What happens when VimpelCom, the world’s sixth-largest telecommunications company, collides with the daughter of the Uzbekistan president and the U.S. Department of Justice (DOJ)? The answer is $795 million in Foreign Corrupt Practices Act (FCPA) and global anti-bribery, anti-corruption-related fines and penalties.
The U.S. and Dutch, Swedish, Latvian and Swiss authorities have been looking into VimpelCom for several years, probing allegations connected to Uzbekistan and Gulnara Karimova, the daughter of the Uzbek president. It surrounds an alleged conspiracy by VimpelCom and its Uzbek subsidiary, Unitel LLC, to make more than $114 million in bribery payments over six years to a government official in order to enter and continue operating in the Uzbek telecommunications market.
As alleged, those payments, falsely recorded in the company’s books and records, were structured and laundered around the world through bank accounts and assets. This includes a shell company whose beneficial owner was a foreign official. In addition, Unitel provided sponsorships or charitable contributions in Uzbekistan without properly vetting them.
So what are some of the lessons we can learn from the VimpelCom experience?
Most importantly, an organization needs appropriate visibility into its customers, suppliers and other third-party business relationships. Without the means to obtain, track and audit data used to make compliance decisions, companies may fail to comply with global anti-corruption regulations – which puts them at risk for financial, legal and reputational harm.
What is remarkable in the VimpelCom case is that some key decision-makers in VimpelCom or Unitel may have never seen it coming. The fact that Uzbekistan is already very high on the Transparency International Corruption Perceptions Index (currently scoring 153th out of 168 countries) should have set alarm bells ringing in the company’s risk assessment. Moreover, at these levels of transactions, it is astonishing that more effort throughout the organization was not spent on vetting beneficial owners of business partners and the transfer of funds. Regulatory guidance prescribes robust, risk-based vetting of third-party business partners.
Unitel pleaded guilty in the U.S. to conspiracy to violate the anti-bribery provisions of the FCPA. VimpelCom entered into a deferred prosecution agreement, the company being charged with conspiracy to violate the anti-bribery and books and records provisions of the FCPA and violating the internal controls provisions of the FCPA. This case demonstrates the harm done when there are inadequate internal controls, policies and procedures in place to combat corruption.
The second lesson we learn is the fast-growing trend towards multi-agency, trans-national investigations. The investigation into VimpelCom is a multijurisdictional process, with teams from the U.S. Department of Justice, the Securities & Exchange Commission, Internal Revenue Service and the Department of Homeland Security collaborating with law enforcement colleagues within the Netherlands Openbaar Ministrie, the Swedish Prosecution Authority, plus officials in Switzerland, Latvia, Belgium, France, Ireland, Luxembourg and the United Kingdom. This degree of collaboration is making it harder for criminals to conceal bribery and corruption and exposes companies to multi-jurisdictional fines and penalties.
A third lesson is this: Does the VimpelCom scenario suggest that regulators and prosecutors are putting specific industries like telecommunications in their investigative cross-hairs? Not necessarily, but the VimpelCom case simply alerts the regulators to patterns of corruption that they may subsequently follow up on – whatever the industry. Telcos are a higher-risk category because they are frequently state-owned, making the employees government officials. Moreover, telcos are often onboarding new businesses in emerging markets which represent a greater risk of corruption – like Uzbekistan. The lesson here is to have a scalable, risk-based approach when vetting business partners in these markets that will meet the guidelines of regulators.
Solution: Unified corporate compliance program
So how can organizations gain the visibility they need to strengthen fraud protection, assist with regulatory compliance, manage supply and distribution risk and protect their brands?
The answer lies in a robust, risk-based corporate compliance program that takes into account constantly changing regulatory frameworks, reporting requirements and risks posed in different countries. If VimpelCom and its subsidiary had adopted a watertight due-diligence and corporate compliance management strategy, it would have been better protected from corruption. Ultimately, it could have avoided the $795 million fiscal penalties and saved its brand reputation.
Take onboarding, for example. An appropriate compliance process would have helped VimpelCom uncover that the entity it was transacting business with was a Gibraltar-registered company and the business was conducted without the right level of entity verification, due diligence and governance. Obtaining data on business partners gives you visibility into linkage and beneficial ownership of your partner. It also gives you information on PEPs and State Owned/Controlled Entity status. At the same time, it empowers you to make informed business decisions with your partners and internally with your business units, compliance managers as well as a board of directors and outside counsel.
A global beneficial ownership database would have helped visualise share ownership for both corporate entities and for individuals. And screening of the enterprise and individuals against sanctions, PEP lists and adverse media could potentially have alerted senior executives to the connection between Gulnara Karimova, government officials and Unitel LLC.
Simultaneously, having the right governance and internal controls in place helps companies in a similar scenario to VimpelCom benefit from complete visibility into transactions with third parties. Chief compliance officers can report with confidence to the board and outside counsel that this business is what is says it is, is located where it says it is, and is engaged in the type of business it says it does. The result? Reliable, trusted decisions about where to invest.
Like so many companies before it, VimpelCom lacked that holistic visibility into compliance—the consequence being it became subject to the sixth largest FCPA enforcement action in history as well as one of the largest cases ever brought under the Kleptocracy Asset Recovery Initiative. A unified, automated governance, risk and compliance strategy would have helped the business identify the corrupt practices in its Uzbek subsidiary earlier, remain compliant and prevent the subsequent legal, fiscal and reputational damage.
It would have been $795 million better off too.