Decision on Whistleblower Provisions of Sarbanes-Oxley

A federal court held that a former employee seeking whistleblower protection acted in good faith, but that under an objective analysis his belief that the company was engaged in fraud was not reasonable, and it upheld his termination. Day v. Staples, Inc., 2009 WL 294804 (1st Cir. February 9, 2009)

The employee complained that the company regularly mishandled customer returns. The company claimed that the employee was terminated for performance reasons not connected to his statements about improper conduct.

The Department of Labor administrative law judge dismissed the SOX complaint, as did the federal district court. The district court concluded that the belief that Staples was engaged in accounting fraud was not reasonable.

In this decision, the First Circuit Court of Appeals held that the “reasonable belief” had to be both subjectively and objectively reasonable.

This is the first decision by the First Circuit under the whistleblower protection provision of the Sarbanes-Oxley Act (“SOX”), 18 U.S.C. §1514A.

Day’s complaint did not assert any specific violations of securities laws; rather, it stated that he believed certain Staples practices resulted in the “manipulat[ion] [of] accounting data in an unlawful manner that had negative financial ramifications for Staples,” which “defrauded Staples’ shareholders” and violated the Staples Code of Ethics.

The Court stated: “The plain language of SOX does not provide protection for any type of information provided by an employee but restricts the employee’s protection to information only about certain types of conduct. Those types of conduct fall into three broad categories: (1) a violation of specified federal criminal fraud statutes: 18 U.S.C. § 1341 (mail fraud), § 1343 (wire fraud), § 1344 (bank fraud), § 1348 (securities fraud); (2) a violation of any rule or regulation of the SEC; and/or (3) a violation of any provision of federal law relating to fraud against shareholders.” 18 U.S.C. §1514A(a)(1)

When the court applied this test to Mr. Day, it found that he brought his complaints in subjective good faith. However, there was no objectively reasonable basis to believe that the conduct of which Mr. Day complained constituted securities fraud or shareholder fraud. Without an objectively “reasonable belief” that the conduct constituted either securities fraud or shareholder fraud, the court determined that the whistleblower protection provision did not shield Mr. Day from termination.

The Risk Management Formula That Killed Wall Street

Felix Salmon published a great article in Wired, Recipe for Disaster: The Formula That Killed Wall Street, that looks at the widespread use of the Gaussian copula function in assessing the risks in mortgage-backed securities.

The theory behind the Gaussian copula function tries to overcome the difficulty of assessing the multitude of correlations among all the risks in a pool of mortgages. David X. Li came up with a Gaussian copula function that, instead of waiting to assemble enough historical data about actual defaults, which are rare in the real world, uses historical prices from the Credit Default Swaps market. Li wrote a model that used the price of Credit Default Swaps, rather than real-world default data, as a shortcut to determining the correlation between risks. There is an inherent assumption that the CDS markets can price default risk correctly.

I did not do well in my college statistics class. (It was on Friday afternoon, close to happy hour.) But I do remember two concepts. One, correlation does not equal cause and effect. Two, you always need to challenge the underlying assumptions and methodology, because they can have dramatic effects on the data. (And third, do not schedule difficult classes on Friday afternoon.)

According to Felix’s story, Wall Street seemed to miss some of the underlying assumptions in the Gaussian copula function. Since the risk profile was based on the CDS market, the data only looked back as far as the CDS market existed. That was less than ten years. During that time, home prices did nothing except skyrocket. Unfortunately, the last real estate crash was before that period.
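To make the dependence on the correlation input concrete, here is an added example (my own illustration, not code from Salmon’s article or from Li’s paper) of the simplest two-name version of the model: each borrower defaults when a latent standard-normal variable falls below a threshold set by its marginal default probability, and the two latent variables share a correlation rho. The `implied_correlation` helper runs the shortcut in reverse, backing rho out of a joint-default figure of the kind a market price is assumed to encode. All inputs are constructed, and the function and variable names are my own.

```python
"""Two-name Gaussian copula: how the correlation input drives joint-default risk.

Added illustration, not code from Salmon's article or David X. Li's paper.  It
assumes the textbook form of the model (each name defaults when a latent
standard-normal variable falls below a threshold; the latent variables have
pairwise correlation rho) and uses constructed inputs rather than CDS data.
"""
import math


def std_normal_cdf(x):
    """Phi(x): standard normal cumulative distribution function."""
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def std_normal_pdf(x):
    """phi(x): standard normal density."""
    return math.exp(-0.5 * x * x) / math.sqrt(2.0 * math.pi)


def std_normal_quantile(p, tol=1e-12):
    """Phi^{-1}(p) by bisection, so no SciPy is needed."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must lie strictly between 0 and 1")
    lo, hi = -40.0, 40.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if std_normal_cdf(mid) < p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def joint_default_probability(p, rho, steps=4000):
    """P(both names default) for marginal default probability p and latent
    correlation rho in [0, 1).

    With d = Phi^{-1}(p), conditioning on Z1 = z makes Z2 normal with mean
    rho*z and variance 1 - rho^2, so
        P(Z1 < d, Z2 < d) = integral_{-inf}^{d} phi(z) Phi((d - rho z)/sqrt(1 - rho^2)) dz,
    evaluated here by Simpson's rule on [-10, d] (the tail below -10 is negligible).
    """
    if not 0.0 <= rho < 1.0:
        raise ValueError("rho must be in [0, 1)")
    d = std_normal_quantile(p)
    s = math.sqrt(1.0 - rho * rho)
    steps += steps % 2                      # Simpson's rule needs an even count
    a, h = -10.0, (d + 10.0) / steps
    total = 0.0
    for i in range(steps + 1):
        z = a + i * h
        f = std_normal_pdf(z) * std_normal_cdf((d - rho * z) / s)
        total += f * (1 if i in (0, steps) else 4 if i % 2 else 2)
    return total * h / 3.0


def implied_correlation(p, joint_prob, tol=1e-6):
    """The 'shortcut' in reverse: back out rho from an observed joint-default
    probability, the kind of number a market price is assumed to encode."""
    if not p * p * (1 - 1e-6) <= joint_prob <= p:
        raise ValueError("joint probability must lie between p^2 and p")
    lo, hi = 0.0, 0.999
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if joint_default_probability(p, mid) < joint_prob:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def sensitivity(p, rhos=(0.0, 0.3, 0.6, 0.9)):
    """Joint-default probability for each rho and its multiple of the independent case."""
    rows = []
    for rho in rhos:
        jp = joint_default_probability(p, rho)
        rows.append((rho, jp, jp / (p * p)))
    return rows


if __name__ == "__main__":
    # Constructed input: two names with a 5% marginal default probability each.
    for rho, jp, mult in sensitivity(0.05):
        print(f"rho={rho:.1f}  P(both default)={jp:.5f}  x{mult:.1f} vs independence")
```

The point of the table it prints is that the marginal default rates never change; only the correlation input moves, and the probability of the two names failing together rises by an order of magnitude between rho = 0 and rho = 0.9. When that input is read off a market that has only ever seen rising house prices, the whole pool’s tail risk inherits the assumption.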

Li’s formula was used to price hundreds of billions of dollars worth of mortgage-backed securities. As we now see, Wall Street got it wrong.

It looks like I did not waste my time with statistics and that I got the key knowledge. Look closely at correlation to see why things are moving together. Challenge the underlying assumptions and make sure you understand how they affect the end product of your results. Those are good lessons for anyone involved in enterprise risk management.

The 2008 LRN Ethics and Compliance Risk Management Practices Report

LRN published their 2008 LRN Ethics and Compliance Risk Management Practices Report (.pdf) (free registration required). The report is based on a survey of senior ethics, legal, risk and audit professionals, with 461 completed surveys.

The key findings of the report:

  • Ethics and compliance programs are maturing
  • Companies identify their top two ethics and compliance risks as electronic data protection and data privacy
  • A majority of companies perform formal risk assessments involving multiple functions
  • Companies cite engaging employees and making education more relevant as their top challenges in prevention
  • Detecting violations still presents a significant challenge
  • Multinational companies face bigger challenges at their international regions than at headquarters
  • Few larger companies actively manage ethics and compliance risks within their supplier and partners’ network
  • Lack of resources – budget and staff – continues to be the leading challenge in conducting risk assessments and in implementing prevention programs

LRN conducted a similar survey in 2007, so this report is able to identify trends (to the extent two data points make a trend). I hope that they conduct a survey this year to see if these trends stay true.

“More and more companies are recognizing that ethics and compliance is the new frontier of business strategy. Increasing research demonstrates that forward-looking companies that put in place comprehensive and holistic ethics and compliance programs – i.e., programs that do not simply ensure the organization meet all regulatory requirements but that embed values-based business conduct into their culture – enhance their capabilities to compete in the marketplace. Without the distractions that accompany conflicting ethical viewpoints and goals or concerns over potential and actual rules infractions. Companies should concentrate on the workforce or the management of compliance infractions, companies can thrive through inspiration, motivating employees to be their best. An ethical work environment leads to more productive and profitable organizations.”

The report also pitches the LRN Ethics and Compliance Risk Management Process:

An integral component of enterprise risk management is to holistically build a strong control environment with a culture of corporate ethics, by defining, preventing, detecting, responding and evaluating as part of five key steps for building a sustainable compliance risk management process:

  • Define business ethics and corporate compliance risks to create a comprehensive risk profile.
  • Prevent ethics and compliance lapses/failures with hard and soft controls, including business ethics and corporate compliance training.
  • Detect noncompliance with the law, regulations, company code of ethics and corporate governance practice via multiple reporting methods.
  • Respond swiftly and publicly to allegations and potential violations.
  • Evaluate results and make continuous improvements.

An LRN illustration of their process accompanies the report (figure: lrn-process).

How Not To Fire Someone for Workplace Fraud

Staples fired sales director Alan S. Noonan for padding his expense report. Executive Vice President Jay Baitler sent an e-mail to approximately 1,500 employees explaining the reason for the firing.

The e-mail contained no untruths, but Mr. Noonan sued for defamation anyhow.

Unfortunately for Staples, truth is not a defense in Massachusetts if the challenged statement was communicated with actual malice, according to the 1st U.S. Circuit Court of Appeals in its recent decision Noonan v. Staples (posted at JD Supra).

The 1st U.S. Circuit Court of Appeals looked at G. L. c. 231, Section 92, which says that truth is a defense to libel “unless actual malice is proved.” However, in a 1998 case, Shaari v. Harvard Student Agencies, the Supreme Judicial Court ruled that statute unconstitutional as applied to matters of public concern.


A Benchmarking Survey on Third-Party Codes of Conduct


Rebecca Walker of Kaplan & Walker LLP is the author of a report, A Benchmarking Survey on Third-Party Codes of Conduct (register to download), sponsored by The Society of Corporate Compliance and Ethics. The SCCE received survey results from more than 400 compliance professionals on how they deal with third-party compliance policies. As Rebecca points out in the report: “Organizations are also subject to risks of misconduct by virtue of the actions of agents and other third parties who act on their behalf or partner with the organization in some way.”

Among the relevant findings in the survey:

  1. Only 47% of companies disseminate their internal employee code of conduct to third parties.
  2. Only 26% of companies require that third parties certify to their codes of conduct.
  3. Of those 26%, 92% did not have a threshold as to when they required certifications.
  4. Only 17% of organizations have a code of conduct that is applicable to third parties.

Rebecca points out the U.S. Sentencing Guidelines provide incentives to have your compliance programs reach out to third parties:

Sentencing Guideline §8B2.1(4):

(A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.

(B) The individuals referred to in subdivision (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.

One of the problems with pushing out your compliance program to third parties is that they may have their own program, which differs from yours. The bigger problem is setting compliance standards but not enforcing them. Rebecca offers some ways to extend compliance and ethics requirements to third parties. These are some highlights:

  • Conduct due diligence regarding business partners’ compliance and ethics programs.
  • Incorporate language into contracts with third parties requiring compliance.
  • Train third parties on the ethics and compliance program or on particular company policies or procedures.

Thanks to Corporate Compliance Insights for pointing out this survey: Third Party Controls Lacking In Ethics and Compliance Expectations Says SCCE Survey.

Ways Webinars Fail

After my webinar with Bruce Carton on Tuesday (Web 2.0: Leveraging New Media to Maximize Your Securities and Compliance Practice), I ran across a three-part series on Why Webinars Fail from Larry Kilbourne: Content Failures, Format Failures and Process Failures. I hope we did not make too many of these mistakes:

  • Cramming too much into one slide. The unmoving PowerPoint slide becomes like wallpaper on the monitor. (Larry recommends a slide or two per minute.)
  • A presenter simply reading the bullet points. (“Bullet points, if used properly, are the basis for commentary, not the commentary itself.”)
  • Animations and streaming video. (Audience members may not have the internet connection bandwidth to handle them.)
  • Delivering a monologue. (Use a “Charlie Rose” format.)
  • Using the webinar as a sales pitch. (Webinar registrants are prepared to get pitched, but they expect in return to receive information, data, or research that will benefit them.)
  • Live product demos. (Inevitably the product crashes – in real time, in front of an audience.)
  • Lack of preparation. (Unrehearsed webinars generally look unrehearsed.)

Thanks to Stewart Mader for pointing out these articles: Why Webinars Fail To Sustain Attention & How to Fix Them.

Compliance Building Is Now Mobile

To those of you who use mobile devices, I have installed a plugin that makes it easier to read Compliance Building on your mobile device. It looks great on my iPhone. At some point in the future I will add a little more pizzazz to the color scheme and maybe an image. It also renders quickly on my BlackBerry. In each case, it shows just the last few blog post headlines and the main navigation pages.

Thanks to Stewart Mader for pointing out the MobilePress plugin for the WordPress blogging platform: Future Changes in 2009: Part 4: iPhone & Mobile Versions.

COBRA Coverage Under ARRA

As part of the enormous stimulus package in the American Recovery and Reinvestment Act of 2009, the federal government included some relief for laid-off employees.


Mark Spring discusses the COBRA subsidy in ARRA over at the California Labor and Employment Law Blog: The Stimulus Bill’s Impact on COBRA.

The biggest change to COBRA is a 65% subsidy from the government for certain eligible COBRA participants. The 65% subsidy is advanced by the employer and then recouped by a credit against payroll tax submissions. The subsidy is available to eligible individuals for up to nine months.

Email Compliance 201

LiveOffice presented a webinar on records management issues related to electronic correspondence and archiving. (I missed the Email Compliance 101 session.)

First up was Christina Rovira, Legal Compliance Advisor at CoreCompliance & Legal Services, Inc. She pointed out that the SEC and FINRA require investment advisers and broker-dealers to supervise the business activities of their representatives. There is a fiduciary duty to act in the best interest of the client.

FINRA Rule 3010 requires written supervisory procedures, including an annual internal audit. This audit includes a review of correspondence (that means email too). Securities Exchange Act of 1934 Rules 17a-3 and 17a-4 set standards for retention. FINRA Rule 07-59 (.pdf) addresses the supervision of electronic communications. Investment advisers are covered under Rule 204-2, with a laundry list of requirements.

The rules are largely risk-based, so you need to focus on new hires and others under closer supervision. In reviewing the communications you want to develop a search lexicon to try to identify issues in the electronic communication. You also want to make sure you exclude privileged attorney-client documents and correspondence; it may be better to store those in a separate repository. They also emphasized that you need to search the text of the attachments as well as the email itself. Attachments generally have more problems.

What to look for?:

  • discussions of performance without disclosure
  • inclusion of testimonials
  • predictions and projections
  • references to past specific recommendations
  • unbalanced discussions of risk/reward
  • disclosure of confidential client information
  • breaches of privacy policy

Archiving functionality is key. You need to be sure that you cannot modify or delete email in the archive.

Privacy is a hot button right now. Regulation S-P, promulgated under section 504 of the Gramm-Leach-Bliley Act, implements notice requirements and restrictions on a financial institution’s ability to disclose nonpublic personal information about consumers. State laws are going further. There is California’s SB1 Financial Information Privacy Act, and Massachusetts has 201 CMR 17.00. That means you need to look for social security numbers, drivers’ license numbers, new account forms and client-specific information.
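As an added example (constructed for this post, not anything LiveOffice or the panelists supplied), the following sketch applies the review points above in one pass: a search lexicon keyed to the categories in the list, patterns for the confidential client data mentioned under privacy, attachments scanned alongside the message body, privileged attorney-client correspondence diverted to its own repository instead of the review queue, and closer scrutiny for senders on a watch list such as new hires. The addresses, lexicon terms, message samples and the account-number pattern are all constructed; only the SSN shape is the real one.

```python
"""Illustrative email-review triage: lexicon hits, client PII, attachments,
privilege diversion and risk-based prioritisation.  Constructed example, not a
vendor's or regulator's list."""
import re
from dataclasses import dataclass, field

# Lexicon keyed to the review categories the panel listed.  Terms are
# constructed; a production lexicon is tuned to the firm's business.
LEXICON = {
    "performance_without_disclosure": [r"\bguaranteed?\b", r"\b\d+% returns?\b"],
    "testimonial": [r"\bmy clients? (?:say|love)\b"],
    "prediction": [r"\bwill (?:hit|reach|double|triple)\b"],
    "past_recommendation": [r"\bas i recommended\b", r"\bmy (?:last|previous) pick\b"],
    "unbalanced_risk": [r"\bno (?:risk|downside)\b", r"\brisk[- ]free\b"],
}

# Confidential client data to look for.  The SSN shape is real; the
# account-number shape is a constructed placeholder.
PII = {
    "ssn": r"\b\d{3}-\d{2}-\d{4}\b",
    "account_number": r"\bacct(?:ount)?\s*#?\s*\d{8,}\b",
}

# Privileged traffic goes to a separate repository, not the review queue.
PRIVILEGE_MARKER = re.compile(r"attorney[- ]client|privileged\s*(?:&|and)\s*confidential", re.I)
COUNSEL_ADDRESSES = {"counsel@example.com"}  # constructed


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text


def scan_text(text, where):
    """Return (category, pattern, location) for every lexicon or PII hit."""
    hits = []
    low = text.lower()
    for category, patterns in LEXICON.items():
        for pat in patterns:
            if re.search(pat, low):
                hits.append((category, pat, where))
    for kind, pat in PII.items():
        if re.search(pat, text, re.I):
            hits.append(("confidential_client_info:" + kind, pat, where))
    return hits


def is_privileged(msg):
    """Counsel on either end, or a privilege legend, keeps the item out of the review queue."""
    if {msg.sender, *msg.recipients} & COUNSEL_ADDRESSES:
        return True
    return bool(PRIVILEGE_MARKER.search(msg.subject + "\n" + msg.body))


def route(msg, close_supervision=frozenset()):
    """Decide repository, collect hits (body and attachments) and set a review priority."""
    if is_privileged(msg):
        return {"repository": "privileged", "hits": [], "priority": "none"}
    hits = scan_text(msg.subject + "\n" + msg.body, "message")
    for name, text in msg.attachments.items():       # attachments are searched too
        hits.extend(scan_text(text, "attachment:" + name))
    watched = msg.sender in close_supervision         # new hires and others under closer supervision
    if hits and watched:
        priority = "escalate"
    elif hits or watched:
        priority = "review"
    else:
        priority = "sample"
    return {"repository": "review", "hits": hits, "priority": priority}


# Constructed sample traffic.
SAMPLES = [
    Message("rep.newhire@example.com", ["client@example.net"], "XYZ idea",
            "As I recommended last quarter, XYZ will double by June. Guaranteed."),
    Message("rep@example.com", ["counsel@example.com"], "Privileged & Confidential",
            "Question about the pending arbitration."),
    Message("ops@example.com", ["rep@example.com"], "New account form", "Attached.",
            {"form.txt": "Client SSN 123-45-6789, acct # 12345678"}),
    Message("rep@example.com", ["client@example.net"], "Lunch", "Still on for Thursday?"),
]


def triage(messages, close_supervision=frozenset({"rep.newhire@example.com"})):
    return [route(m, close_supervision) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLES, triage(SAMPLES)):
        print(msg.subject, "->", result["repository"], result["priority"],
              sorted({h[0] for h in result["hits"]}))
```

Two design points worth noting: the privilege check runs before any scanning, so privileged text never lands in the review index, and the SSN in the sample is found only because the attachment text is scanned, which is exactly the case the panel said is most often missed.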

They turned to conflicts of interest and insider trading issues. For example, you should focus on communications between the research desks and trader desks.

The panel also pointed out that you need to look at the communication tools to see whether you can capture the communication. If you can’t capture it, then employees cannot use it, and you must affirmatively prohibit the use of the tool. For example, some social networking sites are a problem. A BlackBerry is okay as long as you route it through the company’s email and capture the email in the archive.

R. Anthony Seyboth moved on to give the sales pitch for LiveOffice.

Roundtable Discusses Supply Chain Risks


On Jan. 27, 2009, Compliance Week and Integrity Interactive presented an editorial roundtable focusing on supply chain and vendor management risks. They were kind enough to invite me to participate. There is an article about the roundtable in the next issue of Compliance Week and a copy is available on line: Roundtable Discusses Supply Chain Risks. (subscription required)

One theme from the discussion was a desire for an industry or third party standard for compliance. We all thought it would be great if some industry association or auditing firm could review vendors and give the reliable ones a seal of approval.

Dave Curan, the Chief Executive Officer of Integrity Interactive, recommended that all companies have a separate code of conduct that applies to their suppliers. Many in the audience pointed out that vendors often have their own code of conduct, which precipitates a “battle of the codes.”