Categories
Innovation in Compliance

The Risks with Employee Data with Robert Meyers


Robert Meyers is the Channel Solutions Architect for One Identity, a software company that helps organizations establish an identity-centric security strategy. Tom Fox welcomes him to this week’s show to talk about compliance, data privacy, and employee data issues.

The Role of One Identity
“Most companies forget about employees, and this gets impacted by GDPR,” Robert says. His role at One Identity allows him to explain to companies where they can fit identity protections for employees. He also helps companies with their logging systems to prevent them from sending out sensitive information into their log store. Robert adds that he also works as a consultant for partners and helps with privileged access management.
Data Has a Life Cycle
“Data itself should have a life cycle,” Robert emphasizes. The concept of never deleting anything and keeping copies of everything is a bad idea. Data discipline and data management governance expect that you remove data at an appropriate time. Robert reiterates that data privacy and data protection have to be integrated with operations, because if they aren’t, they won’t be dealt with at all. In response to Tom’s question on who owns Compliance, Robert says that it has to be the Chief Operating Officer.
What’s Next
Tom asks Robert what businesses should expect to happen around data privacy between now and 2023. Robert says that there will be more risk assessment. Most breaches within organizations are internal. He advocates for greater enforcement of laws and regulations as well as more legislation.
Resources
OneIdentity.com
Robert Meyers | Twitter, LinkedIn

Categories
Daily Compliance News

January 19, 2021, the Investors Speak Out edition


In today’s edition of Daily Compliance News:

  • After the Jan. 6 insurrection, investors demand changes. (NYT)
  • Biden Administration signals more aggressive enforcement. (WaPo)
  • Samsung heir gets prison term. (BBC)
  • Josh Hawley channels his inner Macbeth. (FT)
Categories
Daily Compliance News

January 18, 2021, the MLK Day edition

In today’s edition of Daily Compliance News:

  • Core values critical to leadership. (FT)
  • Why leadership kindness matters. (FT)
  • Are beatings needed to improve morale? (FT)
  • Member of Deutsche Bank urged Wirecard to ‘do in’ the FT. (FT)
Categories
31 Days to More Effective Compliance Programs

Day 18 | Levels of due diligence


Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.
The 2020 Update stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”
The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.
There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II and III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to “Document, Document, and Document” all your due diligence.
Three key takeaways:

  1. A Level I due diligence should only be used where there is a low risk of corruption.
  2. A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared.
  3. Level III due diligence is a deep-dive, boots-on-the-ground investigation.
Categories
The Ethics Experts

Episode 047–Steven Butera


On this episode of The Ethics Experts, Gio welcomes Steve Butera, Director of Compliance, QI, and Privacy at Pathways Health & Community Support, to the show! They discuss the “why” of compliance, the complexity of it, and how to start E&C from the interview process.

Categories
Coffee and Regs

Crystal Ball Gazing for Compliance & the SEC in 2021


In this episode, CSS’s Executive Director Jackie Hallihan sits down with Senior Consultant Adam DiPaolo to read the tea leaves on 2021. The compliance duo discusses changes to the SEC itself, to regulations and rule-making, examination and enforcement trends, and how to prepare for the predictability and unpredictability of compliance in the new year.

A CSS RegTech podcast series on moving from a tactical to strategic approach to regulatory compliance. The global regulatory space is complex and fragmented. Financial firms can address this problem through tactical responses to regulatory deadlines or think more strategically on how to optimize their compliance data, operations and technology. The CSS weekly podcast features regulatory experts, former Chief Compliance Officers, cybersecurity specialists, industry partners and RegTech collaborators to help prepare investment management firms for changes on the regulatory horizon. For more information on CSS, visit: www.cssregtech.com

About Our Guest Speakers:

Jackie Hallihan is the Co-Executive Director of CSS’s Compliance Services team and has over 25 years’ regulatory and risk management experience. She was the founder of National Regulatory Services (NRS) which started the compliance resource business and served as its President for over 20 years. She also founded the National Society of Compliance Professionals (NSCP), a non-profit organization for compliance officers, staff and lawyers serving the compliance industry. It now boasts over 2000 memberships. Jackie has been a leading speaker to compliance professionals, including in-house training programs and various other industry association conferences, and has received numerous industry awards. Jackie also serves as Director, Clerk of the New England Broker Dealer Investment Adviser Association (NEBDIAA), a non-profit organization, incorporated in 1997. The purpose of NEBDIAA is to provide a forum for the professional exchange of information among investment advisers, broker dealers, and persons who provide services to investment advisers and broker dealers, and to direct communication among its members which will improve their ability to serve the needs of their respective clients. The forum will help NEBDIAA’s members meet the increased regulatory demands placed on investment advisers, broker dealers, and persons who provide services to investment advisers and broker dealers.



Adam DiPaolo CISA, CRISC is a Section 13 Reporting Manager, Senior Consultant and Associate General Counsel, designing practical solutions to manage regulatory challenges faced by hedge funds, private equity funds, funds of funds, and other investment advisers. In addition to providing compliance services such as annual compliance program reviews, risk assessments and acquisition due diligence, Adam established Section 13 reporting capabilities and EDGAR filing agent services for CSS’s Ascendant compliance services division. He drafts and maintains corporate filings ranging from Forms ADV and PF to Forms 13F and 13H.


Categories
31 Days to More Effective Compliance Programs

Day 17 | Managing your third parties


The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in the 2020 Update that companies need to consider.
Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are in reality the easy steps. Managing the relationship is where the real work begins.
Three key takeaways:

  1. Have a strategic approach to third-party risk management.
  2. Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs for ongoing monitoring and auditing.
  3. Managing the relationship is where the real work begins.
Categories
31 Days to More Effective Compliance Programs

Day 16 | The third-party risk management process


As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The 2020 Update devotes an entire prong to third-party management. It begins with the following:
Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.
This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide and in the Hallmarks of an Effective Compliance Program. The five steps in the life cycle of third-party management are:

  1. Business Justification by the Business Sponsor;
  2. Questionnaire to Third-party;
  3. Due Diligence on Third-party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

  1. Use the full five-step process for third-party management.
  2. Make sure you have business development involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives.
Categories
Sunday Book Review

January 17, 2021, the MLK edition


In today’s edition of Sunday Book Review:

Categories
Daily Compliance News

January 16, 2021, the Risk and Compliance Journal edition


In today’s edition of Daily Compliance News:

  • Boeing received credit. (WSJ)
  • Petrofac employees plead guilty. (WSJ)
  • Administration clarifies rules on Chinese investments. (WSJ)