31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Four Key Internal Controls for Compliance

There are four significant controls that every compliance program should have in it. They are: 1) DOA; 2) maintenance of the vendor master file; 3) contracts with third parties; and 4) movement of cash/currency.

  1. Your DOA should reflect the impact of compliance risk, including both the type of transaction and the geographic location, so that a higher level of approval is required inside your company for matters involving third parties and for fund transfers and invoice payments to countries outside the U.S.
  2. Your vendor master file can be one of the most powerful preventative control tools largely because payments to fictitious vendors are one of the most common occupational frauds.
  3. Your contracts with third parties can be a very effective internal control which works to prevent nefarious conduct rather than simply as a detect control.
  4. Your controls over the disbursement of funds and movement of cash should cover such methods as accounts payable computer checks, manual checks, wire transfers, replenishment of petty cash, and loans or advances.

The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption.

Three key takeaways:

1. Remember the top four internal controls for an effective compliance program.

2. Effective internal controls should do more than protect; they should also prevent internal program violations.

3. Effective internal compliance controls are good financial controls.

31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Discipline and Rigor In Your Internal Controls

New York Times columnist David Brooks’ thoughts on building and maintaining order inform the discussion on rigor in your internal controls. In internal controls, I believe it is incumbent to consider not only the most obvious risk areas for your internal controls but also the universe of potential transactions within a company’s operations. There is a clear need for rigor in your internal controls protocols. Adherence to that rigor can increase operationalization around the internal controls a company should consider, including gifts, travel, and entertainment expenses. Brooks said, “Building and maintaining order … requires toughness of mind and rigid discipline to serve your own work properly.” By having the rigor to institute and enforce the types of internal controls identified, you can go a long way toward detecting and, more importantly, preventing an FCPA violation from occurring.

Some of the key areas of Internal Control focus should be:

  • The Delegation of Authority (DOA)
  • Petty cash disbursements
  • Travel
  • P-Cards
  • Employee expense reports
  • Corporate checks and wire transfers, such as check requests, purchase orders, or vendor invoices
  • Gifts and business entertainment

Three key takeaways:

1. You must maintain rigor around your internal controls.

2. Controls against fraud can also help to prevent corruption.

3. Building and maintaining good internal controls requires rigor.

31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – What Are Internal Controls?

What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but also the foundation of any effective anti-corruption compliance program. Internal controls expert Joe Howell has said that internal controls are systematic measures, such as reviews, checks and balances, methods, and procedures, instituted by an organization and performing several different functions. Howell also notes that for compliance purposes, controls are those measures designed specifically to provide reasonable assurance that no assets or resources of a company can be used to pay a bribe. This definition covers the diversion of company assets, such as through unauthorized sales discounts or receivables write-offs, as well as the distribution of assets.

Three key takeaways:

  1. Effective internal controls are required under the FCPA.
  2. Internal controls are a critical part of any best practices compliance program.
  3. There are multiple FCPA enforcement actions that demonstrate the enforcement spotlight on internal controls.
31 Days to More Effective Compliance Programs

Day 23 – Assessing Compliance Internal Controls

What happens when controls are continually overridden? Does that necessarily mean that companies are engaging in activities that violate the FCPA or some other law, such as Sarbanes-Oxley (SOX)? Cristina Revelo said she would start with questions like “How often would something be manually approved? How often are controls skipped, what is the level of approvals that you have, and what is your documentation? What are the reasons, and are you documenting how often a certain department requires those overrides?” While it could indicate a company lacks a culture of compliance or everything is an emergency, it might mean something else. It might mean that your internal controls must be evaluated and recalibrated. In the FCPA Resource Guide and the Update to the Evaluation of Corporate Compliance Programs, the Department of Justice calls this continuous monitoring leading to continuous improvement. Joe Oringel, a co-founder of Visual Risk IQ, calls it continuous controls monitoring.

However, many compliance professionals, particularly lawyers, think that once a control is in place, it is set in stone and there forever. This derives from the unfortunate fact that, once again, many compliance professionals and most lawyers do not understand internal controls. Yet internal controls, much like the rest of a compliance program, can and should be continually monitored and improved based on information such as the number of overrides. A high number of overrides can be evidence of a management problem or a culture of non-compliance at the organization, but it could also mean that the controls simply need to be adjusted.

Three key takeaways:

1. An internal control override is not necessarily bad if proper procedure is followed.

2. Internal controls are not set in stone.

3. The key is to have a process for monitoring the controls, taking input literally from each line of defense.

31 Days to More Effective Compliance Programs

Day 8 – Internal Controls and Compliance

What are internal controls? The best definition I have come across is from Jonathan Marks, who defined internal controls as:

Internal control is an action or process of interlocking activities designed to support the policies and procedures detailing the specific preventative, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes or objective(s). This, along with continuous auditing, continuous monitoring, and training, reasonably assures:

  • The achievement of the process objectives linked to the organization’s objectives;
  • Operational effectiveness and efficiency;
  • Reliable (complete and accurate) books and records (financial reporting);
  • Compliance with laws, regulations, and policies; and 
  • The reduction of the risk of fraud, waste, and abuse, which aids in the decline of process and policy variation, leading to more predictive outcomes.

The DOJ and SEC, in the 2020 FCPA Resource Guide, stated:

Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as a controlled environment that covers the tone set by the organization regarding integrity and ethics, risk assessments, and control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring. … The design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services, how the products or services get to market, the nature of its workforce; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.

This was supplemented in the 2020 Update with a pair of pointed questions: has the company made a significant investigation into its internal controls, and have those controls been tested and then remediated based on the results of that testing?

The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help detect fraud, which could lead to bribery and corruption. As an exercise, map your existing internal controls to the Ten Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where gaps may exist. This will help you to determine whether adequate compliance internal controls are present in your company. From there, you can move to see if they are working in practice.

Three key takeaways:

  1. Effective internal controls are required under the FCPA.
  2. Internal controls are a critical part of any best practices compliance program.
  3. There are four significant controls for the compliance practitioner to implement initially. (a) Delegation of authority (DOA); (b) Maintenance of the vendor master file; (c) Contracts with third parties; and (d) Movement of cash/currency.
Everything Compliance

Episode 108 – The ABB Edition

Welcome to Everything Compliance, the only roundtable podcast in compliance, which has been honored by W3 as a top talk show in podcasting, as we celebrate our second century of shows. In this episode, the quintet of Jay Rosen, Jonathan Armstrong, Karen Woody, Tom Fox and Matt Kelly takes on the ABB FCPA enforcement action. We conclude with our fan fav Shout Outs and Rants section.

1. Matt Kelly looks at the enforcement action from the CCO certification perspective. He has his first recidivist rant by ending the year with a rant about the person he started the year ranting about, Elon Musk. This time it was for the Thursday Night Massacre.

2. Karen Woody looks at the case from the perspective of internal control failures and overrides. She shouts out to Stephen “tWitch” Boss for his music and influence on popular culture.

3. Tom Fox discusses how the DOJ threaded a tight needle by rewarding ABB for its attempt to self-disclose, its extraordinary cooperation and its remediation, not requiring a monitor and giving a discount even though ABB is the first-ever three-peat offender under the FCPA. He shouts out to Christine McVie, singer and songwriter for Fleetwood Mac, who recently passed away.

4. Jonathan Armstrong considers the ABB enforcement action from the UK perspective and opines how a UK judge might consider the company’s recidivism differently than the DOJ did. He rants about ongoing tech scams.

5. Jay Rosen reviews the enforcement action from the perspective of how the bribes were funded. He shouts out to Mike Gabler, winner of Season 43 of Survivor who donated his $1MM winnings to help veterans.

The members of the Everything Compliance panel are:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com
  • Jonathan Marks – Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Blog

Danske Bank: Part 3 – Compliance Failures

We are exploring the Danske Bank A/S (Danske Bank) AML enforcement action, in which Danske Bank pled guilty this week and agreed to forfeit $2 billion to resolve the US investigation into its fraud on US banks. According to the Department of Justice (DOJ) press release, “Danske Bank defrauded U.S. banks regarding Danske Bank Estonia’s customers and anti-money laundering controls to facilitate access to the U.S. financial system for Danske Bank Estonia’s high-risk customers, who resided outside of Estonia – including in Russia.” Danske Bank also settled with the Securities and Exchange Commission (SEC), which said, in its press release, that the Bank misled investors about its anti-money laundering (AML) compliance program in its Estonian branch and failed to disclose the risks posed by the program’s significant deficiencies.

How did it start to go wrong?

Interestingly, and most significantly for compliance professionals, the trouble for Danske Bank started with an acquisition. According to the Plea Agreement, “Danske Bank acquired Finland-based Sampo Bank in 2007, including Sampo Bank’s large operation in Estonia. A significant part of Sampo Bank’s Estonia business was providing banking services to non-resident customers, that is, companies and individuals residing outside Estonia, including in Russia. DANSKE BANK knew this was a large part of Sampo Bank’s Estonian business model and continued this business after acquiring Sampo Bank. The non-resident portfolio (“NRP”) was, by far, Danske Bank Estonia’s most lucrative business line, generating, over the life of the branch, over 50% of Danske Bank Estonia’s profits. DANSKE BANK knew that many NRP customers conducted transactions in U.S. dollars, which required Danske Bank Estonia to use U.S. banks and bank accounts to process those transactions. By December 2013, DANSKE BANK knew that the NRP was high-risk because, among other reasons, its customers resided in high-risk jurisdictions, frequently used shell companies to shield the identity of their ultimate beneficial owner or the sender or recipient of transactions, and engaged in suspicious transactions through U.S. banks.”

In addition to a failure of due diligence in the pre-acquisition phase, Danske Bank did nothing post-acquisition to make sure the new Estonian branch complied with basic AML requirements. Danske Bank Estonia had an inadequate and ineffective compliance program that applied to all customers. As noted in the Plea Agreement, “Danske Bank Estonia, through its International Banking Group (“IBG”), attracted NRP customers by ensuring that they could transfer large amounts of money through Danske Bank Estonia with very little, if any, oversight or scrutiny. IBG employees conspired with their customers to shield the true nature of their transactions, including by assisting customers to conceal beneficial owners by establishing accounts for known shell companies and sometimes creating shell companies for customers in exchange for a “consulting fee.””

Actual Knowledge of Compliance Failures

Reading the settlement documents, it is clear that Danske Bank was making so much money laundering for its Russian clients that it did everything it could to avoid making any changes which would kill the golden goose. As early as 2007, Danske Bank was aware that a substantial portion of the Danske Estonian branch’s customers were non-residents of Estonia, the NRP accounts, and that many of the NRP customers were from Russia and other former Soviet-bloc countries. These NRP customers’ practices included well-known red flags for potential money laundering, for example, frequent use of offshore LLPs and nominee directors to obscure or conceal beneficial ownership information, use of unregulated intermediaries to carry out transactions on behalf of unknown clients, and ties to jurisdictions with enhanced money laundering risks. Yet both Danske Bank Estonia and the parent Danske Bank maintained that “all is well” (yes, cue the Animal House riot scene about now).

It was not as if Danske Bank was unaware of its Estonia branch shortcomings and failures. According to the SEC Complaint, “in 2007, the Danish Financial Supervisory Authority (“Danish FSA”) contacted Danske with concerns it had received from the Bank of Russia about NRP customers allegedly engaged in illicit transactions through Danske Estonia, including money laundering which was discussed by Danske’s Board of Directors in August 2007.” In light of the Danish FSA’s warnings, Danske conducted an internal audit of Danske Estonia’s transactions in 2007. That audit did not assess whether Danske Estonia complied with AML and Know-Your-Customer (KYC) procedures required under applicable laws and regulations, but the audit report provided to Danske management noted that Danske Estonia’s procedures in this area were “thin.” The 2007 audit recommended to Danske management that Danske undertake further investigation of Danske Estonia’s practices to ensure compliance with applicable law. Further, in March and April of the same year, the Estonian FSA had carried out an inspection at Danske Estonia and issued an inspection report on August 16, 2007, which found that the Estonian branch was not compliant with its legal obligations.

These compliance shortcomings were in four general areas. First, Danske Bank Estonia used foreign consultants and intermediaries to recruit customers and outsourced its legal obligations to conduct due diligence and obtain KYC information to third parties. Second, Danske Bank management knew that Danske Estonia was offering certain high-risk services and products associated with suspicious activity which Danske did not permit other branches to offer. Third, Danske Bank knew that Danske Estonia’s IT platform was incompatible with Danske’s own IT platform, and knew or was reckless in not knowing that Danske Estonia therefore could not conduct automated AML or KYC controls, such as automated customer screening and automated transaction monitoring. Fourth, Danske Bank Estonia’s AML and compliance control framework did not adequately mitigate the risks of the NRP portfolio, and Danske failed to provide effective supervisory oversight. Danske Estonia’s compliance and AML departments were structured differently than at other Danske branches and reported directly to Danske Estonia’s branch manager, with only dotted-line reporting to Danske’s compliance and AML departments. As a result, Danske Estonia’s compliance and AML functions were not effectively monitored or supervised by Danske.

Tomorrow, the Danske Bank response.

Daily Compliance News

December 1, 2022: the No Stinking Controls Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you four compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Stories we are following in today’s edition of Daily Compliance News:

  • DHS uses AI to track the drug chain’s supply chain compliance. (WSJ)
  • SBF: no controls at Alameda. (WSJ)
  • DOJ to focus on oligarchs’ service providers. (FT)
  • Reading of judgment in $2bn Mozambique corruption case. (Aljazeera)

Compliance Into the Weeds

From $34 Billion to $0 in One Week: FTX and Controls

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. In this episode, we consider the recent collapse of the cryptocurrency trading platform FTX. We look at it from a variety of angles. Highlights include:

  • Where does FTX rate in terms of catastrophic business failures?
  • What were the internal control failures?
  • How much fraud was involved?
  • FTX is domiciled outside the US. What does that mean for the review process?
  • Will this lead to regulation over crypto?

Resources

Matt Levine in Bloomberg on FTX’s balance sheet

Matt Kelly in Radical Compliance

FCPA Compliance Report

James Koukios on MoFo’s April 2022 Top 10 International Anti-Corruption Developments

In this episode, I visit with fan-fav James Koukios, partner at Morrison & Foerster, on the firm’s always great monthly Top 10 International Anti-Corruption Developments newsletter for April 2022.

Key areas we discuss on this podcast are:

  • The Stericycle FCPA enforcement action.
  • The Roger Ng conviction.
  • Limits of prosecution on FCPA accounting provisions?
  • A World Bank debarment.

Resources

James Koukios on MoFo.com

MoFo Top 10 International Anti-Corruption Developments for April 2022