Originally published in the October 2014 Journal of Commerce on-line

When have you done enough? Based on a recent exchange in a LinkedIn discussion group, there is real disagreement. Despite that lack of concurrence, two court cases decided in the last few months again drive home the point that proper internal controls are a must. The first is United States v. Trek Leather,  2011-1527, Court of Appeals for the Federal Circuit, 2014 U.S. App. LEXIS 17746, September 16, 2014 Decided. The second is the United States v. C.H. Robinson Co., 2013-1168, Court of Appeals for the Federal Circuit, 760 F.3d 137, 2014 U.S. App. LEXIS 14260, 36 Int’l Trade Rep. (BNA) 469, July 27, 2014 Decided.

In Trek Leather, the appellate court found the President of the company liable for gross negligence in circumstances where he knew the value being declared at time of entry was too low, submitted the documents himself or through third parties to the customs broker, and never corrected the entries.  There doesn’t seem much in doubt about the intentions of the individual involved.  The same cannot be said in the second case. In that case, Robinson was acting as a common carrier to move goods in-bond from Los Angeles to Laredo for export to Mexico. Ultimately, on appeal. Robinson was found liable for the duties and taxes ($106,.407.86) on the goods when it could not establish where they had been delivered. According to the court, the only evidence Robinson could produce as to disposition of the shipments was pedimentos which turned out to be phony. In short, Robinson does not appear to have implemented any internal controls to make sure the shipment was adequately documented as having been delivered as directed.

In the LinkedIn discussion about Trek, one compliance officer made the point of saying, he thought he had done enough to protect himself because he made sure to put in writing whatever he thought needed improvement. Is that really enough? The conundrum every compliance person faces, and, in fact, every employee is when you think something is not being properly done, just what do you do?

Some hold to the proposing never put it in writing! Others think only major points of disagreement should be in writing. Frankly, this is a no win situation. If you put nothing in writing and the inevitable goes wrong, senior management will undoubtedly look at the compliance person as the one responsible and he or she loses his job, and possibly his/her reputation. However, if you put everything in writing, it perhaps protects you from being fired, but that is not assured. At the same time, putting it in writing presents a big hurdle, too. What do you put in writing? To whom do you send it? If the issue is material to the compliance of the company, is there a point at which having put it in writing and not had the material issue you are raising dealt with, should you leave? If so, when?

When Sarbanes-Oxley was first enacted, the Securities and Exchange Commission (SEC) implemented rules that basically required lawyers to make a what was euphemistically referred to as a noisy withdrawal where the lawyer fired the client. In other words, the lawyer was to signal to the SEC the reason for the lawyer withdrawing was related to the misdeeds of the client, the SEC filer.  Do you want to implement something similar if you think the company is going down the wrong path?

Let’s take a couple of examples and see how they play out. Let’s assume the product is being exported and, depending on its configuration or level of sophistication, in some cases it is subject to an export license and in others it is not. You are the Compliance Officer (import and export) for the company and report to the Controller. You find out all the shipments are being exported without benefit of an export license, regardless of their configuration. You take this finding (and you have the documentation to back it up) to the Controller who tells you she will handle it. You check the next few shipments and find the practice continues. What do you do? Do you sit tight, monitor a few more shipments, and when nothing changes, you send the Controller a strongly worded email reminder, and then what? You are the Compliance Officer. The company is publicly traded. You are also the person with ultimate responsibility for export licensing.  What is your next move?

You can go back to the Controller, but suppose the Controller has instructed the export staff to engage in this practice (but won’t discuss it with you)? Do you now go over the Controller’s head? If you do, you are either out of a job or working for someone who will undermine you at every turn.  If the company is large enough, there are other avenues to pursue, including Legal and Human Resources. Eventually, you have to hope you can find the right person to carry forward your concerns to the CEO, unless you are daring enough to do it yourself and have the needed access! What if the CEO does nothing? Does your view of options change if the Controller is the daughter-in-law of the CEO?

On the other hand, if the company is smaller and you are faced with the same dilemma, you may have no place to go. Do you stay? Go? You can bet when the Bureau of Industry and Security comes knocking, the first place the agents visit is your office. Do you turn over your emails and point a finger at someone else? If you do, you just hung a lasso around the company’s neck. It will surely appear to the enforcement folks the company was doing this on purpose. Your own actions will be questioned. Did you do enough? Were you complicit?  Where do you suppose events go from here? Who do you think ends up on the short end of the stick?

While these scenarios sound familiar, what they and the Robinson and Trek cases do is remind everyone yet again, the best defense in any enforcement action is having proper internal controls, which are correctly documents and truly followed. Good internal controls are generally defined as those which the company established based on actual, not wishful, procedures. They are properly documented, there is buy-in by management and staff, and those internal controls are regularly reviewed and updated as warranted. Can you still have rogue employees with their own agendas? Of course, but companies that invest in serious internal controls implement them because they see the value of being compliant. Isn’t that where you would prefer to work? If you don’t work in such a place, what is your exit strategy?