I am excited to announce at Compliance Week 2017 the publication of my latest book 2016-The Year in Corporate FCPA Enforcement: Cardinal and Provident, published by Compliance Week. In it I take a look the most prolific year in FCPA enforcement and what it means for the compliance practitioner.

We have never seen and may well never see again a year of FCPA corporate enforcements as we did in 2016. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) combined twenty-seven corporate enforcement actions and nearly $2.48bn in total fines and penalties, the highest since the statute’s enactment in 1977. The vast majority of that amount, some 90 percent, was generated by a few very large and significant FCPA enforcement actions involving the following entities: VimpelCom, Och-Ziff, Embraer, JPMorgan, Odebrecht/Braskem, and Teva. While these cases all involved substantial, company-wide bribery schemes, which led to their massive penalties, the majority of 2016’s FCPA enforcement actions involved relatively small-to-medium-sized penalties which involved less systemic, routine bribery schemes. Yet these smaller cases usually provided some of the most interesting fact patterns, which can be studied by chief compliance officers (CCOs) and compliance professionals to help prevent and detect bribery in their organizations.

What do these enforcement actions signify? More importantly what are the lessons to be drawn from these cases for compliance going forward? What about the FCPA Pilot Program, what does it portend for the future. Finally I consider the public comments of the regulators around FCPA enforcement and compliance. You can parse the facts and figures but if you want to understand what 2016 means going forward for the compliance profession, this is the book for you. If you are a compliance professional, this is the single must have  book around the the most prolific year in FCPA enforcement history.

You can purchase of copy of the book, from Compliance Week by clicking here.

If you are attending Compliance Week 2017, drop by the Compliance Week booth for an autographed copy!

 

 

In this episode Compliance Week Editor in Chief Bill Coffin discusses the upcoming Compliance Week 2017 Conference May 22-24, 2017 in Washington DC. Coffin highlights the key note speakers and some of the other key topics for the event. He discusses how Compliance Week is an entire experience for attendees, exhibitors, speakers and guests. Best of all, listeners to this podcast can receive a discount to this year’s event. Go to registration and enter discount code CW17TOMFOX.

Today we honor folk-rocker Donovan and his signature song Sunshine Superman, which was profiled in the Wall Street Journal (WSJ) column Anatomy of a Song. The song was a love paean by the singer to “Linda Lawrence, his love interest, the song was recorded in December 1965 and released in July ’66, climbing to #1 in September.” When she first heard the song, while living in Los Angeles she “was home with my best friend Cathy when “Sunshine Superman” came on the radio. At the end, Cathy just looked at me, “Oh my God,” she said, “he still loves you.”” The fairy tale came true in 1971 when they were married.

Yet it was not the romantic angle on the song that intrigued me but the production. Donovan had written it for an acoustic guitar. His producer wanted a more mystic feel so he brought in “Tony Carr’s conga, Spike on acoustic bass and John Paul Jones on electric bass.” Even more amazingly he added a Jimmy Page electric guitar solo later so as Donovan noted, he had one-half of Led Zepplin on his song. It was this interconnectedness in the song’s production which caught my eye and introduces today’s look at the Wells Fargo Independent Directors of the Board of Wells Fargo & Company Sales Practices Investigation Report issued Monday. As I noted yesterday, there are multiple lessons to be garnered by the compliance practitioner from this matter. Today I want to turn to the corporate disciplines of Human Resources (HR), Internal Investigations and Audit as control function failures. I will save my special wrath for the law department and corporate risk management for Thursday.

Donovan’s Sunshine Superman leads as the demonstrative example of the interconnectedness of the Wells Fargo control failures. For the bank, it all started with the decentralized nature of the business units and the control functions which grew up to provide the support for them. The fraudulent conduct engaged in by Wells Fargo was euphemistically called “sales integrity” by the bank and that language was carried over into the investigative report. This decentralized nature did not allow HR to have visibility into the scope and nature of the fraud. This was despite the fact, “Almost all sales integrity cases and issues touched upon some facet of the HR function, including with respect to employee terminations, hiring, training, coaching, discipline, incentive compensation, performance management, turnover, morale, work environment, claims and litigations.” Yet, even within the HR function there was no effort to track or report on the fraud issues.

The second general issue was the deference given to the business units. Of course, the Community Bank unit was making tons of profit for the company but I am sure that had nothing to do with the fact the entire company seemed to employ an ostrich as its symbol. But it was even worse, as the Report noted, “This culture of deference was particularly powerful in this instance since Tolstedt was respected for her historical success at the Community Bank, was perceived to have strong support from the CEO and was notoriously resistant to outside intervention and oversight.”

Finally, was the ‘transactional’ approach to each issue around the fraud. Every control function managed to focus “on the specific employee complaint or individual lawsuit that was before them, missing opportunities to put them together in a way that might have revealed sales practice problems to be more significant and systemic than was appreciated.” The Report specified that HR had all the relevant information but failed to connect the dots. More pointedly, you cannot connect the dots if you are not looking to do so.

The problem at HR was two-fold. The first was that corporate HR had no oversight into problems of sales fraud because it had no oversight into the business unit. The Report stated that Community Bank “was not accustomed to involving Corporate HR in its discussions and decisions and was generally protective and defensive in keeping control of HR-related activities within the line of business.” The business unit controlled or cowed the Community Bank HR, even though the business unit HR was well aware of the sales fraud issues, from as far back as 2002 and “participated in efforts to stem the sales practices.” Yet during this entire period they never had the authority or resolve to do anything.

Internal Investigations was also aware of the sales fraud, apparently as far back as 2002. At least Internal Audit (IA) was not cowed by its reporting to the business unit. IA reported to various corporate functions including Audit, corporate HR and corporate Risk. Rather amazingly in 2004, “Internal Investigations was involved in the work of a sales integrity investigations task force, which also included representatives of Community Bank HR, Community Bank management and the Law

Department.” Internal Investigations called termed the fraudulent sales practices “gaming” and they prepared a report around their findings. The Internal Investigations report pointed to unrealistic sales goals and that employees felt they could not meet the goals without gaming the system. Presciently, the report “warned of the reputational risks for Wells Fargo, specifically, “[i]f customers believe that Wells Fargo team members are not conducting business in an appropriate and ethical manner, it will result in loss of business and can lead to diminished reputation in the community.”” Recall this Internal Investigations report was issued in 2004.

The report also specified there was an “incentive to cheat based on the fear of losing their jobs for not meeting performance expectations.” Internal Investigations also identified another data point which was disregarding. Demonstrating how the bank viewed terminated and departed employees, the company actively fought ex-employee attempts to obtain state of California employment benefits. The Internal Investigations report stated, “Wells Fargo had been losing unemployment insurance cases involving sales integrity terminations, in which judges “made disparaging comments” about the sales incentive system.” Finally, the report even benchmarked competitors which “significantly reduced their sales incentive employee terminations after revising their sales incentive programs.” The report ended by recommending “that Wells Fargo consider similarly reducing or eliminating sales goals for employees and removing the threat of employee termination if goals were not met.”

Internal Investigations did not fail as a control but when their report was forwarded to the then head of the unit, the Chief Auditor, he buried it. While he did report raw numbers to more senior management, he did not include any information on the root cause of the problem. Think about this final point in the context of the Department of Justice’s (DOJ) recently released Evaluation of Corporate Compliance Programs and its emphasis on root cause analyses.

IA comes in for discussion as this corporate function was (1) well aware of the problem, (2) did not believe it to be “an urgent problem” requiring IA to do anything, and most amazingly (3) thought the internal controls in place were working as they were turning up problems which were not the problem of IA to address. IA viewed controls as detect only, not to prevent or provide data to remediate.

The Report stated, “Audit witnesses also said that, as the third line of defense, Audit’s job was to ensure that the control environment established by the first (business) and second (Risk) lines of defense was appropriate. Audit personnel indicated that their focus was on testing the operation of specific processes and the processes’ effectiveness at managing the risks they were designed to control, but that they did not generally investigate root causes of risks; according to the witnesses, that task rests with the business, which they said has greater familiarity with the risk environment, better access to operational data and both proximity to and responsibility for its employees’ actions.”

If it seems like the inmates were running the asylum, remember those folks over in the Community Bank business unit were making money hand over fist for the bank. But the Report also demonstrates the interconnectedness of not only the sales fraud but its actual knowledge by multiple corporate functions with Wells Fargo. As none of these functions took responsibility for doing anything it appears the true culture of the bank was NMP as in Not My Problem. 

To listen to a YouTube version of Donovan signing Sunshine Superman, click here.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

In this episode I visit with Brandon Essig, a former DOJ prosecutor when the Yates Memo was released. He discusses the impact of the Yates Memo inside the DOJ and the triage that prosecutors use on cases in response. For Brandon’s blog post on the topic on Linkedin, click here.

The state of New York’s Department of Financial Services (DFS) issued the first state-level regulations on cybersecurity for financial institutions with its Cybersecurity Requirements for Financial Services Companies release, which became effective March 1, 2017. The  Press Release, issued contemporaneously with the regulations, state they were designed to protect “financial services industry and consumers from the ever-growing threat of cyber-attacks”, further, “The final regulation requires banks, insurance companies, and other financial services institutions regulated by the Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers’ private data and ensure the safety and soundness of New York’s financial services industry.”

The regulation includes certain regulatory minimum standards while encouraging firms to keep pace with technological advances. Companies have a sliding scale of time to fully comply with the new regulation, from as little as 18 months to up to two years for some requirements. The new regulation provides important protections to prevent and avoid cyber breaches, including:

  • Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization;
  • Risk-based minimum standards for technology systems including access controls, data protection including encryption, and penetration testing;
  • Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events; and
  • Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.

While the regulation is obviously geared towards financial services firms, there were several points that any non-financial services compliance practitioner should consider. The overall cybersecurity program should be designed to meet four goals: “(a) detect Cybersecurity Events; (b) respond to identified or detected Cybersecurity Events to mitigate any negative effects; (c) recover from Cybersecurity Events and restore normal operations and services; and (d) fulfill applicable regulatory reporting obligations.”

There should be a written policy, approved by the entity’s Board of Directors, for cybersecurity. It must be based on a risk assessment, taking the following factors into consideration: “(a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental controls; (k) customer data privacy; (l) vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response.”

The regulation requires the creation of a Chief Information Security Officer (CISO) position, who reports to the Board of Directors. There must be corresponding Board level reporting outlet for the CISO. Interestingly, the CISO is required to report, in writing, no less than annually to the Board on the following topics: (1) the confidentiality and the integrity and security of the information systems; (2) the cybersecurity policies and procedures; (3) material cybersecurity risks; (4) overall effectiveness of the cybersecurity program; and (5) any material cybersecurity events. The CISO and the cyber compliance team must all show proficiency in the discipline and keep abreast of cybersecurity developments.

For ongoing monitoring, there must be annual penetration testing and biennial vulnerability assessments. Finally, there must be annual risk assessments designed to test: (1) identified cybersecurity risks or threats; (2) criteria for the assessment of the confidentiality, integrity, security, availability and adequacy of existing controls in the context of identified risks; and (3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.

If the financial services company allows a third-party service provider to have access to or hold its data, it must perform an evaluation of that third-party in the following areas: (1) identification and risk assessment of the third-party; (2) minimum cybersecurity practices required to be met by third-party in order for them to do business; (3) due diligence processes used to evaluate the adequacy of cybersecurity practices of third-party; and (4) periodic assessment of third-party based on the risk they present and the continued adequacy of their cybersecurity practices. There is also a training and ongoing monitoring requirement for company employees.

All of the above should sound quite familiar to any anti-corruption compliance professional. Yet this DFS regulation should also be studied as a roadmap for the inevitable cybersecurity and InfoSec compliance which is just down the road for non-financial services industries. The third-party providers are particularly critical as many major data breaches occurred through connected third parties. One need only think of the Target data breach to the looting of the Central Bank of Bangladesh through the New York Federal Reserve Bank.

This risk should be addressed through the following process. Start with determining the segment involved by questioning business units about type and criticality of third-party services. Then triage due diligence based on risk tiers. Next determine the scope by assigning relevant controls based on the data and systems touched by each vendor and calculate the inherent risk of each relationship. From there collect and gather vendor questionnaire responses and supporting documentation as well as vendor system security intelligence as evidence for the assessment of control effectiveness. Following this assess where you are through review of collected information to confirm the required controls are in place and evaluate the design and operational effectiveness of each control. Remediate by making the needed changes, track your progress and report on the residual risk and remediation to support stakeholders responsible for risk acceptance. On an ongoing basis monitor controls, risk factors and Service Level Agreements (SLAs) and alert when remediation, re-segmentation or assessment refreshes are needed.

InfoSec and cybersecurity issues are becoming more paramount and a higher level of risk for every corporation. If you hold information and data your company is at risk. The financial and reputational cost can be huge. Now a breach could be a regulatory cost. It would be better if you got ahead of this issue rather than chasing from behind to catch up after a breech.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017