Rise Above ‘Why Compliance Programs Fail’ With Behavioral-Based Tips

I recently cracked open my Harvard Business Review to the article on “Why Compliance Programs Fail.” I read with great interest the authors’ theory on how weak, milquetoast metrics can result in check-the-box, paper-only compliance programs. I don’t disagree at all, but I have a few practical suggestions to add.

The authors cite, as have many, the shocking statistic from EY’s 2016 Global Fraud Survey that out of nearly 3,000 executives surveyed, 42 percent said they could justify unethical behavior to meet financial targets. Clearly, something is misaligned. The HBR authors postulate a case for better metrics aligned to strategy. It is a well-reasoned argument with which I do not quibble. But the sentence that captured my interest is this one:

“While many firms continue to see ensuring compliance as a legal exercise, it is really much more a behavioral science.”

In Light of the Brand Memo, Has the Way of Compliance Gone by the Wayside?

After then-U.S. Associate Attorney General Rachel Brand issued a memorandum (known as the “Brand Memo”) in January 2018, which some have interpreted as recanting all reliance on DOJ guidance documents, what’s next? Call me Pollyanna, but I contend that “the way of compliance” is here for good. Pun intended.

First, annual survey results list compliance matters as a high attention area for in-house counsel. This year the executive summary of the Association of Corporate Counsel’s 2018 Chief Legal Survey ranked ethics and compliance obligations as extremely or very important. Whether it be regulatory changes, protecting against data breaches, information privacy, GDPR, or general ethics and compliance, the focus is on keeping up with the compliance obligation. When you are the corporate point-person on all matters regulatory and legal, it is no wonder you stay up at night wondering about the unpredictable.

Countdown to GDPR Deadline: What Your Organization Should Be Doing to Prepare

In late May, the European Union’s new General Data Protection Regulation (GDPR) takes effect, changing the manner in which companies all over the world – not just those in the EU – store and use Europeans’ personal data. GDPR requires any company that collects personal information of European citizens to comply with its data privacy requirements, including:

  • Keeping all records of all personal data processed.
  • Performing data protection impact assessments in cases of high-risk processing activities.
  • Collecting personal information only through opt-in consent of individuals and deleting an individual’s personal data upon request.
  • Notifying individuals within 72 hours of a data security breach.

In order for U.S.-based companies to adequately prepare for GDPR compliance – and avoid massive fines – it is critical to conduct a detailed assessment of the extent to which your organization collects personal data and ensure that proper safeguards are in place throughout all divisions of your organization.

Five Common Compliance Myths

The recently released Society of Corporate Compliance and Ethics 2017 Compliance and Ethics Officer and Staff Salary Survey contains a host of interesting CCO and other compliance personnel compensation information. Also interesting is the survey’s profile data regarding compliance professionals and their companies.

The SCCE is a nonprofit association of more than 5,800 members, including CCOs and their staffs, employed in a wide range of industries. The 2017 survey’s data was derived from 1,376 email responses, which were then distilled down to 444 individuals employed by non-health care providers and responsible for at least 26 percent of their organization’s legal and regulatory risk (i.e., actual compliance personnel rather than personnel with isolated compliance duties).

A review of the survey’s data exposed five common compliance myths.

Digging Into the Details of New FCPA Guidance From the U.S. Justice Department

Over the last 10 years, 143 companies have paid a combined $10.9 billion to resolve Foreign Corrupt Practices Act cases.

That staggering price tag shows the U.S. Department of Justice’s willingness to go after alleged bribery of foreign officials, shoddy bookkeeping, and fraud. In recent years, the DOJ has beefed up its enforcement unit focused on the Foreign Corrupt Practices Act (FCPA), and officials in the Trump administration have made clear that enforcement remains a priority. If you think about FCPA enforcement as a carrot-and-stick approach, the stick isn’t going anywhere.

As for the carrot, the DOJ recently announced changes that give companies even more benefits for self-disclosing violations. The new FCPA corporate enforcement policy expands on a pilot program that had offered mitigation credit for self-disclosures.

The U.S. Justice Department’s Latest Compliance Program Warning

U.S. Deputy Attorney General Rod Rosenstein recently announced the Department of Justice’s revised corporate enforcement policy for the Foreign Corrupt Practices Act. The revised policy is based on an FCPA pilot program (in place since April 2016), which provided mitigation credit for voluntary reporting of wrongdoing and specified levels of cooperation and remediation in connection with the resulting investigation.

Much has been made about the new policy provisions that create a presumption of DOJ declination and specify percentage reductions from the U.S. sentencing guidelines in the event that a company self-discloses, cooperates and/or remediates in accordance with specified policy requirements. Certainly, these provisions significantly further the shift toward encouraging company cooperation, as well as continue the focus on holding individuals accountable, and deserve careful attention.

The 12 Days of Compliance

Like a gift that keeps on giving, compliance efforts now can provide long-lasting benefits into the new year.

I have written before about the guidance document from the U.S. Department of Justice that was issued in February of this year regarding compliance programs. More recently, in October, Deputy Attorney General Rod Rosenstein left no doubt in widely reported remarks that “deterrence requires enforcement through penalties decision-makers are unwilling to pay.”

Evolution of the General Counsel: A TerraLex Report

TerraLex recently published The General Counsel Excellence Report 2017, which tracks the continuing evolution of the role of corporate general counsel to encompass important nontraditional areas of focus and responsibilities. TerraLex, a referral network of more than 150 law firms (including Parker Poe) in more than 100 countries, sponsored similar surveys in 2013 and 2015.

The 31-page report makes for interesting reading. For example, it notes that even the GC’s title is changing, with 45 percent of respondents describing their role as “General Counsel” (slightly down from 2015) while more than 20 percent use titles like “Head of Legal,” “Group Head of Legal,” “Head of Legal & Regulatory Affairs” or even “General Counsel, Director of M&A, Strategy and Risk.” The report states that “[i]t is clear … that the exact role of the general counsel is becoming an increasingly difficult one to define.”

Google and Charlottesville Events Raise Questions for Companies Regarding Employee Political Views

Two recent major news stories again involve the intersection of politics with employment law. In the first matter, Google fired a programmer after he posted an internal document criticizing the company’s diversity initiatives. The document explained the employee’s view that biological reasons account in part for the low percentage of female tech workers at Google and comparable companies, and he alleged that the diversity initiatives harmed Google’s business interests.

In the second story, following alt-right protests over removal of a Confederate statue in Charlottesville, a number of online groups began identifying protesters from video and photographs taken at the demonstrations and contacting their employers, demanding that the employees be terminated for white supremacist activities. As of today, news reports indicate that several employers complied with these requests, terminating the employees in question.

Regulatory Considerations as Cryptocurrencies Enter the Mainstream

A faceless currency involved in dealing illegal drugs, selling stolen identity data, offshore gambling, human trafficking, material support to terrorist activity – even before Ross Ulbricht’s 2015 conviction for brokering more than $1 billion in illegal transactions through an online darknet market called Silk Road, the anonymity of using cryptocurrencies has long been the alleged allure for users of the “Dark Web.” Detractors, such as Michael Lewis, author of The Big Short, Moneyball and Liar’s Poker, note the lack of regulation, calling bitcoin “at its heart . . . a libertarian enterprise – anti-government, anti-central authority; for money to really work it needs a central authority behind it.” In 2015, Washington Post columnist Matt O’Brien called bitcoin a millennial “Ponzi scheme.”

But, like mocha chai lattes, gangsta rap, craft beers and sleeve tattoos, cryptocurrencies are moving from being on the societal fringes to part of the mainstream. Hundreds of vendors accept bitcoin, including Overstock.com, Subway, Microsoft, Reddit, OkCupid, the United States Libertarian Party, CheapAir, Expedia, Wikipedia, certain vendors on Etsy.com, WordPress, Whole Foods, Bloomberg.com, MLS soccer’s San Jose Earthquakes, Dish Network, Intuit and MovieTickets.com, just to name a few. Many users are embracing the technology – the number of bitcoin holders reached more than 10 million by the end of 2016.