Categories
Blog

Argentieri Speech and 2024 ECCP: Data Access and Data Analytics

Deputy Assistant Attorney General Nicole M. Argentieri’s speech highlighted a critical shift in the DOJ’s approach to evaluating corporate compliance programs. As outlined in the updated 2024 Evaluation of Corporate Compliance Programs (2024 ECCP), the emphasis on data access signals a new era where compliance professionals are expected to wield data with the same rigor and sophistication as their business counterparts.

In her remarks, Argentieri said, “Third, under the updated ECCP, our prosecutors will assess whether a compliance program has appropriate access to data, including to assess its effectiveness. We have added questions about whether compliance personnel have adequate access to relevant data sources and the assets, resources, and technology available to compliance and risk management personnel. As part of this assessment, we will also consider whether companies are putting the same resources and technology into gathering and leveraging data for compliance purposes they use in their business.”

Her remarks were paired with new language in the 2024 ECCP, which stated:

Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant data sources for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit or delay access to relevant data sources, and if so, what is the company doing to address the impediments? Do compliance personnel know of and have the means to access all relevant data sources reasonably timely? Is the company appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs? How is the company managing the quality of its data sources? How does the company measure the accuracy, precision, or recall of any data analytics models it uses?

Proportionate Resource Allocation – How do the assets, resources, and technology available to compliance and risk management compare to those available elsewhere in the company? Is there an imbalance between the technology and resources used by the company to identify and capture market opportunities and the technology and resources used to detect and mitigate risks?

The speech and the 2024 ECCP put new and additional requirements around a corporate compliance program in the areas of data and data analytics. But how exactly should compliance teams navigate these heightened expectations? Here’s what you must do to ensure your compliance program meets these new standards.

Evaluate Your Data Access to Ensure Unimpeded Access to Relevant Data

The first step in aligning with the DOJ’s expectations is to conduct a comprehensive audit of your current data access. Compliance professionals must ask:

  • Conduct a Data Access Audit. Identify all the critical data sources for monitoring and testing your compliance policies, controls, and transactions. This includes financial transactions, communications, third-party interactions, and other data relevant to your risk profile.
  • Identify and Eliminate Barriers. Once you have a map of your data landscape, scrutinize it for any impediments that may limit or delay access to critical data. These barriers could be technical, such as legacy systems that do not integrate well, or organizational, like departmental silos that restrict data flow. Develop a plan to remove these impediments, whether through technology upgrades, process improvements, or changes in data governance.
  • Educate and Empower Compliance Teams. It is not enough for data to be accessible; your compliance personnel must also have the knowledge and tools to access it effectively. Invest in training programs that enhance data literacy among your team members, ensuring they can navigate and leverage data to its full potential.

The DOJ will scrutinize whether your compliance team has the same data visibility as other business units. If you find gaps, now is the time to bridge them.

Assess Resource Allocation for Data Analytics

Argentieri’s remarks also underscore the importance of resourcing. It is more than having data; your corporate compliance function must have the tools and talent to analyze it effectively. The 2024 ECCP emphasizes the importance of using data analytics tools to create efficiencies in compliance operations and measure the effectiveness of compliance programs.

  • Technology Investment. Are you using advanced analytics tools? Leverage AI and machine learning to proactively identify patterns, anomalies, and potential compliance risks.
  • Invest specifically in Advanced Analytics Tools. Ensure that your compliance program is equipped with state-of-the-art data analytics tools. These tools should be capable of processing large volumes of data, identifying patterns, and flagging potential risks in real-time. Artificial intelligence (AI) and machine learning (ML) can be particularly useful in predictive analytics, helping you stay ahead of emerging risks.
  • Human Resources. Do you have data-savvy compliance professionals on your team? Consider upskilling current staff or hiring data analysts who understand the technical and regulatory landscapes.
  • Benchmark Resources Across the Organization. Start by comparing the assets, resources, and technology available to your compliance and risk management teams with those available in other departments, particularly those focused on capturing market opportunities. Look for any imbalances that could undermine the effectiveness of your compliance efforts.
  • Make a case for compliance. If compliance is underresourced, build a compelling business case for increased investment. Highlight the risks associated with inadequate compliance resources, including the potential for regulatory breaches, reputational damage, and financial losses. Use data to demonstrate how enhanced resources could improve compliance outcomes and protect the organization.

Implement Real-Time Monitoring

The DOJ’s focus on data access and analytics also means that real-time monitoring should be a cornerstone of your compliance strategy. Static, periodic reviews are no longer sufficient.

  • Continuous Data Feeds. Implement systems that provide compliance officers with ongoing, real-time data. This allows for immediate detection of potential issues.
  • Automated Alerts. Set up automated alerts for key risk indicators, such as unusual transaction patterns or policy violations. This ensures that your team can respond to potential breaches before they escalate.
  • Integrate Compliance into Business Strategy. To ensure ongoing support, integrate compliance more closely with business strategy. Show how robust compliance efforts contribute to long-term success, aligning compliance goals with the company’s objectives.

Leverage Data to Assess Compliance Program Effectiveness

The ultimate goal of data access and analytics is to measure and improve the effectiveness of your compliance program. The DOJ is looking for companies that can demonstrate how they use data to inform their compliance efforts.

  • KPIs and Metrics. Develop key performance indicators (KPIs) that track compliance program success. Metrics might include the number of detected compliance incidents, response times, or the effectiveness of training programs.
  • Data-Driven Adjustments. Use data insights to make real-time adjustments to your compliance strategy. If the data shows a particular area of concern, pivot quickly and address it with targeted interventions.
  • Measure the Effectiveness of Analytics Models. Develop metrics to evaluate the performance of your data analytics models. These could include detection rates, false positive/negative ratios, and the speed at which issues are identified and resolved. Review and refine these models to ensure they deliver accurate and actionable insights.

Ensure Transparency and Documentation

Finally, remember that the DOJ will be looking for transparency. Be prepared to demonstrate how you use data, make decisions, and allocate resources.

  • Document, Document, Document. Keep thorough records of your data access, analysis processes, and any adjustments based on data insights.
  • Audit Trails. Maintain clear audit trails that show how data influenced compliance decisions. This will be critical in demonstrating to the DOJ that your program is reactive and proactively leveraging data to prevent compliance failures.
  • Monitor Data Quality. High-quality data is the backbone of effective compliance. Regularly assess the quality of your data sources, checking for accuracy, precision, and recall. Implement data governance frameworks that ensure data integrity and reliability, ensuring your analytics models are based on the best available data.

Finally, under Part III of the 2024 ECCP, in the section entitled, Does the Corporation’s Compliance Program Work in Practice?, the DOJ said prosecutors would pose the following question, “Prosecutors should also assess how the company has leveraged its  data to gain insights into the effectiveness of its compliance program and otherwise sought to  promote an organizational culture that encourages ethical conduct and a commitment to  compliance with the law.”

Coupling that language from the 2024 ECCP with Nicole Argentieri’s speech, you see a clarion call for compliance professionals to elevate their programs through the availability and utilization of data and data analytics to meet the DOJ’s evolving expectations. The message is clear: data is not just a business asset but a compliance imperative. By ensuring unimpeded and robust data access, investing in analytics, implementing real-time monitoring, leveraging data to assess program effectiveness, and achieving resource parity for compliance, your compliance program will meet the DOJ’s standards and drive greater organizational integrity and resilience. In this new era of data-driven compliance, the key to success lies in strategic investment and proactive management.

The stakes have never been higher, but with the right approach, the rewards—reducing risk and increasing trust—are worth the effort.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Argentieri Speech and Updated ECCP – The First Analysis

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into the speech by Principal Deputy Assistant Attorney General Nicole M. Argentieri at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute.

Argentieri, revealed substantial updates to the department’s Evaluation guidelines for effective compliance programs, focusing on whistleblower protections and the effectiveness of reporting mechanisms. Matt, reporting live from Dallas, discussed the implications of these updates, especially regarding the DOJ’s increased scrutiny on companies speak-up cultures and the protection of whistleblowers.

Tom and Matt explored the practical steps compliance officers need to take to meet these new DOJ expectations, including ensuring anonymous reporting mechanisms are well-publicized and effectively utilized, fostering a culture that encourages reporting without fear of retaliation, and aligning company policies with the latest external whistleblower protection laws. They also touched on the potential challenges of balancing AI risks with these new guidelines and the broader impact on compliance programs.

Key Highlights:

  • Key focus on enhancing whistleblower protections.
  • Compliance officers must ensure that reporting mechanisms are well-publicized.
  • Importance of aligning internal policies with external whistleblower protection laws to ensure comprehensive employee training.
  • Balancing the challenges of AI risks with the need to adhere to new DOJ guidelines.
  • The practical steps for compliance professionals to align their programs with DOJ’s evolving expectations.

Resources:

Matt in Radical Compliance

Tom in the FCPA Compliance and Ethics Blog

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

Argentieri Speech and 2024 ECCP: Whistleblowers and Anti-Retaliation

Deputy Assistant Attorney General Nicole M. Argentieri’s speech highlighted a critical shift in the Department of Justice’s (DOJ) approach to evaluating corporate compliance programs. As outlined in the updated 2024 Evaluation of Corporate Compliance Programs (2024 ECCP), the emphasis on data access signals a new era where compliance professionals are expected to wield data with the same rigor and sophistication as their business counterparts.

In her remarks, Argentieri said, “Second, following the recent announcement of our whistleblower awards program, the ECCP now includes questions designed to evaluate whether companies encourage employees to speak up and report misconduct or employ practices that chill reporting. Our prosecutors will closely consider the company’s commitment to whistleblower protection and anti-retaliation by assessing policies and training, as well as the treatment of employees who report misconduct. We will evaluate whether companies ensure that individuals who suspect misconduct know how to report it and feel comfortable doing so by showing that there is no tolerance for retaliation.”

Her remarks were paired with new language in the 2024 ECCP, which stated:

Effectiveness of the Reporting Mechanism – Does the company have an anonymous reporting mechanism, and why not? How is the reporting mechanism publicized to the company’s employees and other third parties? Has it been used? Does the company test whether employees know the hotline and feel comfortable using it? Does the company encourage and incentivize reporting of potential misconduct or violation of company policy? Conversely, does the company use practices that tend to chill such reporting? How does the company assess employees’ willingness to report? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information? 

Commitment to Whistleblower Protection and Anti-Retaliation. Does the company have an anti-retaliation policy? Does the company train employees on internal and external anti-retaliation policies and whistleblower protection laws? To the extent that the company disciplines employees involved in misconduct, are employees who reported internally treated differently than others involved in misconduct who did not? Does the company train employees on internal reporting systems, external whistleblower programs, and regulatory regimes?

The speech and the 2024 ECCP impose new and additional requirements on a corporate compliance program in internal reporting, whistleblower protection, and anti-retaliation. But how exactly should compliance teams navigate these heightened expectations? Here’s what you must do to ensure your compliance program meets these new standards.

The DOJ has made it abundantly clear that companies must have effective, accessible, and well-publicized reporting mechanisms coupled with ironclad whistleblower protections. For compliance professionals, this mandate represents a critical component of a company’s overall compliance program that cannot be overlooked or underestimated. Here is what you need to do to implement these DOJ requirements effectively.

Establish and Maintain an Anonymous Reporting Mechanism

First and foremost, your company must have an anonymous reporting mechanism—commonly known as a hotline. If your company lacks this, it’s time to address this gap immediately.

  • Set Up a Hotline. Implement a reliable, user-friendly, anonymous reporting mechanism. This could be a dedicated phone line, an online portal, or both. The key is to ensure that employees and third parties can report misconduct without fear of exposure.
  • Publicize the Mechanism Effectively. Once in place, make sure everyone knows about it. Publicize the hotline through multiple channels—email announcements, posters in common areas, mentions in training sessions, and inclusion in employee handbooks. The goal is to ensure that no one in the organization can claim ignorance of its existence.
  • Test Awareness and Comfort Levels. Regularly survey employees to gauge their awareness of the hotline and their comfort in using it. This can be done through anonymous questionnaires or during training sessions. The DOJ expects companies to have a hotline that employees know and trust.

Encourage and Incentivize Reporting

A reporting mechanism is only as effective as the culture that surrounds it. Compliance professionals must work to foster an environment where reporting is encouraged and valued.

  • Positive Reinforcement. Encourage reporting by framing it as a positive, company-supportive action. Highlight success stories where reports led to meaningful change or helped the company avoid greater risks. Consider incentivizing reporting through recognition programs or other rewards that align with your company’s culture.
  • Avoid Chilling Practices. Be mindful of practices or policies that might discourage reporting. For example, employees will quickly learn to stay silent if your company has a history of disregarding reports or retaliating against reporters. Review your policies to ensure they don’t inadvertently dissuade reporting and correct any past practices that might have had this effect.
  • Leadership Commitment. The tone from the top is critical. Senior leaders must openly support and advocate for whistleblower protections. This includes publicly acknowledging the importance of reporting misconduct and demonstrating zero tolerance for retaliation. Leaders should actively participate in training sessions and speak about the value of transparency and accountability.
  • Anonymous Reporting Channels. While encouraging open dialogue is important, some employees may feel more comfortable reporting anonymously. Ensure that your organization has robust, confidential reporting channels in place. These might include hotlines, online portals, or third-party reporting services. Make sure these channels are well-publicized and easy to use.

Assess and Act on Internal Reports Thoroughly

The DOJ wants to know that companies take reports seriously. This means evaluating the seriousness of allegations promptly and thoroughly.

  • Rigorous Investigation Process. Ensure that all reports are promptly reviewed and assessed for seriousness. Develop a standardized process for triaging reports based on their nature and potential impact. This should involve clear guidelines for escalating significant issues to senior management or the board.
  • Full Access for Compliance. Your compliance function must have unrestricted access to all reporting and investigative information. This ensures that investigations are conducted independently and without interference and that the compliance team can assess trends, identify systemic issues, and recommend corrective actions.
  • 120 Days. Remember, the new Corporate Whistleblower Awards Pilot Program has a 120-day deadline from when a reporter speaks up in any manner internally. Companies must fully investigate and disclose to the DOJ within that timeline to be eligible for a Declination under the Corporate Enforcement Policy.

Reinforce Whistleblower Policies and Training

The foundation of any effective whistleblower program is a clear, robust policy communicated effectively across the organization.

  • Review and Update Whistleblower Policies. Start by revisiting your existing whistleblower policies. Ensure they clearly outline the process for reporting misconduct, the protections afforded to whistleblowers, and the consequences for retaliatory actions. Update your policies to reflect the latest regulatory guidance and industry best practices.
  • Comprehensive Training Programs. Policies are only effective if employees understand them. Develop and deliver training programs that educate employees on the importance of whistleblowing, the protections they are entitled to, and how to report concerns. This training should be mandatory, regularly updated, and tailored to different levels of the organization, ensuring everyone—from frontline employees to senior executives—understands their role in maintaining a speak-up culture.
  • Regular Communication. Keep whistleblowing at the forefront of your mind by regularly communicating the importance of speaking up. This can be through internal newsletters, town hall meetings, or dedicated campaigns reinforcing the company’s commitment to ethical conduct and employee protection.

Demonstrate Zero Tolerance for Retaliation

An effective compliance program must go beyond just having a hotline—it must actively protect those who use it. A key element of the DOJ’s evaluation will be how companies treat employees who report misconduct. It is critical to ensure there is no tolerance for retaliation.

  • Develop a Strong Anti-Retaliation Policy. Ensure your company has a comprehensive anti-retaliation policy that is clear, enforceable, and well-publicized. This policy should unequivocally state that retaliation against anyone who reports misconduct in good faith will not be tolerated.
  • Swift Action Against Retaliation. Establish clear, enforceable consequences for retaliatory behavior. If an employee experiences retaliation, act quickly to investigate the claim and, if necessary, take disciplinary action against those responsible. Publicize these actions (while maintaining confidentiality) to reinforce the message that retaliation will not be tolerated.
  • Training on Anti-Retaliation Laws. Train employees on your internal anti-retaliation policies and relevant external whistleblower protection laws. This training should be frequent and tailored to different levels of the organization, from entry-level employees to executives.
  • Monitor and Measure. Implement systems to track whistleblower reports and any subsequent actions. Regularly review this data to identify patterns or areas of concern, such as departments with higher rates of reported retaliation. Use this information to refine your policies and training, ensuring continuous improvement in your approach to whistleblower protection.

Build Trust Through Transparency

Trust is the cornerstone of any effective whistleblower program. Employees must know their concerns will be taken seriously and handled with integrity.

  • Transparency in Investigations. When a report is made, ensure the investigation process is transparent, thorough, and impartial. Keep the whistleblower informed (within the bounds of confidentiality) about the investigation’s progress and any resulting outcomes.
  • Fair Treatment of Whistleblowers. Scrutinize how whistleblowers are treated within your organization, especially if they are involved in the misconduct they reported. The DOJ will examine whether whistleblowers are treated fairly and without bias compared to others involved in the same incidents.
  • Celebrate Whistleblowers. Consider recognizing and celebrating employees who come forward with important information. While this can be a sensitive area, public acknowledgment (where appropriate) can reinforce the organization’s value of ethical behavior and speak up.

Evaluate and Improve Continuously

Finally, the DOJ will look for evidence that companies are committed to whistleblower protection and continuously improving their programs.

  • Regular Program Assessments. Conduct periodic assessments of your whistleblower program to ensure it remains effective and aligned with the latest regulatory expectations. This could involve employee surveys, focus groups, or third-party audits.
  • Act on Feedback. Use the insights gained from these assessments to make meaningful changes. Continuous improvement should be a core component of your whistleblower program, whether improving reporting channels, enhancing training, or refining policies.
  • Regular Training on Reporting Mechanisms. Incorporate training on internal reporting systems and external whistleblower programs into your regular compliance training. Employees should know how to report internally and to external regulators if necessary.
  • Assess Training Effectiveness. Regularly assess the effectiveness of this training through quizzes, feedback surveys, or audits. Ensure that employees understand the reporting systems and feel empowered to use them.

Nicole Argentieri emphasized the DOJ’s heightened focus on whistleblower protections within corporate compliance programs. This comes on the heels of the DOJ’s new whistleblower awards program and underscores the critical role of speak-up cultures in identifying and mitigating misconduct. For compliance professionals, this shift means more than just updating policies; it requires a fundamental reassessment of how your organization encourages, protects, and values whistleblowers. Here’s how you can align your compliance program with the DOJ’s expectations.

Her remarks make it clear that the DOJ is placing a renewed emphasis on whistleblower protections as a critical component of corporate compliance programs. For compliance professionals, this is both a challenge and an opportunity. By reinforcing your policies, fostering a culture of speaking up, demonstrating zero tolerance for retaliation, building trust, and committing to continuous improvement, you can meet the DOJ’s expectations and create a more ethical, transparent, and resilient organization.

The 2024 ECCP made it abundantly clear that companies must have robust, accessible reporting mechanisms and unwavering whistleblower protections. For compliance professionals, this means creating a culture that supports and actively encourages reporting. By setting up effective hotlines, fostering a positive reporting culture, ensuring thorough investigations, and protecting whistleblowers from retaliation, your compliance program will meet DOJ standards and contribute to a healthier, more ethical workplace. In today’s regulatory environment, the effectiveness of your reporting mechanism and commitment to whistleblower protection are no longer just best practices—they are imperatives.

Categories
Blog

Argentieri at ABA White Collar Conference: Compliance Programs, Part 2

There were recently two significant speeches by Department of Justice (DOJ) officials at the American Bar Association National Institute on White Collar Crime. The first was by Deputy Attorney General Lisa Monaco. The second was by Acting Assistant Attorney General Nicole Argentieri. They both had important remarks for the compliance professional. I have taken a deep dive into both speeches and what indicates compliance programs, compliance professionals, DOJ expectations, and Foreign Corrupt Practices Act (FCPA) enforcement going forward. We have previously considered the Monaco speech and began exploring the speech by Nicole Argentieri. Today, we conclude with remarks by Argentieri regarding how the DOJ will put these policies into practice and what they mean for compliance professionals and programs going forward.

Robust Compliance

The DOJ has either concluded or is in the middle of an FCPA industry sweep through oil and energy trading companies. In addition to Gunvor, there have been enforcement actions involving Vitol Trading, Glencore, and Freepoint. Argentieri noted that as a part of their resolutions with the DOJ, “each of these trading companies was required to make critical enhancements to their compliance programs to prevent future violations of the FCPA. Companies that take forward-leaning steps on compliance will be better positioned to certify that they have met their compliance obligations at the end of the term of their agreements, as is now required in corporate resolutions with the Criminal Division. These prosecutions also help set the tone for the energy trading industry as a whole — they show that a robust compliance function is critical.”

Corporate Culture

It all begins with corporate culture. The DOJ will assess the corporate culture and a company’s prior misconduct in determining the appropriate form of resolution and the financial penalty. This is where culture becomes critical, particularly for the recidivist, because, as Argentieri noted, “we will not hesitate to require substantial penalties — including, where appropriate, guilty pleas — for companies that show themselves to be repeat offenders.”

Coupling that statement with the superior resolution obtained by ABB and Albemarle shows that the DOJ is serious about corporate culture. The bottom line is that a company can move to a culture of compliance if senior management is committed to the effort. One need only consider the superior result obtained by the first three-time recidivist ABB. Culture is critical, and you must demonstrate that you have assessed and worked to improve your corporate culture.

Clawbacks and Holdbacks

One of the key initiatives brought forward under DAG Monaco’s tenure has been around incentives and consequences. However, under DAG Monaco’s tenure, incentives and consequence management were further refined in the 2023 Evaluation of Corporate Compliance Programs (2023 ECCP). It was also enshrined in the DOJ Compensation Incentives and Clawbacks Pilot Program (Pilot Program), which has two components: (1) incentivization of compliance and (2) disincentives through clawbacks and holdbacks.

Argentieri pointed to the SAP resolution as a key example of how clawbacks and holdbacks can benefit a company. She noted, “Even before its criminal resolution, SAP had adjusted its compensation incentives to align with compliance objectives and reduce corruption risk.” She said, “SAP also took advantage of the second part of the Pilot Program, which allows companies to reduce their fines when they withhold compensation from culpable employees.” The DOJ “reduced SAP’s criminal penalty by over $100,000 for compensation that the company withheld from certain employees.”

However, the pilot program requires a real effort from the company regarding clawbacks and holdbacks. SAP “went to great lengths to defend this corporate decision, including through litigation.’ Argentieri believes that “These actions sent a clear message to other SAP employees—and employees of companies everywhere—that misconduct will have individual financial consequences. This is another example of the company’s remediation that supported our decision to award a 40% fine reduction.”

Before SAP, Albemarle was “the first company to receive a fine reduction under the Pilot Program in an FCPA resolution last year.” While Gunvor did not engage in clawbacks or holdbacks, Argentieri applauded their efforts in incentivizing compensation, relating that “Gunvor had already updated and evaluated its compensation policy better to incentivize compliance with the law and corporate policies.”

Argentieri concluded this section by stating, “All of these policies should send a simple, but strong, message: being a good corporate citizen is not just the right thing to do. It is good business. Those who step up will be able to unlock the benefits afforded by our policies. And those who do not will face stiff punishments. And for companies making the tough decision of whether to disclose, take note — we now have more ways than ever to discover misconduct.”

The Bottom Line

DAG Monaco’s speeches and Nicole Argentieri’s provided significant information for the compliance professional. Both are the DOJ expectations for a best practices compliance program and what a company needs to do if they find themselves under an FCPA investigation. DAG Monaco made four key points: (1) the DOJ will invest the most significant resources in the most serious cases, hold individuals accountable, and pursue tough penalties for repeat offenders absent a significant culture shift and remediation. (2) The Voluntary Self-Disclosure Program is a key component of enforcement and incentives. (3) The DOJ whistleblower bounty program should lead to new referrals to the DOJ. (4) Compliance professionals should be ready to address new, disruptive technologies, such as the rise of AI, through their corporate enforcement programs.

Argentieri emphasized details in compliance programs. It all starts with corporate culture, but companies must strive towards robust compliance programs, including effective internal controls, incentives for employees to work ethically and in compliance, and significant consequences for failure to do so: vigorous internal reporting, triage, and investigative protocols. Compliance professionals and compliance programs have never been more important for companies.

Categories
Blog

Argentieri at ABA White Collar Conference: Corporate Enforcement, Part 1

There were recently two significant speeches by Department of Justice (DOJ) officials at the American Bar Association National Institute on White Collar Crime. The first was by Deputy Attorney General Lisa Monaco. The second was by Acting Assistant Attorney General Nicole Argentieri. They both had important remarks for the compliance professional. Over the next several blog posts, I will review both speeches and what they might indicate for compliance and Foreign Corrupt Practices Act enforcement going forward. Yesterday, I considered the Monaco speech. Today is the speech by Nicole Argentieri.

After reviewing some of the more significant individual prosecutions, Argentieri turned to corporate enforcement, noting, “Corporate accountability is the other side of our white-collar work because companies are the first line of defense against misconduct.” She emphasized the need for “a strong compliance program that is key to preventing corporate crime before it occurs and addressing misconduct when it does occur.” The DOJ’s Corporate Enforcement Policy also encourages “companies to invest in strong compliance functions and to step up and own up when misconduct occurs.” She cited one company that did not have a robust compliance program (or a culture of compliance), Binance, which explicitly communicated its “priorities, telling employees that, when it came to compliance, it was “better to ask for forgiveness than permission.”

In the Foreign Corrupt Practices Act enforcement arena, Argentieri pointed to four cases the DOJ prosecuted over the past 18 months. The companies all entered into corporate resolutions for FCPA violations. This group included Vitol, Glencore, Freepoint, and, most recently, Gunvor. Additionally, the DOJ prosecuted multiple individuals in connection with these cases. She even detailed the multiple bribery schemes involved: “Bribe payments funneled into the pockets of foreign officials through corrupt third-party agents using sham contracts and fake invoices.”

In each organization, there was a decided lack of a culture of compliance. Additionally,  employees exploited gaps in their companies’ internal controls and compliance programs. Personal cell phones and personal email accounts were used, which the organizations seemingly had no access to during the corruption and after the internal investigations. To make payments, internal controls were overridden or ignored to make off-the-books systems not subject to the organization’s standard checks and controls.

Because of the internal control and compliance failures that led to or contributed to the FCPA violations, each of these entities was required to make critical enhancements to their compliance programs to prevent future violations of the FCPA. Argentieri said, “Companies that take forward-leaning steps on compliance will be better-positioned to certify that they have met their compliance obligations at the end of the term of their agreements, as is now required in corporate resolutions with the Criminal Division.”

However, the DOJ’s work done after a settlement with a company is equally important. She clarified that the DOJ will monitor companies after resolution as they make, monitor, and attest to their compliance program and internal controls enhancements. She reported that “twenty-four companies have a market capitalization of more than $1 billion, and 22 are public companies. Over the past decade, hundreds of other companies across a wide range of industries have similarly been subject to compliance obligations in cases brought by the Criminal Division.” This ongoing oversight is not an independent monitorship but to ensure compliance with the resolution documents and to “have a real impact on corporate culture and compliance.”

The DOJ wants good corporate citizens and incentivizes companies to do so in various ways. Beyond enforcement actions are the Evaluation of Corporate Compliance Program (ECCP), the Corporate Enforcement Policy (CEP), the Voluntary Self-Disclosure Program (VSP), and the Compensation Incentives and Clawbacks Pilot Program. Argentieri reported that self-disclosures have increased over the past three years: “In 2023, we received nearly twice as many disclosures as in 2021. We expect this trend to continue as more companies take advantage of the benefits of voluntary self-disclosure and the CEP more generally.”

Argentieri believes that the DOJ has articulated policies that apply transparent criteria for both prosecutors to use and as “guideposts for companies and their counsel to consider when deciding what to do when faced with the prospect of a government investigation. It is a goal of the DOJ “to demonstrate the benefits that await those who voluntarily disclose misconduct.” She concluded this section by stating, “It’s one thing to issue and update policies. It’s another way to change corporate behavior. That is why we track the number of disclosures from companies. I’m proud to announce that early indications are that our policies are bearing fruit.”

Join us tomorrow as we examine how the ECCP, VSD, CEP, and Clawbacks Program have been reflected in recent enforcement actions.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Data Analytics: Day 7 – From Cutting Edge to Table Stakes

Compliance programs play a crucial role in ensuring that companies adhere to legal and ethical standards. In today’s digital age, where data is abundant and easily accessible, the importance of data-driven compliance programs cannot be overstated. This message was driven home very forcefully in a speech in November by Nicole Argentieri, acting assistant attorney general for the Criminal Division.

Anselmo Guevara, manager at VMware, has emphasized the need for companies to have a compliance program that provides visibility into their data at their fingertips. It is no longer sufficient to simply collect data and have someone review and reconcile it. Compliance professionals must actively analyze the data for trends, anomalies, and potential compliance risks. This proactive approach allows companies to identify and address compliance issues before they escalate.

Data-driven compliance programs have moved from cutting-edge and are now seen as best practices. Soon they will simply be table stakes for companies to effectively manage compliance risks. By actively monitoring and analyzing data, companies can identify potential compliance issues, mitigate risks, and maintain their reputation and integrity. Collaboration between different departments and a formal risk assessment are key factors in establishing a robust compliance program. As technology continues to advance, the role of data analytics and AI in compliance monitoring is expected to become even more significant. Compliance professionals must stay informed, continuously learn, and adapt to the evolving landscape of data-driven compliance.

 Three key takeaways:

1. Nicole Argentieri, acting assistant attorney general for the Criminal Division, said,  “Let me be the first to tell you that we have proactively used data to generate FCPA cases, and we’ve only just gotten started.”

2. . Compliance professionals must actively analyze the data for trends, anomalies, and potential compliance risks.

3. Data-driven compliance programs have moved from cutting-edge and are now seen as best practices. Soon they will simply be table stakes for companies to effectively manage compliance risks.

Categories
Blog

Argentieri on the Use of Data Analytics

Last week, Nicole Argentieri, acting assistant attorney general for the Criminal Division, speaking at the ACI National FCPA reported that the Department of Justice (DOJ) is stepping up its own use of data analytics to identify instances of corporate misconduct, and will boost its cooperation with overseas law enforcement to bring more anti-corruption cases as well. The DOJ and the Securities and Exchange Commission (SEC) are increasingly focusing on data analytics for corporate compliance, signaling higher expectations for larger companies. Both agencies have successfully utilized data analytics in various areas, such as securities and healthcare fraud, and are actively improving their own capabilities in this field.

The DOJ has been using data analytics to uncover cases of corporate misconduct, including violations of the Foreign Corrupt Practices Act (FCPA). Acting Assistant Attorney General Nicole Argentieri, highlighted the department’s efforts to improve its data analytics game and its use of analytics to find cases of corporate misconduct. She stated, “I’d like to now turn to our use of data. In the Criminal Division, we too are going above and beyond in our effort to combat white collar crime. We are not just waiting for companies to self-report, or witnesses to come forward, or for anomalies to reveal themselves on a one-off basis. Let me be the first to tell you that we have proactively used data to generate FCPA cases, and we’ve only just gotten started.” While the DOJ has successfully prosecuted individuals for FCPA violations using data analytics, there is yet to be a high-profile corporate FCPA violation case that has arisen from the department’s own data analytics.

On the other hand, the SEC has a dedicated data analytics team called the EPS team, which has uncovered cases of accounting fraud and insider trading. The SEC’s data-rich environment and lower burden of proof on the civil side have allowed them to successfully prosecute cases using data analytics. This demonstrates that regulators can effectively utilize data analytics to identify corporate misconduct.

The increasing focus on data analytics by the DOJ and SEC has implications for companies. The better a company is at data analytics, the more pressure it may face for voluntary self-disclosure of misconduct. Good data analytics can bring risks or incidents of misconduct to light, and once they are discovered, companies cannot ignore them. The 2023 Evaluation Of Corporate Compliance Programs (2023 ECCP) instructs prosecutors to inquire about a company’s use of data analytics in identifying misconduct. This puts pressure on companies to proactively address and disclose any misconduct they uncover through data analytics.

This also means that data analytics in the compliance function has moved from cutting edge to best practice. It soon may mean simply table stakes for compliance. In the 2020 ECCP, the DOJ mandated the compliance function have access to all corporate data and be able to break through data siloes in their organizations. Any company which does not have a data analytics capability may be in for a long road to hoe if the DOJ or SEC comes knocking.

However, not all companies have sophisticated data analytics programs in place. The DOJ recognizes that smaller firms may not have the same level of resources and expects a certain level of sophistication tailored to a company’s size. Larger companies, especially Fortune 500 companies, are expected to have more sophisticated data analytics capabilities, including business intelligence units and advanced technology. The expectations for more sophisticated analytics are higher for these companies.

The Bank of America CFPB enforcement action case serves as a reminder of the importance of data analytics in corporate compliance. Bank of America had the necessary data and tools to build an analytics program, but they failed to effectively utilize it, leading to compliance issues. This case highlights the need for companies to not only have data analytics capabilities but also to ensure they are properly implemented and maintained. (Matt Kelly took a deep dive into the BoA enforcement action in this week’s edition of Compliance into the Weeds.)

While data analytics can be a powerful tool for corporate compliance, there are challenges associated with its use. Companies must navigate the tradeoffs involved in balancing different factors, such as the level of sophistication required, resource allocation, and the potential risks of self-disclosure. Additionally, companies must consider the potential criticism they may face if they fail to effectively utilize their analytics tools in the event of a major compliance violation.

Argentieri’s speech highlighted the DOJ’s (and SEC’s) increasing focus on data analytics for corporate compliance highlights the importance of this tool in identifying and addressing corporate misconduct. Companies, especially larger ones, are expected to enhance their data analytics capabilities and may face increased pressure for voluntary self-disclosure. However, companies must also navigate the challenges and tradeoffs associated with data analytics to ensure effective compliance and mitigate risks.