Why study compliance?
Growing job market
Increasing legal incentives for companies
Evolving corporate culture
Evaluation: laws, values, risk areas, cost-benefit analysis;
Prevention: training; internal controls
Detection: monitoring; whistleblowing; investigation
Reaction: investigation; remediation; negotiation
What is compliance?
Here’s one [simplified] definition:
“Corporate compliance is the process of making sure your company and
employees follow the law.”
Is that all? Then why are we acting like it’s new?
Quotes about Corporate Compliance
“A corporate compliance program is generally defined as a formal program specifying
an organization’s policies, procedures, and actions within a process to help prevent
and detect violations of laws and regulations.”
-Corporate Compliance Insights
“Corporate compliance is the system of self-governance established by a business
organization seeking to conform its conduct to the demands of public policy.
Practically speaking, it is the means by which a company transforms its ethical
values into the more tangible reality of ethical conduct.”
-Carole Basri, Corporate Compliance
“Corporate compliance is the process of making sure your company and employees
follow the laws, regulations, standards, and ethical practices that apply to your
-Power DMS
“Corporate compliance refers to the systems a company puts in place to prevent,
detect, and respond to violations of law or of self-defined standards of conduct.”
-Some random prof said that.
Four Dimensions of Compliance:
1. Self-Evaluation
2. Prevention
3. Detection
4. Response
An energy trading company
Largely unregulated industry
Fortune Magazine rated “America’s Most Innovative Company” six consecutive times
from 1996 to 2001
“Creative” accounting:
“Mark-to-market”: future revenue of long-term contracts claimed as present
If profits unrealized, would hide losses through a “SPV” or “SPE” which required
3% independent equity at risk
Audited by Arthur Andersen, one of “Big Five” accounting firms (now only a
“Big Four”)
Investigated by Vinson & Elkins
Neither could identify the violations and dangers
The fallout:
Massive restatement of several years’ financials
Admission that SPVs violated accounting standards
Criminal charges against several executives (various forms of fraud)
Criminal obstruction of justice charge against Arthur Andersen (later
Both Enron and Arthur Andersen collapse
$100 billion lost to investors/pensioners
Passage of Sarbanes-Oxley (2002)
Lawsuits continue
The lesson?
Consider this red flag:
“I am incredibly nervous that we will implode in a wave of
accounting scandals. My eight years of Enron work history will be
worth nothing on my resume.”
Thesis: Enron represents a failing of company culture.
A clever and corrupt company can hide accounting fraud even from
elite accounting and law firms.
Origins of Compliance Programs
Rising Criminalization of Business Conduct
Individual and Entity Liability
Corporate Criminal Liability
1991 U.S. Federal Sentencing Guidelines for Organizations
1996 Caremark Decision
--> But, an emerging “check the box” mentality
--> Enron and the need for “good faith compliance programs”
Corporate v. civil liability
Different for companies v. individuals?
When will enforcement agency look at compliance program?
Whether to investigate
Whether to penalize (through settlement)
How to penalize
Two phases of compliance
DOJ’s Evaluation of Corporate Compliance Programs
Issued February 2017
Fraud Section’s hiring of Hui Chen
Hired November 2015
Resigns July 2017
“Cognitive dissonance”
What is its legal authority?
Formally, zilch
Practically, huge
Elements and Characteristics of a Compliance Program
I. Conduct or “Tone” at the Top - SELF-EVALUATION and PREVENTION
U.S. Sentencing Guidelines:
“promote an organizational culture that encourages ethical conduct and a
commitment to compliance with the law”
DOJ’s “Evaluation of Corporate Compliance Programs:”
“Conduct at the Top -- How have senior leaders, through their words and
actions, encouraged or discouraged the type of misconduct in question?
What concrete actions have they taken . . . . How has senior leadership
modeled proper behavior to subordinates?”
Examples of bad tone:
Ken Lay, Enron
Jeffrey Immelt, GE
Morgan Stanley: what do you think?
How to measure?
Corporate Social Responsibility (CSR)
Social responsibility is the responsibility of an organization for the impacts
of its decisions and activities on society and the environment, through
transparent and ethical behavior that:
Contributes to sustainable development, including the health and
the welfare of society
Takes into account the expectations of stakeholders
Is in compliance with applicable law and consistent with
international norms of behavior, and
Is integrated throughout the organization and practiced in its
Assorted definitions of Corporate Social Responsibility:
“a corporation's initiatives to assess and take responsibility for the
company's effects on environmental and social wellbeing”
“A company's sense of responsibility towards the community and
environment (both ecological and social) in which it operates.”
“a business approach that contributes to sustainable development by
delivering economic, social and environmental benefits for all
II. Role of Compliance in Company Structure/Management
CSR Factors to Consider:
When does compliance involve doing more than the law requires?
When does compliance involve doing more than preventing the harm of
one’s own conduct, taking affirmative steps in the community?
When is compliance justified through reference to profits (short- or long-term) versus ethics or social welfare?
What do I personally need to feel fulfilled in my work?
Exercises in making the case for CSR:
Identify two talking points based on your case study for persuading
management that the company ought to invest in a CSR initiative,
using the case study as an example.
III. Code of Ethics (a.k.a. Code of Conduct)
Codes of Ethics/Conduct: Setting the Tone
Honorable or hypocritical?
IV. Policies and Procedures
V. Risk Assessment
“The organization shall periodically assess the risk of criminal conduct and shall
take appropriate steps to design, implement, or modify each (of the
components of an effective compliance program) to reduce the risk of criminal
conduct identified through this process.”
“ . . . risk assessments need to be made at all stages of the development,
testing, and implementation of a compliance program to ensure that
compliance efforts are properly focused and effective.”
-U.S. Organizational Sentencing Guidelines
Only look at criminal liability? No.
Criminal liability
Civil liability
Ethical and reputational harm
Distinguish risk assessment from audit:
Risk assessment: looks at business practices in context of applicable
laws to identify risks of legal/ethical violations
Compliance audit: examines the effectiveness of existing compliance
measures (and can include a risk assessment)
Core features:
Identify relevant laws and ethical norms
Identify business practices that create risk of violation
Evaluate likelihood and seriousness of risks
Prioritize risk areas for allocation of company resources
VI. Training and Communications
Training and Communications
Risk-based Training
Communicating about Misconduct
Availability of Guidance
Guidance on what?
Compliance policies for the employee
Sample training template:
VII. Confidential Reporting and Investigation - REPORTING
What is an “investigation?”
Four types:
1. Internal with in-house counsel
2. Internal with outside counsel
3. Independent
4. Government
On the oddity, and yet the pervasiveness, of investigations
Compare to conventional criminal procedure
Considerations in designing and conducting investigations:
Are board, senior execs, or in-house counsel implicated?
How severe are the allegations?
Civil or criminal?
Risk of derivative lawsuit?
Risk of government detection?
VIII. Incentives and Disciplinary Measures - REPORTING
So your investigation revealed a criminal violation.
Now what?
Root cause analysis
Compare: outside of the business context, if you committed a
crime, what would you do?
But if you are a compliance officer, and have discovered
wrongdoing, is the analysis any different?
Would you voluntarily disclose (a.k.a. self-report) your findings
to the government?
What is likelihood government will find out?
What are benefits to self-reporting?
Outcomes of government’s review of a potential violation:
No investigation
Negotiated Settlements with Companies (NPAs and DPAs)
1. Deferred Prosecution Agreements (DPAs)
Charging document filed with court (information v. indictment)
Admit relevant facts (but not necessarily wrongdoing)
Pay a penalty
Maybe a corporate monitor
Two- or three-year deferral period
Expectation of eventual dismissal
Criminal indictment
2. Non-Prosecution Agreements (NPAs)
No filing
Otherwise the same
Generally for less severe violations
Why does the government like these resolutions?
The goal of enforcement:
General Deterrence
Criminal Indictment
Given limited resources, how can the DOJ maximize deterrence?
Think of a ratio: deterrence per dollar.
How to maximize the numerator?
The prosecutor’s dilemma:
To prosecute companies or individuals?
Two questions:
Where is the greatest deterrence value?
Where is the greatest deterrence per dollar value?
Two relevant considerations:
Companies will conduct (and pay for) their own investigations
Companies prefer to settle, while individuals prefer to defend
themselves in court
Based on these two premises, how might the government
construct an enforcement system that maximizes deterrence for the
Internal/independent investigations
Self-reporting (voluntary disclosure)
Cooperation credit
**Only works for companies.
Okay, so now we’re able to go after a whole bunch of companies.
But what is lost in this process?
Deterrence value of individual liability
No judicial scrutiny
A sense of justice
For the defendant: due process
DOJ as judge, jury, and executioner
What is this cooperation credit?
For the public: retributive justice
The DOJ’s response to critiques of enforcement:
The Yates Memo (2015)
The FCPA Pilot Program and resulting Corporate Enforcement
Policy (2016)
IX. Analysis/Remediation of Misconduct - REPORTING
Respond for what purpose?
1. Detect
2. Analyze
3. Discipline
4. Remediate
5. Report*
*Depends on nature of investigation and legal strategy
Note on Facilitation Payments vs. Bribes: On the Virtue of Humility
Eugene Soltes and “Why They Do It”
Consider this question:
Should your firm pay facilitation payments?
Bribes v. facilitation payments:
Corrupting the officials’ discretion
Something you are not entitled to (by law) v. something you are
entitled to (by law)
Ex. Prof is trying to win a big bid. He goes to get a permit,
submits per requirements, government official stalls, says "this
will take weeks, but for $50 I can get it done right now". What
do you do?
Bid = not entitled to by law
Permit = entitled to by law
Problem - cannot get what is entitled because of gov't
official's corruption/laziness
Theory - paying to "facilitate" something you are
technically entitled to (permit) is ok under U.S. law
Routine governmental action
Technically legal under US law, but many companies prohibit
Illegal under UK bribery law (to which many large US companies are
X. Periodic Testing and Review - GO BACK TO THE BEGINNING AND
Sources of federal law/guidance on compliance:
Delaware corporate law: Caremark (1996)
Sarbanes-Oxley (2002)
U.S. Sentencing Guidelines
U.S. Attorneys’ Manual
E.g. the Corporate Enforcement Policy
Deputy U.S. Attorney Memoranda
E.g. the Yates Memo
DOJ Guidance
Next week: HBP - 5 companies that invest in CSR
Talk about aggravating factors!
$22M + $25M in China for contracts, $55M in Russia for medical equipment
The settlement:
$1.8B USD in sanctions from DOJ, SEC, German authorities
$100M USD with World Bank + temporary debarment
Siemens Compliance Brochures
Quarterly compliance reviews
P. 44 -
Trends in the Law of Compliance CLE - April 19, 2018
Speaker: Matthew H. Neels, CRCM, CAMS, CIPP, CRP
Introduction and General Comments
Background & Experience
Banking - heavily regulated
General Comments on Banking Compliance
Compliance, Generally
Subject of Presentation
MHN Background and Experience
Presentation Content
Key Lessons Learned
Compliance as a Career
Basic Questions
What exactly is Compliance?
The state or fact of according with or meeting rules or standards
Regulatory compliance describes the goal that organizations
aspire to achieve
Compliance Risk as Defined by the Comptroller of the Currency
Six Elements
1. You are prohibited from doing something (strict)
2. You have to tell the customer something (disclosures)
3. You have to do something in a certain way (methods)
4. You have to document something (records)
5. You have to do something within a certain amount of time
6. You have to report something to someone (reporting)
Challenges to Defining it
1. Start out with a subjective imprecise definition
2. Numerous stakeholders with differing reqs and expectations
3. Federal v State reqs
4. US v International reqs
5. Franchise reqs
6. Voluntary standards
7. Normal and expected standards and practice
Why is it Important in Today’s Society?
It's the law
Financial sanctions for noncompliance
Personal liability for management, staff, and directors
Individual fines
Loss of job
Loss of resume (if barred from the industry)
Adverse customer impact from failures
Creates franchise risk and potential firm failure
May be forced to sell
May preclude you from being acquired or from merging with other
Reputation risk
How Does it Differ from Other Professions?
Who Relies on Compliance?
Defining your stakeholders – who do you work for?
Desired outcomes
Competing goals and challenges
Setting Up Your Program
Step One: What do you have to comply with and why?
(Mechanical Components)
What do you touch?
What are the Internal controls
Policies and procedures
Testing and making improvements
1. Inventory your products and services
2. Assess geographical footprint
3. Define the laws, regulations, and rulings you have to comply with
Federal Sentencing Guidelines!
4. Identify your regulatory audience
Deciding How to Comply
Risk tolerance
Defining and implementing your compliance framework
How accountable are you?
Three lines of defense
Does your organization really want to comply?
Tone at the top and management and board commitment
Tone at the middle
Accountability and Consequences
Critical Success Factors
1. Positive Culture of Compliance
2. Stature, Independence and Authority
1. Compliance must be independent of the business
2. Sufficient seniority and authority to execute compliance program
3. Access to executive management and the Board
4. Ability to effectively work with external stakeholders
3. Knowledgeable Compliance Office
4. Trust but Verify - An Organization Must Know if it is in Compliance
Three Pillars:
Independent Audits
Reporting Your Results
Dealing with things that break
Root cause assessment
Corrective action
Customer remediation
5. Fixing things that go wrong
1. Compliance exceptions are a routine part of business
2. Fixing the exceptions
3. Timely and comprehensive self-disclosure to regulators
6. Managing Change
1. Subject matter changes every three years
2. New products, services, processes
3. M&A
7. Showing your work
Documented Program
Record retention is critical
8. Working well with others
A lot of compliance is interpersonal
Are the compliance officers likable?
The profession is growing and CCOs are in high demand
Interesting work environment
Ever changing landscape
Clear nexus to legal
Tremendous network, trade groups, and support
What should you have?
1. Technical expertise - knowledge of laws, rules, regs
Requires self-study
Certifications (CRCM, CAMS, etc.)
Commitment to continuing education
2. Business knowledge
Process knowledge
3. Soft skills
Influence, communication, and persuasion skills
Strong written and verbal skills
Ability to maintain objectivity and independence while working within the
Competing stakeholders
Multi-subject learning
Often must work through others to achieve results
The need to “sell” compliance
Occasionally come in contact with criminal behavior
Subject matter turnover – need to relearn everything every three years
Compliance as a Career
Lots of opportunity
More management support than ever before
Intellectually stimulating – requires lifetime learning
An evolving profession
Legal vs Compliance
What kind of certifications?
General banking
Data security
Anti-money laundering
Title VII
Panel 1- AML and the New FinCEN CDD Rule
Speakers: Justin Forsmann (Wells Fargo) and Parth Patel (WealthForge Holdings,
What is the Customer Due Diligence (CDD) Rule?
Financial Crimes Enforcement Network (FinCEN); Dept. of the Treasury
Who are "covered financial institutions" under the Rule?
(i) Banks;
(ii) brokers or dealers in securities;
(iii) mutual funds; and
(iv) futures commission merchants and introducing brokers in
Four prongs:
(1) Customer identification and verification,
Already an anti-money laundering (AML) requirement
At WealthForge, this process is done by a third-party process
(2) Beneficial ownership identification and verification,
Beginning May 11, 2018, covered financial institutions [3] must
identify and verify the identity of the beneficial owners of all legal
entity customers (other than those that are excluded) at the time a
new account is opened (other than accounts that are exempted)
Publicly-traded entities
Non-statutory trusts (not included in the definition of legal
Why is there an exemption?
Too complex to wrap regulation around
What impact could there be?
Could be major
Ex. Panama Papers - companies held by a
trust, not likely to disclose who is actually
behind the scenes
There may be other ways to get to the beneficial
owners without traditional transparency
(3) understanding the nature and purpose of customer relationships to
develop a customer risk profile, and
already implicitly required for covered financial institutions to comply
with their suspicious activity reporting requirements
What is a customer risk profile?
Information gathered about a customer at account opening
used to develop a baseline against which customer activity is
assessed for suspicious activity reporting (SAR).
May include self-evident information such as the type of
customer or type of account, service, or product.
May, but need not, include a system of risk ratings or
categories of customers. Uses the data to evaluate suspicious
activity report (SAR)
Evaluate risk against the SAR
(4) ongoing monitoring for reporting suspicious transactions and, on a
risk-basis, maintaining and updating customer information
already implicitly required for covered financial institutions to comply
with their suspicious activity reporting requirements
Panel 2 - Patrick Hanes, WM
Types of Compliance
Pre-existing compliance
Federal enforcement
Cooperation credit - benefit the enforcement authority will give to the
entity that is working to fix its issues
Leniency, generally
But, how lenient? Give us a number.
Remedial compliance
When there is an enforcement action
Both are within the same zone of Corporate Enforcement Policy (Govt Program)
Incorporated into the US Attorney's manual
FCP enforcement
1. Voluntary disclosure
Bringing to the attention of the authorities before the BTH
2. Cooperation
Hopefully following a vol disclosure
Disclosing all evidence of individual wrongdoing
3. Remediation
What are you doing to fix/clean up?
Investing in Compliance
4. Disgorgement
Turning over the ill-gotten gains
1-4 (with no aggravating circumstances) - 50% Penalty reduction from what the
Federal Sentencing Guidelines
We do not have a single example of this to look to
1-4 with Aggravating Circumstances - Up to 50%
2-4: 25% if everything but disclosure
How to design a compliance program in the shadow of looming govt
Design the program to fit YOUR company.
One size does not fit all
Hui Chen - first major Compliance whiz kid
Compliance program - how do you get culture of compliance into a value add to a
business driven by innovation and creativity?
How to make Compliance Sexy?
Call it a "Best Practice"
Have CCO report to GC
Have paper policy PLUS
"Culture of Success"
Have an impact statement
Exam Prep:
Memo to client
Client has little to no compliance program
What is it?
What does a compliance program consist of?
Why do you invest in it?
Communicate to a non-lawyer
Talk about sentencing guidelines, but put it in context
Don't focus on lawyer talk/structure?
Write a lot in advance
High level of preparation PLUS
Tailoring to the client you are writing to
Prof HATES "let me show you what I know"
This essay needs to have value to the client
Draw on readings, lectures, examples
No citations, but refer to readings (DO READINGS)
Exam should be
Quality educational experience for you
Magnum opus for what you've learned from this class
Explain to an organization what compliance is and why it's worth
investing in
Boss (GC) doesn't know much about compliance
What is compliance?
Why is it important?
It's the law
Financial sanctions for noncompliance
Personal liability for mgmt (SOX), staff, and directors (Caremark)
Adverse Customer Impact From failures (Wells Fargo, Enron, VW)
Create franchise risk and potential firm failure (financial crisis)
Reputation risk (Siemens is forever the poster child for systemic
bribery globally)
Defining what you have to comply with:
1. Inventory your products & services
2. Assess your geographic footprint
3. Define the laws, rulings and regs you have to comply with
4. Identify your regulatory audience
How aggressive is enforcement?
What are the focus areas of the agency
What are the formal and informal interpretations of the law?
Ex. know which industries allow "facilitation payments"
Ex. Yates memo, compliance guidance
Why is it worth investing in?
Framework for a robust compliance program
Critical success factors (8)
1. Positive culture of compliance
2. Stature, independence, and authority
3. Knowledgeable compliance officer
4. Trust but verify - org must know if it is in/out of compliance
5. Fixing things that go wrong
6. Managing change
7. Showing your work
8. Working well with others
DOJ Sentencing Guidelines
Yates Memo
CSR Case Studies
Enron discussion
How to write
Synthesize reading and lecture material
Clear, compact, and accessible way
Draw on real-life examples
Make the business case
Demonstrate conviction and vision
Write something beautiful (prof wants to "feel wowed")
