
Report from IMPACT 2023 – Andrew Weissmann – Compliance Rules from the DOJ Perspective

ECI’s IMPACT 2023 was one of the leading compliance events in 2023. At this conference, Tom Fox, the Voice of Compliance, was able to visit with several of the speakers, exhibitors, participants, and one ethically-minded Girl Scout troop. In this limited podcast series, Report from IMPACT 2023, Tom explores many of the most cutting-edge topics in ethics and compliance through short podcast episodes. Check out the full series of interviews. You will be enlightened, informed and come away with a fuller and more thorough understanding of the most cutting-edge topics in ethics and compliance. In this episode, Tom visits Andrew Weissmann, former head of the DOJ Fraud Section and current podcaster and author.

The Department of Justice has been working to ensure that companies understand the rules of the road and what is expected of them to comply with the law. Tom Fox and Andrew Weissmann discussed the evolution of compliance programs from the Department of Justice’s perspective, the dialogue between the Department of Justice and the compliance community, the FCPA Pilot Program, the ABB FCPA Enforcement Action, and the need to use different forms of media to ensure that people are consuming the right information. They highlighted the importance of self-disclosure, extraordinary cooperation, and extraordinary remediation to receive a stunning result from the Department of Justice. Furthermore, they discussed the need to educate people in a variety of ways, such as Twitter, podcasts, articles, and op-eds, to ensure that policies are read and consumed. This podcast episode provides an insightful look into the Department of Justice’s approach to compliance and the need for different forms of media to ensure that people are informed.

Highlights include 

·      Compliance Evolution

·      Compliance Education

·      FCPA Recidivism

Resources 

Andrew Weissmann

Prosecuting Donald Trump podcast

Connect with Tom Fox on Linkedin

ECI


One Month to a More Effective Board – 20 Questions Directors Should Ask about the Board Compliance Committee

In an area of inquiry entitled Oversight, the 2023 ECCP asks three basic questions which we have explored throughout this chapter:

1. What compliance expertise has been available on the Board of Directors?

2. Have the Board of Directors held executive or private sessions with the compliance function?

3. What types of information has the Board of Directors examined in their exercise of oversight in the area in which the misconduct occurred?

To facilitate the answers to these questions, consider this list of 20 questions to reflect the oversight role of directors. These are questions the Board should ask of both senior management and itself. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper as necessary. Although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization.

Part I: Understanding the Role and Value of the Compliance Committee

1. What are the Compliance Committee’s responsibilities and what value does it bring to the Board?

2. How can the Compliance Committee help the Board enhance its relationship with management?

3. What is the role of the Compliance Committee?

Part II: Building an Effective Compliance Committee

4. What skill sets does the Compliance Committee require?

5. Who should sit on the Compliance Committee?

6. Who should chair the Compliance Committee?

Part III: Directed to the Board

7. What is the Compliance Committee’s role in building an effective compliance program within the company? How can the Compliance Committee assess potential members and senior leaders of the company’s compliance program?

8. How long should directors serve on the Compliance Committee?

9. How can the Compliance Committee assist directors in retiring from the Board?

Part IV: Enhancing the Board’s Performance Effectiveness

10. How can the Compliance Committee assist in director development?

11. How can the Compliance Committee help the Board chair sharpen the Board’s overall performance focus?

12. What is the Compliance Committee’s role in Board evaluation and feedback?

13. What should the Compliance Committee do if a director is not performing or not interacting effectively with other directors?

14. Should the Compliance Committee have a role in chair succession?

15. How can the Compliance Committee help the Board keep its mandates, policies and practices up-to-date?

Part V: Merging Roles of the Compliance Committee

16. How can the Compliance Committee enhance the Board’s relationship with institutional shareholders and other stakeholders?

17. What is the Compliance Committee’s role in CCO succession?

18. How can the Compliance Committee foster great technical impact for the compliance function?

19. What role can the Compliance Committee play in preparing for a crisis, such as the discovery of a sign of a significant compliance violation?

20. How can the Compliance Committee help the Board in deciding CCO pay, bonus and resources made available to the corporate compliance function?

 Three key takeaways:

1. The DOJ Evaluation requires active Board of Director engagement around compliance.

2. Board communication on compliance is a two-way street; both inbound and outbound.

3. Has the Board built an effective Compliance Committee for itself?


2 Gurus Talk Compliance – Episode 8 – Florida Man

What happens when two top compliance commentators get together? They talk compliance of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode! In this episode, they discuss whether a compliance crisis is coming, a new compliance law in the UK, and why companies may be dialing down their public statements on ESG and DEI. They also delve into a survey on compliance concerns, the importance of preventing corruption in Ukraine, and the creation of a Department of Justice corporate crime database. With exciting stories like a bizarre crime tale and insight into the controversial Wall Street Journal article, this episode will keep you engaged and informed. Don’t miss out on this opportunity to improve your compliance.

Highlights Include

·      Corporate Compliance in a Time of Budget Cuts

·      Preparing for UK’s New Economic Crime Offense

·      Compliance and ESG in corporate culture

·      Managing Unwanted Change in Compliance

·      Legal issues of cryptocurrency exchange

·      Rebuilding Ukraine: Business Opportunities and Corruption

·      Stress-free Workplace Priorities

·      Corporate crime database

·      Florida Man strikes again 

Resources 

1.     Compliance Crisis Coming?

2.     2023 Global Compliance Risk Benchmarking Survey

3.     Managing Unwanted Change

4.     Ukraine and Corruption

5.     DOJ launches corp crime data base

6.    Florida Man Strikes Again (Honorary Darwin Award nominee as well)

7.    How Great Companies Give Their People What They Want

8.    DOJ Drop SBF FCPA Charges

9.    Companies Quiet Diversity Talk


Life With GDPR – Joe Sullivan Sentence

Tom Fox and Jonathan Armstrong, a renowned expert in cyber security, co-host the award-winning Life with GDPR. Matt Kelly and Jonathan Marks join Tom and Jonathan Armstrong on this episode, as they explore the case of former Uber CISO Joe Sullivan and the lessons compliance officers can learn from his lenient sentence. From growing trends of personal accountability to conflicts of interest, the hosts provide six tips for chief compliance officers to protect themselves, including rehearsing responses and seeking external advice when necessary. This eye-opening episode also delves into the challenges faced by compliance officers in situations like Etsy’s ransomware scheme and how they must be cautious with threat actors’ demands. Don’t miss out on this insightful episode that will leave you questioning whether Sullivan was unfairly punished and whether executives’ remuneration packages will receive greater scrutiny going forward. Tune in now to Life With GDPR.

 Key Takeaways:

·      The Joe Sullivan Uber Case and Lessons Learned

·      Individual Liability in Corporate Malpractice

·      Compensation and Conflicts of Interest

·      The Challenges of Compliance Officers in Wrongdoing Incidents

 Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.


One Month to a More Effective Compliance Program in Training and Communications – Measuring Compliance Training Effectiveness

Since at least 2017, the DOJ has emphasized the need to determine compliance training effectiveness. In the 2020 Update, it stated under the section entitled “Form/Content/Effectiveness of Training” the following questions: How has the company measured the effectiveness of the training? Have employees been tested on what they have learned? How has the company addressed employees who fail all or a portion of the testing? Has the company evaluated how much the training impacts employee behavior or operations?

The DOJ enshrined the importance of determining the effectiveness of your compliance program in its 2020 Evaluation. The 2020 Evaluation demonstrates that the DOJ wants to see evidence of the effectiveness of your compliance program. This is something that many CCOs and compliance professionals still need help to determine. The simple guidelines suggested herein, the more robust assessment, and the results provide you with a start toward fulfilling the precepts set out in the 2020 Evaluation, but you will eventually need to demonstrate the effectiveness of your compliance training.

Three key takeaways:

  1. You must demonstrate that you have measured the effectiveness of your compliance training.
  2. The DOJ is moving into requiring a demonstration of the effectiveness of compliance training.
  3. You should be moving towards a model of demonstrating compliance training ROI to validate the full operationalization of your compliance training.

Compliance into the Weeds: A Compliance Response on Messaging Apps

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, going into the weeds to explore a subject more fully. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds!

Join Tom Fox and Matt Kelly on “Compliance into the Weeds” as they delve into the recent SEC crackdown on messaging apps and improper employee use. The hosts explore the challenges of regulating messaging app use and provide solutions emphasizing the importance of corporate culture and risk management strategies. Hear from experts like the DOJ representative who spoke at Compliance Week 2023 and a defense contractor who offers tech solutions to monitor messaging apps on employees’ phones. With GDPR and FINRA regulations to consider, the podcast presents a comprehensive plan for compliance officers that focuses on effective controls, processes, and consequences for policy infractions. Don’t miss out on this informative podcast highlighting the importance of cultivating relationships with internal audit teams, IT teams, and other control departments to ensure proper compliance measures.

 Key Highlights: 

  • Risk management of employee messaging app usage
  • Tech solution for monitoring employees’ messaging
  • Corporate Culture Approach to Compliance in Financial Firms
  • Compliance Challenges in Monitoring Employee Communications
  • Building Relationships for Effective Compliance Management

 Notable Quotes:

“Assess your risks, put a risk management strategy in place, execute that strategy, train your employees, monitor the effectiveness, and remediate as appropriate.”

“And the tech company CEO said it is in his mind, People the policies, procedures, people and processes a more culture compliance strategy could work, but you would need to convince employees.”

“If they are also violating the policy, that’s bad. And that shows you have a corporate culture problem.”

“If it’s corporate culture, how is this any different than any difficult issue we’ve seen in compliance over the past 15 years?”

Resources

Blog Post in Radical Compliance


Philips FCPA Enforcement Action: Lessons Learned – Part 3

We conclude our exploration of the Koninklijke Philips N.V. (Philips) Foreign Corrupt Practices Act (FCPA) enforcement action involving the Securities and Exchange Commission (SEC), for Philips’ actions in China and its Chinese subsidiary, Philips China. As set out in the SEC Order, Philips was ordered to “pay disgorgement of $41,126,170, prejudgment interest of $6,047,633, and a civil monetary penalty of $15,000,000” for a total fine and penalty of $62 million. Yesterday we considered the bribery schemes employed by Philips China. After having reviewed the facts and Order, we look at some lessons learned.

Distributors Under the FCPA

This is the third recent FCPA enforcement action involving distributors, following Oracle and Microsoft. Along with those cases, Philips drives home the message that distributors are a risk under the FCPA. Oracle got into FCPA hot water regarding distributor discounts and marketing reimbursement. Microsoft came to OFAC grief as it did not know with whom its distributors were doing business, as some distributors were selling to sanctioned entities. While distributors may not seem to be as high a risk as commissioned sales agents, they do present a risk, which must be assessed and then managed with ongoing monitoring and improvements as appropriate. None of these steps were apparent from this FCPA enforcement action or found in the Order.

As noted yesterday, Philips in 2013 had agreed to “enhanced an anti-corruption training program that includes a certification process and a variety of training applications to ensure broad-based reach and effectiveness.” Whatever this training was, it does not seem to have reached China. Effective training is about communications, engagement and demonstrable implementation of the training messaging going forward. Once again, it does not seem that the communications about not engaging in bribery and corruption were taken into Philips China’s business operations.

Recidivist Behavior Under 2023 Corporate Enforcement Policy

As noted yesterday, in a May 10, 2023 Press Release, Philips announced that “The U.S. Department of Justice (DOJ) has closed its parallel inquiry into these matters” and the company intoned that it “fully cooperated with the SEC and DOJ.” Philips also reported that the FCPA matter had “previously been disclosed in Philips’ Annual Reports 2019 through 2022.”

There has been no statement by the Department of Justice (DOJ) regarding Philips. Further, there has been no declination regarding Philips publicly announced by the DOJ. Given the strong statement about recidivists by Deputy Attorney General Lisa Monaco in announcing the Monaco Doctrine last September and the need for speed referenced by Kenneth Polite in announcing changes to the Corporate Enforcement Policy in January 2023, one might have expected some statement from the DOJ.

If the DOJ really wants companies to step forward and self-disclose, it would seem that Philips would be a good example to use. Apparently there was no self-disclosure, no extraordinary cooperation and no compliance with the 2013 SEC Order concluding the first Philips FCPA enforcement action. In other words, all the requirements for a company to obtain the significant credit under the 2023 Updated Corporate Enforcement Policy were missing. If you add Philips’ prior FCPA enforcement action into the mix, it would certainly appear that Philips’ culture of compliance was lacking, at least along the lines of that aspect of the Monaco Doctrine.

Lessons Learned

With Philips filling out the trio of recent distributor enforcement actions, it is clear that companies need to start paying more attention to the distributor sales model as a source of risk. Of course, robust due diligence screening is a must, but it is only a starting point. Companies need to monitor the relationship after the contract is signed. The Philips FCPA enforcement action points toward the need for robust data analytics, particularly around special price discounts with distributors creating excessive distributor margins which could be used to fund improper payments to employees of state-owned enterprises or governmental officials. A data analysis would quickly and efficiently show any special discount or discount beyond the standard range given to distributors. Moreover, regional discounts could be taken into account easily using the data analytics approach.

Additionally, companies need to maintain adequate books, records, and accounts concerning special price discounts to demonstrate that the discounts were supported by adequate documentation of their business justification and management’s approval of them. This basic step also acts as a basic compliance internal control: it not only provides oversight of the proposed distributors and any discounts but also creates a documented audit trail if a regulator ever comes knocking.

At this point there is perhaps some head-scratching about the final resolution, if any, regarding Philips given the state of the record as laid out by the Order. However, it is clear there are significant lessons for the compliance professional from the Philips enforcement action around distributors. I hope that at some point there is greater clarity under the 2023 Corporate Enforcement Policy update.


Philips FCPA Enforcement Action: Violations, Remediation and Recidivism – Part 2

We continue our exploration of the Koninklijke Philips N.V. (Philips) Foreign Corrupt Practices Act (FCPA) enforcement action involving the Securities and Exchange Commission (SEC), for Philips’ actions in China and its Chinese subsidiary, Philips China. As set out in the SEC Order, Philips was ordered to “pay disgorgement of $41,126,170, prejudgment interest of $6,047,633, and a civil monetary penalty of $15,000,000” for a total fine and penalty of $62 million. Yesterday we considered the bribery schemes employed by Philips China. Today we consider the responses made by Philips which led to its internal investigation, Philips’ remediation and the prior FCPA enforcement action.

A. The FCPA Violations

In the SEC Order, Philips was not charged with the payment of bribes. Rather, Philips was charged with a failure of internal controls. Under the FCPA, companies which are issuers are required to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances” that:

  1. Transactions are executed in accordance with management’s general or specific authorization;
  2. Transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;
  3. Access to assets is permitted only in accordance with management’s general or specific authorization; and
  4. The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

Philips violated the FCPA by “failing to devise and maintain an adequate system of internal accounting controls regarding distributor transactions and the use of these third parties.” Additionally, “Philips’ internal accounting controls were not sufficient to provide reasonable assurances that transactions were executed in accordance with management’s general or specific authorization and that access to assets was permitted only in accordance with management’s general or specific authorization.”

B. Cooperation and Remediation

Interestingly, Philips did not self-disclose this issue. Nor did Philips appear to engage in any “extraordinary” cooperation. This cooperation was noted in the Order as “Philips undertook an internal investigation and regularly shared with Commission staff the facts developed in its inquiry, including facts previously unknown to the staff, and identified and voluntarily provided translations of key non-privileged documents.” I was particularly intrigued by the statement “facts previously unknown to the staff” which would seem to indicate there were some facts which were previously known to the SEC (and not by way of a self-disclosure).

Philips did engage in remediation efforts which were recognized by the SEC. These included:

  • Philips made structural improvements to its policies and procedures;
  • The company improved its tone at the top and the middle, with a focus on Philips China;
  • Philips increased accountability for enforcing compliance policies by its business leaders;
  • The company highlighted compliance as a key component of ethical business practices;
  • Philips terminated or disciplined Philips China employees involved in the conduct;
  • Philips terminated business relationships with distributors involved in the conduct;
  • The company also improved its internal accounting controls relating to distributors;
  • Philips improved its ability to monitor its subsidiaries’ bidding practices and their use of discounts and special pricing; and
  • Finally, Philips has revised its compliance training.

C. Prior FCPA Enforcement Action

In 2013 (the year before these actions began) Philips agreed to its first FCPA enforcement action, also involving the SEC (2013 Order). That matter related to the company’s action in Poland. According to the FCPA Blog, “from 1999 to 2007, in at least 30 bids, employees of Philips’ subsidiary in Poland ‘made improper payments to public officials of Polish healthcare facilities to increase the likelihood that public tenders for the sale of medical equipment would be awarded to Philips. The bribes and kickbacks were 3% to 8% of the contract amounts.” In that 2012 enforcement action, “Philips agreed to pay $4.5 million in the settlement, consisting of disgorgement of $3.1 million and prejudgment interest of $1.4 million.” Of course, Philips also agreed to “cease and desist from committing or causing any violations and any future violations of” the FCPA.

As for the remedial actions taken by Philips for the 2013 Order, it stated, “Philips also retained three law firms and two auditing firms to conduct the investigation and design remedial measures to address weaknesses in its internal controls. Included in changes to internal controls, Philips established strict due diligence procedures related to the retention of third parties, formalized and centralized its contract administration system and enhanced its contract review process, and established a broad-based verification process related to contract payments. In addition, Philips has made significant revisions to its Global Business Principles policies and continually revises the policies to keep them current and relevant. Philips also established and enhanced an anti-corruption training program that includes a certification process and a variety of training applications to ensure broad-based reach and effectiveness.”

Given that the Philips China bribery scheme started in 2014, does it sound like Philips took these obligations very seriously? I wonder just where those three law firms and two audit firms were looking when they conducted an investigation and designed “remedial measures to address weaknesses in its internal controls.” Finally, I am not sure where the company’s “certification process” went after the 2013 Order, but apparently not as far as China.

All this means that Philips is yet another FCPA recidivist. There was no statement in the 2023 Order that Philips self-disclosed the illegal conduct in China to the SEC. Nevertheless, Philips seemed to get the benefit of the doubt from the DOJ. In a May 10, 2023 Press Release, Philips announced that “The U.S. Department of Justice (DOJ) has closed its parallel inquiry into these matters” and the company intoned that it “fully cooperated with the SEC and DOJ.” Philips also reported that the FCPA matter had “previously been disclosed in Philips’ Annual Reports 2019 through 2022.”

There has been no statement by the Department of Justice (DOJ) regarding Philips. Further, there has been no declination regarding Philips publicly announced by the DOJ. Given the strong statement about recidivists by Deputy Attorney General Lisa Monaco in announcing the Monaco Doctrine last September and the need for speed referenced by Kenneth Polite in announcing changes to the Corporate Enforcement Policy in January 2023, one might have expected some statement from the DOJ.

Or perhaps not. Tomorrow, we conclude with some final thoughts.


Billy Jacobson – A Fireside Chat with Glenn Leon

In this episode of the Compliance Week 2023 Speaker Preview Podcasts series, Billy discusses some of his fireside chats at Compliance Week 2023 with Glenn Leon, head of the Fraud Section at the DOJ, “Confronting Corporate Crime.”

Join Billy as he visits with Glenn Leon for a discussion focused on the priorities for the fraud section and what compliance professionals can expect in the coming year. Hear the DOJ’s perspective on evaluating corporate compliance programs, including implementing the DOJ’s new white-collar policies, such as violations of FCPA, and investigating complex schemes involving health care, securities, and procurement fraud.

I hope you can join me at Compliance Week 2023. This year’s event will be May 15-17 at the JW Marriott in Washington, DC. The line-up of this year’s event is simply first-rate, with some of the top ethics and compliance practitioners around.

Gain insights and make connections at the industry’s premier cross-industry national compliance event offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 18th year, compliance, ethics, legal, and audit professionals will gather safely face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs. And many others to:

  • Network with your peers, including C-suite executives, legal professionals, HR leaders, and ethics and compliance visionaries.
  • Hear from 75+ respected cross-industry practitioners who are CEOs, CCOs, regulators, federal officials, and practitioners to help inform and shape the strategic direction of your enterprise risk management program.
  • Hear directly from the two SEC Commissioners, gain insights into the agency’s enforcement areas, and walk away with guidance on remaining compliant within emerging areas such as ESG disclosure, third-party risk management, cybersecurity, cryptocurrency, and more.
  • Bring actionable takeaways from your program from various session types, including ESG, Human Trafficking, Board obligations, and many others, for you to listen, learn and share.
  • Compliance Week aims to arm you with information, strategy, and tactics to transform your organization and career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. Listeners of this podcast will receive a discount of $200 by using code TF200 on the link here.


Compliance into the Weeds: BAT Sanctions Enforcement Action

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds!

Tom Fox and Matt Kelly dive into the recent enforcement action against British American Tobacco (BAT) for violating North Korean sanctions. After years of evading sanctions and funneling over $630 million, regulators have imposed the maximum penalty. Join the podcast to understand the scheme enacted by BAT and the consequences of their actions. They also discuss the need for clarity around who is responsible for ensuring compliance with OFAC and the Justice Department for the next 5 years. With potential penalties looming, the consequences senior management could face, and the extent of compliance commitments expected of BAT, this is a case you want to take advantage of. Listen to Tom and Matt make sense of this perplexing case and what it means for companies in countries like North Korea.

Key Highlights:

·      Sanctions enforcement on British American Tobacco

·      The North Korean Scheme of British American Tobacco

·      British American Tobacco’s Sanctions Compliance Penalty and Requirements

·      Legal implications of BAT’s North Korea joint venture

Notable Quotes:

“I almost think we should just name this series, ‘the hits just keep on coming’ as sanctions is the new FCPA.”

“This is a long-running, complicated scheme involving the highest levels of BAT knew this was going on to evade sanctions risks.”

“Short of Activision Blizzard, this case strikes me as 1 of the most egregious that we have seen in any form of trade control, export control, trade sanctions, FCPA, or other major corporate white collar.”

“They talk about how BAT and its subsidiaries knew full well that US sanctions said you can’t do business with North Korea; they were upset over how BAT publicly announced it.”

 Resources

Blog Post in Radical Compliance
