One does not have to look very far in the business world
to come across the phrase "Know Your Customer." A company certainly needs to
know if an entity that it may sell products or provide services to will pay for
those items. Running a Dun & Bradstreet credit check is routinely performed
to ascertain if a counter-party is a good credit risk. But how much more should
a company do in regards to its customers? Clearly banks, other financial
institutions and even casinos need to assess a customer from the perspective of
anti-money laundering (AML). Is there a reason grounded in the Foreign Corrupt
Practices Act (FCPA) or UK Bribery Act that would suggest that customers should
go through background scrutiny from the anti-bribery/anti-corruption compliance
I thought about internal controls regarding due diligence
requirements on customers, effective compliance programs and third party
validation of credentials when reading an article in June issue of Wired
Magazine, entitled "Drugstore Cowboy", by Jake Pearson. I found this
article to be a very cautionary tale for those companies which need to consider
just whom they are doing business with or for. The story involved an undercover
sting operation by the US government against Google. The operation involved a
convicted felon, one David Whitaker, who convinced law enforcement authorities
that Google had assisted him, in violation of its own internal protocols and US
laws, to sell illegal "black market steroids and human growth hormones" online.
Whitaker told federal officials that "Google employees had actively helped him
advertise his business, even though he made no attempt to hide its illegal
nature." Based upon his experience, Whitaker believed that Google must be
"helping other rogue Internet pharmacies too."
On paper, it appeared from the article that Google has a
systems designed to ferret out sites which used words or had other indicia that
they were selling illegal drugs. There was an initial screening by a Google
sales representative. There was an automated program which searched for key
words that might indicate illegal drugs were being sold. There was a review of
the website itself to see of other factors were present which might show that
illegal products were being sold. Finally, Google used a third party
verification service, to attest that any site selling pharmaceutical products
was properly licensed.
Based upon his experiences, the government set Whitaker
up with an alias, fake company, bank account and phone lines and then monitored
and watched him to see if his claims were true. He was told to see if Google
would actively assist him to sell advertising for a non-existent company called
"SportsDrugs.net, a website that sold HGH and steroids from Mexico, with no
doctor's prescription." The plan that Whitaker used was straightforward.
The chilling thing I found in this article was it
reported that in each one of the false scenarios, Whitaker was reported to have
explained to the Google representative the true nature and purpose of the site.
All of the information that Whitaker conveyed made clear that these sites were
designed to sell drugs which are illegal in the US, without a doctor's
prescription. In just over the span of three months, the undercover operation
spent over $200,000 with Google.
Google ended up settling with the US government for a
fine of $500 million. Although Pearson did not quote the US Assistant District
Attorney, who headed the investigation and enforcement action, Peter Neronha,
was quoted as telling the Wall Street Journal (WSJ) the "culpability went far
higher than the sales reps that Whitaker worked with. Indeed, he said, some of
the company's most powerful executives were aware that illegal pharmacies were
advertising on the site." Google itself would not comment for the Pearson
From the account in the Pearson piece it would appear
that Google had a system in place to check and make sure that it was not
advertising sites which sold illegal drugs but that system, both human and
automated, was worked around. For the anti-corruption compliance practitioner,
I think that there are several key lessons which can be learned from this tale.
Train, Train, Train. If
you sell services, which can be used to facilitate illegal conduct, you need to
train your sales force to watch out for signs of that illegal activity. The
initial Google sales representative who was contacted by Whitaker should have
been the first line of prevention to stop the issue before it came up for the
Monitor, Monitor, Monitor.
There should be several types of monitoring. If a business name comes through
your system and it is rejected, there should be a monitoring mechanism in place
to note if it reappears later or is approved through some other means, as was
done in this situation. Similarly, if the name of a business owner comes up in
connection with another company, there needs to a mechanism in place to perform
a cross check. The sales representatives should also be monitored to determine
if they are manipulating the system.
Incentives, Incentives, Incentives.
While not discussed in the Pearson article, what do you want to bet that the
Google sales representatives were compensated, at least in part, with a
commission based upon the number of GoogleAds that they sold? If your
compensation structure or other incentive structure rewards people who use
shortcuts, then there will always be employees who take them.
Audit, Audit, Audit.
Remember the part of the story about how the Google sales representative would
advise Whitaker how to scrub his website of key words, search terms and other
information which would indicate that it was selling illegal pharmaceuticals
only to reinsert those on the site after the scrubbed site had been approved?
You need to audit to determine if any illegal conduct has begun after the
contract is signed. And if you do not have audit rights, you have a very slim
chance of actually performing an audit.
Visit the FCPA Compliance and Ethics Blog,
hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and
other forms of risk management for a worldwide energy practice, tax issues
faced by multi-national US companies, insurance coverage issues and protection
of trade secrets.
This publication contains general information
only and is based on the experiences and research of the author. The author is
not, by means of this publication, rendering business, legal advice, or other
professional advice or services. This publication is not a substitute for such
legal advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any
action that may affect your business, you should consult a qualified legal
advisor. The author, his affiliates, and related entities shall not be
responsible for any loss sustained by any person or entity that relies on this
publication. The Author gives his permission to link, post, distribute, or
reference this article for any lawful purpose, provided attribution is made to
the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2013
For more information about LexisNexis
products and solutions connect with us through our corporate site.