Tag: DOJ

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Welcome to 2024 Edition

What happens when two top compliance commentators get together? They talk about compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode! In this episode, Tom and Kristy take on a wide variety of topics, including the self-improvement of the Florida Man gone astray.

In the ever-evolving world of regulatory compliance and risk management, challenges are constant, and strategies must be dynamic. Tom highlights the SFO, culture assessments, Key Board issues for 2024 and the McDonald’s Doctrine. Kristy highlights the new law, FEPA, Supply Chains, AI, and checks in on Florida Man. Join Tom Fox and Kristy Grant-Hart as they delve deeper into these issues in this episode of the 2 Gurus Talk Compliance podcast.

Highlights Include:

  1. U.S. Prosecutors Can Charge Foreign Officials With Bribery Under New Provision (WSJ)
  2. New Actions from the White House Highlight the Difficulty of Tracing Forced Labor in Supply Chains (Supply Chain Brain Blog)
  3. Maryland looks to harness AI for government use with executive order (Washington Post)
  4. WorkLife’s definitive guide to what’s in and out for 2024 (WorkLife)
  5. Analysis of failure to exercise duty of oversight by a corporate officer. (D&O Diary)
  6. Key Board issues for 2024. (Compliance and Enforcement)
  7. Are emojis evil? (FCPA Blog)
  8. SFO hammered in the ENRC report. (WSJ)
  9. Why do you need to do a culture assessment? (CCI)
  10. Florida woman sues Hershey for $5 million over ‘deceptive’ Reese’s packaging (ABC News)

 Resources:

Kristy Grant-Hart on LinkedIn

Spark Consulting

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 12 – Your Code of Conduct

What is the value of having a Code of Conduct? In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to wave in a regulator’s face during an enforcement action as proof of ethical overall behavior. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s internal law? What should be the goal of the creation of your company’s Code of Conduct?

How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, Inc., which turned on a violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be an FCPA internal control violation. It involved a clear quid pro quo benefit paid out by United to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity that has authority over, among other things, United’s operations at the company’s huge east coast hub in Newark, NJ.

Three key takeaways:

1. A Code of Conduct is a foundational document in any compliance regime.

2. The substance of your Code of Conduct should be tailored to the company’s culture, to its industry, and to its corporate identity.

3. “Document, Document, and Document” your training and communication efforts regarding your Code of Conduct.

Categories
Daily Compliance News

Daily Compliance News: January 11, 2024 – The SAP Again Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • FINRA says AI is emerging.  (WSJ)
  • SAP has yet another FCPA enforcement action.  (FCPA Blog)
  • Microsoft OpenAI investment faces EU scrutiny. (Reuters)
  • The SEC approves a new type of Bitcoin fund.  (NYT)
Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 10 – Leadership’s Conduct at The Top

The 2022 Monaco Memo emphasized the basic point that the key to every company is culture. The bottom line is that corporate culture matters, and corporate culture that fails to hold individuals accountable or fails to invest in compliance—or worse, that thumbs its nose at compliance—leads to bad results.

To assist companies in understanding this requirement, the 2023 ECCP sets out inquiries demonstrating that DOJ requirements are more than simply the ubiquitous “tone-at-the-top,” as they focus on the conduct of senior management. The DOJ wants to see a company’s senior leadership actually doing compliance. The DOJ asks if company leadership has, through their words and concrete actions, brought the right message of doing business ethically and in compliance to the organization. How does senior management model its behavior based on a company’s values and finally, how is such conduct monitored in an organization?

Three key takeaways:

1. Senior management must actually do compliance—not simply talk the talk of compliance but also walk the walk.

2. The DOJ is now actively assessing corporate culture during investigations.

3. Your CEO is a Compliance Ambassador.

 

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 9 – Continuous Monitoring and Continuous Improvement

Continuous monitoring and continuous improvement are two of the most important phrases for any compliance program. These twin concepts were further enshrined in the 2023 Update to the Evaluation of Corporate Compliance Programs (2023 ECCP). In 2023, all companies’ risks changed as we moved from Working From Home to Return To Office and, now, a hybrid model. In addition to this straight-forward change in risk due to working locations, new risks in the form of geopolitical, supply chain, and export control, as well as increased risk due to social media, continue to impact compliance programs.  Your compliance program must be ready to respond to whatever those risks might be going forward.

Continuous improvement runs the gamut in a best practices compliance program, from risk assessments to policies and procedures to periodic testing and review.

Three key takeaways:

1. How have your company’s risks changed over the past year, and how will they change in 2024?

2. What is your process for continuous monitoring and improvement?

3. What sources of information do you use that come from outside your organization?

Categories
Blog

Compliance Program Use of Data Analytics

Matt Galvin, Counsel, Compliance & Data Analytics at the DOJ and one of the experts leading the DOJ’s data analytics initiative, highlighted in another talk, the proactive use of data to generate cases related to the FCPA and emphasized that this is just the beginning. The DOJ expects companies to adopt a similar data-driven approach to compliance. In her speech, Argentieri speech where she stated, “just as we are upping our game when it comes to data analytics, we expect companies to do the same.” This expectation extends beyond simply tracking trainings, policies, and investigations. The DOJ’s focus is on monitoring third parties throughout the lifespan of the relationship, not just during the onboarding process.

This means that  while due diligence and background checks are essential, the real risk of fraud occurs during the actual business transactions with third parties. Companies need to go beyond initial checks and continuously monitor high-risk vendors, contract terms, and other relevant data sources. By mapping risks to data sources and implementing effective tests, companies can identify and prioritize risky transactions. The increasing accessibility and cost-effectiveness of data analytics have made it a viable option for companies of all sizes. It can help companies demonstrate effective compliance programs, uncover hidden financial irregularities, and improve overall efficiency. The importance of continuous data analysis in compliance programs was highlighted by the Bank of America CFPB enforcement action.

However, implementing a data-driven compliance program comes with its own set of challenges. There is still confusion among the compliance community regarding what data analytics entails and how it should be applied. Data-analytics should be seen as a process-oriented approach rather than treating it as a one-time project. Data analytics should be integrated into the compliance program as a continuous business process, similar to third-party due diligence.

The Bank of America CFPB enforcement action case serves as a reminder of the importance of the use of data analytics in corporate compliance. Bank of America had the necessary data and tools to build an analytics program, but they failed to effectively utilize it, leading to compliance issues. This case highlights the need for companies to not only have data analytics capabilities but also to ensure they are properly implemented and maintained.

While data analytics can be a powerful tool for corporate compliance, there are challenges associated with its use. Companies must navigate the tradeoffs involved in balancing different factors, such as the level of sophistication required, resource allocation, and the potential risks of self-disclosure. Additionally, companies must consider the potential criticism they may face if they fail to effectively utilize their analytics tools in the event of a major compliance violation.

The Argentieri speech highlighted the DOJ’s (and SEC’s) increasing focus on data analytics for corporate compliance highlights the importance of this tool in identifying and addressing corporate misconduct. Companies, especially larger ones, are expected to enhance their data analytics capabilities and may face increased pressure for voluntary self-disclosure. However, companies must also navigate the challenges and tradeoffs associated with data analytics to ensure effective compliance and mitigate risks.

The DOJ’s increasing use of data analytics for proactive enforcement has far-reaching implications. Companies must recognize the importance of adopting a data-driven approach to compliance and invest in the necessary resources and technology. By doing so, they can not only meet the DOJ’s expectations but also improve the effectiveness of their compliance programs and mitigate the risk of fraud.

The DOJ’s increasing use of data analytics for proactive enforcement signifies a significant shift in their approach to combating white-collar crime. Companies must embrace this data-driven approach to compliance, continuously monitor high-risk transactions, and invest in the necessary resources and technology. By doing so, they can demonstrate effective compliance programs, uncover hidden financial irregularities, and improve overall efficiency.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 8 – Operationalizing Compliance Through Payroll

One of the areas articulated in the 2023 ECCP was around payments and payroll. For both the compliance professional and the corporate payroll function, there is a significant role to play in the operationalization of a corporate compliance program. The 2023 ECCP was replete with references to payment and its critical nature to any best practices compliance program. This includes references to payments to foreign officials, payments to third parties, and hiding bribes in payments to distributors. The 2023 ECCP begins with an admonition to stop wasting time on low-hanging fruit when there are much higher risks in your business operations.

The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is out of payroll. All CCOs need to sit down with their head of payroll, have them explain the role of payroll, and then review the internal controls in place to see how they facilitate compliance goals. From that review, you can then determine how to use payroll to help operationalize your compliance program.

The DOJ has now provided its clearest statement on how it expects a company to actually comply going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from compliance violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process that should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the most well-suited corporate discipline to provide this first level of oversight and control.

Three key takeaways:

  1. Payroll can be a key to preventing and detecting control
  2. The 2020 Update specified the tie between the corporate compliance function and the corporate payroll function.
  3. Offshore payments remain a key indicator of a red flag.
Categories
Blog

New DOJ M&A Safe Harbor Policy

We continue our review of DOJ initiatives from 2023 and what they may portend for the compliance professional in 2024 and beyond. In October 2023, Deputy Attorney General Lisa Monaco announced a new policy regarding M&A. It is a Mergers & Acquisitions Safe Harbor policy that encourages companies to self-disclose criminal misconduct discovered by an acquiring company during the acquisition of a target company. Under the policy, the acquiring party will receive a presumption of criminal declination if it promptly and voluntarily discloses criminal misconduct, cooperates with any ensuing investigation, and engages in appropriate remediation, restitution and disgorgement.

The Safe Harbor policy is a clear continuation of the DOJ’s push for corporate voluntary self-disclosure. Monaco outlined efforts by DOJ to increase the benefits to companies that voluntary disclose corporate misconduct rather than those companies that decide not to disclose misconduct. The key for the acquirer company to  obtain the “carrot” DOJ is dangling and poses questions as to the “stick” the DOJ might wield if a self-disclosure does not achieve safe harbor, or more broadly, if an acquirer fails to identify criminal misconduct in the acquisition process, either pre or post-closing. This new Mergers & Acquisitions Safe Harbor Policy clearly demonstrates the DOJ’s interest is to avoid discouraging companies with strong compliance programs from acquiring companies with ineffective compliance programs and/or a history of misconduct.  To the contrary, DOJ is seeking to incentivize an acquiring company to timely disclose misconduct uncovered during the M&A process.

The Key Policy Takeaways are as follows:

  • The acquiring company must disclose criminal misconduct within six months of the transaction closing date.
  • The acquiring company has one year from the closing date to fully remediate the misconduct, including remediation, restitution and disgorgement, where appropriate.
  • Both deadlines are subject to reasonableness and may be extended by prosecutors due to deal complexity and other factors.
  • Misconduct that threatens national security or involves ongoing imminent harm must be immediately disclosed.
  • Misconduct disclosed under the policy will not factor into present or future recidivist analysis for the acquiring company.
  • The acquiring company’s eligibility for a criminal declination will not be impacted by the presence of aggravating factors at the acquired company.
  • The target company can also qualify for self-disclosure benefits, potentially including a declination, if there are no aggravating factors at the target company.
  • The policy does not impact civil merger enforcement.
  • The policy does not apply to misconduct that is otherwise required to be disclosed, already public or otherwise known to the DOJ.

Under this new Mergers & Acquisitions Safe Harbor, which applies across the Department of Justice, companies that promptly and voluntarily disclose criminal misconduct with the Safe Harbor period, and then cooperate with the resulting investigation, engage in timely and appropriate remediation and pay applicable restitution and disgorgement, will receive a presumption of a declination. Once again, the key deadlines are as follows:

  • Companies must disclose misconduct discovered (whether pre-or post-acquisition) at the acquired entity within six (6) months from the date of closing.
  • Companies will then have one year from the date of closing to fully remediate the misconduct.

The 6 month and one-year deadlines are subject to modification depending on the specific circumstances and complexity of the transaction.  The acquired company can also qualify under the Mergers & Acquisition Safe Harbor Policy for voluntary self-disclosure benefits.  Interestingly, DOJ clarified that any misconduct disclosed under the Safe Harbor Policy will not implicate or be counted in any future potential recidivist analysis.

As with most new DOJ policy initiatives, these concepts have been around for some time. As far back as 2008, the DOJ in Opinion Release 08-02 laid out safe harbor concepts in mergers and acquisitions. This Opinion Release was followed by the FCPA Resource Guide, 1st edition, released in 2012 which brought these concepts forward. However, many defense counsel decried the lack of certainty in both of these initiatives. Now under this new Mergers & Acquisition Safe Harbor Policy, the benefits are laid out in black and white.

The DOJ has made clear that under this new Mergers & Acquisition Safe Harbor Policy organizations that do not perform effective due diligence or self-disclose misconduct at an acquired entity will be subject to full successor liability. DOJ’s objective is clear — they do not want to penalize companies with strong compliance programs from acquiring companies with weak compliance programs when they conduct proper due diligence and discover and self-disclose misconduct. With this new policy, the DOJ is encouraging companies to conduct robust pre-acquisition due diligence and post-acquisition integration. Compliance must have a prominent seat at the deal table if an acquiring company wishes to effectively de-risk a transaction.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 7 – Compliance Program Use of Data Analytics

Matt Galvin, Counsel, Compliance & Data Analytics at the DOJ and one of the experts leading the DOJ’s data analytics initiative, highlighted in another talk the proactive use of data to generate cases related to the FCPA and emphasized that this is just the beginning. The DOJ expects companies to adopt a similar data-driven approach to compliance. In her speech, Argentieri stated, “Just as we are upping our game when it comes to data analytics, we expect companies to do the same.” This expectation extends beyond simply tracking trainings, policies, and investigations. The DOJ’s focus is on monitoring third parties throughout the lifespan of the relationship, not just during the onboarding process.

The DOJ’s increasing use of data analytics for proactive enforcement signifies a significant shift in their approach to combating white-collar crime. Companies must embrace this data-driven approach to compliance, continuously monitor high-risk transactions, and invest in the necessary resources and technology. By doing so, they can demonstrate effective compliance programs, uncover hidden financial irregularities, and improve overall efficiency.

Three key takeaways:

1. This also means that data analytics in the compliance function has moved from cutting edge to best practice. It soon may simply mean table stakes for compliance.

2. The DOJ is seeking to incentivize an acquiring company to timely disclose misconduct uncovered during the M&A process.

3. The DOJ has made it clear that under this new Mergers & Acquisitions Safe Harbor Policy, organizations that do not perform effective due diligence or self-disclose misconduct at an acquired entity will be subject to full successor liability.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 6 – DOJ M&A Safe Harbor

In October 2023, Deputy Attorney General Lisa Monaco announced a new policy regarding M&A. It is a Mergers & Acquisitions Safe Harbor policy that encourages companies to self-disclose criminal misconduct discovered by an acquiring company during the acquisition of a target company. Under the policy, the acquiring party will receive a presumption of criminal declination if it promptly and voluntarily discloses criminal misconduct, cooperates with any ensuing investigation, and engages in appropriate remediation, restitution, and disgorgement.

Under this new Mergers & Acquisitions Safe Harbor, which applies across the Department of Justice, companies that promptly and voluntarily disclose criminal misconduct during the Safe Harbor period and then cooperate with the resulting investigation, engage in timely and appropriate remediation, and pay applicable restitution and disgorgement will receive a presumption of a declination. Once again, the key deadlines are as follows:

  • Companies must disclose misconduct discovered (whether pre-or post-acquisition) at the acquired entity within six (6) months from the date of closing.
  • Companies will then have one year from the date of closing to fully remediate the misconduct.

The 6 month and one-year deadlines are subject to modification depending on the specific circumstances and complexity of the transaction. The acquired company can also qualify under the Mergers & Acquisitions Safe Harbor Policy for voluntary self-disclosure benefits. Interestingly, the DOJ clarified that any misconduct disclosed under the Safe Harbor Policy will not implicate or be counted in any future potential recidivist analysis.

Three key takeaways:

1. The DOJ Mergers & Acquisitions Safe Harbor policy encourages companies to self-disclose criminal misconduct discovered by an acquiring company during the acquisition of a target company.

2. The DOJ is seeking to incentivize an acquiring company to timely disclose misconduct uncovered during the M&A process.

3. The DOJ has made it clear that under this new Mergers & Acquisitions Safe Harbor Policy, organizations that do not perform effective due diligence or self-disclose misconduct at an acquired entity will be subject to full successor liability.