Blog

The Week That Was in Compliance – The ECCP: Part 3 – Messaging Apps

In addition to the speeches presented at the ABA’s 38th Annual National Institute on White Collar Crime by Deputy Attorney General Lisa Monaco (2023 Monaco Speech) and Assistant Attorney General Kenneth A. Polite (Polite Speech), there was the release of the 2023 U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs (ECCP). Today we review another new addition to the ECCP, dealing with messaging apps.

There is not much which seems to exercise the regulators in the compliance space as much as messaging apps. The Securities and Exchange Commission (SEC) has brought multiple and very large enforcement actions against regulated industries for allowing employees to use messaging apps with no corporate oversight. The Department of Justice (DOJ) has been talking about messaging apps for over two years and has now incorporated its guidance into the ECCP.

The ECCP opened this section by noting, “Messaging applications have become ubiquitous in many markets and offer important platforms for companies to achieve growth and facilitate communication.” For any company under investigation or in a Foreign Corrupt Practices Act (FCPA) enforcement action, the DOJ will evaluate its “policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct and violations of law…governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications.” Off the shelf policies will not be sufficient as the company’s management of messaging apps “should be tailored to the corporation’s risk profile and specific business needs.” Not surprisingly the DOJ is also concerned about storage, access and even backups, requiring that “business-related electronic data and communications are accessible and amenable to preservation by the company.” Training and communication of these policies and procedures will also be evaluated and “whether the corporation has enforced the policies and procedures on a regular and consistent basis in practice.”

The Messaging Apps

Under the section entitled “Communication Channels”, the DOJ poses a series of questions that every compliance program must answer. These questions include:

  • What electronic communication channels does the company and its employees use, or allow to be used, to conduct business?
  • How does that practice vary by jurisdiction and business function, and why?
  • What mechanisms has the company put in place to manage and preserve information contained within each of the electronic communication channels?
  • What preservation or deletion settings are available to each employee under each communication channel, and what do the company’s policies require with respect to each?
  • What is the rationale for the company’s approach to determining which communication channels and settings are permitted?

Under this section, compliance must delineate which messaging apps a company uses and why. Is it consistent or does it vary country by country? What mechanism has your organization put in place to manage this risk? Finally, how are the communications preserved and what is your rationale for your system?

Policies and Procedures

Under the section entitled “Policy Environment”, the DOJ poses a series of questions that every compliance program must answer. These questions include:

  • What policies and procedures are in place to ensure that communications and other data is preserved from devices that are replaced?
  • What are the relevant code of conduct, privacy, security, and employment laws or policies that govern the organization’s ability to ensure security or monitor/access business-related communications?
  • If the company has a “bring your own device” (BYOD) program, what are its policies governing preservation of and access to corporate data and communications stored on personal devices—including data contained within messaging platforms—and what is the rationale behind those policies?
  • How have the company’s data retention and business conduct policies been applied and enforced with respect to personal devices and messaging applications?
  • Do the organization’s policies permit the company to review business communications on BYOD and/or messaging applications?
  • What exceptions or limitations to these policies have been permitted by the organization? If the company has a policy regarding whether employees should transfer messages, data, and information from private phones or messaging applications onto company record-keeping systems in order to preserve and retain them, is it being followed in practice, and how is it enforced?

This section presents several areas a compliance professional should look into for their program. Do you have an appropriate set of policies and procedures in place, and are they the same for company-issued phones and BYOD phones? If not, why not? Do you have a data retention policy in place for messaging apps and their platforms, and is it applied consistently (if at all)? Does your organization review business communications through messaging apps, or does your organization even have the right to do so? Finally, are messages preserved somewhere?

Under the section entitled “Risk Management”, the DOJ poses a series of questions that every compliance program must answer. These questions include:

  • What are the consequences for employees who refuse the company access to company communications? Has the company ever exercised these rights?
  • Has the company disciplined employees who fail to comply with the policy or the requirement that they give the company access to these communications? Has the use of personal devices or messaging applications—including ephemeral messaging applications—impaired in any way the organization’s compliance program or its ability to conduct internal investigations or respond to requests from prosecutors or civil enforcement or regulatory agencies?
  • How does the organization manage security and exercise control over the communication channels used to conduct the organization’s affairs?
  • Is the organization’s approach to permitting and managing communication channels, including BYOD and messaging applications, reasonable in the context of the company’s business needs and risk profile?

This final section might as well have been named ‘consequence management’ but I guess that moniker was already taken. Here the DOJ wants to know what consequences recalcitrant employees faced for failure to follow the appropriate policies and procedures. Moreover, did any employee actions around messaging apps hinder or block internal investigations or regulators’ queries or the attendant responses? Next, is an appropriate level of internal security being exercised for such communications? Finally, are the company’s actions reasonable in the context of its business needs and risk management protocol?

Obviously, there is quite a bit in these three sections every compliance professional will have to consider. But the framework already exists which you can adapt. It is risk assessment → risk management strategy → ongoing monitoring → ongoing improvement. It may take some work, but your blueprint to handle these requirements exists.

Join us tomorrow when we conclude our review of the 2023 ECCP.

31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for business – Pre-acquisition Due Diligence in Mergers and Acquisitions

A company that does not perform adequate due diligence before a merger or acquisition may face legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue, with all the attendant harms to a business’s profitability and reputation and potential civil and criminal liability. While most compliance practitioners have long been aware of the requirement in the post-acquisition context, the FCPA Resource Guide, 2nd edition, focused many compliance practitioners on the need to engage in robust pre-acquisition due diligence.

The 2020 Update made the need for a robust compliance presence in the pre-acquisition phase even more apparent. It stated, “A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing harm to a business’s profitability and reputation and risking civil and criminal liability.”

Multiple red flags could be raised in this process, which might warrant further investigation. They include if the target has ineffective compliance program elements in their compliance program or if there were frequent breaches of policies and procedures. A target that is in financial difficulty would bear closer scrutiny. Structurally, this could present issues if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors’ level. From the CCO perspective, if the position did not have Board or CEO access or had no regular reports, it could present an issue for compliance. Conversely, if there were frequent requests to waive policies, management override of compliance controls, or no consistent consequence management for violations, it could present clear red flags for further investigation.

Three key takeaways: 

  1. Your pre-acquisition due diligence results will inform your post-acquisition integration and remediation going forward.
  2. Periodically review your M&A due diligence protocol.
  3. If red flags appear in pre-acquisition due diligence, they should be cleared.

SBR - Authors' Podcast

Brent Cassity – Nightmare Success

Welcome to the Sunday Book Review, the Authors Podcast! On this episode, Tom welcomes Brent Cassity, author of Nightmare Success. Brent has been part of a family company pre-arranging funeral services, and he tells the story of how he ended up there and the invaluable lessons he learned from his experiences. He talks about going into prison with his head held high and learning to take life one day at a time, not make the same mistake twice, and find redemption. His book covers loyalty, betrayal, and life behind bars. Brent talks about the mindset to step out of your routine and take risks even if it’s scary. In addition to his book, Brent hosts a podcast called Nightmare Success about facing your worst fears. Join Tom Fox and Brent Cassity as they explore how to overcome adversity.

Key Highlights Include

  • The Transformation [00:03:56]
  • A Golden Touch in Business and Law [00:07:34]
  • The Power of Handling Difficult Situations with Dignity [00:10:53]
  • The Power of Redemption [00:13:59]
  • Staying Motivated: Taking Life One Day at a Time [00:17:51]
  • Overcoming Fear After Leaving Prison [00:21:13]
  • Coping with Trauma: Navigating Life After Your Worst Fear Becomes a Reality [00:24:38]

Notable Quotes

  1. “And I thought, no matter what happens to me, from this moment, this is my rock bottom moment. My prison moment, I wasn’t even there. Whatever happens to me, I’m going to walk. With some with my head held high, I want my family to be proud of how I’m handling this.”
  2. “You must be humble. You must check out and look around. You know, who’s getting this right? Who’s doing their time the way I want to do my time? To humble yourself, who’s got a prison job that you want? How did they get it? What books are they reading? How did they get those books? What prison routine? What workout routine are they in that I could get in shape and be who I want to be here.”
  3. “Life is unfair and make a difference regardless. This was something Tom and I did. It was like a mind hack for me.”

Resources

Check out Brent Cassity

Check out Brent’s book “Nightmare Success” here

Everything Compliance - Shout Outs and Rants

Episode 114 – Shout Outs and Rants

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. Everything Compliance has been honored by W3 as the top podcast talk show. In this episode, we have the quartet of Tom Fox, Jonathan Marks, Matt Kelly, and special guest Scott Garland from Affiliated Monitors for our fan-favorite Shout Outs and Rants edition.

  1. Matt Kelly has a dual rant. He shouts out to the PCAOB for reminding folks that cryptocurrency ‘reserve reports’ are not worth the paper they are printed on. He rants about crypto being a big circular whackadoo.
  2. Jonathan Marks shouts out to the US House of Representatives for overwhelmingly voting to investigate the origins of Covid-19.
  3. Tom Fox rants about the Tennessee legislature’s attempt to ban Shakespeare, movies such as Tootsie and Some Like It Hot, and politicians such as George Santos, all in the guise of banning drag shows.
  4. Special Guest Scott Garland shouts out to the Department of Justice for their continued evolution in their thinking about compliance and compliance programs.

Data Driven Compliance

Ryan Hubbs on Building Out a Universe of Risks

Data Driven Compliance, hosted by Tom Fox, is a podcast featuring an in-depth conversation with Ryan Hubbs, Global Anti-Corruption and Fraud Manager at SLB. Ryan explains how internal audits have evolved over the last 5–6 years and how SLB designed dashboards and analytics to cut out manual tasks. He also explains the pre-audit survey used to anticipate what will come up in the final audit report. Ryan discusses how SLB tracks duplicate payments, agents, and financial, legal, and environmental risks to create a near real-time reporting module. Ultimately, monitoring these risks aims to evaluate which processes and subprocesses are increasing or decreasing in risk. Tom and Ryan share thoughtful insights throughout the podcast and explore ways to enhance your compliance program.

Key Highlights

  • Improving Fraud and Analytics With Internal Audit Reorganization [05:35]
  • Benefits of Pre-Audit Surveys and Programs [09:20]
  • Improving Fraud Detection through Data Dashboards [12:42]
  • Employee Satisfaction Survey Results [16:21]
  • Exploring Financial and Legal Risks in the Risk Universe [19:35]
  • Using Real Risk Data for Near Real-Time Reporting [23:12]
  • The Art of Conversation: Connecting with Ryan [30:09]

Notable Quotes

  1. “What would you do to make the organization better?”
  2. “Let’s automate this stuff. Let’s try to automate this and give others more time to understand the data, whether it be journal entries or fixed assets or inventory.”
  3. “We started sending that out twice a year, asking employees where you see fraud and corruption risks. Where do you see concerns? And you start to pull that data in and into internal audit as well?”
  4. “If you were the boss for the day, what would you do to improve the organization?”

Resources

Ryan Hubbs on LinkedIn

KonaAI

Innovation in Compliance

Compliance with Data Privacy with Bill Piwonka

Legal GRC focuses on the various activities and responsibilities that people who report to legal must carry out, such as data privacy and breach response. In this week’s show, Tom Fox reconnects with Bill Piwonka, Chief Marketing Officer of Exterro, to discuss compliance with data privacy. They discuss the concept of legal GRC, which is a subcategory of the larger umbrella of GRC. They also explore how Exterro’s legal GRC software can help companies manage their data effectively and efficiently while ensuring compliance.

Prior to Bill Piwonka’s current position at Exterro, he had extensive experience running marketing teams for typically small software companies, helping build them as they grew. His knowledge of both startups and large multinational organizations, including Intel and Oracle, has given him a unique perspective on the dynamics of different companies. As an expert in compliance and data privacy, Bill’s insights and expertise are invaluable to organizations seeking to improve their compliance programs.

Key ideas you’ll hear Tom and Bill discuss:

  • Legal GRC is a subcategory of the larger umbrella of GRC that focuses on the various activities and responsibilities that people who report to legal must carry out, such as data privacy and breach response.
  • Understanding where your data is, who owns it, and what regulations apply to it is crucial to effective data management and compliance.
  • Data governance, data security, and data cleansing are key components of ESG, particularly in the G part, and the management of data is a mandatory step under ESG.
  • Having a data inventory and understanding what regulations apply to that data from a retention perspective and disposition is essential to minimizing risk and ensuring compliance with various regulations.
  • The key to minimizing risk and ensuring compliance is to have the processes and technology that enable you to constantly push the deletion button, in accordance with your retention policy.
  • Exterro has broad capabilities in eDiscovery, privacy, forensic investigation, incident response, and cybersecurity compliance. Its clients include a wide range of professionals, such as IT, legal ops, GC, compliance, privacy, and HR.
  • Regulatory obligations around data security and document turnover are a significant concern for organizations, and Exterro’s eDiscovery product can help clients comply with government agencies’ requirements and store relevant information in their ESI vault.
  • Exterro’s consent product can help organizations with obtaining and revoking consent across any medium and demonstrate their compliance.
  • Legal departments are now recognizing the need for people, process, and technology to address issues that are now being enforced, especially on the privacy side. Process orchestration gives legal departments the ability to manage, measure, and optimize their processes and ensure defensibility.
  • Exterro’s marketing strategy is to provide high-quality educational content for the people who would ultimately use their products, such as benchmark surveys, case law alerts, and privacy alerts.

KEY QUOTES

“Legal has to be involved in all the different GRC activities.” – Bill Piwonka

“You have to have the guts to push the deletion button. When you have the processes and the technology that enable you to constantly push that button, you’re going to minimize your risk and you’re going to ensure compliance across a whole swath of regulations.” – Bill Piwonka

“If I can help somebody understand how to optimize a data subject access request process or how to conduct a document review more efficiently, and help them do their jobs more effectively – and I do that for five years – they are more productive, they’re more efficient, and they like the content that we’re creating.” – Bill Piwonka

Resources:

Bill Piwonka on LinkedIn | Twitter

Exterro

Daily Compliance News

March 14, 2023 – The $27bn In Corruption Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition of Daily Compliance News:

  • Qatar alleged to have spied on Swiss FIFA prosecutor. (Times of Israel)
  • $27bn tax and corruption scandal in Indonesia. (The Straits Times)
  • South African corruption watchdog to clear President Ramaphosa. (NYT)
  • Coal company receives declination. (FCPA Blog)

Kerrville Weekly News Roundup

Kerrville Weekly News Roundup: March 11

Experience the best of Kerrville’s news and culture with the Kerrville Weekly News Roundup! Bringing you easy-to-digest analysis of the headlines and top stories of the day, this podcast is hosted by the Co-Founders of the Texas Hill Country Podcast Network, Andrew Gay and Gilbert Paiz. Every week, Andrew and Gilbert explore the latest buzz in news and the most captivating story of the week. They delve into the Doyle School in Kerrville, Texas, covering a documentary highlighting the history of the school, which was a daughter school for African American kids before desegregation. They also discuss the recent premiere of the documentary at Arcadia Live Theatre, and the Historical Downtown Business Alliance event. Join Andrew and Gilbert as they bring you entertaining and enlightening stories every week, along with a friendly reminder to stay safe!

  • The Weekly News Roundup in the Texas Hill Country, Hosted by the Cofounders of the Texas Hill Country Podcast Network [01:03]
  • Doyle School in Kerrville, Texas: Exploring Its History and Impact on the Community [04:34]
  • Event Hosted by the Historical Downtown Business Alliance [08:13]
  • Stay Safe During the Weekend [11:35]