No company wants to make international headlines due to corruption charges.
But that's the position the multinational telecom giant Ericsson found itself in late last year, when it agreed to pay the second-largest fine in the history of US Foreign Corrupt Practices Act (FCPA) enforcement actions.
Ericsson's mistakes were extremely costly to the company, both in terms of reputational damage and finances: In total, the company paid more than $1 billion in combined fines to the US Securities and Exchange Commission (SEC) and the US Department of Justice (DOJ) to resolve the long-standing FCPA investigation.
The episode also makes an excellent case study for finance professionals of what to guard against.
While the Ericsson CFO was not implicated in the crimes, the top financial officer still has responsibility for corruption that took place under their watch, according to Allison Borgatti, an attorney with the Philadelphia-based law firm of Archer & Greiner, where she is a member of the firm's White Collar Defense and Corporate Compliance Group.
"The bottom line is that by being the CFO at the senior level of management of an organisation, you have the duty and the responsibility to implement the appropriate programmes to ensure that your company is effective in implementing these protocols to prevent these types of bribes and payoffs from taking place," she said.
Under the FCPA, it's illegal for US businesses and individuals to pay bribes to foreign officials in exchange for business.
The Ericsson FCPA violations were global in scope, involving millions of dollars of bribes to public officials via company offices in China, Djibouti, Indonesia, Kuwait, and Vietnam, according to US authorities.
From 2000 to 2016, US prosecutors believe, Ericsson and its subsidiaries engaged in large-scale bribery schemes to secure lucrative telecommunications contracts from state-owned customers, according to a DOJ press release. The company's corruption violations were systemic and implicated high-level executives, the DOJ said.
"Through slush funds, bribes, gifts, and graft, Ericsson conducted telecom business with the guiding principle that 'money talks'," US Attorney Geoffrey Berman of the Southern District of New York said in the press release. The "guilty plea and surrender of over a billion dollars in combined penalties should communicate clearly to all corporate actors that doing business this way will not be tolerated". (See details of the charges against Ericsson in the sidebar, "The Scheme".)
Ericsson declined to comment for this article. But in a 2019 press release announcing the resolution of the FCPA case, Ericsson President and CEO Börje Ekholm said he was "upset by these past failings", and that the settlement showed that "we have not always met our standards in doing business the right way".
"This episode shows the importance of fact-based decision-making and a culture that supports speaking up and confronting issues," Ekholm said in the release. "We have worked tirelessly to implement a robust compliance programme. This work will never stop." However, that effort came too late to save Ericsson money on the penalties. Tom Fox, a lawyer in Houston who focuses on compliance issues, said, "Cooperating with the government and fixing the problems can give companies huge discounts, but Ericsson didn't self-disclose, so that was off the table. They didn't get full credit for cooperation, and they got no credit for remediation."
The DOJ has recently been cracking down on companies that have failed to produce documents related to FCPA investigations in a timely way, according to an analysis of the Ericsson resolution by the law firm Skadden. In fact, Ericsson was the fifth company in 2019 that received only partial credit due in part to a failure to produce materials in a timely manner, according to Skadden.
"Ericsson's business is a high-risk model, and they should have put procedures into place and invested in a compliance programme long ago to prevent, mitigate, and detect this kind of behaviour," said Jessica Tillipman, assistant dean and professorial lecturer in law at The George Washington University Law School. "Instead they had a paper programme that no one bothered to enforce."
Learning from Ericsson's mistakes
While prosecutors allege Ericsson's misdeeds were massive frauds in terms of duration, scope, and geography, the schemes used to perpetuate that fraud were actually "relatively pedestrian" and should have been preventable with better leadership and internal controls, according to Fox.
"There was a real lack of due diligence, which points either to incompetence or to an intentional act," he said. "You have a husband-wife couple that was not disclosed in one office, and payments of $2 million for work that was never done in another. These are things that controls should have picked up on."
Here are some of the key lessons that CFOs and management accountants can learn from the Ericsson enforcement action:
Always have a second set of eyes
While it's impossible for a CFO of a big multinational to keep tabs on 100,000 employees in multiple locations, they can still be legally responsible for ensuring that their employees and subsidiaries behave ethically and comply with anti-corruption legislation.
"As a CFO, you can't put your head in the sand or engage in what we could say is conscious indifference," said Fox. "If you don't ask the right questions when you see the red flag, in the eyes of US prosecutors, that's the same as being involved."
That's why Fox recommends that CFOs and other finance executives who want to avoid Ericsson's mistakes keep an eye on multimillion-dollar transactions by putting controls in place to apply additional due diligence to transactions over a certain amount, and regularly ask regional executives hard questions about how funds are being used.
"The CFO is the big picture person, so while they might not look into it themselves, they should have in mind what the five highest-risk transactions might be and then direct management accountants to investigate further," he said. "That's where you'd get deep into the weeds, to look at the contracts and make sure services were delivered, that due diligence was performed properly, and so on."
The various Ericsson bribery schemes involved the movement of hundreds of millions of dollars. Given the vast sums involved, the CFO or board members should have been asking tough questions to verify transactions were legitimate, according to Philadelphia-based Jonathan Marks, CPA/CFF, CGMA, firm practice leader in global forensic, compliance, and integrity services at global law firm Baker Tilly Virchow Krause.
Fox said, "The most important lesson is having a second set of eyes, meaning that there is someone involved in oversight. You had $45 million paid out in Indonesia — that's a lot of money. Why wasn't someone asking questions?"
Ensure your company has a good whistle-blower programme
According to the DOJ complaint, Ericsson executives were involved in corruption in multiple locations. For example, in Djibouti, one of the key Ericsson violations flagged by the DOJ was due diligence that failed to disclose a spousal relationship between a vendor and a high-level public official. This suggests managerial override, according to Tillipman.
"Falsifying due diligence to that degree suggests a deliberate cover-up involving multiple individuals — and possibly even senior-level management," she said. "That's where a whistle-blower programme comes in."
A good whistle-blower programme should allow employees a direct line to the company's compliance programme, in case upper-level management is tainted, according to Tillipman. For it to be effective, employees should receive training on how the whistle-blower reporting protocol works. It should also guarantee whistle-blowers protection from retaliation. A good whistle-blower programme is often the only means that employees working under tainted management have to report corruption, according to Fox.
"If there is managerial override and there is no internal reporting system, you are really stuck," Fox said. And while, at least in theory, employees could go directly to the SEC — realistically, it's unlikely that a local employee in an office outside of the US would necessarily know how to do that, he added.
Build a top-down culture of compliance
The fact that so many subsidiaries were engaging in violations of the FCPA over many years suggests a failure on the part of Ericsson's C-suite executives to create a corporate culture of compliance within the company (and its subsidiaries), according to Borgatti.
"There are certain countries that most auditors are aware of where payments to government officials may be routine," she said. "And if you are doing business in environments where this type of behaviour is prevalent, you have to be inordinately cautious at the ground level that your employees are following the laws of the United States."
To ensure that all employees understand their duties and obligations, Borgatti suggests putting all employees through in-depth compliance training — during onboarding and then annually.
Another useful tool is regular outside audits to test the compliance and internal controls of subsidiaries located in higher-risk areas, according to Borgatti.
"There's no boilerplate programme to be in compliance with the FCPA," she said. "You need a customised compliance programme based on the countries and sectors you are working in, and you need to verify that your employees understand it."
Consider self-reporting violations and address issues
Upon learning about an incident of internal corruption, the CFO should consider self-reporting to the SEC, DOJ, or other relevant authorities, according to Borgatti. Companies facing US charges that self-disclose upon discovering incidents of internal corruption, fully cooperate with the authorities, and also show that they are taking appropriate disciplinary action not only qualify for a financial discount on penalties but send a strong message that corruption isn't an acceptable internal practice.
Not only did Ericsson fail to self-report, it also failed to produce information in a timely manner and to discipline those involved.
But self-reporting is not a good idea in every situation, as it can bring public scrutiny and doesn't always guarantee discounts on fines, according to US-based forensic accountants Howard Scheck, CPA, J.D.; Greg Buchanan, CPA; and Katy Creecy, CPA, who wrote "Uncovering Bribes Hidden in Books and Records", Journal of Accountancy, October 2019. Businesses should make a decision about whether to self-report after talking with legal counsel.
Weeding out misconduct, bad actors
Ericsson got caught in the crosshairs of federal regulators — and paid dearly for its failures. Its mistakes should serve as a warning to other multinational companies to take compliance seriously, to build adequate controls into their operations, and to comply with SEC investigations — which includes dismissing employees responsible for misconduct.
There's a saying about fraud that "a bad apple creates a bad bunch, which leads to a bad crop", according to Marks.
"In the Ericsson case, the only way to change the corporate culture is to eradicate the bad apples. You need to dismiss them, to move them out," he said. "Regulatory bodies are paying much more attention to this."
The Scheme
Here’s a summary of Ericsson’s US Foreign Corrupt Practices Act (FCPA) violations, as outlined by the US Department of Justice (DOJ):
- In Djibouti, an Ericsson subsidiary directed nearly $2.1 million in bribes to high-ranking government officials in order to secure a $23 million telecom contract with a state-owned company. To pull off the scheme, the subsidiary entered into a fake contract with a sham consulting company, and then approved fake invoices to conceal the bribes, according to the DOJ. Additionally, a due diligence report written by an Ericsson employee failed to report that the owner of the sham consulting company was married to a high-ranking government official.
- In China, between 2000 and 2016, an Ericsson subsidiary diverted tens of millions of dollars to consultants and service providers, some of which was used to pay for gifts, travel, and entertainment for Chinese officials, in order to win business from Chinese state-owned customers. To create the slush fund — which subsidiaries allegedly used to continue payments to third parties, allowing them to circumvent Ericsson’s compliance policies — the Ericsson subsidiary created sham contracts, paying a third party $31.5 million for services that were never performed.
- In Vietnam, between 2012 and 2015, an Ericsson subsidiary paid a consulting company more than $4.8 million to create an off-the-books slush fund in order to pay third parties who wouldn’t have passed Ericsson’s due diligence process.
- In Indonesia, between 2012 and 2015, an Ericsson subsidiary made approximately $45 million in payments to a consulting company in order to create off-the-books slush funds, and concealed the payments on Ericsson’s books and records.
- In Kuwait, between 2011 and 2013, an Ericsson subsidiary concealed a $450,000 payment to a consulting company by creating a sham contract and approved invoices for services never performed.
- And finally, an Ericsson subsidiary, Ericsson Egypt LTD, pleaded guilty to a one-count criminal information charge for conspiracy to violate the anti-bribery provisions of the FCPA for paying over $2 million in bribes to public officials in order to win a $20 million contract.
Not only did Ericsson neglect to self-disclose the corruption, it failed to disclose materials to the DOJ related to the corruption allegations in a “timely manner” and also did not take adequate disciplinary measures on employees involved in the misconduct, according to federal prosecutors. Companies that cooperate with FCPA investigations can qualify for “discounts” on fines, according to Tom Fox, a Houston-based lawyer who has more than 34 years of experience advising companies on compliance issues, and the founder of a network of compliance podcasts. Those reductions can be significant: up to 25% of the total fine for remediating; up to 50% for remediation and full cooperation with the investigation; and up to 100% for self-disclosure, remediation, and full cooperation, according to Fox.
However, because it failed to “disclose allegations of corruption with respect to two relevant matters” and did not disclose materials in a timely manner or take adequate disciplinary measures with employees involved, Ericsson did not receive a significant reduction in fines. The company only received a 15% discount under the FCPA Corporate Enforcement Policy for its actions, according to the DOJ.
Malia Politzer is a freelance writer based in Spain. To comment on this article or to suggest an idea for another article, contact Drew Adamek, an FM magazine senior editor, at Andrew.Adamek@aicpa-cima.com.