SEC Enforcement Update: A Wounded Animal is a Dangerous Animal

Securities Docket presented this webcast with Michael MacPhail, of Holland & Hart LLP and Patrick Hunnius of White & Case LLP. “In a sharp detour from the era of Chairman Christopher Cox, the SEC under new Chairman Mary Schapiro’s leadership has obtained big budget increases that will be used to increase the number of enforcement lawyers. It has also empowered its staff by streamlining procedures relating to the issuance of formal orders of investigation and negotiating civil penalties with corporations. The staff has responded enthusiastically to the change in regime by bringing an unprecedented number of emergency civil actions, cases involving Foreign Corrupt Practices Act violations, and cases targeting lawyers.” The materials are available on Securities Docket. These are my notes.

Michael MacPhail of Holland & Hart LLP started off by pointing out the beating the enforcement division has taken over the last year. The new administration has brought in some strong new leadership. (And it’s pissed off and wants some victories.) The SEC is touting its litigation victories and enforcement actions. It wants to be tough and is taking a “Get Tough” approach.

The SEC is also seeking lots of Temporary Restraining Orders. The TRO is ex parte, so the company has no chance to present its case at the TRO hearing. The TRO also usually includes an asset freeze. These are “draconian” measures. Since the asset freeze limits funds, it also limits the defendants’ access to cash for legal fees. That makes it hard to keep lawyers in place. One example is the Stanford case, where his lawyers quit and Stanford now has to defend himself.

How do you avoid a TRO? Talk with the SEC staff and let them know that you have removed the risk factors. Show proof that the bad acts have stopped. Convince the SEC that assets and funds are not moving. Try using escrow accounts and transparent accounts. You will also need to prove that you are actually taking those steps. The Wells Process has started changing from office to office and case to case with respect to the defendants’ access to information about the case against them.

Patrick took over to focus on enforcement priorities that are likely here to stay and some likely new trends. He pointed out that FCPA enforcement has been on the increase. The SEC is also looking at attorneys and other professionals. These are attractive scalps. One of the likely areas of enforcement is the FCPA in the era of Sovereign Wealth Funds and the use of government bailout funds. Many Sovereign Wealth Funds can fall under the definition of a foreign-controlled enterprise under the FCPA.

There is no clear line on what amount of foreign ownership makes an entity an instrumentality of a foreign government. Majority ownership is probably enough. But minority interests may still be enough. Increased Sovereign Wealth Fund investment activity could transform ordinary business partners into foreign government instrumentalities. For example, 10% of Daimler is owned by a Sovereign Wealth Fund. Another example is the City Center project in Las Vegas, which is a joint venture of MGM and Dubai World. The owner of that project may be subject to the FCPA. There are very few compliance programs in place to deal with that scenario. You have to be cautious about the foreign government ownership of banks and financial companies. Icelandic banks are probably instrumentalities of a foreign government. Looking inward, Citibank, AIG, and Bank of America could be thought of as instrumentalities of the United States.

The SEC has raised the flag that it is going after gatekeepers, especially if it can be seen that the gatekeeper was heavily involved in the bad acts. Patrick pointed out how lawyers got dragged into the stock option back-dating scandal. Patrick looked at two cases. In US v. Collins, the attorney was found to have been involved in drafting loan documents to hide some of the Refco losses. The attorney was also involved in drafting the SEC disclosure documents and did not disclose the bad things he saw or should have seen. In US v. Offill, the attorney worked with his client to get around the registration requirements in order to sell securities. He was accused of being part of a “pump and dump” scheme.

Red Book 2.0 Released by OCEG with the GRC Capability Model


The Open Compliance and Ethics Group has released the second version of its Red Book about compliance models. OCEG’s Red Book 2.0 provides a guide for implementing and managing a GRC system or aspect of that system. That means Governance, Risk, and Compliance. Red Book 1, which came out in 2005, focused on “getting the compliance house in order.” This version takes a more holistic approach of incorporating the various elements as part of business processes.

It weighs in at 255 pages so I have lots of reading ahead.


Breaking Down Compliance Silos: The Cost-Effective Approach to Managing Compliance

Michael Rasmussen, President of Corporate Integrity, Julian Parkin, Group Privacy Programme Director at Barclays, and John Kelly, Director at OpenPages, spoke in a webinar on taking a strategic approach to managing compliance. The webinar was sponsored by Compliance Week. These are my notes.

Michael set the stage by asking: Does your organization walk its talk? He equated risk to an iceberg. You have a big chunk of risk awareness visible to many. But 90% of it is below the surface. He equated that 90% to “risk ignorance.” As you might expect with a graphic of an iceberg, he used a Titanic metaphor.

A siloed approach to GRC leads to a lack of visibility, wasted resources, unnecessary complexity, a lack of flexibility, and vulnerability. Compliance is NOT going away. It is a business process that is only increasing in volume and complexity.


Julian took over and started with a focus on data privacy and operational risk. Many companies come into compliance because they have an “incident.” As a financial institution, Barclays is very concerned with customer data and how its employees treat it. They focused not only on the stored data, but on their hardware as well.

Barclays used this great branding tool to reinforce the message. There were several instances where they took a laptop or other data source that had been left alone, leaving just this postcard behind. It is important for them to show their customers that their information is safe with them, just as their money is safe with them.

John took over to display some of his company’s IT solutions for compliance. He pointed out that a spreadsheet fails as a compliance tool because it lacks the audit trail to show what information was known when.

Compliance Policies and Email


You should take a look at your computer use and email policies to see how they address three recent cases involving email in the workplace.

The first case involves unauthorized access (Van Alstyne v. Electronic Scriptorium, Inc.). The president of the company had broken into an employee’s personal AOL email account. The employee had occasionally used that email account for business communications. To top off the bad behavior, the president of the company had propositioned the employee before firing her and then accessing that email account.

In the second case (Stengart v. Loving Care [.pdf]), Ms. Stengart resigned from Loving Care and sued the company. Before leaving she e-mailed her lawyer through her personal web-based account from her company-issued computer using the company’s internet access. Loving Care recovered temporary files stored on that computer which contained copies of Stengart’s attorney-client communications. Stengart discovered that Loving Care’s lawyers planned to use her e-mail in the litigation. She asked the trial court to decide whether the e-mail, sent during work hours on a company computer, was protected by the attorney-client privilege. The court held that it was not.

In the third case (Noonan v. Staples), Staples fired sales director Alan S. Noonan for padding his expense report. Executive Vice President Jay Baitler sent an e-mail to approximately 1,500 employees explaining the reason for the firing. The e-mail contained no untruths, but Mr. Noonan sued for defamation anyhow. Unfortunately for Staples, truth is not a defense in Massachusetts if the challenged statement was communicated with actual malice.

Lessons? What should you have in your company’s computer policy?

First, tell employees that they should not use personal e-mail accounts for purposes of conducting company business.

Second, the company should have a policy that any message sent from a company computer is subject to disclosure and the employees should not have an expectation of privacy.

Third, employees should not access another employee’s files or email accounts, whether they are the company’s or personal.

Fourth, employees should not use email or company computers to send malicious messages.

Finally, make sure you can prove that each employee knows these rules.


Stop Trading on Congressional Knowledge Act


How can you beat the stock market? Become a member of Congress and trade on legislative actions!

You might think that a member of Congress would be prohibited from trading on non-public information that they obtain through their official position. You might be wrong. Members of Congress and their staff do not owe any “duty of confidentiality” to Congress. So they can’t be held liable for insider trading based on congressional knowledge. Since they are not considered insiders, members of Congress and their staff can share this non-public information with their friends.

Is this a problem? There is a 2004 paper that finds a portfolio that mimics the purchases of U.S. Senators beats the market by 85 basis points per month. Federal law does require Senators to disclose their common stock transfers annually in their Financial Disclosure Reports. But that filing is long after the time of the actual stock transactions.

I will not go into the details of the report other than to note that a few Senators are more active than others. You can reach your own conclusions based on the data.

In these days with a greater focus on transparency, risk and governance, you would think that Congress would close this loophole. In January, U.S. Reps. Louise Slaughter and Brian Baird (pictured) introduced the Stop Trading on Congressional Knowledge Act (the STOCK Act)(H.R. 582). Slaughter and Baird also introduced similar bills in 2006 and 2007, without success.

If this bothers you, maybe you should call, email, or tweet your Congressman or Senator.


Did Compliance Programs Fail During the Financial Industry Meltdown?


Most people would say yes to this question. I think the answer is more complex. A stand-alone compliance program could not prevent the over-exuberance, excessive risk taking, and ethical lapses that led to the meltdown.

The inspiration for this post came from an article by David Hechler, Risky Business: Did compliance programs fail the test during the financial industry meltdown? for the April edition of Corporate Counsel. Hechler focused on Countrywide Financial Corporation and Tim Mazur, who was an ethics officer at Countrywide. Hechler comes up with three lessons from

  1. Misaligned Compensation Mangles Companies
  2. You Don’t Build an Ethical Culture in a Day (or Year)
  3. Empowerment Is More than a Nice Word

The real problem was a failure of compliance at the structural level, not the program level.

Top-level executive compensation for public companies will be linked to stock performance. There are many people discussing the pros and cons of this approach and how it affects compliance. The more important place to look for misalignment of compensation is front-line employees and mid-level managers.

The story about Countrywide provides a great example. Loan officers at Countrywide were paid a higher commission for sub-prime loans than for traditional loans. Wrong compensation. Those loans are riskier to the company, so they should be less valuable and be subject to a lower commission. (You should also question why commissions would change from one loan product to another.)

The compensation to the loan officer is tied to origination of the loan, with no compensation tied to the repayment of the loan. So of course underwriting standards are going to deteriorate as the pool of good borrowers shrinks and you need to find less qualified borrowers to take on loans.

The managers of these loan officers were similarly compensated based on origination of the loans, so they were going to push for more and more loans regardless of the likelihood of repayment. There is a similarity between this structure and the structure at Enron. In The Smartest Guys in the Room: The Amazing Rise and Scandalous Fall of Enron, the authors paint a picture of Enron focused on origination of deals with few resources and little focus on managing the deals.

You can’t build an ethical culture if the structure is not in place. Mazur contends that he did not have enough time to build an ethical culture at Countrywide. Unless he had been able to change that front-line employee compensation model, I do not think he could have prevented the problems at Countrywide.

You need to align the institutional incentives of your company for a compliant and ethical company. You also need to align the personal incentives for employees throughout the company to match those institutional incentives.


Update: fixed some typos

Betting the Corporation: Compliance or Defiance

Lawrence D. Finder, Ryan D. McConnell & Scott L. Mitchell drafted a paper surveying the sixteen corporate deferred prosecutions and non-prosecution agreements entered into by the Department of Justice in 2008.

Betting the Corporation: Compliance or Defiance? Compliance Programs in the Context of Deferred and Non-Prosecution Agreements – Corporate Pre-Trial Agreement Update – 2008

In 2008, every agreement contained some sort of corporate compliance reform provision – continuing a trend we have seen over the last few years. This trend is the focus of this update. Aside from building on prior observations, this piece attempts to draw empirical observations about the types of compliance programs that come out of corporate pre-trial agreements. The authors recognize there is no one-size fits all template for corporate compliance programs. But by examining compliance programs in the context of DPAs and NPAs, the authors strive to provide a picture of what types of compliance measures are negotiated by the DOJ and corporate targets to resolve internal control and other business deficiencies that resulted in criminal wrongdoing. We hope that this will provide some guidance for attorneys and other professionals who deal with compliance issues.

The authors note that one of the big changes in 2008 was the DOJ’s implementation of a new charging policy. (You can find it at 9-28.000 of the U.S. Attorneys’ Manual.) Although the policy is no longer associated with a particular person (like the 2006 McNulty memo, the 2003 Thompson memo and the 1999 Holder memo), the nine factors for charging a corporation are still the same:

  1. the nature and seriousness of the offense;
  2. pervasiveness of wrongdoing;
  3. the company’s history of similar conduct;
  4. the company’s timely and voluntary disclosure;
  5. the existence and effectiveness of a pre-existing compliance program;
  6. the company’s remedial actions;
  7. the collateral consequences (including harm to shareholders) of a conviction;
  8. the adequacy of prosecution of individuals; and
  9. the adequacy of civil or regulatory remedies

There is a new statement in USAM 9-28.200: “In certain instances, it may be appropriate, upon consideration of the factors set forth herein, to resolve a corporate criminal case by means other than indictment. Non-prosecution and deferred prosecution agreements, for example, occupy an important middle ground between declining prosecution and obtaining the conviction of a corporation.”

A second change in 2008 was the issuance of the Morford Memo that addresses the use of corporate monitors, providing guidance on issues that may arise in the selection of a monitor and the monitor’s duties.

2008 STATISTICS:

Total Number of Agreements: 16
Number of Privilege Waivers: 2 (13%)
Number of Agreements with Compliance Monitors: 6 (38%)
Number of Agreements with Compliance Reforms: 16 (100%)

The link above is to a draft copy of the paper. The final version is scheduled to be published in the South Texas Law Review in May 2009.

Seven Questions to Ask to Optimize Your Compliance Programs


Compliance Week put on a webinar covering Practical Guidance: Seven Questions to Ask to Optimize Your Compliance Programs. Bruce McCuaig, Vice President, Risk and Compliance and Mike Rost, Vice President, Marketing of Paisley presented.

Mike started off with some background on Paisley, then moved on to the “Why?” of compliance. Companies want to avoid the downside that comes from compliance failures.

Bruce then took over and set forth the seven questions:

  1. Do you have an effective compliance program?
  2. Have you assessed the scope of your compliance program?
  3. Is your compliance program risk-based?
  4. Do you have effective controls over your compliance risks?
  5. Is your compliance program integrated?
  6. Are you leveraging technology to support your compliance program?
  7. Do you have a plan to instill and sustain your compliance program processes?

Effectiveness has a basis in the federal sentencing guidelines. You need to have a culture of compliance. You need to be effective in prevention. You need to document standards and procedures. You need to communicate and report. There is a need for continual improvement.

In assessing the scope of your compliance program, you need to look at the laws, standards and regulations that you must comply with. What jurisdictions do you operate in? What subjects do you need to pay attention to? You need to take a top-down, risk-based approach to address the scope of your program. You need to find the most significant risks to compliance.

To think about whether your compliance program is risk-based, you need to look at the root cause of possible failure. They break it into three pieces: behavioral or cultural factors, impact factors and external factors. Behavior focuses on people. Do your people know the rules? Impact factors look at systems, and external factors are things outside your control.

For effective controls you need to know the rules and know that the rules have to be followed. You also need to know when the rules are broken. If they are broken, the violators need to be penalized for the failure. It is important that employees read and certify that they understand the rules. Where compliance failures are a risk, the regulators expect there to be a dedicated compliance officer. You need to use compliance metrics.

An un-integrated approach has redundancy in testing and documentation, with common activities repeated across business lines. Bruce sees five points of convergence:

  • Shared context in organization and process structure
  • Common language of risk and control
  • Common methodology
  • Enterprise wide reporting
  • GRC convergence technology

Bruce thinks technology is important. You need a library of intelligent information on laws and regulations. You need to manage the life-cycle of the policies and procedures. These tools are useful to show that everyone has read and affirmed their understanding of the policies.

Bruce labels the four steps of maturity: (1) reacting, (2) anticipating, (3) collaborating, and (4) orchestrating.


Conducting C-Suite Investigations


EthicsPoint presented a webinar on conducting C-Suite Investigations, with Sally Rhys, BA, MS, CCEP of Business Ethics Focus. No one wants to believe that allegations against the C-suite (Senior Executives) could be true. But with daily news reports of more cases of illegal and unethical transgressions by senior leaders, we all know that every organization is potentially at risk. It can happen at any time, even in your own organization. Are you prepared to handle such a crisis? These are my notes from the presentation.


Sally Rhys started off with a fraud scenario involving the CFO: a call comes in from someone who thinks the CFO is overstating earnings and has convincing reports. What do you do now?

Investigating the C-suite involves bigger risks. There are also psychological barriers involving loyalty to the organization and its management. Sally points out the need for a plan:

  1. Secure a sponsor.
  2. Engage a stakeholder team to act as a sounding board.
  3. Identify the positions which require an investigation protocol.
  4. Create plans for each position that needs a protocol. You may want to have an outside investigator for some positions. You may also want to have a PR plan and methods for dealing with clients, employees and other stakeholders. You also want to document the steps and the investigation well. You also want to be clear about the non-retaliation policy.
  5. Seek board approval. Craft a persuasive message to convince the board to approve a C-suite protocol.
  6. Publish the protocol. Write it down, publish it in the code and make it accessible. Only do this if you are actually going to follow the protocol.

It is good to have some method for quickly determining if there is some basis for the claim. You need to show that you take the allegation seriously, but you want to move quickly to respond appropriately.

It is important to show the board where executives go wrong.

The attendees said the most likely chilling effect on a C-Suite investigation is the concern that you will not be supported. Of the attendees, 46% picked this choice out of the four.

It is important to protect yourself. Make sure you have the support of the board or other key stakeholders. Be professional and leave emotions at the door. Be respectful and thorough. You need to stay credible.

Sally thought it was important to separate the role of general counsel and the compliance officer/investigator. Of course, you need to have a protocol for yourself/your position.
