
Daily Compliance News: March 7, 2024 – The Forced Labor Slow Porsche Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • Forced labor and Porsches. (WSJ)
  • Bribery acquittal in London. (FT)
  • The SEC approves weakened climate reporting rules. (NYT)
  • The Hotel California criminal trial was dismissed. (Bloomberg)

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.


The Woody Report: Shadow Insider Trading, The Panuwat Case

Welcome to The Woody Report, where Washington & Lee School of Law Associate Professor Karen Woody and host Tom Fox discuss issues of white collar crime, compliance, international corruption, securities and accounting fraud, and internal corporate investigations. From current events to topical issues to academic research and thought leadership, Karen Woody helps lead the discussion of these issues on this new and exciting podcast. In this episode, Tom and Karen explore the upcoming trial of Matthew Panuwat over claims of shadow insider trading.

The shadow insider trading case involving Matthew Panuwat is a groundbreaking trial that could redefine the boundaries of insider trading. The Securities and Exchange Commission (SEC) is prosecuting Panuwat for allegedly making around $107,000 by trading in Incyte, a company similar to his own employer, Medivation, based on non-public information about Medivation. This case emphasizes the importance of maintaining confidentiality and integrity in the workplace and could reshape insider trading liability by addressing shadow trading and its implications for securities laws.

Tom views this case as a significant and novel one brought by the SEC, highlighting the concept of shadow trading, where companies are economically linked in such a way that trading on one company’s information can be considered insider trading in another. On the other hand, Karen Woody aligns with the SEC’s argument that Panuwat’s actions were not right, emphasizing the importance of following insider trading laws and regulations. Check out this most fascinating case.

Key Highlights:

  • Insightful Shadow Trading in Panuwat Trial
  • Redefining Insider Trading through Shadow Trading Practices
  • Expanding Industry-Wide Prohibition on Insider Trading

Resources:

Karen Woody on LinkedIn

Karen Woody at Washington & Lee School of Law




Ten Top Lessons from Recent FCPA Settlements – Lesson No. 2, The Need for Speed

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point to a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 2, the Need for Speed. The DOJ expects a company to share information with regulators as quickly as it finds those facts without necessarily knowing how such admissions might affect its overall case and settlement chances.

In a 2023 speech, Assistant Attorney General Kenneth Polite announced the change I called ‘The Need for Speed.’ Polite characterized the change as going from ‘full’ cooperation to ‘extraordinary’ cooperation. He noted the DOJ has differences between corporations and individuals in both investigations and enforcement, but “concerning how we consider cooperation, the lens and framework through which we analyze the level and degree of cooperation aren’t so different.”

Polite named three concepts, “immediacy, consistency, degree, and impact—that apply to cooperation by both individuals and corporations, which will help to inform our approach to assessing what is ‘extraordinary.’” He went on to note that “In assessing the quality of a cooperator’s assistance, we value: when an individual begins to cooperate immediately, and consistently tells the truth; individuals who allow us to obtain evidence we otherwise couldn’t get, like quickly obtaining and imaging their electronic devices or having recorded conversations; cooperation that produces results, like testifying at a trial or providing information that leads to additional convictions.” He emphasized that there are “examples in the individual context.”

Then came the puzzling part. Polite stated, “We know ‘extraordinary cooperation’ when we see it, and the differences between ‘full’ and ‘extraordinary’ cooperation are perhaps more in degree than kind. To receive credit for extraordinary cooperation, companies must go above and beyond the criteria for full cooperation set in our policies—not just run of the mill, or even gold-standard cooperation, but truly extraordinary.” He stated, “At the same time, the government will not affirmatively direct a company’s internal investigation if it chooses to do one, and companies are often well positioned to know the steps they can take to best cooperate in a particular given case.” He concluded, “And, of course, the facts and circumstances of each case will be unique.”

Perhaps Polite is simply channeling his inner Potter Stewart with his line, ‘We know it…when we see it’. Of course, if two or more people look at the same set of facts, there is always the chance for two or more interpretations. The question then becomes how to define extraordinary cooperation.

It also ties directly into what Deputy Attorney General Lisa Monaco said in announcing the Monaco Doctrine when she stated, “Department prosecutors must gain access to all relevant, non-privileged facts about individual misconduct swiftly and without delay.” [emphasis supplied] This meant, “to receive full cooperation credit, corporations must produce on a timely basis all relevant, non-privileged facts and evidence about individual misconduct such that prosecutors have the opportunity to effectively investigate and seek criminal charges against culpable individuals.” If a company fails to meet this burden, it will “place in jeopardy their eligibility for cooperation credit.” The DOJ goes the next step by placing the burden on companies to demonstrate timeliness, stating they “bear the burden of ensuring that documents are produced promptly to prosecutors.”

In the ABB enforcement action, ABB received credit for extraordinary cooperation based on the following: “(i) promptly providing information obtained through its internal investigation, which allowed the Offices to preserve and obtain evidence as part of their independent investigation; (ii) making regular and detailed factual presentations to the Offices; (iii) voluntarily making foreign-based employees available for interviews in the United States; (iv) producing relevant documents located outside the United States to the Offices in ways that did not implicate foreign data privacy laws; and (v) collecting, analyzing, and organizing voluminous evidence and information that it provided to the Offices, including the translation of certain foreign language documents.”

Some additional insight is found in the SEC Order, which states, “ABB’s cooperation included real-time sharing of facts learned during its internal investigation.” This meant “ABB was sharing information with regulators as quickly as it found those facts, without necessarily knowing how such admissions might affect its overall case and settlement chances.” [emphasis supplied]

Since the SAP enforcement action, extraordinary cooperation has become more difficult to ascertain. While there was no mention of the super-duper, extra-credit-giving extensive remediation that Kenneth Polite discussed, once SAP began to cooperate, it did so extensively. The DPA noted SAP “immediately began to cooperate after South African investigative reports made public allegations of South Africa-related misconduct in 2017 and providing regular, prompt, and detailed updates to the Fraud Section and the Office regarding factual information obtained through its internal investigation, which allowed the government to preserve and obtain evidence as part of its independent investigation…” Most interestingly, the DPA reported that SAP imaged “the phones of relevant custodians at the beginning of the company’s internal investigation, thus preserving relevant and highly probative business communications sent on mobile messaging applications.” This is explicit instruction around messaging apps in FCPA enforcement actions.

Albemarle was credited with significant cooperation by the DOJ during the pendency of its investigation. The NPA noted that the company also received credit for its substantial cooperation and extensive and timely remediation. However, there was only a standard list of items relating to this cooperation and nothing on extraordinary collaboration.

We are back where we started; there is a need for speed. However, the only functional definition we have for it comes from the SEC and not the DOJ. As laid out in the SEC Order for ABB, it is a real-time sharing of facts.


10 For 10: Top Compliance Stories For The Week Ending February 24, 2024

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  1. Alexei Navalny was killed in prison. (Bloomberg)
  2. Ohio residents paid the price for FirstEnergy corruption. (Ohio Capital Journal)
  3. More child labor in the US. (NYT)
  4. A former head of the Bank of China was arrested for corruption. (NikkeiAsia)
  5. The Shadow Insider Trading case goes to trial. (WSJ)
  6. Former Stericycle executive to plead guilty. (WSJ)
  7. Morgan Stanley is accused of using fake job titles. (FT)
  8. The Wells Fargo Consent Order was terminated. (WaPo)
  9. Deliberations begin in the NRA corruption trial. (The Guardian)
  10. If you can’t answer the question, don’t sit for an interview. (BBC)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day here.



Everything Compliance – Episode 129, The Tribute to Navalny Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quintet of Jonathan Armstrong, Jonathan Marks, Matt Kelly, Karen Woody, and Jay Rosen, all hosted by Tom Fox.

  1. Jonathan Armstrong talks about the most recent speech by the new SFO director. He rants about Julian Assange’s inane claims to be a journalist.
  2. Matt Kelly discusses the regulation of AI and looks at the new DFS regs around it. He shouts out to Alexei Navalny, who was murdered for his fight against corruption in Russia.
  3. Karen Woody takes a deep dive into the Panuwat trial and the concept of shadow insider trading. She rants about the senseless gun culture in America.
  4. Jonathan Marks discusses the state criminal charges in the FirstEnergy corruption scandal but then evolves into an epic rant, which he continues in Shout Outs and Rants about failures in corporate governance, internal controls, and gun violence in America. He really outdid himself this week.
  5. Jay Rosen looks at the dearth of DOJ-mandated monitorships and proposes a new concept, the self-monitorship. He shouts out the movie Love on the Spectrum and the Bill Bradley interview.
  6. Tom Fox shouts out to Ben Affleck for his DunKing Super Bowl commercial.

The members of the Everything Compliance panel are:

Jay Rosen: Jay can be reached at Jay.r.rosen@gmail.com

Karen Woody is one of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

Matt Kelly, founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

Jonathan Armstrong is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com

Jonathan Marks can be reached at jtmarks@gmail.com.

The host, producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.


Daily Compliance News: February 15, 2024 – The Lock The Doors Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • Elon Musk says Delaware has ‘locked the doors’. (Reuters)
  • OECD at 25. (The Hill)
  • The SEC is bracing for litigation over climate change regs. (WSJ)
  • $130MM paid to creditors in the Mozambique Tuna Bond corruption scandal. (Spotlight on Corruption)



Compliance into The Weeds: Down The Rabbit Hole on SEC Enforcement Waivers

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt go down a rabbit hole regarding the SEC waiving penalties for messaging app violations.

The Securities and Exchange Commission (SEC) has been making headlines for its crackdown on broker-dealers who violate record-keeping rules by using off-channel messaging apps like WhatsApp or Snapchat. This has led to hefty fines, yet the SEC has been granting waivers to these same firms, allowing them to continue operating in the securities world. This paradoxical approach has raised eyebrows, including those of Tom Fox and Matt Kelly. Fox finds the SEC’s actions both curious and concerning. He believes that if a waiver program exists, it should be publicly announced, and the reasons for granting waivers should be transparent to ensure appropriate scrutiny. Kelly, on the other hand, expresses surprise and disappointment at the lack of transparency from the SEC, suggesting that the waiver program and its reasons should be made clear to the public. Find out more in this fascinating edition of Compliance into the Weeds.

Key Highlights:

  • SEC Sanctions for Off-Channel Messaging Violations
  • SEC Enforcement and Waivers for Internal Violations
  • Cracking down on Off Channel Communications
  • The Need for Public Announcements in SEC Enforcement

Resources:

Matt on Radical Compliance



SolarWinds Under GDPR: Corporate Responsibility and Risks in Data Protection

The General Data Protection Regulation (GDPR) has significantly changed how organizations handle data protection and privacy. It emphasizes the importance of transparency and honesty in disclosing data breaches and vulnerabilities. In a recent episode of the podcast Life with GDPR, Tom Fox and Jonathan Armstrong from Cordery Compliance discussed the topic of corporate responsibility and risks in data protection, with a particular focus on the SolarWinds case.

To recap, in late 2023, the SEC filed a lawsuit against SolarWinds Corp and its CISO, Tim Brown, following the 2020 data breach, bringing the issue of executive liability in cybersecurity disclosures to the forefront. The lawsuit raised important questions about the personal liability of senior executives for inaccurate risk disclosures and has potential implications for other industries under US securities law.

The 2020 breach, orchestrated by Russian hackers, targeted SolarWinds’ software, Orion, and exposed highly sensitive information. The hackers gained access to SolarWinds and planted spyware in the Orion program. SolarWinds then distributed an update to its corporate customers, unknowingly spreading the Russian spyware. This allowed the hackers to access the highest levels of the US government and major corporations.

The SEC’s lawsuit against SolarWinds and Tim Brown focused on the poor disclosures about the company’s information security throughout 2018, 2019, and 2020. While SolarWinds publicly claimed to have good cybersecurity, internal communications revealed that employees were aware of the company’s cybersecurity issues and considered them a mess. This discrepancy between internal knowledge and external disclosures formed the basis of the SEC’s allegations.

The SEC complaint alleged that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

Beyond this SEC enforcement action, there were other implications as well. One key takeaway from the episode is the pressure on corporate leaders, including CISOs, Data Protection Officers, and Compliance Officers, to disclose data breaches promptly. While GDPR offers some protection to Data Protection Officers, they are not entirely exempt from liabilities. The SolarWinds case serves as a reminder of the need for specific and timely disclosure of breaches and the importance of addressing system vulnerabilities.

The risks associated with data breaches are not limited to regulatory fines. Litigation risks are a significant concern for organizations, with shareholders and whistleblowers potentially seeking legal action. The episode highlights the importance of transparency and not misrepresenting information to regulators. Misrepresentations can lead to severe consequences for individuals in positions of responsibility within corporations.

Budget constraints can also hinder the timely fixing of vulnerabilities, ultimately leading to breaches. Organizations need to take proactive measures to identify and address vulnerabilities promptly. Realistic resource assessments are crucial to ensuring that adequate resources are allocated to data protection efforts. Additionally, having adequate insurance protection, such as Directors and Officers (D&O) insurance, can help protect individuals in positions of responsibility from potential liabilities.

The episode also emphasizes the need for organizations to consider the impact on their stock exchange filings when deciding whether to disclose a data breach. The decision to make such an admission in a stock exchange filing can be challenging and depends on factors such as materiality. Organizations need to assign a dedicated team to consider these factors, particularly when engaged in transactions like mergers and acquisitions or fundraising.

Transparency and honesty are key principles in data protection and privacy. Audit reports and investigation findings must be acted upon promptly to address vulnerabilities. Emails and other forms of communication can serve as evidence in legal proceedings, highlighting the importance of careful communication within organizations.

The potential for litigation is significant in data breach cases. Shareholders may seek legal action if they believe the value of their stock has been affected. Whistleblowers, incentivized by various jurisdictions, may also come forward with information. This highlights the need for organizations to maintain a culture of transparency and integrity and for individuals to review their remuneration packages to avoid conflicts of interest.

In conclusion, GDPR, corporate responsibility, and risks in data protection are interconnected. Organizations must prioritize transparency, honesty, and timely disclosure of breaches and vulnerabilities. Proactive measures, realistic resource assessments, and adequate insurance protection are crucial to mitigating risks. By considering the impact on stock exchange filings and maintaining a culture of integrity, organizations can navigate the challenges associated with data protection and privacy in the GDPR era.


Pre-taliation Protection Extends to Third Parties

The Securities and Exchange Commission (SEC) has been cracking down on companies that engage in pre-taliation, imposing increasing fines. This was evident in the recent case of JP Morgan, which faced an $18 million sanction for including a pre-taliation clause in its contracts. This enforcement action highlighted the importance of companies addressing pre-taliation risk by implementing contract language that protects individuals’ rights to report misconduct. Matt Kelly and I recently had the chance to take a deep dive into the decision in a recent episode of Compliance into the Weeds.

Corey Schuster, co-chief of the Asset Management Unit in the SEC Division of Enforcement, said in an SEC Press Release, “Whether retail or otherwise, must be free to report complaints to the SEC without interference. Those drafting or using confidentiality agreements must ensure that they do not include provisions impeding potential whistleblowers.” Gurbir Grewal, Director of the SEC Enforcement Division, added, “Whether in your employment contracts, settlement agreements or elsewhere, you simply cannot include provisions that prevent individuals from contacting the SEC with evidence of wrongdoing.” Matt noted in his blog post on the case, “SEC enforcement against pre-taliation is not exactly news, since the agency has been filing such cases since 2016 — but until now, those enforcement actions have always been about companies using pre-taliation clauses in contracts with employees. Now we have our first case over pre-taliation against customers — and it came with the biggest pre-taliation fine we’ve ever seen.”

Pre-taliation occurs when a company restricts individuals from speaking out about corporate misconduct to regulators. While previous pre-taliation cases primarily focused on restrictions placed on employees, the JP Morgan securities case marked a significant shift. For the first time, the SEC sanctioned a company for imposing a pre-taliation clause on customers. This expands the range of individuals who may fall victim to pre-taliation and underscores the need for companies to be vigilant in their compliance efforts.

Companies must understand that pre-taliation clauses are problematic, regardless of whether they are included in employment contracts, settlement agreements, or elsewhere. The SEC has clarified that provisions preventing individuals from contacting the SEC with evidence of wrongdoing are unacceptable. Compliance officers must conduct regulatory assessments to understand applicable laws and review contracts for problematic language.

The fines imposed by the SEC for pre-taliation cases have been increasing over time. In the case of JP Morgan securities, the $18 million sanction was the largest fine ever seen for a simple fix. The remediation action required in these cases is relatively straightforward: companies must delete the problematic language from their agreements and inform anyone who signed the old language that they are free to report misconduct to the SEC or any other regulator. While the mechanics of executing this remediation may be challenging for large organizations with contracts stored in different data warehouses, the basic idea remains the same.

It is worth noting that in most pre-taliation cases, companies rarely enforce the pre-taliation clauses. They often become an afterthought, and it is only years later that companies realize their mistake and attempt to rectify it. The SEC’s message is clear: companies must proactively identify and correct problematic language in their contracts to avoid facing significant fines.

The CBRE pre-taliation enforcement action serves as an example of effective remediation practices. CBRE swiftly identified and corrected problematic clauses, updated its code of conduct, and provided training on SEC rules to its compliance team. This proactive approach helped them avoid more severe penalties and garnered praise from the SEC. Here, Kelly noted,

  • Within one month of learning about the SEC investigation, revising all its U.S. severance agreement templates to assure compliance, followed by an audit of similar agreements worldwide, reviewing some 300 templates used by CBRE affiliates in 54 countries;
  • Updating the CBRE Code of Conduct to add new language against pre-taliation;
  • Training more than 50 members of the compliance team globally on the Rule 21F-17 language added to all relevant templates;
  • Undertaking a mandatory re-certification process, in which more than 100,000 employees worldwide certified that they had reviewed the updated Code of Conduct and attested to their understanding that they were always free to bring concerns to regulators without any advance notice to CBRE.

Compliance officers face the challenge of balancing various factors when addressing pre-taliation risk. They must consider the impact of state laws, federal whistleblower protection laws, and securities laws that may apply to their company. Conducting a regulatory assessment and thoroughly reviewing contracts can help identify potential areas of concern.

In conclusion, the SEC’s increasing fines for company pre-taliation highlight the importance of compliance and the need for companies to address pre-taliation risk. Companies must eliminate pre-taliation clauses from their contracts and ensure individuals can report misconduct to regulators. Companies can mitigate the risk of facing significant fines and reputational damage by taking proactive measures and conducting thorough assessments.


Life With GDPR: Episode 104 – SolarWinds and Your Mother – Tell The Truth

Tom Fox and Jonathan Armstrong, renowned experts in cyber security, co-host the award-winning Life with GDPR. In this episode, they look at the continued fallout from the SolarWinds data breach.

In the complex world of data protection, the General Data Protection Regulation (GDPR) has placed a spotlight on the importance of transparency, honesty, and corporate responsibility. Experts Tom Fox and Jonathan Armstrong bring their unique perspectives to this topic, shaped by their extensive experience in compliance and data protection. Fox emphasizes the potential legal consequences for corporate leaders who fail to disclose vulnerabilities or engage in dishonest practices, while Armstrong highlights the increasing pressure on individuals and corporations to disclose data breaches, with regulators focusing more on individual liability. Both stress the importance of transparency, the potential for litigation, and the role of whistleblowers.

Join Fox and Armstrong as they delve deeper into these issues on this episode of the Life with GDPR podcast.

Key Takeaways:

  • The Importance of Truthfulness in GDPR
  • The Importance of Transparency in Data Breaches
  • Legal risks in data breaches and cybersecurity
  • The Impact of Budget Constraints on Vulnerability Fixes

Resources:

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here. Check out the Cordery Data Breach Academy here.
