FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.





Aug 18, 2018

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly and I take a very deep dive into the implications of President Trump’s tweet on Friday, August 17th about quarterly financial reporting by public companies.

Some of the highlights from this podcast are:

  1. What was the reason behind the tweet?
  2. Is this simply an attempt to require less transparency in financial reporting?
  3. Would a longer financial reporting cycle allow companies to plan to the longer term?
  4. Would this negatively impact short-sellers?

We unpack all of these points and consider the SEC’s response going forward.

For more reading: see Wall Street Journal Article, “The End of Quarterly Reporting? Not Much to Cheer About”.

See NYT Dealbook article, “Trump Asks S.E.C. to Study Quarterly Earnings Requirements for Public Firms”.

Aug 17, 2018

Jay is on an Alaskan Disney cruise with the family. Through the prism of Trump’s attacks on the US free press and their robust response, Tom takes a solo look at some of the top compliance stories from the past week. Jay returns next week.

  1. What is the role of a free press in the fight against bribery and corruption? I explore in an article for Compliance Week (Sub req’d)
  2. In his final column at the Wall Street Journal, Ben DiPietro writes about how social activism prioritizes the push for integrity and inclusion. In the WSJ Risk and Compliance Journal.
  3. Where is the Tesla board of directors? The SEC has issued a subpoena to them. Tom discusses in the FCPA Compliance Blog. Emily Glazer reports in the WSJ. More on the infamous ‘funding secured’ tweet on Compliance Week. (Sub req’d)
  4. Why is it stupid to come to the US to (1) demand and (2) accept a bribe? Sam Rubenfeld explains in the WSJ Risk and Compliance Journal.
  5. Is the UK pushing back on US jurisdictional outreach? Evan Norris and Alma M. Mozetic pose this question in NYU’s Compliance and Enforcement blog.
  6. Valerie Charles says to consider the new FCPA Corporate Enforcement Policy from the compliance program perspective. In this month’s SCCE Magazine.
  7. Would a no-deal Brexit be a disaster for compliance? Paul Hodgson reports in Compliance Week. (sub req’d)
  8. Maurice Gilbert interviews Moore & Van Allen’s Valecia McDowell on compliance, leadership and promotion to the firm’s management committee. On CCI’s, Connected.
  9. The scandal at Maryland around the death of Jordan McNair deepens. The trainer resigns, the University accepts responsibility and his parents call for the firing of the head coach. See coverage in Sports Illustrated and ESPN.
  10. The number of podcasts on the Compliance Podcasting Network reaches the 1000 podcast milestone next week. To celebrate, each week in August I am running a week-long special series as a tribute. This week it has been a series on the future of audit, compliance and analytics. Next week it will be a series on ethical culture, what it means, how to measure and assess it and how to drive it. You can download the entire series next Monday at noon, on iTunes. The series will post daily at 10 AM on the Compliance Podcast Network.
Aug 16, 2018

To celebrate the Month of 1000 podcasts, which I am running for each of my podcasts this month, the Everything Compliance gang focuses in this episode on the past five years, giving a retrospective of where we were, where we are and where we are going from their own perspectives. After the commentary we follow with rants and shout outs.

  1. Matt Kelly considers how the 2013 Internal Controls Framework and the 2016 ERM Framework changed things (or not). He notes the two Frameworks provided widely distributed information to consider compliance in a disciplined way. Matt rants on Elon Musk.
  2. Mike Volkov explores FCPA enforcement over the past 5 years. He lists the top 3 developments: (1) the long road to the FCPA Corporate Enforcement Policy; (2) the Yates Memo and individual prosecutions; and (3) the global framework, built by the DOJ and SEC for anti-corruption investigation and enforcement. Mike rants on disgraced Representative Chris Collins.
  3. Jonathan Armstrong focuses on the evolution of data privacy. Numerous actors, including legislatures, regulators, individuals and pressure groups, have all influenced EU/UK policy in this area. Further, as US companies have become larger and larger, EU/UK Fair Trade/anti-trust and privacy laws will be used to greater effect on these entities. Armstrong shouts out to compliance when walking one’s bovine in Norwich City.
  4. Jay Rosen considers changes in compliance from the vendor perspective. He notes that many vendors brought a business process approach to not only how law firms and investigative firms worked but also how companies approached compliance programs. Jay rants on the NFL owners attempting to stop players from exercising free speech.
  5. Tom throws in a shout out for retiring Wall Street Journal reporter Ben DiPietro, who retires from the WSJ Risk and Compliance Journal on August 14.

The members of the Everything Compliance panel are:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at
  • Mike Volkov– One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at
  • Matt Kelly– Founder and CEO of Radical Compliance. Kelly can be reached at
  • Jonathan Armstrong– Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at

The host and producer (and sometime panelist) of Everything Compliance is Tom Fox the Compliance Evangelist.

Aug 15, 2018

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly and I take a very deep dive into a question posed by Jonathan Marks at the GHBER Summer Members Workshop, “What is a control?”

Some of the highlights from this podcast are:

  1. A control is not a noun but a verb.
  2. One should consider the interlocking nature of controls.
  3. Controls must be properly designed.

We unpack all of these points and consider strategies going forward.

For more reading: see Matt’s piece Compliance 101-Defining a Control

For further reading, see Jonathan Marks’s article of the same title, Compliance 101-Defining a Control.

Aug 13, 2018

Over the next five podcasts, Matt Kelly and I will be exploring the future of internal audit, compliance and analytics. In Part I, we introduce the topic, explaining why internal audit (IA) is in the midst of a profound transformation, how this transformation will enable it to move past its traditional detect function into a more proactive prevent role and how all of these transformations will lead to a more robust, operationalized risk management process.

Kelly believes IA is in the midst of a profound transformation. He explained IA itself is getting better and better technology. It has much more data analytics capability, so they can do a lot more with the data and do it faster but, at the same time, all the other departments in an organization, whether it's marketing, legal, compliance or operations, are receiving that same advance in technology too. This means the other departments that IA is supposed to keep an eye on are also advancing with their technology. Subsequently, their ability to throw off new data that can be analyzed is increasing exponentially at the same time. Kelly termed this as the “datafication” of the business process.

This is coupled with Boards of Directors wanting more bang for their buck out of the IA budget. This translates into the question of how IA adds strategic value. The answer is a bit of a delicate thing because as IA works for the Board of Directors, it is supposed to be an independent and objective reviewer of business processes and of risks to the business. One of its functions is to recommend ways to reduce risks to acceptable levels. However, with this datafication it becomes much easier for IA to become much more of an analysis function to do more risk monitoring.

The tech revolution is creating more ability to move beyond traditional audit duties of Sarbanes-Oxley (SOX) compliance, such as the confines of just reviewing financial statements and specific processes at fixed increments every few years. Does this mean that IA can move from a detect function to a more proactive prescriptive function? Kelly believes, “The question is to what degree should it, because there are always going to be these questions about how Internal Audit functions maintain their independence.”

Interestingly, Kelly believes that while the Boards of Directors are directly driving this change, the ultimate pressure is coming from a wide variety of players, including shareholders, regulators, consumers and other stakeholders. All these groups want to see the Board do a better job of managing strategic risk and not be caught with its collective jaw hanging off the floor when a scandal hits an organization. This pressure on Boards of Directors is driving them to ask for more and somewhat different approaches by IA. Kelly believes IA is being pushed beyond its traditional boundaries to “help Boards fulfill a new mission” to help more in the overall risk management process.

This process is also helped by the maturation of the IA function in its control design and testing requirements deriving from SOX. Technology has helped it move away from simple spreadsheets to more sophisticated reporting tools. Now IA has the ability to better interpret the information coming out from these controls. This will allow a greater operationalization of risk throughout an organization. IA can work with business process owners to write algorithms to allow greater self-monitoring of risks at the business or functional unit levels. They can then work to oversee the entire process to make sure the business processes stay within acceptable or defined risk parameters and report back to the Board of Directors. 

In Part II we consider the three steps of evolution that IA must go through to move to a more robust role in the overall risk management process.

Aug 13, 2018

In this special five-podcast series, Matt Kelly and I are exploring the future of internal audit (IA), compliance and analytics. In Part II, we go through the three steps of evolution that an IA function must traverse so that it can move beyond its traditional audit duties under Sarbanes-Oxley (SOX) compliance and testing of financial controls. These three steps of evolution are: (1) Strengthening internal controls for financial reporting and SOX compliance; (2) Enhanced analytics; and (3) Risk optimization for other business functions. Kelly believes that companies must go through these three steps of evolution and in this prescribed order.

The profession has been working as a whole since the passage of SOX back in 2001. It included strong internal controls for financial reporting, disclosure controls and compliance controls. Here companies would see which of these they had in place, which were working or effective and which could be removed or deleted. SOX 302 governs the disclosure controls and SOX 404 governs internal controls over financial reporting. The key is that once you have the appropriate internal controls required by SOX you can begin to test, see how they work and see what types of data they are generating. The fundamental bedrock is strong internal controls. If you have bad controls, they will give you bad data that will lead to bad conclusions and trouble at some point.

From this foundation of step one, the IA function is ready to move to a more analytics-based function. Kelly provided an example, “you could see how many of our invoices are paid before a purchase order arrives and you could see how often we are closing the books at the end of the month, within seven business days after the end of the month as opposed to out in 10 days.” It would allow an analysis of whether your finance function is narrowing that window or not. Finally, once you are able to build up a sufficient body of analytics, you can then move to a more risk monitoring, risk management and optimization for other business functions. This is a more robust risk management process. Kelly emphasized that you cannot take these steps out of order.

This evolution drives the importance of data governance up the priority list for internal auditors, compliance officers and risk officers. Kelly said that you need to consider the taxonomy of your data. This would include the “data you are generating, validation that the data is fitting, that it makes sense from a value perspective.” It would also include issues such as whether the data is in the right format and is it complete? While such issues as completeness of data, accuracy of data, validations and clear data taxonomies, all have long been considered by external audits for their financial audits, IA will now need to be more vigilant on such questions.

Kelly believes this will make “data governance closer to becoming an effective internal control, even like an entity level control.” Data governance is going to have to apply across all business processes to achieve this. It would allow you to document your risk management process, in a very data driven way and harbor the confidence in it because your data governance is robust. Kelly said, “it is such an important thing that we have nailed it time and time again. Internal audit and the business functions all work together to understand this is the data we have, this is how we classify it, this is how we validated, this is how we know it's all complete.” This also means that a Chief Audit Executive will need to work with the Board of Directors and C-Suite executives to ensure data governance has their attention as an entity level concern.

This also brings up the issue of taxonomy which Kelly described as “the dictionary or vocabulary of data”. He provided an example from the compliance arena, third parties. What are all the types of third parties your organization engages with and what is the taxonomy you are going to apply to such a diverse group as resellers to joint venture partners to sales agents? Further, do you want a taxonomy that splits it down to “sales agents by region, by country or something else?” There must be some type of definition so that all compliance professionals are clear on the definition of what a third party is, so they can be tagged for data analysis. They would all fit in this taxonomy and then you can analyze the data presented as there is a clear understanding of each definition.

In Part III, we consider some specific examples.

Aug 13, 2018

In this special five-podcast series, Matt Kelly and I are exploring the future of internal audit (IA), compliance and analytics. For Part III, we consider three examples of how a framework of a risk management process could be used. The examples are (1) Invoice before PO; (2) Travel and Entertainment (T&E) spending at $49; and (3) Hotline metrics for compliance and culture analysis.

Invoices and no POs 

The first one actually comes from Cisco Systems, Inc. (Cisco) where they develop all their technology in house and while the technology they are using is not important, it is interesting to think through the theory of what they are trying to accomplish. Cisco wanted to determine how many times they get an invoice hitting the accounting department to be paid before a Purchase Order (PO) has been received by the accounting department. What Cisco was trying to do was track every instance where an invoice arrived before the PO. The company created a visualization tool so there would be a little red dot for each instance and studied how often this happened across several quarters. 

Through this visualization tool Cisco was able to classify every expense by such criteria as:  When did we get the purchase order? When did we get the invoice? What department is this for? From this point, the company could begin to detect and analyze. Equally important, with the use of the visualization tool, literally anyone in the company could see and use the data. By defining the practice as it violated internal company policy, quantifying it and then putting it into a visual format, this led to a reduction in the number of times this situation occurred because employees were more attentive to their spending.

T&E Spend at $49 

The second example came from a public utility company in the Midwest. The company had a policy where any employee with a T&E expense for more than $50 had to submit a receipt. For any expense at $49 or less, the employee could submit an expense without the receipt and it would be processed and paid. This process was an anti-fraud measure to see if any employee(s) were trying to slip something by at the $49 level where they were not required to supply documentation. 

Interestingly, the company did not find any instances of egregious fraud. However, they were able to communicate to all employees it could monitor such reimbursement requests and could impose strong fraud controls in the situation where there was no requirement for the employee to supply documentation. This innovation gave them the opportunity to monitor when the $49 threshold was “just a little bit too often or a little bit too frequently where it seemed shifty”. Kelly emphasized that this is the clear analytics which improve the company's bottom line and risk management because (1) you are improving your ability to find instances of fraud in the transaction and (2) it communicates to the employees the strength of the control environment. This can be an important signal to send from a control environment perspective.

Hotline metrics for compliance and culture analysis

The third example was one of hotline metrics and analysis. Many Chief Compliance Officers (CCOs) and compliance professionals focus on metrics from hotlines such as are you having a lot of calls or having no calls? Is that good or bad? Is your program working or is it not? What does it say about the culture tracking hotline calls themselves? However, following such metrics does not tell a CCO anything really about the culture. Kelly believes the better way to do this is to configure your intake system to get as many characteristics about the call as possible, specifically around retaliation complaints.

Kelly said such analysis would include looking at questions, such as how many retaliation complaints relative to: all complaints; a type of manager; a specific time of year; in specific markets; at specific levels of the company or even against specific people if you can track it all the way down? What you are trying to do is identify where the problem areas are and where people seem to be retaliating more than usual. If you track those metrics over time, not only does it tell you about your culture but it gives insight into why we have this retaliation problem in the first place. It can lead to an analysis around your ethics training if it is working because if complaints about retaliation continue to increase, that tells you that maybe the ethics and anti-retaliation training you are providing to your managers is not working. 

Kelly concluded by noting that these three examples on invoices before PO orders, a T&E reimbursement expense request without documentation and examining retaliation complaints to get a better sense of your corporate culture can provide very practical steps you can take today which you might not have been able to accomplish 10 years ago because the tech was not available. However, with the evolution in the IA function and capabilities, you should be able to do so going forward.

In Part IV we will consider new working relationships based upon the evolution of IA.

Aug 13, 2018

In this special five-podcast series, Matt Kelly and I are exploring the future of internal audit (IA), compliance and analytics. In Part IV, we consider the new relationships which can be created based upon the evolution of IA. These changes will allow IA to work more closely with 1st and 2nd lines of defense. However, how does your organization prepare for that empowered audit function? Finally, we will consider corporate culture and ask if analytics and monitoring can drive behavior even more forcefully than ethics?

Typically, IA is thought of as part of the Third Line of Defense. However, through the greater use of analytics, IA can move closer to the second or first line of defense or at least work more closely with those who are traditionally seen as the first or second lines of defense. This speaks to one of Kelly’s key points, that the evolution of IA will change the relationship between audit and other functions. Kelly also said it raises an important question, “As internal audit moves towards better analytics and risk monitoring drives up the importance of strong control design, people really need to start thinking about how to detect, how to monitor the risks that are important to my business process.”

Consider internal financial controls and the review of its effectiveness by an external auditor. In most situations bribes are funded through marketing or similar internal budgetary items. An external auditor will only consider material costs so if your marketing budget is over $100,000,000,000 annually for a worldwide, multi-national, a bribe payment of even $1,000,000 hidden in marketing expenses might not be considered material. Therefore, under this IA evolution, the function would need to not only understand the company’s risk but work with the first line business process owners to “clarify what your risks really are and figure out how to manage more accurately, more closely and more effectively.”

This does not mean IA will become a new department of risk monitoring as it will always need to maintain independence and objectivity. It does mean that other corporate departments, such as compliance, should consider taking advantage of IA’s expertise to help create a control for compliance risk that can be monitored and the results quantified. By having that conversation between IA and compliance, both corporate functions can become aware of the types of controls they are using and how they can be made more efficient or even streamlined. Now imagine that conversation with other risk areas in a corporation: anti-harassment, anti-trust, anti-bid rigging, IT security and data privacy. It is all about the operational risk for each corporate function. But the business process owner would continue to actively manage the risk.

CCOs and heads of other functional units need to be having those conversations now as Boards of Directors are starting to ask those same questions. But it comes with something along the lines of “If not, why not?” Boards see these types of conversations as improving the overall risk management process. I believe that compliance is uniquely suited to having those conversations now with IA to move the process down into the business unit to more fully operationalize the compliance function into an organization. This is certainly the approach advocated by the Department of Justice (DOJ).

Now consider a world where analytics is more prominent. If your organization is more analytics driven, how will it work in your corporate culture? Obviously, if abused or mis-used, a data driven analytics culture can also wind up being a negative place to work. In most organizations, we have seen that that which is managed or measured gets managed well. However, if you measure and manage everything, then you are micromanaging people. Everyone involved will need to consider how does this really impact the human beings who are in an organization? You should also realize that if you are managing and observing everything, what does that say about making your organization a nice place to work? Is it an interesting and challenging place to work or is it simply an organization which manages risk well? Finally, will analytics and monitoring drive behavior even more forcefully than ethics? Those are the types of conversations every company should be having now, not later.

Tomorrow we conclude with getting started and moving forward.

Aug 13, 2018

In this special five-podcast series, Matt Kelly and I have been exploring the future of internal audit (IA), compliance and analytics. In the final episode, Part V, we discuss how IA can get started and provide some concluding remarks. We consider whether the technology is here today to implement the suggestions put forward this week. Can (or perhaps should) a company outsource internal control testing or internally develop a tool for analytics? We consider some of the biggest obstacles audit leaders cite for moving forward: lack of resources, business complexity, and lack of staff, and how the Chief Compliance Officer (CCO) can aid IA in this evolution. We conclude with some thoughts that to succeed, an organization should know its objectives, get good data and think in terms of harnessing and channeling risk, rather than fulfilling compliance.

It begins with complete and accurate reports and all of the financial data present. You must begin with a complete and accurate list of data. You need to think all of this through at the beginning and have strong internal controls around it because without good data you get bad data, which leads to bad internal controls and this leads to bad conclusions. From that point, Kelly noted, “everything we have talked about here goes out the window because it started with a bad foundation.”

From there it moves to the analytics. Fortunately there are multiple vendors which currently provide those types of products which have some type of data analytics capabilities. For instance, they exist in the gift, travel and entertainment (GTE) database space, third party management platforms and hotline reporting tools. The key is to have a central repository of data that you can trust, that is validated and tamper-proof. The next step is to extract the data out from its respective repositories with an analytics tool and present the data in a visualization tool.

The next requirement is staff. Right now (and for the foreseeable future) data analytics professionals can write their own tickets. So this may be a problem for startups or smaller companies. However, larger companies may have business analysts who could fill this role. Kelly said that you could potentially pair them with IA to perform analysis projects. IA are going to know how to audit and what questions to ask, however they may not know how to get the visualization and the analytics done well and that is where the business analysts come in.

The pairing of a subject matter expert (SME) with IA can also work. Kelly pointed to the example from the Cleveland Clinic where the Chief Integrity Officer, Don Sinko, has had success using employees from the nursing staff as they know the operations inside and out and when you pair them with an internal auditor it “creates a nucleus of operational knowledge.” Other examples are banks which use employees from the customer care centers because they have the greatest knowledge of the company’s problems.

Another key issue which Kelly pointed to was whether the company truly understands its objectives. He stated, “What are the actual objectives? Does everybody know them? Does everybody know which one is ranked number one and which one is ranked two, three and four? You really need to think through this is what we want to achieve.” From there you should ask what are the risks that might prevent us from achieving these objectives? The next step is to then reverse engineer which business process controls are needed to minimize what could go wrong. Kelly said another way to consider it is that “you need to manage the risk and actually the more technical school of thought out there is, it's an objective based risk management is what you need. What are my objectives? What are the risks to achieving them? How do I reduce those risks?” The implicit assumption is the business knows what its objectives are and which ones are more important than others.

The IA evolution that we have explored over this five-part series follows what I see as the evolution of compliance where it went from a paper program to doing compliance to operationalizing compliance and beyond that now. IA, compliance and a wide variety of other corporate disciplines really need to change their thinking about risk and look at risk as not only an opportunity to harness and channel but also to more nimbly manage that risk going forward, not simply just fulfilling some legal compliance. Kelly added some thoughts from the compliance realm, which is that “many compliance officers wince at the idea of compliance as a bolt on addition which you engage in only at the end of the business process.” This outdated definition of the corporate compliance function, “is a drag at the end of the otherwise aerodynamic operation. It slows everything down and you don't want that. You want compliance embedded throughout the whole organization and smart ethical conduct all the way through.”

This has a similar dynamic with IA because historically IA would do a financial statement audit and it would be bolt on because you only do the annual audit once a year. It was performed and completed after the end of the fiscal year. Now we are moving beyond this as Boards of Directors need more assurance on more risks. They need to know that risk is governed and it is governed all the way through from the risk management cycle.

Now overlay the same dynamic with the compliance function. As Kelly noted, “we're talking about risk monitoring and internal audit as opposed to ethics and compliance and the compliance function. This is where internal audit needs to get to because this is where business processes are moving to. All information is becoming datafied and you are able to monitor this data.” Kelly added a visualization when he said, “You are able to analyze when something drifts out of the Green Zone and into the Red Zone.” Kelly believes this is where we are headed and closed by stating, “I think we can probably get there, but there's no reason why we cannot do so. With some good thinking and good use of technology now, there is no reason why you could not start your organization on that path right away.”

Aug 13, 2018

In this episode, I visit with Ellen Hunt, the Chief Audit Executive and Ethics & Compliance Officer at AARP. She is a lawyer and ethics & compliance professional with extensive management experience in designing, implementing and operating ethics and compliance programs including board governance and reporting, designing ethics education, managing enterprise risk processes as well as handling investigations and regulatory agency inquiries. In light of all of the recent corporate scandals, the role of the Board in Ethics & Compliance has been getting more attention. Some of the key highlights are:

  • The role of the Board and the C-Suite and why is it important to running an effective ethics and compliance program.
  • A CCO must build trust with your Board and your C-Suite that you are a practical and reasonable business person who is there to help resolve problems, not unnecessarily embarrass them.
  • Tone at the Top is not memos or even speeches. It is how they interact everyday with their staff and others.  
  • We consider what went wrong at organizations like Uber, VW and Wells Fargo from the perspective of the Board and Compliance.
  • Organizational Justice is a key part of the Board’s responsibility. This means there is one set of rules and ethical obligations for everyone.
  • Why an E&C expert is needed on the Board.
  • The role of the CCO and Board is that of a partnership and for it to work there has to be education, understanding and communication.
  • The E&C profession has to reset or rethink its response to certain situations, i.e., #MeToo, #UsToo, as investigations are not always the right response.

Aug 10, 2018

Having watched his beloved BoSox sweep the hated Yankees in a 4 game set in Fenway Park, Jay is back from a well-earned vacation. He and Tom look at some of the top compliance stories from the past week.

  1. Ben we hardly knew ye. Ben DiPietro announces his retirement from the WSJ Risk and Compliance Journal via Twitter.   
  2. Mike Volkov continues his exploration of blockchain and compliance. In Part 1 he considers how blockchain will revolutionize compliance. In Part 2, he provides some real world examples.
  3. Did Elon Musk’s tweet about going private violate securities law? The regulators are looking into it. Ben DiPietro reports in the WSJ Risk and Compliance Journal.
  4. And then there were none. The Jho Low mega yacht sails into Malaysian waters. What happens next? Harry Cassin speculates in the FCPA Blog.
  5. Donald Trump protestations notwithstanding, the DOJ Cyber Task Force issues its first report. Anne E. Railton and James D. Gatta report in NYU’s Compliance and Enforcement blog.
  6. Canada emerges as a money laundering hub? Sam Rubenfeld reports in the WSJ Risk and Compliance Journal.
  7. Down in the lower 48, some 24 state AGs lobby for some sunshine around shell companies. Jaclyn Jaeger reports in Compliance Week. (sub req’d)
  8. There are big changes coming in how lease obligations are accounted for in a company’s books. Is your organization prepared? Tammy Whitehouse tackles it from the accounting angle in Compliance Week (sub req’d). Matt Kelly considers it from an ERM angle in Radical Compliance. Tom and Matt hash it out on Compliance into the Weeds.
  9. We welcome a new commentator in law and compliance. It’s Jonathan Rausch, formerly SVP and head of Anti-Bribery and Corruption Governance at Wells Fargo. Check out his blog Dipping Through Geometries.
  10. The number of podcasts on the Compliance Podcasting Network will reach the 1000 podcast milestone next week. To celebrate, running each week in August will be a special series as a tribute. This week it has been a series on the intersection of Sherlock Holmes and innovation in compliance. Next week it will be the future of audit, Compliance and analytics. You can download the entire series next Monday at noon, on iTunes. The series will post daily at 10 AM on the Compliance Podcast Network.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at

Aug 9, 2018

The General Data Protection Regulation (GDPR) went live on May 25, 2018. What has happened since then in the data privacy and data protection world? In this episode, Jonathan Armstrong, partner at Cordery Compliance, and I explore what is going on publicly and what has been going on behind the scenes as well. Armstrong provides his thoughts, reflections and observations on the activity which has impacted and will impact companies and individuals going forward.

Some of the highlights of this podcast include:

  • A discussion of the significant court cases that were filed pre-GDPR go-live but are now coming to fruition in court;
  • The number of data privacy complaints is very strong. There have been over 1100 complaints filed in the UK alone. Armstrong estimates there have been over 10,000 complaints filed EU-wide;
  • Equally interesting is the number of data breaches reported. The numbers in Ireland and the UK alone are instructive at 1100 and 1800 respectively;
  • Over 100 cross border cases have been filed and Armstrong believes the EU system for coordinating complaints seems to be working well; and
  • Regulators are putting on training and educational campaigns around GDPR for companies, practitioners and individuals.

For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Aug 8, 2018

In this episode, we consider the leadership lessons from Mark Zuckerberg’s Congressional testimonies before the Senate and Wednesday before the House. We consider his effectiveness in answering the questions and how it positioned Facebook going forward with Congress, the regulators and the public. Some of the questions we considered are:

  • Made any sacrifices? Rather than make promises, did Zuckerberg and Facebook make any sacrifices? Could it be that Facebook is finally showing signs of understanding the importance of leading by example?
  • Looked forward and led the industry? Did Facebook offer to be a part of the regulatory landscape by offering an industry-wide proactive vision going forward?
  • Was he ready and willing to answer the toughest questions? Did Zuckerberg appear sympathetic and accept the role of public punching bag?
  • Did he stay on message? Did Zuckerberg get flustered when diverting from his prepared talking points?
  • Did he start thinking and acting like a media company, not a tech company? Facebook will find they get far more credit for leadership when it isn’t forced upon them by Washington. Did Zuckerberg change his approach in any meaningful way?

Most importantly, did Zuckerberg accept that government oversight and regulation are inevitable, thereby ensuring that Facebook has a hand in crafting what new regulations will look like?

Aug 7, 2018

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly and I take a very deep dive into the upcoming changes in lease accounting treatment. While this may not seem like a compliance related topic, it turns out to have more than several implications for the compliance practitioner.

Some of the highlights from this podcast are:

  1. How does your company currently stand in its lease obligations?
  2. What is your document retention and review policy regarding leases?
  3. How will you assess value and risk going forward?
  4. What will be the collateral consequences?

We unpack all of these points and consider strategies going forward.

For more reading: see Matt’s piece Thoughts on Changes to Lease Accounting

What is the intersection of changes to lease accounting and compliance? Matt Kelly and I unpack some of them on this episode of Compliance into the Weeds.

Aug 6, 2018

What is the purpose of rehabilitation in a best practices compliance program? In this episode, I use the recent trade by the Houston Astros for closer Roberto Osuna last week as an introduction into several areas around compliance, discipline, punishment and zero tolerance. Osuna had been charged with violating the Major League Baseball (MLB) policy on domestic abuse. This weekend Osuna came off a 75-game suspension. It involved an incident of assault, to which Osuna pleaded not guilty in a criminal case in Ontario. As part of this discussion, I consider several questions.

  • What is Zero Tolerance? Does it apply at all times or is it applied only situationally?
  • What is Due Diligence and how does an organization know if it has performed a sufficient level of DD?
  • What effect does or should any of this have on employee morale?
  • What is the purpose of rehabilitation?
  • What is the purpose of discipline in an organization?
  • What is deterrence?

For more reading see my blog post Due Diligence, Zero Tolerance and Compliance.

Aug 3, 2018

With the MLB July 31 trade deadline come and gone, what does zero tolerance mean for the Astros? Jay is out on a well-earned vacation this week so Tom does a solo show and looks at some of the top compliance stories from the past week.

  1. The Houston Astros trade for Jose Osuna from Toronto. He is on a 75-game suspension for violation of MLB domestic abuse policy. The Astros have a zero tolerance for domestic abusers. Guess what happened? David Barron lays it bare in the Houston Chronicle.
  2. Mike Volkov has a 3 part series on deterrence and white collar crime sentencing on his site, Crime, Corruption and Compliance.
  3. Mark Pyman says that corporations should take on more responsibility for the global fight against bribery and corruption. In the FCPA Blog.
  4. Feds make another FCPA arrest in PDVSA bribery case. Dick Cassin reports in the FCPA Blog.
  5. What is the future of Mexico’s anti-corruption system? Robert Clark explores in a guest post in FCPAméricas Blog.
  6. What are the teachable moments from the Panasonic FCPA Enforcement action? Eric Lochner opines in the FCPA Blog.
  7. What is the complexity of the compliance regulations in geographic regions? There is a new index for this. Jaclyn Jaeger reports in Compliance Week. (sub req’d)
  8. Companies which have done business in Malaysia are under scrutiny from a wide variety of regulators for corruption. Is your company ready? John Bray and Harrison Cheng explain what you should be doing in the FCPA Blog.
  9. Who is the only podcaster in compliance to accept queries via carrier pigeon? Eric Morehead (of course). Check out his most excellent podcast, Compliance Beat.
  10. Next week I will have a 5 part podcast series on the intersection of Sherlock Holmes and innovation in compliance on my podcast series, Innovation in Compliance. Starting Monday at noon, you will be able to listen in iTunes here.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at

Aug 2, 2018

As we begin the dog days of summer and the long spell between July 4th and Labor Day, the Everything Compliance gang returns to its four focused topics. After the commentary we follow with rants.

  1. Matt Kelly considers Trump’s move to politicize the selection process for administrative law judges and what this might mean for agency enforcement going forward.
  2. Tom Fox explores three FCPA settlements incorporating the new FCPA Corporate Enforcement Policy and anti-piling on policy (D&B, Panasonic and Credit Suisse). He considers them in light of some of the following questions: Do these matters increase the incentive for companies to self-disclose? Will these and similar resolutions increase compliance or will it go the other way and cause companies to take compliance less seriously?
  3. Jonathan Armstrong discusses GDPR at six weeks post go-live. Where are we? What is the difference between public pronouncements by regulators and private actions by EU individuals? Where are we going?
  4. Jay Rosen considers the pro-active uses of monitoring in areas outside anti-corruption compliance. Here I am thinking about uses to satisfy anti-trust agreements with the FTC/DOJ and hospital conversions.

The members of the Everything Compliance panel are:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at

The host and producer (and sometime panelist) of Everything Compliance is Tom Fox the Compliance Evangelist.

Aug 1, 2018

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly and I take a deep dive into a recent speech by Deputy Assistant Attorney General Matthew Miner where he highlighted the new Justice Department focus on FCPA enforcement in the mergers and acquisitions (M&A) context and his remarks on Opinion Releases.

Some of the highlights from this podcast are:

  1. Does this new focus on M&A really change anything?
  2. What was the prior DOJ focus on M&A in FCPA enforcement?
  3. Will this inclusion of M&A in the new FCPA Corporate Enforcement Policy incentivize companies to make more self-disclosures?
  4. What is the FCPA Opinion Release Procedure? Why isn’t it used more? How can it benefit companies going forward?

We unpack all of these points and consider strategies going forward.

For more reading: see Matt’s piece FCPA Enforcement and Inherited Liability

Jul 30, 2018

How do you measure the impact of your ethics and compliance program? In the second of its four-part series of the Global Business Ethics Survey for calendar year 2018, the Ethics and Compliance Initiative (ECI) has released the report, “Measuring the Impact of E&C Programs”, which shows you how to do just that. In this podcast, I visit with Dr. Pat Harned, Chief Executive Officer of ECI, about the report, as it provides a wealth of information on the return on investment for the compliance professional and builds on the High Quality Program structure initiative by ECI in 2016. The Report identifies 15 operational elements you can use for your program as well as 17 cultural validation points to help assess your compliance program. Some of the highlights in this podcast are:

  1. What is the ECI Global Business Ethics Survey and how does the report of “Measuring the Impact of E&C Programs” fit into the overall structure?
  2. What are the key findings from the Report?
  3. What is a High Quality Program and what are the 5 principles?
  4. Why are mindset and accountability so critical for an effective compliance program?
  5. Why do High Quality Programs have a bigger impact?
  6. What were the Report’s Conclusions and Recommendations?

To receive a copy of the ECI report, Measuring the Impact of E&C Programs, click here.

Jul 27, 2018

With the MLB July 31 trade deadline almost upon us, the Yankees, Indians and Dodgers have significantly upgraded their programs, will the Red Sox and Astros do so? Jay and Tom consider this and take a look at some of the top compliance stories from the past week.

  1. Lots about AI, data analytics and compliance this week. Tom has a three part series on the intersection (Part I; Part II; & Part III). Scott Shaffer goes the other direction, noting how important the human element is in due diligence on the FCPA Blog. Tom relents on the Astros and now admits it was the use of data analytics and not his incessant razzing which led to last year’s WS win. He reviews Ben Reiter’s book and critiques the Astros on the FCPA Compliance Blog.
  2. Mike Volkov considers corporate culture, values and the ostrich in his exploration of the Beam FCPA enforcement action on Crime, Corruption and Compliance.
  3. A CCO looks at corporate activism. Katie Smith pens a piece in Compliance Week. (sub req’d)
  4. What is your FCPA liability in the M&A context? DAAG Matthew Miner talks about it in a speech at the ACI Anti-Corruption Compliance in High Risk Markets conference (they need a better name). Matt Kelly opines in Radical Compliance. Dick Cassin weighs in on the FCPA Blog.
  5. Tesla leans on suppliers to rebate two-year old payments. Does that change the nature of your business relationship? Tom explores in The Man From FCPA. (sub req’d)
  6. How should a company respond to an individual request for information under GDPR? Jeremy Feigelson, Jane Shvets, and Christopher Garrett explore in the NYU Compliance and Enforcement Blog.
  7. What are the downsides to using your founder/CEO/Board Chair as spokesperson? Ben DiPietro explores on the WSJ Risk and Compliance Journal.
  8. Need some insights into assessing your compliance training? Kaplan and Walker are there for you in the Compliance Program Assessment Blog.
  9. Will KPMG survive its ethical scandals? Madison Marriage, Caroline Binham and Martin Arnold explore in the Financial Times.
  10. Who is the only podcaster in compliance to accept queries via carrier pigeon? Eric Morehead (of course). Check out his most excellent podcast, Compliance Beat.
  11. Tom has a 5 part podcast series which explores how Shakespeare informs a best practices compliance program. Henry IV, Part 2; Henry V; Much Ado About Nothing; Othello and King Lear.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at

Jul 26, 2018

In this episode of Across the Board, I visit with Amii Barnard-Bahn. She is a strategic advisor to Boards of Directors and executive coach to many C-Suite members. She specializes in accelerating the success of C-Suite executives and partners with leaders and teams to help scale their business. She has shaped company culture and strategic initiatives as an executive at Fortune 20 companies, smaller businesses and nonprofits, leading multiple functions, including Human Resources, Legal, IT, Communications, and Compliance.

We discuss the recent turmoil at Papa John’s pizza around racial comments by its founder John Schnatter. Schnatter had previously lost his role as CEO for negative comments he made about NFL players and their National Anthem protest last year. In the latest flap, Schnatter used the N-word during racial sensitivity training. He was pressured to resign from his position as the Chairman of the Board. He then changed his mind and wants to fight his voluntary resignation. Some of the topics we discuss are:

  • How should the Board respond?
  • What do Schnatter's actions say about Papa John's corporate culture and values?
  • What has changed for Boards in the #MeToo era of high stakes reputational damage?
  • Do you think a Board committee should handle this issue or the full Board?
  • Who should report to the Board on this issue?

This timely and topical podcast will help you as a Board member understand how your role has changed as the risks to your organization have evolved.

Jul 25, 2018

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly and I take a deep dive into the imbroglio Salesforce found itself in when it came out the company did work for ICE.

We use this dialogue as a starting point to discuss some of the following:

  1. What is the Trump Risk and how can companies begin to manage it?
  2. If a company makes one misstep, does it make another when it tries to engage in ethical offsetting?
  3. Is your organization prepared to stand up for its own culture for ethics in the face of racism shown by the Administration?
  4. How do different stakeholders view your company’s ethical responsibility?

We unpack all of these points and consider the risk management strategies going forward.

For more reading: see Matt’s piece Salesforce Runs Into Trump Risk

Jul 23, 2018

What is the most famous line in Shakespeare about lawyers? That is an easy one because lawyer-haters across the world (and lawyer-lovers as well) know it - First thing we do is kill all the lawyers. It comes from Henry IV, Part II. Most lawyers understand that by killing all the lawyers, it will create an atmosphere that would allow for tyranny and anarchy. Unfortunately this clear import is not as widely seen by civilians (i.e. non-lawyers).

While I think the debate about whether the compliance function should be located in a company’s legal department or in a separate compliance function has largely concluded that it should be independent because of the difference in the two disciplines’ mandates, many in a corporate compliance function came from the General Counsel’s office or have legal training. The lack of law schools providing training in leadership skills has led to a paucity of such proficiencies in my brethren.

Byron Hanson, in an article in MIT Sloan Management Review entitled “Leading by the Numbers”, discussed the sometimes difficult transition financial professionals have to make when moving to broader leadership roles. I found some of his insights to be useful to the lawyer moving from a corporate legal department or large law firm into a leadership role in a compliance department. He listed five changes needed, which I have adapted for lawyers.

  • Transition 1 - From Expert to Leveraging Expertise
  • Transition 2 - From Apprenticeship to Coaching
  • Transition 3 - From Reporter to Translator
  • Transition 4 - From the Right Answer to Multiple Possibilities
  • Transition 5 - From Value Protector to Value Creator

The ability to critically think is still the gift that most US law schools bestow on their graduates. That ability can serve you well as an in-house lawyer and as a CCO. However, the mandates of the legal department and the compliance department are so different and in many ways divergent that the transition from one to the other is not always guaranteed to be smooth. Hanson’s article gives some fine pointers that every lawyer should consider when they make the move to the CCO chair.

Jul 23, 2018

This week I am celebrating the intersection of Shakespeare and compliance with a week-long podcast series on the Bard & Compliance. Most people remember the St. Crispin’s Day speech in Henry V as one of the greatest speeches in all of Shakespeare. However, many people do not focus on what led to that speech, which was that Henry went out among his troops, disguised as a commoner, to ask them what they thought and to hear what they had to say about the upcoming battle with the French. One of the most important things that Henry learns is that his men, while willing to do their duty, believe they will all die the next day in battle, most particularly because of the overwhelming size differential in the two armies. Henry takes this information and incorporates those fears, together with English patriotism, into the rousing speech he gave before he led his men to victory. It was an early use of social media.

How can you get your head around the structure of a social media program for your company? In an article in the MIT Sloan Management Review, entitled “Finding the Right Role for Social Media in Innovation”, Deborah Roberts and Frank Piller laid out potential remedies as a useful tool to help CCOs design an internal company-wide social media campaign.

The most important thing to remember is that communication in social media is two-way; both inbound and outbound. It can help to bring your employee base together in an efficient manner to create an environment conducive to compliance for your organization. It also has the benefit of continued engagement. It is more than putting on training or even a week-long set of initiatives; you can continue the conversation and enthusiasm about compliance going forward.

The authors broke this down further into three parts that emphasize (1) the need to listen to and learn from user-generated content; (2) the need to engage and facilitate dialogue with employee innovators; and (3) to find an audience of early adopters to create excitement and collect feedback. No doubt inspired by some fond childhood memories, the authors monikered these three concepts as (a) Explore, (b) Create and (c) Communicate.

  • Explore
  • Co-create
  • Communicate

CCOs and compliance practitioners need to develop a dedicated compliance strategy around social media, in the context of your corporate objectives. Just as Henry V gave one of the most rousing speeches in all of Shakespeare, basing it on the input he received from his men, you can take the input from your employee base and create a compliance experience that your employees will embrace.

Jul 23, 2018

This week I am celebrating the intersection of Shakespeare and compliance with a week-long podcast series on the Bard & Compliance. How does Shakespeare portend social media in the 21st century? I would submit that one only need look at Much Ado About Nothing to see how it should all play out. As with all Shakespeare’s plays there is quite a bit going on but the play centers around the action and dialogue of Benedick and Beatrice who go after each other in a manner which shames modern NBA trash-talkers. Apparently, everyone else in the play understands the two are meant for each other so they engage in a very social media style of communication to put the two together. Of course, as this is a comedy, everyone ends up married so Beatrice and Benedick, prompted by their friends' interference, finally, and publicly, confess their love for each other.

One of the first companies to embrace social media as a key tool in their compliance strategy was Dun & Bradstreet (D&B), which actively uses social media to make the company’s compliance regime more effective. The D&B experience provides three key insights for the Chief Compliance Officer (CCO) and compliance practitioner. The first is how compliance, like society, is evolving, in many ways ever faster. As more millennials move into the workforce, the more your employee base will have used social media all their lives. Once upon a time, email was a revelatory innovation. Now if you are not communicating, you are falling behind the 8-ball. Employees expect their employers to act like and treat them as if this is the present day, not 1994 or even 2004.

The second is that these tools can go a long way towards enhancing your compliance program going forward. Recall the declination to prosecute that Morgan Stanley received from the Department of Justice (DOJ), back in 2012, when one of its Managing Directors had engaged in FCPA violations? One of the reasons cited by the DOJ was 35 email compliance reminders sent over 7 years, which served to bolster the annual FCPA training the recalcitrant Managing Director received. You can use your archived social media communications as evidence that you have continually communicated your company’s expectations around compliance. It is equally important that these expectations are documented (Read – Document, Document, and Document).

Finally, never forget the social part of social media. Social media is a two-way communication. Not only are you setting out expectations but also these tools allow you to receive back communications from your employees. The D&B experience around the name change for its Code of Conduct is but one example. You can also see that if you have several concerns expressed it could alert you earlier to begin some detection and move towards prevention in your compliance program.
