Spud WebbOn this day 30 years ago, history was made when Spud Webb won the 3rd NBA Slam Dunk contest. Webb joined future Hall-of-Famers Michael Jordan, who won the inaugural contest in 1984, and Dominic Wilkins, who won the second event in 1985, as the Slam Dunk champ. What made Webb’s win so noteworthy? It was his size. He was 5 feet, 9 inches tall and the shortest player in the league at that time. Webb played for 12 seasons in the NBA, mostly with the Atlanta Hawks, but for anyone who tuned in that day, we will never forget when Spud Webb stood the tallest of the all the players.

I thought about Webb, his biggest moment of personal glory and individual responsibility when I read Sunday’s Fair Game column in the New York Times (NYT) by Gretchen Morgenson, entitled “Fixing Banks by Fining the Bankers. Morgenson has written several pieces about the banking scandals coming out of the 2008 financial crisis and beyond, coupled with the lack of personal accountability in all of the settlements with US regulators.

She began her piece with the certain truism, “Ho-hum, another week, another multimillion-dollar settlement between regulators and a behemoth bank acting badly.” The settlement she referenced referred to two financial institutions, Barclay’s and Credit Suisse, who agreed to pay $154.3MM, regarding their misrepresentations to investors around high-frequency trading. But what concerned Morgenson was the following, “As has become all too common in these cases, not one individual was identified as being responsible for the activities. Once again, shareholders are shouldering the costs of unethical behavior they had nothing to do with.”

Morgenson identified the reason behind the continued failings of banks “could not be clearer: Years of tighter rules from legislators and bank regulators have done nothing to fix the toxic, me-first cultures that afflict big financial firms.” She believes it is a failure of banks to change their culture. In her piece she quoted the Chairman of FINRA, Richard Ketchum, who said firms that continue to have violations are because of “poor cultures of compliance”. He finds the opposite to be true stating, “Firms with a strong ethical culture and senior leaders who set the right tone, lead by example and impose consequences on anyone who violates the firm’s cultural norms are essential to restoring investor confidence and trust in the securities industry.”

The rules and regulations of compliance can set down the written standards for employees to follow. Yet for a compliance program to be effective, it is much more than the paper part of the program. Morgenson believes that banks must change their culture to help stop these systemic breakdowns. Yet she did not end her piece there as she explored what regulators can do, more than simply talk, to facilitate this change in culture.

She considered two separate approaches regulators might consider. The first was suggested by Andreas Dombret, a member of the executive board of Deutsche Bundesbank, who noted, “Most companies have codes of ethics, but they often exist only on paper.” To help make the message of doing business ethically and in compliance, he also suggested banking regulators could help encourage a more ethical approach by routinely monitoring how a bank cooperates with the regulatory authorities particularly in an oversight rule. Finally he asked, “How often is the bank the whistle-blower?” He felt this question was important because “Not only to get a lesser penalty but also to show that it won’t accept that kind of behavior. We are seeing more of that.”

These suggestions would seem to be more aligned with an industry with significant oversight, such as banking. So I found the second area she explored more directly applicable to the Foreign Corrupt Practices Act (FCPA. It met her criticisms that it was either the shareholders or perhaps the company D&O insurance carrier who foot the bill for any FCPA violation.

She explored an idea posited by Claire A. Hill and Richard W. Painter, professors at the University of Minnesota Law School, in a new book they published, entitled “Better Bankers, Better Banks”. In this book the law professors urged “making financial executives personally liable for a portion of any fines and fraud-based judgments a bank enters into, including legal settlements. The professors called this “covenant banking.”

This covenant banking plan had some very interesting elements that spoke to the issue of individual v. corporate liability, similar to the discussion compliance professionals have engaged in since the release of the Yates Memo. Morgenson said the covenant banking plan “contains a crucial element, requiring the best-paid bankers in the company to be liable for a fine whether or not they were directly involved in the activities that generated it. Such a no-fault program, the professors argued, would motivate bankers not only to curb their own problematic tendencies but to be on the alert for colleagues’ misbehavior as well.” She quoted the book’s authors stating that this plan would help to change corporate culture as it “discourages bad behavior and its underlying ethos, the competitive pursuit of narrow material gain.”

Moreover, the professors believe, “If bankers aren’t willing to institute a system involving personal liability, regulators and judges could require it as part of their settlements or rulings. Something like covenant banking could be included in nonprosecution agreements. Or a judge overseeing a case in which a company is paying $50 million could require individuals to pay $10 million of that personally.” Finally, “A regulator could give a company the choice of a far lower fine if it were to be paid by managers, not shareholders. A company choosing to pay the higher fine and billing it to the shareholders would have some explaining to do”.

While most banks or non-financial institutions subject to the FCPA might well be reluctant to put such corporate strictures in place, it certainly could be a part of a civil penalty which comes before a court for review and consideration, such as when the Securities and Exchange Commission (SEC) goes to court when filing a Cease and Desist order in a FCPA enforcement action.

The Yates Memo recognized that individual accountability will help to drive compliance with the FCPA. The problem in going after individuals is that it is often difficult to pinpoint any single or series of actions by a senior manager that may have lead to the violation. It can be as nefarious as the General Motors (GM) nod or simply the diffusion of liability was the basis for the original creation of the corporate structure long ago.

Yet, by focusing on corporate culture Morgenson, the banking industry and banking regulators are hitting on a key theme. Paper programs are only that if there is not the culture of compliance set by senior management that the company will follow the rules. I was also intrigued that both FINRA Chairman Ketchum and banker Dombret recognized the business problem which poor cultures of compliance led to, lack of faith in capital markets and the securities industry. If companies will work to enhance culture, they move to addressing this most serious and long-term business issue.

Spud Webb was the first ‘Little Big Man’ in the modern era of the NBA. His 12-year run of success led to players such as the five-foot, five-inch Earl Boykins and five-foot, three-inch Muggsy Bogues. In 2006, 5’9” Nate Robinson of the New York Knicks became the second-shortest player to emerge victorious in the NBA slam-dunk contest. Webb changed NBA culture just as corporate culture can be changed as well.

For a YouTube video clip of Spud Webb at the 1986 Slam Dunk contest, click here.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

7K0A0223Today, we continue our exploration of the new Department of Justice (DOJ) Compliance Counsel and the metrics laid out by Assistant Attorney General Leslie R. Caldwell who called for her review of compliance programs. These metrics for today’s consideration are:

  • Does the institution review its policies and practices to keep them up to date with evolving risks and circumstances? This is especially important if a U.S.-based entity acquires or merges with another business, especially a foreign one.
  • Are there mechanisms to enforce compliance policies? Those include both incentivizing good compliance and disciplining violations.

I think most compliance practitioners understand how a risk assessment fits into the design and creation of a compliance program. Yet Caldwell’s remarks drive home that risk assessments are not a one-time exercise and while she did not remark on the frequency of how often they should be performed, I think the more often the better. However, as a Chief Compliance Officer (CCO) or compliance practitioner, you do not need to perform a full forensic risk assessment to meet the metrics Caldwell has articulated.

Nonetheless, if there is one thing that I learned as a lawyer, which also applies to the compliance field, it is that you are only limited by your imagination and the same is true for risk assessments. You might try assessing other areas annually, through a more limited focused risk assessment, literally while staying at your desk and not traveling away from your corporate headquarters.

Some of the areas that such a Desktop Risk Assessment could inquire into might be the following:

  • How are the risks in the C-Suite and the Boardroom being addressed?
  • What are the FCPA risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information enhance the program?
  • Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for a violating policy?
  • Communication of information and findings – Are escalation protocols appropriate?
  • What are the opportunities to improve compliance?

There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.

Caldwell’s second metric, that we are also exploring today, is around compliance discipline and incentives. In her remarks Caldwell further inquired, “Is discipline even handed?” and then went on to add, “The department does not look favorably on situations in which low-level employees who may have engaged in misconduct are terminated, but the more senior people who either directed or deliberately turned a blind eye to the conduct suffer no consequences. Such action sends the wrong message – to other employees, to the market and to the government – about the institution’s commitment to compliance.”

I think most folks understand the need to discipline employees who may have violated the Foreign Corrupt Practices Act (FCPA) or otherwise engaged in bribery and corruption. However, many CCOs and compliance practitioners do not focus as much attention to compliance incentives. I have developed six core principles for incentives, adapted from an article in the Spring 2014 issue of the MIT Sloan Management Review entitled “Combining Purpose with Profits”, and reformulated them for the compliance function in an anti-corruption compliance program.

  • Compliance incentives don’t have to be elaborate or novel. The first point is that there are only a limited number of compliance incentives that a company can meaningfully target. Evidence suggests the successful companies are the ones that were able to translate pedestrian-sounding compliance incentive goals into consistent and committed action.
  • Compliance incentives need supporting systems if they are to stick. People take cues from those around them, but people are fickle and easily confused, and gain and hedonic goals can quickly drive out compliance incentives. This means that you will need to construct a compliance function that provides a support system to help them operationalize their pro-incentives at different levels, and thereby make them stick. The specific systems which support incentives can be created specifically to your company but the key point is that they are delivered consistently because it signals that management is sincere.
  • Support systems are needed to reinforce compliance incentives. One important form of a supporting system for compliance incentives is to make the incentives visible. As stated in the FCPA Guidance, “Beyond financial incentives, some companies have highlighted compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an employee’s career.”
  • Compliance incentives need a “counterweight” to endure. Goal-framing theory shows how easy it is for compliance incentives to be driven out by gain or hedonic goals, so even with the types of supporting systems it is quite common to see executives bowing to short-term financial pressures. Thus, a key factor in creating enduring compliance incentives is a “counterweight”, that is any institutional mechanism that exists to enforce a continued focus on a nonfinancial goal. This means that in any financial downturn compliance incentives are not the first thing that gets thrown out the window and if my oft-cited hypothetical foreign Regional Manager misses his numbers for two quarters, he does not get fired. So the key is that the counterweight has real influence; it must hold the leader to account.
  • Compliance incentive alignment works in an oblique, not linear, way. If you want your employees to align around compliance incentives, your company will have to “eschew narrow, linear thinking, and instead provide more scope for them to choose their own oblique pathway.” This means emphasizing compliance as part of your company’s DNA on a consistent basis — “the intention being that by encouraging individuals to do “good,” their collective effort leads, seemingly as a side-effect, to better financial results. The logic of “[compliance first], profitability second” needs to find its way deeply into the collective psyche of the company.”
  • Compliance incentive initiatives can be implemented at all levels. Who at your company is responsible for pursuing compliance incentives? If you head up a division or business unit, it is clearly your job to define what your pro-social goals are and to put in place the supporting structures and systems described here. But what if you are lower in the corporate hierarchy? It is tempting to think this is “someone else’s problem,” but actually there is no reason why you cannot follow your own version of the same process.

Obviously this list is not exhaustive. Yet it is now more important than ever that you demonstrate tangible incentives for your employees to gain benefits, both financial and hierarchical, thorough doing business ethically, in compliance with your own Code of Conduct and most certainly in compliance with the FCPA. It is also a requirement that such actions must be documented so they can be demonstrated to the DOJ Compliance Counsel if they come knocking and look to employ the metrics which Caldwell has laid out for us all.

Ongoing risks assessments and incentivizing your compliance program are two of the most under-used tools to move forward your compliance regime.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

 

© Thomas R. Fox, 2015