Categories
Sunday Book Review

January 8, 2023 – The Top AI and Machine Learning Books for 2023 Edition

In the Sunday Book Review, I consider books that interest the compliance professional, the business executive, or anyone curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest me. In today’s edition of the Sunday Book Review, we consider some of the top AI and machine learning books that every compliance professional should read in 2023:

  • Future Ready: The Four Pathways to Capturing Digital Value by Stephanie L. Woerner, Peter Weill, and Ina M. Sebastian
  • Digitalization of Financial Services in the Age of Cloud by Jamil Mina, Armin Warda, Rafael Marins, and Russ Miles
  • Power and Prediction: The Disruptive Economics of Artificial Intelligence by Ajay Agrawal, Joshua Gans, and Avi Goldfarb
  • Practicing Trustworthy Machine Learning by Yada Pruksachatkun, Matthew Mcateer, and Subhabrata Majumdar

Resource

The Enterprisers Project – 10 must-read tech books for 2023

Categories
31 Days to More Effective Compliance Programs

Day 4 – Moving Compliance Tone Down Through an Organization

Mike Volkov has said, “Even when a company does all the right things at the senior management level, the real issue is whether or not that culture has embedded itself in middle and lower management. A company’s culture is reflected in the values and beliefs that exist throughout the company.” To fully operationalize your compliance program, you must articulate the message of ethical values and doing business in compliance and then drive that message from the top down throughout your organization.


What should the tone in the middle be? What should middle management’s role be in the company’s compliance program? This role is critical because most company employees work directly with middle rather than top management. Consequently, they will take their cues from how middle management responds to a situation. Perhaps most importantly, middle management must listen to the concerns of employees. Even if middle management cannot effect a direct change, employees must have an outlet to express their concerns. Your organization should train middle managers to enhance listening skills by providing training for their “Manager’s Toolkit.” This can be particularly true if there is a compliance violation or other incident which requires some form of employee discipline. Most employees think it important to have organizational justice so that people believe they will be treated fairly. Where there is organizational justice, it engenders perceived procedural fairness, which makes it more likely that an employee will be willing to accept a decision even if they do not like it or disagree with the result.

Even with a great “tone at the top” and a positive “mood in the middle,” you cannot stop. One of the greatest challenges of a compliance practitioner is how to impact the most front-line employees or the “tone at the bottom.” One of the things you can do is assemble a compliance focus group to find out how business is done in the field and if it differs from what your company expects from an ethical and compliance perspective. Begin by assembling a group of employees who are familiar with the challenges of doing business in a compliant manner in certain geographic regions to discuss the challenges of doing business ethically and in compliance. Ask them questions about their understanding of your compliance regime. Then categorize the answers into your company’s theory and practice of compliance.

More than ever in 2022, employees came to look to their direct supervisor to determine what the tone of an organization is and will be going forward. Many employees of large, multi-national organizations may never have direct contact with the CEO or senior management. By moving the values of compliance through an organization into the middle, you will be in a much better position to inculcate these values and operationalize compliance with them.

 Three key takeaways:

1. Tone at the top—direct supervisors become the most important influence on people in the company
2. Give your middle managers a Tool Kit around compliance so they can fully operationalize compliance
3. Organizational justice is an additional way to help operationalize compliance

Categories
31 Days to More Effective Compliance Programs

Day 3 – Leadership’s Conduct at the Top

DAG Lisa Monaco’s speech in September 2022 announcing the Monaco Memo, as articulated in the Monaco Doctrine, laid out the very basics of compliance: that the key to every company is culture. She stated, “corporate culture matters. A corporate culture that fails to hold individuals accountable or invest in compliance — or worse that thumbs its nose at compliance — leads to bad results.”

From the enforcement perspective, the DOJ will assess companies for their ethical cultures. From the compliance perspective, the ethical tone of a company and accountability all start at the top and, most specifically, senior management. This requirement is more than simply the ubiquitous “tone-at-the-top,” as it focuses on the conduct of senior management. The DOJ wants to see a company’s senior leadership doing compliance. The DOJ asks if company leadership has, through their words and concrete actions, brought the right message of doing business ethically and in compliance to the organization. How does senior management model its behavior on a company’s values, and how is such conduct monitored in an organization?

I once had a Chief Executive Officer (CEO) observe the following, “You want me to be the ambassador for compliance.” I immediately said yes, that is exactly what I need you to do. As an “Ambassador of Compliance,” a CEO can fully model the conduct that senior management engages in going forward. Another way a CEO can forcefully engage an entire company is through a powerful video message about doing business the right way and in compliance. A great example was a CenterPoint Energy video put out in 2015 after the Volkswagen (VW) emissions-testing scandal became public. The video featured Scott Prochazka, CenterPoint Energy President and CEO. He used the VW scandal to address the culture and values at the company proactively and used the entire scenario as an opportunity to promote integrity in the workplace. But more than simply a one-time video, the company followed up with an additional resource, entitled “Manager’s Toolkit—What does Integrity mean to you?”, that managers used to facilitate discussions and ongoing communications with employees around the company’s ethics and compliance programs. Finally, the cost for the video was quite reasonable as it was produced internally.

 Three key takeaways:

1. Senior management must do compliance; not simply talk-the-talk of compliance but also walk-the-walk.

2. Use your CEO to talk about current events and how those ethical failures are lessons to be learned for your organization.

3. Your CEO as Compliance Ambassador.

Categories
31 Days to More Effective Compliance Programs

Day 2 – Continuous Monitoring and Continuous Improvement

Continuous monitoring and improvement are two of the most important phrases for any compliance program. These twin concepts were perhaps the biggest modifications in the 2020 Update to the Evaluation of Corporate Compliance Programs. In 2021 and 2022, all companies’ risks changed as we moved from Working From Home to Return To Office and now a hybrid work model. Of course, the Great Resignation has also played a part. These changes in our basic work location drove home perhaps the most prescient comment I heard during the pandemic, which was by Jed Gardner, who said, “We have moved from disaster recovery to business continuity to business as usual.” This means that risks will change in ways you may not see at speeds you do not anticipate. Your compliance program must be ready to respond to whatever those risks might be going forward.

In the 2020 Update, the DOJ began to address this from the compliance program perspective with several questions. “Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?”

The next area for continuous monitoring and improvement was an area of compliance that is not normally associated with those concepts: Policies and Procedures. Here questions included “When was the last time your policies and procedures were updated? Perhaps more importantly, under the 2020 Update, what was your process for doing so? Was there any rigor around your process? Did that rigor include incorporating information and data collected through continuous monitoring, real-time monitoring, or continuous access to operational data and information across functions?”

The final area in the 2020 Update for consideration is called Continuous Improvement, Periodic Testing, and Review. The questions included the following, “How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular risk areas are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? Does the company review and adapt its compliance program based on lessons learned from its misconduct and/or other companies facing similar risks?”

Three key takeaways:

1. How have your company’s risks changed over the past year?
2. What is your process for continuous monitoring and improvement?
3. What sources of information do you use that come from outside your organization?

Categories
Blog

What 2022 Brought to Compliance

2022 was a very significant year for every compliance practitioner and compliance program. While there was a paucity of corporate FCPA enforcement actions, there were three enforcement actions that were significant, with multiple lessons for the compliance professional. In ABB, we learned about the costs of a corrupt culture and recidivism; in Glencore, we saw what happens to a company which engages in worldwide, systemic bribery and corruption. Finally, in Stericycle, the company had a culture of corruption burned into the DNA of the LATAM business unit which was so thorough that it was documented via bribery spreadsheets and analysis of revenue based on payments of bribes in LATAM. Yet even with this corrupt culture, the Stericycle enforcement action demonstrated how a company can take advantage of the discounts available under the FCPA Corporate Enforcement Policy by extensive cooperation and remediation during the pendency of the FCPA investigation, as the company obtained a 25% reduction off the bottom of the applicable US Sentencing Guidelines fine range.

September saw the announcement of a significant refinement of Department of Justice (DOJ) enforcement policies around Foreign Corrupt Practices Act (FCPA) enforcement and corporate compliance programs. It was encapsulated in the Monaco Memo and a speech by Deputy Attorney General Lisa Monaco announcing the Monaco Doctrine. There was also additional commentary by Principal Associate Deputy Attorney General Marshall Miller in a speech, and a speech by Assistant Attorney General Kenneth A. Polite. Every compliance professional should read all of them in detail as they significantly turn the heat up on corporate compliance programs.

The Monaco Memo is broken down into four main sections: I. Guidance on Individual Accountability; II. Guidance on Corporate Accountability; III. Independent Compliance Monitorships; and IV. Commitment to Transparency in Corporate Criminal Enforcement. The Monaco Memo is both further clarification and further guidance for line prosecutors when they are considering whether to put a monitor in place. While we have seen these factors in a disparate manner, in disparate places, here they are in writing. Perhaps the greatest significance is that the Memo sets down all these matters in writing which leads to a blueprint for DOJ thinking and a roadmap for anyone who finds themselves in an FCPA investigation or enforcement action.

I see the Monaco Memo and the Miller and Polite Speeches as complementary releases of information which drive home several key changes in DOJ enforcement. Perhaps changes are too strong, but these announcements make clear the DOJ is dedicated to individual accountability and prosecution. Corporations will have to reorient their approach to investigations and sharing of information with the DOJ to this new mandate. Next, the DOJ is strongly shifting the burden in the investigatory and negotiation phases to make clear the company must come forward with evidence to support lower fines and penalties and greater discounts, particularly in individual financial penalties and incentives, i.e., clawbacks. The Monaco Memo laid out not simply how to avoid a monitor but a program of proactive monitoring which can lead to the prevention of a crime before the FCPA is violated. Finally, the Monaco Memo cemented the new DOJ requirement for CCO certification of compliance programs at the end of a resolution.

The final key event for compliance in 2022 was very much under the radar. It was the DOJ hiring of Matt Galvan to help develop a data analytics expertise and capability for the FCPA Unit and the Fraud Section. Galvan was most recently the CCO at AB InBev and perhaps the top compliance professional in the use of data analytics for a corporate compliance program. It will be most interesting to see where Galvan and the DOJ take this initiative, but it does portend the increasing use of data analytics in FCPA enforcement and compliance.

Categories
Great Women in Compliance

Karina Vollmer – Making Friends and Influencing People

Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.

One of the most critical aspects of the role of a Compliance Officer is establishing the reputation of the function as being one which is approachable and reliable. One of the colleagues Mary has admired the most in being successful in this respect is Karina Vollmer. The two worked together at Tata Communications in Singapore and take a walk down memory lane to share some thoughts from the past that allow introverts like Mary to learn from extroverts like Karina.

Karina is originally from Indonesia and takes the opportunity to share with the GWIC audience some of the unique cultural aspects of the country that may impact the role of global compliance officers in multi-national corporations.

As a mother of two and a Chief Compliance Officer, Karina has a lot going on.  Her discussion builds on an earlier podcast episode with Sue Scott (Great Women in Compliance episode #173) where she addresses the common issue of mum/mom guilt.

 The Great Women in Compliance Podcast is on the Compliance Podcast Network with a selection of other Compliance related offerings to listen in to.  If you are enjoying this episode, please rate it on your preferred podcast player to help other likeminded Ethics and Compliance professionals find it.  If you have a moment to leave a review at the same time, Mary and Lisa would be so grateful.  You can also find the GWIC podcast on Corporate Compliance Insights where Lisa and Mary have a landing page with additional information about them and the story of the podcast.  Corporate Compliance Insights is a much-appreciated sponsor and supporter of GWIC, including affiliate organization CCI Press publishing the related book; “Sending the Elevator Back Down, What We’ve Learned from Great Women in Compliance” (CCI Press, 2020).

If you enjoyed the book, the GWIC team would be very grateful if you would consider rating it on Goodreads and Amazon and leaving a short review.  Don’t forget to send the elevator back down by passing on your copy to someone who you think might enjoy reading it when you’re done, or if you can’t bear parting with your copy, consider it as a holiday or appreciation gift for someone in Compliance who deserves a treat.

You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast.

Join the Great Women in Compliance community on LinkedIn here.

Categories
Compliance Into the Weeds

The Danske Bank AML Enforcement Action

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject. In this episode, we consider the Danske Bank AML enforcement action, in which the bank recently pled guilty to money-laundering violations through its Estonia subsidiaries.

Some of the highlights included:

  • The background facts.
  • What did the home bank know and when?
  • Did a tech failure set this all in motion?
  • The Bank’s attempts to hide the violations from US authorities.
  • Why is the US and not Denmark bringing an enforcement action against a Danish bank?
  • What about CCO certification?
  • The role of the Danish monitor.

 Resources

Tom in the FCPA Compliance and Ethics Blog

Matt Kelly in Radical Compliance

Categories
Blog

Danske Bank: Part 3 – Compliance Failures

We are exploring the Danske Bank A/S (Danske Bank) AML enforcement action in which Danske Bank pled guilty this week and agreed to forfeit $2 billion to resolve the US investigation into its fraud on US banks. According to the Department of Justice (DOJ) Press Release, “Danske Bank defrauded U.S. banks regarding Danske Bank Estonia’s customers and anti-money laundering controls to facilitate access to the U.S. financial system for Danske Bank Estonia’s high-risk customers, who resided outside of Estonia – including in Russia.” Danske Bank also settled with the Securities and Exchange Commission (SEC), which said, in its Press Release, that the Bank misled investors about its anti-money laundering (AML) compliance program in its Estonian branch and failed to disclose the risks posed by the program’s significant deficiencies.

How did it start to go wrong?

Interestingly, and most significantly for compliance professionals, the trouble for Danske Bank started with an acquisition. According to the Plea Agreement, “Danske Bank acquired Finland-based Sampo Bank in 2007, including Sampo Bank’s large operation in Estonia. A significant part of Sampo Bank’s Estonia business was providing banking services to non-resident customers, that is, companies and individuals residing outside Estonia, including in Russia. DANSKE BANK knew this was a large part of Sampo Bank’s Estonian business model and continued this business after acquiring Sampo Bank. The non-resident portfolio (“NRP”) was, by far, Danske Bank Estonia’s most lucrative business line, generating, over the life of the branch, over 50% of Danske Bank Estonia’s profits. DANSKE BANK knew that many NRP customers conducted transactions in U.S. dollars, which required Danske Bank Estonia to use U.S. banks and bank accounts to process those transactions. By December 2013, DANSKE BANK knew that the NRP was high-risk because, among other reasons, its customers resided in high-risk jurisdictions, frequently used shell companies to shield the identity of their ultimate beneficial owner or the sender or recipient of transactions, and engaged in suspicious transactions through U.S. banks.”

In addition to a failure of due diligence in the pre-acquisition phase, Danske Bank did nothing post acquisition to make sure the new Estonian branch complied with basic AML. Danske Bank Estonia had an inadequate and ineffective compliance program that applied to all customers. As noted in the Plea Agreement, “Danske Bank Estonia, through its International Banking Group (“IBG”), attracted NRP customers by ensuring that they could transfer large amounts of money through Danske Bank Estonia with very little, if any, oversight or scrutiny. IBG employees conspired with their customers to shield the true nature of their transactions, including by assisting customers to conceal beneficial owners by establishing accounts for known shell companies and sometimes creating shell companies for customers in exchange for a “consulting fee.””

Actual Knowledge of Compliance Failures

From the settlement documents, it is clear that Danske Bank was making so much money laundering for its Russian clients that it did everything it could to avoid making any changes which would kill the golden goose. As early as 2007, Danske Bank was aware that a substantial portion of the Danske Estonian branch’s customers were non-residents of Estonia, the NRP accounts, and that many of the NRP customers were from Russia and other former Soviet-bloc countries. These NRP customers’ practices included well-known red flags for potential money laundering, for example, frequent use of offshore LLPs and nominee directors to obscure or conceal beneficial ownership information, use of unregulated intermediaries to carry out transactions on behalf of unknown clients, and ties to jurisdictions with enhanced money laundering risks. Yet both Danske Bank Estonia and the parent Danske Bank maintained that “all is well” (yes, cue the Animal House riot scene about now).

It was not as if Danske Bank was unaware of its Estonia branch shortcomings and failures. According to the SEC Complaint, “in 2007, the Danish Financial Supervisory Authority (“Danish FSA”) contacted Danske with concerns it had received from the Bank of Russia about NRP customers allegedly engaged in illicit transactions through Danske Estonia, including money laundering which was discussed by Danske’s Board of Directors in August 2007.” In light of the Danish FSA’s warnings, Danske conducted an internal audit of Danske Estonia’s transactions in 2007. That audit did not assess whether Danske Estonia complied with AML and Know-Your-Customer (KYC) procedures required under applicable laws and regulations, but the audit report provided to Danske management noted that Danske Estonia’s procedures in this area were “thin.” The 2007 audit recommended to Danske management that Danske undertake further investigation of Danske Estonia’s practices to ensure compliance with applicable law. Further, in March and April of the same year, the Estonian FSA had carried out an inspection at Danske Estonia and issued an inspection report on August 16, 2007, which found that the Estonian branch was not compliant with its legal obligations.

These compliance shortcomings were in four general areas. First, Danske Bank Estonia used foreign consultants and intermediaries to recruit customers and outsourced its legal obligations to conduct due diligence and obtain KYC information to third parties. Second, Danske Bank management knew that Danske Estonia was offering certain high-risk services and products associated with suspicious activity which Danske did not permit other branches to offer. Third, Danske Bank knew that Danske Estonia’s IT platform was incompatible with Danske’s IT platform. Danske knew or was reckless in not knowing that Danske Estonia could not conduct automated AML or KYC controls, such as automated customer screening and automated transaction monitoring. Fourth, Danske Bank Estonia’s AML and compliance control framework did not adequately mitigate the risks of the NRP portfolio and Danske failed to provide effective supervisory oversight. Danske Estonia’s compliance and AML departments were structured differently than at other Danske branches and reported directly to Danske Estonia’s branch manager with dotted line reporting to Danske’s compliance and AML departments. As a result, Danske Estonia’s compliance and AML functions were not effectively monitored or effectively supervised by Danske.

Tomorrow, the Danske Bank response.

Categories
Great Women in Compliance

Jacki Cheslow – Bringing Life to a Compliance Program

Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.

One of the best things about the longevity of the GWIC podcast is that Mary and Lisa get to build some of their own ideas and traditions.  Some are things like “bonus episodes” – a great idea by Mary, the #GWICies, and one of Lisa’s, which is to do her last podcast interview of the year with someone who is not only a leader in the E&C community due to her expertise, but also someone who is always a mentor and support to so many people (including Lisa).

This year, Lisa is speaking with Jacki Cheslow, who was on the podcast a few years back and since then has moved from a large corporate organization, Avis/Budget, to the Institute of Electrical and Electronics Engineers – the IEEE, which is the world’s largest non-profit technical organization.

Jacki talks about her experience with IEEE as a mission-driven organization, which is to develop technology to benefit humanity, and how that influences her role. She also talks about starting out at IEEE and needing to learn a whole new area, sanctions, which then became even more important than she would have anticipated.

Jacki also shares how she had a bit of imposter syndrome when she started at IEEE. She provides valuable insight into how to change one’s mindset from a fixed mindset to a growth mindset and how that can also change one’s view, so that being given the opportunity to learn new things is seen as recognition of one’s potential and of being open to learning.


Categories
Principled Podcast

Season 8 – Episode 12 – Part 2: Geopolitics and the Interconnectedness of Compliance Risks

What you’ll learn on this podcast episode

In this episode of the Principled Podcast, host Susan Divers continues her conversation from Episode 11 with Tom Fox, the founder of the Compliance Podcast Network, on the changing geopolitical landscape and its impact on E&C. Listen in as the two discuss how anti-corruption is a key component of ESG, the consequences of compliance in cybersecurity, and the growing interconnectedness of risks. You can listen to Episode 11 here. 

To learn more, download a copy of Tom Fox’s white paper Never the Same: Five Key Areas in Which Business Will Never Be the Same After the Russian Invasion. 

Guest: Tom Fox


Tom Fox is literally the guy who wrote the book on compliance with the international compliance best-seller The Compliance Handbook, 3rd edition, which was released by LexisNexis in May 2022. Tom has authored 23 other books on business leadership, compliance and ethics, and corporate governance, including the international best-sellers Lessons Learned on Compliance and Ethics and Best Practices Under the FCPA and Bribery Act, as well as his award-winning series “Fox on Compliance.”

Tom leads the social media discussion on compliance with his award-winning blog, and is the Voice of Compliance, having founded the award-winning Compliance Podcast Network and hosting or producing multiple award-winning podcasts. He is an executive leader at the C-Suite Network, the world’s most trusted network of C-Suite leaders. He can be reached at tfox@tfoxlaw.com.

Host: Susan Divers


Susan Divers is the director of thought leadership and best practices with LRN Corporation. She brings 30+ years’ accomplishments and experience in the ethics and compliance arena to LRN clients and colleagues. This expertise includes building state-of-the-art compliance programs infused with values, designing user-friendly means of engaging and informing employees, fostering an embedded culture of compliance, and sharing substantial subject matter expertise in anti-corruption, export controls, sanctions, and other key areas of compliance.

Prior to joining LRN, Mrs. Divers served as AECOM’s Assistant General for Global Ethics & Compliance and Chief Ethics & Compliance Officer. Under her leadership, AECOM’s ethics and compliance program garnered six external awards in recognition of its effectiveness and Mrs. Divers’ thought leadership in the ethics field. In 2011, Mrs. Divers received the AECOM CEO Award of Excellence, which recognized her work in advancing the company’s ethics and compliance program.

Before joining AECOM, she worked at SAIC and Lockheed Martin in the international compliance area. Prior to that, she was a partner with the DC office of Sonnenschein, Nath & Rosenthal. She also spent four years in London and is qualified as a Solicitor to the High Court of England and Wales, practicing in the international arena with the law firms of Theodore Goddard & Co. and Herbert Smith & Co. She also served as an attorney in the Office of the Legal Advisor at the Department of State and was a member of the U.S. delegation to the UN working on the first anti-corruption multilateral treaty initiative.

Mrs. Divers is a member of the DC Bar and a graduate of Trinity College, Washington D.C. and of the National Law Center of George Washington University. In 2011, 2012, 2013 and 2014 Ethisphere Magazine listed her as one of the “Attorneys Who Matter” in the ethics & compliance area. She is a member of the Advisory Boards of the Rutgers University Center for Ethical Behavior and served as a member of the Board of Directors for the Institute for Practical Training from 2005-2008. She resides in Northern Virginia and is a frequent speaker, writer and commentator on ethics and compliance topics.