
Like its namesake, which was the first piloted aircraft to break the sound barrier, X1 values innovation and speed. The company is laser-focused on fixing problems in new, better and more cost-effective ways. Its software capability has evolved from search & productivity applications into the ability to collect social media and web content for legal proceedings, as well as the ability to access and act on employee information in a scalable manner without disrupting productivity. CEO of X1, Craig Carpenter, joins Tom Fox on this week’s show to chat about how his company is making data accessible for its clients.
Distributed GRC Solution
Tom asks Craig to talk about X1’s distributed GRC solution. Craig responds that the name itself conveys that the software is wherever the data resides. Distributed GRC is a two-part product, he says. The first part is software that sits on an endpoint such as a laptop. The second part is a command and control layer that allows you to access your data sources, analyze what data is available, and take action on it. Craig explains how X1 enables social media discovery in a forensically sound fashion. Data can be manipulated today, he comments, so being able to prove that your data is credible and that the chain of custody is accurate is critical, especially in the context of legal proceedings.
Quick Access
Tom comments that X1’s emphasis on speed equates to greater business productivity, efficiency, and profitability. The company was founded for this very reason, Craig agrees. Finding the right information in a timely fashion, and being able to act on it for your productivity purposes, is critical to business.
CFIUS and Preventing Violations
The Department of Justice’s new guidelines require companies to go beyond policies and questionnaires to using technology to validate data. Craig says that X1’s solution is a last mile validation piece. He and Tom discuss how X1 helps its clients comply with CFIUS (The Committee on Foreign Investment in the US) regulations. “Our technology is very effective because we can not only get the server data and some of the structure data as well to ensure that that’s compliant,” Craig comments, “but stuff on laptops and desktops where people work is also compliant. That’s kind of the key hidden element that we’re really good at attacking.”
Resources
X1.com

Amanda and Cailyn talk about our new studio equipment, snow, and the 8 steps to an effective annual risk assessment.

What is the value of having a Code of Conduct? In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven, something to wave in a regulator’s face during an enforcement action as proof of overall ethical behavior. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s internal law? What should be the goal in the creation of your company’s Code of Conduct?
How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, Inc., which turned on violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be an FCPA internal controls violation. It involved a clear quid pro quo benefit paid out by United to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United’s operations at the company’s huge east coast hub at Newark, NJ.
The actions of United’s former CEO, Jeff Smisek, in personally approving the benefit granted to favor Samson violated the company’s internal controls around gifts to government officials by not only failing to follow the United Code of Conduct but also violating it. The $2.4 million civil penalty levied on United was in addition to its 2016 Non-Prosecution Agreement (NPA) settlement with the DOJ, which resulted in a penalty of $2.25 million. The scandal also led to the resignation of Smisek and two high-level executives from United.
In the 2012 FCPA Guidance, the DOJ and SEC state:
A company’s Code of Conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.
The Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance) further specified, “As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees.” The Department of Justice (DOJ) Antitrust Division, Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (Antitrust Guidance) also specified, “If the company has a Code of Conduct, are antitrust policies and principles included in the document?”
Three key takeaways:
- Every formulation of a best practices compliance program starts with a written Code of Conduct.
- The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity.
- “Document, Document, and Document” your training and communication efforts.
In this episode, I visit with Ephraim (Fry) Wernick. He is a partner in the Government Investigations and White-Collar Practice Group at Vinson & Elkins LLP in Washington, DC. Mr. Wernick joined V&E in June 2019 after serving 11 years as a federal prosecutor, including most recently as Assistant Chief of the U.S. Department of Justice, Criminal Division’s Fraud Section, where he supervised dozens of FCPA cases, including four of the largest-ever corporate criminal resolutions. Mr. Wernick now represents public and private companies and individuals in connection with government and internal investigations. Mr. Wernick is a graduate of Brown University and the University of Texas School of Law. In this podcast we take a deep dive into the jury instructions in the recent Hoskins FCPA trial. Some of the highlights include:
- What was the procedural history of the Hoskins case leading up to trial?
- The court’s agency instruction required the government to establish three elements: (1) “a manifestation by the principal that the agent will act for it”; (2) “acceptance by the agent of the undertaking”; and (3) “an understanding between the agent and the principal that the principal will be in control of the undertaking.” The court further instructed that “[t]he undertaking consists of the acts or services which the agent performs on behalf of the principal.” Hoskins’ arguments focus primarily on the element of control. Did the DOJ satisfy this element?
- At trial, the DOJ presented evidence that although Hoskins worked for the French parent, for the purposes of his actions around bribery and corruption, he was the agent of the US subsidiary. What was some of the evidence presented at trial to show agency? Will it be enough to satisfy the Second Circuit definition in the inevitable appeal?
- At the ACI National Conference, Assistant Attorney General Brian Benczkowski said that the DOJ would analyze each case individually to determine if there was such an agency relationship present. What will the DOJ likely take into account?
- Might there be further clarification from the trial court or Second Circuit?
- Does the DOJ trial win against Hoskins open up wider individual prosecutions under the FCPA for foreign employees of foreign subsidiaries who may never set foot in the US?
Resources
Vinson and Elkins’ firm page on Fry Wernick
In today’s edition of Daily Compliance News:
- Congress takes aim at NCAA. (WSJ)
- Massive Cambridge Analytica document dump. (The Guardian)
- Does Ghosn flight bode no bail for super wealthy going forward? (FT)
- Ex-Ecuador President charged with corruption in absentia. (Brussels Times)
In addition to a company’s senior management, there is a Board of Directors at the top. Yet the role of the Board is different from that of senior management. For the Board of Directors, the Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance) stated:
Oversight – What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?
The DOJ Antitrust Division’s Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (Antitrust Compliance Program Guidance) was even more explicit in announcing its expectation for robust Board oversight of a corporate compliance function. The Antitrust Compliance Program Guidance stated, “For the antitrust compliance program to be effective, those with operational responsibility for the program must have sufficient autonomy, authority, and seniority within the company’s governance structure, as well as adequate resources for training, monitoring, auditing and periodic evaluation of the program.” The Antitrust Compliance Program Guidance then went on to ask the following questions: Who has overall responsibility for the antitrust compliance program? Is there a chief compliance officer or executive within the company responsible for antitrust compliance? If so, to whom does the individual report, e.g., the Board of Directors, audit committee, or other governing body? How often does the compliance officer or executive meet with the Board, audit committee, or other governing body? How does the company ensure the independence of its compliance personnel?
Three key takeaways:
- The DOJ Evaluation requires active Board of Director engagement and oversight around compliance.
- Board communication on compliance is a two-way street; both inbound and outbound.
- Does the Board of Directors have a Compliance Expert?
In today’s edition of Sunday Book Review:
- Capital and Ideology by Thomas Piketty
- Sabotage: The Hidden Nature of Finance by Anastasia Nesvetailova and Ronen Palan
- The Bridge: Natural Gas in a Redivided Europe by Thane Gustafson
- Reed Hastings: Building Netflix by Matt Burgess
Mike Volkov, in a blog post entitled “Mood in the Middle Versus Tone at the Top”, said, “Even when a company does all the right things at the senior management level, the real issue is whether or not that culture has embedded itself in middle and lower management. A company’s culture is reflected in the values and beliefs that exist throughout the company.” To fully operationalize your compliance program, you must articulate the message of ethical values and doing business in compliance and then drive that message from the top down, throughout your organization.
The Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance) made clear a company must have more than simply good ‘Tone-at-the-Top’; it must move down through the organization from senior management to middle management and into its lower ranks. This means that one task is to get middle management to respect the stated ethics and values of a company, because if they do so, this will be communicated down through the organization. The 2019 Guidance stated:
Shared Commitment – What actions have senior leaders and middle-management stakeholders (e.g., business and operational managers, finance, procurement, legal, human resources) taken to demonstrate their commitment to compliance or compliance personnel, including their remediation efforts? Have they persisted in that commitment in the face of competing interests or business objectives?
This requirement speaks to the greater role of non-compliance functions in a fully operationalized compliance program. Indeed, one sign of a mature compliance and ethics program is the extent to which a company’s other corporate disciplines are involved in implementing and then taking forward a compliance solution. This approach can act as a linchpin in spreading a company’s commitment to compliance throughout the employee base. It can also be used to ‘connect the dots’ in many divergent elements of a corporate compliance and ethics program.
Three key takeaways:
- Tone at the top – direct supervisors become the most important influence on people in the company.
- Give your middle managers a Tool Kit around compliance so they can fully operationalize compliance.
- Organizational justice is an additional way to help operationalize compliance.
In today’s edition of Daily Compliance News:
- Exxon wins reprieve from OFAC fine. (WSJ)
- Was the fix in for Ghosn to leave Japan? (NYT)
- Barbie tries to cut costs in Supply Chain. (WSJ)
- Oil hits $61 bbl after attack on Iranian General. (Houston Chronicle)