2012 Chief Legal Officer Leadership Forum (San Francisco)
May 3, 2012
EVP, Secretary & General Counsel
Ingram Micro, Inc.
"Partner Compliance Due Diligence: A Proposal for an Industry-Wide Approach”
[Scott]: I would like to welcome Jim LaRosa, President, Client Services from Juristaff’s alternative law firm division. He will be introducing our next session of the day.
[Jim LaRosa]: Thank you, Scott. I want to thank everyone from Argyle for putting on another great event. This is my third CLO event this year. I’ve been in Dallas and New York and now here. A topic that has been consistent in all three of these events is FCPA compliance. In one way or another, it comes up several times a day. It is obviously an issue that corporate legal departments are dealing with more and more.
In my business we place project attorneys with corporate legal departments. I’m hearing numerous requests for FCP attorneys from my clients, particularly on the international side, and especially within the last 12 to 24 months. It’s an issue that I’m seeing regularly. My clients are continually telling me about the frustration that they’re dealing with in the amount of resources that they’re spending with regard to the diligence and compliance regarding the FCPA compliance.
Earlier today, one of our other speakers said that Larry Boyd here has the gold standard in helping the industry standardize a diligence approach. It’s my pleasure to introduce Larry Boyd. Larry is the Executive Vice President, Secretary and General Counsel at Ingram Micro, Inc. Lily, from his legal department, had already described the company, and I think she did a pretty good job of it. I will say they are the world’s largest technology distributor. They had 15,000 associates with them and their subsidiaries. According to Lily, they did $36 billion in revenue in 2011.
Larry has been with Ingram since the year 2000. He took his current position in 2004. Prior to that, he was a litigator and a partner at Gibson Dunn for 22 years. Larry has gained both his undergraduate and law degree from Stanford. Without further ado, let me bring on board Larry Boyd.
[Larry Boyd]: Thank you, Jim. It’s good to be here this afternoon, and thank you for sticking around. I appreciate it. Before we get started, I’d like to go off topic for a second. The last bunch that was up here talked about [inaudible] or electronic board portals for boards. You know you’re having one of those “we’re not in Kansas anymore” moments when you look at your e-mail – this happened to me about three weeks ago, I was on the road, looked at my e-mail and saw that my corporate paralegal had sent out an e-mail to all of the members of our board. Our youngest board member is 49, the oldest one is about 74, and most of them are bunched up there in the mid- to late-60s.
The e-mail said, “Dear members of the board, we just wanted to let you know that you can go to iTunes and download the latest iPad app for BoardVantage.” It’s a different world now, but there’s a plug for BoardVantage. It does work. It’s a great tool.
The folks here at Argyle were nice enough to host a dinner last night for the speakers. At the dinner, the fellow next to me said, “Okay, GC of Ingram Micro, what keeps you up at night?” I had no hesitation in responding, “Foreign corrupt practices act,” FCPA. Obviously, we’ve had a lot of front page news on the FCPA in the last two weeks at the expense of Wal-Mart. As far as I’m concerned, there was a piece of news almost as significant as that that hasn’t gotten much notice.
There was an announcement on April 25th by the Department of Justice. It announced that a former managing director at Morgan Stanley was pleading guilty to violations of the Foreign Corrupt Practices Act. This was someone who had been active for them in China. According to the guilty plea and the announcement, this gentleman had used some of Morgan Stanley’s money to line his own pockets, as well as those of a rather cooperative Chinese government official who was a buddy of his in some real estate deals that Morgan Stanley was involved in in China.
The announcement was really significant, not for what it said or for what was happening, but for what wasn’t happening. Morgan Stanley was not entering into a non-prosecution agreement or a deferred prosecution agreement with the Justice Department because of these crimes. The press release instead went out of its way to laud Morgan Stanley’s compliance program. It talked about all the times this fellow who had just pled guilty had been trained on the FCPA in the seven years he’d been at Morgan Stanley, and the number of FCPA trainings that Morgan Stanley had given in China during that same period of time. They talked about their internal controls and their policies, the monitoring and follow up that Morgan Stanley did to see whether or not people understood their policies and whether or not they were following them.
The announcement said that the Justice Department recognizes that these crimes happened despite the best efforts of Morgan Stanley and thus declined to prosecute. Now, if you follow the Justice Department press releases you know that they have lots of public hangings, but very seldom do they ever have a public coronation. So hat’s off to Morgan Stanley. They obviously have a great compliance program, and good for them. If you’re of a cynical frame of mind like I am, though, I will tell you that I suspect that this announcement by the Justice Department had as much to do with the effort that the U.S. Chamber of Commerce has been mounting over the last 18 months to try to get Congress to amend the Foreign Corrupt Practices Act as it does with Morgan Stanley’s good conduct.
One of the things the Chamber has been trying to do is get Congress to amend the act so that it contains a formal affirmative defense for corporations that have effective and adequate compliance programs. If a rogue employee or rogue business unit goes off and does something that they’re not supposed to do, you fire them as soon as you find out. It’s against policy, it’s against training, it’s against everything that your company believes in, and yet human nature is human nature and stuff happens.
Under the U.K. Bribery Act, under Italy’s Bribery Act, under Germany’s Bribery Act you have a formal affirmative defense. The U.S. Justice Department is only committed to taking your compliance program into effect or into account at the penalty phase of resolving a Foreign Corrupt Practices Act problem through the federal sentencing guidelines. That’s something that the Chamber has been trying to address, and the Justice Department has been saying, “We don’t think the act needs to be amended.”
Stay tuned on that. I digress a bit. We’ll get back to Morgan Stanley, and we’ll get back to the components of an effective compliance program.
Ingram Micro is a tech distributor. We don’t make anything; we just sell lots of tech products that are made by some of the companies that are in this room and a lot of companies that are here in the valley. We encounter the same risks that are really common to the tech industry. We have frequent interactions with government officials just to get the products into the country, maybe to get them registered under the right duty regime or the right tax regime. It’s no secret that in the developing world some of your best customers – in fact, sometimes some of your only customers for expensive tech products – are the government.
There are other countries – China, for instance – where many private companies have a strong public component, either in their ownership or in their control. These are state-owned enterprises, so we’re dealing with the government in the developing world all the time.
There’s been a lot of focus over the last couple of years by both the Department of Justice and by the Securities and Exchange Commission on the tech sector. If you follow the FCPA, you know that one of the things the DOJ has been doing is industry sweeps. If they find a problem with one company in a particular industry, they start asking questions of other companies in that same industry. Whether those companies are suspected of doing anything wrong or not, they’ll say, “We found out that so-and-so has been having problems with how they handle their marketing funds. How do you handle your marketing funds?”
During the summer of 2010, I think Chuck DeRoss from the Justice Department was actually doing the rubber chicken circuit in Asia. He went to compliance conferences in Shanghai, Singapore, Kuala Lumpur and basically preached the gospel that, “Hey, we have our eye on you and we have our eye on the tech sector out here because we understand that you have lots of flexibility in your pricing. We see last minute adjustments in pricing and ways of creating funds of money. We think that’s a fertile ground for corruption, so we have our eye on that.”
There is thus a lot of focus by the regulators on the tech industry.
We have pretty clear guidance through the federal sentencing guidelines. We have the OECD convention on bribery and corruption. We have the new U.K. Bribery Act. As a component of an effective compliance program, they talk about the obligation of U.S. companies to police their sales channel, to know your customer, to in effect be responsible for what third parties you’re [inaudible] with them one way or another. They may be acting as your consultant or your agent or they may be an entirely independent customer of yours. All you’re doing is selling them a product, but maybe on a government deal they came to you at the last minute and said, “I have to have a price adjustment. You have to drop this price another 5% or another 3% because that’s what the government ministry is expecting in order to buy these 10,000 laptops.”
You go ahead and make the adjustment, and you find out six months later that that price drop wasn’t passed along to the ministry; it was passed along to the minister. In the eyes of the DOJ, you’ve just been complicit in a bribe. Even though you didn’t know anything about it, that’s the way that the FCPA is being enforced today by our regulators.
It’s a big eye opener, and it’s a big problem.
Take the GE InVision case. InVision failed to develop an adequate process to select and train its sales agents and distributors. It conducted little, if any, investigation into their backgrounds. It also provided no formal training or education, and it failed to establish a program to monitor its foreign agents and distributors for compliance with the FCPA.
Now, the idea of giving training to your customers in Thailand about the FCPA, of following up and monitoring what they do after the sale and during the sale, that’s all well and good if you’re an oil and gas company. It’s fine if you’re working with one agent or one consultant in Saudi Arabia or Nigeria. If you haven’t adequately vetted that company, if you haven’t given them training, if you haven’t set expectations with them about what you expect from them in terms of compliance with our laws, or if you don’t monitor what that one agent is doing in working for you, maybe you deserve what happens to you then if they engage in bribery.
What if you have thousands of customers and agents? For instance, Cisco has 65,000 channel partners worldwide. The AllianceONE partner program for HP, 5,000. Ingram Micro, my company, has over 180,000 customers worldwide. I can’t begin to vet, do background checks, and train and monitor the activities of 180,000 customers. It would bankrupt Ingram Micro.
What do you do?
Well, obviously you have to engage in a risk-based approach. For ourselves, more than half of those 180,000 customers are in North America and western and northern Europe. Those are not areas of great risks for the FCPA or for bribery and corruption in general. Not that it doesn’t happen, but I have thousands of customers in Latin America and in Asia, and those are areas of great risk.
How do I do diligence on thousands of customers?
Furthermore, my problems are not unique. We have competitors here in the United States who are active overseas. They have the same concerns. Cisco, HP, Lenovo, IBM. They sell through me to a lot of people, a lot of companies in Asia and in Latin America and in the Middle East and in Africa. They sell direct. They have their own distributors or sub-distributors that they use. Sometimes, some of the same customers are some distributors that Ingram Micro uses.
We’re all interested in finding out information about those companies, but there are literally thousands of them. Reality starts to look something like this. You can take that first line and move it out right and left, turn the four or five there into scores of major tech manufacturers. You can take the middle blue line and blow it out by hundreds or by thousands. You can just imagine what the yellow line looks at the bottom. All of those other lines are just crossing.
You have a lot of different companies asking a lot of the same companies for the same information, in some cases asking them to take the same training from the same online training company, SEI Global or someone like that.
Think about this individualized approach to conducting diligence, and to knowing your customer that the Justice Department and the SEC wants us to do? What does that portend for an individual company that’s trying to do it? Let me give you an example, and it’s a personal example to Ingram Micro.
About two years ago, one of the major software companies came to us with a questionnaire. They are a great customer of ours and we deeply respect them. They have a great compliance program, at least in my opinion. They’re really trying to do the right thing. As I said, they came to us with a new compliance diligence questionnaire that they were rolling out. They wanted us to fill it out just the same as they wanted all of our competitors to fill it out. They were also taking it down levels below us and contacting major customers of theirs in places like Asia and asking them to fill it out as well.
When we finally put it all together and sent it back to the vendor, the main questionnaire response was 28 pages long. That’s single spaced. It had separate addenda and supplements and attachments for each of the 20-plus countries around the world where we sold that vendors products. The final product was about this thick, and our chief operating officer had to read through each page with me and make sure it was correct before we signed off on it and sent it off.
Fortunately, they let us pass on the online training that was a part of their program. They acknowledged the fact that they realized we already did a lot of our own training, and that if our people didn’t understand their obligations under the FCPA, none of their customers certainly would. They didn’t think we’d necessarily benefit from the training. We appreciated being able to pass on that.
Let me give you another example of another great company.
About two years ago, two-and-a-half years ago HP decided, for the same reasons that this other company started up their questionnaire – it’s all being driven by fear of prosecution under the FCPA. HP contacted all of its customers worldwide and said, “We want you to take online compliance training. You only have to nominate one person from your company to take it.” One person out of 15,000 at Ingram Micro. There were a lot of companies out in Asia, for instance, and Latin America that got the same invitation.
We want you to take this training. You need this if you’re going to continue as a HP certified customer. By the way, you get to pay us $150 for the privilege of taking the training.
The backlash that poor HP got on this was just overwhelming. They had people all over the world telling them, “Are you guys out of your minds? I don’t understand why you want us to take this training. I’m not going to waste my time on it. I’m certainly not going to pay you for the privilege of doing it.”
They cancelled the thing, rolled it out, and tried to do something else. This is the sort of resistance that you run into. I will tell you that for Ingram Micro and companies similarly situated, the obligation to try to do deep background checks is a competitive disadvantage. This is also the case for compliance and diligence on your partners, as well as the people that you want to sell product to that you want to try to get to buy product from you instead of your competitors.
I go to a valued customer in Malaysia and tell them, “I want to know who your owners are. I want to know whether you have anybody in your owners’ families that are in the government. I want to know whether you’ve had any past problems or experiences with bribery or corruption. Have you ever been accused of bribing a foreign minister?” They’re going to look at you and say, “Why are you asking me this? Why would I even tell you this, and you guys from America are really hard to do business with; I’m going to go buy product from ECS, a nice Singapore company. They don’t ask me questions like this.”
It’s a competitive disadvantage. It’s a disadvantage for me and frankly, it’s a disadvantage for a lot of the marketing Silicon Valley companies. HP wants to ask questions of this like this of people in Asia or Latin America. The response they may get is “I don’t have to buy my computers from you. I’ll buy them from Acer. They’re a nice Chinese company. They don’t ask me questions like this.”
It is tough to do what Justice wants us to do. What’s the answer? Well, some of us in the distribution business started asking the question about a year-and-a-half ago or two years ago. “Can we come up with an industry standard? Is there a way to develop an approach so that we can all start asking the same questions, ask them once, and move on?”
To give credit where credit is due, about two years ago the general counsel of Tech Data – they’re the next largest tech distributor in the world – David Vetter called me up and said, “Larry, I just got through completing that questionnaire that I told you about,” it was nice and thick for them, too. “We just got through doing the questionnaire. Would you support me if I went to the GTDC?” That’s our industry trade counsel, the Global Technology Distribution Council. “The steering committee proposed that we all get together and agree on a standard format of diligence questions that we know the vendors want to know from us. We agree that we’re all going to provide that information, and we’ll provide it all into one place and provide it to the major vendors and see if we can get them, through GTDC, to agree they’ll take that and not bother us individually?” I said, “David, that’s a fabulous idea.”
The next GTDC council meeting was going to be out on the west coast. I said I’d go pitch them on that. I said, “I want to go one better. I want to propose to the GTDC that we go to the vendors and say, ‘Look, we should have a common approach. You should want the same information from me that you want from all of my competitors, and we should all want the same information for the folks south of us in the supply chain. To get really efficient on this, we should start putting that information in the same place. We should build a tool for gathering that information, making it accessible to all of us so that we can essentially build a compliance Dun & Bradstreet that all of us can use together. Create more transparency, drive inefficiencies out of the collection process, and have the information available to all.’”
David thought it was a great idea. The GTDC thought it was a great idea. Starting in the fall of 2010 David and I started calling our contacts at various vendors to pitch them on the idea. We asked them to come to an organizational meeting that we were going to have at Ingram Micro in January 2011 to talk about the idea.
Essentially, the model we were going to have was this. Standard template of desired information, where you are able to access the collected information when you need it. The information would be updated automatically by automated databases, politically exposed parties, politically denied parties or denied parties list, things of that nature. The ability to contract through the tool provider to provide online training to your customers if you felt that that was one of the things that you needed to do to adequately vet a particular partner that you wanted to deal with.
The key was that each participant and each user of this database would assess the information and analyze it independently. We weren’t going to have industry approved parties. I didn’t think that we could take that responsibility on. There were competitive reasons why I was a little bit worried about the idea of concerted refusals to deal and that sort of thing.
If all of the information was sitting there, and if a Cisco, an HP, a Lenovo, an IBM, a Tech Data, a Synex, an Ingram Micro could go into the database, look at information that had been collected on particular resellers, consultants, or agents in the third world, and make an independent assessment on whether and on what terms you wanted to do business with that partner, we could start driving cost out of this process of collecting compliance diligence on remote parties.
This is an indicative list of participants that we have right now. I refer to it as a coalition of the willing. Some of the participants have been more active than the others, but I’ll tell you that just about everybody here has been to one or more face-to-face meetings at various places around the country. We’ve spent on occasions a day, day-and-a-half, two days at a time talking about these issues and talking about bringing this idea to fruition.
We had a kickoff meeting in January 2011 at Ingram. We followed that up in April 2011 with a meeting at Tech Data. In the April meeting we reached consensus on our standard database inquiries that we would have. We also agreed on the functionalities that we would want an online tool to have, and we set in motion an RFP process. It started out with 17 service providers that indicated an interest in bidding on the process. We narrowed that down through a formal RFP process in the summer of 2011 to six participants, or six proposed providers.
We had a meeting at the offices of Autodesk here in San Francisco in September of 2011 to go over the short list and agreed to down select from the six to three. We also formed a formal steering committee and charter for our group at that point and continued down the road. We’ve had product demonstrations and proposals from the three providers. We had another meeting in February at the offices of Avnet, where the participants got together. We talked about potential business models and potential pricing models for the tool.
We still have a lot of heavy lifting to do. These are some of the accomplishments we have so far, but what’s left is the final selection from three down to one, negotiation with that service provider. If you’re interested, the three are SAI Global, KPMG and Red Flag Group. They all have interesting proposals and slightly different ways of getting the functionality and getting to where we want them to be to be able to have a contracting party link in to their tool. They provide the desired information, they follow-up with requests, they handle questions and problems that the proposed contracting party may have, they provide online training on the Foreign Corrupt Practices Act and on other types of ethical business issues that we might want that proposed partner to take. They will then house the information and make that data available, update it as necessary, and provide it for our use.
How all of that is going to be priced out? Who’s going to pay for it? It’ll probably be by the drink. Those things are yet to be determined. I would say that the reasonable belief of most of the participants – and there are companies that are participating in this that already are doing it. Microsoft, for instance, has already invested millions of dollars in their own online system for collecting data, for providing training and checking up and doing diligence on partners. They’re participating in this because they think it’s an interesting idea, and because they see the possibilities for having synergies and scope on this thing that will obsolesce their system. They see that it will be cheaper for them to use this common system than use their home grown system. They’re willing to go down that path to see whether it works out that way.
Right now we’re in the process of collecting commitments from the participants for the hiring of a consultant to help us do the final down select to the one provider that we will negotiate with and then start the implementation process. We’re gathering commitments of $10,000. I need $100,000 to retain the consultant and get going with that part of the process. I have commitments for $90,000, so I’m hoping that very shortly I’ll get that tenth person.
I’m hoping that some time in 2012 we’re going to be able to announce that this thing is up. We can say it’s working, and it’s being used and starting to grow.
We have legal advisors who are providing their services gratis to us because they’re excited about the idea. They think it makes a lot of sense. I have talked to lawyers in the FCPA industry. They think this is an interesting idea and to their knowledge, nobody has done this yet. If we can make this thing work and if they can make it work, they’re going to be able to take this show on the road to a lot of other industries where you have multiple levels of distribution and sales. These are very complicated sales channels like the tech sector does for U.S. companies that sell overseas.
This could be a great thing for the pharma industry. It could be a great thing for equipment companies, all sorts of different supply industries. They all have similar problems to the problems that we have in the tech sector.
I hope Ingram Micro will be able to accomplish through this things that we could never be able to do on our own, and could never be able to afford to do on our own. I hope that all the participants in this initiative will be able to obtain better knowledge, have more transparency in the sales channel. I really feel that this is a way for U.S. companies to level the competitive playing field. That’s certainly the case for distributors. We don’t have the leverage that the vendors have. We only sell a desirable product; we don’t make it. If the vendors see that this thing can work for them, they can probably see their way to saying, “If you want to be a Cisco certified reseller in Malaysia, I don’t care who you’re buying your product from, whether you’re buying it from me or someone else. I want you in this database, because I may deal with you directly at some point as well.” When that happens, that playing field gets very level. They can’t run to ECS or to Officer in Brazil or some other local competitor. The resellers will need to get on board with us, get compliant. It becomes a safer world to do business in, and it hopefully becomes a safer world for us to deal with our regulators.
I have time for questions.
[Jim]: What has been the resistance, if any, to any of your people in your group?
[Larry Boyd]: The primary resistance has been from some companies that are already doing this on their own, but I point to Microsoft. As far as I know, Microsoft has a great system on their own, but they see promise in this as well.
Another resistance has simply been, “We’re worried about the expense.” I submit the expense jointly will be a heck of a lot less than the expense individually. Some people are just saying that we can just never begin to do what Justice wants us to do and it’s inertia.
There are also some concerns about concerted activity. I don’t think what we’re trying to do is anti-competitive. I don’t think it’s an anti-trust problem. I think at the end of the day the Justice Department will look at this and say, “Yes, go ahead. I don’t see a problem.”
If not, then I’ll blame it all on [inaudible] because my North American regional counsel used to be an anti-trust lawyer and he tells me he thinks we can get away with this.
We also have been talking to outside counsel who are experts in anti-trust issues. They think we’re okay.
In terms of how we spec’d out the functionalities of the tool, one of the things we will be working with the service provider will necessarily require the shielding of certain types of information and certain levels of information. That’s part of the complexity of the tool and part of the challenge of designing or writing the program. Certainly, I don’t know that we’d ever have pricing information in there, but it’s not going to be visible to other parties. We’re sensitive to those issues and I think we can overcome any particular problems in that area.
The real issue at the end of the day is going to be getting the money together. We think it’s going to cost anywhere from $600,000 to $900,000 to actually build the product and have something that we can start using and populating. It’s going to require some investment certainly above the $10,000 level by the participants.
We also have talked about the original – because you do have the free rider problem – participants being able to earn back some of their investments from subsequent use. If you think about it, if I use the tool to get a particular resellers information in a particular city and a particular country, I’m not the only person that sells tech product to that company. Other users are going to want to come into the database and take a look at the information. They’ll pay for the privilege. I’ll get some of that back. Over time the companies that helped build the thing will get their investment back as others come. It’s like the movie Field of Dreams. We do think if we build it that people will come.
Any other questions?
[Woman]: Hello. Have you spoken with the Department of Justice in collaboration with them in developing this?
[Larry Boyd]: That’s a great question. It is a constant topic of discussion on our steering committee and among the participants. There are two schools of thought on that. Frankly, I’m skeptical about doing that. I’m harkening back to the Morgan Stanley announcement. If the Justice Department is starting to change attitudes and change practices a little bit the same way that the U.S. Chamber and Association of Corporate Counsel did a few years back with respect to the force waivers of the corporate attorney client privilege, we [inaudible] enough pressure to bear that they finally backed off before legislation could be passed. If we start seeing more of an open attitude and less of a “gotcha” mentality from the DOJ, then it might make sense to sit down with them and say, “Hey, guys, this is what we’re planning on doing. What do you think?”
The U.K. enforcement authorities, with respect to their new statute, have expressed openness to sitting down with industry groups or individual companies and talking to them about their compliance programs. Justice has been resistant to that sort of thing, but if we see a different attitude then we may do it. Our concern up until now has been if we go in, chances are if you’ve had to deal with Justice or SEC on this or issues like it in the past, they’ll always see something to criticize in what you’re doing. “Well, that’s okay but you need to do this, too.” They’re never satisfied. We don’t want to build this program then have them tell us, “We’re not satisfied.” We’d rather build this program, make it as good as we can, make it an integral part of each participant’s good compliance program, and let it stand on its own merits. It’s a constant issue.
[Larry Boyd]: I’m personally involved with the Chamber of Commerce on their efforts to amend the FCPA. They had invited me to go back to D.C. to meet with [inaudible] and Robert [inaudible] the early part of last month. They were having a meeting with them to talk about the guidance the DOJ has promised they are going to come out with, in terms of how they’re interpreting and enforcing the FCPA.
The non-Chamber participants got disinvited at the last minute because they didn’t want us. [Inaudible] and [inaudible] didn’t want us there.
ACC is going to be meeting with Justice on May 24th and I’m hoping that I’ll be on that delegation and I’ll be there to talk about this effort. Not to ask their approval, but to use it as an example that this is what responsible companies are trying to do. This is what even companies as big as Microsoft are trying to do, because what you want us to do in terms of resources and expenses is so tough that this is the only way we see we can do it. We’ll see where it gets us.
I’ve had the no time, so I know Larry wants to talk. You get the two Larry’s here at the end of the day. Thank you very much. I appreciate your attention. Good day.
[End of Transcription]
The contents of this session transcript remain the sole property of Argyle Executive Forum, and may not be rented, sold, reproduced or distributed to any outside party. Any unauthorized use represents theft of property for which Argyle Executive Forum will pursue any and all appropriate legal remedies.