Categories
31 Days to More Effective Compliance Programs

The Corp Controller and Business Ventures

One area not often considered by the CCO as a key part of a compliance regime is the Corporate Controller. The Controller generally has the responsibility to accurately record and report the financial transactions of the company; to design, implement and execute the company’s financial processes and controls so that they are both effective and efficient; and to safeguard the company’s financial assets. The Controller’s compliance responsibilities include: 1) designing and implementing internal controls that address ethics and compliance risks; 2) accurately recording the financial transactions of the company; and 3) preventing and detecting fraudulent activity. In practical terms, this means the Controller is both the keeper of the books and records and the implementer of internal controls. Moreover, while many of these internal controls would most probably be viewed as financial internal controls, there are additional internal controls which are not financial in nature.

Russ Berland has noted, “Those guys live really in the battle zone. They are constantly looking at financial transactions. They’re evaluating them. They’re figuring out where things go within the books and records. They are implementing the processes that should be keeping fraud from happening; keeping bribery and corruption from happening.”

These benefits are not a one-way street, as the Controller also benefits from a closer relationship with the corporate compliance function. The Controller can leverage compliance resources, and the compliance function can bring its observations and insights from investigations and emerging risks to the Controller. Closer collaboration broadens awareness of the compliance risks that relate to the company’s financial processes. By more fully integrating compliance into the Controller function, a more robust picture of enterprise risk emerges, one which encompasses legal, compliance, ethics, internal controls, financial, business and governance risks.

Three key takeaways: 

  1. CCOs need to integrate the function of the Controller into their compliance regime.
  2. Offshore payments must be flagged for further investigation.
  3. The Controller is both the keeper of the books and records and the implementer of internal controls.
Categories
Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 2: Stephanie Font on Questionnaires and Due Diligence

Welcome to a special 5-part podcast series sponsored by Diligent, in which we consider a risk-based approach to third-party risk management. Over this series, I will visit with Michael Parker, Director of Consulting and Advisory Services; Stephanie Font, Director, Operations Optimization Group; Kairi Isse, Group Manager of Managed Services Group, Productions; Adam Bailey, Senior Vice President, Product Management; and Alexander Cotoia, Regulatory Compliance Manager from the Volkov Law Group. In this Part 2, I visit with Stephanie Font on evaluating potential third parties through questionnaires, determining the due diligence investigation needed to comply with applicable regulations, and using questionnaires to uncover the truth.

Why is understanding the applicable regulations and risk factors important when creating questionnaires to support due diligence? Once a company understands its risk model and the specific regulations it needs to comply with, creating effective questionnaires becomes easier. Stephanie also explains how a third-party risk management system can automate parts of the process and flag potential risk factors, and how to document and investigate potential third parties effectively.

Key Highlights

  • How questionnaires can be used to comply with regulations and inform a risk model.
  • How due diligence investigations can help to uncover risk factors in a potential third party.
  • How a third-party risk management system can automate parts of the process.

Notable Quotes

1. “Knowing what you’re trying to comply with and thinking of those questions that are going to get you there is probably the top thing.”

2. “Don’t lose your common sense and listen if your gut tells you something’s wrong.”

3. “Documentation is key to creating an internal audit trail and having something to show to regulators.”

4. “Know your own risk model and build the risk model into the system to flag any potential risk factors.”

Resources

Stephanie Font on LinkedIn

Check out Diligent’s 3rd party products and services here.

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program-Questionnaire and Due Diligence

Are you considering a third-party questionnaire for your organization? With so much debate around what should be asked, and how detailed you should be, it can be hard to know where to start. In this 5-part blog post series, sponsored by Diligent, I will consider the full range of third-party risk management. Today, we consider the third-party questionnaire, and I am joined by Stephanie Font, Director of the Operations Optimization Group at Diligent, to discuss third-party questionnaires and due diligence investigations.

Every compliance professional needs to understand their organization’s risk profile in order to craft the right due diligence process and ensure compliance. Here are the three steps to follow:

  1. Questionnaire: Gathering basic information about the third party and what regulations need to be complied with.
  2. Due Diligence Investigation: Investigating the third party based on their answers to the questionnaire and other risk factors.
  3. Documenting: Keeping records of the due diligence investigations to be used in the future.

Questionnaire: Gathering basic information about the third party and what regulations need to be complied with.

The first step in managing third parties is to create a questionnaire to gather basic information about the third party and the regulations that need to be complied with. When creating the questionnaire, it is important to understand the organization’s risk model and what it is trying to achieve. The questionnaire should be tailored to the specific risk factors the organization is trying to address, as well as the regulations that need to be complied with. Questions should cover items such as the size of the company, where it does business, and the type of relationship it will have with you. Additionally, the questionnaire should ask questions that will alert you to potential risk factors, such as whether the third party does business in a heavily sanctioned country. Once the questionnaire is sent and responses are received, the answers inform the next step of the due diligence process. Your third-party risk management system should automate part of the process by flagging risk factors and indicating what level of investigation is needed. Lastly, document the process and create an audit trail that can be used for compliance and internal review.

Due Diligence Investigation: Investigating the third party based on their answers to the questionnaire and other risk factors.

The second step is the due diligence investigation itself: investigating the third party based on its answers to the questionnaire and other risk factors. Once the questionnaire is complete, assess the risk factors and determine the appropriate level of investigation. This could range from a baseline screening against sanctions lists and other global databases to an enhanced due diligence investigation, which involves boots on the ground to ask questions about the company’s reputation and to verify a manufacturing site. As before, document the process to create an audit trail for internal stakeholders and regulators, and track the investigation in a third-party risk management system to ensure every step is completed.

Documenting: Keeping records of the due diligence investigations to be used in the future.

Documenting is an important step in the due diligence process, as it creates an audit trail of the activities undertaken and the decisions taken. Keep records of all investigations conducted, as these records can later be used to defend the decisions made. A third-party risk management system allows all of this information to be stored in a secure location and can track changes or updates to the investigations over time. The system can also flag potential risks that come up during investigations and automate the decision about which type of investigation is necessary based on the risk model. Finally, keep all documents related to the due diligence process, such as the questionnaire, investigation reports, and any other relevant material, to complete the audit trail and demonstrate that applicable regulations were met.

Third-party due diligence is a crucial part of any compliance program. A thorough questionnaire and a detailed due diligence investigation help organizations mitigate risk and ensure compliance with applicable regulations. Documenting the process creates an audit trail that can be relied on in the future. With the right tools and processes in place, organizations of any size can manage third-party risk and build a robust compliance program, and with the right information and guidance, you too can create a successful third-party due diligence process for your organization.

For more information, on Diligent’s Third Party Risk Management solution, click here.

Listen to Stephanie Font on the podcast series here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – Know Your Customer

Do FCPA considerations come into play for customers? How should you think about your obligations under the FCPA for a group not traditionally associated with FCPA liability or even FCPA risk? These questions, and perhaps others, are raised by the FCPA investigation into certain transactions in Venezuela by Derwick Associates (Derwick) and a U.S. company, ProEnergy Services (ProEnergy). ProEnergy supplied turbines that Derwick resold to the Venezuelan government and installed in that country. The investigation demonstrates why businesses need to be concerned not only with whom they do business but with how their customers do business. In banking and financial services parlance, you now need to ramp up your organization’s Know Your Customer (KYC) efforts and continue them throughout the seller-purchaser relationship, in the context of the FCPA.

There does not have to be a direct bribe or other corrupt payment made by a U.S. company for it to have liability under the FCPA; FCPA enforcement is littered with companies that paid bribes through third parties. Indeed, as the Fifth Circuit said in US v. Kay, “[W]e hold that Congress intended for the FCPA to apply broadly to payments intended to assist the payor, either directly or indirectly,” [emphasis mine]. While at first blush ProEnergy may appear to be at the edge of potential FCPA liability, if it knew, had reason to know, or should have taken steps to know about nefarious conduct by its customer, it does not take too many steps to get to FCPA exposure. The FinCEN rules on customer due diligence for financial institutions are a good starting point for other commercial entities to base their customer compliance program on.

Three key takeaways:

  1. Non-banking and non-financial service entities need to consider their KYC obligations in the context of FCPA risk.
  2. FinCEN rules on customer due diligence are a good starting point for the non-financial institution.
  3. Ongoing monitoring should be used and the information incorporated into your customer risk profile going forward.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – Tying it all Together for Joint Ventures

I want to emphasize again the risks JVs pose under the FCPA. Mike Volkov has stated, “A joint venture requires the integration of disparate company cultures. It can be successful and is usually one of the significant reasons for the joint venture itself.” Both parties should assess each other and decide that the JV is a good fit, meaning that each side will benefit. Too much time is spent looking at the JV partner’s compliance toolbox (i.e., policies, procedures, and controls), and not enough time is spent identifying compliance strengths and weaknesses. You must bring it all together in one consistent format.

Indeed, the 2020 Update to the Evaluation of Corporate Compliance Programs posed the following questions under the category “Process Connecting Due Diligence to Implementation”: What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures, and conducting post-acquisition audits, at newly acquired entities? Remember, a “newly acquired entity” can be a joint venture.
Three key takeaways: 

  1. It all starts with a Relationship Manager.
  2. Have company oversight of all JVs. Couple this with a COC for a second set of eyes.
  3. Audit, monitor, and remediate (as appropriate) your JVs on an ongoing basis.
Categories
Blog

The Week That Was in Compliance – The ECCP: Part 4 – Final Thoughts

In addition to the speeches presented at the ABA’s 38th Annual National Institute on White Collar Crime by Deputy Attorney General Lisa Monaco (2023 Monaco Speech) and Assistant Attorney General Kenneth A. Polite (Polite Speech), there was the release of the 2023 U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs (ECCP). Today we conclude our multi-part review of this document by looking at some of the other key changes and additions and what they mean for the compliance professional going forward.

Use of Monitors

In the introduction it states, “Moreover, Criminal Division policies on monitor selection instruct prosecutors to consider, at the time of the resolution, whether the corporation has made significant investments in, and improvements to, its corporate compliance program and internal controls systems and whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future to determine whether a monitor is appropriate.” This language is a firm rejection of the Benczkowski Memo and the prior administration’s reticence to employ monitorships as a tool to ensure compliance not only with the settlement documents but also with the creation and implementation of a compliance program.

Internal Compliance Controls

Under Section II, entitled “Is the Corporation’s Compliance Program Adequately Resourced and Empowered to Function Effectively?”, is the new language: “In this regard, prosecutors should evaluate a corporation’s method for assessing and addressing applicable risks and designing appropriate controls to manage these risks.” This simple sentence packs quite a wallop, as it mandates a risk assessment, the design and implementation of appropriate internal compliance controls, and then monitoring of those controls to see whether they are managing the risks the assessment identified. Many of these concepts are fleshed out elsewhere in the ECCP, but it is clear this is a minimum expectation of the Department of Justice (DOJ).

Adequate Compensation and Salary/Bonus Review for Compliance

Under Section III, “Does Your Compliance Program Work in Practice”, is the following new language: “Independence and Empowerment – Is compensation for employees who are responsible for investigating and adjudicating misconduct structured in a way that ensures the compliance team is empowered to enforce the policies and ethical values of the company? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel or others within the organization that have a role in the disciplinary process generally?”

This is a significant new addition to the ECCP. It requires a company to adequately compensate the employees who investigate and pass judgment on misconduct. But it goes beyond adequate compensation: it also requires that a company not retaliate against compliance officers, through low salaries, limited raises or other compensation decisions, for doing their jobs. In other words, if the Chief Executive Officer (CEO) is being investigated by compliance, that same CEO should not be setting or reviewing the salary of the Chief Compliance Officer (CCO) or of those doing the investigation. This means the DOJ will review the entire corporate organization on these issues.

Final Thoughts

This brings us to the end of a series of momentous announcements by the DOJ. While we have not discussed the changes in monitor selection announced by Polite, as they largely deal with internal DOJ process, we would note that they will require a lengthier and more rigorous request process for prosecutors seeking monitors, as well as a review process reaching up to perhaps even the DAG. This alone could lengthen an entire Foreign Corrupt Practices Act (FCPA) enforcement action.

The incentives language, both financial and non-financial, will require a much deeper analysis by a corporate compliance program in the areas of compensation and promotion than has ever been mandated. The first thing I would do as a CCO is go down the hall to speak with the head of Human Resources (HR) to understand how compensation is determined and what factors relating to doing business ethically and in compliance are reviewed for both salary and discretionary bonus amounts. The same holds true for promotion into both middle and senior management. All of these will need metrics or other auditable frameworks around them so they can be reviewed and tested, and the data presented to regulators if they come knocking.

The language around messaging apps needs to be taken to heart not simply by the compliance function but by all senior-level executives. While the Securities and Exchange Commission (SEC) has garnered the most publicity for the fines it has levied on regulated industries, the new language of the ECCP makes clear the DOJ is equally concerned about this issue. Woe betide any company which finds itself in an FCPA investigation or enforcement action and does not meet these DOJ requirements; the DOJ will most probably assume a willful failure to meet the strictures of the 2023 ECCP.

Obviously, the Biden Administration DOJ is stepping away from some of the initiatives of the Trump Administration DOJ. However, in other areas this DOJ is building on some of the steps of the prior administration. It is clear the DOJ is continuing to evolve in its thinking about what constitutes a best practices compliance program and will continue to do so. Compliance professionals will need to study these new initiatives and implement their requirements.

Categories
Compliance Into the Weeds

Beneath the Bailout: The Collapse of Silicon Valley Bank

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject. In this episode, Matt and I explore the collapse of Silicon Valley Bank (SVB) and its outcomes. We discuss the consequences if the Federal government fails to bail out Signature Bank in New York and Silicon Valley Bank. We examine the Dodd-Frank Act and note that SVB’s Chief Risk Officer left eight months ago and was never replaced, a huge red flag. Will this event cause the Federal Reserve to pause interest rate hikes? Why did Libertarians from the tech industry scream for bailouts? Tom and Matt expertly unpack the complex details and provide insight and analysis into this relevant and timely topic.

Key Highlights

The Impact of Signature Bank’s and SVB’s Failures on the Banking Industry [02:01]

Implications of Unsold Silicon Valley Bank Assets on Taxpayers [05:04]

Challenge of Businesses Dealing with Employee Benefits under Federal Government Regulations [09:04]

Effects of Changes to the Dodd-Frank Act on Midsized Banks [12:54]

The Impact of Regulatory Ease on Business Failures [16:47]

The Reasons Behind Silicon Valley Bank’s Chief Risk Officer Quitting [20:53]

The Impact of Social Media on Interest Rate Decisions by the Federal Reserve [24:52]

Notable Quotes:

1.     “So those loans brought in maybe 2 or 3 percent interest, but SVB had to pay out interest rates that might be more at 4 percent. That difference undermined the capital structure and the balance sheet of SVB until people started getting skittish, and then they said, Maybe I should pull my money out, which made the bank even more weak, so people got even more skittish.”

2.     “The big issue, which is why the business customer angle is important, is that under FDIC rules, a bank’s deposits are insured up to 250,000 dollars per account.”

3.     “Is it a business if you can never fail? This was not too big to fail. This was we are not going to let anybody fail.”

4.     “You may not know where your key suppliers, customers, or key third parties are banking. Maybe you have that information. But does that mean you’re going to have to assess the financial health of those financial institutions of your customers? And know if they can pay you for your vendors or third-party suppliers. They can meet their payroll to deliver their services.”

Resources

Matt on LinkedIn

Tom on LinkedIn

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business – Pre-acquisition Due Diligence in Mergers and Acquisitions

A company that does not perform adequate due diligence before a merger or acquisition may face legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue, with all the attendant harms to a business’s profitability and reputation and potential civil and criminal liability. While most compliance practitioners have long been aware of the requirement in the post-acquisition context, the FCPA Resource Guide, 2nd edition, focused many of them on the need to engage in robust pre-acquisition due diligence as well.

The 2020 Update made the need for a robust compliance presence in the pre-acquisition phase even more apparent. It stated, “A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing harm to a business’s profitability and reputation and risking civil and criminal liability.”

Multiple red flags could be raised in this process that warrant further investigation. They include ineffective elements in the target’s compliance program, or frequent breaches of policies and procedures. A target in financial difficulty would bear closer scrutiny. Structurally, the absence of a formal ethics and compliance committee at the senior management or Board of Directors level could present issues. From the CCO perspective, if the position has no Board or CEO access, or makes no regular reports, that could present an issue for compliance. Similarly, frequent requests to waive policies, management override of compliance controls, or no consistent consequence management for violations are clear red flags for further investigation.

Three key takeaways: 

  1. Your pre-acquisition due diligence results will inform your post-acquisition integration and remediation going forward.
  2. Periodically review your M&A due diligence protocol.
  3. If red flags appear in pre-acquisition due diligence, they should be cleared.
Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 1

What happens when two top compliance commentators get together? They talk compliance, of course. Join Kristy Grant-Hart and Tom Fox for their new podcast, 2 Gurus Talk Compliance! But it is not simply Kristy and Tom talking about compliance. In this podcast series, Kristy and Tom also review other top commentators in compliance. In this podcast, we will consider all things compliance, corporate ethics, ESG, governance, and whatever else is on our minds and the minds of other experts in the field. Kristy and Tom explore all of these topics with expertise and wit.

In this inaugural episode, they discuss the latest compliance trends and news, including two Supreme Court cases that have implications for the compliance profession. They also cover Department of Justice and whistleblower trends, taking a look at Miranda and Upjohn warnings and the increasing number of whistleblower reports to the SEC. They then dive into an article from the Harvard Law School Forum on Corporate Governance and discuss the Illinois biometric privacy law. Join the conversation and discover the latest on compliance and regulations with 2 Gurus Talk Compliance.

Highlights Include

The Role of In-House Attorneys in Communication Between Outside Counsel and Businesses [00:05:17]

Supreme Court Decision on the Future of the CFPB [00:09:11]

Impact of the Colorado Draft Regulation on Artificial Intelligence Compliance Programs [00:13:23]

The Benefits of Automated Data Deletion [00:17:23]

A Miranda component to corporate Upjohn Warnings [00:21:25]

The Obligation of Society to Address Climate Change [00:25:33]

The Benefits of Self-Disclosure in the DOJ Justice System [00:29:18]

The Role of the Board in Overseeing Third Parties in High-Risk Countries [00:33:14]

The Impact of Whistleblowers on the SEC [00:40:54]

White Castle’s Violation of Illinois Biometric Law [00:45:05]

Notable Quotes

  1. “The DOJ is urging a federal judge to sanction Google’s parent, Alphabet, for its practice of setting employee chats to auto delete despite promising to preserve records.”
  2. “It goes beyond the specifics of this law, something you and I have talked about for several years now, that the compliance function and the CCO is well perhaps the most well-suited corporate discipline to deal with these new initiatives because it’s the basic framework of compliance that you and I have worked with for 15 years.”
  3. “Most compliance programs just don’t have good frameworks for things like AI or for big data even though we’ve been using that word for a long time.”

Resources

  1. Boards and 3rd Party Risk Oversight
  2. CO Draft AI Rules for Insurance
  3. Miranda Warnings in Corp Investigation
  4. Current whistleblowing landscape
  5. Has the stature of the CCO changed? 
  6. Analysis of the DOJ’s update to the self-disclosure program
  7. Supreme Court considering defunding the CFPB
  8. Trends in state privacy law   
  9. Litigation holds and records retention/Google/DOJ  
  10. Individuals charged – first enforcement action 2023 

Connect with Kristy Grant-Hart on LinkedIn

Spark Consulting

Connect with Tom Fox on Linkedin

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – Auditing Joint Ventures

JVs present many FCPA risks that other types of business relationships do not. For instance, the JV may interact with foreign government officials or employees of a state-owned enterprise and then leverage those relationships for an improper benefit relating to contracts, regulatory licenses, permits or customs approvals. It is difficult to regulate a JV’s interaction with foreign government officials when your partner is a state-owned enterprise, or where your company is relying on the local partner for its local contacts and expertise in business development and/or regulatory knowledge and experience.

The risks are compounded when the U.S. company does not exercise control of the JV, and further compounded by the fact that there is no minimum ownership threshold for an FCPA enforcement action against a U.S. company for the actions of a JV in which it holds an interest. If a company holds less than majority rights, it must urge, beg and plead for the majority partner to adhere to anti-corruption compliance standards and controls. Often these requirements are established in the JV agreement, but success in securing such contractual protections depends on the importance of the global company to the JV itself.

Another set of issues arises when the JV seeks to retain third-party agents and/or distributors. Depending on the amount of control it has, the U.S. company usually can impose its own standards for conducting due diligence on third-party agents and distributors. The risks become more difficult to manage when the JV partner brings a proposed third-party agent or distributor and vouches for them. If the JV partner is a state-owned enterprise, the issues become even more complicated, as such a referral is an obvious red flag for a government-sponsored referral.

Three key takeaways: 

  1. JVs present unique FCPA risks and must be managed accordingly.
  2. Your final audit report needs to consider its ultimate reader, potentially the DOJ or SEC.
  3. Be sure to follow up on any red flags raised but not cleared and action items for remediation or additional scrutiny.