VimpelCom FCPA case demonstrates significant internal controls failures
Many practitioners focus on prongs one and three—prevention and remediation. However, the detect prong is equally important and is often underutilized. This was most apparent when the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) recently announced a top-10 Foreign Corrupt Practices Act (FCPA) settlement with the Netherlands-based telecommunications company VimpelCom Ltd.
The settlement concerned the company's nearly 10 bribery schemes to obtain and retain business in Uzbekistan. Various schemes were used to fund bribes to Gulnara Karimova, the eldest daughter of Uzbek President Islam Karimov, in exchange for access to the country's telecoms market.
A press release from the DOJ says that,
VimpelCom entered into a deferred prosecution agreement in connection with a criminal information charging the company with conspiracy to violate the anti-bribery and books and records provisions of the FCPA, and a separate count of violating the internal controls provisions of the FCPA. Pursuant to its agreement with the department, VimpelCom agreed to pay a total criminal penalty of $230,163,199.20 to the United States, including $40 million in criminal forfeiture. VimpelCom also agreed to implement rigorous internal controls, retain a compliance monitor for a term of three years and cooperate fully with the department’s ongoing investigation, including its investigation of individuals.
The failure of internal controls to detect any bribery was clear in the multiple schemes used to fund the bribes. These included a fraudulent stock purchase scheme, a scheme involving multimillion-dollar payments through front companies to shell companies controlled by Ms. Karimova, fraudulent payments through corrupt third parties, and other schemes.
VimpelCom’s internal control failures were numerous and, at the end of the day, very costly. The failures up and down the VimpelCom and Unitel chain are simply mind-boggling. Basic internal controls were lacking or were completely overridden in selecting and using the resellers for services the company did not need or want.
Further, the company did not have any system for conducting, recording, or verifying due diligence on third parties. The company did not require that consulting agreements or other contracts with third parties be for actual services, nor did it have any way to verify that services were performed. There was a lack of appropriate controls around payments to single-sourced vendors and a failure to audit third parties.
All companies need to closely examine their internal controls surrounding bribery for weaknesses and failures. A misstep here, as seen with too many, can be costly. To learn more about how to prevent and detect bribery, as well as red flags you can watch for, watch Tom Fox's on-demand webinar recording.