
How Compliance Should Show Up Before the Crisis

Recently, my colleague Matt Kelly wrote a blog post about retaliation against Chief Compliance Officers (CCOs). Matt and I explored it in an episode of the podcast Compliance into the Weeds. Matt’s post and our discussion crystallized one of the frustrations of the CCO role: compliance is often experienced by senior management solely as a late-arriving messenger of bad news. When compliance walks into the room, something has already gone wrong. The tone changes. Defenses go up. Trust narrows.

Yet the most consequential moments for a CCO are precisely those situations where the stakes are highest. A potential regulatory disclosure. A decision about whether to notify a government agency. A moment where delay, missteps, or poor coordination can turn a manageable issue into an enterprise-level crisis. If compliance is only visible in those moments, the relationship with the CEO and executive leadership team is already at a disadvantage.

Interestingly, in our podcast, we explored a technique that might be termed “coaching management ahead of time”. Matt picked up the strategy of borrowing from the cyber world the practice of incident-response training for a cyber-attack. I see this as a very powerful way not only to communicate compliance but also to train on the specific issues senior management will face if a reportable compliance incident occurs. You could train on such hypotheticals by walking the executive leadership team through them so they understand the process, while also providing training on the specific issues.

I think this approach offers practical, repeatable ways to build trust with senior management before a crisis, so that when compliance raises a serious issue, the function is seen as a stabilizing force, not a source of panic.

The Core Problem: Compliance as the Bearer of Bad News

Many compliance officers do excellent technical work but still struggle to earn executive trust. The reason is not competence. It is timing and framing. Senior leaders often experience compliance in three narrow contexts:

  • An investigation has begun;
  • A whistleblower allegation has escalated; and/or
  • A regulator may need to be notified.

In those moments, compliance is necessarily directive. The CCO must slow decisions down, insist on process, and sometimes recommend outcomes executives would prefer to avoid. Without a foundation of trust, those recommendations can feel punitive or overly conservative. The solution is not softer messaging during crises. The solution is familiarity with the compliance process long before the crisis arrives.

Process Transparency as a Trust-Building Strategy

Trust is built through predictability. Senior executives are far more comfortable with difficult outcomes when they understand the process that leads there. This is where scenario-based training becomes one of the most underused tools in the compliance arsenal. Instead of waiting for a live issue, the CCO can walk the executive leadership team through realistic hypotheticals:

  • A fact pattern that suggests regulatory notification may be required
  • How compliance evaluates credibility and materiality
  • Who is involved at each stage and why
  • What decisions management will be asked to make
  • What actions help, and what actions make things worse

These sessions are not about assigning blame or rehearsing fear. They are about demystifying how compliance operates when the stakes are high.

Why Scenario-Based Training Works With Executives

Scenario-based discussions resonate with executive teams for several reasons. First, they are practical. Executives do not need another policy overview. They want to know what actually happens when something goes wrong. Second, they are respectful of executive time and intelligence. A well-designed hypothetical treats leadership as decision-makers, not students. Third, they normalize compliance involvement.

When executives have already walked through a compliance-led process in a low-pressure setting, that process feels familiar rather than threatening during a real event. Most importantly, scenario-based training reframes compliance from a reactive function to a preparedness function.

The Strategic Role of Informal Engagement

These conversations do not need to occur only in formal training sessions. In fact, some of the most effective trust-building happens outside structured settings.

  • A short walkthrough during an executive offsite.
  • A tabletop discussion over lunch.
  • A casual conversation that begins with, “Let me show you how we would handle this if it ever happened.”

These informal touchpoints matter because they remove fear from the equation. They allow executives to ask questions they might not ask during a live issue. They also allow compliance to show judgment, nuance, and business awareness. This is not a charm offensive. It is a deliberate relationship strategy.

Training on What Not to Do

One of the most valuable elements of scenario-based transparency is the ability to explain mistakes before they occur. Executives often want to help in a crisis. That instinct, while well-intentioned, can create problems. Premature document reviews. Side conversations. Incomplete recollections. Overconfident assurances.

Scenario training allows the CCO to say, in advance, “Here is what helps us protect the company,” and just as importantly, “Here is what can unintentionally make things worse.” When executives understand these boundaries ahead of time, compliance interventions during a real issue feel protective rather than restrictive.

From Messenger of Doom to Stabilizing Force

When compliance has invested in transparency and education, something important shifts. When the CCO later says, “We believe this may require regulatory notification,” that recommendation is no longer heard in isolation. It is understood as part of a known, previously discussed process.

Executives may not like the conclusion, but they trust the path that led there. That trust allows compliance to do its job effectively. It reduces friction. It shortens response time. It improves decision quality. Most importantly, it positions compliance as an advisor whose presence brings structure and clarity to uncertainty.

What Compliance Officers Should Take Away

For compliance officers, the lesson is not about presentation skills or tone management. It is about timing and familiarity. If senior management only experiences compliance during moments of stress, compliance will always feel adversarial. If senior management understands the compliance process before the stress arrives, compliance becomes a stabilizing influence.

Scenario-based training, informal engagement, and process transparency are not “nice to have” activities. They are strategic tools for relationship-building at the highest levels of the organization. The most trusted CCOs are not those who avoid bringing bad news. They are the ones who ensure that when bad news arrives, it is delivered within a framework everyone already understands. That is how compliance earns trust before the crisis and credibility during it.


Congress Fills a Corruption Hole: The Foreign Extortion Prevention Act (FEPA)

The compliance community has long recognized the gaping hole in the Foreign Corrupt Practices Act (FCPA). As a supply-side law, it criminalizes the payment of bribes, not the demand for a bribe or extortion. That gap was recently filled by the Foreign Extortion Prevention Act (FEPA), which extends crucial protections to Americans working abroad and provides the Department of Justice (DOJ) with a potent new tool. By criminalizing both the giving and the demanding of foreign bribes, FEPA seeks to level the playing field for American workers while fostering ethical business practices globally. FEPA represents a promising solution to protect Americans working overseas, promote fair business competition, and combat corruption on a global scale. With its potential to bring about meaningful change, FEPA is a vital step in safeguarding American values and interests in the international arena. Sam Rubenfeld quoted Scott Greytak, the director of advocacy for Transparency International US, as follows: “FEPA is a landmark, bipartisan law that holds the potential to help root out foreign corruption at its source. It is arguably the most sweeping and consequential foreign bribery law in nearly half a century.”

This legislation fills a significant gap in anti-corruption measures and raises important questions about its implications for the enforcement of the Foreign Corrupt Practices Act (FCPA) and the cooperation expected from companies involved in bribery schemes. FEPA, part of the National Defense Authorization Act (NDAA), addresses a long-standing concern among anti-corruption advocates. While the FCPA has been effective in penalizing US companies for offering bribes to foreign officials, there has been a lack of legal mechanisms to hold foreign government officials accountable for accepting these bribes. FEPA now provides prosecutors with the means to pursue such officials.

One of the key aspects of FEPA is that it criminalizes the solicitation or acceptance of bribes by foreign government officials from US entities. This complements the FCPA, which focuses on the offering of bribes by US companies. By targeting both sides of the bribery equation, FEPA aims to create a more comprehensive and effective framework for combating corruption.

However, the implementation of FEPA is not without its challenges. One of the main challenges is the extradition of foreign officials for prosecution, particularly from countries like Russia or China. Extradition processes can be complex and time-consuming, and cooperation from foreign governments may not always be forthcoming. This poses a significant hurdle in holding foreign officials accountable under FEPA.

Another notable feature of FEPA is the introduction of a “name and shame” list. This list is intended to publicly identify and shame foreign government officials involved in bribery schemes. While this may serve as a deterrent, it could also have unintended consequences. For instance, it may affect Transparency International’s corruption perception indexes, potentially changing the rankings of countries and their relations with the US. Additionally, it could have implications for US companies operating in those countries, potentially straining foreign relations.

The passage of FEPA raises important considerations for compliance officers and companies. They need to assess how this new law may impact their existing controls and policies. The arrival of FEPA as a tool to combat corruption is undoubtedly a positive development. However, it is crucial to carefully evaluate the potential implications for FCPA prosecutions and the cooperation expected from companies involved in bribery cases.

Compliance officers should also consider the potential changes in the calculus for prosecutors. With FEPA in place, prosecutors may now have the legal means to pursue foreign government officials complicit in bribery schemes. This raises questions about the extent to which companies will be required to assist the DOJ in pursuing FEPA cases alongside FCPA cases. Companies may need to provide testimony and cooperate in the prosecution of foreign officials, potentially impacting the resolution of FCPA violations.

Looking ahead, it is essential for the DOJ to provide clarity on how FEPA will be utilized and what expectations companies should have when caught up in FEPA-related investigations. Transparency and guidance from the Department of Justice will help companies navigate the potential challenges and ensure compliance with the law.

The bottom line is that FEPA represents a significant step in the fight against corruption. By criminalizing the solicitation or acceptance of bribes by foreign government officials from US entities, FEPA fills a crucial gap in anti-corruption measures. However, challenges remain in extraditing foreign officials for prosecution and managing the potential consequences of the “name and shame” list. Compliance officers and companies must carefully consider the implications of FEPA on their operations and update their controls and policies accordingly. With proper guidance and cooperation, FEPA can be a powerful tool in combating corruption and promoting ethical business practices.

Penalties under FEPA include the following (from Transparency International):

  1. Expanding Legal Protections: FEPA amends U.S. bribery law (18 U.S.C. § 201) to make it illegal for foreign officials to corruptly demand, seek, receive, or accept bribes under two crucial circumstances:
     • From U.S. individuals or companies.
     • From any person while within the United States, in connection with obtaining or retaining business.
  2. Stringent Penalties: Those found guilty of violating FEPA could face severe consequences, including:
     • Criminal fines of up to $250,000 or three times the value of the bribe, whichever is greater.
     • Prison sentences of up to 15 years.
  3. Transparency and Accountability: FEPA introduces a vital accountability mechanism by requiring the DOJ to publish an annual report. That report:
     • Examines the scale and nature of foreign bribe demands against American companies, shedding light on the extent of the issue.
     • Evaluates the effectiveness of U.S. diplomatic efforts aimed at safeguarding American businesses from foreign bribe demands.
     • Assesses the efforts of foreign governments to prosecute individuals involved in corrupt practices against American interests.

Matt Kelly and I take a deep dive into FEPA on this week’s Compliance into the Weeds.


The Importance of Tailored Policies for Compliance and Risk Management

In compliance and risk management, one size does not fit all. Generic policies and procedures may seem convenient but can lead to compliance risks and potential harm. This is why the Securities and Exchange Commission (SEC) stresses the need for well-designed, tailored policies and procedures in areas such as anti-money laundering (AML) and cybersecurity.

In a recent episode of “Compliance into the Weeds,” Tom Fox and Matt Kelly discussed in detail the importance of tailored policies for compliance and risk management. They examined the case of Deutsche Bank, where the SEC imposed sanctions due to faulty policies. The bank had taken generic policies not specific to its mutual fund obligations and declared them its AML program. This cut-and-paste approach led to compliance risks and inconsistencies that caught the attention of regulators.

The case also serves as a reminder of the potential consequences of misleading marketing practices without proper procedures. The SEC sanctioned DWS $25 million for failures around ESG disclosures and a poor AML program. In both instances, faulty policies and procedures were identified as the root cause of the compliance failures.

The key takeaway from this case is that companies should conduct risk assessments and gap analyses to identify their specific needs and design appropriate policies. A good risk assessment is the foundation for crafting effective policies and procedures. It helps organizations understand their risks, evaluate their controls, and determine the necessary steps to mitigate them.

The impact on employees when designing policies and procedures should be considered. Simply copying and pasting language from regulations without considering the organization’s unique structure, technology, and transactions can lead to confusion and compliance risks. Employees need clear guidance on their duties and responsibilities; generic policies do not provide that clarity.

Compliance officers should create policies and procedures tailored to their organization’s needs and risks to avoid compliance risks and potential harm. Considering the organization’s specific circumstances, resources, and capabilities requires a thoughtful approach. It also requires regular risk assessments, gap analyses, and monitoring of policy effectiveness.

How to do so? The 2020 FCPA Resource Guide, 2nd edition, provided guidance. It stated, “When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to ensure that the Code of Conduct remains current and effective and whether a company has periodically reviewed and updated its Code.” [emphasis supplied] Some of the questions you should consider are:

  • When was the last time your policies and procedures were released or revised?
  • Have there been changes to your company’s internal controls since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s policies and procedures?
  • Are any of the policies and procedures outdated?
  • What is the budget to create/revise your policies and procedures?

After considering these issues, you should benchmark your current policies and procedures against other companies in your industry. If you decide to move forward, I suggest a process that can be fully documented to include revisions to your compliance policies and procedures.

Get buy-in from the senior leadership of your company. Your company’s highest level must mandate revising compliance policies and procedures. The CEO, GC, CCO, or all three should demand this effort. Whoever gives the order should be consulted at every step of the revision process of the policies and procedures if it involves a change in the direction of key policies.

Establish a core policies and procedures revision committee. A cross-functional working group is the ideal vehicle to advance your effort to revise your compliance policies and procedures. This group should include representatives from legal, compliance, communications, and HR, as well as other functions that represent the company’s domestic and international business units. Finally, include the remaining functions within the company, such as finance and accounting, IT, marketing, and sales.

From this large group, topics can be assigned for initial drafting to the functions for which they are most relevant or necessary. Those functions would also solicit feedback from their functional peers and deliver a final proposed draft to the Drafting Committee. You must establish a timetable for the revision process and hold representatives accountable for meeting their revision deadlines.

Conduct a thorough technology assessment. The cornerstone of the revision process is how your company captures, collaborates on, and preserves all the comments, notes, edits, and decisions during the entire project. In addition to using technology to revise your compliance policies and procedures, you should determine whether they will be available in hard copy, online, or both. There must be a distribution plan, particularly if the Code and compliance policies and procedures are only available in hard copy.

Determine translations and localizations. The 2020 FCPA Resource Guide clarified that your compliance policies and procedures must be translated into the local language for your non-English speaking workforce. The key is that your employees have the same understanding of the compliance policies and procedures regardless of the language.

Develop a plan to communicate the revised policies and procedures. The rollout is always critical because the revised policies and procedures must be communicated in a way that encourages employees to review and use them on an ongoing basis. Your company should use the whole armor of available tools to publicize the revised compliance policies and procedures. This can include a multi-media approach or handing a copy to all employees at a designated time. You might consider holding a company-wide compliance policies and procedures meeting where the new or revised documents are rolled out across the company all in one day. Remember that, with all things compliance, the three most important aspects are “Document, Document, and Document.” So, when you deliver the new or revised policies and procedures, you must document that each employee received them.

Stay on target and on budget. Set realistic expectations so that the work stays on deadline and within budget; this applies to a policies and procedures revision as much as to any other project. Keep a close watch on your budget so you do not exceed it.

These points are a valuable guide to not only thinking through how to determine if your policies and procedures need updating but also practical steps on how to tackle the problem. You should begin the process now if it has been more than five years since the last updates. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

There are tradeoffs involved in balancing different factors when designing policies and procedures. Compliance officers need to consider the organization’s staffing, technology, review processes, and the need for human intervention in automated systems. Insufficient resources and inconsistent procedures can lead to compliance gaps and backlogs, increasing the organization’s exposure to compliance risks.

In conclusion, the importance of tailored policies for compliance and risk management cannot be overstated. Generic policies may seem like a quick fix, but they can lead to significant compliance risks and harm. Compliance officers should conduct risk assessments, identify specific needs, and design policies and procedures that address those needs. Employee understanding and guidance are crucial, and policies should be regularly assessed, monitored, and updated as necessary. By taking a tailored approach to compliance and risk management, organizations can minimize their exposure to compliance risks and protect themselves from potential harm.