Travis Howerton on Automating Security & Compliance

Automation in the compliance arena is becoming increasingly ubiquitous. Yet many of the most significant innovations in automation are found not in the anti-bribery/anti-corruption space but in adjacent spaces. That message was once again driven home to me when I had the chance to sit down with Travis Howerton, Co-Founder and Chief Technology Officer (CTO) at RegScale, for a podcast interview (Howerton’s interview will post on the Innovation in Compliance Podcast in August).

What I found most interesting, and indeed the most insightful for the compliance professional, is that the US government is increasingly turning to automation and AI to meet its security and compliance standards. With the transition of FedRAMP from guidance to law, companies are now required to use it and meet certain cybersecurity standards to do business with the US government. NIST 800-53 Revision 5 addresses regulatory change around privacy driven by GDPR and other developments, and includes new control families and changes to existing ones.

As the government continues to revise its standards, the need for automation is becoming increasingly important. The National Institute of Standards and Technology (NIST), a standards body within the federal government, is working with the Open Security Controls Assessment Language (OSCAL) team to develop standards. NIST has interacted closely with the OSCAL team, creating an open-source repo on GitHub and building communities of interest. Additionally, NIST works with other government agencies, tool providers, and industry to develop standards.

FedRAMP provides clarity of goal for vendors and customers but is expensive and time-consuming to achieve. Cybersecurity is no longer a cost center but a requirement to do business with the US government. The Department of Defense requires companies to meet certain cybersecurity standards to do business with it, and other agencies are taking similar stances. Companies are now required to have a compliance program to do business with them. Cybersecurity is now seen as one of the top risks to businesses, causing legal risk, revenue loss, and embarrassment.

The government is driving the need for robust cybersecurity down the supply chain. Cyberattacks can be used for a number of nefarious purposes, including theft of IP. The government is looking to make cybersecurity a requirement in law and contracts and can cancel contracts for cause if it is not met. Boeing now has the clout to require its suppliers to have a NIST-certified or attested cybersecurity program.

NIST 800-53 Revision 5 is the latest version of the government’s standards for cloud service providers. It includes new control families and changes to existing ones. It is expensive to develop a Rev 4 package, and the government is likely to continue to revise the standards. Third-party assessment organizations will have to train up on the new families and redo a lot of work to meet the new standards. Cyber hiring metrics in the US show that there is no surplus of people to meet the increased demand that Rev 5 creates.

One Month to More Effective Reporting and Investigations – The Investigative Team

Since 2015, DOJ has put even more pressure on every CCO, compliance practitioner, and indeed company, to get an investigation done quickly, efficiently, and, most importantly, right. This is even more true after the U.S. Supreme Court’s decision in Digital Realty Trust v. Somers, which limited whistleblower protection and benefits to only those whistleblowers who go to the SEC rather than initially reporting internally. What do all these documents tell us about who should be on your investigation team?

As data collection, retention, and preservation are critical elements of any significant internal investigation, you will need the involvement of your IT function. IT can put a litigation hold on documents, which helps with the preservation of data in other areas of the organization. Further, IT can assist with other aspects of the investigation as more facts and circumstances become known.

HR is often an underutilized function for an internal investigator. HR can provide context about employees’ work history; there may be notes in HR areas as diverse as training and exit interviews. HR can also give the investigator some insight into the credibility of the individual making the allegation. For example, are they a good and trusted employee? How long have they been there? What is their general demeanor? What has the feedback been on that particular individual?

Forensic accountants should be a part of your investigation team. Such a skilled team member brings an investigative mind that drives them to answer questions about what occurred, when and how it happened, and who was involved. However, most lawyers do not understand how forensic accounting is performed or how forensic accountants can assist a compliance investigation going forward.

Obviously, the GC would be involved, if for no other reason than to help protect the attorney-client privilege. Further, an investigation needs to have compliance involved, to understand what compliance program and procedures were in place at the time of the incident in question, and to determine whether this truly was a gap in the compliance function, whether an area within the compliance function was not operating as prescribed, or whether it was simply a little weak.

Three key takeaways:

1. HR plays a key but often underused role in internal investigations.

2. The Board of Directors and senior management have different roles.

3. Use your legal department to protect the privilege.

FCPA Compliance Report – Maria D’Avanzo on the Intersection of AI, ChatGPT and Compliance

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In the latest episode of the FCPA Compliance Report, Maria D’Avanzo from Traliant returns to discuss the intersection of AI, ChatGPT, and compliance. The recent Federal Trade Commission investigation into OpenAI serves as a reminder of the importance of staying up to date on the latest developments in AI technology and their potential implications. With AI and ChatGPT being powerful tools that can automate processes and generate content, organizations must implement AI policies and training to ensure the safe and responsible use of these technologies. AI compliance training is necessary to educate employees on the risks posed by AI technology and to ensure that the compliance program is robust and effective. Organizations must create a comprehensive policy and provide ongoing training to ensure AI’s safe and responsible use.

Key Highlights:

  • AI and ChatGPT consequences
  • AI Policy and Training
  • Creating a Policy
  • AI Compliance Training
  • FTC OpenAI Investigation

Resources:

  • Maria D’Avanzo on LinkedIn
  • Traliant

Compliance into the Weeds: BOA Enforcement Action for Bogus Accounts

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject and looking for hard-hitting insights on sanctions compliance. Look no further than Compliance into the Weeds! In this episode, Tom and Matt take up the recent CFTC enforcement action involving Bank of America.

In yet another reminder of the importance of ethical practices within the banking industry, Bank of America recently faced civil charges for misconduct, including a junk-fees scheme and opening credit cards for customers without their authorization. This follows in the footsteps of similar misconduct by Wells Fargo in the mid-2010s, which resulted in a hefty $185 million fine. To address the issue, Bank of America has agreed to discontinue its flawed incentive program and develop a compliance plan within 90 days. Banks must remain vigilant in their compliance efforts, capture customer consent and documentation, and have data analytics capabilities, or risk similar fines. Furthermore, this penalty emphasizes the need for banks to keep their practices updated with regulations.

Key Highlights:

  • Facts of the enforcement action
  • BOA penalty
  • BOA remediation
  • Comparisons to Wells Fargo
  • Banks behaving badly

Resources:

  • Matt Kelly on LinkedIn
  • Blog post in Radical Compliance

Daily Compliance News: July 19, 2023 – The Will KPMG Ever Stop Cheating Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy your morning coffee, and listen to the Daily Compliance News, all from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories covered in today’s edition:

  • Will diversity in tech end? (WSJ)
  • KPMG was caught cheating on exams again, this time in the Netherlands. (Dutch News)
  • Czechia opposes new EU corruption directive. (Euractiv)
  • Does Singapore have a corruption problem? (FCPA Blog)