FRA

Forensic Risk Alliance

News

Convention Judiciaire d’Intérêt Public (CJIP) – A Forensic Approach to Fine Calculation

Download the full article here

Téléchargez l’article en français

How are fines calculated under the French Convention Judiciaire d’Intérêt Public (CJIP), particularly in multi-jurisdictional corruption and bribery investigations?

The procedures and penalties behind the French Convention Judiciaire d’Intérêt Public (CJIP) are generating significant interest among companies and the public. In this article, FRA’s Yousr Khalil, partner and head of the Paris office, and senior associate Justin Michel answer two common questions regarding the calculation of penalties:

  1. How is the amount of a fine determined?
  2. Why it is not possible or advisable to predetermine the amount of a fine in multijurisdictional matters?

At the heart of Sapin II – the French anticorruption law introduced in December 2016 – is a procedure called the Convention Judiciaire d’Intérêt Public (CJIP). Similar to a Deferred Prosecution Agreement in the US or UK, it was created to allow the prosecution of corporate crime. An agreement between a company and its prosecutors is made, whereby a CIJP carries an admission of facts, but not guilt. Fines are calculated and, if appropriate, reduced. This procedure allows companies and their advisers to benefit from an agreement with the French prosecutors, le Parquet National Financier (PNF).

1. How to calculate the fine

Three factors are essential:

  • Legal Liability: Identifying the tainted contracts or projects, as only these form the basis of the calculation
  • A unified and principled approach: In an international regulatory litigation case covering many jurisdictions, it is necessary to establish a common and principled methodology agreed by the various authorities
  • The right team to perform the calculation: Collaboration between the forensic accountants and the company’s internal accounting teams is essential to properly reflect the company’s operations in the gain calculation model and related cost elements

2. Why is it not possible nor advisable to pre-determine a fine

  • Risk of subsequent law suits from other competent jurisdictions, shareholders and competitors
  • Risk of undermining cooperation between authorities in reaching one consistent method of calculation
  • Risk of a company ceasing its efforts to conclude a CJIP if the predetermined fine is considered unfavorable (i.e. too high)
  • Based on FRA’s experience with various authorities around the world, fines have never been predetermined as the company’s legal liability must first be established as the basis for a fine calculation

Want to learn more about our expertise?

Contact Us

FRA Sponsors City & Financial Global’s FCA Investigations and Enforcement Summit, 12 February 2020

How to bullet proof the data gathering and review process in a forensic investigation

FRA Partner, Anant Modi, will be speaking at the FCA Investigations and Enforcement Summit on “Developments in forensic investigations – bullet proofing the data gathering and review process”. Drawing on his 25 years of experience in fraud and regulatory investigations, Anant will discuss different categories of data and how to approach them, potential pitfalls in dealing with evidence, and technological advances in the analysis and review of data.

About the Summit

The Financial Conduct Authority (FCA) has made it clear that increasingly severe penalties and sanctions are not enough to prevent and reduce serious misconduct, and it must increase the likelihood of detection. As a consequence, firms may find themselves subject to an investigation for any suspicion of wrongdoing, even if the outcome clears them of any breach.

The FCA is keen to avoid a “culture of fear,” but the introduction and extension of the Senior Managers and Certification Regime (“SMCR”) imposes personal accountability and liability on a much wider group with significant personal implications for those involved. As a result, much needed guidance and clarity is needed on how you can reduce the likelihood of facing regulatory action and mitigate the impact of it on your organisation and senior managers.
Mark Steward, Director of Enforcement and Market Oversight at the FCA, will address the tools available to you when faced with enforcement action, including the latest focus resolution procedures, allowing you to challenge the severity of the penalty while admitting liability.

Register now to attend this event

City & Financial Global

Forensic Risk Alliance leads global forensic investigation, supporting the Airbus €3.6bn global settlement

Téléchargez le communiqué de presse en français

Airbus has announced its agreement to pay penalties of €3.6 billion, in what is reported to be the world’s first simultaneous settlement with four national authorities: the French Parquet National Financier (PNF), UK Serious Fraud Office (SFO), US Department of Justice (DoJ) and US Department of State (DOS).

The global settlement marks the largest foreign corruption settlement of all time and is part of a Convention Judiciaire d’Intérêt Public (CJIP), Deferred Prosecution Agreement (DPA), and Consent Order allowing Airbus to avoid potential criminal prosecution. The final settlements reached were: PNF €2,083 million, SFO €984 million, DOJ €526 million and DOS €9 million, of which €4.5 million may be used for approved remediation and compliance measures.

FRA has been providing forensic accounting, data governance technology solutions and compliance support to Airbus in an extremely complex multinational investigation that covered more than a dozen jurisdictions. The investigation faced extraordinary hurdles, including the production and examination of tens of millions of documents in multiple languages, and navigating the General Data Protection Regulation as well as the French, German and Spanish blocking statutes and national security laws.

Airbus General Counsel John Harrison said,

FRA’s exceptional team, constant professionalism, and market leading technical expertise proved invaluable in helping us navigate the many challenges we overcame to reach this complex settlement. Their vast experience in previous settlements with the same authorities provided unique insight into the complexities of a multi-jurisdictional investigation and ultimately the global resolution. When it mattered most, we had the best possible forensic advisers.

FRA’s data governance and disclosure strategy utilised artificial intelligence and mobile air-gapped data centers. The team worked closely with Airbus’ legal counsel, comprising several law firms, to design the unified review model which assisted and enhanced the legal review. This strategy was central in providing efficient, accurate and timely disclosure to multiple enforcement agencies. The company’s “exemplary” cooperation and remediation efforts were particularly noted across the various settlement agreements resulting in significant reduction of the penalties, including a 50% reduction of the PNF settlement.

FRA’s fine calculation methodology served as the basis for the global settlement across the four authorities. The robustness and accuracy of this methodology was explicitly noted in the UK judgement.

“FRA’s involvement spans nearly four years providing expertise in forensic investigation, data governance, compliance risk assessment and fine calculation.” Toby Duthie, Founding Partner comments. “It’s been a huge collaborative effort, and a privilege to work with Airbus and its elite team of professionals.”

“Managing day-to-day a fully integrated client service team of 70 professionals across many FRA offices in Europe and the United States was a fantastic challenge and working for Airbus was a real honour.” says Yousr Khalil, FRA Paris Partner leading the forensic investigation.

The FRA Partners assisting Airbus were Toby Duthie, Greg Mason, Yousr Khalil, Rik Workman, Charlie Patrick, Simon Taylor, Rob Mason and Trevor Wiles based across the London and Paris offices. Airbus relied on an expert group of white collar and export control practitioners comprising of Dechert (UK); Clifford Chance (France), August Debouzy (France); as well as Paul Hastings and Arnold & Porter (U.S.).

Read the full press release from Airbus

For media enquiries please contact:

Sonal Hirani
SHirani@forensicrisk.com
+44 7850 916094

Responding to Cyber Attacks and Incidents of Data Misuse

How to form a holistic corporate strategy bringing together legal, forensic, cybersecurity and communications perspectives.

In today’s context of public concern over data privacy and proliferating data protection laws, organisations face multifaceted challenges when responding to a cyber incident, whether the incident is data exfiltration or the misuse of data entrusted to companies. Threats could be external or internal, malicious or negligent. The consequences can range from technical to reputational and even criminal (both for the company and its senior managers). To add pressure to this complexity, authorities may expect potential incidents to be reported quickly – namely, the EU GDPR’s 72-hour data breach reporting requirement. Failure to do so could lead to regulatory fines that can apply to any sector and reach amounts that dwarf serious financial crime penalties. What can companies do today to give themselves the best chance of maintaining authority and credibility when – not if – an incident arises?

FRA Partner Simon Taylor joined a panel of legal, cybersecurity and communication experts in London on 23 January, to share his insights with an audience of in-house legal and compliance professionals on the critical elements to piece together when companies respond to cyber incidents.

Assess your In-house Capability

Any organisation with a computer must accept some level of data governance risk, but it is unlikely that all companies have comprehensive in-house crisis management resources standing by in the event that this risk manifests. The threats are multi-faceted: increasingly sophisticated attacks, demanding regulations, intensifying media attention and evolving best practice in risk management. When a crisis hits, you need to assemble a multi-disciplinary response team that extends beyond IT alone, potentially including human resources, finance, internal audit and compliance teams. Given the varying scope of data privacy laws in different jurisdictions, it will likely take a combined effort to respond in a compelling way to the data protection authorities.

Together with the appointment of an internal team, management must carefully consider if the company has the degree of expertise or bandwidth to respond effectively to all aspects of the crisis, particularly if it spans multiple jurisdictions. External counsel may be needed to assess the reporting obligation or highlight potential follow-on litigation, such as class actions. Independent forensic investigation experts can help establish the fact pattern, essential for urgent and well-informed decision-making, while ensuring any internal investigation is performed in a forensically robust manner to withstand regulators’ expectations. Furthermore, Stroz Friedberg VP Heidi Wachs noted that even companies with sophisticated internal IT operations teams might need external cybersecurity specialists to trace the root of an incident and chart an effective plan of action to ensure commercial operations are up and running as quickly as possible.

Cooperate and communicate to mitigate the damage

Whether to clients, the public or the regulator, failure to communicate swiftly can have significant reputational and financial repercussions. In many spheres of alleged corporate wrong-doing companies have the luxury of conducting their internal investigations confidentially – GDPR has changed the game. In the age of GDPR and intense media scrutiny, a company no longer has the option nor the time to investigate in private. Depending on the nature of the compromised data, the GDPR requires that companies report incidents to the respective competent authority and potentially to data subjects as well.

Reducing FinesFRA_JennerandBlock1

It is very early days in the development of a GDPR fine regime to understand and predict an enforcement authority’s approach to the calculation of a financial penalty. The few notices of intention to fine or fines that have been publicised reveal some inconsistency from one jurisdiction to another. The UK ICO’s proposed “mega fines” of 2019 suggest they may be taking a ‘top down’ approach, considering the maximum ceiling of 4% global annual turnover as an initial figure, and working downwards balancing mitigating factors and the need for a deterrent. For example, Jenner & Block’s Kelly Hagedorn and FRA’s Simon Taylor agreed that the UK ICO seemed to be taking any failure to adhere to the 72-hour reporting requirement as a serious aggravating factor in determining penalties in GDPR data breach cases. In other EU jurisdictions where 2019 fines were smaller, regulators may have taken a ‘bottom up’ approach, building up the quantum of the fine based on case-specific factors.

In FRA’s experience with regulatory fines in other areas, a number of discounts and reductions can be negotiated if the company is cooperative and demonstrates that proper technical controls and compliance programmes were in place. As Simon Taylor highlighted, the authorities would be aware of the need to defend their imposed fine robustly should the penalised parties ever challenge it in court, so there is incentive on both sides to negotiate.

Establishing a credible public voice

Instances of corporate data breach and misuse are firmly in the media’s crosshairs. As seen in the recent Travelex ransomware attack, even if a company believes it has fair reason not to report an incident, keeping the matter quiet does not avoid a public furore if journalists interpret a company’s silence as negligent or even dishonest. Portland Communications’ Steve Morris advised companies to establish their own platforms and channels for communicating with the media and public when in crisis mode. Be in charge of the story by being the authoritative source of facts, rather than reacting. The public is much more likely to be forgiving if companies are seen to be transparent and responsible.

Involve the board

If the potential extent of regulatory fines, reputational harm and technical damage to business operations were not enough to draw board members’ attention to cyber incident response planning, the emerging regulatory trend of accountability at the board level should do it. A key milestone is the US Federal Trade Commission’s settlement order (2019), which requires Facebook to “restructure its approach to privacy from the corporate board-level down” and implement mechanisms to ensure executives are accountable for decisions about privacy. There are signs that this mandatory reporting to the board is gradually gaining traction in other jurisdictions.

Build the narrative, starting now

For a company to speak credibly and authoritatively in times of crisis, the fact pattern must be established. At the point an incident is triggered, a high calibre and forensically sound investigation is needed, as has been the case for many years in financial crime compliance. The challenge in cyber attacks and incidents of data misuse is that the timeline for investigation is heavily compressed by GDPR requirements and the need to make public disclosures.

Establishing appropriate ‘technical and organisational measures’ is the best, and only, defence given the inevitability of a cyber breach or the misuse of data. This is an exercise that can begin now and needs to be constantly refreshed. Seek advice from your legal, forensic, cybersecurity and communications experts on proactive risk assessments and contingency planning that can be initiated in advance of a crisis.

The above is a summary of “Responding to Cyber Incidents”, which took place on 23 January 2020 at The Ivy Club, London.

Event Speakers:

Simon Taylor, Partner, FRA
Kelly Hagedorn, Partner, Jenner & Block
Steve Morris, Managing Partner, Portland Communications
Heidi Wachs, Vice President, Stroz Friedberg

Event Moderator:

Paul Feldberg, Partner, Jenner & Block

Responding to cyber attacks

FRA Promotes Tamara Vitagliano to Global Director of Technology Solutions and Forensics

Forensic Risk Alliance (FRA) announced today that Tamara Vitagliano has been promoted to Global Director of Technology Solutions and Forensics, effective immediately.

In her new role, Vitagliano will oversee FRA’s global data processing, digital forensics, and Mobile Discovery Solutions offerings. FRA has six secure global datacenters and more mobile discovery processing solutions deployed globally in the context of fraud investigations, internal investigations, litigation, and other contentious matters than any other firm. Vitagliano will ensure the highest levels of data security, in compliance with global regulations, and will partner closely with FRA’s Data Governance Advisory Services team to offer clients integrated, customized consulting and technology solutions under one roof.

“Tamara Vitagliano is among the most highly qualified and technical women in compliance today,” said Frances McLeod, FRA Co-Founding Partner and Co-Head of its Data Governance Practice. “She not only has expert knowledge of industry leading software, but also has the hands-on experience and business acumen needed to leverage the right tools in their best application to address clients’ unique data governance challenges.”

Vitagliano brings more than 15 years’ experience helping clients around the world leverage innovative technology solutions to manage their most complex data governance and eDiscovery needs. A Relativity Processing Specialist, Relativity Certified User, Certified Public Accountant (CPA), Certified Fraud Examiner (CFE), Certified Anti-Money Laundering Specialist (CAMS) and Certified in Financial Forensics (CFF), Vitagliano is one of the most credentialed and experienced practitioners in the industry. She is particularly expert in complex data collection, processing, review, analysis, and production, and has extensive experience managing and supervising investigations into insider trading, compliance violations and investment fraud, advising counsel on litigation matters, managing eDiscovery and computer forensics projects, and conducting anti-money laundering compliance risk reviews for Latin American clients.

Vitagliano joined FRA in 2015 as an Associate Director in its Forensic Accounting practice, and is based in its Washington, DC office. She earned an Executive MBA from Boston University’s Questrom School of Management, and a BS in Accounting with minors in Computer Information Systems and Spanish from the State University of New York College of Geneseo.