United States: The New Government Procurement Contractor Disclosure Rule: Opening Pandora’s Box For The Inspector General

As you may recall from your high school study of Greek mythology, it was an angry Zeus who ordered the creation of the woman Pandora as part of a punishment for mankind. She was given a large jar (later mistranslated as a box) and instructions from Zeus to keep it closed. But, too curious, she opened it and all the evils, ills, and diseases that mankind had not previously known escaped. It is said, however, that at the very bottom of the box, there lay hope (history has overlooked this aspect of the box's contents).

"Opening Pandora's Box" has become synonymous with exploring and disclosing subjects best avoided. The federal government procurement regulators have recently burdened the government contracting community with the requirement to open Pandora's box in search of violations of the procurement laws. Even the feds are candid enough to call the new Federal Acquisition Regulation (FAR) disclosure rule unveiled last December a "sea change." The rules are much more than that, however, and unlike Pandora's Box there does not seem to be much "hope" at the bottom of this box, only the hope that the contractors can navigate the minefield of vague rules and traps set out by the new rule. What's worse, these new requirements for detailed and prompt confession of evidence of wrongdoing come at the very time the government is vastly stepping up its contracting activity and dollars in response to the economic crisis, and expanding the powers of inspector generals to ferret out the anticipated cornucopia of fraud that eventually oozes forth in the wake of these beneficent and well-funded government programs.

The disclosure rule stems from a May 2007 Department of Justice (DOJ) proposal expressing frustration that Defense Department Contractors "had not kept pace with reforms in self-governance in industries such as banking, securities and healthcare." ¹In other words, as DOJ saw it, the defense contract community had not been rushing in, like some other industries, to voluntarily confess its transgressions. In the new federal enforcement world of "voluntary disclosure" and "non-prosecution agreements" which basically out source the obligation of finding fraud and abuse to the participants themselves, this reticence was unacceptable, and deserving of new regulations putting the shoe on the miscreants' feet. This posture found a sympathetic Congress enraged by repeated examples of contractor fraud, including the debacles in Iraq. Thus, the new hard-line rule was a no brainer from the government's standpoint.

A. THE GENERAL SUSPENSION AND DISCLOSURE REQUIREMENT

Proposed Rules were issued by the FAR Councils² throughout 2008, comments taken, and a final rule was issued with an effective date of December 12, 2008. The Rule itself is clear and straightforward, with two principal components. The new FAR provides that any government contractor, large or small, regardless of the size of the contract (and including commercial-item contractors and small businesses) may be suspended or debarred for:

The look back provisions mean that violations occurring before December 12, 2008 are covered if they occurred on contracts that were either open or that had final payments after December 12, 2005. This provision particularly upset the contracting community, as reflected in their comments, but the Councils held their ground and it stayed in the Final Rule. This language is a potential minefield, as we discuss below. Likewise treacherous are the broad definitions of who is a "principal" and what the terms "knowingly" and "timely" and "credible evidence" may mean. There is ample room here for the government Inspector Generals to roam widely and strike from many angles, as we also discuss below. Disclosure must be made "to the Government" but the actual official is not specified, thus leaving some commentators to suggest strategic disclosure only to contracting officers, not Inspector Generals (IG's) (unless the contract clause requirements, see below, come into play, which do require written disclosure to the appropriate IG as well). IG's throughout the government have eagerly posted forms for disclosures.

B. THE CONTRACT CLAUSE DISCLOSURE REQUIREMENT

The final rule also implements a broad new contract clause—FAR 52.203-13. This clause also requires federal contractors to disclose credible evidence of violations of certain Federal criminal laws and of the False Claims Act. Contractors are also required to have in place a written code of business ethics and conduct, and, most significantly, to have in place a legitimate ethics and compliance and internal control system to detect fraud (small business concerns and commercial item contracts are excluded). 48 C.F.R. Sec. 52.203-13. "Covered" contracts include any contract issued on or after December 12, 2008 that has a value of $5 million or greater, and a performance period of greater than 120 days.

Contractors subject to the contract clause must disclose violations committed by agents and subcontractors, and potential violations by teaming partners, joint venture partners and in general on "any individual...authorized to act on behalf of the organization" as well as subcontractors. This covers a very wide field. The substance of the new "contract clause" must be inserted in any "covered subcontract" issued under the prime contract. This would be again a subcontract having a value greater than $5M and a performance period greater than 120 days. Likewise, subs are required to include it in any lower-tier subcontracts. The contractors' compliance programs and internal control systems must be in place within 90 days of receiving a covered contract. The specifics for the required internal control system, imported in part from the Federal Sentencing Guidelines, represent a major federal step into private corporate governance, as we discuss below.

C. THE IMMEDIATE ISSUE TRIGGERED BY THE LOOK BACK PROVISIONS

It is most likely that in the weeks and months ahead, IG's will grow increasingly eager to find opportunities to robustly enforce the disclosure provisions and contract clause requirements. Like an unpopular party host who expects a big turnout but gets few takers, they will probably be unhappy at the low volume of disclosures that are dialed in by the vast federal contracting community. The sheer magnitude of federal contracts pouring out under the new administration has generated predictions of billions in fraud, and the IG's are waiting for the low-hanging fruit to be disclosed. For sure, any investigations they undertake from now on will not only look at the underlying facts, but will also explore the issue of when did the "principals" at the contractor have "credible evidence" (as the rule describes it) of the wrongdoing, and what did they do about it. The IG's, like all prosecutors, will be anxious to find the so-called "cover-up" cases. Traditionally, such cases are often easier to make than to prove the underlying fraud or false claims cases.⁴

Particularly hazardous for contractors are situations involving possible wrongdoing on old contracts still covered under the new rule. This is so because the clock started ticking on December 12, 2008, the day the final rule took effect, on the IG's determination if disclosure was "timely" for "credible evidence" of wrongdoing on these older contracts.

Thus, government contractors have a stark choice that must be made ASAP: either undertake an immediate review of older or closed but still covered contracts, company-wide, to see if any generated issues may now require disclosure under the new rules; or, alternatively, do nothing, let sleeping dogs lie, and "hope" (like Pandora perhaps did) that the "box" will never be opened. This is risky business, for any IG worth his/her salt will be itching to find evidence that knowledge of apparent wrongdoing was knowingly buried. In recent congressional testimony, the IG for the Department of Defense indicated that, as of mid-April 2009, 14 matters had been disclosed under the new rule. Presumably, these relate to older contracts. Thus, some brave contractors are out in their back yards digging up the bodies, and opening up the box. Everyone else will be held to the same standard. Every whistleblower, or other employee witness, who says they told superiors about the subject wrongdoing months or years ago, will become a potential smoking gun, assuming their evidence was "credible" and was related to or ultimately known by anyone in the company who the IG considers a "principal" under the very flexible definition in the rule. Likewise, disclosure now of matters of potential wrongdoing previously known but undisclosed which would appear to render information disclosed in prior SEC filings incorrect would present a world of issues all its own, apart from the suspension and debarment concerns.

Thus, this "look back" requirement puts the burden on contractors to go through old files, review whistleblower reports again, and inform every potential "principal" throughout the company to do the same, all in search of things no one really wants to find, or knew about and quietly swept under the rug long ago. Moreover, just because the general counsel or compliance officer has no present knowledge of such old matters, the broad definition of a "principal" in the rule means that dozens (or in a large company perhaps hundreds of folks, scattered about everywhere the company does business), are expected to looking into their closets.⁵ The only upside is that the rule requires a "knowing failure" to disclose for penalties to ensue; thus, it does not reach matters that contractors "should have" known about, but rather those for which they know they have "credible evidence" of wrongdoing as defined in the rule. Likewise, the term "credible evidence" was developed for the final rule after complaints about the earlier proposed language "reasonable grounds to believe." This higher standard at least gives the contractor the opportunity to conduct an investigation before deciding whether to disclose—but it does require a real investigation, not just a few phone calls to people who may have information but also a vested interest in the outcome. If that investigation reveals information which can be believed, even if not as yet proven true or false, there is probably enough to require disclosure.

Likewise, the mere fact of a whistleblower complaint (e.g. an ethics hot line call with facially plausible allegations) or qui tam claim does not trigger disclosure, but given the enhanced protection whistleblowers are receiving in the new climate it would be a mistake to summarily dismiss a whistleblower complaint without a thorough, documented investigation, followed by a serious review regarding potential disclosure requirements. Do not forget that as beauty is in the eye of the beholder, what the CEO, in house counsel or outside counsel may believe is less than "credible evidence" may vary dramatically from what an instinctively suspicious IG will later view as "credible."⁶

Perhaps the worst case scenario is for a contractor to make a half-hearted effort to review the matter, decide (perhaps without doing a rigorous analysis using the definitions and commentary provided with the final rule) that the sleeping dogs can be left alone, and then have the matter blow up in their face during a subsequent IG investigation. In this day and age of email documentation, the prosecutors' best friend, it is infinitely easier for an aggressive IG's staff to discover an incriminating trail in such matters. Once uncovered, they will have little sympathy for a company whose counsel, compliance officer, CFO or CEO can be shown to have considered, then rejected, disclosure on a matter which, in their view, crosses the line into mandatory disclosure. While the government might have been lenient in the weeks and several months following enactment of the final rule, those days are waning and the failure to make disclosures regarding past knowledge and acts will receive close scrutiny now.

Contractors need to decide who will be objectively seen by the government in hindsight to be a "principal" at the company, and then make sure each person on that list fully understands what the disclosure requirements mean, not just going forward but for prior matters many of them may have thought were safely tucked away. The scope of potential disclosure is rather breathtaking. The weighty 29 page Supplementary Information appearing on Nov. 12, 2008 in the Federal Register at 73 Fed. Reg. 67064 contains a trove of explanations constituting a form of "legislative history" of the final rule, and should be read carefully.

D. GOVERNMENT CONTRACTORS NEED A CRASH COURSE IN FEDERAL CRIMINAL LAW AND THE CIVIL FALSE CLAIMS ACT

In the disclosure rule, the government has placed a heavy legal burden on its contractors. By dumping on them the responsibility of deciding whether they have "credible evidence" of any violation of Title 18 involving fraud, bribery, conflict of interest or gratuity, or any violation of the civil false claims act, each contractor (few if any of whom have lawyers on staff with a background in criminal law) is expected to determine the meaning of federal law in a wide swath of situations, some of which continue to confound the federal courts themselves.

The word "fraud" appears more than 100 times in Title 18, and the conflict-of-interest laws can be inscrutable as well. The civil false claims act is far more complex than it reads, and is now undergoing expansion due to pending and just passed legislation.

In addition, the government is pressing new theories of liability under the FCA. The new National Procurement Fraud Task Force reported in December 2008 that it had recovered more than $362 million in settlements in the two years since its formation.

As one example of the long reach of the False Claims Act, consider the GSA's Multiple Award Schedules program (MAS). MAS handles over $35 billion per year in government purchases, some 60% of which now consist of services (i.e. not ball point pens). The program requires vendors to give the government the same price it gives its best customers, and to update the government on price changes. Each vendor must certify that the price offered to the government is equal to or better than the price it gives other customers. Last month, GSA contractor NetApp agreed to pay the U.S. $128 million to settle charges (the largest GSA procurement fraud settlement yet). NetApp was charged with failing to give the government "current, accurate and complete information about its commercial sales practices, including discounts offered to other customers, and that NetApp knowingly made false statements to GSA about their sales practices and discounts." The case started with a former NetApp employee-whistleblower, who will receive over $19 million as his share of the settlement.

A prominent plaintiff's firm has a separate web page devoted to finding whistleblowers for GSA best price Qui Tam lawsuits. Under the FCA part of the new disclosure rule, every contractor with GSA is obligated to disclose any "credible evidence" of recent past or present violations of this requirement. Does a sales manager in your Western Division (probably a covered "principal") know that he is giving some other customer a better deal on the widgets you are selling to GSA? Did he decide not to update GSA on some discounts he gave to that other customer? Maybe he decided not to tell the Head of Sales at corporate HQ, or the Chief Compliance Officer, for obvious reasons. Regardless, the GSA's IG is waiting for your company's "timely disclosure" or you face suspension or disbarment.

Then there are the series of "alliance benefit" qui tam cases brought by the DOJ, most recently against EMC Corporation, filed last March, accusing the company of submitting false claims to the United States for IT hardware and services on numerous government contracts since the late 1990's. The DOJ (and the original whistleblowers) claim EMC paid "alliance benefits" to consultants and alliance partners. Payments were made to consultant "systems integrators" who oversaw the projects. The DOJ claims these payments amounted to kickbacks and undisclosed conflict of interest relationships, although the companies denied there were "kickbacks." The case also asserts false statements to GSA about EMC's commercial pricing practices (see preceding paragraph). In 2007, IBM and PriceWaterhouseCoopers settled similar charges for $5.2 million, and other major IT contractors have been sued as well. Regardless of how this all plays out, it simply underscores the myriad of ways in which FCA cases can arise, and the scope of potential disclosure obligations which only escalate as the government finds more ways to claim violations of the act.

E. CONTRACT CLAUSE COMPLIANCE PROGRAM RULES: HERE'S HOW UNCLE SAM THINKS YOU SHOULD BE RUNNING YOUR BUSINESS

As noted above, the new contract clause requires contractors to have in place, within 90 days of receiving a covered contract, an ethics and awareness and compliance program and internal control system. 48 C.F.R. Sec. 52.203-13 (it does not apply to small business concerns or commercial item contracts, except for the need for a code of conduct, which must be in place within 30 days of contract award). The internal control systems contemplated by the contract clause must provide for timely disclosure of violations in connection with "any" government contract, not just those containing the clause. The requirements are said to be "generally consistent" (although not identical with) the standards for sentencing organizations in the U.S. Sentencing Guidelines.

Contractors must have a written code of business ethics and conduct, available to every employee working on the contract. Rejecting commentators who felt such codes are "meaningless" the FAR councils found them highly relevant to provide "a basis for evaluating the firm's responsibility, including special standards of responsibility when appropriate." This rather ethereal language is dangerously vague. It can mean just about anything the government may want it to mean when the contractor is staring down the barrel of a case and the government starts "evaluating" the contractor by reviewing, line by line, the code of conduct to see if the government thinks the contractor has measured up.

The reality is that, apart from the board, the top managers, compliance officers and HR folks, most employees treat codes of conduct somewhere down there with reading the fine print in their health insurance plans. Training programs are important, but most employees are just not cut out to be snitches, especially if they have some exposure themselves. The ethics code gets put in a folder and forgotten, unless trouble erupts later. Then the code's lofty provisions usually don't stand up against the facts of most corporate misconduct scenarios. IG's and prosecutors are trained to look for, and generally happy to find, codes that speak to high aspirations but are routinely ignored in practice, the proverbial "window dressing." Contractors now have to make sure that its code is made available to, and to some extent understood, by every employee working on the contract—even the folks holding up the stop/go signs on a road construction crew. The code should make clear what each employee is to do if they suspect or see a violation of law or company policy, and the company should periodically test to see if these requirements are followed or ignored in practice (and document such testing).

The contract clause also requires an ongoing business ethics awareness and compliance program. This should include "effective training programs." The FAR Councils were careful not to "dictate to contractors what they need to cover in business ethics training." 73 Fed. Reg. at 67,067. Nevertheless, in any subsequent IG investigation, employees will surely be asked how often they received training, what they were taught, and how effective they felt the training was. Perhaps each government contractor should randomly select a few employees at various levels and ask them about the extent and effectiveness of their compliance training. If the answers are not the kind you would want to have elicited in an interview with your IG, it's time to fix the program (or, as the case may be, start one). One hint, taken from the FAR "Supplementary Information"—give training on the areas specified as requiring disclosure, including violations of Title 18, e.g. bribery, fraud and gratuities, which were, according to the FAR councils, "more clearly defined" in the Rule. Id.

The government has also established in the contract clause what it chooses to call "minimum requirements for the Internal Control System." The FAR councils say they "prefer to spell out the elements. This lets the contractors know what is expected." Id. at 67068. In other words, make no mistake, contractors, these are the rules, and you have been warned. Some of the requirements are rather obvious, e.g. assign a high level manager to be responsible for the program and don't hire "principals" whose due diligence discloses have already done things in their careers which would be in conflict with the code (so much for rehabilitation of white collar offenders). Likewise, by this time every contractor, even the small guys, should have some kind of hot line or anonymous reporting system. But the sections of the rule regarding monitoring and auditing to detect criminal conduct, and evaluating the risk of criminal conduct, are concepts that may be foreign to some companies, especially non-public entities. The FAR Councils suggest that "standard business practices" and monitoring which adheres to GAAP principles "should be sufficient."

This explanation does not help much. GAAP is about accounting principles, not about finding fraud. Even in using GAAS (Generally Accepted Auditing Standards) to audit financial statements to give an opinion that they comply with GAAP, auditors are careful to say they are not auditing to find fraud. One thinks the government may be expecting more than any accountant would agree the GAAP requires. One thing auditors do to comply with GAAS is to conduct annual "brainstorming" sessions among the audit team to see if it can predict business areas which (or identify, privately, individuals) who might be susceptible to fraud. Such an exercise would be a good practice for the company's managers to undertake, as well as to routinely inquire of the auditors what their annual sessions identified (if you don't ask, they generally won't tell you). The internal audit function should be directly involved in the process of developing "criminal audit" capabilities, if it has not already done so. If internal auditors are not comfortable with the current system, listen to them, for in any subsequent investigation the IG will certainly be interested in their observations. Risk management should be enlisted to develop a risk assessment focusing on potential fraud vulnerabilities. Risks associated with subcontractors must also be examined. These efforts may be especially difficult for small contractors to accomplish. It will not be enough to tell the IG when the investigation starts that the audit function consisted of asking everyone every now and then if they know of any criminal activity in the company.

The contractor internal control system must also provide for "[f]ull cooperation with any Government agencies responsible for audits, investigations, or corrective actions." FAR 52.203-13 (c)(2)(G). Full cooperation will include full disclosure of information sufficient to identify the offense and who is responsible, and full access to documents and employees. Privileges don't have to be waived, including attorney-client or work product privileges, nor do individuals have to waive Fifth Amendment rights. Of course, the FAR Councils note that "facts are never protected by the attorney-client privilege or work product doctrine." 73 Fed. Reg. at 67077. Clearly, the days of any artful "stonewalling" by slow document production or frustrating access to any individuals are over: "it is also reasonable for investigators and prosecutors to expect that compliant contractors will encourage employees both to make themselves available and to cooperate with the Government investigation." Id. at 67078. The word "compliant" sums it up. The final rule specifically defines "full cooperation" to mean "timely and complete" responses to requests for documents and "access to employees with information." Again, contractors (and your lawyers)-- you have been warned.

The above discussion covers only a few of the many issues and concerns raised by the new rule and contract clause. At a minimum, government contractors (and there are a lot more of you now that the government is in many cases your business partner of last resort in the recession) should be explaining the new rule to management, and putting teams together to implement the new procedures. Making sure all the rules flow down to subcontractors is especially critical. The many traps in these rules remain to be explored. One suspects that as the corps of IG's and their lawyers and investigators learn the ropes of the rule, the pressure to comply to the letter will increase, and before long we will begin to see cases for suspension or disbarment being based on disclosure violations. The best defense is a good, even if imperfect, offense. Plan now, implement now, and document now, your good faith efforts to comply. When in doubt, suck it up and disclose, or be sure you can explain it to a prosecutor's satisfaction why you decided to remain silent. Unfortunately, the ball is now entirely in your court.

Footnotes

1. Letter from Alice Fisher, Asst. Atty. Gen., Crim Division, to Paul Dennett, Administrator, Office of Federal Procurement Policy, OMB (May 23, 2007), available at http://www.usdoj.gov/criminal/npftf/pr/statements/2007/may05-23-07chng-far-propose.dpf.

2. The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (the "Councils") have the right to amend the Federal Acquisition Regulation governing the award and performance of federal contracts.

3. 73 Fed. Reg. 67064; FAR Subpart 9.4.

4. The Supplementary Information states that "[i]t is unlikely that any contractor would be suspended or disbarred absent the determination that a violation had actually occurred" (73 Fed. Reg. 67,078). However, the immediately preceding sentence reads: "The requirement for timely disclosure could in some circumstances be considered a new cause for suspension or disbarment." As a former prosecutor, it is hard for me to believe the IG would willingly walk away from a case where the evidence showed a deliberate, conscious decision to decline disclosure of a situation in which "credible evidence" of a violation existed, even if the facts, when fully reviewed by the IG, ultimately fall short of a viable case. This would be especially true if, for example, some within the company favored disclosure but were overruled by top management for strategic or other unworthy reasons, or where counsel favored disclosure but this advice was not followed.

5. FAR 52.209-5 (par. (a)(2) of the contract clause defines "principal" to mean "officers; directors; owners; partners; and persons having primary management or supervisory responsibilities within a business entity (e.g. general manager; plant manager; head of a subsidiary, division, or business segment, and similar positions)." The Supplementary Information adds this potent caveat: "The Councils note that this definition should be interpreted broadly, and could include compliance officers or directors of internal audit, as well as other positions of responsibility." (emphasis added) (in other words, don't assume the assistant v.p.—one of several hundred—at the branch office in Flagstaff or Fiji—will not be considered a "principal" in the eyes of the IG as soon as it is evident he is the one sitting on the "credible evidence.").

6. Webster's tells us (under the definition of "plausible") the following: "...plausible applies to that which at first glance appears to be true, reasonable, valid, etc. but which may or may not be so...; credible is used of that which is believable because it is supported by evidence, sound logic, etc." On this definition, an allegation that has some evidence supporting it, but some that casts doubt upon it, may well be seen by the IG as constituting "credible evidence." Most certainly, evidence which is rebutted only by denials by the actors, or by claims of lack of intent (such as false entries in books which are claimed to be simply mistakes), would undoubtedly be considered by the government to constitute "credible evidence" until proven otherwise.

Daniel J. Hurson is a former SEC trial attorney and Assistant United States Attorney. He practices securities enforcement and white collar defense law in his own firm in Washington D.C. His email is dan@hursonlaw.com. His website is http://www.hursonlaw.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.