Tag: DOJ

Categories
FCPA Compliance Report

FCPA Compliance Report – Tom Fox and Michael Volkov Look at Incentives for Self-Disclosure

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes back Michael Volkov as they take a deep dive into the ABB, Albemarle, and SAP FCPA enforcement actions to try and unpack the DOJ’s pivot away from heavy penalties for recidivists to prioritizing self-disclosure above all else.

Volkov’s perspective on the Department of Justice’s (DOJ) FCPA enforcement actions is both critical and analytical, shaped by his extensive experience. He underscores the necessity of transparency and explanation in the factors considered by the DOJ, highlighting its significance to practitioners in the field. Volkov also recognizes the shift in DOJ policy towards data-driven compliance, requiring companies to provide data to substantiate their conclusions and demonstrate their compliance efforts. He further notes the evolving landscape of voluntary disclosure and remediation, suggesting these areas are now pivotal in the DOJ’s enforcement approach. Volkov’s insights reflect a nuanced understanding of the changing dynamics in FCPA enforcement and the imperative for companies to adapt to these shifts.

Key Highlights:

  • Importance of Cooperation in Corporate Enforcement Cases
  • Incentivizing Self-Disclosure in DOJ’s FCPA Enforcement
  • Increased Penalty Reduction for Voluntary Self-Disclosure
  • DOJ’s Evolving Approach to Corporate Penalties
  • Benefits of Voluntary Self-Disclosure in Enforcement

Resources:

Volkov Law Group

Corruption, Crime and Compliance

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

 

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Daily Compliance News

Daily Compliance News: February 23, 2024 – The Corruption Tax Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • Ohio residents paid the price for FirstEnergy corruption.  (Ohio Capital Journal)
  • The DOJ names the first AI officer. (Reuters)
  • 4-day work week issues. (FT)
  • More child labor in the US. (NYT)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Compliance Into the Weeds

Compliance into The Weeds: To Monitor or Not to Monitor: What is even The Question?

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into the seeming inconsistency in approaches to monitoring (or lack thereof) in two recent DOJ enforcement actions involving eBay and SAP.

The Department of Justice’s (DOJ) seemingly inconsistent approach to corporate enforcement and compliance monitoring has been a topic of much debate and confusion. Or has it? This inconsistency is particularly evident in the assignment of compliance monitors and CCO certification, as seen in the contrasting cases of eBay and SAP. Does the DOJ have a contradictory approach? What are the criteria for assigning monitors? Are local U.S. Attorneys may be following their own agendas, leading to this inconsistency. Is there a lack of logic and effectiveness in the DOJ’s policies? To delve deeper into this issue, join Tom Fox and Matt Kelly in this episode of Compliance into the Weeds.

Key Highlights:

  • Effectiveness and Consistency of Compliance Monitors
  • Incentivizing self-disclosure and remediation in corporate enforcement
  • Inconsistent assignment of monitors based on misconduct
  • Inconsistent enforcement practices by U.S. Attorneys

Resources:

Matt on Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Daily Compliance News

Daily Compliance News: February 6, 2024 – The Tweaking DEI Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • Companies are tweaking DEI.  (WSJ)
  • Brazil goes after TI. (FT)
  • The DOJ is investigating ADM over accounting irregularities. (Reuters)
  • Using AI for brainstorming. (FT)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
From the Editor's Desk

From The Editor’s Desk – January and February 2024 in Compliance Week

Welcome to From the Editor’s Desk, a podcast where co-hosts Tom Fox and Kyle Brasseur, EIC at Compliance Week, unpack some of the top stories that have appeared in Compliance Week over the past month, look at the top compliance stories upcoming for the next month, talk about some sports and generally try to solve the world’s problems.

Tom Fox and Kyle Brasseur are back. In this episode, they look at the Department of Justice’s role in shaping corporate compliance practices through its enforcement actions, setting the tone for companies to voluntarily self-disclose and cooperate. Tom believes that the DOJ is making a concerted effort to highlight what companies are doing right in enforcement actions, particularly in relation to remedial efforts and cooperation. He sees the DOJ’s settlement documents as a clear communication of what they expect from companies going forward. Kyle emphasizes the importance of focusing on the positive aspects of enforcement actions and learning from what companies are doing right to prevent similar situations in the future. He mentions the use of data analytics and the retention of off-channel communications as examples of new expectations from the DOJ. Join Tom Fox and Kyle Brasseur on this episode of From the Editor’s Desk as they delve deeper into the topic of DOJ enforcement actions and corporate compliance practices.

Highlights Include:

  • SAP Enforcement Action
  • CNIL and Amazon’s Excessive Employee Surveillance Violation
  • Exploring Best Practices in Know Your Customer and Anti-Money Laundering Compliance
  • Highlighting Compliance Success in Financial Services
  • Insights from DOJ Enforcement Actions Roundtable
  • Bill Belichick
  • NFL Playoffs
Categories
Everything Compliance

Everything Compliance – Episode 128, The Frozen Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of Jonathan Armstrong, Matt Kelly, Karen Woody, and Jay Rosen, all hosted by Tom Fox, joining us on this episode to discuss some of the topics they are watching during this extended cold spell across the US.

1. Matt Kelly looks at the tale of two companies, eBay and SAP, and the disparity in whether monitorships were mandated. He shouts out to Saul Dreier and the Holocaust Survivors Band, who recently played a gig at the White House.

2. Tom Fox shouts out to Sir Elton John for winning an Emmy, thus becoming only the 18th person to hold the prestigious EGOT designation.

3. Jonathan Armstrong looks at the new SFO director and his new focus for the beleaguered agency.  He shouts out to Nick Rossi (or whatever name he is using) and his 16 aliases.

4. Jay Rosen takes a deep dive into the SAP Foreign Corrupt Practices Act enforcement action. He shouts out to the Cara Cara naval oranges.

5. Karen Woody looks at the Segway shareholder case and its duty of oversight analysis for an officer. She shouts out to all the folks in Indiana who work and fix things during a deep freeze and those manning homeless shelters.

The members of the Everything Compliance are:

  • Jay Rosen is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody is one of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly is the Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com
  • Jonathan Marks can be reached at jtmarks@gmail.com.

The host, producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Blog

Operationalizing Compliance Through Payroll

One of the areas articulated in the 2023 ECCP was around payments and payroll. The compliance professional and the corporate payroll function have a significant role to play in operationalizing a corporate compliance program. The 2023 ECCP was replete with references to payment and its critical nature to any best practices compliance program. This includes references to foreign officials, payments to third parties, and hiding bribes in distributor payments.

The 2023 ECCP begins with a warning to stop wasting time on low-hanging fruit when there are much higher risks in your business operations. It states:

Risk-Tailored Resource Allocation—Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than to more modest and routine hospitality and entertainment?

It then drills down into the payment and payroll systems, stating:

Appropriate Controls—How does the company ensure a proper business rationale for using third parties? If third parties were involved in the underlying misconduct, what was the business rationale for using those third parties? What mechanisms exist to ensure that the contract terms specifically describe the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?

Payment Systems—How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?

These questions may not seem new, innovative, or even different from what payroll currently does for an organization. However, the 2023 ECCP demonstrates the role of payroll in compliance. The 2023 ECCP requires that payroll not only form a part of any best practices compliance program, but when it comes to the specific subject matter expertise, payroll is on the front lines of any attempts to prevent, detect, and remediate anti-corruption compliance violations.

The FCPA prohibits “anything of value” from being provided to foreign government officials or employees of state-owned enterprises to obtain or retain business. This “anything of value” is almost always money, and that money must come from somewhere inside the company. While the Watergate intonation to “follow the money” remains valid in any compliance issue, the 2023 ECCP speaks much more depth about payroll’s responsibility in a corporate compliance program. There must be verifiable controls that not only detect fraudulent payments but also work to prevent any such payments.

Yet when the inquiries are read together, they paint a broader picture than simply tasking payroll with the responsibility to prevent fraudulent leakage of money that could be used to fund bribes. The questions around the approval and certification process should be a standard part of any payroll system. This has the effect of operationalizing the responsibility up and down the management chain, from the individual employee up through their manager(s) and eventually to the highest level of management involved in the process. This level of operationalization is designed not only to put a set of brakes in place but also to work to put a second set of eyes on the entire payroll process.

Finally, payment systems have a role in the remediation phase of any best practices compliance program. If a payroll control failure led to or even allowed a compliance violation, what was done to fix the control issue? Here, payroll should work to perform a root cause analysis of what led to the control failure and then enhance or upgrade the control to provide a solution going forward. Of course, there should be a fully documented audit trail for this work to provide to the government should they ever come knocking, or even to your corporate auditors.

This means that not only can payroll be one of the compliance function’s strongest corporate allies, but that the role of payroll, by its nature, works to operationalize compliance. This is because to implement the appropriate internal controls around compliance, payroll must know the specific requirements of the FCPA and know what kinds of issues are likely to come up that might create a risk of bribery and corruption, all leading to an understanding of the appropriate compliance internal controls to implement around payroll and payments.

This is particularly true around offshore payments, generally defined as payments made to a location other than the home domicile of the payee or the area where the services were delivered. If a Tunisian agent who performs services in Dubai asks for payment in a location other than Dubai or Tunisia, that would qualify as an offshore payment. If you train people on the payroll on this issue, they may well pick up the phone and notify compliance when they see a request for payment in a geographic location separate from one of the two standard payment venues. Those are the types of communications, when properly documented, that demonstrate your compliance program is operationalized into the fabric of the organization.

Another way to view it is if there is a payroll control for such a scenario that notes the exception and requires the clearance of a red flag through additional investigation, elevation for approval, and documentation of the entire process; it operates as both a financial control and a compliance control as well. It strengthens the company’s internal controls to both prevent and detect compliance risks going forward.

There are several specific internal payroll controls that will facilitate a company operationalizing its compliance program, as required under the 2023 ECCP. These controls help keep an eye on the money trail, as the money to pay a bribe is usually hidden in some company expenditures. The four general areas of payroll control should include: 1) segregation of duties; 2) accountability, authorization, and approval; 3) security of assets; and 4) review and reconciliation.

To meet these four general goals, consider using a selection of the following controls for payroll systems, irrespective of how timekeeping information is accumulated or how employees are paid:

Audit. Have either internal or external auditors conducted an annual audit of payroll accuracy?

Change authorizations. Only allow a change to an employee’s marital status, withholding allowances, or deductions if the employee has submitted a written and signed request for the company to do so. Any change request should be reviewed and approved by a senior manager.

• Change the tracking log. If you are processing payroll in-house with a computerized payroll module, have secure change tracking to provide an audit trail.

Expense trend lines. This is your data, and it is within your company somewhere. Look for changes in payroll-related expenses in the financial statements and then investigate if warranted.

Issue payment reports to supervisors. Request supervisors review payroll summaries for correct payment amounts and unfamiliar names.

Restrict access to records. Prevent unauthorized access to payroll records.

Segregation of duties. You should never allow one person to prepare the payroll, authorize it, and create payments.

The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is out of payroll. All CCOs need to sit down with their head of payroll, have them explain the role of payroll, and then review the internal controls in place to see how they facilitate compliance goals. From that review, you can then determine how to use payroll to help operationalize your compliance program.

The DOJ has now provided its clearest statement on how it expects a company to actually comply going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from compliance violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process that should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the most well-suited corporate discipline to provide this first level of oversight and control.

Categories
Blog

Using a Root Cause Analysis for Remediation

The 2023 ECCP re-emphasized the need for both performing a root cause analysis but equally importantly using it to remediate your compliance program. It stated, “a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”

It went on to state, what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk”).” The following questions were then posed:

Root Cause Analysis—What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?

Prior Weaknesses—What controls failed? If policies or procedures should have prohibited the misconduct, were they effectively implemented, and have functions that had ownership of these policies and procedures been held accountable?

You should begin with the question of who should perform the remediation; should it be an investigator or an investigative team which were a part of the root cause analysis? Jonathan Marks, believes the key is both “independence and objectivity.” It may be that an investigator or investigative team is a subject matter expert and “therefore more qualified to get that particular recourse”. Yet to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.

Marks further noted that the company may also have deficiencies in internal controls. More importantly, the failure to remediate gaps in internal controls “provides the opportunity for additional errors or misconduct to occur, and thus could damage the company’s credibility with regulators” by allowing the same or similar conduct to reoccur. Finally, with both the 2023 ECCP and FCPA Corporate Enforcement Policy, the DOJ has added its voice to prior SEC statements that regulators “will focus on what steps the company took upon learning of the misconduct, whether the company immediately stopped the misconduct, and what new and more effective internal controls or procedures the company has adopted or plans to adopt to prevent a recurrence.”

As required under the 2023 ECCP, from the regulatory perspective, the critical element is how did you use the information you developed in the root cause analysis? Every time you see a problem as a CCO, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm was done? Why or why not? Why did that system fail? Was it because the person who is doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions which have been developed through a root cause analysis that you can bring real value and real solutions to your compliance programs.

The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step processes, in which one process can confirm the results of another. Focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event and you will have a much more robust solution in place. This is because the solution(s) are more effective when accomplished through a systematic process with conclusions backed up by evidence.

When you step back and consider what the DOJ was trying to accomplish with its 2023 ECCP, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.

Categories
Blog

Strategic Considerations for Implementing AI in Compliance

What are some of the strategic considerations for implementing AI in compliance? What are the key factors that impact these strategic considerations for implementing AI in compliance, exploring the tradeoffs, challenges, and importance of considering the impact on decision-making.

The first consideration is understanding the impact of AI on the company. AI can affect a company in various ways, from internal operations to the products or services it sells. It is crucial for compliance professionals, CEOs, and compliance functions to take a high-level perspective and identify all the ways AI can impact their organization.

The second consideration is maintaining an inventory of all tools used. This can be challenging, especially when a company uses a mix of homegrown and commercially available tools. However, understanding the tools being used in different parts of the company is essential for fully comprehending the privacy and regulatory risks involved.

The third consideration is understanding the tools for cost efficiency and risk avoidance. Companies need to evaluate the value and usage of AI tools regularly. This evaluation helps in balancing the necessary provision of tools with rigorous data security and risk minimization practices. It also ensures cost efficiencies by avoiding redundant tools and optimizing their usage.

The fourth consideration is involving all business sectors in AI discussions. AI implementation should not be siloed within compliance or any specific department. It requires collaboration and participation from various stakeholders, including the board, operations, and compliance teams. Bringing everyone together in an AI working group or team allows for a holistic and strategic approach to AI implementation.

The fifth consideration is utilizing AI for better data usage in compliance. AI enables compliance professionals to analyze trends and patterns in data effectively. This goes beyond simple automation and moves towards predictive analytics. By leveraging AI, compliance programs can enhance their effectiveness and stay ahead of potential risks.

While implementing AI in compliance brings numerous benefits, there are tradeoffs and challenges to consider. One tradeoff is the need to balance exploration and innovation with rules and regulations. Companies should encourage employees to explore and experiment with AI tools but within a safe environment and with clear guidelines. This ensures that AI is used to benefit the company without causing harm.

Another challenge is the selection of AI tools. With the rapid pace of AI development, companies must carefully evaluate and choose the right tools. The wrong choice can lead to wasted resources and missed opportunities. It is crucial to consider factors such as reliability, controls, and the ability to retrieve data if needed.

The impact of AI implementation on compliance cannot be underestimated. Compliance professionals need to stay updated with the latest AI developments and trends. This requires continuous learning and keeping abreast of industry news and insights. Subscribing to relevant sources, such as AI-focused publications or news platforms, can help compliance professionals stay informed.

Implementing AI in compliance requires strategic considerations and decision-making. Understanding the impact of AI, maintaining an inventory of tools, considering cost efficiency and risk avoidance, involving all business sectors, and utilizing AI for better data usage are key factors to consider. Balancing exploration and rules, as well as selecting the right AI tools, are challenges that need to be addressed. By carefully navigating these considerations and challenges, companies can leverage AI to enhance their compliance programs and stay ahead in an ever-evolving regulatory landscape.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 28 – Data-Driven Compliance – From Cutting Edge to Table Stakes

Compliance programs play a crucial role in ensuring that companies adhere to legal and ethical standards. In today’s digital age, where data is abundant and easily accessible, the importance of data-driven compliance programs cannot be overstated. This message was driven home very forcefully in a speech in November by Nicole Argentieri, acting assistant attorney general for the Criminal Division. She stated, “I’d like to now turn to our use of data. In the Criminal Division, we too are going above and beyond in our effort to combat white collar crime. We are not just waiting for companies to self-report, or witnesses to come forward, or for anomalies to reveal themselves on a one-off basis. Let me be the first to tell you that we have proactively used data to generate FCPA cases, and we’ve only just gotten started.”

Data-driven compliance programs have moved from cutting edge and are now seen as best practices. Soon, they will simply be table stakes for companies to effectively manage compliance risks. By actively monitoring and analyzing data, companies can identify potential compliance issues, mitigate risks, and maintain their reputation and integrity. Collaboration between different departments and a formal risk assessment are key factors in establishing a robust compliance program. As technology continues to advance, the role of data analytics and AI in compliance monitoring is expected to become even more significant. It is crucial for compliance professionals to stay informed, continuously learn, and adapt to the evolving landscape of data-driven compliance.

Three key takeaways:

1. Nicole Argentieri, acting assistant attorney general for the Criminal Division, said,  “Let me be the first to tell you that we have proactively used data to generate FCPA cases, and we’ve only just gotten started.”

2. . Compliance professionals must actively analyze the data for trends, anomalies, and potential compliance risks.

3. Data-driven compliance programs have moved from cutting edge and are now seen as best practices. Soon, they will simply be table stakes for companies to effectively manage compliance risks.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.