Info

FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report
2019
May


2018
November
October
September
August
July
June
May
April
March
February
January


2017
December
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
March
February


2015
December


Categories

All Episodes
Archives
Categories
Now displaying: September, 2017
Sep 12, 2017

I believe one of the most significant innovations in compliance will come through the incorporation of blockchain into compliance. I see great value propositions for the compliance function. Mike Volkov has noted, “The key to blockchain is creating a secure environment among multiple actors in which the actors can record events and transactions in real time in shared ledgers. These ledgers are immutable, meaning they cannot be modified, and secure from potential hacking or modification. Blockchain users can receive real-time reports of activities without having to rely on post hoc reports. As a consequence, a specific user can flag potential red flags early, almost in real time, when events occur based on specific settings they establish for monitoring blockchain events.” 

A more detailed exploration of the use of blockchain was presented in an article in the MIT Sloan Management Review, entitled “How Blockchain Will Change Organizations, where authors Don Tapscott and Alex Tapscott speculate that the transformations which blockchain may facilitate in the corporate world could lead to some truly revolutionary modifications in key businesses processes. 

How could blockchain have such a dramatic impact on compliance? First is the explanation of what blockchain might mean as a tool in business process. The authors explained that in a business transaction, you cannot email money as you can a document so a company must “use intermediaries to establish trust and maintain integrity. Banks, governments, and in some cases big technology companies have the ability to confirm identities so that we can transfer assets; the intermediaries settle transactions and keep records. For the most part, intermediaries do an adequate job, with some notable exceptions. One concern is that they use servers that are vulnerable to crashes, fraud, and hacks.” 

The authors then go on to ask, “What would happen if there were an internet of value where parties to a transaction could store and exchange value without the need for traditional intermediaries?” The answer is that blockchain provides a transparent method to verify and approve transactions that is encrypted. Not only would this lower transaction costs and perhaps even barriers to doing business but also allow greater expansion of business into new geographic areas, through the use of previously external resources which were prohibitively expensive. Think of the possibilities in compliance for the supply chain and vertical integration. 

There are several specific areas where the value from blockchain could enhance the operationalization of compliance into the fabric of a company. In Human Resources (HR) and Procurement “Blockchain will enable organizations requiring specialized talent and capabilities to obtain better information about potential contractors and partners than many traditional recruitment and procurement methods offer.” This means that with a potential third party business partner’s consent, a company will have access to a cache of information that is known to be correct because it has been uploaded, stored, and managed on a highly secure, distributable database. Such potential business partners would not be able to misrepresent their capabilities after such information has entered on the blockchain. The authors also note that “Tampering with data after the fact wouldn’t be possible: It would involve taking over the entire blockchain, a nearly impossible task.”

This is made even more powerful in the area of financial reporting. Typically, a search is “horizontal (across the web) and vertical (within particular websites). What you find can be out-of-date or inaccurate in other ways. On a blockchain, though, there’s a third dimension: sequence. In addition to being able to obtain a historical picture of the company since it was incorporated, you can see what has occurred in the last few minutes.” The authors correctly note, “The opportunity to search a company’s complete record of value will have profound implications for transparency as it brings to light off-book transactions and hidden accounts. People responsible for records and reports will be able to create filters that allow stakeholders to find what they are searching for at the press of a button. Companies will be able to create transaction ticker tapes and dashboards, some for internal use”. This would be extremely helpful in the difficult vetting of third parties around financial information. 

In the sales realm, blockchain could be most helpful in understanding who you are doing business with and, more particularly, if the company is a state-owned enterprise. The same information you would consider about potential third parties sales agents would be available from customers. Obviously this would be critical in any Foreign Corrupt Practices Act (FCPA) analysis but it could also pay big results in anti-money laundering (AML) compliance. As the authors note, “sellers won’t have to incur the cost of establishing trust — thus they can facilitate transactions that would have been risky or might not have been possible otherwise.” Finally, there could be a data security plus as “blockchains will eliminate the cost of warehousing data and protecting other people’s data from security breaches.”

There are two specific areas where I see blockchain directly impacting the compliance profession. The first is with third parties. Volkov has stated, “a company could maintain immutable records of its due diligence process for a specific third party or a specific regulatory requirement. Due diligence delays would be eliminated by providing immediate and real-time and immediate access to the data, collection of information from potential third parties, and analysis of the information. A compliance officer could expedite the entire verification and validation process.” 

The second area where blockchain provides a potential game changer is contracts, specifically around compliance terms and conditions. As the authors explain, “Blockchains facilitate contracting in both the short and long term. Through smart contracts — software that, in effect, mimics the logic of contracts with guaranteed execution, enforcement, and payments — companies will be able to automate the terms of agreement. This means that if a company develops contract programs to run on blockchain, it can incorporate the required compliance term and conditions and with blockchain, it can trigger alerts and ensure compliance This could be expanded to include compliance training, annual certification, or another ongoing obligation. 

The authors conclude that blockchain could help alleviate some of the more egregious scandals seen, beginning back with Enron and up through Volkswagen (VW) and Wells Fargo. They believe that blockchain could help to “codify ethics and integrity into the circuitry of the enterprise, or reduce the moral hazard that too often sees management gambling with shareholder capital. Through smart contracts under blockchain, shareholders will be able to enforce the commitments executives make. Companies can specify relationships and state specific outcomes and goals so that everyone understands what the respective parties have signed up to do and whether those things are actually getting done.” 

This final points sounds to me quite a bit like operationalizing compliance. It will be interesting to see when the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) will begin to comment on blockchain as a part of a best practices compliance program. 

Three Key Takeaways

  1. Blockchain has great potential for the compliance profession.
  2. Blockchain can facilitate the third party due diligence and update requirements.
  3. Blockchain can provide a clear trigger for compliance terms and conditions.

 

 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

 

Sep 12, 2017

In this episode, Roy Snell and I have a wide ranging discussion on the SCCE's Compliance and Ethics Institute. Roy reviews its history and how it became the largest annual event for the compliance professional. He talks about some of the highlights over the years and hits on some of the highlights for the 2017 event. 

You can find out more information on the event at the SCCE website, by clicking here

Sep 11, 2017

In Compliance and Continuous Improvement”, John Nocero discussed the concept of Kaizen or continuous improvement in compliance. He explained, “Loosely translated, Kaizen means change for the better. It has been utilized successfully by a variety of organizations in healthcare, psychotherapy, government and other industries to help develop long-term competitive strategies, improve operational practices and stay viable. When you think about it further, this principle has even more direct application to the compliance practitioner. In today’s environment in which we work, being a compliance practitioner is like setting yourself on fire at the beginning of the day and trying to put it out by day’s end. We fight fires. We want to be able to control the fire that is burning within ourselves – by learning how to handle the difficult conversation before it occurs, or anticipating how we will act when someone challenges our knowledge or authority.” 

The company Graphic Products explains on their website, “Kaizen works by reducing waste (muda) and eliminating work processes that are overly difficult (muri). As a lean business practice, Kaizen succeeds when all employees look for areas to improve and provide suggestions based on their observations and experience. Generally, these suggestions are for small changes that incrementally change the business for the better.” They suggest a four-step approach, which they call “Plan-Do-Check-Act (PDCA).” 

Under the Plan prong, you “define the problem and develop potential solutions.” Under the Do prong, you next move to “implementing the best solution.” During the Check prong you should “evaluate results to see if the solution worked.” Under the Act prong, you have one of two options: (A) If the solution you implemented succeeded, you work to standardize it and then implement it across the organization. (B) However if the solution did not work, you should return to the planning stage and start again. The site notes that using “PDCA to implement changes ensures that there is a continuous cycle in place to monitor changes and to continue to improve upon them.” 

Copenhagen Compliance suggest another approach in their e-newsletter entitled Using the Kaizen Approach to Risk Management by the Audit Committee”. They say, “Understanding the current nature of a risk is a precondition for a determining your risk appetite and providing a risk response.” It is therefore incumbent that you take the necessary “time, resources and expertise to have a closer look at individual risks and understand what a risk management means to the various department heads and divisions.” 

Using the small workshop format to determine and consider the different levels of risk, they propose you should start with the following questions: 

  1. List the different causes and the circumstances that decrease or increase the likelihood of risks;
  2. List the different causes and the circumstances to understand a risk at an individual level;
  3. List the different causes and effect that can make risks occur;
  4. Describe the effects which take place immediately after a risk occurs; and
  5. Describe the effects of a risk that happen because of the primary effects or because time elapses. 

The answers you deliver to these queries should provide you with a detailed analysis and more insight into both the order and magnitude of the compliance risks your company faces going forward. However Copenhagen Compliance then suggests a second step where you review the risks from a difference perspective. You should begin by using the results of the first exercise to take a look at a couple of different areas. First you should consider “the different causes and the circumstances that focus on the processes or events that precede a risk occurrence.” From there you should “list the different causes and the circumstances that focus on the processes or events that precede a cause of the risk.” The data you develop in this second phase “will provide valuable insights to determine the risk appetite, effective responses to optimize the management of risks with focus on Risk identification” which are embedded in the way you are doing business. 

Marty Ellen, the Chief Financial Officer (CFO) at Dr. Pepper, discussed these theoretical underpinnings in a Wall Street Journal (WSJ) article, entitled “How Dr Pepper Cuts Cost. And Then Cuts Costs Some More”, by Mike Esterl. At Dr. Pepper, Kaizen events are known as “Rapid Continuous Improvement” or RCI. Ellen said, “RCI is about taking the existing baseline and improving it by finding the waste. It starts with walking the entire process. We call it “going to gemba,” which is Japanese for going to see how the work is done. The goal is always to shorten cycle times. You would be surprised. You put a bunch of people in a room to describe how a process works, and they don’t all agree with each other - and they all work on the same process.” 

For the Chief Compliance Officer (CCO) or compliance practitioner, the most interesting take-away from the article was that Ellen has successfully used the process not only in manufacturing processes but also in internal controls and financial processes such as accounts payable. Moreover, using RCI is not about cutting jobs but making the internal processes more efficient. So if you can reduce costs in compliance by being more efficient in the process it sounds like a win for all concerned. 

Three Key Takeaways

  1. Kaizen works by reducing waste and eliminating work processes that are overly difficult.
  2. Use a four-step approach, “Plan-Do-Check-Act”.
  3. Kaizen works in for internal compliance controls and compliance processes.  

 

 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 11, 2017

In this episode, I visit with Alex Tsigutkin, founder and CEO of AxiomSL and Varun Singhal – Senior Vice President Product Management, AxiomSL. AxiomSL a global leader in risk data management and regulatory reporting solutions for the financial industry, including banks, broker dealers, asset managers and insurance companies. Its unique enterprise data management (EDM) platform delivers data lineage, risk aggregation, analytics, workflow automation. 

We discuss data lineage, which is quickly becoming a top line concern and challenge for data managers in financial services. In the past, data lineage—generation of a trail of information that tracks the use and custody of data as it travels throughout the enterprise—was primarily a concern for niche internal projects, usually run by reporting teams. A combination of closer oversight by prudential regulators and rising global standards around data governance, itself, has rapidly led many financial institutions to become more interested in how to do this on a broader level. The implications to and applications for the anti-corruption compliance profession are significant for transparency and accountability in data for sales, third party sales agents and payments, data flow in an organization and vendors in the Supply Chain. You can find out more about AxiomSL and data lineage by checking out their website, by clicking here.

Sep 8, 2017

One of the most constant things that I have observed in my 10+ years of practice in the compliance space is its constant evolution. Compliance techniques and practices, which were considered cutting edge when I began, have moved to standard fare and are now largely minimum practices. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have mirrored this evolution in not only how they view compliance programs but also in their own enforcement regimes and protocols. Today I want to consider agile innovations methods for your compliance program. 

According to a Harvard Business Review (HBR) article “Embracing Agile, by Darrell K. Rigby, Jeff Sutherland and Hirotaka Takeuchi, agile methodologies “involve new values, principles, practices and benefits and are a radical alternative to command-and control-style management.” It is accomplished by taking employees “out of their functional silos and putting them in customer-focused multidisciplinary teams”. As the customers of the compliance function are the company’s employees, I think the transition can be made. 

One of the most basic problems is that business executives basically understand only enough about agile to be dangerous but they do not understand the comprehensive approach that needs to be taken. This means that senior management will continue to the same management practices that in fact work to undermine the agile process. The authors suggest the solution is that executives learn the basics of the agile process and understand the conditions in which it does or does not work. They should begin with a small team and project and let the operation spread organically. 

Some of the right conditions for the success of an agile initiative in the compliance arena are as follows. You should have the right market environment for the project. This means you need to have your internal customers involved and allow feedback to change any proposed solution. You must be willing to innovate, particularly if there are complex compliance problems involved. You will need to break down the solutions into digestible junks, which may actually change the scope but through cross-functional employee collaboration, you can have appropriate creative breakthroughs. 

Digestible junks will allow you have incremental developments, which can be tested and then rolled out for use by your employee base. As your internal customers use the innovations, the work cycles can be broken down further so both testing and innovation can continue unabated. This allows a continual feedback loop so that late changes in the innovation can be managed and incorporated going forward. Finally, if there are interim mistakes, it can be a valuable source of lessons learned going forward. 

An example might be around compliance training, a topic oft-times commented upon as rote and something employees simply have to get through. Some commentators have characterized such training as a basic ‘tick the box’ exercise simply to get government credit. While such commentary fails to understand the benefits of communication through training, it does point up the issue of the stiltedness of compliance training.

An approach to this might be to put together an agile team to look at training so that compliance could create topical training, in a few days to respond to market or other conditions, separated out by the challenges met in various product lines or geographic areas. This innovation can include budgets as well, making your compliance function more cost effective through innovation. 

Another concept is to start small and let the word spread. This is antithetical to many large companies that “launch change programs as massive efforts” largely because the project sponsors feel that if they do not do so, the rest of the company will divine that the effort is not really supported by senior management and respond accordingly. However, the authors suggest “agile might spread to another function, with the original practitioners acting as coaches. Each success seems to create a group of passionate evangelists who can hardly wait to tell others in the organization how well agile works.” 

The C-Suite has a role as well by practicing agile at the top of the organization so not only could senior management provide new techniques through an agile exercise, they could learn how to support more fully the compliance function which might engage in an agile review. “Senior executives who come together as an agile team and learn to apply the discipline to these activities achieve far-reaching benefits. Their own productivity and morale improve. They speak the language of the teams they are empowering. They experience common challenges and learn how to overcome them. They recognize and stop behaviors that impede agile teams. They learn to simplify and focus work. Results improve, increasing confidence and engagement throughout the organization.”

There are three succinct benefits. First by having senior management involved in an agile exercise, it would allow them to “catch up with the troops” and to reprioritize their efforts going forward to be better aligned with the real-time nature of agile. Second, it allows a speedier corporate transition as it can allow the employees to know if management is in tune with what the employees care about going forward. Finally, it can present clear alignment of departments and functions on a common vision. I can think of no greater strength for the compliance function to rely upon. This can be used to expose senior managers to break out of their “silos in today’s overspecialized organizations-for general management roles.” 

The authors conclude by noting the need to destroy barriers to agile. They list five pointers. First “get everyone on the same page” which they believe is the key responsibility of management. Second is not to change structures but to change roles so that internal company disciplines “can learn to work together simultaneously, rather than separately and sequentially.” Next is to name only one boss for each decision as in the agile operating model it must be “crystal clear” who can make the final decision. Penultimately, your agile exercise should focus on teams not individuals because it is the team’s collective intelligence that brings the power to an agile exercise. Finally, lead with questions not orders. Here the authors cite to General George S. Patton, who “famously advised leaders never to tell people how to do things: “Tell them what to do, and they will surprise you with their ingenuity.”” 

The agile exercise will probably not work in a compliance function under the thumb of the corporate legal department, as innovation is typically not in the remit of legal. However for a compliance function that desires to bring new and unexpected ways of doing compliance to your organization, going through an agile exercise might be just the thing to move compliance into the very DNA of your organization. 

Three Key Takeaways

  1. Agile compliance involves new practices and benefits and is a radical alternative to command-and control-style management.
  2. Agile compliance allows you to take small, digestible steps.
  3. Agile compliance works at the top. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 8, 2017

After a two week absence, Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories which happened while we were off, including: 

  1. Retired U.S. Army colonel, Joseph Baptiste was caught in a FCPA sting. Sam Rubenfeld reports in the WSJ Risk and Compliance Journal. Richard Bistrong writes that the Baptiste arrest was unlike the Gun Sting case, where he was a cooperating witness. See his blog post in the FCPA Blog.
  2. Andy Spalding asks if the DOJ could make the Pilot Program even better? See his article in the FCPA Blog.
  3. New York banker Mahmoud Thiam jailed for seven years for laundering bribes from Chinese companies. See article by Dick Cassin the FCPA Blog.
  4. Wells Fargo’s woes grow even worse. See Joe Mont’s article in Compliance Week.
  5. Mike Volkov has a two-part series on the intersection of anti-corruption compliance and anti-trust compliance. For Part I, click here. For Part II, click here.
  6. Bill Steinman writes about why we fight graft and corruption in the FCPA Blog.
  7. Compliance Week explores the pro and con arguments of SEC no admission settlements. For the pro side see post by Brad Karp and Susanna Buergel of Paul Weiss. For the con side see post by Judge Jed Rakoff.
  8. SFO wants great powers to fight money-laundering. See article by Suzy Ring in Bloomberg.
  9. Not surprisingly, Uber is under investigation for possible FCPA violations. See article in the WSJ.
  10. Tom interviews Adam Turteltaub about the upcoming SCCE 2017 Compliance and Ethics Institute. See podcast and for registration information click here.
  11. What are the compliance lessons from Hurricane Harvey? Tom explored in Hurricane Harvey-Reflections on Being Prepared and Practicing Compliance. Jaclyn Jaeger discusses Corporate Philanthropy at it Finest in Compliance Week. Matt Kelly explored these themes in a blog post on Radical Compliance. Finally Tom and Matt explored these themes and more in podcast in Compliance into the Weeds.
  12. Yet another Boston sports team caught cheating, as the Red Sox steal signs from the hated Yankees via an AppleWatch. See article in the New York Times.
  13. This month’s podcast series on One Month to a More Effective Compliance Program is in full production. In September, I am reviewing innovations for your compliance program. This week’s topics include how to set a strategic plan for innovation in your compliance program, Artificial Intelligence as a compliance advantage, how to find patterns in raked leaves and ComTech. Oversight Systems is this month’s sponsor. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
Sep 7, 2017

In this episode, I visit with Rakhi Kumar, the Managing Director, Head of ESG Investing and Asset Stewardship for State Street Global Advisors (SSGA) on the firm’s recent white paper entitled, “SSGA’s Perspective On Effective Climate Change Disclosure”. While the white paper focused more specifically on climate impact and climate risk to businesses in the energy and mineral extractive industry, it set out a protocol which every Board of Directors can use for a wide variety of risks, including compliance risk.

We consider the purpose & methodology of SSGA’s white paper. We take a deep dive into the four areas of how a Board can better position climate change risk:

  1. Governance and board oversight of climate risk
  2. Establishing and disclosing long-term GHG goals
  3. Disclosing information on carbon price assumptions
  4. Discussing impacts of scenario planning on tong-term capital allocation impact

We then consider the SSGA approach in the context of a broader risk management process through the exploration of such issues as

  1. How broadly do climate related changes impact businesses?
  2. How should businesses prepare for disruption due to climate change or climate impact?
  3. Is there a business opportunity for companies which engage in strategic risk management around climate change?
Sep 7, 2017

What will be the role of Artificial Intelligence (AI) in compliance going forward? LawTech had disrupted the legal profession and how it is reshaping many areas of private practice. I found the article had multiple implications for the compliance function. Indeed, I believe there will be a ComTech industry lurking down the road. 

Obviously, document review is one area where ComTech would be most useful. There are many companies who provide key word searches and these same concepts translate readily into the compliance world through massive database searches for key words, such as an ongoing email review through email sweeps. The concept is straightforward; at regular intervals, you sweep through your company email database for identified key words that can be flagged for further investigation, if required. Such a sweep is not limited to anti-corruption compliance but any of the risk factors identified for your company. 

The objective of this approach is to find the evidence of a compliance breakdown by sweeping systems to uncover items that may contain real issues. From here, you can assess and prioritize, by checking and verifying if an issue needs investigating and focusing on the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities. AI can help you to perform all of this more cheaply and efficiently.

Soon compliance will be pushed more to the forefront in anti-money laundering (AML). As banking institutions continue to tighten and strengthen AML controls, criminals and other nefarious actors will move into non-financial corporations to move money for the simple reason that such robust controls required in the financial and financial services world are not generally required in the non-financial corporate world. Non-financial corporations should have robust AML controls in place and one of the requirements for any best practices AML policy is to “Know Your Customer” (KYC). AI will allow a more robust KYC approach. 

Another area where compliance is often left behind is in the arena of Mergers and Acquisitions (M&A). Since the 2012 FCPA Guidance, the focus of compliance in M&A has been more and more on the pre-acquisition phase of a deal. Often the compliance function is either brought in at the last minute and does not have the time to perform adequate compliance due diligence or there is an overwhelming amount of data to be reviewed and the resources available (or made available) to the compliance function is woefully inadequate. AI can help in this area. There are companies which have software that allows thousands of documents to be reviewed in the M&A context. 

The review could include such issues as whether third party sales representatives have the requisite background due diligence in the files, their status and commission rates paid. There could be a review of top sales and business developments folks in high-risk regions, correlated with a gift, travel and entertainment analysis. Finally, you could consider sales in high risk regions or even sales spikes from low risk areas from the compliance perspective. 

A prime example of where AI can assist the compliance function is with third parties in the Supply Chain arena. Every multi-national has literally thousands of vendors. Getting a handle on those is always a challenge simply because of the numbers involved. Using AI, a compliance practitioner can immediately identify vendors that present anti-corruption compliance or other risks to an organization. Once again, having led an effort to list out all employer’s vendors by hand to begin the risk ranking process, I can personally attest to the greater efficiencies AI can bring to the exercise. 

There is yet another set of AI tools which can review contracts to see if any specific types of clauses are non-standard. It would seem a relatively easy software coding exercise to adapt such products to compliance clauses. This type of approach could also be used for non-standard governance clauses in joint venture (JV) or other types of partnerships agreements. Having once been assigned the task of reading all my employer’s JV agreements (87) and third party sales agents contracts (211) from across the globe and recalling the amount of time it took to do so; I can personally attest again to the greater efficiencies we are considering through the use of AI. 

This example also points to one of the key disadvantages to AI and ComTech going forward. In past years, it was through document review and the detailed reading of documents and cases that many junior lawyers were trained. In my experience, reading all those JV agreements and third party sales agents’ agreements gave me a very good education in contract language and what positions were more and less favorable to each party. This is how many young associates were trained in law firms. This very practical method of training will eventually go away. 

This final example also points to one of the key limitations of ComTech. While it might have helped to have AI review the JV agreements and third party sales agents’ contracts, it only could identify non-standard contract language. Unfortunately, since most of the agreements and contracts were bespoke they were uniformly non-standard. Further, the assignment I was given required an analysis of each non-standard contract so the judgment of a human was required. Even as AI becomes more sophisticated, the judgment of a professionally trained compliance practitioner is still required to validate the areas flagged by AI as anomalies. 

Gary Kasparov recognized this after his loss to IBM’s Big Blue in a chess match. In a review of his recent book Deep Thinking-Where Artificial Intelligence Ends and Human Creativity Begins, it noted that Kasparov “recognized that computers do well what humans do badly and vice versa, suggesting a useful complementarity.” Moreover, “he argues that humans are often fallible, finding patterns in randomness and correlations where none exist. Computers can help us be more objective and amplify our intelligence. Technological progress can never be stopped even if it should be better managed.” Kasparov even formulated his own theorem, which he calls “Kasparov’s Law” and it reads, “Weak human + machine + better process is superior to strong human + machine + inferior process.” 

There have always been technological innovations which help make co mpliance disciplines run more efficiently, more smoothly and more profitably. AI is simply another step in this line of technological developments. There is certainly no reason to be afraid of using it. Given the disruption which has impacted the legal profession through LawTech; disruption is not far behind in the compliance world through ComTech. 

Three Key Takeaways

  1. Artificial intelligence has already disrupted the legal profession, the compliance profession may be next. ComTech will be the result.
  2. Document review will be the first area of significant AI use in compliance.
  3. Beware the limitations and disadvantages of ComTech. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 6, 2017

In this episode, Matt Kelly and I take a deep dive into the good, bad and ugly of Hurricane Harvey for the compliance professional. We discuss what lessons may be drawn from the storm and its aftermath for the greater compliance, ERM and business communities and the need to take a much greater holistic approach to the consideration of your risk management strategy. We end with some thoughts on the travails of Salt Lake City nurse Alex Wubbels who was arrested for obeying the law in refusing to take blood from an unconscious patient.  We consider her plight from the compliance perspective. 

For more on Hurricane Harvey and its aftermath see the following:

Matt Kelly’s piece Corporate Ethics, and Glitches, in Houston

Tom Fox’s pieces

 Hurricane Harvey - Reflections on Being Prepared

How Weather Can Bring Analytical Clarity to Compliance

How the Storms of “The Scottish Play” Inform Your Compliance Program

Holmes, the Fog of London and Root Cause Analysis

Practicing Compliance

For Matt’s piece on the arrest of Nurse Wubbels, click here.

Sep 6, 2017

We previously considered how artificial intelligence (AI) can be used as business advantage for compliance. However, the power of AI can also extend the more traditional functions of prevention, detection and remediation. The first way is in simply the mass amount of data which could inundate a compliance practitioner. Many compliance practitioners are overwhelmed about the amount of data available to them and do not know how or even where to begin. 

Patrick Taylor, President and CEO of Oversight Systems, Inc. has noted that AI allows the compliance practitioner to understand the “subtle clues in that pattern of activity that will clue me in to take a different look”. He likened to seeing a pattern in “raked leaves” which allows you to then step in and take a deeper and broader look at an issue, either through an audit or investigation.  This is where compliance practitioner can step back and literally keep an eye on the big picture and longer term as opposed to just the immediate numbers and information in front of them. It may also be the best hope for finding that kind of systemic fraudulent behavior. 

This speaks to one of the difficult issues for the compliance practitioner, which is what does all the information mean? Consider the example of GlaxoSmithKline (GSK) in China. The Chinese business unit employees were working en masse to create fraudulent reimbursable invoices, inflating the cost of industry events to create a pool of money to pay bribes. They would stage an event around a drug product, or service in a hotel. They would inflate the hotel charge 20% above the actual costs and submit the entire amount to the corporate office for reimbursement. In some cases, GSK employees would submit invoices for events which never took place. 

Now layer on top of these deceptions, in China, there is a rampant sale of fake receipts. For every Marriott the Chinese business unit utilized, personnel they could buy an official Marriott receipt, which showed the price that was paid and it was a backup documentation for the auditor to look at on that expense report. Finally, there was the illegal sale of official Chinese government real tax stamps to tier on another level of complexity. 

Taylor said that AI would provide you the opportunity to detect even this type of massive and systemic fraud because, statistically those charges would not make sense. Taylor said the reason this type of fraud can be so difficult to detect and prevent is the charges were on credit cards, so recorded and there was paper documentation to back up the charges. Standard modalities of detection will not assist the compliance practitioner. You just know that something does not make sense. AI allows a compliance professional to gather and compute statistics across a wide variety of customers and situations; such as geographic and time dimensions. 

Using these two data points, you can analyze what is a reasonable amount to spend at a hotel or other venue. But also includes such variables as the time of year as some cities have tremendous seasonality in their hotel charges. Yet others do not and indeed there may even be zero variability in transportation cost across seasons. AI allows you to pull geographic, time, type of expense and even specific vendors statistics for a big-picture analysis. 

In a broader manner, consider all the data points in the lifecycle of any business transaction which produce data analytics for a compliance practitioner. When Business Development (BD) initially makes a call on a potential customer; when a request for proposal (RFP) comes into an organization; when the response is formulated with pricing and proposed discounts; during any subsequent contract negotiations; post-contract obligations for travel and training; and continued business development contacts with a customer. 

Each of these steps could provide data, which taken singularly might not raise any red flags or even be outside company specifications, but taken as a whole it might be a transaction which would lend itself to compliance oversight. Starting with the BD representative, what was the spend on gifts, meals and entertainment (GTE)? Even if that information is not available to the compliance department it is available from employee reimbursement requests so it can be used to take an appropriate business deduction from the Internal Revenue Service (IRS). From the Foreign Corrupt Practices Act (FCPA) perspective, is the BD representative entertaining a foreign government official under the Act? If so, what is the aggregate spending by any one such government official over a 12-month period by one BD representative? What is the BD spend on one particular state owned enterprise official by several company BD representatives? Has there been any travel involved to tour company facilities? If so, what was the aggregate spend and was it correlated with other GTE spends? 

Moving on to any contract negotiations which might take place, were any discounts offered outside the standard discount range? If so were these discounts properly vetted through the internal company process? Was this process documented and was there senior management sign-off in place? Did the customer suggest the use of any third parties as suppliers to the prime contract? Were there any charitable donations requested by the customer? Were there any charitable donations made during any part of this process or within 12 months after a successful contract negotiation? Was the contract properly vetted by all required internal processes: by management, legal, and compliance? 

If the business function was successful in concluding the contract; did it specify any travel for the customer? How about ongoing training and if so where and for how long? Was there a specification of business class or above travel accommodations? Has any required compliance or FCPA training been delivered to third parties involved in the contract? Was there any Corporate Social Responsibility (CSR) requirement going forward? Does compliance have visibility into this or does is go through a company charitable donation group or committee? 

These are but some of the data points which could be inputted and analyzed to determine if any compliance issues arose. But they would also provide the company with a wealth of information on its internal efficiencies around sales and their corresponding processes. Obviously, AItion holds both promise and challenge for CCOs. However, when a compliance function embraces the use of AI and embraces this human and technological approach for forecasting and risk assessments and then keeps improving their risk management techniques, it will create a sustainable strategic business, compliance and intelligence advantage over its competition. 

Three Key Takeaways

  1. Do you know what your information means?.
  2. AI can help both the detect and prevent prongs in a best practices compliance program.
  3. AI can help you to see the patterns in raked leaves. 

 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 5, 2017

Next we consider the introduction of Artificial Intelligence (AI) into the compliance profession. A few pieces claimed AI is revolutionary and would change the face of compliance. Well I have some news for such pontificators, technology has been involved in compliance since the profession began in earnest with the implementation of the US Sentencing Guidelines in 1992. One thing is certain however and that is technology that will improve the efficiency of compliance and will assist in the operationalization of compliance into fabric of every business which embraces it. 

A recent article in MIT Sloan Management Review, entitled “Building a More Intelligent Enterprise, by Paul J. H. Schoemaker and Phillip E. Tetlock explored how businesses could “blend technology-enabled insights with a sophisticated understanding of human judgment, reasoning, and choice” which will provide to them “an advantage over their rivals”. The compliance professional who incorporates the techniques they advocate into their organization’s compliance program will not only move their compliance program forward but also make their company run more efficiently and, at the end of the day, more profitably. 

The reason is not simply that AI can make compliance more effective and more efficient but “in the knowledge economy, strategic advantages will increasingly depend on a shared capacity to make superior judgments and choices.” AI is a step which weds the human interaction and experiences with the data which is available to every company - its own internal information which is most generally sitting in siloed verticals and not being used. This data can “provide the foundation for operations research, forecasting models” when using AI. When you couple this data with the “growing understanding of human judgment, reasoning, and choice” which has provided insights in what humans do well or poorly; you can pair the best of these two seemingly disparate incongruities. 

The authors suggest that you use this strategy in an area which will have the greatest benefit for your company, stating, “The starting point for becoming an intelligent enterprise is learning to allocate analytical effort where it will most pay off — in other words, being strategic about which problems you decide to tackle head-on. The sweet spot for intelligent enterprises is where hard data and soft judgment can be productively combined.” For the compliance professional, this translates to your greatest risk area. Consider the possibility that you could identify through forecasting what your highest risk might be, then use AI to more efficiently and accurately assess the risk and finally tie both an AI technology solution with compliance subject matter expertise (SME) to manage the risk going forward. 

The key in such a scenario is in aiding the compliance practitioner to avoid judgmental “biases that often distort human information processing and by recognizing the precarious assumptions on which statistical models sometimes rest, the analytical whole can occasionally become more than the sum of its parts.” This means you should critically look at a variety of factors around where your compliance risks lie. Most compliance practitioners only rely on the Transparency International-Corruptions Perceptions Index (TI-CPI) for a country’s corruption rating. While the TI-CPI is a good starting point, it is only that. A compliance analysis that an area is high, medium or even low risk does not consider the starting assumption using the TI-CPI. Moreover, because this Index has been used so long, compliance professionals are biased towards and do not seek out other data which might provide a more nuanced approach. 

Another technique which I have been involved with is known as boot-strapping. Here a group of SMEs would develop a model of possible risks which could be assessed with large amounts of data or other inputs. By modeling the experts’ knowledge in risk areas, you could develop not only a more comprehensive forecast and assessment of risk but it would also be more consistent, which would greatly help in your planning and risk management. 

The authors reported researchers who asked a group of corn experts to rate 500 ears of corn to predict their eventual prices in the marketplace, using a variety of factors. “The researchers then created a simple scoring model based on cues that judges claimed were most important in driving their own predictions. Both the judges and the researchers expected the simple additive models to do much worse than the predictions of seasoned experts. But to everyone’s surprise, the models that mimicked the judges’ strategies nearly always performed better than the judges themselves.” Most of the factors were subjective but that did not stop the model from being more efficient. The authors believe the boot-strapping model “remains one of the most compelling demonstrations of the potential benefits of combining the powers of models and humans, including the value of expert intuition.” 

Boot-strapping is the most straight-forward use of this type of technology, as it is “a simple input-output approach to modeling expertise without delving into process models of human reasoning.” Now consider how boot-strapping can be augmented by AI technologies “that allow for more complex relationships among variables drawn from human insights or from mining big datasets.” 

These are but some of the data points which could be inputted and analyzed to determine if any compliance issues arose. But they would also provide the company with a wealth of information on its internal efficiencies around sales and their corresponding processes. The authors conclude by noting, “the cognitive-science revolution holds both promise and challenge for business leaders.” However, when a compliance function embraces the use of AI and embraces this human and technological approach for forecasting and risk assessments and then keeps improving their risk management techniques, it will create a sustainable strategic business, compliance and intelligence advantage over its competition. 

Three Key Takeaways

  1. Innovation in your compliance program has been required since the implementation of the US Sentencing Guidelines.
  2. AI can help compliance in the knowledge economy.
  3. AI in compliance will benefit the business going forward.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 5, 2017

In this episode, I visit with Adam Turteltaub, Vice President of Strategic Initiatives and International Programs. We discuss the upcoming 2017 Compliance and Ethics Institute, which is one of the primary education and networking event for professionals working in the Compliance and Ethics profession across all industries around the world. Sessions at the 2017 conference will offer the latest compliance information on hot topics and current events. Sessions are carefully selected and will be presented by leading experts who will explore real-world compliance issues, practical application, emerging trends, and state of the art techniques. 

The CEI conference and compliance training is great for everyone in the compliance and ethics field including: Compliance Auditors, Compliance Directors, Compliance Management, Compliance Officers, Risk Managers, International Compliance, Financial Compliance, Corporate Business Ethics, Ethics Officers, Ethics Management, Compliance Lawyers, HR Management, and Human Resource Risk. 

Adam and I discuss the tracks for breakout sessions and events, the pre-and post conference events and sessions you wish consider and the volunteer opportunities that are available. If you attend only one compliance and ethics event for the year, this is one for you. You can find out more information at the SCCE homepage, by clicking here.

Sep 1, 2017

Welcome to the September edition of my yearlong podcast series of One Month to a More Effective Compliance Program. In the month of September, I will be focusing on innovation in compliance. I will look at innovation from a variety of angles including AI and ComTech, structural innovations, tools and tactics and innovation in leadership. At this end of September, you will have a number of solid ideas you can use to move your compliance program forward. 

I begin this month by considering the starting point, which is an innovation strategy. In the most recent Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs) issued by the Department of Justice they all include an element along the following strictures, “The Company will conduct periodic reviews and testing of its anti-corruption compliance code, policies, and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anti-corruption laws and the Company’s anti-corruption code, policies, and procedures, taking into account relevant developments in the field and evolving international and industry standards.”[Emphasis supplied]. This means that the DOJ expects innovation in your compliance program to keep up with evolving international and industry standards. This requires you to implement an innovation strategy. 

All of this means you should begin with an innovation strategy for your compliance program. Gary P. Pisano, in an article in the Harvard Business Review (HBR), entitled “You Need an Innovation Strategy” discussed such an approach. He began by stating the problem that many companies face is that “innovation remains a frustrating pursuit.” The key to success is something that every CCO or compliance practitioner should take to heart; which is, a compliance practitioner must be able to lay out an innovation strategy for compliance that details the efforts will support the overall business strategy. This means creating an innovation strategy for compliance that will create value for customers of compliance, IE., employees, third parties and customer, show how the company will capture that compliance value going forward and finally which types of compliance innovation to pursue.

First, some basic definitions useful for the compliance practitioner to think through innovation in the compliance function. Pisano defined a “strategy is nothing more than a commitment to a set of coherent, mutually reinforcing policies or behaviors aimed at achieving a specific competitive goal.” If you have a good strategy, it can promote alignment among diverse groups in a company, help to clarify objectives and priorities and guide your focus on those objectives. It can also be modified as necessary and with sufficient feedback. 

There are several questions you need to consider in connecting innovation to strategy. Initially, how will innovation create value for the customers of compliance; IE., your employees and relevant third parties? Your innovation can make compliance faster, easier, quicker, nimbler and so on. Focus on that creation of value going forward. Pisano’s next question was “How will the company capture a share of the value its innovations generate?” He suggests companies think through how to “keep their own position in the [compliance] ecosystem strong” through innovation. Next what types of innovation will allow the company to create and capture value, and what resources should each type receive, such as a change in technology and a change in a business process. Both are equally valid.

Obviously senior management has a key role around innovation in compliance, as innovation can be driven downward or backward if there is not sufficient management support. This means not only must there be sufficient resources allocated but management must also incentivize the business units to proceed with implementing the innovations. Another area where senior management is critical is with making trade-offs. 

The author noted there are four essential tasks in creating and implementing an innovation strategy. Task 1 is to “answer the question “How are we expecting innovation to create value for customers and for our company?” and then explain that to the organization.” Task 2 “is to create a high-level plan for allocating resources to the different kinds of innovation.” Task 3 is “to manage trade-offs. Because every function will naturally want to serve its own interests, only senior leaders can make the choices that are best for the whole company.” Finally, task 4 dovetails with what almost every DOJ or speaker from the Securities and Exchange Commission (SEC) I have ever heard say when they talk about the basics of any best practices compliance program. It is that both compliance and innovation strategies must evolve. Pisano wrote that every innovation “strategy represents a hypothesis that is tested against the unfolding realities of markets, technologies, regulations, and competitors. Just as product designs must evolve to stay competitive, so too must innovation strategies. Like the process of innovation itself, an innovation strategy involves continual experimentation, learning, and adaptation.”

You must recognize that your compliance program will have to be innovative. Start with a strategy which has senior management buy-in and support, then move to implement. Finally use data in a feedback loop to fine tune your innovations. Innovation in compliance is one of the key differences between those who advocate static compliance standards embodied in a written compliance program and those who advocate an operationalized compliance program is that the latter creates an active, vibrant and effective compliance program. That is the bottom line for innovation. 

Three Key Takeaways

  1. Both the DOJ and SEC expect innovation in your compliance program.
  2. Innovation in compliance should have a strategy going forward.
  3. The key is to demonstrate how the compliance innovation will benefit the business going forward. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

« Previous 1 2