The Astros continue their inexorable march back to the World Series (Take It Back) as the Red Sox hover at .500. Never one to gloat, Tom takes a break to join Jay to discuss both events and some of this week’s top compliance and ethics stories that caught their collective eyes.

  1. Uber stumbles in its IPO. What role did its culture and its lack of compliance and ethics play? The New York Times Dealbook explores in depth.
  2. Belying those who advocate a paper-program compliance defense, DOJ/SEC require compliance programs that actually work. Matt Kelly in Navex’s Ethics and Compliance Matters.
  3. What is up with Ephemeral Messaging for Businesses? Avi Gessner, Daniel Foerster and Mengyi Xu consider in NYU’s Compliance and Enforcement Blog.
  4. What criteria should be used to make reparations to victims of corruption? Sam Hickey explores in Global Anti-Corruption Blog.
  5. Hong Kong criminally indicts ex-JP Morgan banker in Princeling case. Harry Cassin reports in the FCPA Blog.
  6. FCPA Unit head Dan Kahn discusses evolution in FCPA enforcement. Clara Hudson reports in GIR (sub req’d).
  7. Mongolia exiled McKinsey. Ian McDougall reports in ProPublica.
  8. Federal judge lambastes SEC for filing on VW nearly 4 years after emissions-testing scandal erupted. David Shepardson reports in the NYT.
  9. What is the fraud risk for non-profits? Jonathan Marks considers in Board and Fraud.
  10. Last week, Tom had a special 5-part podcast series with Don Stern, Managing Director at AMI, on Use of Monitors by Defense Counsel. Check out the following: Part 1, Introduction; Part 2, the Nuts and Bolts; Part 3, Case Studies; Part 4, in the Health Care industry; Part 5, Non-Profits and Varsity Blues. The podcast is available on multiple sites: the FCPA Compliance Report, iTunes, JDSupra, Megaphone, YouTube, Spotify, Corporate Compliance Insights and the Compliance Podcast Network.
  11. Join Tom at Compliance Week 2019. It is one of the top compliance and ethics conferences of the year. This year, Tom is joined by Jonathan Marks in leading a pre-conference workshop on Sunday afternoon about handling internal investigations and performing a root cause analysis. Monday will include a keynote address from the always popular Hui Chen, and Tuesday a keynote from Preet Bharara. To review the full agenda, see who is speaking or review the registration information, click on the appropriate link. Best of all, if you have read this blog, you are eligible for a discount on the conference cost. Enter code “TOM300” at checkout to save $300 on your registration.

Tom Fox is the Compliance Evangelist and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

I recently had the chance to visit with Travis Miller, General Counsel (GC), and we discussed how the regulatory requirements of the Federal Acquisition Regulations (FARs) impact access to markets and supply chain compliance. Flow downs are one of the things that bedevil compliance practitioners in many disciplines, including supply chain compliance. The most basic question is how far down must you go? FARs compliance is certainly becoming more challenging, but Miller sees government contracting and FARs requirements becoming more challenging still. These changes go beyond simple contractual requirements and have moved towards more programmatic requirements on prime contractors. The flow downs make it “equally important on the subs who are servicing them to make sure that they have all the materials and fully secure supply chains in a way that we’ve never really seen come out of any procurement entity, let alone the US government.”

These programmatic changes span a wide variety of areas, including the various modern slavery acts, counterfeiting issues, anti-money laundering (AML), cybersecurity, data privacy demands and, of course, anti-corruption compliance. Some of these are moral and human rights issues, such as the modern slavery initiatives, but others are more national security focused, such as the desire to protect US intellectual property (IP) rights. These are most sensitive around military security, such as jets, weapons and similar types of products, but they can extend out to oil and gas producing technology. The flow downs are critical because this is where many foreign actors will try to penetrate companies that have lesser cybersecurity protections in place.

One need only consider the Target Corporation data security breach to see how this can play out in the real world. Target was hacked through an HVAC vendor. The resulting fallout caused massive losses of data and massive costs to Target. It also massively disrupted the lives of Target customers.

Yet Miller believes that supply chain compliance can respond to these changing government requirements and, when properly executed, can provide a business differentiator to a company. The key is how you enter the relationship with your flow downs. It all begins with a risk assessment to understand where your organization may be vulnerable. From there, move to robust due diligence on your third parties. Here, you may want to take more time evaluating your counterparties, third parties, subcontractors, or even those you are doing business with as customers, so that when the time comes and the ink is on the contract, you can move quickly. In the supply chain, the ability to move quickly and to respond quickly is a critical element not only for those down your supply chain, but for the lead company itself.

Miller emphasized, “I always talk to all of my clients, both internal and external, that in relation to government contracting, it is a different business. Even if you are producing exactly the same product, it is a different business and should be treated as such. The type of programs you put into place, the way that you manage it, the way that you cost something, the type of employees that you handle top to bottom. It’s just an entirely different business. If you treat all your flow downs the same, I guarantee you’re going to find yourself in a bad place, on the wrong side of an enforcement action, because the rules of the game are just so different.”

All of these challenges also create a barrier to market entry and market access. Miller noted that on the one hand, “it means there is a whole lot of work to do if you want to try to sell into or work in that particular market.” However, “the flip side to that is if your organization has established a supply chain compliance program, it’s an awfully sweet spot to be in because your competitors have a whole lot of work to be able to do the same thing that your company is already doing.” This means the more you can institutionalize your compliance programs, the more nimble and agile your company will be in responding to a variety of situations.

As a lead organization, you do not want to be purchasing programs, a bunch of counterfeit goods or devices which fail. Miller said that this “causes consumer distress.” You do not want to allow people to peer into your data and to steal your technology or your IP, as that is “foundationally a bad thing.” This is why robust compliance is going to make you a better company. Miller concluded by noting, “being able to institutionalize the compliance programs that make sense across the company is great. Then being able to go a little further, either in a subsidiary, a standalone entity, or in a specific business unit or function that can handle those additional pressures and requirements is what I really see as a best practice and what I would advocate for most.”

You can check out more about Assent Compliance Inc. at their website, by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2019

In this podcast, data privacy/data security expert Jonathan Armstrong and Compliance Evangelist Tom Fox use the framework of GDPR to discuss a wide range of issues relating to these topics. They consider what the US compliance and InfoSec expert needs to know about what is happening in the UK, Europe and beyond. In this episode, I visit with Jonathan Armstrong about a recent enforcement action against Bounty UK Ltd. by the UK data protection regulator. Some of the issues and highlights are:
  1. The enforcement action came out of the Facebook/Cambridge Analytica investigation.
  2. Déjà vu all over again?
  3. Why did the company receive 80% of the highest possible fine?
  4. How does this case mimic the Emma’s Diary enforcement action?
  5. What are the lessons to be learned?
For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR compliance, by clicking here.

Next week, in a five-part podcast series sponsored by Assent Compliance Inc. (Assent), I explore market access for the supply chain. During the course of this series, I visit with several members of the Assent team to introduce the topic, consider what market access is, provide an overview of trade compliance, Federal Acquisition Regulation (FAR) flow downs, the value of continuous monitoring and the origins of laws impacting market access. I had the chance to discuss continuous monitoring in the supply chain with Jared Connors, Subject Matter Expert in Corporate Social Responsibility (CSR). It turns out that continuous monitoring is a key tool for maintaining market access.

Connors began with questionnaires, which he believes have gotten a bad name and have even been called “a four-letter word” in supply chain compliance. Typically, it begins with a company conducting an outreach campaign to collect self-declarations from suppliers to better understand their internal practices and their potential impact for risk assessment. How should a company think through using adverse media to monitor and evaluate a supplier today?

Connors said the three most common criticisms he has found are that (1) “questionnaires often get a bad name because of the way they might be administered or how they ask questions because they might not be necessarily getting at the right drivers to understand the internal management procedures and policies of an organization.” This initial criticism is then (2) compounded, as often “a company will not understand the value of the information received from those questionnaires, and this comes when questionnaires are not written very effectively.” A final criticism (3) is frequency. Simply put, companies are not monitoring their suppliers on a regular basis.

Connors said one of the answers for organizations is to move toward continuous monitoring: “what companies can do is they can be informed of public information against supplier behavior, whether it be directly covering things within the questionnaire or looking at the supplier as a whole by openly reviewing public record sources on the supplier. To see what’s coming out against them, whether it be a credible blog source or an actual media outlet or an NGO report.”

We then turned to some of the information which Connors believes a company can or should screen for in this monitoring process. Connors began by noting that CSR, sustainability or Environmental, Social and Governance (ESG) “cover a lot of areas. Yet the three main focus areas of CSR and ESG are on economic, environmental and social issues.” Connors believes this means you need to “understand the economic viability of your supplier and how they are impacting their local community.” This would include financial insolvency issues, social issues and labor rights. Under environmental issues, “your organization would need to understand how they are impacting the environment or how their products are viewed also as impacting the environment.” This can be the physical pollution of a river or the makeup of a product such as a battery.

This list of issues makes clear that when you are screening your suppliers, you need to look at a wide variety of risk classifications. Your organization could use a questionnaire and “take those risk categories and turn them into public record reviews for those suppliers.” This could be one way to gain insight into supplier ethics and business behavior. You could also take another approach where you review social media and then see what risk categories might pop up. With the machine learning of an AI-based adverse media program this could allow you to expand the way you review your supply chain.

Connors turned to a couple of examples. The first was around conflict minerals or responsible minerals. Many companies have been reporting on this for several years and collecting data on upstream suppliers such as smelters or refiners. Yet Connors said that your organization might be six to eight layers removed from those levels, so gathering information on your downstream suppliers has become more of the norm now. Yet without continuous monitoring your organization might miss Office of Foreign Assets Control (OFAC) announcements adding persons or entities to its sanctions list. If such a person or entity had supplied component parts for one of your products and you continued to use that product, you could be in violation of the law.

The second area was in reviewing social media to ascertain if a supplier had complied with the substantive aspects of modern slavery legislation. Connors stated, “You can search a supplier about your expectations as laid out in your Supplier Code of Conduct around recruiting fees, overtime hours, expectations, forced and bonded labor. From there move to use terminology that should be contained within the policy and terminology that may be picked up by a reporter, an NGO may be evaluating labor practices internally. By utilizing the language that is consistent with industry standards, you will have better results searching for supplier behavior because there’s a lot more out there on even some very small companies.”

It turns out continuous monitoring in the supply chain is critical for numerous reasons. Of course, legal and regulatory concerns are always at the forefront. But with the ongoing trade disruptions led by the Trump Administration, you need such continuous monitoring to maintain market access.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Join Michael Volkov and myself on Friday, May 17 for a nuts and bolts session on how to structure this important component of any best practices compliance department. The webinar is hosted by Hanzo. In this webinar you will learn:

1) Why the intake of a hotline report is a critical start of your investigation protocol.

2) How to effectively set up a triage program for all internal and external reporting.

3) The different levels of investigations you should set up.

4) What type of report you should issue.

5) How and why you should protect the privilege.

The time of the webinar is 2 PM EDT. Registration and additional information are available here. Best of all, it’s FREE.
