In this special five-part podcast series, I have been joined by Mikhail Reider-Gordon, Managing Director of Global Affairs at Affiliated Monitors, Inc. (AMI) the sponsor of this podcast series. We have discussed various aspects of monitorships, including why independence matters, the American Bar Association’s (ABA) Guidelines on Monitors, Gordon’s professorial career at the International Anti-Corruption Academy, cultural differences between international and US domestic monitorships. and the continuing evolution in monitorships. Today, in this concluding Part 5, we consider the continuing evolution in monitorships.
Just as compliance programs and the role of the Chief Compliance Officer (CCO) have evolved, the situations involving a monitor have evolved. We began with a consideration of some of Gordon’s thoughts about how the intersection of law and technology, including privacy, data management and data bias are really driving the conversation with clients around oversight and monitorships. Gordon began with the trend and growth in monitoring entities that have violated data privacy laws. Interestingly, this can come not from any overt or even poor decision on a company’s part or action. It could be from a data breach or it could be they misuse data. Gordon pointed to misuse such as Facebook, under evolving privacy laws. Here Gordon related that “Companies are a little on the back foot.”
The reality is that the modern corporation, profit or non-profit turns on information and, from Gordon’s perspective, “a lot of entities have really not fully incorporated that into their overall compliance program structure. Monitors now are addressing both directly monitoring how an entity is handling their data, are well they are complying either with privacy laws or data security standard; as well as in other forms of monitorship where it is data intensive. There may be a personal identifying information or sensitive corporate information, sensitive IP and trade secrets. All that needs to be considered when monitors are working a company on a monitorship.”
The evolution of monitorships has also occurred around timing. Originally, monitors were brought in at the conclusion of an enforcement action. Now monitors are often brought in during and even before an enforcement action begins on a pro-active basis, to get out ahead of the problem. This can be to see if an issue exists or to remediate the issue before the conclusion of an enforcement action. If it is the former situation, it can help to prevent an enforcement action from even getting off the ground. If the enforcement action has already begun, the pro-active approach can help a company garner a declination or if one cannot be obtained prevent a multi-year, post-settlement monitorship from being mandated.
Gordon noted that through a pro-active monitorship, a company is “demonstrating to the regulator the seriousness. The company is demonstrating that they take this matter seriously, through this preemptive action. It is evidence there is genuine desire to comply with the letter and spirit of law. This means it can have real impact. This can lead regulators to conclude that the company is taking this matter seriously. This can lead regulators to basically conclude that all the resolution agreement needs to provide is to check their homework.”
It is this pro-active approach that allows a company to get out in front of things before a problem gets to a crisis point. Gordon noted, “we operate in a data-driven economy. There are new data privacy and security requirements and challenges up ahead. As a CCO, you may not be quite certain where that fit in to your overall compliance program. You anticipate one breach and you will suddenly find yourself in front of the FTC. That is the perfect opportunity to say maybe a proactive monitor coming in and helping us get a handle on how we ought to be addressing these risks on these problems before the crisis point.”
Gordan believes that such an approach not only has significant operational value but it can put an organization on the right footing with the regulators as it sets the right tone. But even more than simply the regulators (as important as they may be) are other internal and external stakeholders. Using such a pro-active approach, to find out where the vulnerabilities and threats are then reduce them; it leads all such stakeholder to feel like there is a plan for dealing with these ever-evolving laws and social expectations which could impact risk. Gordon concluded with “and that’s invaluable” for any business.