In this episode Compliance Week Editor in Chief Bill Coffin discusses the upcoming Compliance Week 2017 Conference, May 22-24, 2017 in Washington DC. Coffin highlights the keynote speakers and some of the other key topics for the event. He discusses how Compliance Week is an entire experience for attendees, exhibitors, speakers and guests. Best of all, listeners to this podcast can receive a discount to this year’s event. Go to registration and enter discount code CW17TOMFOX.

Today we honor folk-rocker Donovan and his signature song Sunshine Superman, which was profiled in the Wall Street Journal (WSJ) column Anatomy of a Song. The song was a love paean by the singer to Linda Lawrence, his love interest; “the song was recorded in December 1965 and released in July ’66, climbing to #1 in September.” When she first heard the song, while living in Los Angeles, she “was home with my best friend Cathy when ‘Sunshine Superman’ came on the radio. At the end, Cathy just looked at me, ‘Oh my God,’ she said, ‘he still loves you.’” The fairy tale came true in 1971 when they were married.

Yet it was not the romantic angle on the song that intrigued me but the production. Donovan had written it for an acoustic guitar. His producer wanted a more mystic feel, so he brought in “Tony Carr’s conga, Spike on acoustic bass and John Paul Jones on electric bass.” Even more amazingly, he added a Jimmy Page electric guitar solo later, so, as Donovan noted, he had one-half of Led Zeppelin on his song. It was this interconnectedness in the song’s production which caught my eye and introduces today’s look at the Wells Fargo Independent Directors of the Board of Wells Fargo & Company Sales Practices Investigation Report issued Monday. As I noted yesterday, there are multiple lessons to be garnered by the compliance practitioner from this matter. Today I want to turn to the corporate disciplines of Human Resources (HR), Internal Investigations and Audit as control function failures. I will save my special wrath for the law department and corporate risk management for Thursday.

Donovan’s Sunshine Superman leads as the demonstrative example of the interconnectedness of the Wells Fargo control failures. For the bank, it all started with the decentralized nature of the business units and the control functions which grew up to provide the support for them. The fraudulent conduct engaged in by Wells Fargo was euphemistically called “sales integrity” by the bank and that language was carried over into the investigative report. This decentralized nature did not allow HR to have visibility into the scope and nature of the fraud. This was despite the fact, “Almost all sales integrity cases and issues touched upon some facet of the HR function, including with respect to employee terminations, hiring, training, coaching, discipline, incentive compensation, performance management, turnover, morale, work environment, claims and litigations.” Yet, even within the HR function there was no effort to track or report on the fraud issues.

The second general issue was the deference given to the business units. Of course, the Community Bank unit was making tons of profit for the company but I am sure that had nothing to do with the fact the entire company seemed to employ an ostrich as its symbol. But it was even worse, as the Report noted, “This culture of deference was particularly powerful in this instance since Tolstedt was respected for her historical success at the Community Bank, was perceived to have strong support from the CEO and was notoriously resistant to outside intervention and oversight.”

Finally, there was the ‘transactional’ approach to each issue around the fraud. Every control function managed to focus “on the specific employee complaint or individual lawsuit that was before them, missing opportunities to put them together in a way that might have revealed sales practice problems to be more significant and systemic than was appreciated.” The Report specified that HR had all the relevant information but failed to connect the dots. More pointedly, you cannot connect the dots if you are not looking to do so.

The problem at HR was two-fold. The first was that corporate HR had no oversight into problems of sales fraud because it had no oversight into the business unit. The Report stated that Community Bank “was not accustomed to involving Corporate HR in its discussions and decisions and was generally protective and defensive in keeping control of HR-related activities within the line of business.” The business unit controlled or cowed the Community Bank HR, even though the business unit HR was well aware of the sales fraud issues, from as far back as 2002 and “participated in efforts to stem the sales practices.” Yet during this entire period they never had the authority or resolve to do anything.

Internal Investigations was also aware of the sales fraud, apparently as far back as 2002. At least Internal Audit (IA) was not cowed by its reporting to the business unit. IA reported to various corporate functions including Audit, corporate HR and corporate Risk. Rather amazingly, in 2004, “Internal Investigations was involved in the work of a sales integrity investigations task force, which also included representatives of Community Bank HR, Community Bank management and the Law Department.” Internal Investigations termed the fraudulent sales practices “gaming” and prepared a report around its findings. The Internal Investigations report pointed to unrealistic sales goals and that employees felt they could not meet the goals without gaming the system. Presciently, the report “warned of the reputational risks for Wells Fargo, specifically, ‘[i]f customers believe that Wells Fargo team members are not conducting business in an appropriate and ethical manner, it will result in loss of business and can lead to diminished reputation in the community.’” Recall this Internal Investigations report was issued in 2004.

The report also specified there was an “incentive to cheat based on the fear of losing their jobs for not meeting performance expectations.” Internal Investigations also identified another data point which was disregarded. Demonstrating how the bank viewed terminated and departed employees, the company actively fought ex-employee attempts to obtain State of California unemployment benefits. The Internal Investigations report stated, “Wells Fargo had been losing unemployment insurance cases involving sales integrity terminations, in which judges ‘made disparaging comments’ about the sales incentive system.” Finally, the report even benchmarked competitors which “significantly reduced their sales incentive employee terminations after revising their sales incentive programs.” The report ended by recommending “that Wells Fargo consider similarly reducing or eliminating sales goals for employees and removing the threat of employee termination if goals were not met.”

Internal Investigations did not fail as a control but when their report was forwarded to the then head of the unit, the Chief Auditor, he buried it. While he did report raw numbers to more senior management, he did not include any information on the root cause of the problem. Think about this final point in the context of the Department of Justice’s (DOJ) recently released Evaluation of Corporate Compliance Programs and its emphasis on root cause analyses.

IA comes in for discussion as this corporate function was (1) well aware of the problem, (2) did not believe it to be “an urgent problem” requiring IA to do anything, and most amazingly (3) thought the internal controls in place were working as they were turning up problems which were not the problem of IA to address. IA viewed controls as detect only, not to prevent or provide data to remediate.

The Report stated, “Audit witnesses also said that, as the third line of defense, Audit’s job was to ensure that the control environment established by the first (business) and second (Risk) lines of defense was appropriate. Audit personnel indicated that their focus was on testing the operation of specific processes and the processes’ effectiveness at managing the risks they were designed to control, but that they did not generally investigate root causes of risks; according to the witnesses, that task rests with the business, which they said has greater familiarity with the risk environment, better access to operational data and both proximity to and responsibility for its employees’ actions.”

If it seems like the inmates were running the asylum, remember those folks over in the Community Bank business unit were making money hand over fist for the bank. But the Report also demonstrates the interconnectedness of not only the sales fraud but actual knowledge of it by multiple corporate functions within Wells Fargo. As none of these functions took responsibility for doing anything, it appears the true culture of the bank was NMP, as in Not My Problem.

To listen to a YouTube version of Donovan singing Sunshine Superman, click here.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

In this episode I visit with Brandon Essig, a former DOJ prosecutor who was at the Department when the Yates Memo was released. He discusses the impact of the Yates Memo inside the DOJ and the triage that prosecutors use on cases in response. For Brandon’s blog post on the topic on LinkedIn, click here.

The state of New York’s Department of Financial Services (DFS) issued the first state-level regulations on cybersecurity for financial institutions with its Cybersecurity Requirements for Financial Services Companies release, which became effective March 1, 2017. The Press Release, issued contemporaneously with the regulations, states they were designed to protect the “financial services industry and consumers from the ever-growing threat of cyber-attacks”; further, “The final regulation requires banks, insurance companies, and other financial services institutions regulated by the Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers’ private data and ensure the safety and soundness of New York’s financial services industry.”

The regulation includes certain regulatory minimum standards while encouraging firms to keep pace with technological advances. Companies have a sliding scale of time to fully comply with the new regulation, from as little as 18 months to up to two years for some requirements. The new regulation provides important protections to prevent and avoid cyber breaches, including:

  • Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization;
  • Risk-based minimum standards for technology systems including access controls, data protection including encryption, and penetration testing;
  • Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events; and
  • Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.

While the regulation is obviously geared towards financial services firms, there were several points that any non-financial services compliance practitioner should consider. The overall cybersecurity program should be designed to meet four goals: “(a) detect Cybersecurity Events; (b) respond to identified or detected Cybersecurity Events to mitigate any negative effects; (c) recover from Cybersecurity Events and restore normal operations and services; and (d) fulfill applicable regulatory reporting obligations.”

There should be a written policy, approved by the entity’s Board of Directors, for cybersecurity. It must be based on a risk assessment, taking the following factors into consideration: “(a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental controls; (k) customer data privacy; (l) vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response.”

The regulation requires the creation of a Chief Information Security Officer (CISO) position, who reports to the Board of Directors. There must be a corresponding Board-level reporting outlet for the CISO. Interestingly, the CISO is required to report, in writing, no less than annually to the Board on the following topics: (1) the confidentiality, integrity and security of the information systems; (2) the cybersecurity policies and procedures; (3) material cybersecurity risks; (4) overall effectiveness of the cybersecurity program; and (5) any material cybersecurity events. The CISO and the cyber compliance team must all show proficiency in the discipline and keep abreast of cybersecurity developments.

For ongoing monitoring, there must be annual penetration testing and biennial vulnerability assessments. Finally, there must be annual risk assessments designed to test: (1) identified cybersecurity risks or threats; (2) criteria for the assessment of the confidentiality, integrity, security, availability and adequacy of existing controls in the context of identified risks; and (3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.

If the financial services company allows a third-party service provider to have access to or hold its data, it must perform an evaluation of that third party in the following areas: (1) identification and risk assessment of the third party; (2) minimum cybersecurity practices required to be met by the third party in order for it to do business; (3) due diligence processes used to evaluate the adequacy of the third party’s cybersecurity practices; and (4) periodic assessment of the third party based on the risk it presents and the continued adequacy of its cybersecurity practices. There is also a training and ongoing monitoring requirement for company employees.

All of the above should sound quite familiar to any anti-corruption compliance professional. Yet this DFS regulation should also be studied as a roadmap for the inevitable cybersecurity and InfoSec compliance which is just down the road for non-financial services industries. The third-party providers are particularly critical, as many major data breaches occurred through connected third parties. One need only think of the Target data breach or the looting of the Central Bank of Bangladesh through the New York Federal Reserve Bank.

This risk should be addressed through the following process. Start with determining the segment involved by questioning business units about the type and criticality of third-party services. Then triage due diligence based on risk tiers. Next, determine the scope by assigning relevant controls based on the data and systems touched by each vendor and calculate the inherent risk of each relationship. From there, collect vendor questionnaire responses and supporting documentation, as well as vendor system security intelligence, as evidence for the assessment of control effectiveness. Following this, assess where you are through review of the collected information to confirm the required controls are in place and evaluate the design and operational effectiveness of each control. Remediate by making the needed changes, track your progress and report on the residual risk and remediation to support the stakeholders responsible for risk acceptance. On an ongoing basis, monitor controls, risk factors and Service Level Agreements (SLAs) and alert when remediation, re-segmentation or assessment refreshes are needed.

InfoSec and cybersecurity issues are becoming paramount and a higher level of risk for every corporation. If you hold information and data, your company is at risk. The financial and reputational cost can be huge. Now a breach could also carry a regulatory cost. It would be better if you got ahead of this issue rather than chasing from behind to catch up after a breach.


The stench of corruption continues to bedevil Brazil, even as the clean-up initiated with Operation Car Wash is ongoing. This time, allegations of bribery and corruption have reached one of Brazil’s most prestigious exports, its beef. Two of Brazil’s biggest beef producers are mired in a scandal where they are alleged to have paid bribes to meat inspectors who would sign off on health certificates for beef export.

A Financial Times article by Joe Leahy, entitled “Meat scandal intensifies the corporate stink in Brazil”, states the scandal began “When Flavio Evers Cassou, an employee of the world’s biggest meatpacker, JBS, dropped off a large cooler of meat at a friend’s home last year in southern Brazil, he could not have foreseen the crisis of confidence it would cause in the industry and the country’s wider corporate sector. The friend in question happened to be Maria do Rocio Nascimento, the chief inspector of products of animal origin in Paraná. And the meat, delivered together with some cash, was allegedly a bribe for signing off on health certificates for JBS products, according to a court order detailing the deal. Unbeknown to the pair, federal police officers were secretly filming the drop-off and wiretapping conversations between them and scores of other suspects.”

In addition to obtaining fraudulent health certificates for tainted food, “it is alleged that the officials turned a blind eye while lesser known producers converted putrefied meat into mortadella or illegally ground pig heads into sausages. China, Hong Kong, Japan, the EU, Canada, Egypt and Chile have announced full or partial suspensions of imports of Brazilian meat as a result.” Further, similar allegations have been brought against Brazil’s largest poultry exporter BRF. Both companies say they are cooperating with prosecutors but “vehemently denied the more extravagant allegations, such as that they sold rotten meat or products infected with salmonella bacteria.”

Meat and poultry exports make up almost 1% of the country’s GNP, amounting to approximately $12.6bn. Arnaldo Francisco Cardoso, professor of foreign commerce at Mackenzie Presbyterian University in São Paulo, was quoted in the piece, “The cases show very clearly the promiscuous relations between the private sector, public sector employees and the state.” After the Petrobras investigation and the Odebrecht prosecutions, one might think businesses in Brazil would wake up to the new reality that the old way of doing business is long since passed.

This large national industry is now under intense scrutiny for these and other actions. In addition to the above allegations, in “one conversation secretly taped by police, two owners at a smaller meatpacker allegedly discuss illegally putting 2,000 kilogrammes of pigs’ heads into sausage mix.

“It’s prohibited to use meat from the head in sausage,” acknowledged one. “Yes, but it would be only 2,000 kilos to complete the cargo,” said the other, according to the court order. The same company, Peccin, was also alleged to have covered up the smell of rotten meat by adding excess amounts of acid, the court order alleges. Peccin has denied wrongdoing.”

All of these claims have tainted the entire industry. One commentator, Sérgio de Zen, a researcher into the cattle industry at Brazil’s center of advanced studies in applied economics, said “This issue needs to be resolved fast. China, for example, is a huge importer of Brazilian beef. We cannot replace such a market overnight.” Yet, Leahy noted, “The reputational damage to the industry will linger. Brazilian social media was rife with jokes parodying the scandal, with pictures of toilet rolls being prepared for a barbecue in reference to a police comment that cardboard had made its way into processed meat — a point later disputed by agriculture ministry officials.”

As if all of the above were not bad enough, the poultry exporter BRF, although located in Brazil, has American Depositary Receipts (ADRs) listed in New York. This makes the company subject to the Foreign Corrupt Practices Act (FCPA). While the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) might be willing to allow Brazilian prosecutors to take the lead in this matter, one might well assume that if tainted meat or poultry products, or even products which did not receive the legally required examinations, were at issue, US regulators would come down very hard on such companies.

These scandals also point toward the need for more robust compliance. Brazilian businesses are beginning to see the advantage of actually doing compliance. Rogerio Jelmayer and Samantha Pearson, reporting in a Wall Street Journal (WSJ) article entitled “Brazil Corruption Scandal Has Companies Rushing to Bulk Up Compliance Ranks”, noted that companies in Brazil are taking this approach in response to the country’s more aggressive enforcement against endemic corruption in commercial businesses. This is partly in response to the allegations and investigations brought forward by Operation Car Wash and the attendant Odebrecht anti-corruption enforcement action. Jorge Abrahão, president of Brazil’s Ethos Institute, a corporate social responsibility organization, said “We are witnessing a big change in Brazil—there is an understanding in society now that whoever doesn’t take the issues of corruption and transparency seriously will not have a place in the market in the future.”

There has been a large rise in the hiring of corporate compliance specialists and Chief Compliance Officers (CCOs) and in the creation of corporate compliance programs. Moreover, companies are now requiring that those entities that wish to do business with and through them have functioning compliance programs. Luís Fernando Martins, of Hays Brasil, “said the recruitment firm saw a rise of around 20-25% in demand for compliance professionals since last year.” Foreign companies operating in Brazil have also started taking compliance issues more seriously after these events and in response to Brazilian companies’ demand for greater compliance.

Yet the Brazilian meat packing industry does not seem to understand the new paradigm. Leahy ended his piece with the following, “Mr Cassou, the employee of JBS’ Seara, captured the mood in a post on his Facebook page before his arrest. He noted that “ethics is what you do when the whole world is watching. What you do when no one is looking is what is called character”. By his own measure, he and at least part of the industry have a lot of character building to do.”
