Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Managing 3rd Parties After the Contract Is Signed

The building blocks of any compliance program lay the foundation for a best practices program. In the life cycle management of third parties, most compliance practitioners understand the need for a business justification, a questionnaire, due diligence, evaluation, and compliance terms and conditions in the contract. As companies' compliance programs mature, however, managing the third party after the contract is signed becomes the more important issue. It is where operationalizing compliance meets reality, and it is an area the DOJ specifically called out in its 2020 Update to the Evaluation of Corporate Compliance Programs.

Managing your third parties is where the rubber meets the road in your overall third-party risk management program, and it is a task you must actually execute. Even if you successfully navigate the first four steps, those are in reality the easy ones. Managing the relationship is where the real work begins.

Three key takeaways:

  1. Have a strategic approach to third-party risk management.
  2. Rank third parties based on a variety of factors including compliance and business performance, length of the relationship, benchmarking metrics, and KPIs for ongoing monitoring and auditing.
  3. Managing the relationship is where the real work begins.
Categories
Creativity and Compliance

What the Heck Are We Doing?

Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection – they all take creativity. Join Tom Fox and Ronnie Feldman on Creativity and Compliance, part of the award-winning Compliance Podcast Network.

Ronnie’s company, Learnings and Entertainment, takes the entertainment formats people use to consume information in their everyday, non-work lives and applies them to important topics in compliance and ethics. It is not only about being funny. It is about changing the tone of your compliance communications and messaging to make your compliance program, policies, and resources more accessible.

Get ready to tap into the minds of compliance gurus Tom Fox and Ronnie Feldman as they dive into how corporate culture impacts compliance. In today’s world, corporate culture is a key element of a best practices compliance program, yet many companies still focus on monitoring, risk assessment, policies, and procedures. Ronnie argues that the main goal of compliance is to stop people from doing bad things and to help employees live up to company values. Discover how to create psychologically safe environments, train leaders to build trust, and use interesting and informative content to make your communication and training more engaging. Learn how middle management can work with compliance to build trust, restore institutional fairness for employees who speak up, and repair the lack of integrity observed in many organizations. Creativity and Compliance invites you to reach out for more information about the philosophy behind their solutions. Listen to the podcast today to take the first step towards a culture of compliance!

Key Highlights

·      The Importance of Corporate Culture in Compliance Programs

·      Addressing social and leadership environments in organizations

·      Promoting Integrity and Institutional Trust

·      Engaging Compliance Training Techniques

Key Quote

“We’re trying to stop people from doing bad things or, said in a positive way, we’re trying to help. We want our employees to live up to our values. Right?”

Resources:

Ronnie

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Man Chooses the Target

Compliance Man Takes a EuroTrip – Geert Vermeulen on EU Whistleblower Directive

Compliance Man is back for a new season! Get ready for a EuroTrip with Tom Fox and Tim Khasanov-Batirov on their hit podcast, Compliance Man! In this episode, Tom and Tim speak with Geert Vermeulen, compliance professional and founder of The Integrity Coordinator, about the challenges of implementing effective whistleblower policies in Europe. They discuss cultural differences, the strict requirements on external whistleblowing, and the burden placed on companies to prove that retaliation did not occur. The speakers emphasize the importance of understanding cultural differences and developing precise policies to promote a speak-up culture. The conversation ends with a reflection on the evolution of whistleblower procedures in Europe and thoughts on where things might be headed. This is a must-listen for anyone interested in compliance and corporate culture.

Vermeulen highlights the challenge of transposing the Directive into the national laws of the member states, which has produced differences between them. Each state has its own rules about what can and cannot be reported, and every state has different rules on protection against retaliation.

Here are some tips to help cope with this challenge:

1. Get familiarized with the national laws of the member states where your organization operates.

2. Set up a streamlined procedure and ensure that all employees are aware of the internal complaints and whistleblowing process.

3. Ensure that your whistleblowing process is confidential and that whistleblowers are protected against retaliation. 

Key Highlights

·      Lack of tradition of whistleblowing in Europe

·      Whistleblowing in emerging markets

·      One worldwide whistleblowing program?

·      Whistleblower protection and communication

·      Interplay of EU Whistleblower Directive and GDPR

·      The evolution of whistleblowing in Europe

 Resources

Geert Vermeulen on LinkedIn

The Integrity Coordinator

Tim Khasanov-Batirov on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance and AI

Compliance and AI: Episode 1 – Ant Stevens on Incorporating AI into Your Compliance Program

What is the role of Artificial Intelligence in compliance? What about Machine Learning? Are you using ChatGPT? We will explore these three questions in this exciting new podcast, Compliance and AI. Hosted by Tom Fox, the award-winning Voice of Compliance, this podcast will look at how AI will impact compliance programs into the next decade and beyond. If you want to find out why the future is now, join Tom Fox on this journey to the frontiers of compliance.

In this inaugural episode of Compliance and AI, Tom Fox interviews the CEO and President of 6Clicks, Ant Stevens, who explains that generative AI refers to systems that transform inputs into outputs and produce something you can see or read, such as an image, video, or text. The AI works from an underlying corpus, a kind of brain or reference point; its outputs are generated from that corpus of information, which is what makes these systems a useful tool for improving risk and compliance management.

They discuss GPT-3, the generation of generative AI current at the time of recording, and the wider class of models that let companies generate text, images, and video. The conversation also covers the benefits of AI in content creation and in drafting policy overviews, and emphasizes the importance of prompt engineering and of keeping a human in the loop for decision-making. Stevens shares his belief that we are only scratching the surface of what we can do with artificial intelligence and encourages companies to embrace its potential. Get ready to be empowered and leap into the exciting world of Compliance and AI.

Key Insights

1. Incorporate generative AI into your risk and compliance management systems. Generative AI can help automate parts of the compliance process and reduce human error in tracking and managing compliance requirements, provided its output is reviewed before it is relied on, since these models can produce confident but incorrect text.

2. Train employees on how to use generative AI platforms. Employees trained on generative AI platforms can better understand their compliance requirements and reduce the risk of violations.

3. Stay current with the latest developments in generative AI technology. Companies that keep up with the latest advancements in generative AI technology can better understand how it can impact their business operations and take advantage of new opportunities.

If you’re interested in learning more about the potential applications of generative AI in risk and compliance, listen to the podcast. Stevens shares his insights into how 6Clicks uses generative AI to help companies manage risk and compliance requirements more effectively.

Key Quote

“Generative AI refers to systems that effectively transform inputs into outputs, and the outputs generate something obvious, whether it’s an image or video, a slab of text, something like that.”

Resources

Ant Stevens on LinkedIn

6Clicks

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

Revolutionizing Compliance with RegOps

What is RegOps and how will it revolutionize compliance? I recently visited with Anil Karmel to understand how this concept weds multiple disciplines, including data analytics, Design Thinking, AI, and other tools, into a powerful mechanism to drive compliance forward.

The term RegOps is coined from the combination of regulation and operations, signaling its focus on streamlining the processes around policy adoption, regulatory compliance, and risk management. RegOps brings together software tools and practices that leverage automation to achieve compliance quickly and efficiently. With its focus on near real-time and near continuous compliance, the approach suits businesses that want compliance to be part of their core operations without sacrificing productivity. RegOps addresses the scaling problem of regulatory compliance by borrowing from DevOps: just as DevOps replaced manual, periodic release work with automated pipelines, RegOps replaces manual, periodic evidence gathering with automated, continuous collection. Karmel’s vision was to build a platform that could provide compliant software development continuously and in real time, changing the compliance landscape. RegOps therefore introduces a holistic solution that encompasses both human and machine processes for improved efficiency in regulatory compliance.

Chief Compliance Officers (CCOs) and compliance professionals often face the daunting task of keeping up with ever-changing regulations and demonstrating compliance efficiently and on time. The traditional methods for achieving compliance are manual and time-consuming, and fall short against the increasing complexity of requirements. With the growing significance of compliance to organizational success, there is a pressing need for a more streamlined and automated approach that can address compliance challenges at scale. Karmel emphasized the necessity of transforming the way businesses handle compliance. RegOps can do this, providing an evolution of compliance that shifts away from manual processes towards automation and cultural transformation. By learning from the adjacent discipline of DevOps, Karmel and his co-founder Travis Howard developed an automated, real-time solution to help businesses of any size better address compliance challenges.

One key factor that determines the success of a compliance solution is user experience. The system must provide seamless communication between machines as well as a positive human interaction with the compliance artifacts. By designing the system with its users in mind, the platform becomes more effective and impactful. A RegOps platform should be built around a good machine experience, so that systems can exchange evidence through APIs, and a good human experience, so that people can engage with compliance artifacts. The API-centric platform integrates with an organization’s existing tools to gather evidence in near real time, and automatically creates tickets and real-time reports for any compliance gap. User-friendly reporting caters to stakeholders at various levels, enabling them to trust and rely on the insights derived from the platform.
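As an added illustration of the loop just described, and not code from RegOps, Karmel, or any vendor, here is a minimal compliance-as-code cycle in Python. A collector snapshot of evidence (constructed here, and assumed to come from an identity provider and a storage inventory) is evaluated against controls written as functions; each gap becomes a ticket keyed by control and resource, so that repeated runs neither duplicate tickets nor leave stale ones open; and a per-control pass/fail report is produced for the human side. The control identifiers, evidence fields, and ticket format are hypothetical.

```python
"""Added example of a RegOps-style loop: collect evidence, evaluate it
against controls written as code, open one ticket per gap, report.
Control identifiers, evidence fields and ticket format are hypothetical;
this is not RegOps' or any vendor's code."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Constructed evidence snapshot, of the kind an API-based collector would pull
# from an identity provider and a storage inventory (fields are assumed).
EVIDENCE = {
    "iam_users": [
        {"name": "alice", "mfa": True, "last_login_days": 3},
        {"name": "bob", "mfa": False, "last_login_days": 12},
        {"name": "svc-build", "mfa": False, "last_login_days": 200},
    ],
    "buckets": [
        {"name": "public-site", "public": True, "encrypted": True},
        {"name": "pii-archive", "public": True, "encrypted": False},
    ],
}


@dataclass(frozen=True)
class Control:
    control_id: str                       # hypothetical framework reference
    description: str
    check: Callable[[dict], list[str]]    # returns the non-compliant resources


def users_without_mfa(ev: dict) -> list[str]:
    return [u["name"] for u in ev["iam_users"] if not u["mfa"]]


def stale_users(ev: dict, max_idle_days: int = 90) -> list[str]:
    return [u["name"] for u in ev["iam_users"] if u["last_login_days"] > max_idle_days]


def public_unencrypted_buckets(ev: dict) -> list[str]:
    return [b["name"] for b in ev["buckets"] if b["public"] and not b["encrypted"]]


CONTROLS = [
    Control("AC-2.mfa", "Every user account has MFA enabled", users_without_mfa),
    Control("AC-2.stale", "No account unused for more than 90 days", stale_users),
    Control("SC-28.pub", "No public bucket holds unencrypted data", public_unencrypted_buckets),
]


def evaluate(controls: list[Control], evidence: dict) -> set[tuple[str, str]]:
    """Return the set of (control_id, resource) gaps found in this snapshot."""
    return {(c.control_id, r) for c in controls for r in c.check(evidence)}


class TicketQueue:
    """Stand-in for the ticketing integration. Tickets are keyed by
    (control, resource): re-running the loop neither duplicates an open
    ticket nor leaves one open once the gap has disappeared."""

    def __init__(self) -> None:
        self.open: dict[tuple[str, str], str] = {}
        self.closed: list[tuple[str, str]] = []
        self._seq = 0

    def sync(self, gaps: set[tuple[str, str]]) -> dict[tuple[str, str], str]:
        for key in sorted(gaps - set(self.open)):        # new gaps: open a ticket
            self._seq += 1
            self.open[key] = f"TKT-{self._seq}"
        for key in sorted(set(self.open) - gaps):        # resolved gaps: close it
            self.closed.append(key)
            del self.open[key]
        return dict(self.open)


def report(controls: list[Control], gaps: set[tuple[str, str]]) -> dict[str, str]:
    """Per-control PASS/FAIL view for the human side of the platform."""
    failing = {control_id for control_id, _ in gaps}
    return {c.control_id: "FAIL" if c.control_id in failing else "PASS" for c in controls}


def run_cycle(queue: TicketQueue, evidence: dict):
    """One pass of the continuous loop: evaluate, sync tickets, report."""
    gaps = evaluate(CONTROLS, evidence)
    return report(CONTROLS, gaps), queue.sync(gaps)


if __name__ == "__main__":
    q = TicketQueue()
    status, tickets = run_cycle(q, EVIDENCE)
    print(status)
    print(tickets)
```

Running run_cycle on a schedule, or on every change event from the integrated tools, is what turns a periodic audit into the near-continuous compliance described above; the deduplication in TicketQueue.sync is the part that keeps that feed from flooding the ticket system with repeats.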

Regulatory compliance is an ongoing endeavor, and businesses must constantly adapt to changes and improvements in their fields. Thus, adopting a continuous process that facilitates constant refinement of practices is a necessity for successful compliance operations. By liberating businesses from time-consuming manual processes, automated technological solutions enable them to focus on improving their overall compliance outcomes. Karmel’s vision for RegOps revolves around a continuous, real-time compliance journey that is constantly evolving and adapting to users’ needs. RegOps can help provide continuous, scalable solutions that conquer regulatory compliance challenges by harnessing the power of automation and cultural transformation.

As the business landscape evolves, the importance of compliance cannot be overstated. Organizations need to embrace new approaches, technology, and cultural shifts in order to stay ahead of the curve in meeting regulatory requirements. This entails not only adopting automated solutions but also fostering a culture that prioritizes compliance and understands its impact on both the organization and its stakeholders. Compliance can leverage RegOps to transform the compliance ecosystem. Karmel highlighted that without this shift in approach, businesses will find themselves lagging behind as regulations, and the ways of demonstrating compliance, continue to change. By adopting near real-time and near complete compliance solutions such as those RegOps offers, businesses can stay on top of ever-evolving compliance challenges.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – 3rd Party Compliance Terms and Conditions

The 2020 Resource Guide stated, “In addition to considering a company’s due diligence on third parties, DOJ and SEC also assess whether the company has informed third parties of the company’s compliance program and commitment to ethical and lawful business practices and, where appropriate, whether it has sought assurances from third parties, through certifications and otherwise, of reciprocal commitments. These can be meaningful ways to mitigate third-party risk.”

You should incorporate appropriate compliance terms and conditions into every contract with a third party. Prepare a template that can serve as the starting point for your negotiations. The advantages of a template are several: (1) the contract language has been tested against real events; (2) it helps the company manage its compliance risks; (3) it fits into a series of related contracts; (4) it is straightforward to administer; and (5) it manages the expectations of both contracting parties regarding anti-bribery and anti-corruption.

Many doubt they will get a third party to agree to such compliance terms and conditions. I have found that, while it may not be easy, it is relatively simple to get a third party to agree to these or similar terms. One approach is to present them as non-negotiable; when faced with such a position on non-commercial terms, many third parties will not fight it. There is some flexibility, but the DOJ will expect to see minimum compliance terms and conditions in your contracts. The best position I have found, however, is that a third party which agrees to these terms and conditions can use that agreement as a market differentiator.

Three key takeaways:

  1. Compliance terms and conditions are mandatory for any best practices compliance program.
  2. A key clause is a right-to-audit clause.
  3. Third parties can favor robust compliance terms and conditions as a market differentiator.
Categories
Compliance Into the Weeds

Microsoft OFAC Enforcement Action

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. In this episode, join Tom and Matt as they delve into Microsoft’s recent sanctions enforcement action with OFAC. They explore what went wrong and how to avoid costly compliance failures, from potential red flags to reseller relationships. But it’s not all doom and gloom: they also discuss how Microsoft implemented a three lines of defense model for sanctions compliance, setting a benchmark for the industry. With Tom and Matt going into the weeds on the importance of centralization and persistent screening technology, this podcast is a must-listen for any compliance officer looking to stay ahead of the curve. Tune in now to find out more!

Key Highlights 

·      Sanctions compliance case involving Microsoft

·      Microsoft’s Sanctions Compliance Model

·      Microsoft’s Sanctions Compliance Program Remediation

·      Sanctions Compliance and OFAC Guidance

·      Impact of Russia invasion on Microsoft operations

 Notable Quote:

“It’s well worth giving the case a good look. So it was, I thought, a great lesson on resellers and the way the hardware and software industry did business.”

 Resources

Matt on LinkedIn

Matt on Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

2022-The Year in FCPA

2022 saw a relatively slow year in Foreign Corrupt Practices Act (FCPA) enforcement actions. Yet, as usual, the cases themselves were packed with much for the compliance professional to digest. Moreover, 2022 was a very significant year for every compliance practitioner and compliance program. My latest book, 2022 – The Year in FCPA – FCPA Enforcement Actions, DOJ Commentary and Key Lessons for Compliance from 2022, reviews the corporate FCPA enforcement actions from the past year and mines them for lessons the compliance practitioner can apply.

The cases themselves ranged in fine and penalty values from $1.1 billion (Glencore International A.G.) down to $6.3 million (KT Corporation). The Department of Justice (DOJ) FCPA prosecutions involved the following entities: Stericycle Inc. (Stericycle), with an overall fine of $84 million; Glencore, with an overall fine of $1.1 billion; GOL Linhas Aéreas Inteligentes S.A. (GOL), with an overall fine of $41 million; ABB Ltd. (ABB), with an overall fine of $315 million; and, concluding the year, Honeywell UOP, with an overall fine of $160 million. From the Securities and Exchange Commission (SEC) we saw enforcement actions involving KT Corp, with a penalty of $6.3 million; Tenaris S.A., with a penalty of $78 million; Oracle Corporation (Oracle), with a penalty of $23 million; and Stericycle, GOL, ABB and Honeywell, with the fine amounts noted above. Finally, Glencore was also fined by the Commodity Futures Trading Commission (CFTC).

The total fines and penalties were $1.396 billion. Under the new monitorship policy, announced in October 2021 and put into practice through the Monaco Memo, two cases included appointments of Corporate Monitors (Glencore and Stericycle). From the DOJ there were two Declinations. The first involved the French entity Safran S.A. and included a $17 million disgorgement. The second involved the UK entity Jardine Lloyd Thompson Group Holdings Ltd. (JLT) and included a $29 million disgorgement. 2022 saw one individual FCPA trial, involving former Goldman Sachs Group Inc. Managing Director Roger Ng, who was convicted for criminally circumventing the firm’s internal controls. The Swedish telecom company Telefonaktiebolaget LM Ericsson (Ericsson) had its monitorship extended for one year amid an ongoing investigation into whether it breached its Deferred Prosecution Agreement (DPA), and the Russian entity Mobile TeleSystems PJSC (MTS) also had its monitorship extended for one year.

In the realm of individuals, there were 24 individual criminal prosecutions, and individual prosecutions continued at an aggressive pace. With the formalization of the Monaco Memo, the DOJ will be targeting more individuals for prosecution in 2023, so the pace of individual prosecutions will continue and probably increase. In 2022, the majority of the individual prosecutions stemmed from prior FCPA actions involving a small number of companies, most notably Petróleos de Venezuela S.A. (PDVSA), Vitol Inc., Odebrecht S.A. and Sargeant Marine Inc. It is significant that the DOJ has continued to pair anti-money laundering (AML) charges, which carry a 20-year maximum sentence, with FCPA charges, which carry a five-year maximum.

However, 2022 was a very significant year for every compliance practitioner and compliance program. While there was a paucity of corporate FCPA enforcement actions, three actions were significant, with multiple lessons for the compliance professional. In ABB, we learned about the costs of a corrupt culture and recidivism. In Glencore, we saw what happens to a company that engages in worldwide systemic bribery and corruption. Finally, in Stericycle, the company had a culture of corruption burned into the DNA of the LATAM business unit, which was so thorough that it was documented via bribery spreadsheets and analysis of revenue based on payments of bribes in LATAM. Yet even with this corrupt culture, the Stericycle enforcement action demonstrated how a company could take advantage of the discounts available under the FCPA Corporate Enforcement Policy by extensive cooperation and remediation during the pendency of the FCPA investigation, as the company obtained a 25% reduction off the bottom of the applicable US Sentencing Guidelines fine range.

September saw the announcement of a significant refinement of DOJ enforcement policies on the FCPA enforcement and corporate compliance programs. It was encapsulated in the Monaco Memo and a speech by Deputy Attorney General Lisa Monaco announcing the Monaco Doctrine. There was additional commentary by Principal Associate Deputy Attorney General Marshall Miller in a speech and by Assistant Attorney General Kenneth A. Polite. Every compliance professional should know them in detail as they significantly turn the heat up on corporate compliance programs. The Monaco Memo is further clarification and guidance for line prosecutors when considering whether to put a monitor in place. While we have seen these factors in a disparate manner, in disparate places, here they are in writing. Perhaps the greatest significance is that the Memo sets down all these matters in writing, which leads to a blueprint for DOJ thinking and a roadmap for anyone who finds themselves in an FCPA investigation or enforcement action. Finally, the Monaco Memo cemented the new DOJ requirement for CCO certification of compliance programs at the end of a resolution.

The final key event for compliance in 2022 was very much under the radar. The DOJ hired Matt Galvan to help develop data analytics expertise and capability for the FCPA Unit and the Fraud Section. Galvan was most recently the CCO at AB InBev and perhaps the top compliance professional in data analytics for a corporate compliance program. It will be most interesting to see where Galvan and the DOJ take this initiative, but it does portend the increasing use of data analytics in FCPA enforcement and compliance.

What did the year 2022 in FCPA mean for you? Check out 2022 – The Year in FCPA, now available on Amazon.com.

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 3

What happens when two top compliance commentators get together? They talk compliance, of course. Join Kristy Grant-Hart and Tom Fox for their new podcast, 2 Gurus Talk Compliance! But it is not simply Kristy and Tom talking about compliance: in this series they also review the work of other top commentators in compliance. In this episode, they discuss the recent jail time for a Wells Fargo executive, the UK government’s plan to step up enforcement of anti-corruption and AML laws, due diligence before acquiring a company, and the recent charges against the co-founder of FTX. They also touch on the shift towards valuing a healthier relationship with work and the potential of the Metaverse in the compliance industry. Tune in to hear Tom and Kristy break down the latest compliance news and provide valuable insight into the industry that will keep you ahead of the curve.

 Highlights Include

·      Corporate Ethics and Compliance

·      The Wells Fargo Scandal and Criminal Accountability

·      Uncertainty surrounding CCO certification

·      UK Government’s Fight Against Corporate Crimes

·      COVID and the Future of Work

·      The Importance of Due Diligence in Acquisitions

·      Move into the compliance profession

·      Indictment of Sam Bankman-Fried

 Notable Quotes

1.     “If you buy a company engaging in bribery and corruption, you’re not responsible for that. But when you take title and ownership, they are not engaging in broader corruption; it is you who are engaging in broader corruption.”

2.     “I just think that flat banning of ChatGPT is taking away hugely useful business tools from the Italian business sector.”

3.     “It is incredibly rare for a bank officer to be held criminally accountable.”

4.     “I think we’ll start to see that now move from becoming an extraordinary practice to a best practice to a regular practice to table stakes.”

Resources 

1.     Italy Bans ChatGPT

2.     Why have workers given up the office

3.     CCO certifications

4.     Getting your first job in compliance

5.     SBF and the FCPA

6.     Carrie Tolstedt pleads guilty

7.     UK to invest in economic crime enforcement

8.     What is happening to the Metaverse

9.     Flutter settles FCPA enforcement action

Connect with Kristy Grant-Hart on LinkedIn

Spark Consulting

Connect with Tom Fox on Linkedin

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Questionnaire

The next step in the five-step process is the questionnaire. The term ‘questionnaire’ is mentioned several times in the 2020 FCPA Resource Guide, and it is generally recognized as one of the tools a company should use in its investigation to understand better with whom it is doing business. The questionnaire should be mandatory for any third party that wants to work with your company, because it requires the proposed business partner to commit the required information to writing before the due diligence process begins. Remember, if a third party does not want to fill out the questionnaire, or will not fill it out completely, you should not walk but run away from doing business with that party.

One of the key requirements of any successful compliance program is that a company makes an initial assessment of a proposed third party. The size of the company does not matter: a small business can face significant risks and need more extensive procedures than a larger business facing limited threats. The level of risk will also vary with the type and nature of the third parties with which the company has business relationships. For example, a company that appropriately assesses that there is no risk of bribery on the part of one group of its third parties will require nothing in the way of procedures to prevent corruption in those relationships. By the same token, the bribery risk of relying on a third-party agent to represent the company in negotiations with foreign government officials may be assessed as significant and, accordingly, requires much more in the way of procedures to mitigate it.

The questionnaire fills several vital roles in your overall management of third parties. It provides key information you need about who you are doing business with and whether they can fulfill your commercial needs. Just as important is what a questionnaire that is not completed, or only partially completed, tells you, such as a lack of awareness of the FCPA, the U.K. Bribery Act, or anti-corruption/anti-bribery programs generally. Lastly, the information provided (or not provided) in the questionnaire will help you determine what level of due diligence to perform.

Three key takeaways:

  1. You must have enough information to fully identify the owners, UBOs, and related parties to determine if there is foreign official involvement.
  2. All commentary on best practices compliance programs requires questionnaires.
  3. If a third party refuses to fully respond to your questionnaire, run and don’t walk away from the proposed relationship.
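The first takeaway above, identifying owners and UBOs to determine whether a government official is involved, is a calculation rather than a form field: ownership is often layered through holding companies, and a person’s effective stake is the product of the percentages along each chain. The following Python is an added example, not part of the original post or any regulator’s guidance, that walks a constructed set of questionnaire answers, totals each natural person’s indirect ownership, applies the 25% threshold many beneficial-ownership regimes use for UBO status (an assumption here; use your own jurisdiction’s figure), and separately flags any official ownership at any percentage, since for anti-corruption purposes the official’s involvement matters regardless of size. It also surfaces declarations that do not add up to 100% or that loop back on themselves, which is exactly the kind of incomplete answer the third takeaway says should make you walk away.

```python
"""Added example: resolve effective (indirect) ownership from layered
questionnaire answers and flag UBOs and government-official owners.
Names, percentages and the official list below are constructed."""
from __future__ import annotations
from collections import defaultdict

# Constructed disclosures: entity -> list of (direct owner, percentage).
OWNERSHIP = {
    "AcmeDistributors": [("HoldCo", 60.0), ("Alice", 40.0)],
    "HoldCo": [("Bob", 50.0), ("MinisterC", 50.0)],
}
NATURAL_PERSONS = {"Alice", "Bob", "MinisterC"}
# Constructed result of screening the named individuals against official/PEP sources.
GOVERNMENT_OFFICIALS = {"MinisterC"}

UBO_THRESHOLD = 25.0  # assumption: the 25% test used by many beneficial-ownership regimes


def effective_ownership(entity: str, declarations: dict, natural_persons: set,
                        max_depth: int = 10) -> dict[str, float]:
    """Total each natural person's share of `entity` across every ownership chain.

    Shares along a chain multiply (60% of a company that is 50% owned by Bob
    gives Bob 30%). Undeclared, circular or over-deep ownership is not silently
    dropped: it is recorded under a '<gap:...>' key so the reviewer sees it.
    """
    totals: dict[str, float] = defaultdict(float)

    def walk(node: str, share: float, depth: int, path: frozenset) -> None:
        if node in natural_persons:
            totals[node] += share
            return
        if node in path or depth >= max_depth:
            totals[f"<gap:circular:{node}>"] += share
            return
        owners = declarations.get(node, [])
        declared = sum(pct for _, pct in owners)
        if declared < 100.0 - 1e-9:          # answer does not account for all shares
            totals[f"<gap:undeclared:{node}>"] += share * (100.0 - declared) / 100.0
        for owner, pct in owners:
            walk(owner, share * pct / 100.0, depth + 1, path | {node})

    walk(entity, 100.0, 0, frozenset())
    return dict(totals)


def assess_third_party(entity: str, declarations: dict, natural_persons: set,
                       officials: set) -> dict:
    """Summarize what the questionnaire answers do and do not establish."""
    shares = effective_ownership(entity, declarations, natural_persons)
    return {
        "shares": shares,
        # Natural persons at or above the UBO threshold.
        "ubos": sorted(n for n, s in shares.items()
                       if not n.startswith("<") and s >= UBO_THRESHOLD),
        # Any official with any stake, threshold or not: an anti-corruption red flag.
        "official_owners": sorted(n for n in shares if n in officials),
        # Gaps that must be closed before due diligence can even be scoped.
        "gaps": sorted(n for n in shares if n.startswith("<")),
    }


if __name__ == "__main__":
    result = assess_third_party("AcmeDistributors", OWNERSHIP, NATURAL_PERSONS, GOVERNMENT_OFFICIALS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In the constructed case MinisterC never appears on the face of the contract; the official only surfaces once the 50% stake in HoldCo is multiplied through HoldCo’s 60% stake in the distributor, which is why the questionnaire has to ask for the full chain and not just the immediate shareholders.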