The DOJ’s Latest Compliance Program Warning

U.S. Deputy Attorney General Rod Rosenstein recently announced the Department of Justice’s revised FCPA Corporate Enforcement Policy. The revised Policy is based on the DOJ’s FCPA Pilot Program (in place since April 2016), which provided mitigation credit for voluntary reporting of wrongdoing and specified levels of cooperation and remediation in connection with the resulting investigation. Much has been made about the new Policy provisions that create the presumption of a DOJ enforcement declination and specify percentage reductions from the U.S. Federal Sentencing Guidelines in the event that a company self-discloses, cooperates and/or remediates in accordance with specified Policy requirements. Certainly, these provisions significantly further the shift toward encouraging company cooperation, as well as continue the focus on holding individuals accountable, and deserve careful attention. It was, however, Deputy Attorney General Rosenstein’s third “policy enhancement” that most caught my eye. That provision provides detail about how the DOJ evaluates compliance programs, specifying what he calls “hallmarks of an effective compliance program.” The Policy first states that the criteria for an effective compliance and ethics program may vary based on the size and resources of the organization, which seems fair enough. It then provides a list of criteria (quoted below), which it says will be periodically updated:

- The company’s culture of compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated;
- The resources the company has dedicated to compliance;
- The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
- The authority and independence of the compliance...

The FTC’s New Data Breach Response Guide (and a Reminder)

The two-pronged mission of the Federal Trade Commission is to protect consumers and promote competition. According to the FTC’s website, protecting consumers includes “stopping unfair, deceptive or fraudulent practices in the marketplace,” which these days necessarily includes data security. To that end, the FTC recently published a user-friendly response guide for organizations that have experienced a data breach, which seems to be just about everybody. The guide assumes that a hypothetical company has just learned that it has experienced a data breach, which might include hackers taking personal information, an insider stealing customer information, information being inadvertently exposed on the company’s website or any number of other breach events. The fifteen-page guide then walks through the basic steps to be taken by the company and the persons or agencies that it should contact. Here are the highlights:

Secure your operations
- Assemble a team of experts, including data forensics and legal
- Secure physical areas
- Stop additional data loss
- Remove improperly posted information from the web
- Interview key personnel
- Do not destroy the evidence

Fix vulnerabilities
- Think about service provider access privileges and remediation steps
- Check network segmentation effectiveness
- Work with forensics experts to analyze the nature and scope of the breach
- Have a clear, plain-English communication plan that reaches all affected audiences, including employees, customers, stockholders and business partners but does not further compromise privacy rights

Notify appropriate parties
- Determine legal requirements
- Notify law enforcement
- Notify affected businesses
- Consider whether electronic health information was involved and whether the HIPAA Breach Notification Rule was triggered
- Notify affected individuals (the guide includes a model notification letter)

The FTC’s guide is designed for...

Sustainability Reporting Gains Momentum

A couple of years ago I suggested that companies should consider adding new, or enhancing their existing, sustainability disclosures. (See this Doug’s Note.) The trend toward sustainability (frequently known as “ESG” for environmental, social and governance) disclosure was picking up steam at that time, and has mushroomed since then. A recent speech by SEC Chair Mary Jo White at the International Corporate Governance Network Annual Conference in San Francisco highlights that reality, underscores its importance and hints at where the SEC is headed with this issue. Chair White begins by noting the breadth of topics encompassed by “sustainability,” including climate control, resource scarcity, corporate social responsibility and what she calls “good corporate citizenship.” To the extent that they may materially impact a company’s risk profile or trends and uncertainties, for example, such disclosures would be required under current rules. To the extent they are not technically required by existing rules, they may still be advisable due to emerging disclosure standards within a company’s industry or peer group. Chair White cites reports stating that in 2015 75% of S&P 500 companies and more than 90% of the world’s 250 largest companies published a sustainability or corporate responsibility report. She notes also that various organizations have developed guidelines for sustainability disclosures. (See this Doug’s Note, for example.) Yet, she notes that the push continues for even more reporting, including “integrated reporting” of financial and sustainability information. Nevertheless, the SEC appears to continue its wait-and-see attitude. Chair White acknowledges that sustainability reporting remains governed by the old materiality standards, limited recent guidance on certain issues (such as climate change), general concepts of...

Practical Tips for Effective Corporate Compliance

SEC personnel frequently speak publicly on a variety of topics. Some speeches are less than memorable, while others so perfectly capture the essence of a subject and provide such practical insight that it would be a shame for them to go unnoticed. A recent speech by Andrew J. Donohue, SEC Chief of Staff, falls squarely into the latter category. Mr. Donohue began with general observations for effective corporate governance, many of them as fundamental as kindergarten lessons and, therefore, worth revisiting from time to time. He highlighted, for example, the importance of: “integrity and personal responsibility”; “a culture of always doing the right thing”; simple and intuitive policies and procedures; using technology well, but not to excess; integrating systems across all business units and geographies; and understanding that, in the compliance world, ignorance is not bliss. But the real highlight for me was Mr. Donohue’s fifteen tips (quoted below) for getting comfortable with being responsible (fully or partially) for corporate compliance or, put another way, being sure things are working as they should:

- Get to know the businesses better than the people who run them;
- Have a deep understanding of the regulatory regimes you operate under;
- Identify areas of key risk and focus on them;
- Get to know all the key people in your organization and try and discern where you should focus your attention;
- Understand and appreciate the limitations inherent in any system that you rely on;
- Constantly ask yourself how you know everything is ok [I really like that one];
- Constantly ask yourself what am I missing;
- Follow your instincts and if something does not make sense...

The Fundamentals of Social Media Communication Compliance

Communication via social media is now standard practice, to some extent, at almost all public companies. What once seemed limited to technology and other “forward-thinking” companies has now made its way into even the most traditional businesses. The SEC, and other affected agencies, have long struggled to stay on top of the breakneck pace of social media innovation (see, for example, this Doug’s Note). And despite their best efforts, many companies continue to lag the latest developments, both in terms of dollars spent on new technology and updated communications policies and practices. Nevertheless, companies must remain compliant at all times. Public disclosure on social media (even a few casual keystrokes by an employee or business partner) of misleading statements, material non-public information or protected private information may violate a host of laws and regulations. As you would expect, there is no single formula for staying on top of the changes and remaining consistently compliant. However, adhering to these few fundamental principles will make ongoing compliance more achievable:

Don’t be lulled to sleep by the casualness of social media communications. Information-sharing has become nearly as existential as breathing in our society. As a result, many employees may not even consider the implications of their latest post. Be sure that all employees, including those at the highest levels (see this Doug’s Note), understand the legal limitations on all communications and the consequences of failure to comply.

Create flexible compliance processes. The variety of social media options and the sheer number of social media communications continues to expand exponentially, with no end in sight. Be sure your processes are sufficiently flexible and...

The PCAOB’s Enhanced Auditor Performance Standards–Be Sure You’re Ready

A little over a year ago the PCAOB issued new Auditing Standard No. 18, which enhanced auditor performance standards in three significant areas of a company’s audit:

- Company relationships and transactions with related parties,
- “Significant unusual transactions,” and
- Company relationships and transactions with its executive officers.

These three areas were selected because of the frequency with which they generate material misstatements in a company’s financial statements or outright financial fraud. AS 18 took effect for audits of fiscal years beginning on or after December 15, 2014, which means that it applies to the current 2015 audit cycle. However, it appears that a significant number of companies have not yet fully informed their audit committees about the enhancements, nor have many legal departments determined what steps should be taken to be sure the company is in compliance and the audit goes smoothly.

What changed? The new rules are designed to strengthen auditor requirements for identifying, assessing and responding to the risks of material misstatements.

Related Party Transactions. AS 18 requires auditors to:

- Understand the company’s relationships and transactions with its related parties, including the nature of the relationships and the terms and business purposes of the transaction;
- Evaluate whether the company has properly identified its related party relationships and transactions, using procedures to test the accuracy and completeness of management’s efforts in that regard;
- Perform certain procedures (a) if the auditors find a previously undisclosed relationship or transaction and (b) regarding each related party transaction that is required to be disclosed in the financial statements or is determined to be of a significant risk; and
- Communicate to the audit committee...