FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
May 7, 2018

I continue my five-podcast exploration of working with monitors, joined by Don Stern, Managing Director, Corporate Monitors and Consulting Services at Affiliated Monitors, Inc. (the sponsor of this five-part series). Today we consider the various ways in which regulators at all levels, from federal to state and local, use monitors. We also consider how monitors can be used outside the regulatory context in areas as diverse as mergers and acquisitions, business ventures, IP and licensing.

Most compliance practitioners are aware of the role monitors play in the Foreign Corrupt Practices Act (FCPA) enforcement arena. However, the use of independent monitors is much broader than simply in criminal or civil enforcement actions involving a Deferred Prosecution Agreement, Non-Prosecution Agreement, Corporate Integrity Agreement or other form of resolution. Federal agencies use monitors for a wide variety of roles to ensure compliance with agreements.

At its most basic level, an independent monitor is a way for the government to extend its reach. It does so both by lengthening the time of true government oversight and through many of the techniques we discussed earlier: focus group meetings, reviewing documents, and talking to senior and middle management. It is a very cost-effective way for federal, state and even local governments to extend their reach. This cost-effectiveness is driven home by the fact that the cost is not borne by the governmental entity or the regulators. The cost is borne by the entity involved.

Stern pointed to the use of an independent monitor by the Federal Communications Commission (FCC) to ensure that the conditions around anti-competitive and other issues, which the FCC attached to its approval of the merger between AT&T and DirecTV, were fulfilled. He went on to provide an example where “one of the conditions was they had to offer a discounted broadband service to certain low-income households. The FCC wanted access to broadband for low income families, particularly for school kids. The monitor assessed the marketing program on this issue, looking at their efforts to provide discounted broadband, low income households.”

Stern provided another example of regulator use of an independent monitor, this time by a state regulator, the Attorney General of Rhode Island, in the area of hospital conversions. This is the situation where a non-profit hospital is purchased by a for-profit chain. In such situations, the state attorney general in most states will have to approve that transfer of assets from charitable assets to for-profit assets, applying certain conditions. It could be in the area of recruiting physicians or requiring the acquiring institutions to keep the mental health services open. You don't have to spend x millions of dollars on new equipment. It is generally around very specific metrics and it is “increasingly being used by government agencies as a way of not only having confidence that the regulatory decisions are being followed but provides some comfort and confidence to the public knowing that who is looking over the shoulder of the organizations in the public’s interest.”

Yet an independent monitor can be used in non-regulatory areas. One that certainly comes up is pre-acquisition due diligence in the FCPA realm. An independent monitor can be used to assess whether a target or takeover candidate has a robust compliance program. These same concepts also work in the licensing area in pre-acquisition work and even for companies that want to test the audit compliance of customers.

The bottom line is independent monitors can come in and look at the system of controls in a wide variety of regulatory and legal areas. This is true because there is no substitute for having somebody independent of the company with some expertise and common sense and practical reality coming in and asking, how are you doing? Stern concluded, “You don't have to do this all the time. It isn't something you need to do even every year, but every once in a while, have somebody come in and take a hard look at how you're doing and then reporting back internally to the company. It is money well spent because you have established that the organization being reviewed has a good program and if you need to fine tune your program in certain ways. Here again, I think that's all to the good.”

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

May 7, 2018

I conclude this five-podcast exploration of working with monitors, where I have been joined by Don Stern, Managing Director, Corporate Monitors and Consulting Services at Affiliated Monitors, Inc. (the sponsor of this five-part series). In this final episode we consider lawyers using monitors, most typically where the clients are under investigation for some regulatory issue, such as a Foreign Corrupt Practices Act (FCPA) enforcement action.

Stern said the biggest mistake lawyers make is to wait too long before bringing in an independent monitor. His experience is that if you wait until after the conclusion of a matter, you have lost valuable time and potentially cost yourself money, in the form of higher fines and penalties, by waiting. The government expects compliance shortcomings to be remediated during the pendency of an investigation. A monitorship can even begin before self-reporting to the government. This is because a company should want to find the problem before it voluntarily reports the problem to the government. In this manner, the company could receive the credit for having done so. It also allows the company to package the entire process “in a way to say not only we discovered the problem, not only are we reporting the problem, but we fixed the problem. We did with an independent third party and we may even want to keep that third party with us to independently assess how we do going forward. That's very persuasive to prosecutors and I've certainly seen situations where in some cases it's resulted in a declination or in a significantly diminished” fine and penalty.

This is using an independent monitor in a pro-active manner, which demonstrates how serious the company is about compliance. It can also be a way to demonstrate that any illegal conduct may simply have been an outlier and does not reflect the values, culture and the way the company generally does business. This can provide quite a positive story to present to prosecutors, particularly under the new FCPA Corporate Enforcement Policy.

If your company is active in the remediation phase, particularly through an independent monitorship, it is looking at the problem in a holistic approach. It is more than assessing that problem, coming up with some solutions and then implementing the solutions. More importantly, an organization is taking that information and looping it back in, literally in a feedback loop, so the company can improve its compliance program. This is an approach which can be persuasive to regulators.

Stern noted this approach is even more critical for what he called ‘repeat customers’ or recidivist actors. He said government regulators are becoming much more sophisticated in understanding whether a compliance program is simply a paper program. The government wants to know if this is a real program. One clear indicator is the feedback loop from an assessment by an independent monitor: looping the information back to the company, making changes, and testing to see whether the changes are real, working changes.

One final area where an independent monitor is useful is credibility. One thing I have consistently heard from white-collar practitioners is that perhaps the most important thing in any FCPA investigation or enforcement action is credibility with the prosecutors. Having a truly independent monitor, one who is independent even of the outside counsel who may be heading up an investigation and assessing the compliance program, is one more way to bring that credibility in front of the prosecutors. Stern, the former US Attorney for Massachusetts, noted that your reputation in representing clients before the government is absolutely critical. Having that independence as a monitor can aid a company by giving credibility to its compliance program efforts, and this can pay off with real benefits in terms of lesser penalties all the way to a declination.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

May 7, 2018

In this episode Susan Divers, Senior Advisor at LRN, returns to talk about LRN’s 2018 Program Effectiveness Report. Divers noted that in 2017, in its Evaluation of Corporate Compliance Programs and new FCPA Corporate Enforcement Policy, the DOJ refocused ethics and compliance programs on outcomes, not procedures. The 2018 Program Effectiveness Report demonstrates that programs focused on values outperform those based primarily on checklists and rules. Divers believes this has only become more important in the wake of the Weinstein scandal and the #MeToo movement, as sexual harassment scandals continue to erupt in companies with programs that may well have codes of conduct and reporting procedures, but apparently lack traction in preventing and dealing with actual misconduct.

We discuss some of the Report’s key findings. The most effective E&C programs, and the ones that meet the 2017 DOJ criteria, engage in the following:

  • “Operationalize” ethics and compliance using principles and values that inform all organizational decisions, not just those made in a legal or regulatory context.
  • Ensure that the company analyzes the root cause of misconduct, rather than simply punishing misconduct.
  • Embrace accountability and transparency – even if it means holding senior leaders or successful performers fully accountable for their actions.
  • Make sure senior leaders, middle managers and boards of directors are engaged in preventing misconduct, and that the function isn’t left exclusively to lawyers or compliance staff.
  • Are continuously reviewed and improved to ensure they remain value-focused and effective in terms of influencing workplace behavior in a positive way.

Those which fall short have the following characteristics:

  • Fewer than half of the E&C professionals who responded – 49% – said senior leaders in their company get actively involved in and take responsibility and action in instances of compliance failures.
  • Only 38% said their organization’s leaders support appropriate sanctions or penalties on senior-level top performers involved in misconduct.
  • Only 43% said leaders consider E&C factors in business and planning decisions such as new business ventures, mergers and operations reviews.

For LRN Corporation’s 2018 Program Effectiveness Report go to: http://pages.lrn.com/2018-program-effectiveness-report.

May 4, 2018

As we celebrate all things Star Wars on the May the Fourth Be With You edition, Jay Rosen and I take a look at some of the top compliance stories over the past week.

  1. Panasonic settles FCPA enforcement action. Tom spends most of the week on it: Background, the Bribery Schemes, a 20% Discount and Lessons Learned. Henry Cutter explores the due diligence and Trace Certification issues in the WSJ Risk and Corruption Journal as does Kelly Swanson in GIR (sub req’d).
  2. Former VW CEO indicted in emissions-testing scandal. Jack Ewing reports in the NYT and Adrienne Roberts and Christina Rogers report in the WSJ. Dick Cassin reports in the FCPA Blog.
  3. What does the D&B declination mean for self-disclosure? Clara Hudson explores in GIR (sub req’d).
  4. An interesting UK court case considers whether lawyer interviews are privileged when the company agrees to a DPA with the SFO. For an English lawyer perspective, see article in the FCPA Blog by Susan Hawley. For another perspective, see the article by Debevoise & Plimpton lawyers Karolos Seeger, Andrew Lee and Robin Lööf in the NYU Compliance and Enforcement Journal.
  5. Are you using data to power your compliance program? If not you are missing the boat say Ren McEachern and Roy Pollitt in the FCPA Blog.
  6. Two looks at speaking up in a company. Jonathan Marks on how to win back employees’ trust so they will use a hotline. From an article in Fraud Magazine, he cross-posted on his blog. Henry Cutter interviews Public Service Enterprise Group Inc. CCO Antonio Fernández on building a speak up culture in WSJ Risk and Compliance Journal.
  7. Matt Kelly joins us for a special breaking news segment on 5 steps law enforcement officials expect you to engage in if you have a data breach. See Matt’s article in Radical Compliance.
  8. What are the GDPR implications for whistleblowing? Vera Cherepanova explores in the FCPA Blog.
  9. Another week, another declination, this time for Transocean. Kelly Swanson reports in GIR (sub req’d).
  10. Tom announces publication date of his next book, The Complete Compliance Handbook, which will be available on May 21, 2018 on Amazon.com. It is available for PreSale here.
  11. Tom has a busy May planned. Join him at Brazil’s largest compliance conference, the 6th International Compliance Congress, held by LEC – Legal, Ethics and Compliance, May 8 to 10, in São Paulo, Brazil. Registration and information here; hear him speak to the Houston chapter of ACAMS, from 11:30 - 2 PM on Thursday May 17th in Houston on “Driving Compliance and Ethics through Data Analysis”. Information and registration here; and join in a session on Using Frameworks to Prove Compliance Competency at Compliance Week 2018 in Washington DC, May 20-23. Information and registration are here.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

May 3, 2018

In this episode of Across the Board, I visit with Preston Pugh and Aiysha Hussain from the firm of Miller & Chevalier on their recent paper entitled, “A More Effective Way For Corporate Boards To Respond In A #MeToo World” which they authored with Ian Herbert. In this paper they suggest ways Boards of Directors could begin to address corporate harassment scandals. We use their article as a starting point to explore the roles and responses of Boards to the #MeToo and other corporate scandals.

With these and other scandals putting corporate brands at a fundamental risk, the days of Boards of Directors taking a hands-off approach to what was viewed as fundamentally litigation risks are over. We discuss some of the specific ways a Board can address these matters. Both Pugh and Hussain see #MeToo as compliance issues, not simple employment issues. As such they advocate a much broader remit by the Board. Some of the topics we discuss are:

  • Why is this so important for Boards right now?
  • Has this changed in the #MeToo era?
  • Do you think a Board committee should handle this issue or the full Board?
  • Who should report to the Board on this issue?

This timely and topical podcast will help you as a Board member understand how your role has changed as the risks to your organization have evolved.

For more information go to the paper, “A More Effective Way For Corporate Boards To Respond In A #MeToo World”.

May 2, 2018

In this episode, Matt Kelly and I continue our deep dive into the underlying assumptions around the reasons for the lack of IPOs by small and mid-cap sized firms. We focus on a speech SEC Commissioner Robert Jackson recently gave exploring possible reasons why middle market companies aren’t going public. It turns out that the numbers showed that the cost of going public, roughly 7% of the total return, has remained constant since the early 90s.

While the Administration has consistently talked about the costs of going public driven by the administrative cost required under Sarbanes-Oxley and Dodd-Frank, it turns out that is only part of the equation. The other part is investment bankers whose fees have not dropped or even become more efficient in nearly 25 years. We explore the implications from this finding, what it may mean for the SEC’s attempts to bring more small and mid-cap companies into the public market and compliance going forward.

For more see Matt Kelly’s piece More on Declining IPO Trends

Apr 30, 2018

In this episode I visit with Morrison and Foerster partner James Koukios on the firm's January and February Top Ten international anti-corruption cases, issues and developments. In this episode we discuss the following:

  1. PDVSA and related indictments/issues/enforcement actions and the push from the business community to attack corruption from the demand side, as opposed to an FCPA supply side.
  2. In February 2018, two FCPA-related civil RICO suits were filed. While FCPA-related plaintiff suits are increasingly common, they more often take the form of shareholder derivative actions or securities fraud class actions. What are the implications, if any, for the compliance professional?
  3. The implications of Digital Realty Trust from the (former) DOJer perspective. This decision may well be a mixed bag for companies with a short term win translating into long-term negative consequences.
  4. Canadian DPA initiative and the working relationship between anti-bribery prosecutors in the US and Canada.
  5. Petrobras shareholder settlement: outlier or harbinger of things to come? We explore if the unique set of facts led to the settlement or will it mean more and similar actions.
  6. Declinations in January and February: what, if anything, do they communicate to the compliance practitioner, particularly in light of the new FCPA Corporate Enforcement Policy announced by the Justice Department in late 2017?

For further reading see the Morrison and Foerster, Top Ten International Anti-Corruption Developments for January 2018 and Top Ten International Anti-Corruption Developments for February 2018

Apr 27, 2018

After being joined by Jay’s girls to celebrate our 100th anniversary episode, Jay Rosen and I take a look at some of the top compliance stories over the past week.

  1. Dun & Bradstreet settles FCPA with first declination under new DOJ FCPA Corporate Enforcement Policy. Dick Cassin reports in the FCPA Blog. Henry Cutter reports in the WSJ Risk and Compliance Journal.
  2. Will there ever be transparency in the corporate monitorship process with the DOJ? There will be if Dylan Tokar gets his way. Veronica Root reports in the NYU Compliance and Enforcement Blog.
  3. What is ISO 37001 certification worth? Not much in the eyes of SEC FCPA unit chief Charles Cain. Kelly Swanson reports in GIR Investigative (sub req’d).
  4. SEC fines Yahoo $35 million for failing to disclose data breach. Dick Cassin reports in the FCPA Blog.
  5. Former Justice Department FCPA unit chief Pat Stokes hits back on DOJ requests for statute of limitations tolling. Kelly Swanson reports in GIR Investigative (sub req’d).
  6. Starbucks took a huge black eye for its treatment of two African-American men waiting on a friend. Matt Kelly considers from the policy angle in Radical Compliance. Tom considers from the risk management perspective in the FCPA Compliance & Ethics Blog. They debate these and other topics in Episode 79 of Compliance into Weeds.
  7. Was Facebook’s monitor(s) asleep on the job? Does FB’s repeat misconduct even matter? Tony Romm explores the former question in the Washington Post. Veronica Root explores the latter question in the NYU Compliance and Enforcement Blog.
  8. What is Brady laundering? Dan Portnov explores this question on Grand Jury Target.
  9. Tom announces presales of his next book, the Complete Compliance Handbook, which will be published by Compliance Week in May 2018. It is available for PreSale here.
  10. Tom has a busy May planned. Join him at Brazil’s largest compliance conference, the 6th International Compliance Congress, held by LEC – Legal, Ethics and Compliance, May 8 to 10, in São Paulo, Brazil. Registration and information here; hear him speak to the Houston chapter of ACAMS, from 11:30 - 2 PM on Thursday May 17th in Houston on “Driving Compliance and Ethics through Data Analysis”. Information and registration here; and join in a session on Using Frameworks to Prove Compliance Competency at Compliance Week 2018 in Washington DC, May 20-23. Information and registration are here.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Apr 26, 2018

In this episode of Countdown to GDPR, Jonathan Armstrong and I are interviewed by Laura Petrolino, the Chief Client Officer at Arment Dietrich, Inc., on the applicability of GDPR to the professional communications industry. It was a fascinating way to discuss some of the key points of GDPR in the context of one industry/profession.

Some of the topics we discussed are:

  • What are the top three areas where most businesses’ data protocols are currently not GDPR compliant?
  • Communicators deal with databases and email lists a lot. If they already have residents of the EU in their database, do they need to get them to re-opt-in, in order to be GDPR compliant?
  • Are communications agency owners liable if they are in charge of their client’s email lists or databases, and those databases aren’t GDPR compliant?
  • Article 5 says only data needed for the consented exchange is collected. Theoretically, to sign-up to download an eBook the only info really needed is an email address. Often in situations like this, we will collect additional demographic, interest, or industry information in order to create segment lists and further communicate (with content or offers specific to them). Is that no longer OK?
  • Along those same lines, if they sign-up to download an eBook and then a few months later we send them a blog post they might be interested or something else, is that against GDPR? How specific do we need to be upon sign-up about anything we might send them in the future?
  • Article 5 also says we can only keep the data for the amount of time needed. What type of timelines or guidelines should we use to know how long is too long to keep an email?
  • How would you respond to Americans who think the GDPR won’t affect them?
  • Anything else communicators should know?

For the communications specialist, you learn a lot about GDPR compliance and data privacy and protection. But the key takeaways should give you a lot to think about as far as how you use data as part of your communications strategy. They include:

  1. GDPR is an opportunity to make sure you, your organization, and/or your clients use data in a strategic and effective way.
  2. No tactic in absence of a strategy is effective. And more data isn’t necessarily better.
  3. GDPR compliance forces smart communications. It’s good for our industry and it’s good for your communications strategy.

Properly viewed, GDPR implementation can be a business opportunity for the communications professional.

To see Laura Petrolino's blogs on GDPR for the communications professional, check out her musings on SpinSucks:

GDPR Compliance: Everything Communicators Need to Know and

The Communicator’s GDPR Checklist and Resource Guide

Apr 25, 2018

In this episode, Matt Kelly and I go into the weeds to consider the recent racial incident at a Starbucks store in Philadelphia where two African-American males were arrested for criminal trespass while waiting for a third colleague to join them for a business meeting. They had not purchased any products but were not engaging in any type of disruptive behavior. They were released with no charges filed.

We consider several points around this incident from the compliance perspective, including that the lessons for compliance officers are really about the challenges of policy and procedure at large organizations. The gap between those two requirements is filled by employee judgment, and that is where things went awry. We consider if a single solution, such as all seats and bathrooms being reserved for patrons who have already purchased a product, creates more problems than it solves. We also review the underlying premise of ‘what is Starbucks’ to see if a more robust risk assessment process might have helped identify these gaps.

This week’s discussion is literally torn from recent headlines. It provides an excellent example of the many compliance challenges every business and CCO face.

For more reading, see Matt’s blog post Starbucks and Policy Management Perils and Tom’s blog post Starbucks and Lessons for the Compliance Practitioner in Risk Management

Apr 23, 2018

In this episode of the FCPA Compliance Report, I visit with Laura Perkins, a partner at Hughes Hubbard & Reed. Perkins formerly worked with the Department of Justice, FCPA Unit, departing in September 2017. We discuss the decision to self-disclose a potential FCPA violation to the Justice Department. Some of the highlights include:

  • What should a company expect after it makes a decision to self-disclose to the DOJ? What information should be in the initial self-disclosure?
  • What should be in the initial investigation plan they present to the DOJ?
  • When should remediation begin and how much information does the government want to know about in this area?
  • What should a company do to satisfy the government it has secured all documents and communications?

We next turned to the resolution phase and discussed several topics including:

  • When is a company ready to present information to the DOJ that it believes the matter should be closed?
  • Whether through declination or charging document?
  • How is the final penalty decided? and
  • Is it through negotiation or simply presented to the company?

For more information on Laura Perkins and Hughes Hubbard & Reed, check out the firm’s website, here.

Apr 20, 2018

With Wells Fargo about to be fined $1 billion for behaving badly, Jay Rosen and I take a look at some of the top compliance stories over the past week.

  1. Wells Fargo expected to be fined $1 billion for variety of alleged misdeeds. Emily Flitter and Glenn Thrush report in the New York Times.
  2. Michael Held, general counsel and executive vice president of the Legal Group at the Federal Reserve Bank of New York, talks about the 3 lines of defense. His remarks are found in the NYU Compliance and Enforcement Blog.
  3. New Assistant DAG, Matthew Miner said in private practice he wants to give corporations more breaks on sentencing and cut back on Yates Memo. Will he continue to do so now that he is on the team? Adam Dobrik reports in GIR Investigative (sub req’d).
  4. Engaging in bribery and corruption still doesn’t pay as Feds seek 40-month sentence for cooperating Florida telecom exec. Dick Cassin reports in the FCPA Blog.
  5. If you lie to the DOJ and you are under a DPA, you are in big trouble, the ZTE experience. See Dick Cassin’s report in the FCPA Blog.
  6. Yet another guilty plea in the PdVSA corruption case. This time it was Cesar Rincon and it was for money-laundering. Henry Cutter reports on it in the Wall Street Journal, Risk and Compliance Journal. See DOJ Press Release. See also Rincon’s Indictment.
  7. Will DPAs really work outside the US? Rick Messick explores in the Global Anti-Corruption Blog.
  8. Tom announces presales of his next book, the Complete Compliance Handbook, which will be published by Compliance Week in April 2018. It is available for PreSale here.
  9. The Everything Compliance gang is back in Episode 27 with a deep dive into Mark Zuckerberg’s Facebook testimony, the Michael Cohen subpoena and more. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  10. Tom will be presenting a webinar with Opus Global and Hiperos on the Convergence of ABC and GDPR, next Wednesday, April 25 at 11 AM EDT. The event is at no charge. For registration and additional information, click here.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Apr 19, 2018

This week the gang goes for more of a roundtable Q&A with a couple of topics. We first consider the testimony of Facebook CEO Mark Zuckerberg before Congress and his company’s imbroglio with Cambridge Analytica and then the search warrant issued to Michael Cohen. Stayed tuned to the end for rants in this edition.

  1. Matt rants on the sexual scandals surrounding Missouri governor Eric Greitens.
  2. Mike rants on the inanity of quarterly FCPA enforcement statistics as being used for anything meaningful.
  3. Armstrong rants about the lack of authenticity of American politicians who film advertisements of themselves driving pick-up trucks.
  4. Jay gives a shout out and rants about his Boston Red Sox leading the AL.

I give a shout out to invertebrates and the most recent addition from the political class, Paul Ryan.

The members of the Everything Compliance panel include:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov– One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly– Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong– Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
Apr 18, 2018

In this episode, Matt Kelly and I go meta as we go into the weeds about Weed, in the context of the recent announcement by the administration that it would not prosecute persons or producers in states where marijuana sales are legal. In exchange for this concession, Colorado Senator Cory Gardner says he will lift a hold he placed on all Justice Department nominations since January. We also discuss the recent addition of John Boehner and William Weld as advisory directors to the marijuana producer Acreage and how this changing landscape impacts compliance.

For more see Matt’s blog post Weed Compromise Moves DOJ Nominees

Apr 16, 2018

In March the SEC made its biggest-ever whistleblower award. It gave one person more than $33 million and in the same case split nearly $50 million between two others. The previous high for an SEC award to a single whistleblower was $30 million in 2014. All three whistleblowers were represented by the law firm of Labaton Sucharow and the awards were based upon SEC enforcement actions against Merrill Lynch. Today, I have with me Steve Durham, a partner at the firm, to talk about the awards and their implications in light of the recent Supreme Court decision in Digital Realty Trust v. Somers.

There are several key points to take away from the awards which we discuss. Initially the awards were divided into two separate awards: one to two individuals for $50 million and a second of $33 million to one individual. We discuss what counts as original information in the eyes of the SEC and so can qualify for an award. In the award, the SEC noted the initial two whistleblowers could have received a higher amount if their information had been delivered to the SEC in a more timely manner, that is, as soon as they learned of the misconduct. This timing issue is critical not only to help set the amount of the award but also to establish that a whistleblower is qualified to receive an award, as there were other individuals who stepped forward later with the same or similar information.

We also explore where the SEC is in its overall whistleblower award program. Durham believes there are several large whistleblower awards in the SEC pipeline and that the SEC Whistleblower program has been an overall success. Even with the Congressional attacks on Dodd-Frank, there is no call to reform this part of the law.

Apr 13, 2018

With the Red Sox leading the AL with a 10-2 start and back to brawling with the NY Yankees, Jay Rosen and myself take a look at some of the top compliance stories over the past week.

  1. Is there a new health care focus coming in FCPA enforcement actions? Joseph Spinelli and Lisa Murtha explore this issue in the FCPA Blog.
  2. Mark Zuckerberg testifies before Congress. What are the implications? Sascha Matusak says a wave of litigation is coming on the SCCE Compliance and Ethics.  Ben DiPietro wraps up national coverage on the WSJ Risk and Compliance Journal. Joe Mont explores the potential regulatory aspect in Compliance Week. (Sub Req’d)
  3. The SEC awarded more than $2.1 million to a former company insider "whose information led to multiple successful enforcement actions." Dick Cassin reports in the FCPA Blog.
  4. Do ‘No-Poach’ agreements violate anti-trust law? Jaclyn Jaeger explores in Compliance Week. (sub req’d)
  5. A Navex Global report says that more hotline and whistleblower reports are turning out to be valid after corporate investigations. Henry Cutter reports on the report in the WSJ Risk and Compliance Journal. Carrie Penman considers three key findings on Navex’s Ethics and Compliance Matters.
  6. Tom Topolski and Eric Feldman talk about how to make the relationship between a corporate monitor and corporation work. Check out the SCCE Compliance Perspectives podcast, hosted by Adam Turteltaub.
  7. FinCen rules on customer due diligence and ultimate beneficial ownership go into effect on May 11. What are the implications for non-financial institutions? Check out FinCen’s FAQs here.
  8. Tom announces presales of his next book, the Complete Compliance Handbook, which will be published by Compliance Week in April 2018. It is available for PreSale here.
  9. Tom will be leading Convercent Roundtables in Houston (April 17) and Dallas (April 18). He will lead discussions on using data to drive ethics into the center of business.
  10. The Everything Compliance gang will be back on Thursday April with a deep dive into Mark Zuckerberg’s Facebook testimony, the Michael Cohen subpoena and more. Check it out next Thursday.
  11. AMI’s Eric Feldman will be speaking on How Audits Become Investigations at the 2018 Public Service Internal Audit Conference in Singapore, hosted by The Institute of Internal Auditors Singapore, on April 18, 2018. For information and registration, click here.
Apr 12, 2018

In this episode of Countdown to GDPR, Jonathan Armstrong, a partner at Cordery Compliance in London and I consider the roles of vendors in GDPR. These roles are both in complying with GDPR and substantively following the regulation itself. The first area is a vendor which is a subject matter expert in the areas of data protection and data privacy.

Armstrong discussed an actual advertisement where a company claimed to be a ‘GDBR’ expert. Leaving aside the copy editing FUBAR, the ad also cited regulatory requirements from preliminary drafts of GDPR which were superseded by the final version of the legislation. He stated, “there's still the difficult thing that corporations out there that are struggling but there are snake oil salesmen who are trying to prey on them and sell them projects that they don't need and not sell them projects that they do need. There is definitely a skills gap. And obviously as we get closer to GDP that gets all the more worrying.”

Beyond this problem of technical competence, vendors present another set of risks under GDPR. Many organizations with literally worldwide operations are concerned with their potential liability for their vendors in the United Kingdom, in the EU or in countries under GDPR. Armstrong noted that the initial inquiry a company should make is who is the data controller and who is the data processor. Under the old rules, the data controller was the corporation and the data processor was the vendor. In these days of cloud computing and software as a service (SaaS), these lines are more blurred. He noted “as a very general rule the corporation remains liable for everything that it does even if it uses a vendor to process data on its behalf or to manage part of the service.”

GDPR will require a more robust third-party risk management process for vendors. Armstrong explained, “when you are bringing vendors onboard you need to go through a proper process to do due diligence on them. There are some warning signs to start off with, such as if a vendor says I understand all about GDPR and then talks to you about PPI you should show them the door.”

He went on to add, “If they say you can't have any audit rights. Show them the door. If they say we will not commit to telling you about data breaches within 72 hours. Show them the door. There are various minimum requirements that a vendor has to meet under GDPR and if they don’t, find somebody else.” But simply performing background due diligence is not enough.

You should have an appropriate set of contract terms and conditions around GDPR compliance in your agreement with them. There should also be “some sort of attestation about what they're doing particularly” around continued GDPR compliance. You certainly would want to know where the data is going to be hosted and if there are ISO 27000 certificates in place for the data centers. Finally, the management of this risk must continue throughout the life-cycle of the third-party relationship with the customer.

Apr 11, 2018

In this episode, Matt Kelly and I take a deep dive into the weeds on what drives misconduct at the C-Suite and senior executive level by considering one of the most current examples of privilege and arrogance in the current administration, Scott Pruitt at the EPA. We consider his actions from the compliance perspective, the HR perspective and the corporate governance perspective.

What drives CEOs, C-Suiters and senior executives to engage in behavior which is beyond the pale of corporate norms and acceptability? How can a company keep from hiring a senior executive who will harm its reputation? Find out the answer to these and other questions on Compliance into the Weeds.

See Matt Kelly’s blog post What Drives Misconduct: The EPA Example

Apr 9, 2018

In this episode of the FCPA Compliance Report, I visit Hogan Lovells partner Stephanie Yonekura on the always difficult decision on whether a company should self-disclose a potential FCPA violation or even allegations of a potential FCPA violation to the Justice Department. We consider such questions as:

  • What should a company do to prepare for a multi-national multi-jurisdictional anti-corruption enforcement action?
  • What should a company do to prepare when an internal investigation determines there may be instances of ABC violations in multiple countries, all of which have ABC laws?
  • How should a company prepare for self-disclosure? To US authorities only or to multi-jurisdictions at once?
  • Do evidentiary standards differ across the globe and how should a company prepare or respond?
  • How should a company prepare for multiple fines and penalties from multiple jurisdictions?
  • How can a company negotiate one pie in the context of an international anti-corruption enforcement action?

Yonekura is the Former Acting US Attorney for the Central District of California so she brings a wealth of knowledge to the topic. We consider all of these questions and more in light of the new FCPA Corporate Enforcement Policy and whether it has changed the calculus for self-disclosure or not. We also visit on whether the recent lack of monitors required under DOJ/SEC FCPA enforcement actions is an omen of things to come or not.

She ends with one of the great pieces of advice you can receive, “You don’t want to poke the bear, whether there is no bear to be poked.”

Apr 7, 2018

With the Astros off to a 6-1 start and the Facebook FUBAR continuing, Jay Rosen and myself take a look at some of the top compliance stories over the past week. 

  1. Embraer dodges a shareholder action based on its FCPA violations. Henry Cutter reports in the WSJ Risk and Compliance Journal. Tom considers the decision as a rift in the time space continuum in the FCPA Compliance and Ethics Blog. Kevin LaCroix considers from the more traditional legal angle in the D&O Diary.
  2. Facebook continues to either (1) not get it; (2) throw its users under the bus; and/or (3) generally show it has no idea what it is doing going forward, click here. Mark Zuckerberg will explain it all to Congress. Larry Robinson on Fast Company online lays out what the company needs to do. Tom explores the tone at the company in Compliance Week (sub req’d).
  3. What should you ask in an interview of a compliance professional? Maurice Gilbert, founder at Conselium Search gives some great tips in his eBook, Hiring Compliance Officers available at no charge on Corporate Compliance Insights.
  4. Bob Conlin, the CEO at Navex explains why CEO trust is so low. Check out his article here.
  5. What is the SEC whistleblower safe harbor rule? Henry Cutter reports in the WSJ Risk and Compliance Journal.
  6. Mike Volkov puts on an excellent podcast on how to deal with a search warrant on the Corruption, Crime and Compliance podcast.
  7. Check out this week’s 5-part podcast series on corporate monitorships with Vin DiCianni and Eric Feldman. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  8. Tom announces presales of his next book, the Complete Compliance Handbook, which will be published by Compliance Week in April 2018. It is available for PreSale here.
  9. Jonathan Armstrong will be in Houston on April 10 to put on a half-day GDPR workshop. You can find out more and register at the Greater Houston Business and Ethics Roundtable website. Tom will host a breakfast meeting with Jonathan on a UK Bribery Act update. For details and registration contact Tom.
  10. Tom will be leading Convercent Roundtables in Houston (April 17) and Dallas (April 18). He will lead discussions on using data to drive ethics into the center of business.
  11. Jay details a webinar hosted by Convercent where AMI SVP Eric Feldman presents a qualitative look on how quickly an ethical scandal can impact a company. To listen, click here.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit Affiliated Monitors at www.affiliatedmonitors.com.

Apr 5, 2018

The top compliance roundtable podcast is back with a wrap-up of some of the top compliance stories over the first quarter of 2018. Stay tuned to the end for rants in this edition.

  1. Matt Kelly considers the moves by the Congress to amend Dodd-Frank, considering the approaches by both the House and the Senate. He explores a couple of interesting side notes. First, the Senate bill requires the Department of Treasury to consider cybersecurity risks. Second, he notes the lack of movement against the Consumer Financial Protection Board. He also considers the Trump Administration’s claim of regulatory reduction, exploring my question: Is it real or is it Memorex? Matt rants on the manner of the firing of the Secretary of the Department of Veteran’s Affairs.
  2. Mike Volkov considers the recent pronouncements by the Justice Department that it may extend the reach of the declination program first laid out in the new FCPA Corporate Enforcement Policy. Would such an approach work for other laws? If so, which ones are likely candidates? Is this a sop to big business or is there something else going on? What might be the reaction of the Congress? Mike rants on the corruption and conflicts of interest present in the current Administration.
  3. Jonathan Armstrong considers the Facebook/Cambridge Analytica imbroglio from the UK/EU angle. He discusses where the EU and UK investigations currently lie, what the potential penalties might be, including criminal sanctions, and next steps for all involved. It turns out the EU has been investigating Cambridge Analytica for over one year. Armstrong gives a shout out to the SCCE European Compliance and Ethics Institute and rants on travelers who still don’t know to bag their liquids and take their shoes off at security in airports.
  4. Jay Rosen considers the current state of monitorships. He begins with a review of monitorships over the past few years to explore whether the Justice Department and SEC are cutting back on their use. If so, what are the implications for enforcement and compliance going forward? What are some of the tangible steps a company can take to make the case they do not need a monitor even after an FCPA violation? Jay explains remediation through a proactive monitorship can be a key step. Jay gives a shout out to the state Attorneys General who brought the Emolument Lawsuit against the President.

I take the opportunity to give a Happy Trails shout out to one of my boyhood heroes, Rusty Staub, who recently passed away, and rant on the New York Times for waiting almost a full week before running an Obituary on Philip Kerr.

The members of the Everything Compliance panel include:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
Apr 4, 2018

The golden age of polar exploration lasted from about 1895 to 1912, during which time explorers reached both the North Pole and the South Pole. Yet even today their explorations and expeditions raise admiration and even awe. In this episode, we discuss the race to the South Pole and what leadership lessons may be drawn from it. The three principals we discuss in this episode are Englishmen Ernest Shackleton and Robert Falcon Scott and Norwegian Roald Amundsen. In this episode we explore:

  • Leaders need a clear strategic focus; 
  • Leaders need to be open to innovation;
  • Leaders need to rely on their team members (you don't have to do it all); and
  • Leaders should forge team bonds.

The Final Word

Perhaps the final word should come from Apsley Cherry-Garrard, a member of Scott’s second expedition, who made the following observation: “For a joint scientific and geographical piece of organization, give me Scott. . . for a dash to the Pole and nothing else, Amundsen: if I am in the devil of a hole and want to get out of it, give me Shackleton every time.”

Apr 2, 2018

This week, in a five-part podcast series, I have been exploring the role of corporate monitorships in compliance and some of the key issues which companies and compliance professionals may face in dealing with monitors. I have been joined in this exploration by Vincent DiCianni, founder and President of AMI and Eric Feldman, Senior Vice President and Managing Director of Corporate Ethics and Compliance Programs for Affiliated Monitors, Inc. (AMI), who is the sponsor for this series. Today, for our final episode in this series, we consider the always controversial topic of monitorship costs and expenses.

DiCianni noted that in any post-resolution monitorship, the monitor is coming in at the end of a long process. If it was a Foreign Corrupt Practices Act (FCPA) enforcement action, it could have been a years-long process with a lengthy investigation, coupled with an extensive remediation and then long negotiation with the government over the final penalty. Yet there is an approach that a company can use to help make the final leg of this process more palatable.

DiCianni breaks the process down into three key areas. The first is the scope of the monitorship. You must understand the settlement documents so that you can fully appreciate the scope of the monitor’s remit and what the government expects from the monitor. DiCianni noted that some resolutions can have a narrow focus, with a finite number of records or other documents to review. With such information, you can work to scope out a range of what your costs might be. Conversely the settlement documents can literally be wide-open, which obviously will have a dramatic impact on potential costs and even estimating.

DiCianni related that the next factor to consider is frequency. By this he meant how often the monitor is actually engaging in monitorship activities for the company. Is it daily? Is it weekly? Is it quarterly? The frequency of monitoring will have a significant role in your overall monitorship costs. The final factor to consider is duration. Tied to this question of frequency is the length of the monitorship. How long the monitorship will last, whether one year, two years, three years or even five years, is a critical element.

A further factor is the experience of the monitor. As we explored in Episode 4 of this series, you really need to have a very direct conversation with monitor candidates to determine if they have the experience to work with other individuals or teams of individuals. Does the monitor understand their role, as prescribed by the four corners of the settlement document(s)? Are they going to reinvent the wheel for each new part of the monitorship? DiCianni said, “as they are going along which is going to add to the cost of the monetization so that's a factor that I think companies should consider”. This brings up another important factor in costs: not only the scope of the monitorship but also the efficiency of the monitor.

DiCianni noted a key document for cost control can be the monitor’s workplan, which lays out the monitor’s anticipated services. This gives the monitor, the company and the government a set of expectations for the tasks to be accomplished. Even though it may turn out to be a preliminary document, it does help to provide a level of certainty. Equally important is for the monitor to understand they do not have to look at everything during the monitorship. You can randomly sample and drill down to test if you need to do so. A monitor does not have to interview all persons in a high-risk location but can select certain employees for a focus group and then perform a round of interviews if required. The workplan and its execution can be a powerful tool to help not only estimate the total cost but also keep costs down.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.
