations.
3 UBS may be fined more than $1 billion by U.S. and U.K. regulators. Barclays Bank agreed to pay $467 million to settle Libor manipulation allegations.


If a case can be made that collusion by financial institutions is the cause of consumer pain, then one should expect aggressive pursuit by private parties. Combined with increasing willingness by many courts (particularly state courts) to allow consumers to recover in antitrust cases, the imperative for banks to strongly police their antitrust compliance programs is ever more important. On the public enforcement side, one might expect a mixed bag. The regulators in the United States continue to shut down insolvent financial institutions, and the government needs to find homes for the assets of those banks quickly. In addition, the Federal Reserve has signaled that it wants to continue an easy money policy to provide economic stimulus, so anything that might disrupt the flow of cash into the economy would face internal Administration opposition, regardless of what the antitrust enforcers would want to do. If, however, a credible case can be made that the policies of the largest banks have been working in opposition to the Administration's stimulus policy, that might provide the impetus to attack a large financial institution based on size. The case, however, would not be an easy one to bring, and would involve a new approach where financial institutions, by virtue of their size, could behave in a way that was injurious to the economy, if not to competition. If there was a thought to challenge a bank based on its size, it might well be easier to do so in a financial regulatory context, rather than rely on antitrust.

The War against Conspiracies Continues


Public enforcement against cartels continues, with lengthy prison terms and large fines sought. The Department of Justice (DOJ) will proceed against conspiracies that occur outside the United States, when they have a domestic impact. The AU Optronics4 case showed several interesting developments, however. The government sought a huge fine ($1 billion) and lengthy prison terms (ten years), but the judge imposed only a $500 million fine on the company, and three-year sentences and $200,000 fines on the convicted executives. She ruled that the fines sought by the DOJ would cripple the company, and hurt the public by reducing competition. The judge was sensitive to arguments that the individuals had relatively little personal motivation and thought they were doing the right thing vis-à-vis their company. Part of the sentence in the case did require the appointment of a compliance monitor, which may indicate increased attention by the Antitrust Division to the value of compliance programs. Other defendants in the investigation of price-fixing of LCD displays chose to settle with the government and not go to trial, and they received fines ranging from $30 million to $400 million, below the Guidelines range, based on cooperation with the government. The moral of the story: going to trial is always a risky proposition. The question of whether there was personal motivation was also raised in the prosecution involving bid-rigging of municipal bonds. The sentencing memorandum from the DOJ urged ten-year sentences based on losses that ranged from $5 million to $10 million for each defendant. The memorandum rejected the idea that employees were just trying to help their companies, and that there was no personal motivation. The memorandum noted that there was a great motivation on the part of the employees to keep high-paying jobs.


4 United States v. AU Optronics Corp., No. 09-cr-0110 (N.D. Cal. June 11, 2012).

An LRN Thought Leadership Report


Economics and Behavior


Antitrust jurisprudence, particularly in the United States, evolved over the last 40 years by reflecting concepts of economics. A debate raged over whether the Chicago school of economics (reflecting, at least in theory, an analysis of pure market forces) or the Harvard school (reflecting a more values-based analysis) should guide antitrust enforcement. Meanwhile, some economists started looking at the other factors that influence how people behave. It may not be because they are always trying to maximize their profits, or trying to increase social welfare through behavior that might otherwise be thought of as inefficient. In fact, the realization dawned that disciplines such as psychology could be viewed in conjunction with economics to offer new insights as to how people behave and why, including why they might violate the law.


Effective compliance programs do not just establish rules and give orders. They must approach compliance from the employee's point of view. This means communicating in an employee's vernacular, not in lawyer-speak. It means explaining how compliance with antitrust laws will benefit the employee and the company. And it also means explaining how violating the antitrust laws will be detected, and how an employee's job may be lost and his or her life irreparably damaged. Employees should learn how to do their jobs properly because it is in their interest. And they should learn what not to do, and the consequences of violating these laws. So, it behooves all compliance officers to make certain that they understand the forces that drive their company. In the antitrust area, financial incentives for sales may encourage employees to bend the rules in order to collect a bonus. Employees should be educated about what they cannot do (such as colluding with competitors), and motivated to use their creativity to figure out how to get the job done within the parameters of the law. Companies should recognize outstanding performance not just with money, but with an acknowledgement that each person is important no matter what his or her job, and that all play a part in the success (or failure) of the company.

Employment
Antitrust compliance programs often fail to cover the antitrust risks that might be presented by the activities of human resources departments. While there may be antitrust exemptions for collective bargaining, it is a mistake to assume that anything done with regard to hiring employees is free from antitrust concerns. Actions have been brought by the federal government and the states to challenge non-poaching agreements among companies that might be drawing on the same pool of employees, even if they were not direct competitors.5 The increased aggressiveness of the Department of Labor, combined with the reduced reluctance to attack employment activities under the antitrust laws, signals that the risks of government enforcement here are increasing. Private parties have also brought actions challenging agreements among competitors that allegedly limited their job opportunities or salaries.

5 Cases were brought in 2010 against Google, Apple, Intel, Intuit, Pixar, and Lucasfilm. More recently, United States v. eBay, Inc., No. 12-cv-5859 (N.D. Cal. Nov. 16, 2012), challenged a handshake agreement between eBay and Intuit not to solicit each other's employees.

Compliance officers need to work closely with labor and antitrust lawyers, and with human resources departments, to make sure that none of their practices violate antitrust laws. Common activities, such as salary surveys among companies in the same city or the same industry, should not be undertaken without guidance.

Global Enforcement
The Federal Trade Commission (FTC) and Antitrust Division will continue to cooperate with foreign enforcement agencies and international organizations. Regulation of competition is now a common part of the legal infrastructure of most countries, and while enforcement policy and competence may vary widely outside of the United States, antitrust must be a part of compliance programs wherever a company does business. As in the AU Optronics case, U.S. government enforcement against cartels will take place if there is an impact in the U.S., and private follow-on litigation should be expected. The concept of private antitrust actions is gaining support outside of the United States. Compliance officers of multinational companies must continue to firmly resist the entreaties of overseas managers to allow them to participate in local cartels based on local custom.


Mergers
The Administration is likely to continue its course of challenging mergers that appear to be anticompetitive from a consumer point of view, and will probably continue to give less weight to arguments of efficiency than might have been persuasive in the Bush era. Although the new merger guidelines purport to give less weight to the need to define a market, in practice, market definition will continue to be the key determinant of how the government analyzes the competitive impact of a transaction. Expect to see a willingness to challenge mergers that have already been consummated.6 Political or consumer complaints may also result in the scrutiny of transactions that fall below the reporting threshold, particularly at the FTC. As implementation of the Affordable Care Act rolls out, expect to see continued antitrust enforcement in health care, particularly where prices rise after hospitals or other health care providers merge.

What does this mean for compliance officers? Insist on a seat at the table as acquisitions are being considered. When a horizontal competitor is the acquisition target, insist that there be a good explanation as to why the transaction should be allowed to be consummated, in language that you, and not only an economist, can understand. Of course, make sure that the due diligence of the target includes a review of its compliance programs, and any shortcomings in that area should be flagged in time to put a hold on the transaction's progress until all of the risks can be evaluated. The government has shown increased willingness to impose conduct-based remedies in merger transactions, which may require the involvement of the compliance officer to ensure that the terms of any settlement are followed.7

6 Polypore International, Inc. v. FTC, 686 F.3d 1208 (11th Cir. 2012).
7 Conduct remedies include firewalls that may limit sharing of certain confidential information or the requirement to license technology to competitors on a fair, reasonable and non-discriminatory (FRAND) basis.


Monopolies
The withdrawal of the prior administration's policy statement on Section Two signaled that the Obama administration's approach to monopoly enforcement would be more expansive. Not much has happened in this area recently from the Department of Justice, although the FTC has continued its enforcement against monopolies based on its authority under Section 5 of the FTC Act. In recent years, the FTC's cases that might have been characterized as monopolization cases focused on things like exclusive dealing agreements, and its more recent investigation of Google looked at director interlocks between Google and Apple that might violate Section 8 of the Clayton Act. Prosecutions against monopolistic behavior, whether under Section 2 of the Sherman Act or Section 5 of the FTC Act, often come as a surprise to compliance officers because there is no black-and-white line that can be defined in a code of conduct or antitrust policy. Practices that may have gone on for years, and would never have been the subject of a compliance training program, suddenly become violations.

So what does this mean for a compliance officer? Compliance officers (and their antitrust law experts) should look with special scrutiny at products or services where there is a market share in excess of 50 percent. These are the areas that may be most likely to attract enforcement attention from government enforcers (in the United States and other countries) and from private plaintiffs. The risk assessment should specifically examine whether any changes in law or the political environment might signal a need to review business practices. Changes in the structure of the market, such as the failure of a competitor or complaints from customers or suppliers, might also be significant in evaluating the risk in this area.

Patents
The increasing antitrust litigation involving patents may be a sign of the evolution of our economy (and society) to a more technology-based world. But even without trying to make any profound interpretations of this trend, it is important to note the presence of antitrust intruding into the world of patent monopolies. In cases where there seems to be abuse of patent rights where a patent is part of an industry standard (a standard essential patent), the government is willing to seek an order compelling the licensing of the patent on fair, reasonable, and non-discriminatory (FRAND) terms. Although this does depart from the traditional rule that a patent owner can license a valid patent when, where and how it wishes, it should not come as a huge surprise. If an industry standard has been established, and certain patents are essential to complying with the standard, the standard setting organizations usually require that those patent owners agree to FRAND licensing in the first place. The FTC has required FRAND licensing of patents as a condition to allowing a merger to proceed.8 It also has stated that a patent owner that agrees to FRAND terms and then seeks an injunction for alleged infringement against companies willing to take licenses is violating Section 5 of the FTC Act, without a showing that the patent owner acted in bad faith. The European Union, in furtherance of its mission of promoting European integration and the free movement of goods, has stated that it will attack attempts to foreclose access to markets through the use of intellectual property rights.

Economists from the DOJ, FTC, and EU Directorate General for Competition have issued suggestions for standard setting organizations (SSOs) that should be noted. They have suggested that 1) FRAND commitments should be binding on subsequent purchasers of the patent; 2) the SSO should have procedures in place to resolve disputes about FRAND licensing; 3) licensees should have the option of licensing a patent on a cash basis instead of only on a cross-licensing basis; and 4) as noted above, limitations should be placed on a FRAND patent holder that seeks to use an injunction to exclude a licensee from the market. What is left unclear, however, is exactly what constitutes FRAND terms. A patent owner whose technology has been incorporated into an industry standard, and who has committed to license the technology on FRAND terms, should be cautioned, at a minimum, not to be greedy.

Another area of continued patent concern is the use, and possibly the abuse, of patent rights in the pharmaceutical industry. The FTC continues to challenge the settlement of patent lawsuits by generic drug manufacturers which result in a payment to the generic manufacturer in exchange for delay in the introduction of competing generic products. The results here have been inconsistent,9 making predictions about liability in this area difficult. The Supreme Court will review these decisions, and, in addition to monitoring court decisions, companies involved in this area need to carefully monitor the relevant political activities, since various legislative proposals are pending to clarify the legal status of these activities.

8 In re Robert Bosch GmbH, FTC File No. 121-0081, Consent Agreement (Nov. 26, 2012).
A patent that was obtained by fraud on the Patent & Trademark Office does not get antitrust protection.10 Until recently, challenges against the validity of patents based on fraud were brought by companies facing the threat of patent infringement actions. In Ritz Camera & Image, LLC v. Sandisk Corp.,11 the Federal Circuit ruled that a purchaser of a product, who would not be facing a threat of an infringement action, could bring a claim under the Walker Process fraud approach. There was no requirement that a challenger have standing under the patent law to bring a declaratory judgment action for patent invalidity. From a compliance standpoint, the burden falls on patent attorneys to ensure that there is full disclosure of prior art and no misrepresentation to the PTO, but that is hardly anything new. There may be increased litigation from disgruntled purchasers unhappy with high prices of patented goods, so risk control may be a consideration where, assuming the patent is valid, the pricing for patented goods might be considered excessive by purchasers. Further court cases may flesh out the parameters of claims made by purchasers, but for now the risk of increased patent-antitrust litigation looms.


Pricing: Maintaining and Discriminating


The Supreme Court has whittled away the antitrust rules against resale price maintenance, and now both minimum resale price maintenance (attempts to limit discounting by resellers) and maximum resale price maintenance (attempts to limit price gouging by resellers) are judged under the rule of reason in federal court. Federal enforcement in this area is unlikely, unless the price maintenance allegations come as part of a monopolization or merger case. Private parties may raise these allegations, but it will be difficult to show damages or even get beyond early motion practice. Nevertheless, if a price maintenance policy is adopted, there should be a rationale for the price restraints, prepared in advance of any litigation, that demonstrates the reasonable, pro-competitive impact of the restraint.

State and federal price discrimination laws are still on the books, but the legal risk they pose has been significantly diminished by court decisions that make it increasingly difficult for plaintiffs to win their cases. But particularly where companies sell a branded product to competing wholesalers or retailers, management of pricing differences is important both for limiting legal risk and for maintaining good relations with, and the trust of, all customers. Antitrust litigation often results from a feeling of being mistreated, even if the facts prove otherwise.

10 Walker Process Equipment v. Food Machinery & Chemical Corp., 382 U.S. 172 (1965).
11 No. 2012-1183 (C.A.F.C. Nov. 20, 2012).


Can you count on your antitrust compliance programs?


Yes, and no. Unlike other compliance programs that meet the effectiveness criteria of the Federal Sentencing Guidelines, you will not get any credit from the Department of Justice in sentencing recommendations based on your program. But the goal of compliance programs is to do the right thing in the first place. We may see the passage of whistleblower legislation specifically related to antitrust in 2013, as suggested by the Criminal Antitrust Anti-Retaliation Act, introduced by Senators Leahy and Grassley in July 2012.12 The credit for trying hard is an added bonus. So, notwithstanding the anomalous position of the Antitrust Division, effective antitrust programs are still a must.

Conclusion
While there may be political differences on other areas of regulatory enforcement, in the United States, antitrust enforcement, at least against price fixing, is vigorous, whether there is a Republican or Democrat in the White House. Differences in enforcement philosophy show up primarily in merger policy, and then perhaps in other peripheral areas such as Section 2 or joint venture enforcement. Given the potentially draconian penalties that can be imposed for a violation (e.g. huge fines, lengthy jail terms, large treble damage lawsuits), with little or no ability to use FSG criteria as an offset, continued antitrust compliance vigilance is essential.


12 The bill would create a process to seek instatement, back pay, and damages if an employee were discharged for being a whistleblower with regard to horizontal conspiracy violations. Unlike the False Claims Act, there is no financial reward for antitrust whistleblowers.


E&C Program Management for 2013 and Beyond


Michelle Moyer, LRN Knowledge Leader

Michelle Moyer is an LRN Knowledge Leader and seasoned attorney with deep experience in areas of ethics and compliance programs, education solutions, legal research and analysis, and inspirational leadership. Among other key roles, Michelle provides oversight of the LRN Ethics & Compliance Alliance (ECA) and provides invaluable support and subject-matter expertise across a number of the LRN ethics and compliance education solutions. Michelle has served as Legal Counsel for LRN and has been responsible for designing and developing legal and compliance frameworks for a number of the LRN on-line education courses and experiential learning programs that ensure legal concepts are presented in an effective and meaningful manner. Michelle also serves and provides support in a leadership role as a member of the LRN Living How Council.

The Value of a Self-Governing Culture to Business Success, Sustainability and Significance


As the world around us becomes more transparent and interconnected, leaders of organizations have begun to understand that how they do business is as important as the goods they manufacture and the services they provide. Technology now offers every customer, shareholder, employee, business partner, regulatory agency, and public interest group an intimate view into the methods companies use to conduct business; how those methods impact individuals, communities, and the world at large; and what those impacts mean for our future and the future of generations to come. In this environment, if a company is doing the right thing (for example, if it is making concrete and impactful efforts to ensure that neither it nor any entity in its supply chain is paying bribes, employing child labor, or dumping harmful chemicals into nearby rivers and streams), it is far more likely to be successful and sustainable than a company that is not so actively and effectively taking steps to operate in legally, socially and environmentally responsible ways.

The question then becomes: how can a company optimally position itself to operate responsibly in this hyper-connected, hyper-transparent environment over the long-term, and not only survive, but thrive? The answer for E&C professionals lies in creating programs which foster an organizational culture that is self-governing; that is, a culture in which employees are guided by clearly defined and well-understood principles and values, and are inspired by those principles and values to be leaders and to align around the company's mission, purpose and business objectives because they feel genuinely responsible and accountable for the company's long-term health, welfare and legacy. Developing, implementing and leading programs that exemplify a self-governing mindset will catalyze others within the organization to think, feel and behave similarly. Why? Because inspiration is contagious.
With a higher-purpose mission, long-range goals, and core values and principles in place to guide behavior and decision-making, the next step that you, as an E&C professional, will need to take is to work with other leaders in the organization to intentionally, rigorously and relentlessly drive the self-governing mindset and associated behaviors into all ethics and compliance efforts, and into the business in general.


This process involves (among many other things) developing codes of conduct, policies, procedures, education opportunities and communication strategies that emphasize and incorporate not only legal requirements and other rules that bind the company and its employees, but the values, ethics and broader individual, community and societal considerations that underlie those rules and the company's dedicated and unyielding observance of them. As an example, when developing a policy to communicate the company's stance on bribery and corruption, explain not only that bribery violates laws worldwide, but also that it is arguably the single greatest obstacle to economic and social development in the world because it distorts markets, stifles economic growth, debases democracy, and therefore undermines the very purpose of those laws.


Similarly, when developing a policy to address harassment, relate not only that harassing behavior can result in legal action against the company, but also that it is morally wrong and creates work environments characterized by lack of professional courtesy and respect, which, if allowed to fester, can lead to more widespread, equally serious illegal and unethical actions that have the ability to threaten the company's very viability. By emphasizing and communicating the company's commitment to behaving with integrity, employees come to know not only the rules, but the soul and spirit that underlie those rules and the broader consequences of their actions. Put another way, they begin to more conscientiously consider not only what they're doing, but how they're doing it.

The importance of conducting business by inspiring employees to lead and behave in a self-governing way, and driving self-governance into the company's ethics and compliance efforts and the business in general to reduce risk and increase opportunity, cannot be overstated. The alternative, instituting and commanding support for shortsighted goals and rigid rules through the use of carrots and sticks, is neither stimulating nor engaging nor empowering, and is therefore doomed to fail. So, what does a self-governing culture look like?
At its core, self-governing organizations exhibit the following characteristics:

They aim to positively impact the world rather than pursue only short-term, narrowly-defined, self-interested goals and objectives;
They engage in decision-making and goal-setting, utilizing long-term vision;
They encourage and facilitate effective coordination and collaboration among different segments of the organization;
They ensure that information is shared throughout the organization authentically and transparently;
They extend trust, rather than waiting for trust to be earned;
They embrace and celebrate employees who voice their concerns and who report behavior they believe to be illegal, unethical, or otherwise contrary to the company's values and principles;
They use values and principles, rather than rules, to govern and guide behaviors and decision-making;
They engage and impassion employees by inspiring them rather than motivating or coercing them;
They enable productive, timely and aligned decision-making through a deliberate system of governance, culture and leadership;
They respond effectively and resiliently to unexpected and even sudden and dramatic shifts in competitive dynamics, economic conditions and societal forces.

These characteristics of a self-governing culture have the power to engage and ignite employees to such a tremendous extent that the company's ability to succeed and sustain itself, and to achieve its definition of significance, dramatically increases. The bottom line is this: intentionally, systematically and purposefully nurturing the culture of an organization unlocks its potential to experience and enjoy significant competitive advantage in the marketplace. And, the news gets better: these priceless business benefits can be, and have been, tangibly demonstrated.

In 2010 and 2011, LRN conducted groundbreaking research by way of its Governance, Culture and Leadership Assessment. The Assessment is a diagnostic tool that consists of over sixty questions designed to help a company discover and quantify whether and to what extent the characteristics of a self-governing culture are present among employees, and the impact that the presence or absence of those characteristics has on business performance. The research LRN conducted using this tool is known as the Global Governance, Culture and Leadership Assessment, and involved surveying over 36,000 employees from eighteen countries around the world, including Australia, Brazil, China, France, Germany, India, Israel, Japan, Mexico, Russia, Saudi Arabia, Scandinavia, South Africa, Turkey, the United Kingdom and the United States. The findings of this research, which have been captured and summarized in The How Report (see LRN's The How Report at LRN.com), reveal a great deal about the impact that self-governing cultures have on business performance. Among other things, The How Report evidences the following:

Self-governance in organizations across the globe is rare. A mere 3% of the 36,280 employees surveyed in the Global Governance, Culture and Leadership Assessment observed high degrees of self-governing behavior among their colleagues. Of note, this remarkably low level of self-governance was consistent across every demographic category, including country, industry, economic environment, language and ethnic culture.
Self-governing organizations in all eighteen countries involved in the Global Governance, Culture and Leadership Assessment experience higher levels of innovation, employee loyalty and customer satisfaction; lower levels of misconduct; and superior overall financial performance.
There is a serious disconnect between the C-suite and the employees they lead. The C-suite, on average, is three times, and in some countries even eight times, more likely to view their organizations as self-governing, more inspiring and less coercive than the employee population at large.
Trust, shared values and a deep understanding of and commitment to a purpose-driven mission are the three most important drivers of self-governing behaviors that produce competitive advantage and enhanced business performance.

Armed with these and other findings from The How Report, company leaders everywhere have a unique opportunity to unlock the full potential of their employees' hearts and minds, and thereby to position the companies they are entrusted to run to enjoy a level of success and significance far beyond that which their less evolved, less self-governing competitors can achieve. And ultimately, over time and through leading by example and manifesting the fruits of self-governance, these organizations will pave the way for others to embark on a similar journey.

The wave of self-governance is unstoppable, and ultimately what is best for our future. Our world is threatened by problems that seem more serious, complex and insurmountable than ever before. Hunger, poverty, war, environmental devastation and lack of access to education and basic healthcare continue to threaten the survival of our species and leave us worrying about the state of the world our children will inherit. These problems, and a whole host of others, require levels of creativity, innovation and cooperation among companies and their employees previously unseen; and as evidenced in The How Report, those qualities surface, ignite and catalyze geometrically in self-governing organizations. That said, self-governing organizations and the business benefits they reap don't spontaneously come into being. Creating and maintaining them requires a strategy. So as a company leader, where should you start? Here's what we at LRN recommend:


Challenge your assumptions about governance, culture and leadership. Remember that these are drivers of business performance and that their impact is measurable. Pursue culture as a strategy by measuring it, and then take advantage of its strengths and address opportunities for growth.

Extend trust throughout your organization and commit to leadership that inspires. Doing this ignites potential because power is not held and wielded from the top down. Rather, it is shared and used to achieve the mission and purpose of the organization through behaviors guided by universally accepted core values and principles.

Embrace transparency. Understand that in today's world, very little remains hidden, so it is more important now than ever to have nothing to hide. Help your company protect and maintain its good reputation by taking action to ensure that values and behaviors are aligned with purpose and business strategy.

Stay committed, no matter what. The journey to self-governance is not easy. It requires letting go of control and proceeding into the unknown. This can be uncomfortable, especially in times of tumult and change. Keep going. Be deliberate and relentless in your focus on governance, culture and leadership; and continuously develop and implement strategies designed to shift behavior and thereby improve company performance.

At the end of the day, a company filled with inspired, empowered, self-governing employees who rally around shared principles and values to serve a higher-purpose mission, and who have at their fingertips tools and other methods of support (by way of their company's ethics and compliance program and other business processes) to help them behave legally, responsibly and ethically under any and all circumstances, will enjoy a position of markedly greater strength in the marketplace, and will be able to sustain and differentiate itself and to pursue significance far more easily, organically and effectively than its competition.
Given that these results are real and have been proven, shouldnt you embark on the journey?


An LRN Thought Leadership Report

25

ECA Risk Forecast Report 2012 Ethics & Compliance Alliance Risk Forecast Report 2013

Education and Communication Strategies for 2013


Charles Ruthford, ECA Expert Panelist

Charles Ruthford is nationally recognized in the ethics profession as a leader in measuring organizational culture, ethics education and ethics program development. With over 22 years of management and 14 years of front-line leadership experience, Charles served as ethics and compliance officer with The Boeing Company where, among other leadership roles, he chaired the Defense Industry Initiative on Business Conduct and Ethics (DII) Survey Team. His deep experience at Boeing included managing executive and senior-level leadership development programs at the Boeing Leadership Center, where he was responsible for leadership, business, finance and strategy curricula. Charles retired from Boeing in March 2010.

Effective Approaches to Mitigating Risk


The risks associated with ethics and compliance education and communication may seem minor when compared to the risks of FCPA (Foreign Corrupt Practices Act), ITAR (International Traffic in Arms Regulations), lobbying, or insider trading violations. The reality is that ineffective and outdated education and communication methodologies, coupled with complacency from knowing that all employees have received their annual refresher training, actually increase the risk of misconduct and violations of law.

Recent research in the areas of ethics and culture is shedding new light on how people view themselves in an ethical and compliance context and how they act in actual situations. By looking at how people use decision criteria and tools to help them choose to do the right thing, the research calls into question many of the assumptions we've made in the past about how to influence ethical and compliant behavior. Our traditional approach to ethics and compliance education and communication may have us compliant, yet our employees are not prepared to deal with difficult situations. A reasoning- and rules-based educational focus does not necessarily guarantee proper behavior in such situations. However, when components of emotion and efficacy are added to the reasoning and values focus, employees do, in fact, demonstrate increased ethical and compliance behavior.

Your current education and communication approaches are no doubt in alignment with common industry practices. You are not alone in your past assumptions about how to influence employee behavior through training. This report provides a clearer picture about how employees react in stressful situations. The findings may surprise you, and cause you to question your past approaches to ethics and compliance education and communication.
The report suggests proven methods and tools that you can use to respond to these new findings and make your education and communication experiences compelling; more importantly, they can lead to behavior change and real compliance within your organization. As an ethics and compliance practitioner, you strive to design and deploy educational experiences and communication events that will influence employee behavior and affect the ethical climate in your organization. One of your responsibilities is to identify and reduce risk. Employees must be prepared to do the right thing when they encounter a difficult situation. For organizations to move from a myopic rules-based focus to a more expansive values-based leadership view, there is a need for new approaches and models. This report is designed to help point you in the right direction and mitigate risk in your organization.

Compelling education and communication experiences lead to more engaged employees, a greater sense of collaboration, a reduction in organizational risk, and improved business performance. More resources may be required to build and deploy such compelling experiences. This report also helps make the business case with senior leaders for expending additional resources to create and deploy these enhanced and effective experiences.

The Past and Present: Why Are We at Risk?


We had previously assumed that collective moral reasoning or the ethical climate in organizations leads to ethical behavior. While current and past research shows a positive correlation between collective moral reasoning (inputs) and ethical or compliant behavior (outcomes), the correlation isn't all that strong.

In the 1980s and 1990s, ethics and compliance practitioners took a cognitive or knowledge-based approach to educating employees. Our assumption was that, armed with knowledge, a decision-making process, and an awareness of consequences, people would make rational and proper choices. Our classroom training focused on the rules and expected behaviors. Participants heard a clear explanation of the consequences of misconduct. Case studies and problem solving were used as examples to highlight rules and ethical principles. Employees were directed to their managers or an ethics line if they needed assistance or had an issue to report. Finally, the classes provided a five- or six-step ethics decision-making process.

These were high-quality classes. They were designed and built by experienced instructional systems design professionals and delivered, in person, by qualified instructors. We heard two common messages from employees about these classes. First, they were not shy about telling us they got the ethical principles after the first class, and they asked whether their brains had been cleared on the 366th day, requiring them to be refreshed each year. Second, we heard sarcastic comments about how the individual employees were being punished for the misdeeds of senior management by having to participate in the annual refresher training.

As computer and networking technology improved, the classes were transformed into an online format to take advantage of the scalability and efficiency features of the Internet and company intranets. The online format does a good job of conveying information to employees. However, this format doesn't necessarily help influence or change behaviors.


The Latest Research: Preparing to Meet the Risks


In their 2011 book Blind Spots, professors Max Bazerman (Harvard Business School) and Ann Tenbrunsel (University of Notre Dame) write about how people act against their own ethical values, and how they aren't as ethical as they may think they are. The situations the authors describe are more common than you might realize. Their research data clearly show how people, when asked about a difficult or confrontational situation, say they will act ethically. This is what they should do. In the real situation, they choose the non-confrontational or easy path, and act unethically. This is what they want to do. When asked to recall how they acted, they engage in a form of revisionist history and describe what they did as ethical. After all, in seeing themselves as ethical people, they couldn't have engaged in unethical behavior. You can imagine how this line of reasoning could move people onto the slippery slope of seeing unethical behavior as actually being ethical.

The authors also presented data showing how over 50% of respondents said they would act a certain way when facing a situation, and yet when they actually encountered the situation, none of the respondents acted the way they predicted. It's clear that people intend, rather than demonstrate, ethical behavior. In the recommendations sections of their book, the authors state that ethics and compliance education and communication, in order to be effective, need to move away from knowledge-based and rational thinking, and toward a behavioral and psychological focus.


The second piece of research is from Nobel Prize Laureate Professor Daniel Kahneman. In his 2011 book Thinking Fast and Slow, Professor Kahneman describes two systems in the brain. One system works quickly, using intuition and emotion to guide decisions. The other system works slowly, evaluating situations from a more thoughtful and rational perspective. When it comes to ethical or compliance dilemmas in which people have a stake in the outcome, they will make their decision in a split second and be guided by their intuition and emotion. They won't even consider using the six-step ethical decision-making model. While Professor Kahneman doesn't give specific recommendations for education and training, it's easy to see how his research agrees with that of Professors Bazerman and Tenbrunsel. To be effective, ethics and compliance education and communications need to focus on intuition and emotion, in addition to facts and consequences.

The third piece of research comes from Professors Anke Arnaud (Embry-Riddle Aeronautical University) and Marshall Schminke (University of Central Florida). In their paper "The Ethical Climate and Context of Organizations: A Comprehensive Model" (Organization Science, November/December 2012), the authors describe how adding emotion and efficacy to moral reasoning greatly enhances ethical behavior. In the past, emotion was thought to hinder rational business decision-making. Our earlier management and leadership training and measurement systems stressed the deleterious nature of emotion. The latest research, however, shows how emotion actually enhances rational business decision-making. Professors Arnaud and Schminke's results highlight and confirm previous research concerning ethical efficacy. Ethical efficacy occurs when people believe that the action they are about to take, or the questions they need to raise, will have an effect on ethical behavior, be meaningful, or make a difference within the organization. Their findings go on to say that when collective moral reasoning, collective moral emotion, and collective ethical efficacy are all synchronized, the effects on ethical behavior jump dramatically.


An Effective Approach to Ethics and Compliance Education


The steps below will help create the compelling educational and communication experiences that will influence people and cultures at emotional and intuitive levels.

1. Interaction. Experiences need to be interactive in nature. When participants are able to view a situation or case study, and experiment with a number of different solutions to see which one works best, they are able to recognize the best approach. They can incorporate that best solution into their daily activities, and are more likely to react properly when a difficult situation occurs.

2. Collaboration. Compelling education and communication activities need to support collaboration between several participants. People learn best when they have an opportunity to tell stories, listen to others, and consider different or diverse ideas about a situation. By our nature, we humans learn best together.

3. Problem Solving. Research shows that participants rate education and communication activities more effective and satisfying when they employ real-life case studies, solve ethical dilemmas, and engage them in role-playing.

4. Transformation. The activities also need to be transformative. There needs to be time in the activity to discuss concrete examples of how the ethical principles and desired behaviors apply directly to the participant and his or her organization. How will people need to change?

5. Reflection. The transformation process starts to take hold when there is time allocated for reflection. During reflection, participants talk about and possibly write about the individual and organizational changes that are necessary to incorporate the ethical principles and desired behaviors into daily activities. At this point, participants are making choices on how they will act in the future.

6. Learner-Directed Outcomes. Adult learning principles assert that participants report greater satisfaction with the learning activity, and find it more effective, when they can customize the experience to suit their specific needs. One size does not fit all. To be meaningful, the learner needs to be able to translate and apply the ethical principles and desired behaviors into his or her context. This is not to be confused with situational ethics, where people modify the ethical principles and desired behaviors to justify unethical acts.

7. Front-Line Management Involvement. Education and communication experiences are most effective and satisfactory when front-line managers lead and have a significant involvement in the activity. Research published by Larkin and Larkin in their 1994 book Communicating Change: Winning Employee Support for New Business Goals shows that the front-line manager is the person in the organization most trusted by employees. Management's involvement and leadership further solidifies the alignment with values, strategies, and tactics.



Attributes and Results of Education and Communication Approaches


In both cases, it is assumed that the person making the decision will be personally and significantly affected by the outcome.

PAST APPROACH

Assumption: Ethics and compliance decision-making is a rational, reasoned-through process.

Past Approach to Education: Lessons provide knowledge and information about expectations and rules. Examples make consequences for misconduct clear. Exercises promote practicing the concepts. Supplemental materials provide decision-making tools and support mechanisms.

Results: Education and communication experiences provide knowledge and do not affect emotion and intuition. When dealing with difficult situations, employees will still decide based on emotion and intuition, and will not apply the rational decision-making process. The initial assumption of rational decision-making is false. Employees are unprepared for difficult situations and may choose to do the wrong thing based on what they want to do, rather than on what they should do.

NEW APPROACH

Assumption: Ethics and compliance decision-making is a split-second process. People unconsciously use emotion and intuition to guide choices.

New Approach to Education: Interactive exercises and activities provide opportunity to experiment. Collaboration brings in different ideas and approaches. Problem-solving with real-life examples engages participants. Transformative activities launch change processes that affect emotion and intuition. Reflection promotes "how am I going to do this differently in the future" thinking. Learner-directed outcomes encourage the learner's increasing engagement. Front-line management involvement increases trust and engagement.

Results: Education and communication experiences are more engaging and compelling, resulting in greater acceptance and retention. Education and communication experiences influence emotion and intuition. Employees are better prepared to deal with difficult situations, because they naturally engage emotion and intuition in decision-making. Risks are reduced.


Tying It All Together


To create and deploy compelling ethics and compliance education and communication experiences, one must obtain support within the organization. These educational experiences will cost more than the traditional methods of the past. The good news is that investment in education and communications activities, along with a focus on values-based leadership, collaboration, engagement, and culture, all produce a positive return on investment. Cultural change does take commitment, persistence, and patience. Once started, positive cultural changes can snowball, and organization members will be more engaged, satisfied, and productive. People will demonstrate ethical behavior, while business performance will improve. Professors John Kotter and James Heskett, in their 1992 book Corporate Culture and Performance, describe tremendous performance improvement in organizations with collaborative environments.

To support the educational thrust, additional initiatives to improve commitment, alignment, and involvement are required. While this report focuses on the education and communication initiatives, the other initiatives are briefly described below, with references to other writings and toolkits where practitioners and leaders can learn more.

Initiative 1: Setting the Tone. Senior leaders must set the tone in the organization: that values-based leadership and ethical behavior are the expected norm. They do this through modeling desired ethical behaviors, requiring accountability, and linking decisions to organizational values. More information, tools, and examples describing and supporting leadership action on this first initiative can be found on the LRN Inspirational Leadership Alliance website.

Initiative 2: Tone in the Middle. Initiative 1 makes a clear case for guidance, commitment, and action from senior leaders. There is an equally important role to be filled by mid-level leaders and managers. As exemplars of ethical and compliant behavior, team members in the middle are responsible for passing along the values of the culture. More information, tools, and examples can be found in the Tone in the Middle toolkit on the LRN Ethics & Compliance Alliance website.

Initiative 3: Establish Measurement Systems. These systems need to measure corporate culture, and offer rewards when the desired values and behaviors are demonstrated. This is a two-pronged initiative. First, a set of metrics and organizational performance measures is required. Aligned with values-based leadership and ethical behavior, these measures need to go beyond financial performance and the sacred net income, free cash flow, and P/E ratio metrics. Second, values and desired ethical behaviors need to be evaluated in manager and employee performance appraisal processes. Are the values and behaviors required to support an ethical culture talked about and used to rate employee and management performance? Are rewards given based on those ratings? The old adage "what gets measured gets done" is still true.



Initiative 4: Building Compelling Ethics and Compliance Education and Communication Experiences. Now that senior and mid-level managers are setting the proper tone, and individual and organizational performance measuring systems are in place, it is possible to create education and communication experiences that truly are compelling and engaging. The efforts made in creating the educational experiences will stimulate an organization in a positive way. It's also a matter of alignment. When the same messages flow in multiple channels, members of the organization pay more attention and incorporate the messages into their personal models of how the organization is run. The result: cultural change starts to occur.


Summary
Compelling education and communication experiences that can influence people at emotional and intuitive levels can reduce ethics and compliance risk. These experiences will likely cost more to develop, and require more employee time to complete. This new approach to learning and communication will require commitment by senior leaders, involvement of mid-level managers, and individual measurement systems that are aligned with organizational ones. These costs are greatly outweighed, however, by the benefits of engaged employees who will respond in an ethical and compliant manner in difficult situations. They will do so in a collaborative environment, thus significantly reducing organizational risk, while at the same time improving business performance.


Government Contracting and Relationships


Eric Feldman, ECA Expert Panelist

Eric Feldman is recognized for his deep knowledge and expertise in areas of government contracts and relationships. Eric retired from the Central Intelligence Agency (CIA) in 2011 with over 32 years of experience in Inspector General oversight and federal auditing in both the Executive and Legislative branches of government. Eric served in executive positions with the Offices of Inspector General at the Department of Defense, Defense Intelligence Agency, and CIA, and was the longest serving Inspector General of the National Reconnaissance Office (NRO), from 2003 to 2009.

Survival Strategies Beyond the Fiscal Cliff


The Impact of Federal Budget Cuts Looms Large for Contractors
In the 2012 LRN ECA Risk Forecast, I noted that government contracting requires a sharp calculation of risks versus rewards. Typically, that calculation has come out in favor of companies expending the necessary time and effort to maneuver a minefield of often complex and frustrating regulations in order to reap the financial benefits and stability associated with government contracting. I also predicted that 2011 would be the beginning of a multi-year calibration of the role of government at all levels, and that this process could destabilize the once-predictable environment for government contractors for years to come. Unfortunately, this forecast turned out to be an understatement. Instead of the 2012 sequestration process inspiring cooler heads to prevail, the polarized political process has created a near certainty that 2013 will result in substantial challenges for government contractors at the federal, state, and municipal levels requiring unprecedented dexterity and prudent decision-making to survive and prosper in this new world order.

Is the Fiscal Cliff as Dire as Advertised?


The FY 2012 budget included close to $1 trillion in cuts over 10 years, with $21 billion taking effect last year. The Budget Control Act (BCA) of 2011 requires the federal government to reduce spending by more than an additional $1 trillion by 2021. This amounts to cutting about $109 billion from the budget each year. To accomplish this, the BCA created the Joint Select Committee on Deficit Reduction (the Super Committee).1 Sequestration was the name given to the mandatory, across-the-board spending cuts (totaling about $1.2 trillion) that would occur automatically should the committee fail to compromise. As we know, there was no grand compromise. Through sequestration, budget cuts would be split equally between defense discretionary spending and non-defense mandatory (entitlement) and discretionary (non-entitlement) spending, without an increase in tax revenue. This represents about $55 billion in cuts from both the defense and non-defense budgets every year.2


1 Conference Report on H.R. 2112, Consolidated and Further Continuing Appropriations Act, 2012, Congressional Record, November 14, 2011.
2 Ousley, Jeff. "Sequestration Could Have Serious Consequences for Military Members," Veterans United, August 7, 2012 (www.veteransunited.org).


Defense spending cuts will be spread across all branches. While some programs may be spared, other sections of the military could see 7-10 percent of their budgets eliminated.3 Non-defense spending cuts are typically program-specific and categorized as either mandatory or discretionary. Most mandatory programs such as Social Security, Medicaid, food stamps, and retirement benefits are currently exempt from reductions. Medicare is the exception, though cuts are capped at 2 percent per year ($11 billion in 2013) and limited to providers and insurers, not beneficiaries. The Government Accountability Office issued a decision on May 21, 2012 that Department of Veterans Affairs spending is exempt from sequestration (with the exception of limited administrative expenses).


Non-defense spending cuts will be accomplished through broad reductions in funding for discretionary programs. If sequestration occurs, $1.2 trillion in budget cuts will begin on January 2, 2013, and continue through FY 2021.4 The BCA of 2011 also provides a way to avoid sequestration if Congress successfully acts to achieve equivalent deficit reduction savings. If Congress attains less deficit reduction savings than required, sequestration cuts will be reduced by the amount in savings actually realized. For example, if Congress creates $80 billion in alternative deficit reductions, and the plan becomes law, the $1.2 trillion sequestration will be reduced by $80 billion.5

On January 1, 2012, the House passed a series of tax changes and revenue enhancements that avoided the fiscal cliff of across-the-board tax increases (the Senate passed the same bill late into the night of New Year's Eve). This bill also delayed the sequestration required by the BCA of 2011 by two months, literally kicking the can down the road for the new Congress to deal with in the first quarter of 2013.

Although discussions of sequestration tend to be alarming, it may turn out to be the most politically and practically expedient way to avoid a true fiscal crisis. And, of course, Congress retains options to mitigate the effects of across-the-board cuts by:

- Reprogramming funds after the sequester;
- Changing the definition of programs, projects and activities (the budget level at which the cuts are implemented);
- Taking advantage of flexibility within operations and maintenance funds. Because the Office of Management and Budget has declared that war spending is eligible for sequestration, total cuts to operations and maintenance may be spread across a bigger pot of money.

It is important to note that sequestration does not affect funds already obligated, and it is not intended to affect existing contracts. So if sequestration happens, the world as we know it will not end. Congress, OMB, and the Pentagon will, in fact, have more flexibility than they have been willing to admit. But how will all of this impact government contractors?

3 Ousley, Jeff.
4 Venable.com
5 Martin, Willard. "Preparing for Government Sequestration and Budget Cuts," Government Contracts Update, Winter 2012.


The Impact of Sequestration on Government Contracting


If sequestration occurs, the Congressional Budget Office estimates defense programs will be cut by 10 percent and non-defense programs will be cut by 8.5 percent in FY 2013. Consequently, contractors should prepare to navigate in an environment of increased competition. Last fall, OMB began issuing agency apportionments for FY 2013. An apportionment is a legally binding order and it forbids an agency from spending more appropriated funds than OMB has allocated. In response, agencies are in the process of evaluating and prioritizing their budgets. Typically, agencies attempt to reduce personnel through attrition to meet budget cuts, but this is not a typical budget cut. Agencies will need to scale back the number and size of new contracts for programs deemed non-critical. Even critical programs will likely be impacted as agencies look for the most efficient ways to utilize reduced funding.


Regardless of mitigating tactics, it is a certainty that sequestration, or even the threat of it, will impact government spending. Government contractors should therefore consider several possible impacts of budget reductions on the government procurement process:

Existing Contracts: Limited funds could cause agencies to reduce the scope and quantity of products or services purchased on existing contracts. Agencies may choose to de-scope the quantity, capability, or breadth of contract performance through change orders, as well as partial, or even complete, contract terminations for convenience. However, outright terminations for convenience require the government to pay recoveries to terminated contractors; these may therefore be used sparingly. Contractors should expect agencies to propose restructuring existing contracts to defer costs to the future. Such restructuring may result in more term contracts, extensions of contract schedules to match funding, and requests for waiver of existing contractor claims. Contractors may see their option periods waived, forcing them to negotiate new contracts at lower prices, and face increasingly price-sensitive competition.

New Contracts: It is most likely that government contractors will see a decrease in the number of new contracts awarded, as agencies eliminate programs not absolutely essential to their missions. Types of contracts may also change, with agencies moving away from contract vehicles that place cost and performance risk on the government. For example, agencies are less likely to use cost-reimbursement and labor-hour contracts (previously favorites in the government services arena), instead favoring fixed-price contracts for a greater degree of cost certainty and lower risk. Indefinite Delivery/Indefinite Quantity contracts will also become more attractive for the government because they allow agencies to negotiate at the task order level. In addition, government contractors are already seeing a trend away from best value procurements toward lowest-price, technically acceptable sources.

Bid Protests: Stiffer competition for contracts will likely bring an increase in bid protest litigation, particularly from incumbents seeking to extend their performance on contracts, and offerors who need the awards to remain viable players in the government contracting space.


Procurement Integrity Violations: Intensified competition for fewer contracting opportunities can create a high-risk environment within companies, making them susceptible to employee misconduct, particularly with regard to following the rules of the competitive contracting process. In an effort to win contracts and curb layoffs and staff reductions, employees (particularly those in the contract capture process) may feel motivated to ignore or marginalize their company ethics and compliance programs and use whatever information is at their disposal, even prohibited government or competitor acquisition data, to give them an edge in the bidding process. Such ill-advised actions will lead to government investigations, prosecutions, suspensions and debarments, and increase the risk for contracting officials who might be entirely unaware of such behaviors within their companies.

State and Municipal Contracting: Although federal budget reductions have an obvious impact on federal contractors, the potential impact on companies that contract at the state and municipal levels should not be ignored. States and municipalities are already reeling from the loss of tax revenue due to the recession. It is reasonable to assume that follow-on cuts in federal spending in education, healthcare, transportation and housing, for example, will result in additional reductions in the number and value of contracts administered at state and local levels. Increased competition for fewer contract dollars could result in similar or even more serious problems with procurement fraud, problems less likely to be discovered in a timely manner given the scarcity of oversight resources at these levels of government.


How Can Contractors Position Themselves to Weather the Budget Storm?


There are several proactive steps government contractors can take to mitigate the risks of budget cuts, improve their competitive posture, and survive the unpredictable environment that has become the new normal of government contracting:

Develop strategies for an increasingly competitive market. It is important for government contractors to consider new ways to make themselves attractive and differentiate themselves from their competitors. Strong ethics and compliance programs, for example, have become a competitive differentiator on government contracts, as agencies can ill afford to deal with ethics and integrity problems in either the bidding or execution phases of mission-critical projects. Regular independent assessments of a contractor's ethical culture and ethics & compliance programs can help make the case that a company deserves the public trust. In addition, proposals that incorporate ethics assessments, training, and education at the project level provide evidence of commitment to controls and accountability important to government agencies in this new environment.

Be mindful of scope creep. As agencies try to stretch contracting dollars, contractors should verify that their program managers understand the company's obligations under the contract and remind them to notify upper management of any potential expansion of the contract scope immediately. If it appears that the government has changed the contract, a company must provide prompt notice of the change and take steps to ensure that it captures the costs associated with the new work.

Submit claims early. When a contractor has legitimate claims against the government, it makes sense to try to resolve them as early in the process as possible. This is especially true when the federal budget is tight; a contract with unresolved or unexplained cost overruns makes an easy target for budget watchdogs. If a contractor can establish, through a request for equitable adjustment or contract claim, for example, that the government bears responsibility for some or all of the cost growth, the agency may reconsider its plan to terminate a program. At minimum, a valid claim can reduce the likelihood that the government will terminate the contract for default rather than for convenience.

Pay attention to quality and performance. It bears repeating that in a tightening budget environment, the quality of contractor performance will be scrutinized and there will be other companies claiming that they can do a better job. Contractors can help themselves by helping agencies document the results achieved, outcomes realized, and reasons why their activities are mission-essential. Contractors should review performance assessments and seek to promptly correct reports that unduly attribute blame to them for matters beyond their control. Adverse assessments not only affect future business, they can weaken arguments for maintaining current budget levels on existing programs. Contractors should understand the circumstances under which they may challenge performance assessments under the Contract Disputes Act.

Identify opportunities created as government emphasis shifts. There are some areas in which government spending is likely to increase. For example, the proposed DoD FY 2013 budget increases spending on cyberdefense, intelligence, surveillance, reconnaissance, and space. With the potential cancellation of multiple major programs, DoD focus may shift to more proven, rapidly deployable, commercial technology. It is also widely believed that the second-term Obama Administration will increase federal spending on infrastructure that was previously delayed or ignored by the states; thus, contractor opportunities may arise in highway and bridge construction, high-speed rail projects, airport redevelopment, and other job-creating projects.

Pay attention to subcontractors and team members. With potential partial terminations and deductive changes, prime contractors are apt to face disputes among subcontractors and team members over remaining work share. Contractors who anticipate these scenarios and address them in teaming agreements and subcontracts will be in a better position to resolve such matters favorably. In addition, contractors should be aware that agencies are paying attention to the activities of their subcontractors, vendors, and suppliers, and should exercise effective third-party due diligence to ensure that these team members meet expectations.



Be ready for increased government oversight. Suspensions and debarments of contractors by government agencies reached an all-time high in 2011, with no signs of abating in 2012. It is likely that decreasing budgets and the increasing importance of contract integrity and performance will drive even more aggressive enforcement of Federal Acquisition Regulations in 2013. For its part, the Defense Contract Audit Agency (DCAA) has more tools than ever to collect monies from contractors, including the ability to withhold payments if the agency finds a significant deficiency in the contractor's business systems. Contractors will need to guard against unsupportable payment withholds by DCAA. Finally, the political discourse in 2012 indicated that declining taxpayer tolerance for waste, fraud, and abuse of public funds will continue to drive prosecutorial priorities in 2013 and beyond.

Assess the opportunities and risks of international markets. With declining U.S. government budgets, many contractors are setting their sights overseas. While foreign governments and international markets present opportunities, contractors should be aware of potential pitfalls associated with international business, including the complexities of complying with Export Control Laws and the Foreign Corrupt Practices Act, which both the DOJ and SEC are vigorously enforcing.

Expect a smaller, less-experienced government workforce. Several years of declining growth in the federal workforce, combined with pay freezes and proposals to change federal retirement and benefits, have taken a toll on many agencies' senior staffs. Among those affected is the federal acquisition workforce, which has been predicting for years that inexperience will wreak havoc with the contracting system. Government contractors have already experienced fallout from a less skilled and experienced public contracting workforce. For example, many have received inappropriately disclosed acquisition-sensitive information from inexperienced agency officials, who increasingly rely on contractors to catch these mistakes and serve as their internal control.

Tend to corporate ethics and compliance programs: you may need them. An already log-jammed legal system is likely to support the trend toward use of settlements and deferred/non-prosecution agreements to resolve both criminal and civil cases involving contractor misconduct. Many agreements will continue to contain ethics and compliance-related provisions, including requirements for remediation in areas of values-based ethics, internal controls, and ethical culture.




Ethics & Compliance Alliance Risk Forecast Report 2013

Labor and Employment


2013 Employment Law Update
Marcia Narine ECA Expert Panelist Marcia Narine is a recognized leader in the ethics, compliance, and legal fields with deep experience leading and managing corporate ethics, compliance, and risk management programs and initiatives. Marcia supports our partners across a number of key focus areas, including Labor & Employment, E&C Program Management, Supply Chain, and Privacy. Marcia recently served as vice president and deputy general counsel of Ryder System, Inc., a Fortune 500 global transportation and supply chain management solutions company. At Ryder, Marcia oversaw the company's global compliance, business ethics, privacy, government relations, enterprise risk management, corporate responsibility, and labor and employment legal programs. Prior to this role, Marcia served as group director of human resources for Ryder's supply chain solutions division. In addition to the above leadership roles, Marcia has recently been appointed by the U.S. Secretary of Labor to serve on the Whistleblower Protection Advisory Committee.

Compliance and ethics officers (CECOs) have so much on their plates that they can sometimes forget how their roles overlap with others within the organization. As senior members of the leadership team charged with ensuring that board members are comfortable with the state of the compliance program, CECOs may want to discuss the following top issues with the employment lawyers and HR professionals in the organization.

Incentives
HR professionals are experts in designing incentive programs through salaries, bonuses, promotions, and other rewards strategies. Similarly, compliance officers know that incentives are a key component of effective compliance programs under the Sentencing Guidelines.1 The Department of Justice recently issued a 120-page Guidance on the Foreign Corrupt Practices Act.2 While the HR department might not think that bribery issues are within their purview, CECOs and HR professionals know that employees may confide in their managers before they call anonymous hotlines, the law department, or faceless people in compliance whom they have never met. On the flip side, the employee may be disgruntled and bypass the company altogether, going straight to the government to seek a reward under the Dodd-Frank whistleblower program.3 Compliance, legal and HR should work together to ensure that all relevant management and line personnel with exposure to government employees, inspectors, agents, and others in a position to ask for, give, or accept bribes understand the nuances of the DOJ's Guidance and the government's expectations. They may not want to give cash incentives to employees for reporting bribery; would reporting suspected bribery be more valuable than reporting sexual harassment, for example? But a public acknowledgement from the company CEO provides significant intrinsic rewards and can be valued more by employees.

Furthermore, incentive programs can backfire. Many companies provide bonuses for individuals or departments if, for example, they have no accidents or injuries within a specific time period. At first blush this would appear to promote a culture of safety. These programs have the added bonus of lowering workers' compensation costs. However, in 2012 the Occupational Health and Safety Administration (OSHA) reiterated its position that safety incentive programs can be considered acts of discrimination if they provide employees with justification for not reporting legitimate accidents or injuries.4 It's worth examining the training, policy manuals, emails, documentation, recordkeeping, and especially employee perceptions to assess whether the company has vulnerabilities in this area. OSHA recommends rewarding safety training, repairing hazardous workplace conditions, and reporting accidents. Although the company may have been acting in good faith, OSHA has sent memos to regional field offices to step up enforcement in this area of safety incentives that may penalize workers.

1 USSG 8B2.1(b)(6)
2 http://www.justice.gov/criminal/fraud/fcpa/guide.pdf
3 http://www.sec.gov/whistleblower. Under the Dodd-Frank whistleblower program, the employee could, under certain circumstances, receive 10-30% of any recovery over $1,000,000 that the SEC receives.

The regulatory agenda
Now that the elections are over, cash-strapped state and federal regulatory agencies are moving into high gear in terms of enforcement and collection of fines and penalties. Additionally, state legislatures typically enact new laws that go into effect in January or July. It is critical that CECOs check with their law departments and HR professionals to make sure that they are in compliance with any new laws. The poor economy has led to a new category of laws that makes employers particularly vulnerable. A number of states are considering or have passed laws on unemployment discrimination, making it unlawful to refuse to hire someone because they have been out of work for too long. Because of the economy and foreclosure crisis, some states now forbid employers from inquiring about credit during a background check. These kinds of issues can not only subject the company to significant financial liability, but the firm can also suffer reputational harm.

In the past two years, a number of states have enacted controversial or particularly onerous laws from a compliance perspective. For example, 17 states have passed guns-in-the-workplace laws, but there are a number of exceptions. Is your workplace one of them? Do your employees travel to such excepted work sites? Do your employees cross state lines to meet regularly with customers where the laws may be different? With the increase in workplace violence, managers need to be prepared to deal with these issues. Other states have passed medical marijuana laws. But what if some of your workforce is subject to federal drug testing laws? Adding to the complexity, what if your employees live in states that have recently legalized marijuana for recreational use? You will need to make sure that your HR, in-house, and outside legal counsel have thought these issues through and have clearly communicated policies and talking points for managers who may watch local news, or try to interpret the laws themselves by looking to the Internet or other unapproved sources for answers.

At the federal level, on December 17, 2012, the Equal Employment Opportunity Commission (EEOC) released its 2013-2016 Strategic Enforcement Plan (SEP). The SEP lists the following priorities: 1) eliminating barriers in recruiting and focusing on practices that steer individuals into specific jobs due to their status in a particular group; 2) protecting vulnerable workers, particularly migrants and immigrants, and specifically focusing on job segregation, human trafficking, disparate pay, and harassment; 3) focusing on the Americans with Disabilities Act, and the employer's use of the undue hardship and direct threat defenses; 4) reviewing pregnancy-related limitations both under the ADA and under Title VII of the Civil Rights Act; 5) seeking protection for lesbian, gay, bisexual and transgender individuals under Title VII; 6) enforcing equal pay laws; 7) proceeding against employers who use overly broad settlement waivers or engage in retaliation; and 8) preventing harassment through educational outreach and litigation.

The EEOC has also indicated that it will continue to consider the use of criminal background checks as a screening tool as a possible violation of Title VII. The EEOC has cited social science statistics indicating that background checks tend to disfavor blacks and Hispanics, who are arrested and convicted at a higher rate than whites. Applications asking for date of birth and pre-employment tests are also red flags for the EEOC. Employers should review their hiring, pay, and promotion practices to ensure that there is a clear connection to documented, bona fide job requirements. The EEOC will continue to aggressively pursue large systemic cases, especially those showing adverse impact.

The National Labor Relations Board has also been active in the past year, and its rulings impact non-organized workforces as well. In addition to key social media decisions, which have been covered elsewhere in this publication, the NLRB issued rulings on at-will employment and off-duty access policies. Employers commonly state in employee handbooks that the employee's status is at will, meaning that they can be terminated at any time for any reason with or without cause so long as the reason is not unlawful.

4 http://www.osha.gov/as/opa/whistleblowermemo.html
In two cases this year, the NLRB found that clauses which stated that the at-will status could not be amended, modified or altered in any way were unlawful. Although these may have been cases of inartful drafting, in a recent speech the Acting General Counsel of the NLRB made it clear that if a worker believes that unionization or a valid collective bargaining agreement cannot alter their at-will status, then the at-will disclaimer could be unlawful. The takeaway for a company is that even if an at-will disclaimer uses different words, an employer may need to consider what the reasonable worker might think while reading it.

Many employers, particularly those in hospitality or other workplaces open to the public, have a no-access rule, under which off-duty workers are not allowed to come on site except under limited circumstances. Under NLRB rules, a no-access rule is valid only under three conditions. The rule must (1) limit access solely with respect to the interior of the employer's premises and other working areas; (2) be clearly written and distributed to all employees; and (3) apply to off-duty employees seeking access to the facility for any purpose and not just to those engaging in union activity.5

Finally, the Department of Labor (DOL) has probably been among the busiest regulatory agencies over the past few years, and 2013 promises to be no different. In addition to overseeing OSHA, which was discussed above, the DOL is responsible for wage and hour compliance under the Fair Labor Standards Act. The Fair Labor Standards Act generally provides that employees must be paid an overtime premium for any hours worked over 40 in a work week, unless they are subject to an exemption. Companies that have not already faced an individual wage and hour claim, or a wage and hour class or collective action, should be working with their HR and legal teams to make sure that they have already commenced an attorney-client privileged wage and hour audit to protect themselves from a potential multi-million dollar lawsuit. A number of employers are facing litigation in the state courts as well.

But how should organizations prioritize wage and hour audits? It depends on the business model. Organizations using a number of temporary agencies may have joint employer risk. Consider, for example, the temporary worker whose assignment is to replace someone who is out for three months, yet who has been at the work site for two years. That temporary worker can claim to be the company's employee. That risk multiplies when a company outsources a major part of its workforce to another company, and it isn't clear who manages what part of the workforce.

All companies need to ensure that they have not misclassified their workers as exempt (salaried) rather than non-exempt (hourly). It is critical to look at more than just job descriptions, or what employees say in interviews. Instead, auditors must focus on what the employees actually do, remembering that what employees do at one location may be very different from what employees with the same job title do at another location in a different city, or even down the street. Similarly, what employees do at your company may be different from what employees at your peer companies with the same job title do. Additionally, what employees tell the company auditor that they do may be very different from what they will tell a DOL investigator behind closed doors, or what the investigator will actually see while watching the employee do his or her job.

Employers also face increased risk for unpaid overtime with more workers telecommuting, working through lunch, and checking email from home, because they are worried about keeping their jobs. Employers using the salaried non-exempt classification or fluctuating work week should check with their employment counsel, because the Department of Labor stated in 2011 that anyone who pays their employees any bonuses or premiums cannot use the fluctuating work week. The DOL's statements and interpretations of court rulings are not binding. Nonetheless, companies should not ignore the risks and may want to consider basing bonuses on metrics such as performance, productivity, sales, or safety. You should work with counsel and review relevant court decisions in your jurisdiction.

Finally, although the national unemployment statistics are getting better, many people still cannot find work, and overqualified people are willing to work as interns with the hope of gaining full-time paid employment. The DOL has very specific rules regarding who qualifies as an unpaid intern, and increasingly, unemployed people who volunteer to work as interns are filing wage-and-hour claims.

5 On Friday January 25, 2013, an appellate court ruled that President Obama's recess appointments to the NLRB were unconstitutional, which in turn potentially invalidates any rulings handed down during their service. Companies should work with their outside counsel to determine whether the court's actions affect any company policies.


5 http://www.dol.gov/whd/regs/compliance/whdfs71.htm#.UNOBh4njnAU



Who's The Boss?


In the spring or summer of 2013, the Supreme Court will rule on a case that could fundamentally change the workplace. Title VII forbids employers from practicing workplace harassment, discrimination, or retaliation, and from doing so through their agents, which include supervisors. The Court agreed to hear Vance v. Ball State University from the Seventh Circuit, which involves an African-American kitchen worker. Vance alleged that her co-employees actually served in the capacity of her supervisors because they directed her day-to-day activities, and that their actions, including racial epithets and physical threats, created a hostile work environment. Both the lower court and the Seventh Circuit ruled that a supervisor is a person who has the actual authority to take a specific workplace action, such as hiring, firing, transferring, demoting, disciplining, or promoting an employee. Currently there is a split in the circuits, with some holding that an employee with the authority to control what a fellow worker does on a daily basis is a supervisor as well. The Supreme Court ruled on vicarious liability in the context of sexual harassment in 1998, but did not rule on the definition of a supervisor. The EEOC has always taken the position that co-workers can subject employers to vicarious liability for harassment. The Vance case could therefore be a watershed ruling for employers.


Conclusion
Although the economy is improving, job applicants who are not hired, or current employees who are disciplined, demoted, passed over for promotion, or terminated, will not hesitate to bring legal action against the company. The Supreme Court may make that even easier if it relaxes the definition of a supervisor. Similarly, organizations must contend with the alphabet soup of regulatory agencies: the EEOC, NLRB, DOL and OSHA have promised aggressive enforcement against companies, and states are enacting new and often confusing regulations. The plaintiffs' bar is emboldened by large victories in class and collective actions against employers. 2013 will therefore once again be a busy year for CECOs, and they must stay closely aligned with their colleagues in the HR and legal organizations to make sure that nothing falls through the cracks.




Privacy and Data Protection


2013 Global Risk Perspective
Robert Bond ECA Expert Panelist Robert Bond has been a solicitor and notary public of England and Wales for over 30 years, and brings deep expertise and global perspective to our LRN ECA partner audience in areas of privacy and data protection, information security, global ethics and corporate responsibility, social and digital media, e-commerce, and Internet law among other important risk areas. Robert is a widely published author and recognized global authority in his areas of expertise.

This article examines current trends for the next year in Global Data Privacy and Information Security, with a focus on the EU and Asia, and considers what global companies should be doing to manage compliance and mitigate risk. A year ago I looked at the draft EU Data Protection Regulation and it will be revisited here, but in addition, I will look at the increase in privacy law in the Asia-Pacific region and the continued challenges of implementing ethical hotlines in the EU.

I recently conducted a survey of multinational corporations as to their key concerns for data privacy compliance, and the greatest concerns, in ascending order, were: Cyber Crime; Consumer Rights; Cloud Computing; Jurisdictional Issues; EU draft Data Protection Regulation; Cookie Compliance; Global Data Transfers.

Other issues of concern included: Managing Subject Access Requests; Social Media in the workplace; Bring your own device (BYOD) and data security.

Interestingly, topics that were not particularly mentioned as concerns were: Privacy by Design; Screening and monitoring of Employees; Data Leakage; Data Management; Engaging the board.

While it is not surprising that issues such as data transfers, cookies law, and the EU regulation were high on the list, we do expect that before too long key topics will include: Data Security; Data Breaches; Data Management; Managing Consumer Concerns.

Data Privacy Laws in Asia-Pacific


Asia Pacific is certainly a region to watch due to its rapid development in privacy laws, particularly in 2012. The Philippines Data Privacy Act, which was signed into law in August, 2012, is the first uniform privacy law for the country. It is a European-style data protection law with procedures to be followed in the collection, processing, and handling of personal information. The Act also sets out the rights of data subjects and creates a National Privacy Commission.

Singapore passed its Personal Data Protection Bill in mid-October, 2012. It creates an overarching data protection regime that applies across the economy. Organizations are prohibited from sending marketing messages to Singapore telephone numbers registered on a new Do Not Call Registry (the DNC Registry). A Personal Data Protection Commission is established to promote awareness of data protection and to enforce the bill. The bill is likely to be passed as an Act in early 2013, with a 12-month transition period for the DNC Registry provisions and an 18-month transition period for the rest of the bill.

Most of Hong Kong's Personal Data (Privacy) (Amendment) Ordinance 2012 took effect on October 1, 2012. One new requirement is that when data users use personal data, or provide personal data to another for use in direct marketing, they must provide data subjects with prior notice, and obtain their consent or indication of no objection. Moreover, data users have to take reasonable steps to ensure the security of personal data that they hold, and will also be responsible for any acts performed by any data processors whom they appointed.

Another piece of legislation that came into effect on October 1, 2012 is Taiwan's Personal Data Protection Law. The definition of personal data has expanded under the new legislation, which applies to all individuals, legal entities, and enterprises collecting personal data.

Australia passed the Privacy Amendment (Enhancing Privacy Protection) Bill in late November, 2012. It sets out the Australian Privacy Principles and strengthens the power of the regulator. Another development is Australia's consultation on mandatory data breach notification. The deadline to submit responses to the discussion paper ended in late November, and the results are due for release in 2013.

On December 28 the People's Republic of China (the PRC) passed the Resolution Relating to Strengthening the Protection of Information on the Internet (the Resolution). This nationwide, legally binding set of rules follows a series of developments in the PRC, such as the Several Regulations on Standardizing Market Order for Internet Information Services from March, 2012. Although it is brief and limited to electronic personal information, the Resolution obliges Internet service providers and other businesses to adopt necessary security measures to protect personal information, to state the purposes of the collection and to obtain consent from data subjects. It is unclear how the Resolution will be applied.



Last but not least, on January 1, 2013, Malaysia's Personal Data Protection Act 2010, also a European-style piece of legislation, finally came into force. It is noteworthy for the heavy penalties that it introduces for non-compliant companies.

A number of other jurisdictions in the region have introduced or updated their privacy laws in recent years. Macau has a Personal Data Protection Act 2007 which traces its European origins to the jurisdiction's historical links to Portugal. Japan's Act on the Protection of Personal Information has been effective since 2005 and provides moderate regulation. The high standard required by South Korea's Personal Information Protection Act 2011 has led some commentators to call it the strongest law in Asia, if not the world. India issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules in 2011, which widen the scope of its Information Technology Act 2000. Vietnam's Law for the Protection of Consumers' Rights 2010 took effect in July, 2011, and introduces some obligations on the collection of consumer information. Thailand also has a Personal Data Protection Bill in the pipeline.

So far, Europe has been shaping global data protection standards. However, as the value of data to businesses continues to grow across a broad range of sectors, the number of non-European countries with privacy laws is also increasing rapidly. The risk of non-compliance is significant, and companies should be aware of developments in jurisdictions beyond Europe.


Ethical Hotlines and EU Data Protection Laws


The use of hotlines and other reporting mechanisms as part of compliance with the Sarbanes-Oxley Act of 2002 (SOX), and anti-bribery and anti-trust laws, must take account of data protection, labor, and human rights legislation in the EU and perhaps other countries. For example, internal company investigations resulting from whistleblower reports or other litigation must now also take into account EU and other country data protection laws, when such matters or discovery involve the acquisition or transfer of personal data to the U.S., or the taking of adverse personnel action in that EU country. Currently at least 14 jurisdictions have published guidance or opinions on the implementation of ethical hotlines in the EU, namely Austria, Belgium, France, Finland, Germany, Hungary, Ireland, Italy, Netherlands, Norway, Portugal, Spain, Sweden, and the UK. Poland has not yet issued an opinion but their regulator, the GIODO (the Polish DPA), is aware of the need to provide guidance.

Current guidance
While the EU Article 29 Data Protection Working Party has issued its own opinion on the topic of whistleblower hotlines, different countries within the EU implement the EU Data Protection Directive (the Directive) to a different extent.


For instance, data protection laws in Hungary are particularly strict and do not implement all of the legal grounds for processing data under the Directive. Some aspects of SOX could therefore be construed as being in conflict with local law. Nevertheless, new guidance published by the Hungarian Data Protection Authority (DPA) allows companies to run hotlines, albeit with a restricted scope. On the other hand, in countries like Belgium, Finland, Ireland, and Norway no direct conflicts between local laws and SOX requirements exist. Most DPAs have issued guidance assisting companies to set up hotlines that are compliant with their local laws. Austria did not publish its own guidelines, but rather a statement setting out that it agrees with the Article 29 Data Protection Working Party opinion on whistleblower hotlines. Hungary, the Netherlands, and Ireland also subscribe to that same Article 29 Opinion.

Filings
Do not forget that the requirement to notify the Data Protection Authority when setting up a whistleblower hotline exists in a number of EU member states, including Austria, Belgium, Finland, Spain, and Portugal. However, there is no such formal requirement in Germany, Ireland, Italy, and the UK. While there is no requirement to notify separately in Hungary, in the light of the stringent Hungarian laws, I would recommend that companies do notify the Hungarian DPA to ensure that the company is fully compliant, not only with SOX, but also with Hungarian legislation. In France, whistleblowing procedures need to be authorized by the local DPA, the CNIL. In Portugal, a company must obtain special authorization before it can process data through a whistleblower hotline. In Poland, local law requires prior notification to GIODO before any transfer of data outside the European Economic Area, which is very likely when implementing and operating whistleblower hotlines.

Italy imposes an obligation for a public notice to be posted on the company's premises announcing the existence of the hotline. Portugal goes one step further and prescribes that employees be made aware not only of all aspects of the scheme, but also of the fact that it is voluntary in nature and that there are no consequences for not reporting. There is an additional requirement in Portugal to inform employees that abuse of the scheme, or use of it in bad faith, may expose the offender to disciplinary and legal proceedings. A different type of requirement exists in Switzerland and Poland, where employees' representatives (or the works council, if one exists) need to be consulted on the setup of a hotline. Data subjects in general need to be notified when personal data about them is being processed, because in some continental European countries, e.g. France, whistleblowing is directly associated with denunciation and, as such, perceived as morally wrong.


Restrictions on hotline providers


Data controllers and hotline providers must ensure that they take appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, disclosure, or access, and against all other unlawful forms of processing.


Is anonymous reporting allowed?


Out of the countries above, only Spain and Portugal have a straightforward categorical prohibition on anonymous reporting. Belgium and Germany permit anonymous reporting only in very restricted circumstances, and anonymous reporting is discouraged in Portugal, Netherlands, Austria, and Finland.

Limitations on scope of reports


Only a few of the jurisdictions allow setting up of whistleblower hotlines without significant restrictions. Austria and Belgium limit reporting to serious acts, serious irregularities, or crimes, and only in situations where reporting clearly could not take place within the normal line of command. Norway follows similar wording with severe issues and legal offences, including corruption, financial crime, breaches of company ethics code, hazardous working conditions, and harassment. Spain limits the scope of hotlines to substantial breaches that may result in the employee in question being disciplined or dismissed. No reports are permitted relating to general ethical breaches, workplace norms, worker grievances, or minor breaches. Entities that wish to extend the scope of their whistleblower hotlines to include sexual harassment, misconduct regarding protection of the environment, inhuman working conditions, etc., will need to justify in much more detail the legitimacy and need for the proposed processing.


Hungarian guidance on the matter refers to grave violations of company policies, and prohibits use of the system to control employees' work performance. Germany limits its scope to criminal offences against the interests of the company (e.g. fraud, misconduct, insider trading), or conduct that violates human rights or environmental interests. France restricts hotlines pre-authorized by the CNIL to reporting with regard to internal control in the financial, accounting, banking, and anti-bribery areas. Portugal also restricts reporting to accounting, internal accounting controls, auditing, banking, financial crime, and anti-bribery matters; whistleblowing schemes for companies' internal policies are expressly prohibited, and reporting is restricted to key management personnel only. Finally, in Sweden, only serious irregularities that concern accounting, internal accounting controls, auditing matters, combating bribery, or banking and financial crime may be reported through whistleblowing channels; serious irregularities that concern vital interests of the company, or an individual's life and health, may also be reported. Only employees in management or key positions within the company may be reported.

Understanding and planning to comply with the EU Data Protection Regulation


The intention of the Regulation is to build a stronger and more coherent data protection framework in the EU, backed by strong enforcement that will allow the digital economy to develop across the internal market, put individuals in control of their own data and reinforce legal and practical certainty for economic operators and public authorities. However, the Regulation in its current draft form imposes significant changes to the way in which businesses will have to comply with data protection laws and regulations in the EU. Based on the current version of the Regulation, businesses with entities in Europe that process personal data, use equipment in the EU for processing personal data, or are not in the EU but process the personal data of EU data subjects or monitor their behavior, will incur significant compliance obligations. As the Regulation applies to both data controllers and data processors, and dramatically extends the enforcement powers of the regulators and the fines for non-compliance (up to 2 percent of annual worldwide turnover for an intentional or negligent breach), businesses will need to prepare for investment in EU data protection compliance. The current amended Regulation is expected to be finalized in the spring of 2013, and will likely come into force by the end of 2014.

The Regulation applies both to data controllers and data processors that either have legal entities in the EU or process personal data of EU data subjects, irrespective of the location of the controller or processor; but the Regulation does not apply where the processing is by an individual purely for personal or household activities. Most of the current definitions of data subject, personal data, and the like remain the same, except that sensitive personal data now includes genetic and biometric information. Consent is defined as any freely given, specific, informed and explicit indication of the data subject's wishes. Also, personal data breach is now defined with respect to a breach of security, for which new obligations arise. Fair processing statements or privacy notices will have to be in plain and intelligible language, and drafted with certain data subjects in mind, in particular for any information addressed specifically to a child.
In a privacy statement or privacy notice, there needs to be specific information given to a data subject with respect to the nature and purposes of the processing of their data and of their rights, specifically using icons to guide consumers. There are also detailed requirements in relation to profiling and the collection of data via social network services. There are redefinitions of the obligations for the data controller, joint data controllers, and the data processor. In addition, the data processor will have direct liability for compliance, which does not exist in the current regime. While the concept of registration with a data protection authority is limited to prior authorizations for certain data processing and data sharing, there is now a new obligation for the controller and processor to maintain an internal register of compliance, and to make this register available on request to the Data Protection Authority by virtue of its new powers. There are enhanced requirements for data security, and there is a mandatory breach notification procedure for all but small enterprises. There are new details in relation to Privacy Impact Assessments and specific prior authorizations and prior consultations before data processing or data transfers may be permitted. In relation to data transfers, there is considerably more detail on binding corporate rules as a solution to transborder data flows or transborder data transfers.

For the first time, the role of the Data Protection Officer is introduced for all businesses that process data about more than 500 individuals per year. This will require businesses to put in place not only contracts for this new position, but also appropriate training and authority for purposes of compliance. The Data Protection Officer will be the person responsible for maintaining internal compliance registers, and will serve as the interface between the business and the regulators. While there are other specific issues, the last one we wanted to mention is in relation to the new powers of enforcement for the Data Protection Authorities, which will monitor, audit, provide guidance, hear complaints, conduct investigations, opine on compliance issues, and issue licenses for international data transfers. Furthermore, with respect to breaches of the Regulation, there is a whole new range of penalties and sanctions, with fines for minor breaches of 0.5 percent of a business's annual worldwide turnover, rising to 2 percent of annual worldwide turnover in the case of intentional or negligent breach of the Regulation. While there is no guarantee that the current version of the Regulation will be the final published Regulation, we anticipate that at this stage few significant changes or additions will be made, and therefore we are starting the process of considering the full range of compliance policies, practices, and procedures that will be necessary for small, medium, and large enterprises, whether operating in a single EU member state or operating globally.


Records & Information Management for 2013


Mike Salvarezza, LRN Knowledge Leader

Mike Salvarezza is a tenured and accomplished leader with a career that includes extensive experience in the complementary disciplines of information technology, records and information management, and compliance systems, enabling him to succeed in traditionally difficult areas by combining unique perspective and knowledge. Working in the defense industry for nearly a decade, Mike transitioned to a successful career at Altria Group, Inc., where he held various positions of increasing responsibility within the IT function, including a role as Group Director, IT, with responsibility for setting technology standards on a global basis. In his current role, Mike serves as the Chair of the LRN Living HOW Council and People & Principled Performance Council and the LRN Governance System, and helps to pioneer, communicate, and integrate knowledge in the areas of legal, compliance, governance and risk; ethical leadership; social responsibility; and environmental responsibility.

RIM for the Next Generation


2013 Risk Perspective
Records and Information Management continues to struggle with some fundamental challenges. The rapid advance of technology, the proliferation of mobile devices equipped with numerous data-producing and aggregating apps, the migration to cloud computing infrastructures, and the transformational nature of social media platforms have made the difficulties of managing records more daunting than ever before. Executives responsible for ethics and compliance must now address growing complexity in the management of records and information within their organizations.

The Advance of Technology


Today's businesses rely on technology for virtually everything. Business records are almost exclusively becoming electronic and are generated by numerous devices, systems, and applications. Records managers who have employed retention schedules to detail the appropriate retention periods and records disposition actions are faced with adjusting their thinking to accommodate new and different types of records. Mobile devices are now the business appliance of choice. Smart phones, tablets, and other PDAs are generating and holding more records than ever before. Information technology functions are now abandoning efforts to control which devices are used by employees in favor of a BYOD (Bring Your Own Device) approach. With this flexibility come numerous risks to the records manager:

- Inability to access company records that are housed on mobile devices
- Rapid sharing and proliferation of records from device to device and from one person to many
- Difficult and expensive discovery efforts when records are needed for litigation, regulatory review, and other business purposes
- Co-mingling of business and personal records
- Difficulty in preserving and managing records through their lifecycle when located on mobile devices
- Difficulty in gaining compliance with legal hold requirements


Rapid expansion of data requirements, expenses associated with running company data centers, complex infrastructure upgrade projects, and numerous other traditional IT challenges are made even more difficult by the explosion of data volumes and cost pressures on companies whose focus must be on their core business. As a result, many IT departments are electing to move all or part of their infrastructure to the cloud. Cloud computing enables companies to reduce their investment and take advantage of greater infrastructure flexibility over time. For the records manager, associated risks have emerged:

- Difficulty in having offsite data managed according to company retention requirements when in a shared environment
- Difficulty in accessing records during discovery and other business requests
- Difficulty in implementing and achieving compliance with legal hold requests

The explosion of social media is transforming the world as we know it. The nature of these platforms is changing the way that people connect, collaborate, and communicate, and it is dramatically changing the way businesses fundamentally operate. More and more, companies are marketing through social media, collaborating with business partners over social media, connecting with customers through social media, and even developing new products based on social media. Many of these interactions constitute business records, and most companies struggle with managing these records. The Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) require that all business records related to financial transactions over any media, including social media, be preserved appropriately. Courts are becoming increasingly interested in social media communications in the context of litigation.

Social media platforms encourage casual and informal communication, which is often seen as more authentic compared with carefully managed corporate communications. Professionals using social media to conduct business conversations need to be educated in how to responsibly and respectfully communicate using these media so as not to create enhanced risk. The risks that records managers face from social media are:

- Inability to collect and manage company records created and located on social media
- Difficulty in searching for and finding appropriate records for litigation, regulatory, or business requirements
- The spontaneity and informal nature of social media communications, which increases the risk of inappropriate company records
- Large and expanding volumes of unstructured data to manage


The Way Forward


Records management is, and has historically been, about governance. The efficacy of records management programs has generally depended upon compliance, viewed through the lens of a fear of running afoul of regulations or suffering legal consequences for poorly managed records.


The United States Federal Office of Management and Budget (OMB) issued a memorandum in August 2012 which refers to records management in different terms: "Records are the foundation of open government, supporting the principles of transparency, participation, and collaboration. Well-managed records can be used to assess the impact of programs, to improve business processes, and to share knowledge across the Government. Records protect the rights and interests of people, and hold officials accountable for their actions. Permanent records document our nation's history." Although this was a document focused on government agencies, its implications can be extended to the private sector. Executives tasked with managing corporate records must view their programs and services as business enablers, striving to achieve the appropriate controls while creating programs that can work in today's ever-changing world to provide business benefit and advantage. Records managers should implement governance structures that include business leaders in determining how to address records management concerns. The perspective of the business is vital to the creation of workable policies and procedures. Next-generation workers should also be invited to help shape the programs, especially as they relate to the usage of new technologies. In order to manage records in the cloud, records management executives must first address service level agreements and contracts with cloud providers to ensure that records are managed in accordance with company needs, regulatory requirements, and legal obligations. Social media platforms present unique challenges in terms of access and preservation of records.
Records managers should investigate emerging management systems technology to capture records and preserve them for records management purposes, but should also be aware of the casual nature of social media communications, which heightens risk for inappropriate records creation. Without discounting the value of effective social media policies and guidelines, extra attention must be placed on education of workers who are engaged with social media platforms from a records management perspective. Advanced search technologies will prove more valuable to records managers than comprehensive records management systems. Search technologies can be very cost-effective alternatives to costly manual searches for records, especially in the context of litigation and document discovery. In complying with their records retention requirements, records managers should consider search technology as a potential alternative to complex, and often ineffective, records management systems based on a repository model.


A Future Challenge:
Looking ahead, records management needs to fundamentally change by challenging the very requirements imposed by the regulators and courts, so that companies may derive financial benefits from more realistic programs which stand a better chance of compliance over time. Simply put, managing records may become impossible using traditional methods with the advent of new technologies that enable the rapid creation of rich content, immediate sharing of data worldwide to thousands of people, and the transformative nature of today's technology platforms. To address this challenge, records management executives, legal professionals, consortiums, and professional organizations must come together to fundamentally re-examine these practices and determine what can be changed, so that compliance with requirements is actually possible, and so that businesses can derive value from the financial investments made in managing records. Companies must make a real effort to change the regulations and laws which inform the programs they try to implement. There are serious discussions taking place globally to update various laws and requirements to do just this. Efforts are underway to overhaul the existing and outdated EU data privacy requirements, and similar efforts are taking place in many other countries as well. Records management executives should strive to help shape these changes in ways that are reasonable and contemporary, and that can withstand the advance of technology for years to come.


Conclusion
Government agencies are increasingly focused on addressing the obsolescence of existing policy and law as technology rapidly transforms the world around us. Ethics and Compliance executives in 2013 must remain committed to the governance of records in their companies while addressing significant technology challenges. Funding is necessary for management systems to address the identification, capture, and preservation of company records that exist in the cloud, on mobile devices, and on social media platforms. In order to attain that funding, records management executives must encourage the business to identify the risks and, more importantly, the business benefits associated with properly managing corporate records. To be successful in the long term, records management professionals must begin to challenge the very requirements that they are attempting to comply with, examining those requirements with an eye to overhauling and removing those that are outdated and impossible to achieve.


SEC Enforcement Hot Topics and Trends


Bradley J. Bondi, ECA Expert Panelist

Bradley J. Bondi brings a strong background and expertise to our LRN community in the areas of SEC compliance and enforcement, insider trading compliance programs, and internal investigations on a global scale. Brad is a partner at the law firm of Cadwalader, Wickersham & Taft, LLP, where he focuses on securities, corporate, and financial laws, and enforcement cases. Prior to joining Cadwalader, Brad was a member of the executive staff of the Securities and Exchange Commission, where he served as Counsel to key SEC Commissioners, advising on enforcement actions and regulatory rulemaking.

Review of 2012 and Outlook for 2013


Current Enforcement Activity
The Enforcement Division of the U.S. Securities and Exchange Commission (SEC) continues to aggressively pursue violations of federal securities laws by corporations, financial institutions, and individuals. Compliance and legal personnel must be proactive to ensure that appropriate controls and policies are in place to prevent or catch misconduct. The SEC has been active this year with high-profile enforcement actions and investigations. According to its annual report, the SEC brought 734 enforcement actions this past year, the second highest number ever filed in a fiscal year (and one less than the 735 filed the prior year). Of these actions, 150 were filed in investigations designated as National Priority Cases, representing the Division's most important and complex matters, an approximately 30 percent increase over 2011. During 2012, the SEC obtained orders for $3.1 billion in penalties and disgorgement. Many of these enforcement actions relate to conduct preceding or during the financial crisis. For example, during the past year, the SEC initiated enforcement cases relating to the financial crisis against top executives of the two largest government-sponsored entities for allegedly making misleading statements regarding the extent of each company's holdings of subprime mortgage loans; against former investment bankers and traders at a financial institution for allegedly overstating the prices of subprime bonds during the financial crisis; against former executives of a commercial bank for allegedly misleading investors about the size of the bank's loan losses during the financial crisis; and against former executives of a bank for allegedly participating in a scheme to understate millions of dollars in losses and mislead investors and federal regulators during the financial crisis.
In addition, the SEC remains active in investigating and bringing actions for insider trading, violations by asset management firms, accounting misconduct, and violations of the Foreign Corrupt Practices Act (FCPA). The current enforcement focus of the SEC is a manifestation of the five specialized enforcement groups that SEC Enforcement Director Robert Khuzami established in late 2009: Asset Management, Market Abuse, Structured and New Products, Foreign Corrupt Practices, Municipal Securities and Pension Funds. With specialized enforcement groups focused on these areas, there undoubtedly will be further investigations and enforcement actions in these areas.


In addition to having personnel and resources allocated to them, these specialized enforcement groups are armed with new tools under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank or the Act), namely the ability to offer whistleblowers who provide original information that leads to an enforcement action between 10 and 30 percent of the SEC's recovery. The year 2012 marked the first ever payout by the SEC to a whistleblower under the Dodd-Frank whistleblower bounty program. This program has the potential to change the landscape of the SEC's enforcement efforts.

Emerging Enforcement Trends


Certain trends in SEC enforcement likely will emerge over the next year that will determine the cases the SEC chooses to investigate and bring as enforcement actions. Monitoring these trends will be important as companies strive to remain compliant with federal securities regulations.

Increased Importance of Whistleblowers


As part of Dodd-Frank, Congress created powerful incentives to encourage persons to report (i) potential violations of the federal securities laws to the SEC and (ii) potential violations of the Commodity Exchange Act (CEA) to the Commodity Futures Trading Commission (CFTC). While the Sarbanes-Oxley Act (SOX) encouraged up-the-ladder reporting by employees and allowed for self-policing and self-reporting by companies of potential violations, the Dodd-Frank whistleblower provisions create incentives for external reporting to regulators, thus hindering a company's self-policing efforts. The SEC's rules to implement those provisions of the Act that are within the SEC's authority raise serious challenges for public corporations, financial services firms, and other companies that are subject to the federal securities laws. Companies can expect an increase in the number of complaints that circumvent internal reporting mechanisms and instead go directly, or through plaintiffs' lawyers, to the government. Under Dodd-Frank and the rules passed thereunder, the SEC may award a cash bounty of 10 to 30 percent of the recovery to any individual whistleblower who voluntarily provides the SEC with original information derived from independent knowledge of a possible violation of any federal securities law. The information must lead to a successful enforcement action resulting in monetary sanctions exceeding $1 million in order for the bounty to be awarded. While certain legal, compliance, and audit professionals are generally excluded from qualifying as whistleblowers, current and former employees, competitors, vendors, customers, and even wrongdoers (provided the wrongdoer is not convicted of a related crime) all may qualify as whistleblowers under the rule. The SEC has formed the Whistleblower Office in the Division of Enforcement to handle the inflow of tips from whistleblowers, and the agency is actively searching for whistleblowers in certain cases.
(The CFTC also passed similar rules for its whistleblower bounty program and took similar actions in establishing a whistleblower office). The SEC estimates that it will receive approximately 30,000 tips, complaints, and referrals submissions each year pursuant to the Dodd-Frank whistleblower provisions.

An LRN Thought Leadership Report

56

Ethics & Compliance Alliance Risk Forecast Report 2013

Importantly, the SEC's whistleblower bounty program specifically allows and incentivizes individuals to utilize internal reporting channels before going to the SEC. The SEC's rules seek to accomplish internal reporting in three ways. First, the SEC rules provide that an internal whistleblower may be eligible for an award where the company reports to the SEC information received from the whistleblower or the results of an investigation initiated in response to the whistleblower's information. In those circumstances, all the information reported by the company will be deemed attributable to the internal whistleblower. Second, a whistleblower is deemed to have reported directly to the SEC at the same time he or she has reported internally, so long as the whistleblower voluntarily reports original, independent information to the SEC within 120 days of having first reported the information internally to the company. Third, the SEC will consider whether and to what extent an individual made use of internal compliance procedures when assessing the amount of the bounty.

On November 15, 2012, the SEC issued its Second Annual Report on the Dodd-Frank Whistleblower Program (the "Report"), covering the period between October 1, 2011 and September 31, 2012. The Report, which satisfies congressional reporting obligations found in sections 922(a) and 924(d) of the Dodd-Frank Act, provides insight into the effectiveness of the Commission's whistleblower bounty program,1 the activities of the office charged with administering the program, and the Investor Protection Fund from which bounty payments are made. The issuance of the Report offers an opportunity for companies to understand the focus of the Commission's whistleblower program and to reevaluate their own compliance and internal reporting systems.

The SEC made its first whistleblower award in fiscal year 2012. According to the Report, the whistleblower received the maximum award of 30 percent for helping the Commission stop an ongoing multi-million dollar fraud.2 The Report indicates that fines in the judicial action already exceed $1 million, with further judgments and sanctions possible.3 Because the government collected approximately $150,000 by the end of the fiscal year, the Commission was able to pay nearly $50,000 to the whistleblower.4 While the percentage awarded was the maximum of 30 percent, the total dollar amount is relatively modest considering that most securities cases involve hundreds of millions of dollars in fines and penalties, and thus the potential remains for far greater awards than the one discussed in the Report.5 Because few details about the whistleblower, the fraudulent activity involved, or the company have been provided due to confidentiality provisions in the Dodd-Frank Act,6 the larger significance of the award is hard to ascertain.7 Interestingly, the SEC also denied another tipper in the same matter an award, reportedly because that person's information did not contribute significantly to the SEC's investigation.

The Report also provided information on the number of whistleblower tips, complaints, and referrals ("TCRs") made during fiscal year 2012. According to the Report, 3,001 TCRs were received by the SEC's Office of the Whistleblower during the reporting period.8 Nearly 50% of those TCRs fell within three complaint categories: Corporate Disclosures (18.2%), Offering Fraud (15.5%), and Manipulation (15.2%).9 The 3,001 TCRs came from not only the United States (including all fifty states, the District of Columbia, and Puerto Rico), but forty-nine other countries as well.10 With respect to domestic TCRs, of which there were 2,507, nearly 50% came from six states: California (17.4%), Florida (8.1%), New Jersey (4.1%), New York (9.8%), Texas (6.3%), and Washington (4.1%).11 As for foreign TCRs, nearly 60% of the 324 came from Commonwealth countries,12 with another 8.0% from the People's Republic of China.13 Although only one award was paid out in fiscal year 2012, the SEC's Office of the Whistleblower posted 143 Notices of Covered Action, that is, notices of enforcement judgments and orders that imposed monetary sanctions of $1 million or more.14 According to the Report, the Office of the Whistleblower continues to review and process applications for whistleblower awards based on those notices received during fiscal year 2012.15

In response to the new whistleblower bounty program, potentially affected companies should undertake a critical review of internal policies, procedures, and training to determine whether changes should be made. Educating employees on the SEC rules and the important fact that the employee may qualify as a whistleblower even after reporting the information through internal compliance channels are key. Compliance procedures must be clear and easy for employees to understand. Companies should implement an overall risk system that integrates compliance, legal, human resources, internal audit, and external audit to create a risk-based approach to preventing, detecting, and responding promptly to potential violations. As part of such a system, user-friendly internal reporting mechanisms are essential to encourage employees, agents, and others to bring any potential wrongdoing to the attention of the company. For example, companies should consider:

Hotlines. Anonymous and confidential hotlines for employees, contractors, vendors, and customers to report potential securities law violations and other misconduct;

Audit. An independent and robust internal audit function and an audit committee with active oversight and involvement in the audit function;

Prioritization. Processes and procedures that ensure that internal complaints are prioritized and evaluated quickly, and thoroughly investigated based on risk factors. Results and trends from such complaints should be integrated into the company's assessment of its compliance risks and financial reporting controls;

Internal Reporting Requirements. Internal rules that require employees to report any suspected wrongdoing to legal or compliance personnel; and

Training. Training programs that credibly reiterate an institutional commitment to integrity and fair dealing, and that clearly set out internal complaint procedures.

1 For more information on the SEC's whistleblower bounty program and best practices for companies dealing with whistleblowers, please see Bradley J. Bondi, Jodi Avergun, Thomas Kuczajda & Steven D. Lofchie, Cadwalader, Wickersham & Taft LLP, The Dodd-Frank Whistleblower Provisions: Considerations for Effectively Preparing for and Responding to Whistleblowers, BUSINESS FRAUD ALERT, May 26, 2011, http://www.cadwalader.com/PDFs/newsletters/201105263321_BusinessFraudAlert_May_26.pdf.
2 U.S. SEC. & EXCH. COMM'N, ANNUAL REPORT ON THE DODD-FRANK WHISTLEBLOWER PROGRAM FISCAL YEAR 2012 8 (2012) [hereinafter ANNUAL REPORT].
3 Id.
4 Id.
5 Indeed, the amount pales in comparison to the whistleblower award of $104 million announced by the Internal Revenue Service (IRS) on September 11, 2012, in connection with the government's investigation of tax evasion by a Swiss bank. See David Kocieniewski, Whistle-Blower Awarded $104 Million by I.R.S., N.Y. TIMES, Sept. 11, 2012, available at http://www.nytimes.com/2012/09/12/business/whistle-blower-awarded-104-millionby-irs.html. The whistleblower, who was involved in that offense and who served two and a half years in prison, assisted the IRS in collecting over $780 million in fines and penalties from the bank. Id. By contrast, the SEC's whistleblower bounty rules do not permit a whistleblower to recover a bounty where the whistleblower was convicted of a related crime.
6 15 U.S.C. 78u-6(h)(2).
7 ANNUAL REPORT at 8.
8 Id. at 4.
9 Id. at 4–5.
10 Id. at 5. One hundred and seventy (170) TCRs received in Fiscal Year 2012, representing 5.7% of the total received, were submitted without any geographical information provided. Annual Report at Appendix B: Whistleblower Tips Received by Location United States and its Territories Fiscal Year 2012.
11 Id. at Appendix B: Whistleblower Tips Received by Location United States and its Territories Fiscal Year 2012.
12 While the relatively high percentage of TCRs from Commonwealth countries may suggest a common culture that encourages whistleblowing activity, the number probably reflects the more mundane fact that residents of those countries are more likely to speak English, the language in which Form TCR and the Commission website are written.
13 The relatively high percentage of TCRs from China may be due to the SEC's significant focus on issuers from China, and in particular Chinese reverse merger companies listed on U.S. exchanges. See, e.g., Press Release, U.S. Sec. & Exch. Comm'n, SEC Charges N.Y.-Based Fund Manager and Others With Securities Laws Violations Related to Chinese Reverse Merger Company (July 30, 2012), available at http://www.sec.gov/news/press/2012/2012-146.htm; Press Release, U.S. Sec. & Exch. Comm'n, SEC Charges China-Based Company and Others with Stock Manipulation (Apr. 11, 2012), available at http://www.sec.gov/news/press/2012/2012-59.htm; Press Release, U.S. Sec. & Exch. Comm'n, SEC Approves New Rules to Toughen Listing Standards for Reverse Merger Companies (Nov. 9, 2011), available at http://www.sec.gov/news/press/2011/2011-235.htm; Luis A. Aguilar, Comm'r, U.S. Sec. & Exch. Comm'n, Facilitating Real Capital Formation (Apr. 4, 2011), available at http://www.sec.gov/news/speech/2011/spch040411laa.htm; Scott Eden, China Reverse Mergers Continue Wild Ride, THE STREET, June 23, 2011, http://www.thestreet.com/story/11083003/1/china-reverse-mergers-continue-wildride.html.
14 ANNUAL REPORT at 6, 8–9. Individuals have 90 days to apply for an award based on the posted notices of covered action.
15 Id. at 9.

Insider Trading
The SEC's Market Abuse unit in the Division of Enforcement likely will remain heavily focused on investigations and enforcement actions for insider trading. In 2012, the SEC filed 58 insider trading actions with a focus on financial professionals, hedge fund managers, and corporate insiders. Some of these insider trading actions involved high-profile individuals such as the former global head of McKinsey and Co. The SEC's Enforcement Division remains focused on employees and agents (including lawyers and consultants) of public companies who trade on material, nonpublic information gained from their work relationship. Employees are prohibited by law from trading on material, nonpublic information gained from their employment. Similarly, agents and contractors may be liable for insider trading if they violate their confidentiality to the source of the information by trading on material, nonpublic information or providing it to someone else who trades. The SEC remains active in bringing cases where employees and agents illegally capitalize based on their relationship with a company.

In addition, the Department of Justice (DOJ) has increased efforts to prosecute insider trading as a crime. The DOJ possesses law enforcement tools such as the use of wiretaps, trap-and-trace devices, confidential informants, search warrants, and grand juries to gather information where the SEC is unable. Of course, the SEC ultimately may use much of this information following a criminal trial. With the presence of criminal prosecutors and federal agents, the stakes could not be higher for companies, financial services firms, and individuals.

Companies and financial services firms must establish compliance policies and procedures to address insider trading and interactions with potential tippers, including outside consultants, agents, and expert networks. Effective policies and procedures should address, as applicable: (1) the prevention of selective release of information in violation of Regulation FD (Fair Disclosure); (2) protecting the release of material, nonpublic information, including the use of social networks; (3) the implementation of information barriers between the firm's public and private sides; (4) the interaction with expert networks and experts; (5) rules for trading by employees; and (6) the monitoring, surveillance, and supervision of employees with material, nonpublic information. All employees at the company should be trained thoroughly on the laws governing insider trading and the firm's policies and procedures. A culture should be created to encourage employees to report to compliance or legal personnel any unusual or problematic activity. Companies should document both the processes implemented and the steps personnel take in compliance with these processes, thereby creating a detailed record of the firm's efforts to meet its legal and regulatory obligations.

Foreign Corrupt Practices Act

The SEC, together with the DOJ, continues to be aggressive in pursuing violations of the Foreign Corrupt Practices Act. The DOJ and SEC settled several high profile FCPA matters, and according to news reports, initiated several new investigations. During 2013, the DOJ and SEC are likely to be involved in more investigations stemming from the toppling of governments. The recent wave of Arab Spring upheavals that continue to ripple across the southern and eastern shores of the Mediterranean may present the threats common to foreign businesses caught in the midst of revolution, including extortion, nationalization, expropriation, and physical violence against executives and employees. These modern revolutions also pose new challenges to international firms, as evidence or allegations that they engaged in corrupt behavior may be made public through documents in a ransacked government ministry building, or through an incarcerated former official, an enterprising journalist or prosecutor in the new regime, or a whistleblower within the foreign company itself. If such allegations come to the attention of U.S. authorities or other governments, the company could face severe criminal and civil penalties for violations of the Foreign Corrupt Practices Act, among other laws.

Corporate Accounting and Internal Controls

In the aftermath of the financial crisis, companies both in the United States and around the globe have struggled to meet investor expectations and remain competitive on the international stage. Faced with challenging financial conditions, companies have focused efforts on essential cost-cutting measures, while also exploring opportunities in emerging markets and developing new products and services for this decade and beyond. During challenging times, some employees may become tempted to cut corners and engage in fraud. At the same time, regulators, faced with increased scrutiny for their apparent shortcomings prior to and during the financial crisis, have increased investigative and enforcement efforts to combat a perceived growth in corporate fraud. The SEC, in particular, will continue to focus on corporate accounting involving significant accounting judgment such as revenue recognition, capitalization of costs, valuation, and percentage-of-completion accounting. For example, in 2012, the SEC charged a financial services firm and three of its senior executives for allegedly participating in an accounting scheme involving life settlements. According to the SEC, the company overstated the value of assets held on the company's books and created the appearance of a steady stream of earnings from brokering life settlement transactions.

Against this backdrop, companies must remain focused on building and maintaining a strong fraud prevention and compliance program. The best global companies of today and the future must make corporate integrity and ethics the centerpiece of their culture, permeating every level of the organization, from the board and senior management down to entry level employees in foreign subsidiaries. Focus must be placed not only on compliance with the law, but compliance with the tenets of honesty, ethics, and the highest levels of integrity. Creating such a culture is not easy, but must become a reality for any organization that hopes to compete on the global stage. A strong anti-fraud program is not only an essential business requirement in today's modern world, it is a crucial factor for regulators when determining sanctions after problems arise. The United States Department of Justice and the Securities and Exchange Commission have written policies that allow for leniency when sanctioning companies that have established and maintained robust compliance programs and internal controls.

Conclusion
This year likely will see an increase in enforcement actions by the SEC. The SEC enters 2013 with the nomination as agency Chairman of Mary Jo White, a former U.S. Attorney with a strong reputation in law enforcement. The SEC's Division of Enforcement also is likely to see the benefits of the whistleblower bounty program. The SEC is likely to bring fewer cases this upcoming year relating to the financial crisis and more cases in the area of insider trading, accounting misconduct, and investment management. With this in mind, legal and compliance personnel should be proactive in assessing compliance programs, internal controls, and anti-fraud programs to ensure that proper policies and procedures are in place.


Social Media for 2013

From the Boardroom to the Factory Floor

Michael Connor, ECA Expert Panelist

Michael Connor is a seasoned, award-winning media executive, entrepreneur and journalist with extensive experience in television, print and the Internet. Michael brings deep expertise to LRN and ECA partners in areas of Social Media management and risk, strategic communication planning, and business ethics. Michael has launched and managed numerous ventures on multiple media platforms in the U.S., Europe and Asia and is a recognized thought leader in the fields of business ethics, corporate responsibility and sustainability.

"When you give everyone a voice and give people power," says Facebook founder and CEO Mark Zuckerberg, "the system usually ends up in a really good place." The challenge for ethics and compliance professionals, of course, is how to help ensure that the system surrounding social media platforms like Facebook does indeed wind up in a really good place at their companies. While these new technologies present exciting new ways for marketers to reach customers, and for employees to communicate and collaborate with one another, when used improperly they can also present real threats to privacy, reputation, intellectual property, and data security.

According to a recent survey by McKinsey, more than 1.5 billion people around the globe now have an account at a social network site, and almost one in five online hours is spent on social networks, increasingly via mobile devices. By 2011, 72 percent of the companies McKinsey surveyed reported using social technologies in their business and 90 percent of those users reported that they are seeing benefits. In addition to a dramatic growth in popularity, social media are transforming the very nature of the Internet, from a medium dominated by static web sites to one featuring multiple levels of interaction on platforms like Facebook, Twitter, LinkedIn and YouTube. And as more people access the Internet via mobile devices, they're regularly using a plethora of applications ("apps") for everything from news and shopping to photography and games. By one estimate, some 98 billion apps will be downloaded by 2015; the current $6.8 billion market for apps is expected to grow to $25 billion within four years. Keeping pace with these technologies from a compliance perspective requires attention at all levels of the enterprise, from the factory floor to the board room.


Status Update from the Board

At the senior management and director level, new research suggests, there is often a serious disconnect between executives' knowledge about social media and its use at their companies. A 2012 survey of 180 senior executives and corporate directors of North American public and private companies found that while 90 percent of respondents claim to understand the impact that social media can have on their organization, only 32 percent of their companies monitor social media to detect risks to their business activities and 14 percent use metrics from social media to measure corporate performance.

The survey, conducted by Stanford University's Rock Center for Corporate Governance and The Conference Board, also found that only 24 percent of senior managers and 8 percent of directors surveyed receive reports containing summary information and metrics from social media. About half of the companies do not collect this information at all. The vast majority of respondents (90.7 percent) said their companies have not assigned oversight of social media monitoring to a board committee. "Companies that fail to incorporate social media into their business operations miss out on its potential opportunities and also expose themselves to many fundamental risks," the report concluded. Among the risks: ignoring a source of public information from which to gain insight into how stakeholders (customers, employees, suppliers, shareholders, etc.) view a company; being caught off guard in crisis situations; and inadequately controlling proprietary information.


Privacy Concerns

As companies increasingly turn to social media to market and promote, business units should have appropriate policies and operational guidelines in place. It's also critical to determine to what degree the company's social media projects utilize third-party consultants and agencies, all of whom need to comply with organizational policy. Privacy may well be the leading operational risk regarding social media; as marketers collect more consumer data, there's need for vigilance regarding compliance with federal and state privacy laws.

In September, 2012, the U.S. Federal Trade Commission (FTC) published a nonbinding guide to inform mobile application developers on how to best comply with truth-in-advertising and basic privacy principles. The agency noted that once a business begins distributing a mobile application, you become an advertiser, subject to laws and regulation for advertising. Among other recommendations, the FTC says businesses should build privacy considerations in from the start of their development process and collect sensitive information only with consent. In October, 2012 California Attorney General Kamala D. Harris began formally notifying scores of mobile application developers and companies that they are not in compliance with the California Online Privacy Protection Act, which requires operators of online services that collect personally identifiable information from Californians to conspicuously post a privacy policy. In December, the attorney general filed suit against Delta Airlines seeking to enjoin Delta from distributing its app without a privacy policy. She also warned that companies face a fine of $2,500 for each download of an app not in compliance with state law.

Children's privacy is a particular concern, subject in the U.S. to the federal Children's Online Privacy Protection Act (COPPA) and the FTC's COPPA Rule. A group of 14 child advocacy organizations recently filed a complaint with the FTC charging that six major advertisers, including McDonald's and Time Warner's Cartoon Network, had violated children's online privacy laws by asking young visitors to share their experience with branded games with friends by providing their friends' email addresses. The FTC issued a staff report in December 2012 examining privacy disclosures and practices of apps offered for children. "While we think most companies have the best intentions when it comes to protecting kids' privacy, we haven't seen any progress when it comes to making sure parents have the information they need to make informed choices about apps for their kids. In fact, our study shows that kids' apps siphon an alarming amount of information from mobile devices without disclosing this fact to parents," said FTC Chairman Jon Leibowitz. "All of the companies in the mobile app space, especially the gatekeepers of the app stores, need to do a better job. We'll do another survey in the future and we will expect to see improvement." In Europe, proposed revisions to the European Union's General Data Protection regulation include a proposal that would give consumers the ability to choose what information an app can store on them without losing the ability to use the software.

Employee Online Behavior

Social media empower users to become their own publishers, typically using Facebook, Twitter, or LinkedIn to update the world on their status and opinions, often accompanied by photos or video. Unfortunately, not all employees (including senior executives) are experienced communicators, sometimes resulting in posts that are defamatory to other employees or the company, damaging to the company's reputation, or revealing proprietary or potentially material information. Case in point: In July, 2012 Netflix CEO Reed Hastings boasted in a Facebook post that more than one billion hours of Netflix programming had been viewed in June. In December, the Securities and Exchange Commission sent Netflix a Wells notice saying the agency may file civil claims against the company and Mr. Hastings for violating the Regulation Fair Disclosure (Reg FD) rule. Mr. Hastings says the information he initially disclosed was not material to the company, adding in a subsequent Facebook post: "Fascinating social media story."

Some companies block workplace access to all or some social media outlets, though blocking is proving less popular, if only because so many employees can access networks on their personal mobile devices. Fewer than 30 percent of large organizations will block employee access to social media sites by 2014, compared with 50 percent in 2010, according to the tech consulting firm Gartner. An effective social media policy should be simple, consistent, and tightly aligned with a company's Code of Conduct; whatever the company code for in-person encounters, and whatever the rules for general good behavior, they apply in the online world as well. Potential penalties for violations, including dismissal, should be made clear. Developing an effective policy can prove challenging.
In the U.S., the National Labor Relations Board (NLRB) has focused considerable energy on social media issues, with a series of rulings emphasizing that corporate guidelines must not violate Section 7 of the National Labor Relations Act (NLRA) by disciplining or firing an employee because the employee was using social media to engage in protected concerted activity, which occurs when two or more employees act together to protest or complain about wages, benefits, or other terms and conditions of employment.


In September, 2012, the NLRB issued its first formal decision on an employer's social media policy. It rejected the social media policy developed by retail giant Costco as overly broad and likely to have a chilling effect on employees' rights under the NLRA. The ruling (Costco Wholesale Corporation and UFCW Local 371) indicates that the NLRB is following the lead of its general counsel who in June had issued three public memos explaining how social media policies can interfere with employees' rights to organize. The general counsel held that a number of corporate social media policies, including those of General Motors and Target Brands, were overly broad and violated federal law. However, the NLRB's general counsel also endorsed the social media policy of another retail giant, Wal-Mart, and found it entirely lawful, to the extent that in his decision he reproduced the policy in full. Wal-Mart's policy, he said, "provides sufficient examples of plainly egregious conduct so that employees would not reasonably construe the rule to prohibit Section 7 conduct." On its web site, Wal-Mart also features guidelines directed to consumers for social media engagement. It's absolutely critical that organizations have a social media policy for employees at all levels. The challenge lies in determining what goes into a good policy. And while there are many similarities in the way that different countries and jurisdictions approach these issues, there are also some key differences, so considering the local rules in each case is essential.

Co-branded Employees?

Who owns a social media account that an employee sets up for the purpose of promoting his employer's business? That's an increasingly common, and occasionally litigious, question. The Wall Street Journal reports that more and more "co-branded" employees are using social media to build a personal, public identity, a brand of their own, based on their work. But when the rules about ownership aren't clear, problems can develop. In Eagle v. Morgan, a federal district court for the Eastern District of Pennsylvania addressed the issue of ownership of employer social media accounts by dismissing the complaint of an executive who had launched a LinkedIn account, under her own name, which promoted the company. When her company was purchased by another and her employment terminated, she discovered that her LinkedIn password and account profile had been changed. In December, 2012 a settlement was reached in a highly-publicized case where the mobile phone site PhoneDog sued former employee Noah Kravitz when he left the company, alleging that he took as many as 17,000 of its Twitter followers with him. Terms of the settlement were not disclosed. In announcing it, Kravitz said: "If anything good has come of this, I hope it's that other employees and employers out there can recognize the importance of social media to companies and individuals both. Good contracts and specific work agreements are important, and the responsibility for constructing them lies with both parties. Work it out ahead of time so you can focus on doing good work together; that's the most important thing." A number of similar lawsuits regarding ownership of social media accounts are reportedly working their way through the U.S. courts.

An LRN Thought Leadership Report

65

Looking Ahead
Social media networks are likely here to stay; in fact, the process of exchanging information and collaborating on a frequent basis has become so popular that many companies are deploying enterprise social software, which adapts Facebook-like and Twitter-like features for workplace use, including employee profiles, activity streams, micro-blogging, discussion forums, wikis, content tagging, rating, and reviewing. By one estimate, the demand for enterprise social software is growing at a compound annual rate of 61 percent, from a market of $600 million in 2010 to an estimated $6.4 billion by 2016. Market-leading firms include IBM, Jive, Communispace, Telligent, Socialtext, Mzinga, Lithium, and Yammer.

These internal social networks are in their early stages, however, and anecdotal evidence suggests that they require considerable attention if they're to be successful. Depending on its culture, an organization needs to ensure that management and employees are ready for the switch. Is participation optional or mandated? Is the IT department ready and prepared to integrate internal social applications with existing software? Can intellectual property be protected? What's the return on investment? And what are the compliance risks?

Founders of tech start-ups often like to refer to their new ventures as "disruptive technologies," capable of transforming traditional social and business models. While not all current social media technologies will survive and prosper, it's clear that this new phase of communications is really in its earliest stages. For organizations large and small, the social media compliance challenge, as Facebook's Mark Zuckerberg has put it, is how to give people power while making sure the system thrives and prospers.


Trade Compliance for 2013


Marian Ladner, E&C Expert Panelist

Marian Ladner is the Managing Partner of the law firm of Ladner & Associates PC. She centers her practice primarily on regulatory compliance with import, export and FCPA requirements. Among other key areas of support, Marian helps companies create and streamline strategic sourcing and supply-chain operations, with an emphasis on minimizing duties through participation in government preference programs, such as NAFTA, FTZs, CBI, GSP, and AGOA. Her practice also specializes in assisting multinational companies to build, test, and sustain global import, export and FCPA compliance programs. Throughout her career, Marian has provided legal interpretations and advice nationwide to leading members of the trade community, including multinational importers and exporters, customs brokers, freight forwarders, shippers, and to Customs employees, such as auditors, import specialists, Fines, Penalties, and Forfeitures Officers; agents; and inspectors.

Current Issues, Risks and Challenges in Export Controls


Key challenges in the trade compliance focus area in 2013 will center on changes resulting from the Export Control Reform Initiative and ongoing changes to U.S. sanctions and embargo programs in response to geopolitical developments. The key areas addressed in this article that organizations should be aware of for the coming year and beyond include:

- Increased compliance responsibility on companies resulting from the movement of goods and technology from State Department to Commerce Department export jurisdiction
- Enhanced trade sanctions against Iran and the increased liability of U.S. companies for the activities of their foreign subsidiaries
- Alignment of export compliance programs with U.S. Government enforcement priorities

Export Control Reform Initiative


The Obama Administration's efforts to reform the U.S. export control system remain the dominant theme in the export trade compliance field. More than three years after it was announced, the Export Control Reform (ECR) Initiative continues its slow but steady progress. In 2011, the new License Exception Strategic Trade Authorization (STA) was introduced. It was designed to authorize certain exports of items moved from the U.S. Munitions List (USML) under the International Traffic in Arms Regulations (ITAR) to the Commerce Control List (CCL) under the Export Administration Regulations (EAR). Efforts during 2012 focused on the continued review of the USML to identify items that are candidates for transfer from the rather onerous USML to the EAR. The Bureau of Industry and Security (BIS) at the Commerce Department, which is responsible for administration of dual-use exports under the EAR, and the Directorate of Defense Trade Controls (DDTC) at the State Department, which is responsible for exports of defense articles under the ITAR, are working in close cooperation to conduct the review of the USML under the ECR Initiative. BIS and DDTC have published coordinated proposed rules covering nine of the USML categories. The proposed rules identify items that the Administration believes should be transferred from ITAR jurisdiction to EAR jurisdiction. None of those rules has advanced beyond the proposed stage, but with the President's re-election, it is expected that all will now proceed to the final rule stage, and that export jurisdiction over many items will, in fact, be transferred from State to Commerce.


For exporters whose products are transferred from State to Commerce jurisdiction, the change will mean much more flexibility in getting those products from the U.S. to their customers abroad. However, the change also shifts a greater compliance burden onto the exporter. Most exports under the ITAR require a license from DDTC, meaning the government takes responsibility for vetting transactions and parties to the transactions. In contrast, the EAR provide a variety of export modalities, including exports with no license required, exports under License Exceptions, and exports under validated licenses. Exporters of dual-use items under the EAR are able to self-determine the classification of their products and the appropriate export authorization required. Companies whose products are transferred from State to Commerce jurisdiction will need to ensure they have sufficient and properly trained compliance resources in place to manage the higher degree of export self-determination available under the EAR.

Another important compliance issue addressed by the ECR Initiative is the definition of the term "specially designed." That term is used extensively in the EAR, but with the exception of a limited universe of items subject to control under the Missile Technology Control Regime (MTCR), the term is not defined by the regulations. In a criminal enforcement case that began in the late 1990s and ran through the late 2000s, the Government put forth a definition of "specially designed" that was at odds with the general understanding of the term that industry believed the Government had been using for decades. The result was a high level of uncertainty over the compliance risk companies were carrying with respect to the export of "specially designed" items. In 2012, BIS and DDTC published coordinated proposed rules that implement a definition for the term "specially designed" that would apply not only to the EAR but also to the ITAR.

While many companies and industry groups have submitted comments suggesting modifications to the proposed definition, the fact that any definition will be available is a step toward greater certainty on the application of export controls and the concomitant diminution of compliance risk. While the Obama Administration has made no official announcement of expected dates of publication for final rules on the transfer of items from the USML to the EAR, or for the establishment of the "specially designed" definition, all indications are that those rules should begin to emerge near the end of 2012 or early 2013. Additional significant aspects of the ECR Initiative, including establishment of a single control list, a single export control agency, and a single export enforcement agency, will require Congressional action. Prospects for such Congressional action remain uncertain at best.

OFAC Embargo and Sanctions Programs


The Office of Foreign Assets Control (OFAC) at the Treasury Department is responsible for administering a variety of economic and trade sanctions programs. Those programs are intended to impose restrictions on trade by U.S. persons with countries, organizations or individuals that the U.S. Government has determined pose foreign policy or national security concerns. During 2012, sanctions against Iran were substantially strengthened by OFAC pursuant to a mandate under the Iran Threat Reduction and Syria Human Rights Act of 2012 (ITRSHRA). Significantly, the ITRSHRA provides that liability will attach to U.S. firms for the actions of their foreign subsidiaries where those actions would be subject to sanctions if performed by a U.S. person. As far as U.S. companies with foreign subsidiaries are concerned, this effectively changes the definition of "U.S. person" to include foreign subsidiaries for purposes of enforcement of the Iran sanctions. The U.S. embargo on Cuba is the only other OFAC sanctions program that uses a similar definition of the term "U.S. person," such that the actions of foreign subsidiaries are subject to U.S. penalties. The ITRSHRA also provides that foreign firms and their officers and principals may be subject to U.S. sanctions for involvement in services, insurance and reinsurance services, and shipping related to the energy sector in Iran.

Sanctions that were already in place under existing Iran sanctions included:

- A prohibition on receiving Export-Import Bank credits
- A prohibition on receiving licenses under various export control regimes
- A prohibition on receipt of large loans from U.S. financial institutions
- For financial institutions, restrictions on their ability to deal in U.S. government bonds and to serve as a repository for government funds
- A prohibition on government procurement from the violating entity
- A prohibition on transactions in foreign exchange that are subject to the jurisdiction of the United States and in which the sanctioned person has any interest
- A prohibition on transfers of credit or payments that involve any interest of the sanctioned person through U.S. financial institutions
- A prohibition on any person from participating in any property transaction with respect to which the sanctioned person has any interest
- Additional sanctions to restrict imports from the sanctioned party, in accordance with the International Emergency Economic Powers Act

Additional sanctions within the ITRSHRA are:

- A prohibition on U.S. persons investing in or purchasing significant amounts of equity or debt instruments of a sanctioned person
- A prohibition on visas for entry into the U.S. by corporate officers or principals of, or shareholders with a controlling interest in, a sanctioned entity
- Imposition of available sanctions on the principal executive officers of any sanctioned person, or on persons performing similar functions and with similar authority

Another significant development in 2012 was OFAC's relaxation of sanctions against Burma/Myanmar. While the Burmese Sanctions Regulations remain in place, OFAC issued general licenses that permit U.S. persons to engage in most export and import transactions with Burma/Myanmar. Restrictions remain in place on transactions involving jadeite or rubies mined in Burma/Myanmar, as well as on transactions with persons whose property has been blocked by OFAC. Such persons are identified on the Specially Designated Nationals List maintained by OFAC.

It is important to remember that OFAC currently maintains nearly total embargoes on trade with Cuba, Iran, and Sudan. Changes have been made to the Cuban embargo in recent years, including implementation of licensing policy changes in 2011 intended to promote people-to-people contact, to support civil society, and to help the free flow of information in Cuba. Those policy changes allowed for increased licensing of travel for educational, cultural, religious, and journalistic purposes. They also permitted expanded licensing of remittances by U.S. persons to individuals in Cuba. Despite these modest steps to relax the U.S. embargo on Cuba, that embargo remains comprehensive, with only very limited opportunities for the licensing of trade in agricultural products and medicine.

OFAC maintains less comprehensive, targeted sanctions on Belarus, Burma, Democratic Republic of the Congo, Iraq, Ivory Coast (Côte d'Ivoire), Lebanon, Libya, North Korea, Somalia, Syria, Yemen and Zimbabwe. Sanctions programs are also in place relating to stabilization efforts in the Balkans, narcotics trafficking, terrorism, the undermining of Lebanese sovereignty or democratic processes or institutions in Lebanon, the former Liberian regime of Charles Taylor, proliferation of weapons of mass destruction, trade in rough diamonds, and transnational criminal organizations.

Export Enforcement Priorities


For several years the Office of Export Enforcement (OEE) at the Commerce Department has focused on three primary areas of concern with respect to export compliance violations:

1. Weapons of mass destruction
2. Terrorism
3. Unauthorized military use

Exporters should use these priorities to help focus their internal compliance resources on areas presenting higher levels of risk of export control violations. While the Government does not expect every commercial company to become expert in chemical/biological/nuclear weapons, terrorism, or foreign military activities, companies must understand if and how their products might be used in any of those activities. Appropriate screening and due diligence procedures need to be in place to review proposed transactions and business partners, to ensure there are no apparent risks of diversion of products to such prohibited activities or parties. While there is no guarantee that products will escape diversion to proscribed activities even when the seller/exporter has performed appropriate screening and due diligence, thorough due diligence over the transaction will help reduce risk and provide important mitigation of any potential penalties should such a diversion occur.

Vigilance in a Changing Regulatory Environment


One constant in the export compliance field, for many years but certainly over the past several years, is change. The focus of U.S. export controls 25 years ago was the Soviet Bloc and China. The result was a relatively static regulatory framework of licensing and enforcement priorities. Over the past 15 to 18 years the focus for controls has changed from one that is country-based to one that is more concerned with individual bad actors. A focus on non-state bad actors coupled with a dual-use export control system demands a high degree of self-regulation by exporters. The resulting challenge for U.S. exporters is maintaining knowledge of the rapidly changing collection of export controls, while at the same time building enough flexibility into their compliance programs and processes to ensure maximum reaction time for vetting business opportunities, so that they can remain competitive in the global marketplace.

About LRN: Inspiring Principled Performance


Since 1994, LRN has helped over 20 million people at more than 700 companies worldwide simultaneously navigate complex legal and regulatory environments and foster ethical cultures. LRN's combination of practical tools, education, and strategic advice helps companies translate their values into concrete corporate practices and leadership behaviors that create sustainable competitive advantage. In partnership with LRN, companies need not choose between living principles and maximizing profits, or between enhancing reputation and growing revenue: all are a product of principled performance. LRN works with organizations in more than 100 countries and has offices in Los Angeles, New York, London, and Mumbai. For more information, visit www.LRN.com, join our community on Facebook at facebook.com/howistheanswer, or call: 800 529 6366 or 646 862 2040.

The LRN Ethics & Compliance Alliance (ECA) is a leading online solution that provides cutting-edge resources, tools, and practical content across all major ethics and compliance risk areas, including access to leading subject-matter experts for one-on-one collaboration and support. For more information on this valuable solution, please reach out to our LRN ECA Leadership Team at ECA_Management@lrn.com or visit us at www.LRN.com/ethics-compliance-alliance.

Copyright LRN Corporation. All rights reserved. L1044-0113-01-NY
