CORPORATE COMPLIANCE
Prof. Spalding - Spring 2018

Outline

Why study compliance?
  - Growing job market
  - Increasing legal incentives for companies
  - Evolving corporate culture

Dimensions:
  - Evaluation: laws, values, risk areas, cost-benefit analysis
  - Prevention: training; internal controls
  - Detection: monitoring; whistleblowing; investigation
  - Reaction: investigation; remediation; negotiation

What is compliance?
Here's one [simplified] definition: "Corporate compliance is the process of making sure your company and employees follow the law."
Is that all? Then why are we acting like it's new?

Quotes about Corporate Compliance
  "A corporate compliance program is generally defined as a formal program specifying an organization's policies, procedures, and actions within a process to help prevent and detect violations of laws and regulations." - Corporate Compliance Insights
  "Corporate compliance is the system of self-governance established by a business organization seeking to conform its conduct to the demands of public policy. Practically speaking, it is the means by which a company transforms its ethical values into the more tangible reality of ethical conduct." - Carole Basri, Corporate Compliance
  "Corporate compliance is the process of making sure your company and employees follow the laws, regulations, standards, and ethical practices that apply to your organization." - PowerDMS
  "Corporate compliance refers to the systems a company puts in place to prevent, detect, and respond to violations of law or of self-defined standards of conduct." - Some random prof said that.

Four Dimensions of Compliance:
  1. Self-Evaluation
  2. Prevention
  3. Detection
  4. Response

Enron
  - An energy trading company
  - Largely unregulated industry
  - Fortune Magazine rated it "America's Most Innovative Company" six consecutive times from 1996 to 2001
  - "Creative" accounting:
      - "Mark-to-market": future revenue of long-term contracts claimed as present value
      - If profits went unrealized, losses were hidden through an "SPV" or "SPE" (special purpose vehicle/entity), which required 3% independent equity at risk
  - Audited by Arthur Andersen, one of the "Big Five" accounting firms (now only a "Big Four")
  - Investigated by Vinson & Elkins
  - Neither could identify the violations and dangers

The fallout:
  - Massive restatement of several years' financials
  - Admission that the SPVs violated accounting standards
  - Criminal charges against several executives (various forms of fraud)
  - Criminal obstruction of justice charge against Arthur Andersen (conviction later overturned)
  - Both Enron and Arthur Andersen collapse
  - $100 billion lost to investors/pensioners
  - Passage of Sarbanes-Oxley (2002)
  - Lawsuits continue

The lesson? Consider this red flag:
  "I am incredibly nervous that we will implode in a wave of accounting scandals. My eight years of Enron work history will be worth nothing on my resume."
Thesis: Enron represents a failing of company culture. A clever and corrupt company can hide accounting fraud even from elite accounting and law firms.

Origins of Compliance Programs
  - Rising criminalization of business conduct
  - Individual and entity liability
  - Corporate criminal liability
  - 1991 U.S. Federal Sentencing Guidelines for Organizations
  - 1996 Caremark decision
      --> But, an emerging "check the box" mentality
      --> Enron and the need for "good faith compliance programs"
  - Criminal v. civil liability
  - Different for companies v. individuals?
  - When will an enforcement agency look at a compliance program?
  - Whether to investigate
  - Whether to penalize (through settlement)
  - How to penalize

Two phases of compliance
  - Pre-existing
  - Remedial

DOJ's Evaluation of Corporate Compliance Programs
  - Issued February 2017
  - Fraud Section's hiring of Hui Chen
      - Hired November 2015
      - Resigns July 2017
      - "Cognitive dissonance"
  - What is its legal authority?
      - Formally, zilch
      - Practically, huge

Elements and Characteristics of a Compliance Program

I. Conduct or "Tone" at the Top - SELF-EVALUATION and PREVENTION
  U.S. Sentencing Guidelines: "promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law"
  DOJ's "Evaluation of Corporate Compliance Programs": "Conduct at the Top -- How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken . . . . How has senior leadership modeled proper behavior to subordinates?"
  Examples of bad tone:
    - Ken Lay, Enron
    - Jeffrey Immelt, GE
    - Morgan Stanley: what do you think?
  How to measure? Deloitte: http://deloitte.wsj.com/riskandcompliance/2013/04/11/10ways-to-measure-the-tone-at-the-top/

Corporate Social Responsibility (CSR)
  Social responsibility is the responsibility of an organization for the impacts of its decisions and activities on society and the environment, through transparent and ethical behavior that:
    - Contributes to sustainable development, including the health and the welfare of society
    - Takes into account the expectations of stakeholders
    - Is in compliance with applicable law and consistent with international norms of behavior, and
    - Is integrated throughout the organization and practiced in its relationships.
Assorted definitions of Corporate Social Responsibility:
  - "a corporation's initiatives to assess and take responsibility for the company's effects on environmental and social wellbeing"
  - "A company's sense of responsibility towards the community and environment (both ecological and social) in which it operates."
  - "a business approach that contributes to sustainable development by delivering economic, social and environmental benefits for all stakeholders."

II. Role of Compliance in Company Structure/Management

CSR Factors to Consider:
  - When does compliance involve doing more than the law requires?
  - When does compliance involve doing more than preventing the harm of one's own conduct, taking affirmative steps in the community?
  - When is compliance justified through reference to profits (short- or long-term) versus ethics or social welfare?
  - What do I personally need to feel fulfilled in my work?

Exercise in making the case for CSR: Identify two talking points based on your case study for persuading management that the company ought to invest in a CSR initiative, using the case study as an example.

III. Code of Ethics (a.k.a. Code of Conduct)
  Codes of Ethics/Conduct: Setting the Tone
  Honorable or hypocritical?

IV. Policies and Procedures

V. Risk Assessment
  "The organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each (of the components of an effective compliance program) to reduce the risk of criminal conduct identified through this process."
  " . . . risk assessments need to be made at all stages of the development, testing, and implementation of a compliance program to ensure that compliance efforts are properly focused and effective."
  - U.S. Organizational Sentencing Guidelines
  Only look at criminal liability? No.
  - Criminal liability
  - Civil liability
  - Ethical and reputational harm

Distinguish risk assessment from audit:
  - Risk assessment: looks at business practices in the context of applicable laws to identify risks of legal/ethical violations
  - Compliance audit: examines the effectiveness of existing compliance measures (and can include a risk assessment)

Core features:
  - Identify relevant laws and ethical norms
  - Identify business practices that create risk of violation
  - Evaluate likelihood and seriousness of risks
  - Prioritize risk areas for allocation of company resources

VI. Training and Communications
  - Risk-based training
  - Communicating about misconduct
  - Availability of guidance
      - Guidance on what? Compliance policies for the employee
  - Sample training template: https://www.business-anticorruption.com/compliance-training/code-of-conduct-learning-course

VII. Confidential Reporting and Investigation - REPORTING
  What is an "investigation?" Four types:
    1. Internal with in-house counsel
    2. Internal with outside counsel
    3. Independent
    4. Government
  On the oddity, and yet the pervasiveness, of investigations
  Compare to conventional criminal procedure
  Considerations in designing and conducting investigations:
    - Are board, senior execs, or in-house counsel implicated?
    - How severe are the allegations? Magnitude; civil or criminal?
    - Risk of derivative lawsuit?
    - Risk of government detection?

VIII. Incentives and Disciplinary Measures - REPORTING
  So your investigation revealed a criminal violation. Now what?
  Internally:
    - Root cause analysis
    - Discipline
    - Remediate
  Externally?
    - Compare: outside of the business context, if you committed a crime, what would you do?
    - But if you are a compliance officer, and have discovered wrongdoing, is the analysis any different?
    - Would you voluntarily disclose (a.k.a. self-report) your findings to the government?
        - What is the likelihood the government will find out?
        - What are the benefits of self-reporting?
Outcomes of the government's review of a potential violation:
  - No investigation
  - Declination
  - Negotiated settlements with companies (NPAs and DPAs)
  - Criminal indictment

Negotiated Settlements with Companies (NPAs and DPAs)
  1. Deferred Prosecution Agreements (DPAs)
      - Charging document filed with court (information v. indictment)
      - Admit relevant facts (but not necessarily wrongdoing)
      - Pay a penalty
      - Maybe a corporate monitor
      - Two- or three-year deferral period
      - Expectation of eventual dismissal
  2. Non-Prosecution Agreements (NPAs)
      - No filing
      - Otherwise the same
      - Generally for less severe violations

Why does the government like these resolutions?
  - The goal of enforcement: general deterrence
  - Given limited resources, how can the DOJ maximize deterrence? Think of a ratio: deterrence per dollar. How to maximize the numerator?
  - The prosecutor's dilemma: to prosecute companies or individuals? Two questions:
      - Where is the greatest deterrence value?
      - Where is the greatest deterrence per dollar value?
  - Two relevant considerations:
      - Companies will conduct (and pay for) their own investigations
      - Companies prefer to settle, while individuals prefer to defend themselves in court
  - Based on these two premises, how might the government construct an enforcement system that maximizes deterrence for the dollar?
      - Internal/independent investigations
      - Self-reporting (voluntary disclosure)
      - Cooperation credit
      - DPAs/NPAs
      **Only works for companies.
  - Okay, so now we're able to go after a whole bunch of companies. But what is lost in this process?
      - Deterrence value of individual liability
      - No judicial scrutiny
      - A sense of justice
          - For the defendant: due process (DOJ as judge, jury, and executioner; what is this cooperation credit?)
          - For the public: retributive justice
  - The DOJ's response to critiques of enforcement:
      - The Yates Memo (2015)
      - The FCPA Pilot Program (2016) and the resulting Corporate Enforcement Policy (2017)

IX. Analysis/Remediation of Misconduct - REPORTING
  Respond for what purpose?
    1. Detect
    2. Analyze
    3. Discipline
    4. Remediate
    5. Report*
  *Depends on nature of investigation and legal strategy

Note on Facilitation Payments vs. Bribes: On the Virtue of Humility
  Eugene Soltes and "Why They Do It"
  Consider this question: Should your firm pay facilitation payments?
  Bribes v. facilitation payments:
    - Corrupting the official's discretion
    - Something you are not entitled to (by law) v. something you are entitled to (by law)
  Ex. Prof is trying to win a big bid. He goes to get a permit, submits per requirements, the government official stalls and says "this will take weeks, but for $50 I can get it done right now." What do you do?
    - Bid = not entitled to by law
    - Permit = entitled to by law
    - Problem: cannot get what one is entitled to because of the government official's corruption/laziness
    - Theory: paying to "facilitate" something you are technically entitled to (the permit) is permitted under U.S. law as a "routine governmental action" (the FCPA's facilitating-payments exception)
    - Technically legal under U.S. law, but many companies prohibit it
    - Illegal under UK bribery law (to which many large U.S. companies are subject)

X. Periodic Testing and Review - GO BACK TO THE BEGINNING AND START ALL OVER AGAIN (CONCLUSION)

Sources of law/guidance on compliance:
  - Delaware corporate law: Caremark (1996)
  - Sarbanes-Oxley (2002)
  - U.S. Sentencing Guidelines
  - U.S. Attorneys' Manual, e.g. the Corporate Enforcement Policy
  - Deputy Attorney General memoranda, e.g. the Yates Memo
  - DOJ guidance

Ikigai diagram: https://cdn-images-1.medium.com/max/1600/1*qNNzYd3SE1Z09d_IaJOdGA.jpeg

Next week: HBP - 5 companies that invest in CSR

Siemens
  - Talk about aggravating factors! $22M + $25M in China for contracts, $55M in Russia for medical equipment sales...
  - The settlement: $1.8B USD in sanctions from DOJ, SEC, and German authorities; $100M USD with the World Bank + temporary debarment
  - Siemens Compliance Brochures
  - Quarterly compliance reviews

Trends in the Law of Compliance CLE - April 19, 2018

Keynote Speaker: Matthew H. Neels, CRCM, CAMS, CIPP, CRP
Introduction and General Comments
  - Background & experience: banking - heavily regulated
  - General comments on banking compliance
  - Compliance, generally

Outline
  - Subject of presentation
  - MHN background and experience
  - Presentation content
  - Key lessons learned
  - Compliance as a career

Basic Questions
What exactly is Compliance?
  Definition: the state or fact of according with or meeting rules or standards
  Regulatory compliance describes the goal that organizations aspire to achieve
  Compliance risk as defined by the Comptroller of the Currency
  Six elements:
    1. You are prohibited from doing something (strict)
    2. You have to tell the customer something (disclosures)
    3. You have to do something in a certain way (methods)
    4. You have to document something (records)
    5. You have to do something within a certain amount of time (timeliness)
    6. You have to report something to someone (reporting)

Challenges to defining it
  1. Start out with a subjective, imprecise definition
  2. Numerous stakeholders with differing requirements and expectations
  3. Federal v. state requirements
  4. U.S. v. international requirements
  5. Franchise requirements
  6. Voluntary standards
  7. Normal and expected standards and practice

Why is it important in today's society?
  - It's the law
  - Financial sanctions for noncompliance
  - Personal liability for management, staff, and directors: individual fines; loss of job; loss of resume (if barred from the industry)
  - Adverse customer impact from failures
  - Creates franchise risk and potential firm failure: may be forced to sell
  - M&A: may preclude you from being acquired or from merging with another entity
  - Reputation risk

How does it differ from other professions?
  - Legal
  - Accounting

Who relies on compliance?
  - Defining your stakeholders - who do you work for?
  - Desired outcomes
  - Competing goals and challenges

Setting Up Your Program
Step One: What do you have to comply with and why? (Mechanical components)
  - What do you touch?
  - What are the internal controls?
  - Policies and procedures
  - Sustainability
  - Testing and making improvements
  1. Inventory your products and services
  2. Assess geographical footprint
  3. Define the laws, regulations, and rulings you have to comply with (Federal Sentencing Guidelines!)
  4. Identify your regulatory audience

Deciding How to Comply
  - Risk tolerance
  - Defining and implementing your compliance framework
  - How accountable are you? Three lines of defense

Culture
  - Does your organization really want to comply?
  - Tone at the top and management and board commitment: access, resources, reliance, support
  - Tone at the middle
  - Accountability and consequences

Critical Success Factors
  1. Positive culture of compliance
  2. Stature, independence and authority
      1. Compliance must be independent of the business
      2. Sufficient seniority and authority to execute the compliance program
      3. Access to executive management and the Board
      4. Ability to effectively work with external stakeholders
  3. Knowledgeable compliance office
  4. Trust but verify - an organization must know if it is in compliance
      Three pillars: monitoring, testing, independent audits
      Reporting your results
      Dealing with things that break: root cause assessment, corrective action, reporting, customer remediation
  5. Fixing things that go wrong
      1. Compliance exceptions are a routine part of business
      2. Fixing the exceptions
      3. Timely and comprehensive self-disclosure to regulators
  6. Managing change
      1. Subject matter changes every three years
      2. New products, services, processes
      3. M&A
  7. Showing your work
      - Documented program
      - Auditable
      - Professional
      - Record retention is critical
  8. Working well with others
      - A lot of compliance is interpersonal
      - Are the compliance officers likable?

Opportunities
  - The profession is growing and CCOs are in high demand
  - Interesting work environment
  - Ever-changing landscape
  - Clear nexus to legal
  - Tremendous network, trade groups, and support

What should you have?
  1. Technical expertise - knowledge of laws, rules, regs
      - Requires self-study
      - Certifications (CRCM, CAMS, etc.)
      - Commitment to continuing education
  2. Business knowledge
      - Products
      - Industry
      - Process knowledge
      - Technology
  3. Soft skills
      - Influence, communication, and persuasion skills
      - Strong written and verbal skills
      - Diplomacy
      - Ability to maintain objectivity and independence while working within the business

Challenges
  - Competing stakeholders
  - Multi-subject learning
  - Often must work through others to achieve results
  - The need to "sell" compliance
  - Occasionally come in contact with criminal behavior
  - Resources
  - Subject matter turnover - need to relearn everything every three years

Compliance as a Career
  - Lots of opportunity
  - More management support than ever before
  - Intellectually stimulating - requires lifetime learning
  - An evolving profession

Legal vs. Compliance
  - Legal: interpret
  - Compliance: enforcement

What kind of certifications?
  - General banking
  - Data security
  - Anti-money laundering
  - Employment (OFCCP, EEOC, Title VII)

Panel 1 - AML and the New FinCEN CDD Rule
Speakers: Justin Forsmann (Wells Fargo) and Parth Patel (WealthForge Holdings, LLC)

What is the Customer Due Diligence (CDD) Rule?
  https://www.federalregister.gov/documents/2016/05/11/201610567/customer-due-diligence-requirements-for-financial-institutions
  Authority: Financial Crimes Enforcement Network (FinCEN); Dept. of the Treasury
  Who are "covered financial institutions" under the Rule? (i) Banks; (ii) brokers or dealers in securities; (iii) mutual funds; and (iv) futures commission merchants and introducing brokers in commodities.
Four prongs:
  (1) Customer identification and verification
      - Already an anti-money laundering (AML) requirement
      - At WealthForge, this process is done by a third party
  (2) Beneficial ownership identification and verification
      - Beginning May 11, 2018, covered financial institutions must identify and verify the identity of the beneficial owners of all legal entity customers (other than those that are excluded) at the time a new account is opened (other than accounts that are exempted)
      - Exceptions: publicly traded entities; non-statutory trusts (not included in the definition of legal entity)
      - Why is there an exemption? Too complex to wrap regulation around
      - What impact could there be? Could be major. Ex. Panama Papers - companies held by a trust are not likely to disclose who is actually behind the scenes
      - There may be other ways to get to the beneficial owners without traditional transparency
  (3) Understanding the nature and purpose of customer relationships to develop a customer risk profile
      - Already implicitly required for covered financial institutions to comply with their suspicious activity reporting requirements
      - What is a customer risk profile? Information gathered about a customer at account opening, used to develop a baseline against which customer activity is assessed for suspicious activity reporting (SAR). May include self-evident information such as the type of customer or type of account, service, or product.
      - May, but need not, include a system of risk ratings or categories of customers. The profile is used to evaluate whether activity warrants a suspicious activity report (SAR).
  (4) Ongoing monitoring for reporting suspicious transactions and, on a risk basis, maintaining and updating customer information
      - Already implicitly required for covered financial institutions to comply with their suspicious activity reporting requirements

Panel 2 - Patrick Hanes, WM
Types of Compliance
  - Pre-existing compliance
      - Federal enforcement
      - Cooperation credit - the benefit the enforcement authority will give to an entity that is working to fix its issues
      - Leniency, generally. But how lenient? Give us a number.
  - Remedial compliance
      - When there is an enforcement action
  - Both are within the same zone of the Corporate Enforcement Policy (government program), incorporated into the U.S. Attorneys' Manual

FCPA enforcement
  REQUIREMENTS
    1. Voluntary disclosure
        - Bringing the matter to the attention of the authorities before the BTH
    2. Cooperation
        - Hopefully following a voluntary disclosure
        - Disclosing all evidence of individual wrongdoing
    3. Remediation
        - What are you doing to fix/clean up? Involves termination; investing in compliance
    4. Disgorgement
        - Turning over the ill-gotten gains
  BENEFITS
    - 1-4 with no aggravating circumstances: presumption of a declination (disgorgement still required). We do not have a single example of this to look to.
    - 1-4 with aggravating circumstances: 50% reduction off the low end of the Federal Sentencing Guidelines fine range
    - 2-4 (everything but voluntary disclosure): up to 25% reduction

DEALING WITH A "COMPLIANCE CRISIS"
  - How to design a compliance program in the shadow of looming government interaction
  - Design the program to fit YOUR company. One size does not fit all.
  - Hui Chen - first major compliance whiz kid
  - Compliance program - how do you turn a culture of compliance into a value add for a business driven by innovation and creativity?
  - How to make compliance sexy?
  - Call it a "best practice"
  - Have the CCO report to the GC
  - Have a paper policy PLUS a "culture of success"
  - Have an impact statement

Exam Prep: Memo to client
  - Client has little to no compliance program
  - What is it? What does a compliance program consist of? Why do you invest in it?
  - Communicate to a non-lawyer
  - Talk about the Sentencing Guidelines, but put them in context
  - Don't focus on lawyer talk/structure
  - Write a lot in advance: high level of preparation PLUS tailoring to the client you are writing to
  - APPLY APPLY APPLY
  - Prof HATES "let me show you what I know"; this essay needs to have value to the client
  - Draw on readings, lectures, examples
  - No citations, but refer to readings (DO THE READINGS)
  - Exam should be a quality educational experience for you: a magnum opus for what you've learned from this class

Explain to an organization what compliance is and why it's worth investing in. Boss (GC) doesn't know much about compliance.

What is compliance?
Why is it important?
  - It's the law
  - Financial sanctions for noncompliance
  - Personal liability for management (SOX), staff, and directors (Caremark)
  - Adverse customer impact from failures (Wells Fargo, Enron, VW)
  - Creates franchise risk and potential firm failure (financial crisis)
  - Reputation risk (Siemens is forever the poster child for systemic bribery globally)

Defining what you have to comply with:
  1. Inventory your products & services
  2. Assess your geographic footprint
  3. Define the laws, rulings and regs you have to comply with
  4. Identify your regulatory audience
      - How aggressive is enforcement?
      - What are the focus areas of the agency?
      - What are the formal and informal interpretations of the law? Ex. know which industries allow "facilitation payments"; ex. Yates memo, compliance guidance

Why is it worth investing in?
  - Avoid...
  - Gain...
  - Incentives
  - Obligations

Framework for a robust compliance program
  Critical success factors (8):
    1. Positive culture of compliance
    2. Stature, independence, and authority
    3. Knowledgeable compliance officer
    4. Trust but verify - the org must know if it is in/out of compliance
    5. Fixing things that go wrong
    6. Managing change
    7. Showing your work
    8. Working well with others
  Use:
    - DOJ guidance and the U.S. Sentencing Guidelines
    - Yates Memo
    - CSR case studies
    - Enron discussion
    - Siemens
    - Podcasts

How to write
  - Synthesize reading and lecture material
  - Clear, compact, and accessible way
  - Draw on real-life examples
  - Make the business case
  - Demonstrate conviction and vision
  - Write something beautiful (prof wants to "feel wowed")