Day: February 2, 2023

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Discipline and Rigor In Your Internal Controls

New York Times columnist David Brooks’ thoughts on building and maintaining order inform the discussion on rigor in your internal controls. In internal controls, I believe it is incumbent to consider not only the most obvious risk areas for your internal controls but also the universe of potential transactions within a company’s operations. There is a clear need for rigor in your internal controls protocols. Adherence to that rigor can increase operationalization around the internal controls a company should consider, including gifts, travel, and entertainment expenses. Brooks said, “Building and maintaining order … requires toughness of mind and rigid discipline to serve your own work properly.” By having the rigor to institute and enforce the types of internal controls identified, you can go a long way toward detecting and, more importantly, preventing an FCPA violation from occurring.

Some of the key areas of Internal Control focus should be:

·       The Delegation of Authority (DOA)

Petty cash disbursements

·       Travel

·       P-Cards

·       Employee Expense Reports

·       Corporate checks and wire transfers, such as check requests, purchase orders, or vendor invoices.

·       Gifts and business entertainment

Three key takeaways:

1. You must maintain rigor around your internal controls.

2. Controls against fraud can also help to prevent corruption.

3. Building and maintaining good internal controls requires rigor.

Categories
Hidden Traffic Podcast

Japanese Human Rights Due Diligence Guidance with Ben Fouracre

Gwen Hassan welcomes Ben Fouracre, Managing Director and Global Investigations Lead for Asia Pacific and Japan at J.S. Held LLC. Ben has spent 16 years in Japan working with non-Japanese, non-Asian companies to help them develop and execute their compliance strategy. He is an expert in risk, supply chain, labor and environmental issues, as well as anti-corruption, anti-bribery and anti-money laundering, with a focus on human trafficking.  


The biggest focus in Asia has been foreign regulation, such as the FCPA. Many Japanese companies have fallen afoul of these regulations, which has led to the development of compliance departments and training. Companies in the region are now also increasingly focusing on sustainability and the social side of ESG. The Ministry of Economy, Trade and Industry and the Ministry of Foreign Affairs have been pushing for companies to have their own ESG strategy, goals and internal evaluation, and to focus on human rights and foreign policy.

The Japanese government conducted a survey that revealed one in five companies in Japan don’t have guidelines or safeguards related to human rights protection in their supply chains. However, there are some good examples of Japanese companies that are ahead of the curve. The Japanese government issued human rights due diligence guidelines, but there is still a need for proactive measures to be taken to ensure companies are doing what they say.  Although there is no definitive timeline or law in Japan, companies are responding to pressure from stakeholders such as investors, shareholders, customers, and employees to work towards sustainability.

Ben believes that companies must be seen as contributors, not profiteers off environmental and social harm. As such, policies and procedures must be implemented and evolve with the business. In particular, companies need to take a proactive approach to supplier risk profiling. This includes understanding the size, operations, and history of the supplier, their relationship with the company, and any potential risks the company may face from stakeholders when it comes to human rights issues such as child labor and forced labor.

NGOs have been actively raising awareness of issues related to sustainability and social responsibility, Ben points out. To ensure transparency and ethical and socially viable practices, companies should strive to engage in dialogue with NGOs. This allows them to better understand the issues and look for solutions.

Resources

Ben Fouracre on LinkedIn | Email 

J.S. Held LLC

Categories
Blog

The World Has Changed: McDonald’s and the Oversight Duty of Officers-Part 4

Over the past year, the role of the Chief Compliance Officer (CCO) has shifted in some very dramatic ways. The shifts have been from disparate groups and for a variety of reasons. Yet when put together, one can see a clear and bright line expanding and elevating the role of the CCO in the corporate world. From the announcement of the requirement for CCO Certification last year up to the announcement of the Delaware Court of Chancery’s decision in the case of In re McDonald’s Corporation Stockholder Derivative Litigation, it is now clear that the CCO has as wide a remit and responsibility as any corporate officer, other than the Chief Executive Officer (CEO) of a company.

I think the following announcements, changes in DOJ and SEC focus on Foreign Corrupt Practices Act (FCPA) enforcement and now a court case out of Delaware will change the role of the CCO forever.

CCO Certification

This shift began with the speech by Kenneth Polite, Assistant Attorney General for the Criminal Division speech on May 17, 2022, at Compliance Week 2022; announcing the new requirement for CCO Certification of compliance programs for companies going through a Deferred Prosecution Agreement (DPA). This CCO Certification required the Glencore CCO to certify Glencore compliance program “is reasonably designed to detect and prevent violations of the FCPA and other anti-corruption laws” at the conclusion of the DPA.  Who is the only other person required to make a similar certification at the conclusion of a DPA? The CEO of the company.

This means the CCO (and CEO) are certifying the entire compliance program meets the standards of not simply best practices but also all the enhanced requirements set out in Attachment C of any DPA. While many have focused on the question of whether this would bring criminal liability to a long-gone (or even current) CCO; this question now seems to miss the mark. Recall what Polite said when announcing the new requirement “It is the type of resource that compliance officials, including myself, have wanted for some time, because it makes it clear that you should and must have appropriate stature in corporate decision-making. It is intended to empower our compliance professionals to have the data, access, and voice within the organization to ensure you, and us, that your company has an ethical and compliance focused environment.”

Monaco Memo and Changes in the Corporate Enforcement Policy

The 2022 Monaco Memo and 2023 announced changes in the DOJ’s Corporate Enforcement Policy (CEP) are bookends of a series of changes which began as far back as October 2021 when Deputy Attorney General Lisa Monaco first announced the revisions which would eventually be incorporated into the Monaco Memo and CEP. In many ways the Monaco Memo laid out the sticks while the CEP provided the carrots for current FCPA and other white-collar enforcements.

The Monaco Memo directed prosecutors to evaluate a corporation’s compliance program as a factor in determining the appropriate terms for a corporate resolution; as prosecutors should now assess the adequacy and effectiveness of the corporation’s compliance program at two points in time: (1) the time of the offense; and (2) the time of a charging decision.  Kenneth Polite further defined the effectiveness of a compliance program at the time of the offense as “At the time of the misconduct and the disclosure, the company had an effective compliance program and system of internal accounting controls that allowed the identification of the misconduct and led to the company’s self-disclosure.” This is the first time the DOJ has said that it is the detection of wrongdoing which defines the effectiveness of a compliance program. This means a company’s investment in a compliance program, CCO and corporate compliance team are all elevated in importance. This prong does not simply get you a discount, but it can put you on the road to the default position of the DOJ for a FCPA violation, a declination.

Moreover, when you couple the ABB FCPA resolution to the Monaco Memo, you see the carrots which appeared in the new CEP. ABB was the first, three-time FCPA recidivist yet was able to get an excellent resolution with the government and a fine of only $315 million despite clear aggravating factors including corruption up to and in the corporate office. From the ABB resolution, you begin to see how the role of the CCO increases dramatically.

Duty of Oversight

These trends were brought together in the Delaware Court of Chancery’s decision in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst in the case In re McDonald’s Corporation Stockholder Derivative Litigation, where for the first time, a Delaware court formally recognized the oversight duties of officers of Delaware corporations.

As I have previously noted, one of the most interesting parts of the court’s opinion is that it draws from the US Sentencing Guidelines and their creation of the Chief Compliance Officer position as both reasons for the decision and as a guide to how the CCO position will be impacted by this ruling. The judge pointed to the US Sentencing Guidelines as a key basis for the creation of the original Caremark Doctrine. The court stated that a prime reason for “recognizing the board’s duty of oversight was the importance of having compliance systems in place so the corporation could receive credit under the federal Organizational Sentencing Guidelines.” However, the Guidelines did not stop at the board level. The US Sentencing Guidelines mandated the creation of the CCO position.

The court noted that the CCO has a broad scope within an organization. The court stated “Although the CEO and Chief Compliance Officer likely will have company-wide oversight portfolios, other officers generally have a more constrained area of authority.” The responsibilities of the CCO are wide and sometimes varied. Here the court stated, ““[s]pecific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.” But the Delaware court also provided CCOs with some additional ammunition in their quest for true influence in a corporation by stating that “to carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”

What Does It Mean?

This is the part where it gets interesting. Under the CCO Certification and the Delaware court’s ruling, it is the CCO who is 1B to the CEO’s 1A. The first step every company must make it to put the CCO in position to report up directly to the Board of Directors. It also means that the days of a CCO reporting to a Chief Legal Officer (CLO) or General Counsel (GC) are certainly numbered. The Delaware Court drove this point home by specifically naming  a CLO/GC as a person “responsible for legal oversight and for making a good faith effort to establish reasonable information systems to cover that area.” In other words, not responsible for the company wide remit such as the CCO.

The next area would come from the Hallmarks of an Effective Compliance Program as laid out in the FCPA Resource Guide, 2nd edition. In that document it states “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.” That means financial resources and head count.

I would add, a level of professionalism and expertise in compliance means more than simply ‘being a lawyer’. Under Chapter 9, Section 47 of the US Attorney’s Manual, the DOJ is mandated to evaluate “The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk.”  Finally, the DOJ will also evaluate other factors such as CCO compensataion as commiserate with the position of being second in importance to the CEO.

The Delaware Court decision creating the Duty of Oversight was not designed to increase the scope, reach and importance of a CCO but the more I look at the case I believe that will be its most lasting legacy. When you look back over the past 12 months, you see that the CCO has more stature and responsibility than it has ever had before.

With a converse nod to Uncle Ben from Spiderman, with great responsibility must come great power.

Categories
Innovation in Compliance

The Digital Knowledge Graph with Evgeny Likhoded and Vladimir Ershov

This week’s guests are Evgeny Likhoded, CEO and founder, and Vladimir Ershov, Head of Data Science, of Clausematch. They join Tom Fox to talk about a groundbreaking new innovation, the Digital Knowledge Graph in open source. Learn how this game-changer is revolutionizing the way compliance is managed and what it means for industries, companies, and governments around the world.

Evgeny Likhoded is the CEO and founder of Clausematch, a global compliance and regulatory technology company. He started Clausematch to digitize and structure regulation and help regulators to innovate in the space. Jay has worked to solve a common problem in compliance – managing compliance documents and compliance content. He has brought all of the workflow and content management under one platform to provide compliance professionals a way to collaborate on content in real time.

Vladimir Ershov is the head of Data Science at Clausematch. He has been working in the field of data science for four years and previously worked at Apple. Vladimir is passionate about semantic linkage for law documents and was excited to join Clausematch four years ago to continue his work in this field.

You’ll hear them discuss:

  • The process of developing the Clausematch Knowledge Graph took a year with involvement from multiple teams and experts in the regulatory field.The process included discussions with regulatory experts, data preparation, model training and evaluation, and integration with Clausematch’s tools.
  • The key idea behind Clausematch was to capture data in a structured form from the start, allowing for more to be done with the data.
  • Clausematch was pitched to several financial services regulators, including FCA and ADGM, as a platform for tagging regulation text through expert work and machine learning models.
  • The open source Knowledge Graph generated by Clausematch can be used by other companies and regulators to automatically analyze regulations.
  • The structured regulations can also be applied to a financial institution’s internal compliance documents to identify gaps and contradictions in their policies.
  • The Knowledge Graph helps digitize the meaning of regulations. 
  • The models can be used to look for patterns in regulations and to show regulators if internal policies are compliant with regulatory rules.
  • The ultimate goal is a world where every regulation is structured and consumable via API. The release of the Knowledge Graph in open source will help reach the goal faster.
  • Knowledge Graph technology is relevant to compliance technology. Historically, compliance solutions have been focused on formalizing rules and processes into a framework through manual means. Knowledge Graph technology automates the process of structuring data and extracts entities and obligations to form the framework.
  • Neural network models or reinforcement learning agents can be run on top of the extracted graph to look for compliance patterns.
  • The knowledge graph technology will be available on Clausematch.com and GitHub, and a scientific paper with more information will be released.
  • The graph structure is important in compliance due to the need for exact inference in compliance, unlike the correlation approach in language models like GPT.

 

KEY QUOTATIONS: 

“There is a principal flow in the models like ChatGPT and other language models which are based on correlation approach… [but] in the compliance field we need causation, we need exact inference and that’s why the graph structure is extremely important to be able to build the automation for the compliance.” – Vladimir Ershov

 

Resources 

Evgeny Likhoded | LinkedIn 

Vladimir Ershov |  LinkedIn 

Clausematch

Knowledge Graph Information

Categories
Life with GDPR

Cookies, Cookies & More Cookies

Jonathan Armstrong and Tom Fox return for another episode of the award-winning Life with GDPR. Data protection has become a priority for many authorities with the French regulator, CNIL,  recently issuing fines and penalties to Microsoft for not complying with the data protection laws. Changes were made to their practices in March 2022, and similar action was taken against Google and Amazon.

In this episode, we discuss the regulatory landscape for cookies which has become difficult for businesses to maneuver, requiring board-level oversight of data privacy, data protection, and data security. Together, these measures are deemed necessary in order to mitigate the biggest risks to organizations. Max Schrems and his pressure group were two of the key adjutants and had filed a substantial number of complaints. This eventually led to a large fine at the end of 2022, announced this month, from CNIL, the French Data Protection Regulator, against Microsoft, for €60 million. This fine highlighted the fact that cookies had been on the agenda for many Data Protection Authorities and the severity of the consequences for not following GDPR requirements. The implications of this case will have a lasting effect on the relations between European Data Protection Authorities and corporations, as well as the resources necessary to stay compliant.

Highlights include:

·      [00:04:16] Microsoft’s Changes to Cookie Practices

·      [00:09:21] Navigating Regulatory Landscapes for Businesses

·      [00:14:21] The Importance of Data Privacy Board Oversight

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance, News Section. For more information on Cordery Compliance, go their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn

Categories
Daily Compliance News

February 2, 2023 – The Happy Birthday Mom Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition of Daily Compliance News:

·       Householder attorney argues trial judge biased.  (Channel 9-Cincinatti)

·       UK government moves to regulate crypto.  (BBC)

·       Musk asks for a Twitter lawsuit to be tossed. (Reuters)

·       UK plunges in 2022 TI-CPI. (Bloomberg)