Next week I will be in Washington, D.C. attending Compliance Week’s Fifth Annual Conference.
Let me know if you are attending.
Doug Cornelius on compliance for private equity real estate
I’m in Miami today for Interact 2010. I will try to post my notes from some of the sessions. Here is my agenda for the day:
Steven Harmon, Director of Legal Services, Cisco Systems, will present the state of technology within the legal industry and its role in enabling the in-house legal department to provide exemplary service to its clients while building deep, lasting relationships with outside counsel advisors. Mr. Harmon will explore how to balance collaboration requirements for modern teamwork interaction with internal and extraprise groups with the critical need to enforce accountability, traceability, and security of all legal and regulatory work.
Global legal and regulatory requirements continue to grow and information needs are expanding right along with them. How do we manage the depth and breadth of compliance while ensuring that we know all the risks and have the right controls in place? Today’s forward thinking companies are gaining the control they need, enhancing transparency and enabling compliance efforts to serve the company’s objectives rather than impede them. In this session you will learn tips and techniques for taking compliance from the “Department of No” to the “Department of Know.”
Corporate Communication takes on a whole new meaning in a world of social media, where employees can freely post their views and spread documents, photographs and even videos across the globe with a click of a mouse. Companies that are ahead of the curve not only have established policies regarding use of social media sites by their executives and employees, but also are finding ways to use social media to their competitive advantage. Join our panel to hear about the risks and rewards that a well managed approach to social media can bring.
This panel session explores trends and current best practices to develop and implement a defensible and controlled strategy for legal hold management from both the corporate legal and law firm perspectives.
In recent years the United States has greatly increased efforts to investigate and prosecute FCPA violations, a trend which will likely not change in 2010. As a result, companies must continue to identify high-risk relationships with agents, vendors, and partners as well as focus on the detection, mitigation and prevention of unethical activity. How will recent FCPA violations impact compliance programs? How do companies know if they have implemented effective anti-corruption programs? How will due diligence programs be augmented to include FCPA compliance?
During this session we will review recent FCPA violations and discuss developments in FCPA enforcement. The panelists will give their perspectives on recent developments as well as discuss their experiences and challenges in developing and implementing effective global anti-corruption programs.
Scott Giordano, Director of Product Marketing, Mitratech. As companies seek to comprehend and comply with the global proliferation of complex security, privacy and compliance regimes, too often they focus exclusively on specific regulations, standards, laws, and local or industry initiatives. Lost or forgotten are the cultural and business issues that can make or break a program: How do differences in the cultural values of other nations affect program success? How does communication flow throughout the enterprise? How do business requirements drive policy? What education, training and awareness programs work, and how can the company’s strategies leverage those strengths? This panel, led by Scott Giordano of Mitratech, will explore the cultural and business drivers that affect the impact of global security, privacy and compliance program strategies.
I was in the audience for FINRA’s latest educational Program: Implementing Compliance Practices for Social Media.
This program addressed implementation of new guidance that FINRA recently issued in Regulatory Notice 10-06, concerning social media.
Tom Pappas
FINRA does not endorse any particular practice and each firm will have to do things differently. The views in this webinar will not provide a safe harbor.
Joseph Savage
Regulatory Notice 10-06 addresses five different areas:
Record-Keeping. You need to keep copies of the information you publish, regardless of the form. FINRA is aware that it’s not easy to capture this information when using third-party sites like Facebook. (Tough. Deal with it). You can file screenshots with FINRA.
Suitability responsibilities (Notice to Members 01-23). You are better off not recommending any specific investments.
Types of interactive electronic forums. Generally, postings will be considered advertisement, but interactive postings are a public appearance (so you do not need principal approval). They felt that Twitter posts and Facebook updates would be interactive electronic forums.
Supervision of social media sites (Regulatory Notice 07-59). This should be a risk-based review.
Third-party posts (“Adoption” and “Entanglement”). Generally, third-party content is out of your control. But if you arrange for third-party content or endorse it, then you may be deemed to have adopted that content, and it is treated as if you adopted it directly.
The notice is just guidance, not a rule. FINRA is looking at a new rule. See Regulatory Notice 09-55.
Doug Preston & Joanne Rodgers
Doug pointed out the tremendous growth of social media. Regardless of the form and how it works, you need to use the sites in compliance with rules. (The rules are not going to adapt to social media.)
Joanne is doing a pilot with a vendor to help with compliance. They had lots of requests from recruiting and sales to use the tools.
If you use a social media site for personal purposes, can you still list that you work for the financial services company? You can have a “business card rule.” Just post the information on your business card, with no call to action or specific information.
Is this a growth area or just customer pressure? They have no data. Sales really want to use the tools to generate business. They view it more as a lead generation tool than a sales tool. Recruiting is an avid user of social media sites, especially LinkedIn.
Nobody has much data on the cost/benefit of using social media sites.
Doug Preston & Joanne Rodgers
Joanne has just finished a pilot for 25 agents and 25 recruiters. She saw that most of the agents participated in Facebook, more personal than business. The recruiters mostly used LinkedIn. (She did not want to disclose the vendor she used.)
Doug has not opened up the broker side to social media. The bank side does use it. They are using some of that learning to build a system for the broker side.
One issue is the level of activity and the additional resources needed to review activity. The tools may be free, but they require people resources and time.
The key is the ability to obtain and retrieve the records and to move the records into your email surveillance program. It’s also important to be able to shut off some of the functionality on social media sites.
Doug Preston & Joanne Rodgers
There are lots of risks. You need to draw a line between sites you control and those run by third parties. You can do stuff on a blog you host that you can’t do on a third-party blog platform.
You will need new processes and policies. You will need lots of training.
FINRA is ahead of the curve compared to some other regulators in the financial services industry. Insurance regulators have not addressed the use of social media.
One of the big risks is brand/reputation risk. Each of the registered representatives becomes a brand ambassador. If they say something bad or embarrassing, it affects the company as well as themselves.
What is FINRA looking for? If you are using social media, they will want to see: written procedures, actual supervision, records and procedures.
They did not like LinkedIn recommendations. Registered representatives should not accept the recommendations.
The distinction between the static and interactive categories is the toughest one to deal with.
Joseph Savage, Doug Preston, Joanne Rodgers, & Joseph Savage
Questions 8, 9 & 10 in Regulatory Notice 10-06 address the issue of third party posts. You probably should put in a disclaimer if you let third party posts on your site. You should monitor them to make sure there is no inappropriate material (porn, copyright). You also need to monitor complaints.
A reg. rep. “favoriting” something or “liking” something could be considered adopting that third party statement.
The session should be available online in a few weeks.
Tom Pappas (Moderator) is Vice President and Director of FINRA’s Advertising Regulation Department. The department regulates the advertisements, sales literature and correspondence used by FINRA firms. His responsibilities include rule development, management of the filing and surveillance programs and related enforcement activities. He served in the same role at NASD before its 2007 consolidation with NYSE Member Regulation, which resulted in the formation of FINRA. He joined NASD in 1984 and was previously with Davenport & Company LLC. He received a bachelor’s degree from The University of Richmond and an M.B.A. from Virginia Commonwealth University.
Douglas Preston is a Senior Vice President and Compliance Executive at Bank of America Merrill Lynch (BAML), as well as Chief Compliance Officer for Merrill Lynch Professional Clearing Corporation, the firm’s prime brokerage arm. He is also responsible for a number of other compliance areas at the firm, including serving as the Chairman of the firm’s Enterprise Electronic Communications & Media Governance Committee, and leading BAML’s Global Banking & Markets Electronic Communications & Media Compliance team, among other responsibilities. Prior to BAML, Mr. Preston was Senior Special Counsel at NYSE Regulation. In his role at the NYSER, Mr. Preston helped develop and interpret various NYSE rules. He has worked on several major regulatory initiatives, including Regulation SHO, gifts and entertainment and electronic communications (NYSE 07-59), among others. Before joining NYSE, Mr. Preston was the General Counsel and Chief Compliance Officer (CCO) for Santander Investment, SA’s New York investment bank. He was also the CCO of the investment banking arm of the Bank of Nova Scotia, and Associate General Counsel for the Securities Industry Association (now SIFMA). Prior to SIFMA, he worked in private practice, representing financial services entities. Mr. Preston received his J.D. from Fordham University School of Law. He is a member of the Bar of New York, New Jersey, Washington, DC and the U.S. Supreme Court.
Joanne Rodgers is a Vice President of Compliance at New York Life Insurance Company (NYL). She is responsible for managing the sales material review unit, field review unit and market surveillance. Ms. Rodgers has worked at NYL in various roles of compliance for the past 15 years. Prior to joining NYL, she worked as an examiner at NASD. She is a graduate of Franklin & Marshall College with a B.A. in Business Administration.
Joseph P. Savage is a Vice President in FINRA’s Investment Companies Regulation Department. Mr. Savage specializes in a broad range of securities regulatory matters, including investment management, investment company, advertising and broker-dealer issues, and regularly appears at conferences regarding these issues. Prior to joining FINRA, he was an Associate Counsel with the Investment Company Institute and an attorney with the law firms of Morrison & Foerster LLP and Hunton & Williams. Mr. Savage also served as a judicial law clerk for United States District Judge John P. Vukasin of the Northern District of California. Mr. Savage holds a bachelor’s degree from the University of Virginia, a master’s degree from the University of California, Berkeley, and a J.D. from the University of California, Hastings College of the Law, where he served as Note Editor of the Hastings Law Journal.
For those of you stalking me or trying to find out when my house is empty, here are some places I will be this spring:
Mark Fryenburg asked me back to speak to his class: CS 299 Web 2.0: Technology, Strategy, Community. I’m going to tackle personal knowledge management. After all, that is the reason that Compliance Building exists. I’ll be there on the afternoon of March 17. I did a similar presentation to this class last spring.
Rather than the marketing aspects of blogs and web 2.0 tools, I’ll focus on how they can help you as an individual in accumulating the knowledge you need to do your job and develop yourself professionally. Hopefully, I can open the eyes of these college students. Don’t assume that the digital generation knows how to use web 2.0 tools any better than you.
In April I will be heading down to San Antonio to an ICI Mutual Conference to speak about social media and compliance.
My presentation will focus on the issues that investment companies and investment advisers will have in dealing with social media. This will be my first time in San Antonio.
On May 6, I will be speaking at the Annual Conference for the Association of Legal Administrators.
My topic will be The Social Networking / Web 2.0 Revolution. I’m going to bring my experience as a lawyer, law firm client, legal administrator and user of web 2.0 to give a better understanding of the web can firms and ways that firms can manage the use of web 2.0.
On May 17, I will be down in Miami at Interact 2010: The Legal and Compliance Technology Forum.
I will be on a panel with Kathleen Edmond, Chief Ethics Officer of Best Buy and Janice Innis-Thompson, SVP & Chief Compliance Officer of TIAA-CREF. We will be talking about governing social media. The focus will be on ways to monitor, manage and make the most of employee use of web 2.0 tools.
From May 24 to 26, I will be hanging out at the Compliance Week 2010 Conference. I’ll be able to sit back and enjoy the great agenda and leading speakers from the industry and government. I had a great time at this conference last year and met some great people. So I’m going back for more.
There should be some great compliance bloggers there: Francine McKenna of re: The Auditors, Bruce Carton of Securities Docket, Tom Fox of Tfoxlaw’s Blog (he needs a better name for his blog), Alex Howard of SearchCompliance.com, and Compliance Week Editor In Chief Matt Kelly.
For a change of pace, I’m speaking at Pax East on March 26 on Bringing up the Next Generation of Geeks.
In my spare time, I’m a contributor to Wired’s Geekdad. The Pax East panel will be composed of a bunch of the GeekDad writers.
You can see my upcoming and past speaking engagements on my speaking engagements page.
Dow Jones and Ethisphere put on a great conference addressing ethics and compliance professionals. The Global Ethics Summit 2010 had a stellar line up of panels and presenters.
As with most conferences, it lacked power and wifi access. Fortunately, my company’s sturdy laptop battery and AT&T wireless access card allowed me to live blog from the sessions. Below are the blog posts that contain my notes from each session.
For pictures, Dow Jones has published some photos on Flickr: Global Ethics Summit 2010 Photos. There is also a stream of updates on Twitter from the conference: #GlobalEthics.
Since the posts were live from the sessions they are probably riddled with typos and grammatical errors. At least it’s better than my handwriting.
Compliance 2010 – What’s Next?
New challenges abound amid advancing best practices, not to mention the continually escalating rate of enforcement both by U.S. regulators and overseas officials. What’s on the horizon for compliance? This roundtable discussion comprised…
Working Toward a Healthier Organization: Pfizer’s Compliance Program
There are a number of challenges associated with maintaining integrity as a top priority in a highly competitive global business. But sometimes, despite company’s most earnest efforts to effectively implement compliance metrics and…
Tone at the Top: The Board’s Role
Understanding and supporting a prudent ethical and compliant tone throughout an organization is a core responsibility of the board of directors. Board actions are more transparent than ever to employees, investors, regulators, media…
Global Insights into the Anti-Corruption Landscape
Dow Jones Risk & Compliance presents the results of a recent survey of current anti-corruption regulation, emerging trends and the impact on corporations around the world. The speaker was Rupert de Ruig, Managing Director,…
Doing More with Less: Compliance During Tough Economic Times
Let’s face it: compliance is usually seen as a cost center. While there’s been some good and interesting research about the positive impact on the business of a good ethical culture and brand,…
Training a Diverse Workforce: Best Practices
Having a code of ethics is not enough to ensure compliance. Training is the vital step that brings these standards to life—effective training helps ensure that key tenets are retained and applied. While…
Don’t Be Evil: Imagination at Work with Google and GE’s Compliance Programs
General Electric and Google are two very different, yet equally substantial powerhouses with varying businesses to each company’s name. Ensuring compliance with U.S. and foreign regulations while maintaining Google and GE’s respective competitive edges…
Transparency – What, How Much and When?
How much should a company be disclosing to shareholders, investing communities, regulatory authorities and customers about its compliance program and other ethics-related activities? What risks does a company shoulder when it takes a…
When the Government Comes Knocking
What’s the best course of action when addressing a regulatory inquiry? Many have suggested that having a better than average compliance program to showcase will certainly help your case. But what are some…
Does Compliance Matter?
When trouble arises, one of the factors prosecutors consider during an investigation is the existence of a strong compliance program. Recently proposed amendments to the Federal Sentencing Guidelines would formally lower the sentencing…
I am attending the Global Ethics Summit 2010, hosted by Dow Jones and Ethisphere. Here are my notes, live from this session:
When trouble arises, one of the factors prosecutors consider during an investigation is the existence of a strong compliance program. Recently proposed amendments to the Federal Sentencing Guidelines would formally lower the sentencing range for companies with certain compliance mechanisms in place. But is there enough incentive for companies expending resources, particularly in tough economic times, or will they just get in trouble anyways? And at a time when a company’s brand value is increasingly dependent on intangible assets such as reputation, what are the financial repercussions on compliance? Do companies with ethical reputations really outperform those not known for their good behavior?
Panel:
Jeff noted the importance of a “Speak Up” culture at a company. You need employees to report problems up the chain. Leaders at all levels can chill a “Speak Up” culture.
Since Greg’s company is a government contractor, they need to make the government happy or they lose their biggest customer.
Jeff thinks training is one of the key elements of an effective compliance program. Live training is by far the most effective. (He gives an “F” to the summit because there was not much interaction.) He makes sure that the trainees get lots of documentation and information before the training session. He makes sure that annual training is different each year.
Patricia sees alignment as key: you need to make sure the compliance program is aligned with, and in the context of, the underlying business. Access is key so that people have an open door to ask questions. Analysis is key to make sure that you spot issues. Adjudication needs to be in place so that bad acts are punished. You need to think about how much disclosure you make internally and externally.
Charles emphasized the need for repetition. You need to keep sending out the message. He also thought compliance and legal departments should be looked at as profit centers, not cost centers.
Greg emphasized the need to have a way for people to come forward and for the company to know what to do when someone comes forward.
Charles compared the hotline to the moon mission. People complained that going to the moon was a waste of time and money. But there were tremendous collateral benefits from the moon mission. (Love that Tang and Velcro.) The same is true for the hotline. It can provide tremendous insight into the corporate operations even if nothing material as a compliance issue comes from the hotline.
I am attending the Global Ethics Summit 2010, hosted by Dow Jones and Ethisphere. Here are my notes, live from this session:
What’s the best course of action when addressing a regulatory inquiry? Many have suggested that having a better than average compliance program to showcase will certainly help your case. But what are some strategies for engaging with your lawyers in these unique cases? And how distant or directly should a company be involved in the discussions with DOJ or other regulators?
Panel:
Hank started off by sharing his thoughts. It is always good to have a compliance program. When the DOJ comes in, they don’t look at the paper program for compliance, they want to see how it works in execution. The DOJ looks behind the facade. They want to know about training, they want to know what the risks are and how they addressed those risks. Off-the-shelf compliance will not make the DOJ happy.
Eric pointed out that the new Federal Acquisition Regulations require the agency to include ethics and compliance programs as part of their evaluation of potential contractors. Everyone focused on the mandatory disclosure requirements. The government is focused on the due diligence prior to entering into the contract. They want to prevent problems from occurring.
Thomas pointed out that abroad, they think about fear peddling. Largely because the US approach to compliance has not made its way abroad. You need to have integrity, you need effective self-policing and you need to engage in responsible self-reporting. You need to integrate that into the “marrow” of your enterprise.
The problems at Pride came from acquisitions years earlier. Those organizations were not properly integrated into the overall organization.
Hank agreed that enforcement abroad is not as strong as the US. However, the US is no longer the “only sheriff in town.” Enforcement for corporate misdeeds is on the rise and sharply on the rise in some areas and some jurisdictions.
Hank also pointed out that he sees significant differences between the outcomes for companies that self-disclosed as opposed to those who got caught. (It sounds like there is room for some empirical studies on the treatment. Maybe there are some and I have not seen them yet.) Eric agreed that the end result would be dramatically better if they self-disclosed as a government contractor.
Thomas put a challenge back to Ty about how big law firms are positioning themselves to really help companies, in-house counsel and compliance officers be better. The days of talking about waiving privilege and whether to report are over. Law firms need to prove that their advice is an effective part of the compliance program.
Hank chimed in and agreed with Thomas’s take on the use of outside law firms. The DOJ sends FBI agents to interview executives, to seize records and run stings. They are less likely to do so when you self-disclose.
I am attending the Global Ethics Summit 2010, hosted by Dow Jones and Ethisphere. Here are my notes, live from this session:
How much should a company be disclosing to shareholders, investing communities, regulatory authorities and customers about its compliance program and other ethics-related activities? What risks does a company shoulder when it takes a more transparent approach than not, and what are the risks associated with non-disclosure? And, when a possible transgression has been uncovered, when and how is disclosure appropriate, what are the benefits to the company of disclosure in this case, and how should third parties (such as outside counsel) be engaged when doing so?
Panel:
Wendy told how Fluor uses transparency as a competitive advantage. Public disclosure makes for public identity. You want your employees and customers to know that getting it done on time is one factor. Getting it done right is the most important goal.
Nancy pointed out the correlation between trust and transparency. If people are watching, then you are going to act better. As companies focus on corruption, sustainability and ethical issues in their reporting, there will be pressure for others to also report. Transparency helps with commitment and measurement of steps towards compliance.
The panel took on the issue of whether additional disclosure creates more liabilities. There have been some rumblings that there could be more liability to the company.
David Andrews pointed out the board has a standard of care that they need to meet. There is a responsibility to get information out to the shareholders. Frankly, if you are doing something good, you should let people know that you are doing something good.
David Howard, wearing the lawyer’s hat, pointed out that no compliance program is perfect and issues will fall through the cracks. If you publicize that you have a complete program, you need to be careful that you are not making false statements.
Inevitably, what you do today in 2010 will be judged by the standards in place in 2015. You need to stay ahead of the game.
When reporting to the board you need to be careful that you do not overwhelm them with information. You need to highlight issues if you really want their input.
There are two disclosure tests. (1) Do you need to disclose to the shareholders? and (2) Do you need to disclose to the government? The next step after whether you “have to disclose” is “should you disclose?” Theoretically, you will get better treatment if you voluntarily disclose. However, there is no empirical evidence that you actually get treated better. You show your stakeholders that you are committed to doing the right thing. It does not prevent the cost of an expensive and lengthy investigation. You may still be subject to government action even if the sentence is reduced. You also open yourself to civil litigation. You need to make a “gut check.”
I am attending the Global Ethics Summit 2010, hosted by Dow Jones and Ethisphere. Here are my notes from this session:
General Electric and Google are two very different, yet equally substantial powerhouses with varying businesses to each company’s name. Ensuring compliance with U.S. and foreign regulations while maintaining Google and GE’s respective competitive edges in today’s increasingly complex and competitive marketplace can be daunting, to say the least. Brackett Denniston, Senior Vice President and General Counsel for GE, and Andy Hinton, Chief Compliance Officer and Associate General Counsel for Google, compare notes about how each company tackles critical issues, what has worked and what hasn’t and what issues most concern them going forward.
This session was held during lunch so my notes are sparse.
My first observation is that Brackett showed up in a dark suit, white shirt and a blue tie, looking very GE-ish. Andy was dressed in jeans and sport jacket, looking very Google-ish. (Although Andy came from GE and is a self-proclaimed GE disciple.)
Andy uses lots of measurements in his compliance program. He is trying to model the Google program on his experience at GE. GE has a reputation for lots of measurement.
It is important to let people know that their jobs are at risk for compliance failure. You don’t want to just find scapegoats. You need to find the real bad actor.
You also need to reward employees for good behavior. It is important to point out the good stuff and the bad stuff.
Response is the key part of the process. Get the facts fast and disclose fast after you have those facts.
Google relies even more on their brand than GE. It’s hard to replace a nuke reactor. It’s easy to switch search engines.
Without your reputation, it’s hard to do business. Your company’s reputation is a big part of a company’s value.
Build a case for value. You are better off missing the numbers than creating a reputational risk. Balance the risk and cost of the violation against the small dollar value of the gain from the bad act.
As long as you have board and CEO buy in then you can do a lot with limited resources.
You want to hire and promote people you can trust and that live and breathe the company culture.
The compliance group at Google is not trying to be cutting edge, unlike the rest of the company. They want to be block and tackle.
In regulated enterprises you need to have heightened awareness and a different approach to compliance. And there is more regulatory risk coming. Even China is promulgating thousands of regulations.
You have to be better than merely meeting the base regulations.
I am attending the Global Ethics Summit 2010, hosted by Dow Jones and Ethisphere. Here are my notes, live from this session:
Having a code of ethics is not enough to ensure compliance. Training is the vital step that brings these standards to life—effective training helps ensure that key tenets are retained and applied. While organizations need to take every measure to ensure that employees take training principles and apply them to everyday situations, this oftentimes is easier said than done. What are the best practices in workforce training employed by leading organizations and their training providers? What are they training on, who’s being trained, and how is this training being delivered, communicated and tracked?
Panel:
Stella pointed out that a large percentage of her workforce is not connected to the company through electronic messages. There is a difference in how you need to communicate with blue collar and white collar workers. Diversity is not just ethnicity and gender. Twitter is not going to reach everybody in your company.
Loren has a diversity of job functions at American Express. They had an enormous job just cataloging all of the compliance programs throughout her organization. They created a toolkit of materials for managers to use. They wanted to make it easier for managers to send the right message.
Howard has taken a risk-based approach to training and compliance at Hewlett-Packard. There is a conflict between centralized training and distributed training. They allow district managers to assign training to employees. There is still a set of required training based on job function. Formal training is just one aspect of compliance training. It’s all of the other messages sent to employees.
The panelists emphasized the need to have a face for your compliance program. It’s important to get local champions. You don’t need them to be compliance experts. You need them to be able to spot the issue and be willing to ask the question to the expert, compliance person or legal counsel.
Howard pointed out the need to avoid “compliance training.” You need to have compliance built into business operation training. Training merely to “check the box” will not be effective.
It’s important to remember that not doing something also sends a message. If people do something wrong and do not suffer consequences, that sends a message.
A practice note from the panel was to send out messages about the importance of training before the training session. Send out messages about recent failures of anti-money laundering in the news to people before they attend their anti-money laundering training. Training is expensive so you need to maximize the value to the company and the participants. Let them know the importance. Give them tools to help them better understand the issues in the context of your business.
One interesting challenge with training the board of directors is that board members who sit on multiple boards get training fatigue.