Categories
Blog

Assessing Communication Compliance: Ephemeral Messaging and Retention

I recently had the opportunity to visit with Alex Cotoia, Regulatory Manager, and Daniela Melendez, an Associate at The Volkov Law Group, on the importance of addressing electronic communications preservation and management in this new age of rapid technological change. They jointly penned an article for the Volkov Law Group’s site, Corruption, Crime and Compliance, entitled “Google’s Failure to Preserve Electronic Communications — A Warning to Every Company of a New Reality Surrounding Electronic Data.”

Ephemeral messaging, a method of communication that automatically erases content after a short period of time, is becoming increasingly popular in both personal and business settings. Platforms like Snapchat and Instagram offer features that allow messages to disappear, providing a sense of privacy and security. However, the use of ephemeral messaging in business comes with its own set of challenges and legal implications. Additionally, as both Cotoia and Melendez noted, “companies have to devote significant resources and attention to information technology and security, electronic communications and business-generated data, and to overall information security and governance.”

They pointed to a recent case involving Google, where the company’s document retention policy for ephemeral messaging was 24 hours, yet a court order required that such messages be preserved. The Court found that Google failed to preserve its chat data, despite a preservation order that directed Google to preserve chat records by changing the default settings of the chat system. The Court also found that Google did not effectively emphasize the importance of those obligations to its employees.

The episode highlighted the concerns raised by the Department of Justice (DOJ) regarding the use of ephemeral messaging for illegal activities, which have led to more enforcement actions. This poses challenges for investigations, particularly in the corporate sector. They related that at a “fundamental level, the case underscores the criticality of applying document preservation policies to all media used by an organization’s employees to conduct company business. This echoes guidance provided by the U.S. Department of Justice in the context of recent updates to its guidelines concerning the ‘Evaluation of Corporate Compliance Programs.’ The most recent iteration of those guidelines calls on companies to thoroughly understand the various communication channels—including ephemeral messaging applications—utilized by a company’s employees to conduct business.”

The Google case is an example of the legal liabilities and sanctions that can result from failing to preserve relevant evidence. In this case, Google was sanctioned by a district judge for failing to preserve employee chat evidence relevant to antitrust litigation. Employees did not follow the company’s policies regarding document preservation, leading to legal consequences.

The implications of the Google case extend beyond commercial litigation and preservation of evidence. The DOJ’s focus on ephemeral messaging applications in their guidelines for evaluating corporate compliance programs sends a clear message to organizations that they need to adopt or refine their data preservation policies in relation to employee communication.

One of the key considerations for companies is to assess their risk profile and determine whether ephemeral messaging applications are appropriate for conducting business. High-risk industries, such as those prone to corruption, should prohibit the use of these applications due to the potential for concealing illegal activities. On the other hand, companies with lower risk profiles may be more lenient in allowing employees to use ephemeral messaging applications for legitimate business purposes.

The DOJ guidelines also emphasize the need for companies to proactively manage authorized communication channels, monitor and preserve all business-related electronic data, and develop specific policies for employee obligations regarding personal devices and document retention. This requires companies to account for all communication channels, maintain data consistently, and constantly monitor content for any evidence of illegal activity.

The Google case serves as a wake-up call for companies accustomed to more lax preservation policies. It highlights the importance of enforcing existing policies and providing comprehensive training to employees on document preservation. Failure to do so can result in legal consequences and sanctions.

Cotoia and Melendez also reported that they observed “an uptick” in inquiries from clients regarding ephemeral messaging policies and the need for guidance in this area. Companies are seeking advice on how to navigate the challenges and legal implications associated with ephemeral messaging in business.

The use of ephemeral messaging in business presents challenges and legal implications that organizations need to address. It is crucial for companies to refine their data preservation policies, consider the appropriateness of ephemeral messaging for their business, and proactively manage authorized communication channels. By doing so, companies can mitigate the risks associated with ephemeral messaging and ensure compliance with legal requirements.

Categories
Blog

The Continuous Improvement of Corporate Culture

Welcome to a special five-part blog series on building a stronger culture of compliance, sponsored by Diligent. Over this series I have visited with Yvette Hollingsworth-Clark, Viktor Culjak, Jessica Czeczuga, Michael Parker, and today Alexander Cotoia. In this series, we considered what culture is, how to assess culture, how to put together a strategy to manage culture based upon that assessment, and how to monitor that strategy going forward. We conclude with how to use the information from your monitoring to engage in continuous improvement of your culture.

Many compliance professionals struggle with the ‘softness’ of culture. However, properly viewed, culture can be seen as another type of risk for any organization. Viewed through this lens, culture can be assessed, managed, monitored and improved like any other business risk. This has become even more important since the announcement in October 2021 by Deputy Attorney General Lisa Monaco that the Department of Justice would assess corporate culture as part of corporate compliance enforcement actions. In this concluding Part 5, we consider how to continuously improve your compliance program with Alexander Cotoia of the Volkov Law Group.

Alexander Cotoia, a regulatory compliance manager at the Volkov Law Group, has a rich background in commercial litigation and has spent a significant part of his career as a paralegal before transitioning to an in-house role at Virgin Galactic. Cotoia emphasizes the importance of compliance culture in organizations, believing that a culture promoting compliant behavior reduces the likelihood of ethical lapses or legal violations. He argues that creating a culture of compliance is not only ethically sound but also makes good business sense in today’s era where consumers are well-informed, and employees prioritize alignment with organizational values. Cotoia suggests that organizations should reinforce their values and highlight the economic benefits of compliance to gain buy-in and engagement from employees, while also emphasizing the need for continuous improvement, conducting root cause analysis, and involving various stakeholders to address cultural issues effectively.

At its core, compliance culture is about promoting and encouraging behavior that aligns with ethical and legal standards. It goes beyond simply following rules and regulations; it involves fostering an environment where employees understand the importance of compliance and are committed to upholding it. As Cotoia emphasized, creating a culture of compliance makes good business sense in today’s era, where consumers are more informed than ever before and a new generation of employees are demanding that organizations align with their values.

One key aspect highlighted in the podcast episode is the role of leadership, particularly the CEO, in driving and reinforcing a culture of compliance. Cotoia stressed the importance of CEOs being actively involved in the compliance process, emphasizing the organization’s values, and demonstrating how compliance contributes to the overall success of the organization. By doing so, CEOs can set the tone at the top and inspire employees to embrace compliance as an integral part of their work.

To establish and maintain a culture of compliance, organizations need to employ various tools and strategies. Cotoia discussed the importance of conducting root cause analysis, which involves identifying the underlying causes of non-compliance or ethical lapses. This analysis can be facilitated through anonymous surveys that measure employees’ perception of compliance within the organization and the extent to which compliance concerns are integrated into their daily work. By understanding the root causes, organizations can implement targeted remedial measures to address the identified issues.

Collaboration among stakeholders is also crucial in promoting a culture of compliance. Cotoia emphasized the need for involvement from various departments, such as the financial team, legal, and compliance officers, depending on the specific compliance challenges faced by the organization. By working together, these stakeholders can collectively solve problems and ensure that compliance is embedded throughout the organization.

Monitoring the effectiveness of remedial measures is another critical aspect of compliance culture. Organizations should regularly assess whether the implemented measures are achieving the desired outcomes. This can be done through continuous improvement efforts, such as periodic pulse checks and assessments of employee understanding and engagement with compliance initiatives. If the results indicate that the remedial efforts are not effective, organizations should be willing to revisit the root cause analysis and adjust their approach accordingly.

We also discussed the importance of ongoing communication and collaboration for continuous improvement and alignment with compliance standards. Organizations should foster an environment where employees feel comfortable reporting compliance concerns and where open dialogue is encouraged. This not only helps identify potential issues but also demonstrates the organization’s commitment to addressing them.

In conclusion, the importance of compliance culture in organizations cannot be overstated. It not only minimizes ethical and legal risks but also contributes to the overall success and reputation of the organization. By involving leadership, conducting root cause analysis, collaborating with stakeholders, monitoring effectiveness, and fostering ongoing communication, organizations can create and maintain a culture of compliance that aligns with best practices and meets the expectations of employees and consumers alike. As Alexander Cotoia aptly stated, “Creating a culture of compliance just makes good business sense.”

Tune in to Alexander Cotoia on the Diligent podcast series Unlocking Success: The Crucial Role of Culture in a Best Practices Compliance Program.

Categories
Innovation in Compliance

Unlocking Success: The Crucial Role of Culture in Compliance: Part 5 – Alexander Cotoia on the Continuous Improvement of Culture

Welcome to a special series on building a stronger culture of compliance through targeted and effective training, sponsored by Diligent. I will visit with Yvette Hollingsworth-Clark, Viktor Culjak, Jessica Czeczuga, Michael Parker, and Alexander Cotoia in this series. Over this series, we will consider what culture is, how to assess culture, putting together a strategy to manage culture based upon this assessment, monitoring that strategy in the future, and using information from your monitoring to improve your culture continuously. In this concluding Part 5, we visit with Alexander Cotoia to discuss a strategy for continuously enhancing your compliance program.

Alexander Cotoia, a regulatory compliance manager and consultant at the Volkov Law Group, has a rich background in commercial litigation and has spent a significant part of his career in an in-house role at Virgin Galactic. Alexander strongly emphasizes the importance of compliance culture in organizations, believing that a culture promoting compliant behavior reduces the likelihood of ethical lapses or legal violations. He argues that creating a culture of compliance is not only ethically sound but also makes good business sense in today’s era, where consumers are well-informed and employees prioritize alignment with organizational values. Alexander suggests that organizations should reinforce their values and highlight the economic benefits of compliance to gain employee buy-in and engagement, emphasizing the need for continuous improvement, conducting root cause analysis, and involving various stakeholders to address cultural issues effectively. Join Tom Fox and Alexander Cotoia as they dive deep into how to continuously improve your compliance program in this episode of the Unlocking Success: The Crucial Role of Culture in Compliance Best Practices podcast.

Key Highlights:

  • Cultivating CEO Involvement for Compliance Success
  • Improving Corporate Culture through Effective Monitoring
  • Cultivating Compliance Culture through Stakeholder Collaboration

Ready for Purpose-Driven Compliance? Diligent equips leaders with the tools to build, monitor, and maintain an open, transparent ethics and compliance culture. For more information and to book a demo, visit Diligent.com.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Introduction and Key 2022 Enforcement Actions Involving 3rd Parties

Over the month of April, I will consider the risk management of third parties in an operationalized compliance program. As every compliance practitioner knows, third parties still present the highest risk under the FCPA. You must assess whether the company has a business rationale for needing the third party in the transaction, and the risks posed by third parties, including their reputations and relationships, if any, with foreign government officials. You should ensure that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work provided in that industry and geographical region. Finally, you must continuously monitor the third-party relationships through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

In this introduction, I visit with Alexander Cotoia, a Regulatory and Compliance Attorney at the Volkov Law Group, to consider how recent FCPA enforcement actions point towards the use cases for a robust third-party risk management system. In 2022, most FCPA-related enforcement actions involved third parties and required organizations to reprioritize third-party risk management. In this episode, we consider case studies involving ABB Limited, GOL Airlines, and Oracle, demonstrating the importance of understanding bribery and corruption schemes, making voluntary disclosures, and reassessing third-party risk management.

3 Key Takeaways:

1. How can organizations reprioritize third-party risk management as a core compliance function?

2. How can organizations avoid FCPA violations and maximize cooperation credit?

3. How can organizations effectively assess the risks posed by potential business partners?

Check out The Compliance Handbook, 3rd edition, here.

Categories
Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 5: Alexander Cotoia on Use Cases

Welcome to a special 5-part podcast series sponsored by Diligent, in which we consider a risk-based approach to third-party risk management. Over this series, I will visit with Michael Parker, the Director of Advisory and Consulting Services; Stephanie Font, Director of the Optimizations Group; Kairi Isse, Managed Services Group Manager; Adam Bailey, Senior Vice President, Product Management; and Alexander Cotoia of the Volkov Law Group. In this Part 5, I visit with Alexander Cotoia, a Regulatory and Compliance Manager at the Volkov Law Group, to consider how recent FCPA enforcement actions point toward the use cases for a robust third-party risk management system.

In 2022, the overwhelming majority of FCPA-related enforcement actions involved third parties and required organizations to reprioritize third-party risk management. In this episode, we consider case studies involving ABB Limited, GOL Airlines, and Oracle, which all demonstrated the importance of understanding bribery and corruption schemes, making voluntary disclosures, and reassessing third-party risk management.

Key Highlights

  • How can organizations reprioritize third-party risk management as a core compliance function?
  • What strategies can organizations use to avoid FCPA violations and maximize cooperation credit?
  • How can organizations effectively assess the risks posed by potential business partners?

Notable Quotes

1. “Don’t put yourself in a position of being uncooperative with either the SEC or DOJ. Reassess your framework for third-party risk management holistically and hone in on the nature and quality of the information that’s being collected to objectively evaluate the totality of risks posed by a potential business partner to the organization.”

2. “You really can’t afford to be complacent, especially as we have a new emerging consideration suspecting sanctions and export controls that have become core enforcement priorities of the federal government.”

3. “The critical question asked from a functional perspective is, is it adequate to objectively evaluate the totality of risks posed by a potential business partner to the organization?”

4. “You have to understand that third-party risk, especially as it pertains to anti-bribery and corruption concerns, is a universal constant.”

Resources

Alexander Cotoia on LinkedIn

Check out Diligent’s 3rd party products and services here.

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program – Key 2022 FCPA Enforcement Actions

From the Foreign Corrupt Practices Act (FCPA) enforcement actions in 2022, one clear theme emerges: organizations must reprioritize their third-party risk management programs. Many companies are becoming complacent in this arena, not realizing the potential consequences of not properly assessing their third-party risk management practices. I recently had the opportunity to visit with Alexander Cotoia of the Volkov Law Group to discuss the importance of reprioritizing third-party risk management and how organizations can assess the effectiveness of their current practices. We review three 2022 FCPA enforcement actions to explore the importance of proper third-party risk management and how to avoid the potential consequences of not properly assessing these risks. Join us as we explore the details and implications of these enforcement actions and how organizations can reprioritize their compliance programs for the ever-changing dynamics of third-party risk management.

Here are the steps you need to follow to reprioritize your third-party risk management program:

  1. Understand that third-party risk, especially as it pertains to anti-bribery and corruption concerns, is a universal constant and still the highest risk.
  2. Reassess the framework by which third parties are evaluated and objectively evaluate the totality of risks posed by a potential business partner to the organization.
  3. Implement a risk-based approach to third-party risk management.

1. Understanding third-party risk

Understanding that third-party risk, especially as it pertains to anti-bribery and corruption, is a universal constant is an important step in the risk management process. As evidenced by three key enforcement actions, ABB Limited, Oracle and GOL Airlines, organizations must evaluate the risks posed by potential business partners and ensure that the information collected is adequate to objectively assess the totality of the risks. Organizations should be aware that DOJ guidance expects companies to adopt a risk-based approach to third-party risk management. To ensure that the organization meets these expectations, it should review its existing practices and be prepared to supplement them if necessary. Additionally, organizations should be aware that they may be given credit for voluntary disclosure and cooperation efforts when faced with potential violations. This may be beneficial when determining penalties and is an important factor to consider when dealing with third-party risk.

2. Reassess your third-party framework

Reassessing the framework by which third parties are evaluated and objectively evaluating the totality of risks posed by a potential business partner to the organization is a critical step in reprioritizing your third-party risk management strategy. This should be approached holistically, focusing on the information being collected and its adequacy in objectively evaluating risks. Organizations should adopt a risk-based approach, as recommended by the DOJ, rather than a one-size-fits-all approach. This approach should include due diligence, assessing the potential partner’s reputation and business practices, verifying its legitimacy and background, and understanding its country of origin and that country’s laws. Additionally, organizations should consider the potential partner’s relationship with government officials and whether it could violate any anti-bribery or anti-corruption laws. If any of these issues are identified, organizations should look into them further to ensure that the partner is compliant. By doing this, organizations can ensure that they are not engaging in any activities that could be deemed illegal or unethical.

3. Implement a risk-based approach

Implementing a risk-based approach to third-party risk management is essential to any organization’s compliance program. This involves assessing the external parties on which an organization relies operationally and identifying any risks associated with those external parties. This assessment should include evaluating their qualifications and experience to ensure they are able to meet the organization’s expectations. Additionally, organizations should consider conducting background checks on potential external parties and assessing any potential conflicts of interest that may arise. Once potential external parties have been identified, organizations should conduct due diligence to ensure that the external party has not been involved in any fraud, bribery, or other criminal activities. Organizations should also develop contracts and compliance policies for external parties and monitor their activities to ensure compliance. Finally, organizations should consider developing a training program for their external parties to ensure they understand the organization’s expectations and policies. By implementing a risk-based approach to third-party risk management, organizations can reduce the risk of an FCPA violation and ensure their organization remains compliant.

Third-party risk management is one of the most critical components of any organization’s compliance program. Organizations should take the initiative to reprioritize third-party risk management and assess the effectiveness of their current practices. Through the exploration of three enforcement actions and the introduction of the joint compliance note, this article has highlighted the importance of properly assessing third-party risk and how best to prepare for the ever-changing dynamics of third-party risk management. By implementing a risk-based approach to third-party risk management, organizations can protect themselves from potential violations of the FCPA and ensure their organization remains compliant. With the right tools, processes, and dedication you can achieve the same results and protect your organization from costly fines and penalties.

For more information, on Diligent’s Third-party Risk Management solution, click here.

Listen to Alexander Cotoia on the podcast series, sponsored by Diligent here.

Check out the Volkov Law Group here.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties-Introduction and Key 2022 Enforcement Actions Involving 3rd Parties

Over the month of April, I will consider the risk management of third-parties in an operationalized compliance program. As every compliance practitioner is aware, third-parties still present the highest risk under the FCPA. You must assess whether the company has a business rationale for needing the third party in the transaction, and the risks posed by third-parties, including their reputations and relationships, if any, with foreign government officials. You should ensure that contract terms with third parties specifically describe the services to be performed, the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region.   Finally you must engage in ongoing monitoring of the third-party relationships, through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

In this introduction, I visit with Alexander Cotoia, a Regulatory and Compliance Attorney at the Volkov Law Group to consider how recent FCPA enforcement actions point towards the use cases for a robust third-party risk management system. In 2022, the overwhelming majority of FCPA related enforcement actions involved third parties and required organizations to reprioritize third party risk management. In this episode, we consider case studies involving ABB Limited, GOL Airlines and Oracle which all demonstrated the importance of understanding bribery and corruption schemes, making voluntary disclosures, and reassessing third party risk management.

3 Key Takeaways

1. How can organizations reprioritize third-party risk management as a core compliance function?

2. What strategies can organizations use to avoid FCPA violations and maximize cooperation credit?

3.How can organizations effectively assess the risks posed by potential business partners?

Check out The Compliance Handbook, 3rd edition here