The Freeh Report was released last week. It detailed a series of actions and inactions taken by officials at Penn State University (Penn State) which allowed Jerry Sandusky to continue his abuse of young boys from at least 1998 up until the time he was arrested. This incident is the worst scandal involving the American higher education system that I have witnessed in my lifetime. As noted in a New York Times (NYT) articled published on July 13, entitled "In Report, Failures at Every Level of Hierarchy", the Freeh Report found a series of failures all the way up the Penn State chain of command. The article stated, "shortcomings that were the result of any insular and complacent culture in which football was revered, rules were not applied and the balance of power was dangerously out of whack." As bad a situation as the Freeh Report portrays, I believe that there are significant lessons for the Foreign Corrupt Practices Act (FCPA) compliance practitioner and this post will try draw out some of these lessons learned.
I. Insular and Complacent Culture
A. Failure of Top Officials and Role of a Board of Directors
The Freeh Report portrayed the Penn State Board of Trustees, the University equivalent to a corporate Board of Directors, "as passive overseers, so in thrall to the president and the coach that they failed to demand even the barest displays of accountability." Even if the University President actively withheld information from the Board, a Board has the responsibility to ask tough questions. The NYT article quoted Anne Neal, president of the American Council of Trustees and Alumni for the following, "For too long, the boards have been viewed more as boosters that as legal fiduciaries."
In the aftermath of the Wal-Mart scandal, the FCPA Professor opined that the problems Wal-Mart encountered were largely a failure of corporate governance. While I disagree with the FCPA Professor on the quanta of the role of the Wal-Mart Board, I do agree that the Wal-Mart Board did not ask tough questions of its senior management regarding its FCPA compliance. If senior management deceives its own Board that is certainly a big problem but it is also a problem, if the Board never makes the inquiries. In both the Wal-Mart case and the Penn State scandal, it appears the respective Boards abrogated their duties.
B. Reporting of Violations - Anonymous Reporting Hotline
One thing that the Department of Justice (DOJ) has insisted on for several years as a minimum best practice in a FCPA compliance reporting is anonymous reporting and can be found in its current formulation of minimum best practices which reads:
9. Ongoing Advice and Guidance. The Company should establish or maintain an effective system for:
a. Providing guidance to directors, officers, employees, and its agents and business partners, on complying with the Company's anti-corruption compliance policies, including when they need advice on an urgent basis or in any country in which the Company operates;
b. Internal and confidential reporting and protection of those reporting breaches of the law or professional standards or ethics concerning anticorruption occurring within the company, suspected criminal conduct, and/or violations of the compliance policies directors, officers, employees; and
c. Responding to such requests and undertaking appropriate action in response to such reports.
There were at least two separate instances where low level employees witnessed Jerry Sandusky abusing children. An incident witnessed by Graduate Assistant Mike McQueary, who did report the incident to his supervisor, Head Coach Joe Paterno. While Paterno did report this incident to the University President, the Freeh Report found that the University President did not report this incident to any police or other authorities. As troubling as this incident is, perhaps more troubling is incident involving Penn State employee Jim Calhoun, a school janitor who witnessed Sandusky abusing a child earlier, in 2000. Although Calhoun told another employee and his supervisor of the incident, not one of these three men reported the incident to the police or other authorities because they were all afraid of losing their jobs. This was after Jerry Sandusky had 'retired' from Penn State in 1999. So they should not have been afraid that Sandusky would threaten them. These men were so afraid of implicating the power of the Penn State football program that they were afraid to report the conduct. Apparently there was no anonymous mechanism for them to do so.
This description makes crystal clear why a company must have an anonymous reporting system. While I firmly believe that most employees will report misconduct if they see it or become aware of it if they care at all about their company, the Penn State situation makes clear that if there is fear and trepidation for such reporting, a system must be put in place to facilitate it. But a company cannot stop there. A company must have both the commitment to non-retaliation and train people on this key company component.
II. Rules Were Not Applied and Compliance with Legal Requirements
One of the laws that has become more widely known in the general populace since the Sandusky scandal broke is the Clery Act. This federal law requires colleges (and universities) "to pull together on crime from a variety of sources and warn the university community about potential threats. The law holds a wide range of college employees - including football coaches - responsible for contributing to the report." While this law has been on the books since 1990 the NYT article said in the Freeh Report that the Penn State officials, "did not know until recently that anyone but the campus police had that obligation, and the police paid little attention to the law until 2007." More damningly, Penn State did not even adopt a plan for complying with this law until 2009 and, when the Sandusky scandal was revealed last fall, the 2009 plan had still not even been adopted by Penn State.
The FCPA has been the law of the land since 1977. However, there are a large number of US companies which have never adopted any compliance program or have one that is so old, it bears little to no resemblance to current minimum best practices. The Clery Act was well known within the academic community just as the FCPA is well known within the US international business community. Simply put you must comply with the law. The legal liability for such failure can be astronomical. It could well lead to personal criminal liability for senior management of a corporation.
III. Where the Balance of Power is Dangerously Out of Whack - When a Football Program Runs a University
I grew up in a small town in Texas. Friday Night Lights was true then and it's true now. My hometown is appended to a major university where football is king on Saturday afternoon. I attended a university in Texas where football is just as big as it was at Penn State during Joe Paterno's tenure. In short, I have lived in a state where the culture of football is a religion and the Head Coach is viewed with near godlike status (that's god with a little 'g'; not the God). Even though I can understand how it might happen, it does not mean that it is right. At a major university, just as in a small town school district, even the head coach is an employee who reports to someone; the University President, the Athletic Director or the School District Administrator. And even in Texas, the primary mission of a University and school district is education, not football.
A football program must be subject to the same rules and regulations as others departments. The Freeh Report noted that the Penn State football program chose not to participate in the "university's efforts to train people in recognizing and reporting violence and sexual abuse." Get that - the football program chose not to even participate in such training, let alone recognize that the same rules applied to it. The NYT article quoted Alison Kiss, Executive Director of the Clery Center for Security on Campus, who said that "In our experience, when an athlete or coach is involved, many times it does get treated differently. We have to change that culture."
In the corporate world, remember Enron, where the traders ran the company. Look at Enron today, oops it doesn't exist anymore and most of its top management went to prison, hmmm what does that tell you? Or for a more contemporary example, how about Barclay's where the traders told the bankers what information to report to set the LIBOR rate. For the compliance practitioner, I think all of this means that your corporate culture must not only be dedicated to doing business legally and ethically but dedication must be translated through constant communication, including training to your employees. I recognize that compliance and ethics training fatigue can set in at some point. But think back to Morgan Stanley and its declination in the Garth Peterson enforcement action. Morgan Stanley had very novel and creative ways to communicate compliance to its employees on a worldwide basis. Even something as simple as an email reminder was cited by the DOJ as evidence of the robustness of Morgan Stanley's compliance program.
The Sandusky scandal and the Freeh Report will reverberate for a long time to come. For the compliance practitioner, there are several lessons learned that you should take away from this terrible and preventable tragedy. If you work in a university environment, I think that Monday morning you need to sit down and read the entire Freeh Report and then hire an outside third party to come in and within the next 30 days assess the university's culture, governance, compliance policies and procedures for protecting our children. Please, for the sake of our children.
Visit the FCPA Compliance and Ethics Blog, hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and other forms of risk management for a worldwide energy practice, tax issues faced by multi-national US companies, insurance coverage issues and protection of trade secrets.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2012
For more information about LexisNexis products and solutions connect with us through our corporate site.