Richard Steinberg 270004HRBG email@example.com | | Tags:  compliance morgan stanley fcpa grc openpages wal-mart sec | 0 Comments | 3,034 Visits
Chief Compliance Officers, General Counsels and other business executives have long been pushing regulators to provide clarity around the FCPA and more consistent (and appropriately fair) enforcement. Well, companies finally have something reasonably definitive to look at which shows how a well-constructed compliance program implemented in good faith can have extremely positive consequences – it’s the recent Morgan Stanley case, which we’ll get to in a moment.
At the other end of the spectrum is the Wal-Mart fiasco. You know the story – senior Wal-Mart executives knew of millions of dollars being paid to government officials in Mexico to aid expansion in that country, but shut down an investigation. The Justice Department and Securities and Exchange Commission are all over this, and things will not go well for the company. The last thing the DOJ or SEC looks favorably on is executives not reporting a suspected or known violation, and not conducting a full and comprehensive internal investigation. Now proxy advisory firms ISS and Glass Lewis, as well as major public pension funds, are recommending that Wal-Mart shareholders vote against members of the board of directors for neglecting their responsibilities. And there are indications the bribery might extend beyond the Mexican subsidiary. The stock price has taken a hit, the company faces potentially huge fines, executives could wind up in prison, and investors are suing. As is often the case, it’s not so much the bad action, but the cover-up. And it’s also whether the system, here the compliance process, was well designed, implemented and maintained.
Now to Morgan Stanley. The DOJ and SEC have long said that in enforcement actions they give credit to companies for already having a good compliance system in place, but we’ve seen little direct evidence of that. But now we have a game changer. The problems at Morgan Stanley reportedly arose when Garth Peterson, a managing director, successfully pushed for the firm to sell a real estate interest to a Chinese state-owned company, but it turned out to be a shell company in which Peterson had a direct interest, with related cash payments to himself and a Chinese official. Peterson pleaded guilty, facing a potential six-figure fine and five years in prison. But what happened to Morgan Stanley, or didn’t, is the real story here. The DOJ and SEC decided not to bring an enforcement action against the company. The reason – Morgan Stanley has had a strong compliance system, including relevant internal controls. It regularly updated controls to reflect risks of misconduct, and provided extensive training to its personnel, compliance reminders, annual confirmations by personnel, and continuous monitoring. And, when evidence of misconduct surfaced, the firm immediately began and conducted a thorough investigation.
So, there we have two well-known brand-name companies, one of which is likely to pay a high price, the other none at all and whose reputation is enhanced. The message now is clearer than ever. Engage in a cover-up, and deal with forceful regulators and angry shareholders. Have an effective compliance system and do the right thing, and the regulators and others will indeed look favorably upon the company.
Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  openpages compliance sec fcpa | 0 Comments | 2,614 Visits
We know the Justice Department and SEC in recent years revved up enforcement of the Foreign Corrupt Practices Act, which certainly has gotten the close and widespread attention of the business community. With the vast majority of U.S. companies large and small operating globally, general counsels, compliance officers, boards of directors, and other business executives are focusing on related risks and controls. And now the U.S. Chamber of Commerce’s Institute for Legal Reform, noting that companies want to comply with provisions of the FCPA but unclear enforcement makes it challenging, thinks "it is common sense that the rules of the road are clarified." As such, the Chamber has put forth five recommendations: Adding a compliance defense, limiting liability for the prior actions of an acquired company, adding a “willfulness” requirement for corporate criminal liability, limiting liability for acts of a subsidiary, and defining what constitutes a "foreign official."
It appeared these proposals might gain some traction, and then along came Wal-Mart. The charges of bribery in Mexico and subsequent cover-up seems to have dampened interest in modifying, or some would say softening, the FCPA and related enforcement. Certainly Wal-Mart has put tremendous effort into successfully lobbying legislators in both parties – and supporting the President’s initiatives in health coverage and pollution control, and the First Lady’s on healthy foods to combat childhood obesity – all of which may serve the company in good stead in containing political fallout. But we can also expect notoriety around the Wal-Mart case to signal the continued relevance of the Act and deflect efforts to weaken it.
It seems there’s an interesting analogy here, where the Wal-Mart bribery case might be to the FCPA what WorldCom was to Sarbanes-Oxley. After Enron imploded, there was stirring inside the Beltway about need for legislation, but nothing much was expected to happen – until a few months later when the WorldCom fiasco hit the headlines, thereby generating momentum that turned into a rush to get a law passed. In this instance, it may well be the converse – a law that might have been weakened is more likely to stay as is, with continued strong enforcement by regulators. We’ll stay tuned to see what transpires.
Richard Steinberg 270004HRBG email@example.com | | Tags:  compliance openpages ocie sec | 0 Comments | 3,398 Visits
The head of the SEC's Office of Compliance Inspections and Examinations, Carlo di Florio, recently spoke about what his 900 professionals look for in conducting examinations of a wide range of financial institutions – noting the OCIE is breaking new ground. In carrying out its mission to improve compliance, prevent fraud, monitor risk, and inform policy, di Florio's office is expanding its focus to include boards of directors. In considering a firm's compliance culture, the OCIE is entering into direct discussions with boards of directors, to get a sense of the board's as well as senior management's attention to and focus on regulatory compliance issues. di Florio didn't name names, but media reports say such discussions already have taken place with the likes of Goldman, Morgan Stanley, Barclays and Wells Fargo. He did say that the new focus is due in part to the fact that a firm's compliance culture is an "elusive concept and a real challenge," having a huge impact on the extent to which a firm engages in ethical conduct, also noting the need to integrate compliance within risk governance processes.
If you've encountered Carlo di Florio, you may have observed a soft spoken, gentle demeanor and charming personality. But that shouldn't be misinterpreted for anything less than a hard-nosed and rigorous approach on the part of him and his staff. Having worked with him in our “past life,” I can assure you that he is not only thoughtful and creative in approach, he can be relentless in pursuing objectives.
OCIE's approach is multifold, focusing first on review of a firm's polices and related procedures, including policy management and flexibility in dealing with evolving conditions. There's focus on effectiveness of communication and training, and on such matters as how a firm assigns responsibility and handles accountability. Also in its sights are monitoring and testing processes, protocols for communicating issues upstream, and internal whistleblower processes. di Florio notes that the better the internal processes, the less OCIE will need to do. Highlighting its insightfulness, OCIE looks at such critical matters as where the power lies – the business side or legal/compliance – how bonus pools are allocated, independence of compliance staff, and involvement in critical decision-making. Also, the extent of compliance contributions of business units in performance assessment and reward processes are considered.
With all this, the focus on board of directors is consistent with attention to the tone at the top of a firm. Carlo di Florio is moving the lines, and I've no doubt he and his staff will have a sharper focus on and greater insight into what drives compliance.
Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  openpages risk dodd-frank grc whistleblowing sec | 0 Comments | 1,318 Visits
The SEC’s final rules implementing Dodd-Frank’s whistle blowing provisions failed to remove angst among compliance officers and general counsels. While there are some incentives for potential whistleblowers to first report alleged misconduct via internal reporting channels, there’s no requirement to do so – and many are concerned the internal channels will be bypassed. And going outside is on the rise. It’s been reported that in only seven weeks after the SEC’s program began, there were 334 whistleblower filings. Compliance officer concerns are well founded – that bypassing internal channels will deprive the company of being able to investigate and fix problems before they grow, and company personnel will need to play catch up with investigations in reaction to SEC probes.
We can point to many resolved whistle blowing cases for clear evidence of the potential impact of the SEC’s still relatively new program. One homeowner delinquent on her mortgage ultimately received $18 million for reporting suspected use of fraudulent documents in the bank’s foreclosure process. It’s said that in acting against this homeowner – an attorney and career insurance fraud investigator – the bank “picked the wrong person at the wrong time in the wrong place,“ but the robo-signing and other compliance failures were widespread and surfaced from a number of sources. Nonetheless, this individual was one of six whistleblowers receiving $46.5 million said to be part of the five-bank $25 billion settlement. In an unrelated case, a member of a major bank’s quality control team who reportedly was displeased that the misconduct wasn’t reported to regulators, decided to do so herself – ending up with a settlement of $31 million. And there are many more.
Worth noting is a recent survey that indicates more than one-third of American workers have seen misconduct on the job. While many instances of misconduct have been reported through internal channels, it appears the vast majority have not. Why? The survey shows it’s because of fear of not being able to remain anonymous, and of retaliation. Those two factors, plus the possibility of monetary reward, are reported as key factors in incentivizing internal reporting. And the survey also shows two-thirds of respondents didn’t know about the SEC’s program – at least not yet.
Certainly it’s in a company’s interest to be first to know about alleged misconduct, and compliance officers are working hard to upgrade policies, training, communications, and the internal whistleblower systems, all to encourage internal reporting. Actions to ensure anonymity, with positive responses and nothing close to retaliation, are expected to help. Some companies have begun to pay bounties for valued reports. There are indications that when employees believe their reports will be taken seriously without adverse repercussions, there’s increased likelihood for internal reporting. Law firms and others have provided guidance on which companies are acting. However, it remains to be seen the extent to which the possibility of a huge, life-changing payday by the SEC will be too much to resist. Time will tell.
Liz Andrews 2700041WEU email@example.com | | Tags:  openpages regulatory_compliance dodd-frank sec | 0 Comments | 1,555 Visits
The following excerpts are taken from “Compliance, complexity and the need for XBRL: An interview with former SEC Chairman Christopher Cox”:
What are the key drivers of regulatory reform? Will Dodd-Frank really reduce systemic risk? Can better compliance processes drive better financial results?
In the weeks running up to the Vision 2011 and OPUS 2011 conferences, experts within IBM Business Analytics Financial Performance and Strategy Management posed these and other questions to Christopher Cox, a former SEC Chairman and keynote speaker at both events. Below is a transcript of that interview.
Looking forward into the next three years, what are some of the key drivers in the US that will be shaping regulatory and compliance reform? How are those different from the past five years?
The most significant characteristic of the time we are living in right now is the remarkable pace of change, both in legislation and in regulations governing corporate America, in particular the financial services sector.
Of course, the Dodd-Frank 2,300-page behemoth is well-known already to senior finance executives. But what is unknowable are the hundreds of rules that will be forthcoming under that legislation. The schedule called for in the statute has the bulk of the final rule makings scheduled for completion in the third quarter of 2011. It is very clear across the regulatory agencies that these deadlines are going to be largely missed.
As a result, not only will there be regulatory uncertainty on a continuing basis this year, but also for several years into the future. There are over 100 rule makings that have no statutory deadline at all. I think a significant share of even those that were expected to be completed earlier will also be rolled into the future. So during all of this time, senior Finance executives are going to have to be reading the tea leaves – not to mention the statute itself – to determine how to comply. And it isn’t just Dodd-Frank, of course, where we have all this legislative and regulatory ferment. The unprecedented rapid pace of chance in law and regulation and the continued uncertainty about what the government will do next pertains to the tax area as well. During the last year alone, Congress enacted no fewer than six major pieces of tax legislation – including the two “Obamacare” bills, the HIRE Act, the Education Jobs Act, the Small Business Jobs Act and, of course the year-end Tax Relief Act that temporarily extended the current tax rates.
That last piece of legislation bought us at least two years of tax certainty, but when it comes to long-term capital gains or any of the other rules governing the taxation of investment, two years are scarcely enough to permit long-term planning, and so the uncertainty continues.
That uncertainty about where financial, tax and regulatory policy are headed in turn creates a challenging environment within companies and within firms when it comes to shaping their response to regulatory and compliance changes. That’s the environment in which we find ourselves. Given the extent of this change and the predictable uncertainty that will continue for several years, it is very important that companies respond to this in ways that are exceptionally flexible.
How should Finance organizations prepare for this future regulatory environment in spite of uncertainties, particularly global companies that do business in multiple jurisdictions? What sustainable practices in their control and reporting processes and systems do they need to invest in to prepare for the future?
Being globally active, of course, only ramps up the uncertainty because the requirements from multiple jurisdictions are layered on the responsibility of senior Finance executives for U.S. compliance. It is nonetheless possible to synthesize thematically many of the global requirements, because at least topically, they have very much in common.
What is most important is that the different parts of a global organization can talk to one another and that the human beings who must extract information from the IT systems that collect and disgorge that information can rationalize it. In particular, companies that address these changes in ways that are adaptable and flexible will have a clear advantage. Companies that fail to manage the process in this way will likely find their companies non-compliant and their risk management practices called into question – not only by regulators, but also by their shareholders and their customers.
Do you think that the passage of Dodd-Frank will reduce systemic risk and improve stability in our financial services institutions?
Unfortunately, the Dodd-Frank Act failed to address several of the
most significant causes of instability in the financial system and
sources of systemic risk. The first is the status of the
This is particularly salient, as the conservatorships have required the GSEs to engage in practices that support housing at the expense of their financial well-being. Likewise, the government’s completely unjustifiable practice of keeping these two GSEs off the federal balance sheet, even as they are under government ownership, makes a mockery of financial reporting norms and honest accounting. Addressing this glaring omission in the Dodd-Frank Act remains a top priority of financial reform.
Next in importance is the inadequacy of bank capital and liquidity standards. Dodd-Frank did not adequately address the obvious failure of the Basel standards in the financial crisis. Those standards continue to create powerful incentives for asset concentration in mortgages and a reliance on credit ratings, and of course both of those had a role in generating the mortgage bubble that led to the financial crisis.
So the short answer to that question would be “No.”
Correct. I’d also say that Dodd-Frank has given the Financial Stability Oversight Council a strong incentive to protect competitors rather than to protect competition, which might take market share from the dominant firms. The systemically important designation implies government readiness to support those firms in a crisis, perversely encouraging more risky behavior despite the more stringent capital and other requirements and thus deepening moral hazard.
Can you discuss some of the best practices for boards of directors with regard to risk oversight? Do you think that changes in proxy disclosure with regard to risk governance has had an impact on risk management practices?
Yes. In 2010, the SEC added requirements for proxy statement discussion of a company’s board leadership structure and its role in risk oversight. Now companies are required to disclose in their annual reports the extent of the board’s role in risk oversight, and they’re required to address such topics as how the board administers its oversight function, the effect that risk oversight has on the board’s processes, and whether and how the board or one of its committees monitors risk. That increased focus on risk management has had considerable and very earnest take-up across the corporate community.
There are several types of actions that companies and their appropriate committees have been taking to step up their focus on risk management. Without question, they are spending more time with management, and isolating the categories of risk that the company faces – focusing on risk concentrations and interrelationships, the likelihood that these risks might materialize, and the effectiveness of the company’s potential mitigating measures.
Many companies have created risk management committees. Financial companies, of course, that are covered by Dodd-Frank must have designated risk management committees, but boards of other companies have carefully considered the appropriateness of a dedicated risk committee, and many of them have found it prudent to create one. In other cases, boards have delegated oversight of risk management to the audit committee, which is consistent with the New York Stock Exchange rule that requires the audit committee to discuss policies with respect to risk assessment and risk management.
For large-cap companies that have a Big Board listing, that has continued to be another way to address these heightened concerns. I think boards are carefully bearing in mind that different kinds of risks may be better-suited to the expertise of different kinds of committees, so they may not always wish to stovepipe responsibility for risk in a single committee.
Above all, best practices today are focused on the fact that regardless of how the board subdivides its responsibilities, the full board has the responsibility to satisfy itself that the activities of its various committees are co-ordinated and that the company has adequate risk management processes in place.
It’s a fascinating world. I can see why if you’re a controller or CFO it’s an exciting but intense place to be.
I think that’s absolutely right. All of these changes we’ve discussed – in particular in the US – mean that we are entering an era of unprecedented demand on companies’ governance, risk, and compliance processes and IT infrastructures. I think that companies have dealt with regulatory changes over the past half-century largely incrementally. They’ve made adjustments to their enterprise-wide systems as needed to comply with what have been modest changes from year to year. But given the enormous scope of changes in these forthcoming new regulations, companies will find it necessary to find a comprehensive and holistic approach to at least regulatory reporting – and, in my view, their management control as well.
Companies have traditionally relied on different processes to gather enterprise data to help management run the business on the one hand, and to gather data in order to satisfy regulators, on the other. In part, that was sustainable because the information that regulators were requiring was historical and post-facto. But things are rapidly changing under these new frameworks. Regulators including the SEC are now requiring information that is risk-based and predictive. While that is a big change, it’s also a significant silver lining in that this will align the process of collecting and gathering information more closely with what management needs. That means that CIOs should be looking for ways to integrate their regulatory and their management reporting processes. For that reason, regulatory reporting doesn’t have to be viewed as sheer cost, or necessary evil. Instead, there can be significant efficiencies and productivity gains for the enterprise by merging the requirements of management and regulatory data gathering processes.
This convergence will also allow companies to restructure their data in a way that will feed predictive analytical systems. That, in turn, can lead to an improvement in both risk management at the board level, and risk-based decision-making processes at the management level.
About Christopher Cox, Former Chairman, United States Securities and Exchange Commission (SEC)
Beginning in 1988, when he was elected to the House of Representatives, Christopher Cox established a record of legislative accomplishments that elevated him to the top of the Congressional leadership. His wide range of expertise in a variety of complex issues gives him the ability to take the long view of the economic future, predicting both the actions of Congress and the effects those actions will have on the marketplace. The author of the Internet Tax Freedom Act, which protects Internet users from multiple and discriminatory taxation, Cox held leadership positions ranging from chairmanships on committees and taskforces overseeing everything from budget process reform and policy to homeland security and financial services. During his tenure as chairman of the Securities and Exchange Commission, he continued this fight for justice and transparency in the world of investing.
An Accomplished Lawmaker and Reformer. During his seventeen years in Congress, Cox served in the majority leadership of the U.S. House of Representatives. He authored the Private Securities Litigation Reform Act, which protects investors from fraudulent lawsuits, and his legislative efforts to eliminate the double tax on shareholder dividends led to legislation that cut the double tax by more than half. In addition, he served in a leadership capacity as a senior member of every committee with jurisdiction over investor protection and U.S. capital markets, including the Energy and Commerce Committee, the Financial Services Committee, the JointEconomic Committee, and the Budget Committee.
An Advocate for Investors. At the SEC, Cox focused on the enforcement of securities law enforcement, bringing a variety of groundbreaking cases against market abuses such as hedge fund insider-trading, stock options backdating, and municipal securities fraud. He also helped turn the Internet into a secure environment, free of securities scams, and he worked to halt fraud aimed at senior citizens. As SEC chairman, he was one of the world’s leaders in the effort to integrate U.S. and overseas regulatory policies in this era of global capital markets, making international securities exchanges safe, profitable, and transparent. As part of an overall focus on the needs of individual investors, Cox reinvigorated the SEC’s initiative to provide important investor information in plain English, championing the investor’s right to a transparency. His reforms included transforming the SEC’s system of mandated disclosure from a static, form-based approach to one that taps the power of interactive data to give investors qualitatively better information about companies, mutual funds, and investments of all kinds.
In 1994 Cox was appointed by President Clinton to the bipartisan commission on entitlement and tax reform, which published its unanimous report in 1995. From 1986 until 1988, he served in as senior associate counsel to President Reagan. From 1978-1986, he specialized in venture capital and corporate finance with Latham & Watkins. Cox received an M.B.A. from Harvard Business School and a J.D. from Harvard Law School, where he was an Editor of the Harvard Law Review.