Today, I consider Commissario Guido Brunetti, the lead character in Donna Leon’s murder-mystery series set in Venice. My wife and I took a tour of Brunetti’s Venice with Dr. Toni Sepeda, who leads the only Leon-authorized tour of the local areas where these great stories take place. Dr. Sepeda is a good friend of the author and intersperses her walking tours with incidents from various stories and quotations which bring to life the soul of the Commissario and the allure of this most beautiful and unique city. I highly recommend both Leon’s books and Dr. Sepeda’s tour.

I want to use a scene from the Brunetti adventure Death and Judgment, where Brunetti investigates a case involving sex trafficking. He determines the identity of the bad guy (or, more appropriately, bad girl) when she loses her glasses, which find their way to him. He recognizes that they are from Carroro eyewear. Signore Carroro keeps scrupulous records and is able to identify the owner, and this puts the good Commissario on the road to solving the case.


This leads into my continued exploration of the resolution by JP Morgan Chase (JPM) and its subsidiary, JPMorgan Securities (Asia Pacific) Limited (JPM-APAC), of its Foreign Corrupt Practices Act (FCPA) matter last week. In doing so, JPM secured a Non-Prosecution Agreement (NPA) from the Department of Justice (DOJ) with a penalty of $72MM, agreed to a Cease and Desist Order (Order) from the Securities and Exchange Commission (SEC), with a penalty consisting of profit disgorgement and interest of $135MM, and reached an agreement with the Federal Reserve Bank (Fed) for a Consent Cease and Desist Order (Fed Order) to put in place a best practices compliance program and pay a penalty of $61MM.

Today I will consider the superior result achieved by JPM in its FCPA resolution. Not only did it receive a 25% discount off the bottom of the US Sentencing Guidelines fine range, but it received an NPA rather than even a Deferred Prosecution Agreement (DPA), and no outside monitor was required of the company going forward. While some of this result is due to having excellent defense counsel, a large part is due to the cooperation by JPM and the remediation engaged in by the company.

While the fines and penalties are higher in this matter than in most cases resolved in 2016, the resolution follows the pattern laid out by the FCPA Pilot Program, announced by the DOJ back in April. To recap, a company can receive up to a 50% discount off the bottom end of the lowest range under the US Sentencing Guidelines if it (1) self-discloses to the DOJ, (2) provides significant cooperation with the government, (3) extensively remediates the underlying issues which led to the violation and (4) disgorges all profits from its ill-gotten gains. The NPA, Order and Fed Order all lay out how the penalties in this matter follow this framework, even though the case arose well before the implementation of the Pilot Program.

First and foremost, under this Pilot Program framework, the company did not self-disclose the matter to the DOJ or SEC. It was not stated in the NPA or Order how the matter came to the attention of US authorities. However, once the government’s investigation began the NPA noted “the Company received full credit for its… cooperation with the Offices’ investigation, including conducting a thorough internal investigation, making regular factual presentations to the Offices, voluntarily making foreign-based employees available for interviews in the United States, producing documents to the Offices from foreign countries in ways that did not implicate foreign data privacy laws, and collecting, analyzing, and organizing voluminous evidence and information for the Offices.” By the end of the investigation, the company had provided “all relevant facts known to it, including information about the individuals involved” to government authorities. These actions met Prong II of the FCPA Pilot Program.

One can only say that the company engaged in extensive remediation during the pendency of the investigation. According to the NPA the company took the following steps:

  • ended the employment relations with five employees who participated in the misconduct;
  • fired another employee “who failed to identify issues with referral hiring and failed to take appropriate steps to mitigate risks”;
  • disciplined an additional 23 “employees who failed to detect the misconduct, failed to supervise effectively those who were engaged in the misconduct, failed to take appropriate steps to mitigate corruption and compliance risks, and/or who were lower-level employees engaged in the misconduct at the direction of supervisors”;
  • “imposed more than $18.3 million in financial sanctions on former or current employees”;
  • conducted individualized training for remaining employees;
  • adopted “heightened controls related to their hiring programs, including standardizing hiring programs and requiring that every application for a hire be routed through a centralized human resources application process”;
  • more than doubled company resources devoted to compliance, particularly in the Asia-Pacific region; and
  • required improved FCPA training.

The SEC Order specifies additional remedial conduct engaged in by the company, more geared towards internal controls, specifically around HR and the role of compliance in high-risk hires. These remediation actions included:

  • Enhancing its anticorruption compliance program and hiring practices on a global basis, making changes to its Anti-Corruption Policy to further address the hiring of government officials’ relatives;

  • Requiring that every hire with the company, including Referral Hires, be routed through a centralized human resources application process;
  • Establishing a control function role for human resources with respect to hiring;
  • Requiring that the company’s anticorruption office review and approve each hire of a candidate referred by a client, potential client, or government official; and
  • Instituting procedures and practices for the monitoring and auditing of referral hiring.

Although not a part of the DOJ or SEC resolution, but certainly in concert with those two settlements, the Fed Order also made some interesting points about the company’s conduct going forward which certainly contributed to the favorable result achieved by JPM. There would be senior management oversight which would “ensure that senior management periodically reassesses risks associated with the Firm’s Referral Hiring Practices to proactively identify practices vulnerable to legal and reputational risks” and ensure senior management’s effective oversight of the Firm’s Referral Hiring Practices.

There would be a compliance risk management program which would create and implement “written policies and procedures governing the appropriate evaluation of, and processes for, vetting referred candidates consistent with the Firm’s anti-bribery policies and procedures”, tying FCPA compliance to Human Resources (HR). Within the HR function itself, there would be written policies and procedures designed to ensure compliance with applicable anti-bribery laws and policies within all business lines, and training “regarding appropriate hiring practices and compliance with applicable anti-bribery laws and policies.”

Internal audit was also assigned an enhanced role going forward. It was designated to conduct, on a regular basis, audits of business line controls and of compliance detection and monitoring processes, “designed to identify and prevent potential misconduct in connection with the Firm’s Referral Hiring Practices”. Moreover, such audits are to be conducted by “qualified parties who are independent of the Firm’s business lines and compliance functions”. There are to be “enhanced escalation procedures for the timely resolution of material audit exceptions and recommendations in connection with the Firm’s Referral Hiring Practices”. Finally, and sounding right out of the COSO 2013 Framework for internal controls, there is to be a “periodic review of risk assessments to ensure emerging risks associated with the Firm’s Referral Hiring Practices”.

Tomorrow I will review the lessons learned from the JPM enforcement action.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Now I’ve heard there was a secret chord; That David played, and it pleased the Lord

But you don’t really care for music, do you?; It goes like this

The fourth, the fifth; The minor fall, the major lift

The baffled king composing Hallelujah

Hallelujah; Hallelujah; Hallelujah; Hallelujah

You might say we need him now more than ever. Unfortunately, we lost him last week as Leonard Cohen passed away at age 82. He was truly one of the greatest songwriters of my lifetime. Yesterday I presented my views on why I believe that Foreign Corrupt Practices Act (FCPA) enforcement will continue under the new administration. Today, I want to begin a multi-part series (sorry, I don’t know how long it will go) about why compliance will not change under a Trump administration. To do so, and to honor Leonard Cohen, I will begin this series through the lens of Cohen’s most famous work, Hallelujah. To say it took some time for the song to become the staple and classic that it is today is an understatement.

In an interview on the New Yorker Radio Hour, Cohen said the song had literally over 200 drafts. At one point it had 80 different verses. As noted in the Life of A Song column in the Financial Times (FT) by David Cheal, the song was “an epic, hymnal composition with biblical allusions (David, Bathsheba and Samson are referenced).” He went on to say that “Cohen later said the song took him two years to write.” Yet when it was released in 1984, it was not a hit. It took John Cale to popularize the song when he included it “in a 1991 Cohen tribute album, I’m Your Fan. Shorn of the clunky accoutrements of Cohen’s version, the song was allowed to shine.”

Yet this is not the version that most people are familiar with today as the explosion of the song’s popularity came from a cover by Jeff Buckley in 1994 “whose exquisitely pure tenor voice, recorded with a churchy echo, seemed ideally suited to the song’s religious themes. Since then, “Hallelujah” has become one of the most covered songs ever, up there with Yesterday and My Way.” However, and at this moment of my life and the life of this country, I find the most exceptional version of Hallelujah to have been the version performed by Kate McKinnon in place of the usual opening monologue on the November 12, 2016 episode of Saturday Night Live (SNL), which you can view by clicking here. It certainly lifted me up, which is what I needed about now.

All of the above speaks to what we in the compliance community need to understand now. It is not the end of the world or even the end of compliance. While I am fairly certain that FCPA enforcement will continue, I have no doubt that the compliance profession will not only continue to grow but flourish. The reason is that good compliance is good business, and any process which helps businesses to be more efficient and do business more profitably is not going to diminish in size or importance.

Just as the song went through multiple reviews and versions and was recorded by several artists before it attained its now iconic status, the compliance profession has evolved as well. John MacKessy, writing in the Finance Professionals’ Post, in a piece entitled “Knowledge of Good and Evil: A Brief History of Compliance”, noted that the FCPA and Environmental Protection Act (EPA) “prompted companies to develop internal resources that would actively monitor compliance with the laws, rules, and regulations of their industries.” The next step in the evolution of the compliance profession was the defense procurement scandals of the 1980s, where the industry’s sales of “$400 hammers and $600 toilet seats” to the US government led to the Defense Industry Initiative (DII). This industry-led initiative created “a set of principles endorsing ethical business practices and conduct” within the defense industry for its dealings with the US government.

The next step in the evolution of the compliance profession was the 1992 US Sentencing Guidelines which, for the first time, set out what the government would consider for credit in the sentencing of organizations. Many credit these 1992 Sentencing Guidelines with the creation of the modern compliance profession. These guidelines included credit for “the specific elements of an effective compliance and ethics program. Companies that embarked on such programs would be eligible for more lenient sentences. To qualify as “effective,” a company’s compliance program would not only have to establish standards and procedures to prevent and detect criminal conduct, but would have to actively promote a culture encouraging ethical conduct and compliance with the law. The emendation of those guidelines in 2004 reflected the need for corporate boards to demonstrate knowledge of compliance programs and fulfillment of oversight responsibilities as part of monitoring the effectiveness of companies’ compliance and ethics programs.”

The next major step was the financial accounting frauds and scandals of the late 1990s and early 2000s, including Enron, WorldCom and Tyco. These scandals were so wide-ranging, with senior executives participating in, if not directing, the corporate fraud, that a new legislative response was required, and this response was the passage of the Sarbanes-Oxley Act of 2001 (SOX). Aaron Einhorn, writing in the Denver Journal of International Law & Policy, in an article entitled “The Evolution and Endpoint of Responsibility: The FCPA, SOX, Socialist-Oriented Governments, Gratuitous Promises, and a Novel CSR Code”, said, “sections 302 and 404 of SOX together require corporate executives to state their responsibility for designing internal controls, to create such controls, to assess and evaluate these controls, and to draw conclusions about their effectiveness… SOX specifically charges executive officers with internal controls duties.” Einhorn ends this section by noting, “internal controls have been transformed from a recitation of general duties lodged upon the corporation as a whole to a statement of specific duties imposed on corporate executives in particular.” This strengthened the compliance professional, who was called upon to design these internal controls.

The next major legislation which enhanced the compliance function was the Dodd-Frank Act of 2010, passed in response to the 2008 financial crisis. MacKessy pointed to the downfalls of Bear Stearns and Lehman Brothers as drivers of more compliance because they both “demonstrated the degree to which external risk events can create a loss of confidence resulting in permanent reputational damage and impaired shareholder value.” The legal and legislative response has been that companies should design, create and implement effective compliance programs on a risk-based foundation. Joe Howell, Executive Vice President (EVP) for Workiva Inc., has gone further, drawing a straight line from the FCPA to SOX to Dodd-Frank in the development of the compliance function.

All of this means compliance is not going away, no matter what the law enforcement priorities of the new administration. Companies understand that compliance and business ethics have a role not only in driving business strategies and initiatives, but also that more compliant companies are better-run companies and, at the end of the day, more profitable because they have better controls. MacKessy ends his piece by stating that compliance programs “can provide multiple rewards – from risk mitigation, to reputational enhancement, to business strategy development.”

The compliance profession is where the magic happens in a corporation. Whether it be the specific tasks of making sales, vetting relationships or the spade work of creating policies and procedures, it is compliance that drives the discussion of how we should do business. The corporate compliance profession fulfills the business obligation of doing things the right way, for, in the end, it will be the compliance profession which implements the requirements of compliance, whether those requirements are anti-corruption laws such as the FCPA, the UK Bribery Act, Anti-Money Laundering (AML), export control, anti-trust regulations, or any other regulation that you can name. Equally important, the compliance profession is teaching corporations how to evaluate risks, and the compliance profession leads that discussion. It is the compliance profession that is the most innovative in not only protecting corporations, but actually helping corporations do business, do business more efficiently, and do business more profitably.

All of this shows that compliance has developed over many years and for many reasons. None of this is going away. Tomorrow I will begin to consider the business applications and implications of compliance in more depth (and a couple of numbers from Leon).


In a recent Slate article, entitled “Ethics Trainings Are Even Dumber Than You Think”, author L.V. Anderson railed against what she termed box-checking training, where companies put on training not to actually train employees but simply to check the box that training has occurred. She also spoke against the “dumbed-down nature of most compliance courses”.

While certainly recognizing that inane training is simply that – inane training – Anderson missed the larger picture of what constitutes a best practices compliance program. Training is one part of a larger component of how companies manage their compliance with laws, regulations and, most importantly, the ultimate barometer of their value – their corporate reputation through compliance. The role of compliance in corporations was born in 1992 with the enactment of the US Sentencing Guidelines, which laid out the initial standards for corporate compliance and ethics programs, of which training is one part. It was only after these Sentencing Guidelines were put into effect that corporations moved to create Codes of Conduct to publicly state their values.

These Sentencing Guidelines provide a very general outline of what would constitute an effective compliance program. In the latest amendments to the Sentencing Guidelines, in 2010, the stated purpose of training is to “(6) Training – Conduct effective training programs and otherwise disseminate information to ensure that the board of directors, high level personnel and other employees with substantial authority receive information about the standards, procedures, and other aspects of the compliance program”.

One of the most significant areas of the law, where the government has provided specific guidance on compliance programs including training, is the 2012 publication entitled “FCPA – A Resource Guide to the U.S. Foreign Corrupt Practices Act”, which was issued jointly by the Criminal Division of the Department of Justice (DOJ) and the Enforcement Division of the Securities and Exchange Commission (SEC). This FCPA Resource Guide provided the government’s views on what constituted an effective compliance program under the Foreign Corrupt Practices Act of 1977 (FCPA) in the form of the Ten Hallmarks of an Effective Compliance Program.

Hallmark No. 5, Training and Continuous Advice, says, in part, “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” This Hallmark goes on to state that training should be appropriate to the risk of the persons being trained and tailored to the situations in which they might put their company at risk.

Whether you consider the language of the Sentencing Guidelines or the much more specific FCPA Resource Guide, the proper context in which to review ethics and compliance training is as part of an overall holistic approach to compliance and ethics; viewed that way, training can be seen in its proper role as a communication tool. The reason a company puts on compliance training is not solely to stop unethical or non-compliant conduct. The role of training is to communicate the standard of values the company wants to set forth.

The training itself should be tailored to risks involved with those employees receiving the training. My wife works at a major oilfield service company in Houston, as an SAP integration specialist in the IT department. The risk that she could engage in non-compliant, unethical behavior, that could put her company at legal risk, is relatively low. So basic training for her on the company’s ethical values is an appropriate reminder.

However, in the same company there are thousands of employees who are in positions overseas which are at much higher risk for non-compliant behavior, particularly under the FCPA. For those employees, more focused, specific and in-person training is the preferred method. So, beyond simply asking whether something is illegal, such training would focus on the specific requirements under the law, what an employee should do if a foreign government official demands a bribe, and how to seek help or report such conduct through the company hotline.

Training is not and never has been the all-encompassing way to stop illegal or even non-compliant, unethical conduct. It should be seen as a part of the overall corporate compliance program. Enron is the prime example that simply having one part, the Enron gold standard Code of Conduct and even training on that Code of Conduct, is not enough. It all starts at the top with the tone from the top. If your top management are crooks, as in the case of all the former Enron senior managers who are now convicted felons, that speaks to the tone management creates: no rule, regulation, company policy or, certainly, compliance training will be allowed to get in the way of the next deal.

Yet even after management sets an appropriate tone, that tone must be communicated to the employees. A corporate Code of Conduct sets out the general values, and the policies and procedures lay out the specifics of how employees can comply with laws, regulations and ethical concepts. After this communication, a company must set out appropriate incentives and discipline (carrots and sticks) to reinforce these behaviors. Finally, there should be internal controls baked into all of this, which not only reinforce these concepts but also allow a corporate compliance department to monitor compliance, to hopefully prevent any incidents before they become violations and to detect them if they occur.

Anderson does get one thing right. If a company is putting on training simply as “just a form of legal ass-covering” then it is probably the type of company which does not put a high value on doing business either (1) ethically or (2) in compliance with existing laws. That alone puts a company in the Enron zone for compliance. Next, I will take a look at her claims about the dumbing down of compliance training.



If there was one theme from Compliance Week 2016, it was the continued evolution of the Chief Compliance Officer (CCO) role and the compliance profession. Long gone are the days when someone is sent over from a legal department into the compliance department or, worse, some lawyer is just given the title of CCO, and this is considered to be a best practice or even sufficient. In the opening keynote presentation, representatives from the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) made clear they expect a CCO to know more than simply the laws of anti-corruption; they must actually work to do compliance in an organization. A key metric of doing compliance is the independence of the CCO and compliance function.

The conference was bookended by the keynote session “The Maturing of a Profession: The Rise of Compliance 2.0”, which laid out the structural changes that have occurred for the CCO and the compliance profession as a whole over the past 10 years or so. The starting point for the compliance profession was when the Sentencing Guidelines were made effective in the early 1990s. Because this function was born out of essentially a criminal law enactment, in the form of the Sentencing Guidelines, it seemed to make sense at the time to respond with a legalistic approach such as having a General Counsel (GC) also be the CCO or having the compliance function in the legal department. The response to the accounting scandals of the early 2000s led to the passage of the Sarbanes-Oxley Act (SOX), which mandated more robust compliance programs, thereby enhancing the role of the CCO. There were later updates to the Sentencing Guidelines, which also helped to change the structure of compliance.

As with most legalistic approaches, such as those to the Sentencing Guidelines, it began with corporations setting out their internal rules and regulations, first in the form of a Code of Conduct and, certainly after Opinion Release 04-02 in 2004, with the implementation of a written compliance program in the form of policies and procedures. Then training, incentives and punishments were put in place. Of course such an approach did not take into account third parties, and perhaps that is why the majority of Foreign Corrupt Practices Act (FCPA) cases over the past 12 years have involved third parties.

Yet now the above structure is no longer sufficient. That is the reason for the nomenclature of Compliance 2.0, as a true structural change has occurred, moving the compliance function out from under the legal department and separating the CCO from the GC. What are the changes in this structural component? The final keynote of Compliance Week 2016 presented five key transformations.

  1. Empowerment

Here the CCO is empowered by charter or Board direction to carry out their duties. A CCO does not have to ask the GC for permission as they are more generally reporting directly to the Board or the Audit Committee of the Board. Further, the CCO position is now a senior corporate level role, often in the C-Suite. In the corporate world titles and position matter and if your position is seen as being on the level of the corporate brass it will give you more weight to carry the day.

  2. Independence

The key change here is the independence of the mandate of compliance from that of the legal department. The legal department has and always will exist to defend the company. It is asked to opine on whether a particular act is legal; in other words can we do it, not should we do it? The compliance function exists to prevent, detect and remediate problems, in other words fix things. The compliance function also differs from the legal function in that it has a non-discretionary escalation of issues through its unfiltered access to a company’s Board of Directors, through a direct reporting line.

  3. Seat at the table

Here the key is that compliance is seen as collaborative with legal and not subordinate. Yet this takes work and agreement by both legal and compliance to carve out their respective roles so that toes are not stepped on or even worse in the corporate world, feelings are not bruised. It also entails both the CCO and the compliance function being involved in the company’s strategic planning meetings so that compliance can be proactive and not simply reactive. Of course this means involvement in risk management meetings, operational reviews and budget reviews, as that is where the corporation sets its priorities.

  4. Line of sight

This is probably the biggest change in the structure of compliance. The CCO and compliance function should be able to see into the business functions directly, not through the eyes or even the lens of the legal department. It also means compliance should work towards an understanding through the integration of compliance risk areas for review, with unfettered access to information. It also means the business functions need to report up to compliance through regular reporting channels. Finally, all of this by necessity requires the tearing down of silos so that compliance has visibility up and down the chain in this line of sight.

  5. Resources

As was made clear by both Andrew Weissmann from the DOJ and Stephen Cohen from the SEC in the opening keynote, the resources made available to the CCO and compliance function are becoming a more key metric for regulatory review. Fortunately this is also a key structural change moving to Compliance 2.0. Resources most generally mean two things: budget and head count.

For budgeting, the change in Compliance 2.0 is that the compliance function has its own standalone budget, which should be sufficient to fulfill the compliance mandate. I think that it is beyond obvious to state that a strong compliance budget is always less expensive than an FCPA fine and penalty, so the investment is sound. Head count is the corporate term for staffing, but here it is more than simply bodies. It requires true subject matter experts (SMEs), either through professional experience or internal training. It also means compliance personnel reporting up to the CCO. If a company uses compliance champions outside the compliance department, these folks should at least have dotted-line reporting to the CCO.

I have laid out these structural changes in some detail so that you can benchmark your compliance program to see if there are gaps which you might wish to remediate from a structural perspective. For those of you who feel there has not been enough evolution of the compliance function, not to worry, as there is a lot more to talk about in Compliance 3.0. Stay tuned…


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

The Board of Directors’ role in the Volkswagen (VW) emissions test scandal is one that is only now being scrutinized. In an article in the New York Times (NYT), entitled “Problems at VW Start at the Boardroom”, James B. Stewart was unremitting in his criticism of the VW Board, when near the beginning of his piece he wrote, “given Volkswagen’s history, culture and corporate structure, the real mystery may be why something like this didn’t happen sooner.” He quoted Markus Roth, a professor at Philipps-University Marburg and an expert in European corporate governance, as saying, “It’s been a soap opera ever since it started.”

The VW emissions testing scandal will provide many lessons for the Chief Compliance Officer (CCO) or compliance practitioner. Stewart’s scathing article prompted today’s focus, which is the role of a Board of Directors in a Foreign Corrupt Practices Act (FCPA) compliance program. A Board’s duty under the FCPA is well known. In the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first is Hallmark No. 1, which states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, which states that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. The Department of Justice’s (DOJ) Prosecution Standards pose the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. The Securities and Exchange Commission (SEC) wants Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation S-K, Item 407, under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” Failure to make this disclosure could be a securities law violation and subject the company to fines, penalties or profit disgorgement.

I believe that a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward.

For the compliance function in an organization, a clear lesson from the VW emissions testing scandal is that the Board must be engaged and asking tough questions of not only senior management but also the CCO or compliance practitioner who reports to the Board. But more than simply answering questions, it is important that the CCO share information with the rest of management in advance of the Board meeting, creating transparency. As the CCO works quite closely with the General Counsel (GC), outside legal counsel and the outside external auditor throughout the year, you must also work with them closely during the preparation of the annual compliance report. Lastly, and in my experience always the most important point in any relationship with senior management or the Board, make sure there are NO SURPRISES.

An approach suggested by Stephen Martin, who runs Baker & McKenzie Compliance Consulting LLC, is a set of 20 questions which reflect the oversight role of directors. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions give directors a basis for critically assessing the answers they get and enable them to dig deeper as necessary. Although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization. The questions are as follows:

Part I: Understanding the Role and Value of the Compliance Committee

  1. What are the Compliance Committee’s responsibilities and what value does it bring to the board?
  2. How can the Compliance Committee help the board enhance its relationship with management?
  3. What is the role of the Compliance Committee?

Part II: Building an Effective Compliance Committee

  1. What skill sets does the Compliance Committee require?
  2. Who should sit on the Compliance Committee?
  3. Who should chair the Compliance Committee?

Part III: Directed to the Board

  1. What is the Compliance Committee’s role in building an effective compliance program within the company?
  2. How can the Compliance Committee assess potential members and senior leaders of the company’s compliance program?
  3. How long should directors serve on the Compliance Committee?
  4. How can the Compliance Committee assist directors in retiring from the board?

Part IV: Enhancing the Board’s Performance Effectiveness

  1. How can the Compliance Committee assist in director development?
  2. How can the Compliance Committee help the board chair sharpen the board’s overall performance focus?
  3. What is the Compliance Committee’s role in board evaluation and feedback?
  4. What should the Compliance Committee do if a director is not performing or not interacting effectively with other directors?
  5. Should the Compliance Committee have a role in chair succession?
  6. How can the Compliance Committee help the board keep its mandates, policies and practices up-to-date?

Part V: Merging Roles of the Compliance Committees

  1. How can the Compliance Committee enhance the board’s relationship with institutional shareholders and other stakeholders?
  2. What is the Compliance Committee’s role in CCO succession?
  3. What role can the Compliance Committee play in preparing for a crisis, such as the discovery of a sign of a significant compliance violation?
  4. How can the Compliance Committee help the board in deciding CCO pay and bonus?

Whichever approach you employ, the CCO must lay out a clear and logical program for a Board of Directors not only to understand its role in the compliance function but to play an active role in it. Any best practices compliance program has several moving parts: a CCO to lead the compliance program, a Compliance Department to execute the strategy and an engaged Board of Directors to oversee and participate. It would certainly have been helpful to VW.


© Thomas R. Fox, 2015