2.0If there was one theme from Compliance Week 2016 it was the continued evolution of the Chief Compliance Officer (CCO) role and the compliance profession. Long gone are the days when someone is sent over from a legal department into the compliance department or worse, some lawyer who is just given the title of CCO and this is considered to be a best practice or even sufficient. In the opening keynote presentation, representatives from the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) made clear they expect a CCO to know more than simply the laws of anti-corruption, they must actually work to do compliance in an organization. A key metric of doing compliance is the independence of the CCO and compliance function.

The conference was bookended by the keynote session “The Maturing of a Profession: The Rise of Compliance 2.0” which laid out the structural changes that have occurred for the CCO and compliance profession as a whole over the past 10 years or so. The starting point for the compliance profession was when the Sentencing Guidelines were made effective in the early 1990s. Because this function was borne out of essentially a criminal law enactment, in the form of the Sentencing Guidelines, it seemed to make sense at the time to respond with a legalistic approach such as having a General Counsel (GC) also be the CCO or having the compliance function in the legal department. The response to the accounting scandals of the early 2000s led to the passage of the Sarbanes-Oxley Act (SOX), which mandated more robust compliance programs, thereby enhancing the role of the CCO. There were later updates to the Sentencing Guidelines, which also helped to change the structure of compliance.

As with most legalistic approaches, such as those to the Sentencing Guidelines, it began by corporations setting out their internal rules and regulations; first in the form of a Code of Conduct and certainly after Opinion Release 04-02 in 2004 with the implementation of a written compliance program in the form of policies and procedures. Then training, incentives and punishments were put in place. Of course such an approach did not take into account third parties and perhaps that is why the majority of Foreign Corrupt Practices Act (FCPA) cases over the past 12 years have involved third parties.

Yet now the above structure is no longer sufficient. That is reason for the nomenclature of Compliance 2.0 as a true structural change has occurred moving the compliance function out from under the legal department and separating the CCO from the GC. What are the changes in this structural component? The final keynote of Compliance Week 2016 presented five key transformations.

  1. Empowerment

Here the CCO is empowered by charter or Board direction to carry out their duties. A CCO does not have to ask the GC for permission as they are more generally reporting directly to the Board or the Audit Committee of the Board. Further, the CCO position is now a senior corporate level role, often in the C-Suite. In the corporate world titles and position matter and if your position is seen as being on the level of the corporate brass it will give you more weight to carry the day.

  1. Independence

The key change here is the independence of the mandate of compliance from that of the legal department. The legal department has and always will exist to defend the company. It is asked to opine on whether a particular act is legal; in other words can we do it, not should we do it? The compliance function exists to prevent, detect and remediate problems, in other words fix things. The compliance function also differs from the legal function in that it has a non-discretionary escalation of issues through its unfiltered access to a company’s Board of Directors, through a direct reporting line.

  1. Seat at the table

Here the key is that compliance is seen as collaborative with legal and not subordinate. Yet this takes work and agreement by both legal and compliance to carve out their respective roles so that toes are not stepped on or even worse in the corporate world, feelings are not bruised. It also entails both the CCO and the compliance function being involved in the company’s strategic planning meetings so that compliance can be proactive and not simply reactive. Of course this means involvement in risk management meetings, operational reviews and budget reviews, as that is where the corporation sets its priorities.

  1. Line of sight

This is probably the biggest change in the structure of compliance. The CCO and compliance function should be able see into the business functions directly, not through the eyes or even the lens of the legal department. Yet it also means compliance should work towards an understanding through the integration of compliance risk areas for review, with unfettered access to information. It also means the business functions need to report up to compliance through regular reporting channels. Finally, all of this, by necessity requires the tearing down of silos so that compliance has visibility up and down the chain in this line of sight.

  1. Resources

As was made clear by both Andrew Weissmann from the DOJ and Stephen Cohen from the SEC in the opening keynote, the resources made available to the CCO and compliance function are becoming a more key metric for regulatory review. Fortunately this is also a key structural change moving to Compliance 2.0. Resources most generally mean two things: budget and head count.

For budgeting the change in Compliance 2.0 is that the compliance function has its own standalone budget, which should be sufficient to fulfill the compliance mandate. I think that it is beyond obvious to state that a strong compliance budget is always less expensive than a FCPA fine and penalty so the investment is sound. Head count is the corporate term for staffing but here it is more than simply bodies. It requires true subject matter experts (SMEs) either through professional experience or internal training. It also means compliance personnel reporting up to the CCO. If a company uses non-compliance department compliance champions, these folks should at least have dotted line reporting to the CCO.

I have laid out these structural changes in some detail so that you can benchmark your compliance program to see if there are gaps, which you might wish to remediate from a structural perspective. For those of you who did not feel there has not been enough evolution of the compliance function; not to worry as there is a lot more to talk about in Compliance 3.0. Stay tuned…

 

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Chief-Compliance-OfficerAt the Opening Session of Compliance Week 2016, Stephen L. Cohen, Associate Director of Enforcement, Securities and Exchange Commission (SEC) and Andrew Weissmann, Chief of the Department of Justice (DOJ) Criminal Division’s Fraud Section, spoke about their views of what constitutes an effective compliance program under the Foreign Corrupt Practices Act (FCPA). Compliance Week’s Editor-in-Chief Bill Coffin moderated the panel. The majority of the discussion was around the Chief Compliance Officer (CCO) position; specifically the independence of the position, the authority the CCO has in an organization and the resources made available to the CCO.

Weissmann related that many presentations are made to the DOJ in the context of Filip Factors presentations, where a company generally presents evidence of the effectiveness of its compliance program at the time of the incident that led to the criminal investigation. He said that one of the things he thinks is important is how a CCO talks about the company’s compliance program.

He began by noting the initial straw poll showed that 65% of those responding to the first poll said their compliance program could probably pass DOJ muster or needs work. Weissmann viewed this as a positive sign because it demonstrated to him the ongoing evolution a company’s compliance program. He said he would often specifically delve into how a risk assessment had been done and then use that information as a springboard to inquire into whether it actually predicted the FCPA violation(s). It was not surprising to hear Weissmann basically say McNulty Maxim No. 3 (what did you do when you found out about it?) when he said that he would inquire into the company’s response and whether the response was then integrated that into the compliance function.

Cohen also said that he encourages CCOs to come and meet with him early in the SEC investigatory process. He did acknowledge that outside counsel usually hated the idea, obviously because they lose complete control, which they seek to maintain. Yet Cohen thinks that it helps him because it gives him a window into whom he is dealing with in the process. Additionally, as the CCO is generally more attuned to remediating problems, rather than simply protecting the company like outside counsel, a different view can often be obtained through such meetings. I would note from the CCO perspective, this is very valuable as it gives you the ability to begin to win an ally for your remediation program early on in the process.

One of the specific areas that Cohen wants to know about is what are the resources that have been made available to the CCO and what is the level of CCO independence? He is concerned about whether the CCO is appropriately valued and supported in the organization. He specifically asks if the CCO is on the Executive Leadership Team (ELT) or other top group of C-Suite executives. He would also inquire into whether the CCO had visibility into the transaction(s) that may have become the problem issue(s). Not necessarily whether there was a bribe authorized but if the transaction warranted someone violating the FCPA to get the deal done, did the compliance function have visibility into the matter? It is all Cohen’s way of trying to ascertain whether the CCO and compliance function have standing in company to get things done.

Weissmann was asked about individual liability for CCOs under the FCPA. I found this question propitious given my blog posts earlier this week. He said that the DOJ not going after CCOs for criminal liability unless they are a part of bribery scheme or some cover-up. He reiterated that the DOJ is trying to reduce the risk of criminality for violations under the FCPA and indeed that was one of their goals in hiring its new Compliance Counsel, Hui Chen. Chen enables the DOJ to be more robust in evaluating compliance programs of companies that come before the DOJ. He also noted that this new position works to heighten the power of CCO within companies as it gives them a specific advocate at the DOJ during enforcement actions.

Cohen took another approach to responding to the inquiry about CCO liability. He said that he believed there had been approximately 8000 SEC enforcement actions over past 10 years in regulated space involving CCOs. Of all of those cases, only five had involved individual liability actions brought against CCOs. These were along the lines of the FINRA action against Linda Busby I detailed yesterday, where the CCO had a clear regulatory responsibility to implement or enhance a compliance program and failed to do so. Cohen also made the point again that these five SEC enforcement actions were all in regulated industries only, not FCPA cases.

On the question of CCO independence, Weissmann believes this is one indicia of an effective compliance program. He reiterated yet again the DOJ’s stated position that it does not concern itself with whether the CCO reports to the General Counsel (GC) or reports independently, but he is more concerned about whether the CCO has the voice to go to the Chief Executive Officer (CEO) or Board of Directors directly, without going through the GC first. Even if the answer were yes, Weissmann would want to know if the CCO has ever exercised that right.

Finally, Weissmann turned to the operationalization of compliance. Echoing the remarks of the DOJ Compliance Counsel last fall, he wants to know if the if business unit of a company is responsible for at least a part of compliance. Put in the manner of Chen, is compliance operationalized within your organization? Weissmann had an interesting angle on the real problem for a CCO if compliance is not embedded into the business; that problem is that the CCO simply becomes a policeman, telling the business unit what it cannot do. Or as I would say, being Dr. No from the Land of No.

Cohen had several questions he would ask to determine the level of CCO independence within an organization. First and foremost, is the CCO a part of the senior management or the C-Suite? Is the CCO part of regular meetings of this group? He also wanted to know who could terminate the CCO so he might inquire to see if it was the CEO, the Audit Committee of the Board or did the CCO termination require approval of the entire Board? Most importantly, could a person under investigation or even scrutiny by the CCO fire the CCO? If the answer is yes, the CCO clearly does not have requisite independence.

In addition to the foregoing, Cohen had some additional questions he would consider. The first was who could over-rule the decision by a CCO within an organization? He would also inquire into who is making the decisions around salary and compensation for the CCO? Is it the CEO, the GC, the Audit Committee of the Board or some other person or group?

The remarks of Weissmann and Cohen demonstrated the continued evolution in the thinking of the DOJ and SEC around the CCO position and the compliance function. Their articulated inquiries can only strengthen the CCO position specifically and the compliance profession more generally. The more the DOJ and SEC talk about the independence of, coupled with resources being made available and authority concomitant with the CCO position, the more corporations will see it is directly in their interest to provide the position in their organizations.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

IMG_3289Recidivist behavior is something that the US government is forced to face in Foreign Corrupt Practices Act (FCPA) enforcement from time-to-time. When a company agrees to a Deferred Prosecution Agreement (DPA) or Non-Prosecution Agreement (NPA), it always agrees not to engage in the same or similar conduct again. Recently Novartis reported that it is under scrutiny in South Korea for criminal conduct around alleged illegal payments to doctors in the form of excessive payments for scholarly articles or for articles for which payment was made but where the articles were never published in scholarly journals. This is after agreeing to a Cease and Desist Order with the Securities and Exchange Commission (SEC), in March 2016, which read in part, “Respondent Novartis cease and desist from committing or causing any violations and any future violations of Sections 13(b)(2)(A) and 13(b)(2)(B) of the Exchange Act”. Read More

Lear's FoolI conclude my week honoring the 400th anniversary of the death of Shakespeare by using my favorite character in all his work to introduce today’s post. He is The Fool from King Lear. Of Shakespeare’s many theatrical innovations, his transformation of The Fool from the Renaissance Court Jester of songs, music, storytelling, medieval satire and physical comedy to commentator is right up there for me. The Fool became closer to the Greek Chorus. Shakespeare brought the Chorus commentary function back. As noted in Wikipedia, “Where the jester often regaled his audience with various skills aimed to amuse, Shakespeare’s fool, consistent with Shakespeare’s revolutionary ideas about theater, became a complex character who could highlight more important issues. Like Shakespeare’s other characters, the fool began to speak outside of the narrow confines of exemplary morality. Shakespeare’s fools address themes of love, psychic turmoil, personal identity, and many other innumerable themes that arise in Shakespeare”. Read More