Making Smarter Risk Decisions

PriceWaterhouseCoopers published Making Smarter Risk Decisions.

The paper looks at how the most successful organisations define their risk appetite and integrate this appetite into business strategy and culture so that all facets of the business consistently apply the desired risk thresholds, top down, to decision making. By doing so, an organisation can achieve optimal performance and compliance and avoid investing in redundant or ineffective functions, processes and technology.

One section of the paper addresses risk appetite:

Developing this culture requires leadership to not only define risk appetite and ethical business standards, but to encourage employees to do the right thing through clear communication of objectives and risk appetite; incentive and reward systems that are aligned to employees “doing the right thing”; and role specific ethics, compliance and risk training programmes. It also requires that management be prepared to take a hard line with employees who don’t “do the right thing”, but not with those employees who truly “do the right thing” and achieve sub-optimal results.

No business deal should ever justify putting your company’s reputation at risk.

Iraq Is Quietly Firing Fraud Monitors

From James Glanz and Riyadh Mohammed of the New York Times: Premier of Iraq Is Quietly Firing Fraud Monitors.

The dismissals, which were confirmed by senior Iraqi and American government officials on Sunday and Monday, have come as estimates of official Iraqi corruption have soared. One Iraqi former chief investigator recently testified before Congress that $13 billion in reconstruction funds from the United States had been lost to fraud, embezzlement, theft and waste by Iraqi government officials.

Iraq, in its earliest days of existence, looks like it is headed toward being a kleptocracy and will be another example of the resource curse.

Assessing Corporate Culture

Ed Petry of the Ethical Leadership Group put together a two-part paper on Assessing Corporate Culture: Assessing Corporate Culture – Part I and Assessing Corporate Culture – Part II.

[There are] specific steps that compliance and ethics officers can take to begin the process of identifying their organizations’ culture including:
• Conduct surveys, focus groups and interviews of employees and third parties to determine what people really think about the organization, what motivates them, what’s rewarded and punished, and what are the “unspoken rules” and corporate stories that they believe best illustrate acceptable and unacceptable behavior;
• Distinguish and describe the important subcultures within the organization; and
• Identify what is really being heard by employees – which may be quite different from the message you and senior management are intending to convey.

You should do deep dives that roughly track the elements of the revised Sentencing Guidelines:

  • Is there consistency and clarity within your organization regarding the limits of acceptable behavior?
  • Do the Board and management act in accordance with their responsibilities to build and sustain a commitment to ethics and compliance?
  • Are compliance, ethics or even legal requirements – or the people responsible for them at the company – marginalized?
  • Do performance goals and incentives encourage and put unreasonable pressure on employees to act contrary to ethics and compliance standards?
  • Do employees feel they can ask questions or raise concerns?
  • Is bad conduct tolerated – especially at the senior level?

UK’s Law Commission on Reforming Bribery

The United Kingdom’s Law Commission has published its recommendations in a new report on reforming the bribery laws in the United Kingdom. The LC Report 313 on reforming bribery (.pdf) states:

  1. Bribery has been contrary to the law at least since Magna Carta declared, “We will sell to no man…either justice or right”. Most people have an intuitive sense of what “bribery” is. However, it has proved hard to define in law. The current law is both out-dated and in some instances unfit for purpose.
  2. We propose repeal of the common law offence of bribery, the whole of the 1889, 1906 and 1916 Acts, and all or part of a number of other statutory provisions.
  3. These offences will be replaced by two general offences of bribery, and with one specific offence of bribing a foreign public official. In addition, there will be a new corporate offence of negligently failing to prevent bribery by an employee or agent.
  4. In the text below, the precise statutory terms and definitions have not always been used. The draft Bill must be consulted for these. Not all of our recommendations and draft clauses are discussed below.

Top Ten Ways to Prevent Employee Theft

From Tracy Coenen of the Fraud Files Blog, Top Ten Ways to Prevent Employee Theft:

1. Education. If employees are aware of fraud and how it happens, they will be your best on-the-job sleuths.

2. Surprise Audits . . .

3. Hotlines. A mechanism for anonymous reporting of fraud encourages employees to look out for the best interests of the company, without fear of reprisal.

4. Assessment of Internal Controls. Companies need to take an honest look at what fraud prevention controls they have in place. They also need to be honest about whether or not those procedures and policies are being followed and whether or not they really work.

5. Background Checks . . .

6. Open Door Policy. Make employees feel that it is okay to discuss concerns with management. And then when they do discuss their concerns, act accordingly. Ask lots of questions, but be supportive.

7. Perception of Fairness . . . .

8. Employee Empowerment. Give employees the authority and confidence to make decisions and take action. The more involved and empowered employees feel, the more likely they are to look out for the best interests of the business.

9. Continuous Improvement. Management should be constantly looking for ways to improve policies and procedures. Fraud prevention is an ongoing, dynamic process that requires continuous evaluation and improvement.

10. Employee Involvement. Your employees are the people who are most aware of areas vulnerable to fraud. Talk to them and ask for their help in securing the company’s assets. Fraud prevention applies to everyone, from the top down.

Fraud Detected More Often At Bankrupt Companies

Bankrupt companies are three times more likely to have been cited for fraud by U.S. regulators, according to a study released on Monday from Deloitte Financial Advisory Services LLP. The study also showed that fraud incidents were much more likely to land a company in bankruptcy court.

Sheila Smith, head of reorganization services at Deloitte said it was not clear whether employees at bankrupt companies are more likely to commit fraud or whether the microscope of bankruptcy makes it easier for regulators to detect it.

Leading Corporate Integrity: Defining the Role of the Chief Ethics and Compliance Officer

Fellows of the Ethics Resource Center, Business Roundtable Institute for Corporate Ethics, the Ethics and Compliance Officer Association, the Open Compliance and Ethics Group (OCEG), and the Society of Corporate Compliance & Ethics put together Leading Corporate Integrity: Defining the Role of the Chief Ethics and Compliance Officer (pdf).

Senior corporate executives are under great pressure to build and maintain strong organizational ethics programs. The stakes are high for any organization that fails to make ethics a priority and then finds itself embroiled in scandal. Public perceptions—often driven by the media—spoil a company’s reputation and weaken its brand value. Lowered trust among investors can devastate a company’s ability to attract support for growth. Regulators and lawmakers may move swiftly to punish and/or further regulate those who step outside accepted ethical boundaries.

Today, many organizations are choosing to consolidate the critical responsibility for ethics and compliance programs under a chief ethics and compliance officer (CECO). But the specific roles and reporting lines for this relative newcomer among corporate management positions are not always clearly defined; many CECOs report feeling set up for failure due to insufficient authority or inadequate resources.

This paper is intended to serve as the starting point for a dialogue within corporate management circles—particularly among CEOs, boards of directors and the CECOs themselves—about the proper placement, qualifications, and responsibilities for a leader of the corporate ethics and compliance function. This paper also provides resources and identifies additional steps for further examination of this critical management function.

Opening Securities and Futures Accounts from an OFAC Perspective

The Office of Foreign Assets Control published new guidance specific to the securities industry on 11/06/2008: Opening Securities and Futures Accounts from an OFAC Perspective.

A strong OFAC compliance program consists of procedures that are similar to those found in a brokerage firm’s Customer Identification Program (“CIP”). Firms should use risk-based measures for verifying the identity of each new customer who opens an account. In establishing procedures, firms should identify and consider their size (e.g., total assets under management), their location, their customer base, the types of accounts they maintain, the methods by which accounts can be opened (e.g., in person or non face-to-face), and the types of identifying information available for each customer. Firms should also assess risks posed by each customer and transaction, asking questions such as:

  • Is the customer regulated by a Federal functional regulator, widely known, or listed on an exchange?
  • Has the firm had any previous experience with the customer or does it have prior knowledge about the customer?
  • Is the firm facilitating a U.S. person’s investment in a foreign issuer or other company that conducts business in a sanctioned country?
  • Is the customer located in a high-risk foreign jurisdiction that is considered to be poorly regulated or in a known offshore banking or secrecy haven?
  • Is the customer located or does it maintain accounts in countries where local privacy laws, regulations, or provisions prevent or limit the collection of client identification or beneficial ownership information?

Prior to entering into a business relationship with a client, you should screen the new client’s identification information, as well as the customer’s proposed transaction(s), against OFAC’s Specially Designated Nationals and Blocked Persons list (“SDN list”) [which is available at http://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx], and applicable OFAC sanctions programs.

The paper highlights a few key differences between OFAC compliance and CIP requirements. OFAC requires you to look deeper into the beneficial ownership of a client. CIP is limited to the “person that opens a new account.”

The other key difference is that OFAC does not permit you to reallocate your legal liability to a third party such as an introducing firm. OFAC takes the position that you can still be “held liable for any OFAC violations that occur due to the third parties’ negligence.”

Corporate Governance of Public Web Sites

Jane K. Storero and Yelena Barychev of The Legal Intelligencer and Law.com authored an article arguing that the system of reviewing and monitoring information posted on a company Web site should be part of the disclosure controls included in the enterprise-wide risk management system established by the company: Corporate Governance of Public Web Sites.

This article describes methods of effectively complying with the SEC guidance related to company websites: Commission Guidance on the Use of Company Websites (Release 34-58288, August 7, 2008).

That release gave some guidance as to whether a company’s website is a means of public dissemination of information under Regulation FD.

It also addresses how the anti-fraud provisions of the federal securities laws can be applied to statements made on the internet. One issue is whether historical information is considered “republished” each time the material is accessed on the company’s website. If it is considered republished, then the company would have a duty to update the materials.

As a general matter, we believe that the fact that investors can access previously posted materials or statements on a company’s web site does not in itself mean that such previously posted materials or statements have been reissued or republished for purposes of the antifraud provisions of the federal securities laws, that the company has made a new statement, or that the company has created a duty to update the materials or statements.

The release also notes that hyperlinks to third party information could be implicated as part of the anti-fraud provisions. The key is the context of the hyperlink. If explicit approval or endorsement is plainly evident, then the hyperlink to a third party statement can be found to be an implicit approval of the statement in the hyperlinked web page.

The release also endorses the use of blogs:

We acknowledge the utility these interactive web site features afford companies and shareholders alike, and want to promote their growth as important means for companies to maintain a dialogue with their various constituencies. As we noted in the Shareholder Forum Release, companies may find these forums “of use in better gauging shareholder interest with respect to a variety of topics,” and the forums “could be used to provide a means for management to communicate with shareholders by posting press releases, notifying shareholders of record dates, and expressing the views of the company’s management and board of directors.”

Statements made on a blog or forum will not be treated any differently than any other statements made by the company for purposes of anti-fraud provisions.

The Implications of Stone v. Ritter

In 1996, Delaware’s Court of Chancery stated in the Caremark case that a director’s duty of good faith includes a duty to attempt to assure that a corporate information and reporting system exists, and that failure to do so may, under some circumstances, render a director liable for losses caused by the illegal conduct of employees. In 2006 the Delaware Supreme Court applied and clarified the Caremark language in the case of Stone v. Ritter.

Rebecca Walker of Walkercompliance.com wrote a summary of the Implications of Stone v. Ritter on Board Oversight of a Compliance Program.

The Stone decision formalizes the discussion that appeared in Caremark regarding potential liability of directors into a holding that directors may be liable for the damages resulting from legal violations committed by employees of a corporation, if directors fail to implement a reporting or information system or controls or fail to monitor such systems. The court places this duty of directors squarely within the duty of loyalty. The decision also provides a view of those factors that the court will use in deciding whether the board oversight of the company’s compliance program was adequate to prevent liability to the directors.