Categories
Daily Compliance News

Daily Compliance News: October 17, 2024 – The RTX Settles Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • RTX settles FCPA and fraud cases. (FT)
  • Mexico ex-Drug Czar to be sentencing for accepting bribes. (Reuters)
  • McKinsey is close to settling its part in the opioid crisis. (Reuters)
  • A Boeing judge wants additional information on Monitor and selection. (Law360)

Categories
Blog

TD Bank: Part 3 – Lessons Learned for Compliance

We continue our exploration of the resolution of the AML/BSA enforcement action involving the TD Bank US (the Bank) wholly owned by the TD Bank Group,  a publicly traded (NYSE: TD) international banking and financial services corporation headquartered in Toronto, Canada. Today, we explore some key lessons learned for the AML compliance professional. We begin with what Attorney Merrick Garland noted: “Three money laundering networks took advantage of TD Bank’s failed anti-money laundering system.”

The 3 Money-Laundering Scheme

The David Scheme

Da Ying Sze, also known as David, used the Bank as a money laundering and unlicensed money transmitting scheme for which he pled guilty in 2022. David conspired to launder and transmit over $653 million, with more than $470 million laundered through TDBNA. He bribed bank employees with over $57,000 in gift cards to facilitate the scheme. David laundered money by depositing large amounts of cash, sometimes exceeding $1 million in a single day, into accounts opened by other individuals. He also instructed bank employees to send wires and issue official checks. The Bank needed to correctly identify David as the person conducting the transactions in over 500 CTRs, which covered more than $400 million in transaction value, despite David directly depositing large cash sums into accounts he allegedly did not control.

Bank Insiders

Five Bank employees provided material assistance to a second money laundering scheme, which laundered millions of dollars from the United States to Colombia. The five individuals, referred to as “TDBNA Insiders,” held various positions within the bank, including Financial Service Representative, Retail Banker, Assistant Store Manager, and Store Supervisor at TDBNA stores in New Jersey and Florida. These insiders helped the money laundering networks by opening accounts and providing dozens of ATM cards used to launder funds through high-volume ATM withdrawals. They also assisted in maintaining these accounts by issuing new ATM cards and overcoming internal controls and freezes on account activity. Through these actions, approximately $39 million was laundered through the bank. Despite significant internal red flags, TDBNA did not identify the insiders’ involvement in the money laundering scheme until law enforcement arrested Insider-1 in October 2023.

Shell Company Scammers

From March 2021 through March 2023, a money laundering organization known as “MLO-1,” which claimed to be involved in the wholesale diamond, gold, and jewelry business, maintained accounts for at least five shell companies at the Bank. These accounts moved approximately $123 million in illicit funds through the bank. The Bank knew these shell companies were connected, sharing the same account signatories. Despite these red flags, The Bank did not file a Suspicious Activity Report (SAR) on MLO-1 until law enforcement notified the bank in April 2022. By then, MLO-1’s accounts had been open for over 13 months and had transferred nearly $120 million through TDBNA.

Lessons Learned

This enforcement action is a sobering reminder of compliance’s critical role in preventing and detecting financial crimes like money laundering. With over $470 million laundered in one scheme, $39 million moved through insiders, and $123 million transferred via shell companies, significant compliance failures occurred.  Of course, these are only a part of the $18.3 trillion in transactions that the Bank does not monitor due to its conscious compliance failures. These incidents underscore the importance of maintaining robust internal controls, employee oversight, and proper reporting mechanisms.

Failing to Detect Obvious Red Flags

In this case, one of the most glaring issues is the bank’s failure to identify the obvious red flags associated with laundering large sums of money. In the case of David, the Bank failed to file accurate CTRs for over $400 million in transactions. David regularly deposited enormous amounts of cash, over $1 million in a single day, into accounts opened by others, yet the bank failed to link him to these transactions.

The key takeaway for compliance professionals is to ensure that their systems are calibrated to flag suspicious activities, especially when transactions exceed certain thresholds. Large cash deposits, frequent activity involving multiple accounts, and nominee account holders should always trigger enhanced due diligence and review. Automated systems must be updated and combined with human oversight to catch these patterns.

The Role of Corrupt Employees in Facilitating Money Laundering

The involvement of the Bank Insiders in the second laundering scheme is a textbook example of how internal corruption can undermine even the most sophisticated compliance programs. These employees assisted money laundering networks by opening accounts, providing ATM cards, and circumventing internal controls and account freezes. In exchange, they received bribes, showing the vulnerability of staff in critical roles.

This scenario mandates why employees must undergo regular anti-bribery and anti-corruption training to reinforce the consequences of accepting bribes and engaging in unethical behavior. In addition, a strong compliance culture should include mechanisms for detecting internal misconduct, such as anonymous reporting systems and independent audits to identify corrupt employees early. Creating ethical guardrails within your organization, alongside frequent checks and balances, can protect against insider threats.

CTRs and SARs Must be a Priority

A key regulatory requirement under the Bank Secrecy Act (BSA) is the filing of Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs). The Bank’s failure to file accurate CTRs in David’s case and delayed filing of SARs in the Shell Company Scammers scheme underscores how devastating the consequences can be when compliance teams do not take their regulatory obligations seriously. Even after identifying that shell companies were linked to each other by shared account signatories, the Bank failed to act quickly, allowing nearly $120 million to be laundered through their systems.

The timely filing of CTRs and SARs is not just a best practice; it is a regulatory requirement. Compliance officers must ensure that processes for flagging suspicious activity are effective and swift. Training staff to recognize when CTRs and SARs are needed and implementing systems that automatically flag transactions for review will help ensure compliance with reporting obligations.

Third-Party Risk and Shell Companies: Know Your Customer (KYC) Failures

The shell companies used to launder $123 million demonstrate a significant lapse in the bank’s Know Your Customer (KYC) protocols. The Bank knew the shell companies were linked by the same account signatories yet failed to act for over a year. This gap in KYC enforcement allowed significant funds to pass through without appropriate scrutiny or action.

KYC processes should be foundational to every compliance program. Regular reviews and enhanced due diligence are required when dealing with high-risk entities like shell companies. Compliance professionals should prioritize the identification of ultimate beneficial ownership (UBO) and remain vigilant when patterns suggest potential fraud, even if account openings appear legitimate at first glance. Your KYC protocols must also integrate ongoing monitoring, not just one-time checks.

The Consequences of Ignoring Red Flags

Across all three schemes, the Bank ignored significant internal red flags—whether employees directly deposited large sums of cash, insiders actively assisting in laundering activities, or shell companies linked by shared signatories. Compliance must be more than just a checkbox exercise. Red flags must be taken seriously and escalated quickly to prevent further damage.

Compliance teams must be empowered to act decisively when red flags are raised. This includes having the authority to freeze accounts, file reports, and escalate issues to senior management and regulatory authorities when needed. Additionally, a strong culture of compliance, backed by leadership, should encourage immediate action when suspicious activity is detected.

Monitoring and Auditing: Preventing Future Failures

Finally, this case reveals the importance of ongoing monitoring and regular auditing. In all three schemes, the Bank failed to sufficiently monitor account activities and employees, which allowed the laundering schemes to continue for extended periods. Regular audits and automated transaction monitoring systems are essential to detect and prevent similar issues.

Auditing and monitoring systems should be built into your compliance framework, focusing on high-risk accounts, employees, and geographies. By continuously reviewing and auditing compliance processes, teams can identify gaps early and prevent further exploitation. Technology can be key in monitoring, but human oversight is critical to analyzing more complex behavior patterns.

This enforcement action is a stark reminder of the consequences of weak compliance controls, employee corruption, and failure to act on red flags. For compliance professionals, the lessons from this case are clear: robust internal controls, continuous training, effective KYC procedures, and timely reporting are essential to preventing and detecting money laundering. By learning from these failures, compliance officers can strengthen their programs and ensure their organizations remain vigilant in the fight against financial crime.

I will explore this matter in depth over the next several blog posts. Tomorrow, I will consider the Bank’s culture and flat cost paradigm.

Resources

OCC

OCC Press Release

Consent Order 

Civil Money Penalty 

DOJ

TD Bank US Holding Company Information

TD Bank N.A. Information

TD Bank US Holding Company Plea Agreement and Attachments

TD Bank N.A. Plea Agreement and Attachments

Merrick Garland Remarks

Nicole Argentieri Remarks

Categories
Blog

TD Bank: Part 2 – When Profits Trump Compliance: A Recipe for Corporate Disaster

We continue our exploration of the resolution of the AML/BSA enforcement action involving TD Bank US (the Bank), which is wholly owned by TD Bank Group, a publicly traded (NYSE: TD) international banking and financial services corporation headquartered in Toronto, Canada. TD Bank Group is one of the thirty largest banks in the world and the second-largest bank in Canada.

The enforcement action came in with a $3 billion penalty against the Bank, which has pled guilty to charges relating to the Bank Secrecy Act (BSA), which requires financial institutions to maintain programs to detect and report suspicious activity by their customers. The Bank also settled a series of civil investigations by the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), the Federal Reserve, and the Office of the Comptroller of the Currency (OCC), which mandated a Monitor to oversee the building out of the Bank’s compliance program and imposed an asset cap limiting the growth of the Bank’s U.S. retail business as a result of the breakdown of its controls.

This TD Bank case is right up there with Siemens, Petrobras, Odebrecht, Goldman Sachs, and Volkswagen as some of the most basic violations of corporate law we have ever seen. All of the above cases involved bribery and fraud, and the Bank case involved a violation of the most basic requirement of the BSA and the most basic tenets of an anti-money laundering compliance program. Moreover, the Bank’s conduct was not 20 years ago or even 10 years ago, as the conduct began in 2018, and the illegal conduct was right up to this past year. What led to these failures?

Failures at the Top

For the Bank, it all started at the top, where the very senior executives at the Bank decreed that no additional funds would be made available for compliance, compliance updates, or new technological solutions designed to make fulfillment of compliance obligations more efficient. This funding strangulation was termed the “flat cost paradigm” across the Bank’s operations. As a result, the Bank “willfully failed to remediate persistent, pervasive, and known deficiencies in its AML program, including (a) failing to substantively update its transaction monitoring system, which is used to detect illicit and suspicious transactions through the Bank, between 2014 and 2022 despite rapid growth in the volume and risks of the Bank’s business and repeated warnings about the outdated system.”

According to the TD Bank US Holding Company Information, this policy was pursued by the Bank Audit Committee and by the Bank’s Chief Anti-Money Laundering Officer during the relevant period, and the Bank’s BSA Officer both knew there were long-term, pervasive, and systemic deficiencies in the Defendants’ U.S. AML policies, procedures, and controls. This led to the Bank monitoring only approximately 8% of the volume of transactions because it omitted all domestic automated clearinghouse transactions, most check activity, and numerous other transaction types from its automated transaction monitoring system. Due to this failure, the Bank did not monitor approximately $18.3 trillion of transactions between January 1, 2018, through April 12, 2024.

It is not as if the Board of the Bank and its Canadian overlords were unaware of these deficiencies. As far back as 2013, FinCEN and the OCC brought enforcement actions against the Bank for its failures in its AML program. The Bank’s Board of Directors specifically signed off on the resolution of this enforcement action. IN 2018, the OCC characterized the Bank’s “planning, delivery, and execution of AML technology systems and solutions as insufficient. Specifically, the OCC highlighted the delays in implementing multiple AML technology projects and found those delays to be directly linked to nearly all of TDBNA’s outstanding AML program issues.”

Internal Audits at the bank also identified specific deficiencies in the bank’s AML and BSA compliance programs. In 2018, Internal Audit determined that the Bank’s high-risk jurisdiction transaction monitoring scenarios were using an outdated list of high-risk jurisdictions, meaning the bank’s scenarios were not designed to generate alerts on the jurisdictions currently deemed to be high-risk. Again, in 2020, Internal Audit identified AML compliance deficiencies related to the governance and review of transaction monitoring scenarios.

External third-party consultants also identified deficiencies in the Bank’s AML/BSA programs. One consultant “commented that “increased volumes and regulatory requirements” would pressure AML operations to meet demands and deadlines. The same consultant concluded that the Bank’s required testing of its transaction monitoring scenarios— which assessed whether scenarios were adequately capturing suspicious activity— took twice as long as the industry average.” A second consultant noted the Bank had “sub-optimal [transaction monitoring] scenarios” due, in part, to “outdated parameters” that generated a large volume of alerts that limited the Bank’s ability to focus on high-risk customers and transactions.” Finally, a third consultant “identified numerous limitations in the Bank’s transaction monitoring program, including technology barriers to developing new scenarios or adding new parameters to existing scenarios.”

Knowledge at the Bottom

Perhaps the craziest thing about the Bank’s failures in AML/BSA was that everyone was in on the joke: the Board, senior management, Bank employees, and ‘the bad guys.’ One conversation went like this:

AML Technologist: what do the bad guys have to say about us Lol

AML Manager: Easy target

AML Technologist:  damnit

AML Manager: Old scenarios; old CRR; tech agility is poor to react to changes

AML Manager: Bottomline: we have not had a single new scenario added since we first implemented the SAS

Another example cited in the Information was the following: “Other employees, both in AML and retail, consistently commented on the Bank’s instant messaging platform about the Bank’s motto, “America’s Most Convenient Bank,” and directly linked it to the Bank’s approach to AML. For example, a US-AML employee noted that a reason the Bank had not stopped one of the below-referenced money laundering typologies was because “we r the most convenient bank lol.”

Finally, this example from the information section states that “employees at multiple levels understood and acknowledged the likely illegality of David’s activity. In August 2020, one TDBNA store manager emailed another store manager and remarked, “You guys need to shut this down, LOL.” In late 2020, another store manager implored his supervisors (several TDBNA regional managers) to act, noting that “[i]t is getting out of hand, and my tellers are at the point that they don’t feel comfortable handling these transactions.” In February 2021, one TDBNA store employee saw that David’s Network had purchased more than $1 million in official bank checks with cash in a single day and asked, “How is that not money laundering,” to which a back-office employee responded, “oh it 100% is.” “

In his remarks, Attorney General Merrick Garland cited three examples where Bank employees knew money laundering was ongoing.

  1. In February 2021, one TD Bank store employee saw that David’s network had purchased over $1 million in official bank checks with cash in a single day. The employee asked, “How is that not money laundering?” A back-office employee responded, “Oh, it 100% is.”
  2. In a second, separate money laundering scheme, five TD Bank employees conspired with criminal organizations to open and maintain accounts at the bank that were used to launder $39 million to Colombia, including drug proceeds.
  3. In yet a third scheme, a money laundering network maintained accounts at TD Bank for at least five shell companies. It used those accounts to move over $100 million in illicit funds through the bank.

The bottom line is that everyone knows that the Bank facilitated money laundering and BSA violations. Why? The Bank consciously decided not to fund the compliance function or pay for any upgrades or updates, all in the name of its ‘flat cost paradigm.’

I will explore this matter in some depth over the next several blog posts. Tomorrow, I will consider money-laundering schemes.

Resources

 OCC

OCC Press Release

Consent Order 

Civil Money Penalty 

DOJ

TD Bank US Holding Company Information

TD Bank N.A. Information

TD Bank US Holding Company Plea Agreement and Attachments

TD Bank N.A. Plea Agreement and Attachments

Merrick Garland Remarks

Nicole Argentieri Remarks

Categories
Blog

TD Bank: Part 1 – Money Laundering and the China Syndrome

Last week, representatives of the US government announced one of the largest sets of fines and penalties for failures in anti-money laundering ever laid down. It involved TD Bank N.A. and TD Bank US Holding Company. It was over $3 billion in fines and penalties with a restriction in growth until the company gets its compliance act together. However, it is not the fine nor creative penalty that flags this matter but the underlying facts and raw brazen-ness of the 10th largest bank in the United States to either actively engage in an ongoing criminal enterprise or to willfully disregard specific evidence of criminal activity and failure of basic compliance which makes this enforcement action stand out. Employees from the front-line tellers who took in millions of dollars in cash, right up to the Board of Directors, knew the bank’s conduct was illegal or buried their collective heads so far down into the sand that they could have caused the China Syndrome to self-execute.

The regulators and enforcers in this sordid tale include the Department of Justice (DOJ), the Board of Governors of the Federal Reserve Board (FRB), the Treasury Department’s Office of the Comptroller of the Currency (OCC), and Financial Crimes Enforcement Network (FinCEN). According to a DOJ Press Release, TD Bank N.A. (TDBNA) and its parent company TD Bank US Holding Company (TDBUSH) (together with TDBNA, the Bank) pled guilty today. They agreed to pay over $1.8 billion in penalties to resolve the Department of Justice’s (DOJ) investigation into violations of the Bank Secrecy Act (BSA) and money laundering. Finally, TD Bank’s guilty pleas are part of a coordinated resolution with the FRB, the OCC, and FinCEN. With the additional fines and penalties due to these entities, the total fine and penalty is over $3 billion.

TDBNA pled guilty to conspiring to fail to maintain an anti-money laundering (AML) program that complies with the BSA, failing to file accurate Currency Transaction Reports (CTRs), and money laundering. TDBUSH pleaded guilty to causing TDBNA to fail to maintain an AML program that complies with the BSA and to fail to file accurate CTRs.

To add to all the above, the government put a restriction on TD’s growth until it fully remediates its compliance program because, as noted by Matt Kelly in Radical Compliance,  it specified that “TDBNA’s total assets cannot exceed $434 billion without OCC approval, and that approval will not come until TDBNA completes an extensive transformation of its AML compliance program.” Further, Kelly noted that if “TDBNA does not make progress on those compliance program reforms in a timely manner, OCC can reduce that asset cap by another 7 percent, and keep going until TD gets its compliance act togetherIn other words, the longer TD drags its feet on implementing compliance reforms, the tighter the leash around its neck will get.”

How did the Bank get to this point, what can it do to resolve this mess, and what are the lessons learned for the compliance professional, corporate executive, and Board of Directors? Additionally, what is the point of punishment? Will foreign entities always come to the US, open branches, and engage in illegal activities, all in the scramble for the all-mighty dollar? Will corporate executives ever be held liable for intentionally looking the other way or burying their heads in the sand? Several blog posts will explore the answers to these questions and more.

What They Said-Merrick Garland

In a rare appearance by Attorney General Merrick Garland to announce the guilty plea, fine, and penalty, he stated, “Today, TD Bank pled guilty to multiple felonies, including conspiring to violate the Bank Secrecy Act and commit money laundering. TD Bank has also agreed to a $1.8 billion criminal penalty. Combined with civil enforcement actions announced today by other agencies, the United States will impose a total [penalty] of approximately $3 billion against TD Bank. TD Bank created an environment that allowed financial crime to flourish. By making its services convenient for criminals, it became one.

Today, TD Bank became the largest bank in U.S. history to plead guilty to Bank Secrecy Act program failures and the first U.S. bank to plead guilty to conspiracy to commit money laundering. This is also the largest-ever penalty under the Bank Secrecy Act and the first time the Justice Department has assessed a daily fine against a bank. As part of the plea agreement, TD Bank will fundamentally restructure its corporate compliance program at its U.S.-based bank, the 10th largest in the United States. The bank has also agreed to impose a three-year monitorship and a five-year term of probation. While the bank has started its remediation, it will continue to remediate and improve its anti-money laundering compliance program to ensure that it operates lawfully and safely.”

What They Said-Lisa Argentieri

Deputy Assistant Attorney General Nicole M. Argentieri said, “Over the course of a decade, TD Bank placed profits over compliance, prioritizing a “flat cost paradigm” that limited spending across the bank — including on the bank’s anti-money laundering (AML) compliance program, despite growing risks — even while profits soared. The bank knew it had pervasive and systemic deficiencies in its AML program, including a transaction monitoring system that remained stagnant over 10 years despite warnings from regulators, consultants, and even its employees. AML employees joked that the Bank’s failed AML system made TD an “easy target” and a “convenient” bank for bad actors. And they were right. TD’s failed AML compliance program created vulnerabilities that criminals — including TD’s employees — used to launder money through the Bank. All told, three large money laundering networks, two prosecuted by our partners in the District of New Jersey and the third prosecuted in the District of Puerto Rico, laundered over $670 million through TD.

Notably, the Bank did not self-disclose any regulator. Yet after the Bank was notified of the investigation into its conduct, “the Bank provided strong cooperation. For example, TD identified additional misconduct and provided evidence of that misconduct to the department. Some of that evidence helped advance our investigation of individuals, including video surveillance footage TD provided after reviewing hundreds of hours of videotape and materials recovered because TD secured the workplaces of employees involved in misconduct.”

Additionally, and becoming increasingly standard in such resolutions, the culpable entities are engaged in clawbacks. Argentieri noted that the Bank “took steps on its own to hold its employees financially accountable. The Bank clawed back bonuses, including for its CEO and other executives, resulting in a dollar-for-dollar reduction of the Bank’s fine of approximately $2 million.” Yet she emphasized that the Bank’s “resolution marks a first. This is the first time a company has committed to clawing back compensation prospectively. Over the next few months, TD will identify additional compensation it will claw back from its employees. And if the bank is successful during the term of its agreement with the department, the Criminal Division will credit those clawbacks against the fine.”

I will explore this matter in some depth over the next several blog posts. Tomorrow, I will consider how profits over compliance led to disaster.

Resources 

OCC

OCC Press Release

Consent Order 

Civil Money Penalty 

DOJ 

TD Bank US Holding Company Information

TD Bank N.A. Information

TD Bank US Holding Company Plea Agreement and Attachments

TD Bank N.A. Plea Agreement and Attachments

Merrick Garland Remarks

Nicole Argentieri Remarks

Categories
Daily Compliance News

Daily Compliance News: October 11, 2024 – The Breaking Up May Be Hard to Do Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • Google to try and delay, deflect breakup. (FT)
  • For Ecuador, President and VP barred entry into the US. (Reuters)
  • TD Bank to pay $3bn in penalties. (WSJ)
  • Qantas apologizes for showing R-rated film on flight. (NYT)

Categories
Blog

Deere’s FCPA Enforcement Action: Performing a Root Cause Analysis to Inform Remediation

We recently had a Foreign Corrupt Practices Act (FCPA) enforcement action that reminded me that everything old is new again in anti-corruption compliance. The Securities and Exchange Commission (SEC) FCPA enforcement action involving Deere and Company (Deere) has bribery schemes torn literally from the first decade of the 21st century as they involved gifts, travel, and entertainment. In other words, it was about a low set of hanging fruit that any compliance officer would see. Today, I want to take a multipart look at the case and see what lessons the enforcement action can provide to the 2024 compliance professional.

Compliance Professionals all know the pressure to act swiftly when misconduct is discovered. It is often tempting to jump straight into remediation to address the problem, protect the company, and appease regulators. However, the case of Deere’s recent FCPA enforcement action reminds us that acting without first understanding the root cause of the misconduct can lead to superficial fixes that fail to prevent future violations.

In the Deere enforcement action, the company faced significant penalties due to bribes paid by subsidiaries of Wirtgen Group, which Deere acquired in 2017. Between 2011 and 2017, Wirtgen subsidiaries engaged in corrupt practices, paying bribes to government officials in several countries, including China and India. While Deere eventually addressed the misconduct post-acquisition, its failure to perform robust due diligence and root cause analysis before remediation exposed it to regulatory and reputational damage.

This case highlights the critical need for companies to conduct a thorough root cause analysis before embarking on remediation efforts. In this blog post, we will detail why a root cause analysis should always precede remediation, what the process entails, and how it can protect your company from future enforcement actions and compliance failures.

Understanding the True Nature of the Problem

The first and most obvious reason to conduct a root cause analysis before remediation is to ensure you address the correct problem. In the Deere case, the misconduct stemmed from bribery by Wirtgen subsidiaries, but the real issue wasn’t just the bribery itself—it was the company’s failure to identify and prevent this behavior in the first place. Simply punishing the employees involved or updating internal policies would have been insufficient without understanding why these bribes were paid.

Before designing an effective remediation plan, you must understand why the misconduct occurred. Was it due to weak internal controls? A culture that tolerated unethical behavior? Inadequate training? A failure to perform due diligence on third parties? Each of these potential causes requires a different remediation strategy. If you do not identify the true cause of the problem, your remediation efforts will be superficial and may not prevent future violations. Root cause analysis allows compliance officers to uncover the underlying reasons for misconduct, enabling them to design targeted solutions that address the actual problem—not just the symptoms.

Root Cause Analysis Helps Identify Systemic Issues

One of the biggest risks when dealing with FCPA violations or corporate misconduct is that the issue may not be isolated to one event or individual. Corruption or compliance failures are often systemic, indicating deeper issues within the company’s culture, policies, or risk management framework. If Deere had conducted a more thorough root cause analysis post-acquisition, it could have uncovered broader issues in Wirtgen’s compliance program and taken proactive steps to address those weaknesses company-wide.

Root cause analysis forces you to ask tough questions about your company’s broader compliance infrastructure. Are certain business units, regions, or third-party relationships more misconduct-prone? Are there patterns of behavior that suggest systemic problems? You can implement more effective, company-wide remediation efforts by identifying these systemic issues beyond addressing a single incident.

Regulators Expect a Root Cause Analysis

Regulators, including the DOJ and the Securities and Exchange Commission (SEC), expect companies to conduct thorough root-cause analyses when investigating FCPA violations. The DOJ’s 2024 ECCP explicitly states that prosecutors will consider whether a company has adequately identified and remediated the root causes of misconduct when determining penalties. Additionally, this was specifically called out in the SAP Deferred Prosecution Agreement (DPA) earlier this year, where the DOJ stated, “5. Conducted a root cause analysis of the underlying conduct then remediating those root causes through enhancement of its compliance program;”.

In the Deere enforcement action, part of the company’s challenge was showing regulators that it had addressed the bribes themselves and the underlying reasons that allowed the misconduct to occur. Companies that skip the root cause analysis and rush into remediation without clearly understanding what went wrong will likely face harsher penalties.

Performing a root cause analysis is more than good practice; it has moved to a regulatory expectation. The more comprehensive your analysis, the more likely regulators (DOJ and SEC) are to view your remediation efforts as credible. A company that can demonstrate it understands the root cause of its compliance failures—and has taken meaningful steps to address those causes—is more likely to receive leniency during enforcement actions.

Preventing Recurrence: Moving Beyond Quick Fixes

One of the major pitfalls of jumping into remediation without a root cause analysis is the risk of implementing quick fixes that don’t address the root problem. For example, in the Deere case, if the company had updated its anti-corruption policy without addressing the broader cultural or systemic issues, it would have left the door open for future violations.

Root cause analysis ensures that your remediation efforts are comprehensive and designed to prevent future violations. Instead of focusing solely on policies or individuals, you’re addressing the broader systems and processes that allowed the misconduct to occur. This might involve rethinking your company’s approach to third-party due diligence, improving internal reporting mechanisms, or enhancing employee training programs to emphasize ethical behavior. A quick fix might resolve the immediate problem, but a comprehensive root cause analysis will prevent recurrence and protect your company long-term.

Improving Your Compliance Program Over Time

Root cause analysis is not a reactive tool; it is a mechanism to continuously improve your company’s compliance program. By regularly performing root cause analyses in response to compliance failures or near misses, you can identify trends, weaknesses, and gaps in your existing program. This allows you to make proactive adjustments and improvements, ensuring that your compliance program evolves to meet new risks and challenges.

Compliance is an ongoing process, and root cause analysis is key. By taking the time to understand why compliance failures happen, you can strengthen and improve your program over time. Don’t wait for a major enforcement action to identify weaknesses in your compliance program—use root cause analysis as a tool for continuous improvement.

Building a Culture of Accountability

Finally, one of the most important benefits of conducting a root cause analysis before remediation is that it fosters a culture of accountability. When employees see that the company is taking a thoughtful, thorough approach to addressing misconduct, they’re more likely to trust the compliance function and adhere to ethical standards.

In the Deere case, the company’s failure to identify and address the root causes of Wirtgen’s corrupt practices could have contributed to a culture where employees felt that bribery was tolerated or encouraged. By contrast, companies emphasizing accountability and transparency in their root cause analyses send a clear message: misconduct will be thoroughly investigated, and systemic issues will be addressed.

Building a strong culture of compliance starts with holding people—and processes—accountable. Root cause analysis helps you identify the individuals responsible for misconduct and the broader systems and structures that allowed it to happen. This accountability, in turn, strengthens your compliance culture and reinforces your company’s commitment to ethical behavior.

The Deere FCPA enforcement action powerfully reminds us of the importance of conducting a root cause analysis before proceeding with remediation. Companies need to understand why misconduct occurred before implementing superficial fixes. By taking the time to perform a thorough root cause analysis, compliance professionals can ensure that their remediation efforts are comprehensive, effective, and designed to prevent future violations.

Remember, root cause analysis isn’t just a best practice, as the DOJ has now noted several times in several places and through several different media; it is a regulatory expectation. It’s also a critical tool for improving your compliance program, building a culture of accountability, and protecting your company from future compliance failures. This means that before you rush to fix the problem, ensure you understand it first. Only then can you design a remediation plan that addresses the cause of misconduct and sets your company up for long-term success.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: DOJ Whistleblower Financial Incentive Program

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we consider the remarks by Principal Deputy Assistant Attorney General Nicole M. Argentieri on the DOJ Corporate Whistleblower Incentive Program and her review of its early results.

Categories
Compliance Into the Weeds

Compliance into the Weeds: The 2024 ECCP Update on Data Access

The award winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into the 2024 update to the Department of Justice’s guidelines for corporate compliance programs, focusing on data and data access.

Tom and Matt explore the significance of these updates and whether they stem from companies showing advancements in data analytics or the DOJ recognizing gaps in data access for compliance officers. The discussion highlights the challenges compliance officers face, especially with diverse ERP systems and data silos, and provides insights into how compliance officers can leverage these guidelines to advocate for better data access within their organizations. The episode also breaks down specific questions from the DOJ’s guidelines, offering practical advice on addressing obstacles to data, resources for data access, and data maintenance.

Key Highlights:

  • The Importance of Data Access in Compliance
  • Challenges in Data Access for Compliance Officers
  • DOJ’s Six Key Questions on Data Access
  • Addressing Data Access Impediments
  • Tools and Resources for Data Analytics
  • Communicating with the Board on Data Analytics

Resources:

Matt in Radical Compliance

Tom in the FCPA Compliance and Ethics Blog

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

2024 ECCP on Accessing Data

In the recently released 2024 Update to the Evaluation of Corporate Compliance Programs (2024 ECCP), the Department of Justice (DOJ) has brought new challenges and opportunities for compliance professionals. One of the most significant changes revolves around data access and the role data plays in an effective compliance program. In this blog post, we’ll explore the key takeaways from the updated guidance and what compliance professionals must do to meet these new expectations, especially when gaining and maintaining access to the right data. This is no longer just about best practices; it is now table stakes. Matt Kelly and I explored this question in this week’s Compliance into the Weeds edition.

Now More Than Ever

One of the most notable aspects of the DOJ’s 2024 update is its focus on data access for compliance professionals. The DOJ has made it clear that if you do not have sufficient access to data, you cannot adequately monitor compliance, detect issues, or remediate problems. Compliance officers are no longer given a pass when they say, “I didn’t have access to the data.”

How did we get here? Part of this shift can be attributed to companies that have demonstrated excellence in leveraging data to bolster their compliance programs. Through the heat of DOJ investigations, these businesses have proven that with the right data, compliance officers can detect misconduct more quickly and prevent violations altogether. At the same time, the DOJ recognizes that many companies still struggle to provide their compliance teams with the data they need to do their jobs effectively.

Data Access: From Best Practice to Table Stakes

In prior years, having a robust data analytics program for compliance was considered a gold standard. It was an aspirational goal that companies could work toward. However, as the DOJ has seen companies implement highly effective data programs, what was once a best practice is now table stakes. If your compliance program can’t access the right data in real-time or near-real-time, you’re not just behind the curve—you’re putting your organization at risk.

Compliance officers can now point to this updated guidance and tell senior management: “This isn’t optional anymore.” You need the resources, tools, and support to access and analyze data effectively. The DOJ’s guidance clarifies that if your company faces an investigation, the inability to access relevant data won’t just be an inconvenience; it will be seen as a compliance failure.

The Six Key Questions: A Roadmap for Data Access

The 2024 ECCP includes six specific questions related to data access, which serve as a roadmap for what compliance officers need to ask within their organizations. While a DOJ prosecutor may not ask all six in any given case, companies should be prepared to answer them all. We will break down how compliance professionals should approach each of these questions.

Does Compliance Have Sufficient Access to Data?

The first question asks whether compliance and control personnel have direct or indirect access to relevant data sources for timely and effective monitoring or testing. In other words, can the compliance team get the information they need when they need it?

This can be a major hurdle for many companies, especially those with complex IT ecosystems. If you’ve gone through multiple mergers and acquisitions, chances are you’re dealing with a variety of legacy systems that don’t “talk” to each other. Compliance officers might find themselves chasing down data from various silos across different business units, which can delay their ability to spot red flags.

What You Should Do

  • Map out your data sources. Know where all relevant data resides, from ERP systems to HR software and procurement platforms.
  • Identify bottlenecks. If your compliance team encounters roadblocks when accessing data, document those challenges and bring them to senior management.
  • Collaborate with IT. Ensure that IT systems are integrated and compliance has the tools to pull and analyze data without delay.

Are There Impediments to Accessing Data?

The second question focuses on barriers preventing compliance from accessing data. These barriers could be structural, such as outdated or incompatible systems, or they could be cultural, such as senior management not prioritizing compliance’s data needs.

What You Should Do

  • Address structural and cultural issues: If your company uses disparate systems, work with IT to create a data lake or central repository for key compliance data. Culturally, ensure that leadership understands the importance of compliance’s access to data and empowers the team accordingly.

Does Compliance Have the Tools to Analyze Data?

Once you can access the data, do you have the tools to analyze it effectively? This question goes beyond simply having access to the data—it’s about whether you have the analytics capabilities to make sense of it.

What You Should Do

  • Invest in the right tools. Data access means nothing if you can’t analyze the information. Invest in data analytics platforms, allowing your compliance team to automate risk assessments, flag potential issues, and generate real-time reports.
  • Train your team. Ensure that compliance personnel are trained on how to use these tools effectively. Analytics without insight is just noise.

Is Data Maintained Properly?

The fourth question concerns data maintenance. Is data stored securely, and is it accurate and reliable? The DOJ wants to ensure that companies don’t just pull data from disparate sources without validating its accuracy.

What You Should Do

  • Validate your data. Work with IT to ensure that data is accurate and up-to-date. Compliance teams need to know that the information they are using is reliable.
  • Establish data governance protocols. Set clear guidelines for data maintenance, including how data should be stored, accessed, and updated.

Is the Company Leveraging Data Analytics to Improve Compliance?

This question is at the heart of the DOJ’s updated guidance. It asks whether companies are using data analytics to create efficiencies in compliance operations and to measure the effectiveness of their compliance programs.

What You Should Do

  • Integrate data analytics into your compliance program. Use data to identify risk patterns, monitor employee behavior, and assess the effectiveness of your compliance efforts.
  • Review your analytics strategy regularly to ensure that you’re continually improving how you use data analytics to enhance your compliance program.
  1. How Precise is Your Data?

Finally, the DOJ asks about the precision of your data. This question goes beyond accuracy—it’s about whether you’re getting the right data at the right level of detail.

What You Should Do

  • Refine your data collection efforts. Ensure you collect precise, relevant data that aligns with your compliance needs. Broad, imprecise data won’t help you detect or prevent misconduct.

Communicating the Importance of Data Access to Senior Management

One of the most important takeaways from the 2024 ECCP update is that compliance officers now have a concrete basis to advocate for better data access. This is no longer about wish lists or best practices—it’s a regulatory expectation. Compliance officers must have honest conversations with senior management and the board about the company’s current data capabilities and where improvements are needed.

Companies often invest in technology when a problem arises, only to pull back once the issue is resolved. This cycle leaves compliance teams under-resourced and needing help to keep pace with evolving risks. The 2024 ECCP gives compliance officers the leverage to push for sustained investments in data access and analytics.

The DOJ’s 2024 update to the Evaluation of Corporate Compliance Programs underscores the critical importance of data access and analytics for modern compliance programs. It is no longer enough to have policies in place; compliance officers need the right data at the right time and the tools to analyze it effectively. The questions posed by the DOJ should serve as a guide for structuring your data access strategy and ensuring that your compliance program is up to the task.

By taking proactive steps to improve data access and analytics, compliance professionals can meet regulatory expectations and build stronger, more resilient programs that can detect and prevent misconduct before it escalates into a serious issue.

Categories
Daily Compliance News

Daily Compliance News: October 1, 2024 – The Not a Bribe in NYC Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • Eric Adams files for dismissal of bribery allegations. (Bloomberg)
  • Atlas Metric secures funding to simplify ESG reporting. (TechEU)
  • Creating business ethics in Guatamala. (Atlantic Council)
  • Hearing on Boeing/DOJ guilty plea set. (Reuters)