Compliance Outline
PROF. DONFRO
FALL 2018
INTRODUCTION
Governance
□ Deals with the structure and control within an organization
□ The processes by which decisions relative to risk management and compliance are
made within an organization
□ Governance of organizations is often complex, involving layers of responsibility
and a variety of different offices and positions, with lines of authority projecting
in many different ways
Risk Management
□ Takes account of the risks facing an organization
□ Has a significant technical component (different than governance)
□ Refers to the processes by which risk is identified, analyzed, included in strategic
planning, and either reduced through risk mitigation tactics or accepted as inherent
in activities that the organization wishes to conduct
□ Goal is not to eliminate risk but rather to manage it
□ Recognizes that activities of the enterprise necessarily involve uncertain outcomes
with different consequences for the success of the organization’s mission
Compliance
□ Refers to the processes by which an organization polices its own behavior to ensure
that it conforms to applicable rules and regulations
□ Processes by which an organization seeks to ensure that employees and other
constituents conform to applicable norms, which can include either the requirements
of laws or regulations or the internal rules of the organization
Note: the functions of governance, risk management, and compliance are not hermetically
separated
□ Serve a common purpose – to ensure that organizations are managed well and in
such a way as to enhance social welfare
□ Includes not only conventional rules and regulations, but also “soft law”
recommendations from NGOs i.e. the Committee of Sponsoring Organizations of
the Treadway Commission (COSO)
Three Lines of Defense (most focus is on the second and third line)
1. Operating executives have initial responsibility for implementing internal controls
within their own areas; line operators
2. Risk management and compliance operations catch problems that are not weeded out
at the front line
3. Internal audits i.e. spot checks and external audits
Role of Attorneys
□ Governance has a legal element because the rules allocating responsibility and
authority for compliance and risk management are contained in formal legal
documents such as charters, bylaws and board resolutions
□ Some of the most important risks an organization faces are legal in nature
□ Australian study concluded that lawyers don’t perform their compliance jobs
any differently than other compliance professionals
Shifting Risk:
□ “Swim at your own risk” – the theory that you assume the risk
□ Mitigating risks.
CORPORATE GOVERNANCE
“Separation of ownership and control” – defining issue for corporate governance
□ Number of shareholders makes it impossible for them to exercise effective governance
□ Managers control what happens in big companies, subject to only minimal checks
from shareholders or other constituencies
Shareholders
□ Gain profits in either of two ways:
o Company may declare a dividend distributing some of the surplus back to its
owners
o Share price may rise to reflect the value of profits which have not been distributed
□ Voting your shares:
o By proxy (i.e. agree or disagree; doesn’t give you the opportunity to give your opinion)
o Go to annual meeting
□ Incur losses when value of their interest falls
o Company becomes insolvent: they forfeit the entire value of their investments
o Company winds up its business (dissolution or acquisition): shareholders get a
distribution reflecting some measure of the value of their ownership interests
□ Reasons why shareholders can’t be the managers of the companies they own:
o Not practical because decisions need to be made quickly (a vote may take too
much time)
o Costly to ascertain the preferences of the shareholders
o May not be well informed about the decisions that they do make
o Hold diversified portfolios, thus are unlikely to care about any particular company
o If the company has shortcomings, the shareholder can simply sell its stock
o If the shareholder anticipates selling the stock, she has a reduced interest in
tracking what is going on at the company
o Even informed shareholders do not possess the judgment needed to make day to
day management decisions
o Shareholders’ interests do not align optimally with what society would prefer
Moral hazard – all insurance policies create a problem of moral
hazard; creates disincentive to taking care
□ Ownership in a company is a limited form of ownership – you only have the
right to make certain decisions
□ People whose interests do not necessarily align with those of the firm will make all
the decisions and not be subject to checks and balances; will often serve their own
interests rather than the interests of the company or of society as a whole
□ Can make “fundamental” decisions:
o Election of board of directors
o Changes in company charter
o Fundamental corporate changes
o Selection of the company’s independent auditor
o Have a right of approval when substantially all the assets of their firm are sold to
another company, but not when their company acquires substantially all the assets
of another company
□ Managers can make important changes in a company’s governance through board
actions which do not require a shareholder vote, i.e. “poison pill” shareholder rights
plans, which can reduce the chance that a company will be acquired in a hostile
takeover (Moran v. Household International Inc.), and bylaw amendments designating
Delaware as the sole forum for lawsuits alleging breach of fiduciary duty in
Delaware corporations (Boilermakers v. Chevron)
a) Powers
o Delaware General Corporation Law §141(a): “the business and affairs of every
corporation…shall be managed by or under the direction of a board of directors…”
o New York’s General Business Corporation Law: “the business of a corporation
shall be managed under the direction of its board of directors”
o Responsibility can be shifted from the board in three ways:
1. Board committees may be established. Delaware General Corporation Law
§141(c)(2) states that a board committee if duly authorized may “exercise all
the powers and authority of the board of directors in the management of the
business and affairs of the corporation”
2. Persons outside the board. Delaware General Corporation Law §141(a)
provides that a company may vest management powers outside the board
by including a provision in its charter.
3. Delegate these tasks to senior officers. Delaware General Corporation Law
§141(a) recognizes two functions for the board: managing a company and
directing the management of a company
Managing – direct performance of executive tasks i.e. when
board hires or fires a CEO or selects an auditor
Directing the management – the activity of supervising others,
executive officers, who carry out day to day operations (largest
share of the time is spent on supervising)
b) Size
o Empirical studies suggest that boards of directors become less effective once they
cross a certain threshold of size
Independence
o Inside director – someone employed by or otherwise linked to the company for reasons other
than his or her service as a director
o Benefits:
Intimately involved in the management of the company.
They know the personalities, strengths and weaknesses of other senior
managers and are equipped to assess the best use of the available
human resources
Have a commitment to the enterprise which is both financial
and reputational
o Deficits:
They are likely to think along the lines which are set within
the organization.
May lack perspective that comes with broader experience (if they
spent their entire career at the firm)
If they are not the CEO they may find themselves limited in what they
can say on the board because of fear that the CEO who controls their
possibilities for promotion may not approve
Usually want to be paid more
Tend to value the powers and perquisites of their jobs
May be incompetent or unmotivated and therefore prefer that the
board not closely scrutinize their job performance
FIDUCIARY DUTIES
Fiduciary – a person charged under the law with making decisions fundamental to the welfare of
someone else
□ Directors are fiduciaries because they make decisions that affect many others
i.e. shareholders who have an ownership interest in the firm
Fiduciary duty – the legal duty that a fiduciary owes to the person on whose behalf she is acting
□ Directors owe this legal duty to the firm and indirectly to shareholders (possibly
other constituents)
□ Meinhard v. Salmon – “the level of conduct for fiduciaries has been kept at a level
higher than that trodden by the crowd” (Cardozo)
Duty of Care
Super business judgment rule – Delaware General Corporation Law §102(b)(7) allows a
Delaware corporation to include in its certificate of incorporation a provision that eliminates
liability of directors for money damages in lawsuits based on violations of the duty of care.
Statute makes clear that absent special circumstances, directors face no exposure for money
damages in lawsuits claiming violations of the duty of care.
Rationale for the business judgment rule and the statute, as per the court in In re Citigroup:
□ Idea that directors know more than courts know about the business decisions they
have to make
□ Hindsight bias – rule counteracts this tendency by requiring judges to credit the good
faith and reasonableness of managerial decisions unless the contrary is shown. There is a
tendency for judges to evaluate decisions in light of how they turned out.
Duty of Loyalty
□ Business judgment rule is a presumption that holds unless the contrary is established
□ The principal way that the presumption can be rebutted is to show that the defendant
director or controlling shareholder had a conflict of interest in the transaction in
question
□ Standard case is the American Express case. Stock went down in value. Had company
sold stock they would have had tax loss which they could write off. Instead they
delivered devalued stock to shareholder. They could only record the gain. The
company basically said they made a decision and that’s enough.
□ Modern cases touch duty of loyalty.
□ Duty of loyalty cases are intentional wrongs
In re Southern Peru Copper Corp. Shareholder Derivative Litigation (2011) (Add notes)
□ Found that the controlling stockholder defendants breached their fiduciary duty of
loyalty in a transaction involving the controlling stockholder’s subsidiary.
□ Chancellor Strine found significant shortcomings on the part of the committee
when assessing whether the transaction was subject to a fair process and had a
fair price
□ Found that Southern Peru overpaid when it acquired the controlling
stockholder’s subsidiary
□ The merger was not entirely fair, in process or in price; defendants breached their
duty of loyalty
□ Plaintiffs were awarded damages to remedy the breach of the controlling
stockholder’s fiduciary duties
□ The damages in this case are among the largest ever awarded in a breach of fiduciary duty case
□ Question:
o Mining company sold to NYSE listed company. Hired financial advisor who said
the company is not worth anything close to $3.1 billion; instead worth much less.
A controlling shareholder doesn’t need to own a majority of the stock; sometimes
only 5% of the stock is required.
o Committee had to evaluate the proposal and decide whether the mining company was
worth $3.1 billion. This independent committee was set up to justify the
transaction.
o Court concluded that the controlling shareholder got too good of a deal b/c it received
more money than the subsidiary was worth.
o $1.263 billion overpaid.
o All directors and officers that voted for this were jointly and severally liable.
Duty of Oversight?
Stone v. Ritter (2006) (Delaware Supreme Court) – confirms the validity of Caremark liability
under Delaware law, and recognizes the generality of its applications, while providing
information about the scope of the duty
□ Shareholders brought a derivative lawsuit against the bank’s directors for breach of
fiduciary duty. Argued that the defendants had failed to implement monitoring,
reporting or information controls that would have enabled them to learn of problems
requiring their attention.
□ Examples of conduct that would establish a failure to act in good faith:
o Where the fiduciary intentionally acts with a purpose other than that of advancing
the best interests of the corporation
o Where the fiduciary acts with the intent to violate applicable positive law
o Fiduciary intentionally fails to act in the face of a known duty to act,
demonstrating a conscious disregard for his duties
□ Court held that the plaintiffs’ complaint seeks to equate a bad outcome with bad faith.
Although there may have been failures by employees to report deficiencies to the board,
there is no basis for an oversight claim seeking to hold the directors personally liable for
such failures by the employees. The board received and approved relevant policies and
procedures, delegated to certain employees and departments the responsibility for filing
and monitoring compliance, and exercised oversight by relying on periodic reports from
them.
□ Caremark liability is not a third branch of fiduciary duty, but rather part of the
duty of loyalty
In re Caremark
□ Chancellor Allen
□ Medicare won’t pay for 3rd party referral fees
□ Caremark is in the business of paying referral fees; they kept on doing it; even the
predecessor paid referral fees; they keep saying that they are not and have guides to
show that they are not; have an ethics committee that said there are no material
violations
□ Now there is a complaint for breach of oversight to be active monitors of
corporate performance
□ Director liability for a breach of the duty to exercise appropriate attention may arise
in 2 contexts:
o Decision was ill advised or negligent (breach of duty of care)
o Unconsidered failure of the board to act in circumstances in which due attention
would have prevented the loss (not action or inaction; wasn’t even thought of)
□ Whether a judge or jury considering the matter after the fact believes the decision
is wrong or stupid or egregious or irrational, provides no ground for director
liability
□ Duty of oversight and breach of that duty is unconsidered inaction
□ Directors have a duty to assure themselves that information and reporting systems
exist to show compliance with the law
Stone v Ritter
□ Derivative lawsuit against bank directors; failed to implement monitoring
and information controls
□ Caremark standard relies on the concept of failure to act on good faith; fiduciary acts
with the intent to violate applicable positive law; acts with a purpose other than that of
advancing the best interests of the corporation; where fiduciary intentionally fails to
act in the face of a known duty to act (demonstrating a conscious disregard for his
duties)
□ “Utter failure to attempt to assure a reasonable information and reporting system exists”
Caremark: requires information to be reported to board
Stone v Ritter: liability only for utter failure to attempt to assure a reasonable information and
reporting system (lower standard; easier to escape liability)
Law of Delaware – there are only 2 duties (1) duty of care and (2) duty of loyalty
Additional Notes:
Law of Delaware there are only 2 duties: duty of care and duty of loyalty
ADD NOTES from book (page 64)
Problem 2-4 (page 66)
□ As independent director and chair of the audit committee you have a fiduciary duty to
the corporation
□ Spanish language may be an issue b/c the entire board meetings are conducted in
Spanish. If you are independent director and chair of audit committee and are relying on
translation this may be problematic.
Class notes:
□ Duty of oversight is a species of duty of loyalty
□ Not uncommon for new corporations (.com) to be incorporated in Delaware; this is
the norm
□ Why Delaware?
o Citigroup: Company is domiciled in Delaware b/c the state is more favorable to
corporations. Incorporators decide where the company will be incorporated.
Shareholders can vote but at the end of the day the directors decide. Ordinary
business decisions are decided by the owner, CEO or the directors. The law itself is more
beneficial to directors, i.e. the ability to waive liability under §102(b)(7) of the Delaware
General Corporation Law (the super business judgment rule). Absent special
circumstances, directors face no exposure for money damages in lawsuits
claiming violations of the duty of care. Changes in the company charter are voted on
by shareholders; so who would actually vote for the super business judgment rule
to apply and therefore change the charter to reflect this?
□ Duty of care – duty to act rationally
o Very few decisions are not rational
o Business judgment rule protects from liability
□ Why Delaware:
COMMITTEES
Problem 2-9 (p.82): Delaware statute allows you to rely on the truthfulness of reports by
members of the corporation.
Problem 2-10: “risk appetite”. What type of security would allow you to hedge the risk of
interest rate increase? Variable interest rate. Option = option to purchase a certain security i.e.
security with a higher interest rate. Either exercise the option or you don’t. Try to transfer the
risk? Hedge = offsetting the risk. Is it bad to have the regulator irritated with you? Yes but how
bad? Regulators have discretion. Insurance regulators act differently in different states.
Audit Committees
□ Originally formed to supervise company’s finances and to manage relationships
with outside auditor
□ Rationale for assigning financial matters to specialized committee:
o Greater focus and clarity of action could be obtained
o Addresses the problem that a full board might be suspect on the issue of financial
reporting as they have an interest in maximizing the company’s stock price
□ Audit function is to check and make sure that procedures are followed and items
properly recorded
□ Audit committees exist in every public company and a majority of private companies
□ SOX, SEC Rule 10a-3, and the listing requirements of national securities exchanges
require that the audit committee of a public company be staffed entirely by
independent directors
o SEC Rule 10a-3 – each audit committee must have the authority to engage
independent counsel and other advisors
o SEC requires that the audit committee be given “appropriate funding” for
payment of the expenses of accountants and advisers as well as the
committee’s ordinary administrative expenses
Audit committee (not the full board) has the authority to determine
what these expenses should be
□ Unless there is some other specialized committee in place, the audit committee is
responsible for overseeing the company’s compliance operation; receives regular
reports from CCO
□ SOX and the SEC regulations require that such committees establish procedures for the
receipt, retention, and treatment of complaints regarding accounting, internal
accounting controls, or auditing matters; and the confidential, anonymous submission
by employees of concerns regarding questionable accounting or auditing matters
□ Audit committee members must satisfy competence qualifications
□ Each public company must disclose whether it has a “financial expert” on its
audit committee and if not, why
□ NASDAQ – audit committees of NASDAQ listed companies must include at least
one member who has past experience in finance or accounting, professional
accounting certifications, or comparable experience
□ NYSE and NASDAQ listing standards require that all audit committee members
possess minimum levels of financial literacy
□ Key line of defense for ensuring that the company remains compliant with applicable
rules and regulations
□ To supervise the activities of the internal audit department, which checks to ensure
that a company’s policies and procedures are being carried out in a reliable and
effective way
Risk Committees
□ New committees have been created to take over some of the burden and to focus on
tasks which are deemed to be discrete, important, and outside the central competence
of the audit committee
□ Nearly all banks operate a board level risk committee
□ SEC Regulation 407(h) requires public companies to disclose the extent of their
board’s role in overseeing the organization’s risk exposure, including how the board
administers its risk oversight function and how the leadership structure accommodates
such a role.
□ SEC also facilitated the growth of risk committees by ruling in 2009 that shareholder
proposals regarding risk could not be excluded from a company’s proxy materials on
the ground that they related to the day to day operations of the firm
□ §165(h) of the Dodd-Frank Act directs the Federal Reserve Board to require certain
large bank holding companies and systemically important nonbank financial
companies to establish a board risk committee that is responsible for oversight of
enterprise wide risk management, is comprised of an appropriate number of
independent directors, and includes at least one risk management expert
□ SEC only has power to order public companies to make disclosures to the
market; it cannot instruct them how to manage their affairs
□ Risk committees operate under charters approved by the full board of directors
□ An advantage of a board-level risk committee is that it focuses exclusively on risk
and therefore doesn’t get distracted by other responsibilities as could happen, if
the responsibility for assessing and managing risk were given to the audit
committee
□ Risk committee has the capacity to manage risk on an enterprise wide basis, rather
than by individual business lines as had often been the case in earlier years
□ Risk committees pose challenges for institutional design; vesting responsibility
in a committee of the board threatens to cut the other board members out of the
loop
□ Board risk committees under the Dodd-Frank Act must include “at least one
risk management expert”
□ No competency requirements for board risk committees
Compliance Committees
□ Companies in industries with intensive regulation and high potential for infractions
maintain a specialized compliance committee that operates separately from the
audit committee
Compensation Committees
□ The enhanced focus on compensation is due to factors including:
o Some companies paid high compensation to senior managers. Public outrage at
perceived excesses became widespread.
o Financial crisis of 2007-2009 convinced many that corporate CEOs were not all
they had been cracked up to be
o Shareholder activists have become much more powerful in recent years, and a
principal focus of their activism has been a campaign to curb excessive
compensation of corporate managers.
EXECUTIVES
Introduction
□ Board of directors and the relevant board committees are charged in law and policy
with the task of overseeing management of the organization, including managing
risk and ensuring that the firm complies with all applicable laws and regulations
□ Board’s oversight at meetings must be conducted at a high level of generality
□ Meet only a few times a year; rarely more than once a month and often only once
every two months or every quarter year
□ Board can decide on broad issues of strategy and can oversee the operations of
the company at a general level
□ Board members rely on the company’s senior employees to carry out the practical
tasks of management
□ Senior employees are the board’s eyes and ears: independent board members only
see and hear information provided to them by company employees
□ “Management” of a company = senior executive team
□ Vast majority of decisions regarding the company’s organization and strategies are
made by senior executives rather than the board
□ “Chief” and others with jobs of similar seniority are sometimes referred to
collectively as the “C-Suite”
□ Corporate governance is “chief” heavy
2. provide reasonable assurance that transactions are recorded as necessary to
permit preparation of financial statements
3. provide reasonable assurance regarding prevention or timely detection of
unauthorized acquisition, use or disposition of the issuer’s assets that could have
a material effect on the financial statements
□ SEC does not require management to use any particular framework, but to be suitable it
must be free from bias, must permit consistent qualitative and quantitative
measurements of a company’s internal control over financial reporting, must be
complete so that relevant factors are not omitted, and must be relevant to an evaluation
of internal control over financial reporting
□ COSO identifies 5 components of internal control:
o Control environment
o Risk assessment
o Control activities
o Information and communication
o Monitoring activities
□ Event studies – examine the effect of a change on a company’s stock price
□ “Go dark” – firms that cease to be public companies required to comply with SOX
and report under SEC rules
□ For smaller firms, SOX increased compliance costs
□ Section 404(b) of SOX requires that public company auditors must attest to and report on
the management’s assessment of the effectiveness of the company’s internal control over
financial reporting
Chief Executive Officer
□ Senior most official in a firm
□ If both president and CEO, former reports to latter
□ CEO is an employee of the organization; however, in practice the CEO is more than that
□ Has many responsibilities:
o Public face of a firm
o Makes decisions at the management level
o Leader in the way other executives are not
o Responsible for setting the tone at the top
With regards to compliance, no one else can be as effective in
communicating to everyone the crucial importance of adherence to
applicable laws and standards
Most important compliance officer in the organization
□ Establishing “Tone at the Top”
o CEO implements ethics code
o Section 302 of SOX requires that the CEO and CFO certify in each
annual/quarterly report, based on their knowledge, that the report does not contain
any untrue statement of a material fact or omit to state a material fact necessary in
order to make the statements not misleading and that the financial statements and
other financial information included in the report fairly present in all material
respects the financial condition and results of operations of the issuer for the
reporting period
□ These officers are required to certify that:
o They are responsible for establishing and maintaining internal controls
o Designed such internal controls to ensure that material information relating to the
issuer and its consolidated subsidiaries is made known to such officers by others
within those entities
o Have evaluated the effectiveness of the issuer’s internal controls as of a date
within 90 days prior to the report
o Presented in the report their conclusions about the effectiveness of their internal
controls based on their evaluation as of that date
□ CEO and CFO must certify that they have disclosed to the issuer’s auditors and the
board audit committee all significant deficiencies in the design or operation of internal
controls which could adversely affect the issuer’s ability to record, process, summarize,
and report financial data and have identified for the issuer’s auditors any material
weaknesses in internal controls; and any fraud, whether or not material, that involves
management or other employees who have a significant role in the issuer’s internal
controls
□ Signing officers must indicate factors that could affect internal controls including
any corrective actions with regard to significant deficiencies and material
weaknesses
□ §906 requires that an issuer’s periodic reports to the SEC be “accompanied” by a written
statement of the CEO and CFO certifying that the information contained in the reports
fairly presents, in all material respects, the financial condition and results of operations
of the issuer
o Anyone who doesn’t comport with this requirement is subject to criminal
penalties
□ Section 302 – is a civil provision enforced by the SEC
□ Section 906 – is backed by criminal penalties and is enforceable by the
Department of Justice
Internal audit – the function of monitoring the actions of employees, processes, and systems to
verify their effectiveness and compliance with internal or external norms
□ Internal audit departments are led by people with titles such as Chief Audit Executive
□ Head of internal audit reports to someone else in the company i.e. direct reporting
line to the CEO
□ At the board level, the head of internal audit reports principally to the board
audit committee
□ Internal audit needs a degree of independence in order to assure that this
process of investigation and validation is as impartial and objective as possible
□ Internal audit on the other hand is part of the company
What is the relationship between internal audit and a company’s external auditor?
□ Two operate at arm’s length but internal audit typically cooperates in the
performance of the external audit
Audit Process
□ Deals with 2 auditable components:
o Functions i.e. company’s rewards program
o Entities i.e. distribution center
□ Audit universe – all there is for purposes of internal audit
o What components should be in the audit universe?
Everything that can have a tangible effect on the company’s fortunes,
but should not include topics that do not have such a tangible effect
o Once the audit universe is identified, the audit department must determine how to
fit any particular audit within the overall program
How frequently the audit will occur
How many resources will be required when it occurs
□ Audit plan – the schedule for the timing and anticipated resource requirements
for all audits within the audit universe
o Will be developed after a risk assessment by the internal audit department
intended to identify those areas of the audit universe that pose the greatest risk to
the company and therefore that warrant the most intensive scrutiny during the
audit process
□ Internal audit process assesses whether the audited component is performing
according to the audit criteria i.e. expectations set by senior managers or external
authorities
□ Internal audit’s job is not to make policy but to ascertain that policy is being followed
and that systems and internal control are effective
Internal Auditors
□ Assess whether their review and investigation have uncovered any significant
failures to satisfy the audit criteria
□ A finding of nonconformance with an audit criterion can be contentious because it
might be taken by the line manager as a criticism of how she is performing her job
□ Audit findings – are internal audit’s determinations about whether the relevant audit
criteria are being met; the term is typically used to mean that the criteria are not
being met
Problem 3-2: Conflict of interest between the two. Generalists vs. specialists.
What is done when internal audit finds that audit criteria are not being met?
□ Responsible decision maker will agree to undertake prompt remediation to
correct the discrepancy
□ Internal audit then schedules a follow up to confirm that the undertakings are
being honored
□ Internal audit’s report usually contains:
o A statement of any problem identified in the audit or a statement that no problems
were encountered
o A statement of the audit criterion or criteria
o An analysis of the cause of any negative findings
o A description of the consequences of the problem so identified
o A statement of what is being done to remediate the problem or accept the risk or
a recommendation about what should be done
□ Audit findings are sorted according to severity
□ Some findings may be so minor that they are only brought to the attention of the
line managers
□ More serious findings are raised to senior level managers
□ Critical findings are brought to the attention of the board audit committee
Vendors
□ To keep costs under control, internal audit departments use outside vendors
□ Can be helpful for smaller institutions
□ Help reduce disparity
□ Two types of services to internal audit departments:
o Provide help in performing actual audits, up to and including turnkey
arrangements in which particular audits are delegated in their entirety to an
outside vendor
o May offer vendor-created audit software
□ Provide valuable service to aid in the internal audit function
□ There are risks:
o May not perform as required
o May require access to proprietary or non-public information maintained by the
client, creating a risk of data breaches
□ Outsourcing may be beneficial to an institution if it is properly structured and
prudently managed
□ Outsourcing arrangement – contract between an institution and an outsourcing
vendor to provide internal audit services
o Take many forms and are used by institutions of all sizes
o Some arrangements are structured so that an outsourcing vendor performs all the
procedures and tests of the system of internal controls
o Internal audit manager is responsible for the results of the outsourced audit work
o In any outsourced internal audit arrangement, the institution’s board of directors
and senior management must maintain ownership of the internal audit function
and provide active oversight of outsourced activities
o The outsourcing arrangement should not increase the risk that a breakdown of
internal control will go undetected
□ Engagement letter – written contract that distinguishes the duties of the
outsourcing vendor
□ Vendor competence
o Institution should perform due diligence to satisfy itself that the outsourcing
vendor has sufficient staff qualified to perform the contracted work
□ Management
o Directors and senior management should ensure that the outsourced internal audit
function is competently managed
□ Communication
o Communication between the internal audit function and the audit committee and
senior management should not diminish because the institution engages an
outsourcing vendor
□ Contingency Planning
o Because the arrangement may be terminated suddenly, the institution should have
a contingency plan to mitigate any significant discontinuity in audit coverage
□ SOX prohibits a company’s external auditor from simultaneously providing
outsourced services to internal audit
General Counsel
□ Traditionally was the company’s compliance officer
□ Why has the compliance role of corporate general counsels been curtailed in
some companies?
o Job of compliance is no longer exclusively a legal task
o Compliance operation tests for conformity not only with external legal norms, but
also with internal codes of conduct which may not be binding in a strict legal
sense
o Testing for compliance is not a specifically legal task; it has more in common with an
internal audit
□ Function of compliance is in tension with the legal role of the corporate general counsel
□ General counsel is not a regulator or an agent of regulators; the relationship
with the regulator is potentially adversarial
□ Compliance is a form of privatized law enforcement
□ Some companies have clarified the role of general counsel as the company’s lawyer
as a result of the conflict of roles i.e. duties of loyalty that sit uncomfortably with
the compliance operation
□ If the company sues or is sued by regulator, the GC will usually supervise the litigation
□ Plays an increased role in strategic management
□ Likely to have significant input into the company’s assessment of reputational risks
□ Constructive role in strategic planning to manage reputational risk before adverse
events occur, and to minimize the harmful impact afterwards
COMPLIANCE
Compliance – 3 elements:
□ An actor is conforming her behavior to some standard or norm
□ The standard or norm is external – not set by the actor, but rather by some other authority
□ The actor would not necessarily act in accordance with the standard on her own –
some effort of will, incentive, or compulsion is involved
Additional elements:
□ The actor in question is a complex organization, not an individual
□ Actions that the organization undertakes to ensure that the norm is obeyed
Enforcement Powers
Protections available to shield a regulated party against these threats of civil or criminal liability:
□ If the penalty scheme is simply irrational
□ A court might declare that the penalty violates the “excessive fines” clause of the 8th
Amendment
□ Court might elect to interpret an ambiguous statute in an effort to avoid
constitutional issues
□ In criminal cases, the defendant is entitled to have a jury determine beyond a
reasonable doubt any fact that increases the penalty for a crime beyond the statutory
minimum
INTERNAL ENFORCEMENT
Compliance Policies
□ A statement approved by the highest level authority in an organization, that sets forth
the organization’s philosophy and general approach to compliance issues
□ Fundamental charter of an organization’s operation
□ Phrased in aspirational terms
□ “Tone at the top” – attitude of receptivity and support for compliance values; set of
values and standards which is subscribed to by an organization’s leaders and effectively
communicated throughout the organization
o Swift responses to compliance violations signal this tone
o Appointing a high level officer to head up a compliance office and giving the
person the resources necessary to conduct their job effectively
□ “Corporate culture” – tone at the top is influenced by the attitudes of its leaders i.e.
being committed to compliance others will take the obligation more seriously too
□ Typically framed at a high level of generality
Compliance Programs
□ A formal statement of mechanisms that an organization uses to ensure compliance and
the procedures that it employs when possible instances of non-compliance are discovered
□ Fleshes out compliance policies but may or may not be part of the same document
as the compliance policy
□ Organizations not required to adopt and implement compliance programs
□ Firm’s failure to adopt a compliance program is not an independent basis for
legal liability
□ Idea of “voluntary” compliance programs must be qualified by the fact that such
programs are often adopted in the shadow of enforcement actions, and serve, in part
the purpose of mitigating that exposure
□ Zambac Co. – Example
o Goal is to maintain a culture that promotes the prevention, detection, and
resolution of potential violations of law or company policy
o Has a compliance officer dedicated to supporting the company’s culture of compliance
o Development and distribution of written standards of conduct as well as written
policies, procedures and guidelines has been a key element of the company’s
compliance program
o Code of conduct is the company’s statement of the values, standards, and ethical
principles that guide its daily operations
o Annual training program of its employees on their legal and ethical obligations
under the policy and regulations
o All employees are required to participate in annual training as a condition of
their employment; will undergo periodic re-training and remedial training
programs
o Employees are expected to bring workplace issues of any type to the attention of
management – the company encourages employees to communicate openly with management
about all types of workplace issues without fear of retaliation or recrimination
Seek out immediate supervisor or manager to discuss
“Safe haven” where concerns are addressed in confidence
Confidential hotline
Office of Ethics is accountable for ensuring appropriate review and
follow-up with respect to issues raised to the Ombudsman or via
the hotline
o Monitoring, auditing, and ongoing evaluation regarding compliance with the
company’s policies and procedures
o Primary responsibility for oversight is with management
o Committed to hiring a workforce whose actions will reflect a high degree of
integrity and ethics
o Compliance program is an internal document prepared for and used by people
within the organization
Training (p.181-82)
□ Important part of company compliance programs
□ Types of training given to senior officials should reflect nature of their job
□ Companies may not be good at setting up in-house training and therefore should
use “vendors”
o Online and in-person training available via vendors
□ Important in companies that employ many lower-level workers whose activities
may implicate compliance concerns
□ Training for newly hired sales staff is one part of the process for managing the compliance
risk posed by these employees
□ Example – securities broker-dealers
o Employ traders who are compensated by the profits they generate – can expose the
company to compliance problems; training programs for new traders, coupled with
mandatory refresher classes, can mitigate although not eliminate the risk that they
will let greed override good judgment in the performance of their jobs
□ Training programs are often included in compliance programs established in
settlements of enforcement proceedings
□ Three effects a training program might have:
o Make someone aware that certain forms of conduct are prohibited
o Make someone aware of the serious penalties they can expect
o Influence how a person thinks about certain forms of conduct – to cause a change
in values so that conduct that once appeared attractive is now avoided
□ “Sensitivity” training has been criticized
Monitoring
□ Key part of internal enforcement is the job of monitoring employees
□ A policy tradeoff between efficacy and privacy
b) Surveillance
□ Company/employer may to a very large extent snoop on employees by reviewing
logs of phone calls, analyzing keystrokes on computers, using video surveillance cameras,
checking which websites are visited, or reading emails
□ “Packet sniffers” – allow the employer to check what websites the employee
has visited, what material she has reviewed on the site, what emails were sent, who
emailed, and what has been downloaded
□ Voice mail messages stored on the company’s system are fair game
□ In general, the law prohibits the practice of recording conversations unless the
party consents or the monitoring is done for a legitimate law enforcement
purpose – but protection doesn’t necessarily apply in the workplace
□ Employers sometimes listen in on “job related” phone conversations
□ Employer can install video surveillance cameras and may monitor them at all
times – but generally not in places where employees have a high expectation of
privacy i.e. toilets or locker rooms
□ Generally employer can rifle through an employee’s possessions stored at their
work desk if it is in a public space (so, typically not lockers)
□ Conclusion – employees have few legal protections for their privacy in the
workplace
□ If employer elects to embed protections of employee privacy in a formal
policy or manual, the employer must respect the rights so conferred
Investigations (p.186)
a) Types of Investigations
□ Internal investigations sort into two general types:
i. Small scale inquiries into minor misconduct – usually performed in
house by the company’s HR department
ii. Large scale investigations
□ No formal requirement that a company that uncovers evidence of criminal
behavior alert the authorities; it might prefer to let the matter drop after the
employee has departed, on the theory that a referral to prosecutors will only
cause further disruption
□ Large scale investigations have three principal differences from small
scale investigations:
o Cannot be performed in house – doing so leads to the impression that the company
is attempting to minimize the problem rather than get to the bottom of
things
o Disclosure – small scale investigations are usually kept confidential and
never disclosed; for large scale ones it is often expected that they will be disclosed,
at least when concluded
o Large scale investigations of compliance breaches are conducted under the
shadow of government enforcement actions
□ Factors that should be considered when deciding to launch an
internal investigation:
o Expense, drain on managerial time, effect on morale, nature of alleged
wrongdoing, credibility of the source that reported it, potential for the allegation
to “go viral” on social media, extent of potential misconduct within the
organization, potential problems that might arise if the company fails to
launch one, degree to which the alleged wrongdoing occurred at vendors
or contractors rather than at the company itself, whether the alleged
wrongdoing occurred at an independent company that was subsequently
acquired, extent to which the alleged wrongdoing occurred abroad, and
the possible consequences within other countries of launching or not
launching an investigation
REGULATORS
Comments: (p.203)
□ Investment company – pools funds contributed by investors and invests them in a
portfolio of assets; organized as business entities and are officially governed by a
board of directors or board of trustees; regulated by Investment Company Act
□ Investment advisor – entity that provides investment advice and other services;
typically sponsors and advises the investment company; regulated at the federal
level by the Investment Advisers Act
□ Both statutes are administered by the SEC and implemented through
regulations promulgated by that agency
□ Prior to the adoption of the amendments investment companies relied on the
compliance operations of their service providers for assurance that the rules were
being followed
□ SEC believes that this practice was ineffective and provided insufficient
protections for investors for 2 reasons:
i. Compliance function was balkanized into silos representing different
service providers
ii. Assurance provided by the service provider was only as good as
the compliance operation at that firm
□ Principal purpose of creating an independent compliance operation in the investment
company, with the COO reporting directly to the board, was to counteract the power of
the fund’s investment adviser
□ SEC’s amended rule prohibits lying to or impeding an investment company’s COO –
violation could lead to severe sanctions including fines and an order barring an
offender from working in the securities industry; example: In the Matter of Carl D.
Johns (p. 205), which provides a description of the violations to conceal personal
securities trading and the corresponding sanctions imposed by the SEC
Oversight Liability
□ Members of the board of directors of a Delaware corporation owe a duty to
shareholders to exercise oversight over the company’s compliance programs
□ Governments do not ordinarily sue for violation of this duty, unless they stand in the
shoes of shareholders for some reason (i.e. bank regulators who have taken over a
failed bank)
□ In the Matter of Steven A. Cohen (p.218)
O A giant in the hedge fund industry at the time the SEC brought the proceeding.
SEC’s lawsuit grew out of an insider trading scandal that erupted at S.A.C.
Capital in 2012. Several senior employees at companies controlled by S.A.C.
were indicted or pleaded guilty to criminal offenses. In March 2013, S.A.C. also
settled civil charges with the SEC for $616 million. The SEC was apparently
unable to obtain sufficient evidence to obtain an indictment of Cohen himself. The
SEC filed its civil case against Cohen just before the statute of limitations was
due to expire on some of the underlying conduct. To prove failure of oversight,
the SEC needed to establish that Cohen acted with some sort of bad intent – mere
negligent failure of oversight was probably not enough to support the
government’s theory.
O SEC deemed it necessary that public administrative proceedings be instituted to
determine:
Whether the allegations are true and to afford Cohen an opportunity
to establish defenses
If any remedial action is appropriate in the public interest against
Cohen, including but not limited to civil penalties
□ United States v. S.A.C. Capital Advisors, LLP (p.220)
O Indictment followed the civil action against Cohen. Not based on a theory of
oversight liability, but rather the claim that the corporate entities were themselves
guilty of insider trading.
O Charges the corporate entities responsible for the management of a major hedge
fund with criminal responsibility for insider trading offenses committed by
numerous employees and made possible by institutional practices that encouraged
the widespread solicitation and use of illegal inside information
O The defendants enabled and promoted the Insider Trading scheme through several
means:
Sought to hire S.A.C. PMs and S.A.C. RAs with proven access to
public company contacts likely to possess inside information
Employees were financially incentivized to recommend to the S.A.C.
owner “high conviction” trading ideas in which the S.A.C. PM had
an “edge” over other investors, but repeatedly were not questioned
when making trading recommendations that appeared to be based on
inside information
Failed to employ effective compliance procedures or practices to prevent
S.A.C. PMs and RAs from engaging in insider trading
O Systematic insider trading resulting in hundreds of millions of dollars of illegal
profits and avoided losses at the expense of members of the investing public
O Defendants shall forfeit to the US all property, real and personal, which
constitutes or is derived from proceeds traceable to the commission of those offenses
SEC Report of Investigation Pursuant to Sec. 21(a) of the Securities Exchange Act of 1934 and
Commission Statement on the Relationship of Cooperation to Agency Decisions (p.226)
□ Gisela de Leon-Meredith, a former controller of a public company’s subsidiary, was
found to have caused the parent company’s books and records to be inaccurate and
its periodic reports misstated and then covered up those facts.
□ The SEC decided not to take action against the parent company because of the
nature of the company’s conduct and the company’s responses
o Within a week of learning about the apparent misconduct, the company's internal
auditors had conducted a preliminary review and had advised company
management who, in turn, advised the Board audit committee, that Meredith had
caused the company's books and records to be inaccurate and its financial reports
to be misstated. The full Board was advised and authorized the company to hire
an outside law firm to conduct a thorough inquiry.
o Four days later, Meredith was dismissed, as were two other employees who, in the
company's view, had inadequately supervised Meredith; a day later, the company
disclosed publicly and to us that its financial statements would be restated. The
price of the company's shares did not decline after the announcement or after the
restatement was published
o The Company pledged and gave complete cooperation to the SEC staff
Co. provided staff with all relevant info, produced the details of its internal
investigation, including notes and transcripts of interviews with
Meredith and others;
Co. did not invoke attorney-client privilege, work product protection or
other privileges or protections with respect to any facts uncovered in
the investigation.
The company also strengthened its financial reporting processes to address
Meredith's conduct: developing a detailed closing process for the
subsidiary's accounting personnel, consolidating subsidiary accounting
functions under a parent company CPA, hiring three new CPAs for the
accounting department responsible for preparing the subsidiary's
financial statements, redesigning the subsidiary's minimum annual audit
requirements, and requiring the parent co.'s controller to interview and
approve all senior accounting personnel in its subsidiaries' reporting
processes.
O SEC's willingness to credit such behavior in deciding whether and how to take
enforcement action benefits investors as well as our enforcement program.
When businesses seek out, self-report and rectify illegal conduct, and
otherwise cooperate with Commission staff, large expenditures of
government and shareholder resources can be avoided and investors
can benefit more promptly.
O Enforcement actions & credits for good behavior are done to:
Benefit investors – protect investors & promote their best interests
Deter future violations
Assure compliance in the future
O Types of credit available to companies that self-police, self-report, remediate and
cooperate with the SEC:
Taking no enforcement action
Bringing reduced charges
Seeking lighter sanctions
Including mitigation language in documents used to announce and
resolve enforcement actions
O Some criteria considered when determining whether, and how much, to
credit self- policing, self-reporting, remediation and cooperation:
What is the nature of misconduct?
□ Inadvertence, honest mistake, simple negligence, reckless or
deliberate indifference to indicia of wrongful conduct, willful
misconduct or unadorned venality? Were the Company's
auditors misled?
How did the misconduct arise?
□ Is it the result of pressure placed on employees to achieve specific
results, or a tone of lawlessness set by those in control of the
company? What compliance procedures were in place to
prevent the misconduct now uncovered? Why did those
procedures fail to stop or inhibit the wrongful conduct?
□ Where in the organization did the misconduct occur?
□ How high up in the chain of command was knowledge of, or
participation in, the misconduct? Did senior personnel participate
in, or turn a blind eye toward, obvious indicia of misconduct?
How systemic was the behavior? Is it symptomatic of the way the
entity does business, or was it isolated?
How long did the misconduct last?
□ One quarter, one time event, or did it last several years? In the case
of a public company, did the misconduct occur before the company
went public? Did it facilitate the company's ability to go public?
How much harm has the misconduct inflicted upon investors and
other corporate constituencies?
□ Did the share price of the company's stock drop
significantly upon its discovery and disclosure?
How was the misconduct detected and who uncovered it?
How long after discovery of the misconduct did it take to implement
an effective response?
What steps did the company take upon learning of the misconduct?
□ Did the company immediately stop the misconduct? Are persons
responsible for any misconduct still with the company? If so, are
they still in the same positions? Did the company promptly,
completely and effectively disclose the existence of the
misconduct to the public, to regulators and to self-regulators? Did
the company cooperate completely with appropriate regulatory and
law enforcement bodies? Did the company identify what additional
related misconduct is likely to have occurred? Did the company
take steps to identify the extent of damage to investors and other
corporate constituencies? Did the company appropriately
recompense those adversely affected by the conduct?
What processes did the company follow to resolve many of these issues
and ferret out necessary information? Were the Audit Committee and
the Board of Directors fully informed? If so, when?
Did the company commit to learn the truth, fully and expeditiously? Did it
do a thorough review of the nature, extent, origins and consequences of
the conduct and related behavior? Did management, the Board or
committees consisting solely of outside directors oversee the review? Did
company employees or outside persons perform the review? If outside
persons, had they done other work for the company? Where the review
was conducted by outside counsel, had management previously engaged
such counsel? Were scope limitations placed on such review, if so, what
were they?
What assurances are there that the conduct is unlikely to recur? Did
company adopt and ensure enforcement of new and more effective internal
controls and procedures designed to prevent a recurrence of the
misconduct? Did the company provide our staff with sufficient
information for it to evaluate the company's measures to correct the
situation and ensure that the conduct does not recur?
Is the company the same company in which the misconduct occurred,
or has it changed through a merger or bankruptcy reorganization?
Questions and Comments (p. 228)
Agencies often administer significant penalties in highly publicized cases in an
effort to send a message to the industry about what not to do. In this case, the
opposite occurred: the SEC conspicuously refrained from administering a
sanction against a company in order to send a message to the industry about
what should be done.
While encouraging self-policing, the SEC is careful not to indicate that
cooperation of this sort will automatically be a shield against
liability.
One step that the agency applauds is the fact that the company promptly fired
the responsible officials
Advice (p.230)
Regulated organizations can get advice on how to structure or administer their
compliance operations: accounting firms, law firms, compliance consultants,
etc.
The most informative and reliable source of advice is the regulators themselves,
because:
o they determine whether the organization has committed a violation
o often, whether it has an effective compliance program in place
Regulators offer extensive advice about various elements of compliance
o Can be in the form of written “guidance” which is widely distributed in the
industry and often publicly available on government websites. (And this book!)
o Offer more particularized advice as part of their supervisory responsibilities (ex.
report of examination containing a section detailing the deficiencies noted in the
regulated firm’s compliance operation. The report is vetted w. management before
being finalized and then made available to the BOD)
o Informal compliance-related advice
o In highly regulated industries, such as banks, the regulator maintains
permanent staff and offices within the organization
the frequent interactions that these contacts make possible are fruitful
opportunities for conveying information: not only advice about formal
policies and procedures, but also suggestions for best practices and
hints about the regulator's overall enforcement priorities and
philosophy.
Question and Comments (231)
o The advice that regulators offer about compliance may technically be only that —
advice — but the identity of the party giving the advice cannot help but have an
impact. Advice, although technically discretionary, can be mandatory in all but
name. Yet such advice is often adopted without the formal protections of notice
and comment rulemaking or other avenues for public vetting
o The line between “advice” and “threat” is sometimes attenuated. If the regulator
provides recommendations about how an organization should structure its
compliance operation, there may be an unspoken sanction at the back end if the
advice is not heeded – the agency will take some action to punish the organization.
o Informal advice may lead to a too-cozy relationship between the regulator and its
regulated industry. In Bragg v. US, the federal Mine Safety & Health
Administration determined that a horrific coal mine accident had resulted, in part,
from the negligence of its own inspectors, who had failed to identify or demand
correction of numerous safety violations.
The investigation report surmised that the inspector’s failures could have
been caused by a conflict of interest: some of the identified
deficiencies may have stemmed from the relationship that MSHA
developed with [company] representatives. [U]sing enforcement
personnel in this manner to assist the [company] with its compliance efforts may have
created a conflict of interest that, over time, may have affected the level of
scrutiny MSHA provided at [the Mine] during subsequent mine
inspections. . . .
Admissions (p.231)
If an enforcement proceeding goes to a litigated judgment, the determination could be
used against the defendant in a subsequent lawsuit: The facts and conclusions
necessary to the judgment might give rise to an estoppel which would bar the defendant
from denying them in a subsequent case.
If a settlement occurs the result is more ambiguous:
o Since there is no litigated judgment, the settlement is seen as a private compromise and no facts
are established
o However, defendants worry that if they agree to a settlement—especially
one imposing substantial obligations—their compromise of govt actions will be
held against them in subsequent cases
I.e. the settlement itself will be taken as an admission of culpability that
can be used against D in later legal proceedings such as class actions
or shareholder derivative lawsuits.
o Ds also worry that the settlement will be admissible in evidence as probative of
liability. Ex. If the settlement involves an agreement to upgrade the defendant’s
compliance operation, there is concern that the agreement will be admitted as
evidence that D’s system of internal control was previously inadequate.
This fear is usually unfounded because in law, subsequent remedial
repairs are inadmissible to establish evidence of negligence. (Policy: we
want people to fix potentially dangerous problems and we would deter
them from doing so if they knew that fixing it could get them in
trouble)
In general, therefore, a company's agreement to upgrade its
compliance operations in response to a government lawsuit may be
deemed inadmissible as evidence bearing on liability in a
subsequent private lawsuit. Notwithstanding this protection,
defendants worry that their agreement to enter a consent decree will
buy trouble in the form of subsequent lawsuits.
o To avoid these risks, defendants generally insist that settlement agreements with
the government recite that they do not admit misconduct. The government's
willingness to agree to such stipulations is often of material assistance in
smoothing the way to a settlement.
o There are a lot of issues with this practice (the settlement reciting that the
defendant neither confirms nor denies the allegations). The excerpts below are an
exchange between the SEC and a judge who did not want to approve a
settlement because the company (Citigroup Global Markets) and the SEC came to
an agreement in which the defendant company neither confirmed nor denied
wrongdoing.
SEC’s memo of Law in Response to Questions Posed by the Court Regarding Proposed
Settlement (p.232)
The SEC alleged that Citigroup Global Markets had engaged in misrepresentations in
connection with the marketing of collateralized debt obligation securities. The consent
decree required Citigroup to (a) pay the SEC a fine of $95 million; (b) disgorge $160
million of profits and $30 million of interest; and (c) undertake a series of undertakings for
a period of three years designed to prevent a repeat of the conduct, with the following provisions
(the usual compliance and risk management improvement stuff)
[Court asked a bunch of questions to the parties regarding the proposed settlement]
and the Commission responded.
Court asked: Why should the Court impose a judgment in a case in which the S.E.C.
alleges a serious securities fraud but the defendant neither admits nor denies wrongdoing?
oSEC answer:
SCOTUS endorses the use and entry of consent judgments (which are
characterized by D ceasing illegal activity without admitting to guilt
or liability. The disclaimer of liability is a standard feature in consent
decrees)
Consistent with this standard practice, the SEC has long utilized consent
decrees in which defendants admit no wrongdoing. Despite being
appropriate, SEC became troubled with by D’s subsequent public
denials of wrongdoing.
□ In response in 1972, the SEC prohibited the practice of consent
decrees where the SEC imposed sanctions while allowing the D
to deny the allegations, saying Refusal to admit allegations=
denial, unless D states that he neither admits nor denies the
allegations.
While SEC does not require express admissions (given collateral estoppel
effects), the Commission has prohibited the denials that consent
decrees often contain. Since this policy was announced, the
Commission has, a general matter, included in its proposed consent
judgments a provision that the defendant neither confirms nor denies the
Commission’s allegations.
Consistent with this policy SEC and Citibank entered into a no
admit/deny settlement
SEC laid out advantages and disadvantages to both parties in a
no admit/deny consent judgment.
□ D not subject to collateral estoppel with regard to claims asserted,
but investors are still able to pursue any available private remedies
in addition to relief obtained by SEC.
□ SEC is able to bring the matter to speedy resolution, obtain
compensation for victims in timely manner, and allocate its limited
resources to bringing additional enforcement actions for the
protection of still more investors.
□ Courts have repeatedly recognized the balance of advantages and
disadvantages in the no admit/deny policy and have expressed
reluctance to upset that balance. So this court should do the
same.
[Responded to court’s question about whether this policy is consistent
with the Justice Dept. policy of not accepting nolo contendere pleas in
criminal cases and basically told the court that the comparison was
stupid (p.234)]
Questions and Comments (p.234)
Why do Ds resist making any admissions of misconduct when settling a civil
complaint? (Admissions of wrongdoing:)
o would be embarrassing and could lead to long-term reputational harm for the
organization
o might be followed by removal from office of any officials of the D org who had
anything to do with misconduct—including senior officers (CEO) who had
general oversight responsibility
o could have collateral estoppel effect (D may be precluded from denying facts so
admitted in subsequent civil or criminal litigation brought against organization or
its officers)
o admissions of wrongdoing might result in problems under the organization's
liability insurance policy, which will typically exclude coverage for particular
types of wrongful acts.
At one time, the typical settlement acknowledged that the defendants denied the
allegations. After the settlement was announced, and the judgment releasing the
defendant from liability became final, defendants would publicly state that they had
done nothing wrong. In 1972 the SEC modified its policy and required that the
defendant "neither admit nor deny" the allegations. That way the defendant could not
subsequently claim that they had denied the allegations in the consent decree.
SEC interpreted its post-1972 policy as also precluding a defendant from denying the
allegations in post-settlement statements (the SEC indirectly alludes to this aspect of
the policy when it says that the new approach would preclude denials both in the
consent decree itself "and elsewhere")
SEC does not object when a defendant denies the allegations in court pleadings in private
cases where the same conduct formed the basis of the government action (for example,
in a shareholders derivative lawsuit or a securities class action)
Samuel W. Buell, The Blaming Function of Entity Criminal Liability (p.244) (one of the
principal prosecutors of Arthur Andersen in Enron)
● Respondeat superior liability – the law that governs most cases of criminal enterprise
liability; if a master were an entity, the master could be convicted for virtually any
crime the master’s agent committed within the scope of agency.
o Inquiry into an entity’s criminal responsibility would proceed no further.
o The only slight modification to this rule has been to add a requirement that
the agent have acted, in some part, to benefit the master.
o “No soul to be damned and no body to be kicked” – criticism of respondeat
superior; but, it has become firmly entrenched as the across the board rule
of enterprise liability for all manner of crimes
o Treatments of this problem have run in one of three directions:
Toward conclusions that retribution against nonhuman legal forms
is nonsensical and pointless
Skepticism that criminal law could add anything useful to the project
of regulating firms, which can suffer only financial consequences
Embrace of a popular impulse to condemn entities criminally for the
harms they visit upon people (only this one has begun to explain what
is involved in the modern practice of imposing criminal liability on
organizations)
● Thesis: the blaming function of entity criminal liability is linked closely to the utility
of the doctrine.
● Argues that conventional justifications for corporate criminal liability are problematic
● The scope of corporate criminal liability is very large. Corporations are strictly liable for
acts of their agents that cause the corporation to engage in criminal behavior – even if
the corporation has done everything possible to prevent this from happening.
● Even though corporations can’t feel shame, the people who work in a corporation
do experience negative reactions when their companies are prosecuted
● Miriam Hechler Baer – recommends that the law should abolish entity-wide criminal
liability and require instead that companies take out policies of insurance against the
costs of civil sanctions
o Problem: a company that is insured against monetary sanctions for
compliance violations might become less diligent at preventing them
The Decision to Prosecute
● “Prosecutorial discretion” – freedom to charge or not; resources are limited
● There can be abuse of office for political purposes which raises concerns in the
public about the rule of law; too much discretion can impair the deterrence objectives
of criminal law
● Constraints on prosecutorial discretion give citizens notice about what conduct is likely
to be punished and how severe the punishment will be; also facilitate the effective
management of the prosecutor’s office by giving clear indications to staff attorneys about
enforcement priorities
Major role:
● Negotiating plea agreements with corporations
● Generally should seek a plea to the most serious, readily provable offense charged
● Terms of the plea agreement should contain appropriate provisions to ensure
punishment, deterrence, rehabilitation, and compliance with the plea agreement in the
corporate context
United States District Court for the Southern District of Texas – Deferred Prosecution
Agreement (p.263)—Example of what government expects in a DPA
Aibel Group accepts and acknowledges that the United States will file a criminal
Information in the United States District Court for the Southern District of Texas
charging Aibel Group with violating the Foreign Corrupt Practices Act ("FCPA"). In so
doing, Aibel Group knowingly waives its right to indictment on these charges, as well as
all rights to a speedy trial pursuant to the Sixth Amendment to the United States
Constitution, Title 18, United States Code Section 3161, Federal Rule of Criminal
Procedure 48(b), and all applicable Local Rules of the United States District Court for
the Southern District of Texas for the period during which this Agreement is in effect.
Aibel Group accepts and acknowledges that it is responsible for the acts of its Officers
and employees as set forth in the Statement of Facts annexed hereto… Should the
Department. . . initiate the prosecution that is deferred by this Agreement, Aibel Group
agrees that it will neither contest the admissibility of, nor contradict, in any such
proceeding, the facts contained in the Statement of Facts. Aibel Group does not
endorse,
ratify or condone criminal conduct and, as set forth below, has taken and commits to
continue to take significant steps to prevent such conduct from occurring in the future.
This Agreement is agreed to by the Department based upon the fact:
o that Aibel Group had voluntarily disclosed the misconduct referenced in
the Statement of Facts;
o conducted a thorough investigation of that misconduct; regularly reported all
its findings to the Department;
o cooperated in the Department's subsequent investigation of this matter;
o agreed to implement remedial measures to ensure that this conduct will not recur
and to continue to operate with the Department in its ongoing investigation of
the conduct of Aibel Group, the Vetco Aibel Entities, and the officers, directors
and employees thereof;
o and, proposed and agreed to the compliance structure set forth. . . herein,
including the duties and obligations of the Executive Chairperson,
Compliance Committee and Compliance Counsel as more fully set out herein.
During the three (3) year term of this Agreement, Aibel Group agrees to cooperate fully
with the Department, and any other authority or agency, domestic or foreign, designated
by the Department investigating Aibel Group and the Vetco Aibel Entities, or any of its
present and former directors, officers, employees, agents, consultants, contractors and
subcontractors, or any other party, in any and all matters relating to corrupt payments in
connection with its operations.
Aibel Group agrees that its cooperation shall include, but is not limited to, the following:
o Aibel shall truthfully disclose all information with respect to the activities of
Aibel Group and the Vetco Aibel Entities concerning all matters relating to
corrupt payments in connection with their operations, related false books and
records, and inadequate internal controls about which Aibel Group and the
Vetco Aibel Entities have any knowledge or about which the Department shall
inquire.
This obligation of truthful disclosure includes the obligation to provide the
Dept., upon request, any document, record or other tangible evidence
relating to such corrupt payments, books and records, and internal
controls about which the Dept shall inquire of Aibel.
If specifically requested by the Dept., Aibel must provide the Dept with access to
info, docs, records, facilities and employees of Aibel that may be subject
to the atty-client/work-product privileges.
o Upon request of the Dept., Aibel and subsidiaries shall designate
knowledgeable employees, agents, or attorneys to provide the info and
materials described
o Aibel shall use their best efforts to make their directors, officers, employees,
agents and consultants available to provide information and testimony as
requested by the Department, including sworn testimony before a federal
grand jury or in federal trials, as well as interviews with federal law
enforcement authorities.
Cooperation under this Paragraph will include identification of witnesses
who, to the knowledge of Aibel Group and the Vetco Aibel Entities, may
have material information regarding the matters under investigation.
o These entities shall use their best efforts to make available, for interviews or
for testimony, such present and former Aibel Group and Vetco Aibel Entities
officers, directors, agents, consultants, and employees, and the officers, directors,
employees, agents and consultants of contractors and sub-contractors, as may be
requested by the Department.
o Aibel Group and the Vetco Aibel Entities consent to any and all disclosures of
any information, testimony, document, record, or other tangible evidence
provided to the Dept., to other Government agencies, whether agencies of the
United States or a foreign government, of such materials as the Department, in
its sole discretion, shall deem appropriate.
In return for the full and truthful cooperation of Aibel Group and the Vetco Aibel
Entities, and compliance with all the terms and conditions of this Agreement, the
Department agrees not to use any information related to the conduct described in the
attached Statement of Facts against Aibel Group or the Vetco Aibel Entities in any
criminal or civil case, except in a prosecution for perjury or obstruction of justice; in a
prosecution for making a false statement after the date of this Agreement; in a
prosecution or other proceeding relating to any crime of violence; or in a prosecution
or other proceeding relating to a violation of any provision of Title 26 (US Code).
In addition, the Department agrees, except as provided herein, that it will not bring any
criminal or civil case against Aibel Group or the Vetco Aibel Entities related to the
conduct of present and former employees of these entities as described in the attached
Statement of Facts. This Paragraph does not provide any protection against prosecution
for any corrupt payments, if any, made in the future by Aibel Group or the Vetco or any
of their officers, directors, employees, agents or consultants, whether or not disclosed
by Aibel Group or the Vetco Aibel Entities, nor does it apply to any such payments,
made in the past, which are not described in the attached Statement of Facts.
In addition, this agreement does not provide any protection against criminal prosecution
of any present or former officer, employee, director, shareholder, agent or consultant of
Aibel Group or the Vetco Aibel Entities for any violations committed by them.
(c) In implementing subsection (b), the organization shall periodically assess the risk of
criminal conduct and shall take appropriate steps to design, implement, or modify each
requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through
this process.
The adoption of the sentencing guidelines for organizations in 1991 was an important
step in the development of the modern law of compliance; it provided an incentive to
firms to adopt compliance programs in order to mitigate the severity of their sentences
if they were subsequently convicted of federal crimes, and also served as a model for
compliance programs outside the criminal justice sphere.
Professor Jennifer Arlen criticizes the sentencing guidelines for organizations on
the ground that they offer too little credit for organizations' self-policing activity:
o To deter corporate crime, corporate sanctions must be structured to induce large
corporations to help federal prosecutors detect and punish corporate crime.
Specifically, firms must be encouraged to detect and report wrongdoing, and to
cooperate with the govt.’s effort to identify and sanction the individuals
responsible for the crime. Firms will not engage in these activities unless they
face lower expected sanctions if they do… Although the Organizational
Sentencing Guidelines offer sanction mitigation to firms that adopt effective
compliance programs, self-report and cooperate,… these provisions offer too
little mitigation to encourage firms to detect, report and cooperate. Indeed, the
Guidelines’ mitigation provisions are particularly inadequate in the very
circumstances where corporate detection and investigation is most important: in
cases involving crimes committed by managers of large firms.
WHISTLEBLOWERS
Whistleblower – a person who, without being required to do so, reports misconduct within an
organization; not a law enforcement agent nor an internal or external auditor; volunteer who has
personal knowledge of misconduct within an organization and who comes forward on her own;
enforces rules or norms
Encouraging Whistleblowing
● Often whistleblowers are lauded and lionized for their courage in coming forward i.e.
Cynthia Cooper of WorldCom reported evidence of fraud leading her to be named
Time Magazine’s Persons of the Year; Sherron Watkins received similar tributes
● But whistleblowers are also described in less favorable terms, i.e. “leaker”, “snitch”,
“fink”, “rat”
● More common pattern is that they are disliked
● Norm against snitching: those engaged in wrongdoing intimidate anyone who would
blow the whistle; everyone has done something wrong and can identify with the
target; communities often prefer to manage their own problems rather than have
someone come in from without; people outside may be even worse than the people
within the group
● 4 strategies to counteract the anti-snitching norm:
1) Tone at the Top
People don’t come forward because:
● Complaints will not be heard or acted on
● They will suffer retaliation
Senior managers need to reassure that reports are valued and will be
carefully investigated, and that the organization will neither retaliate
nor will it tolerate others doing so
2) Protections for Whistleblowers
SOX prohibits publicly traded companies from retaliating against people
who provide information in connection with an investigation into
potential violations of the securities law
Remedies for proven violations include reinstatement, back pay, and
compensation for any special damages sustained as a result of the
discrimination i.e. litigation costs, expert witness fees, attorney’s
fees
Organizational codes of ethics include protections i.e. Apple Computer’s –
will not retaliate and will not tolerate retaliation against any individual for
filing a good faith complaint with management
3) Rewards
Financially via bonuses or bounties for information or by promoting
the person within the company
SEC’s bounty program authorizes payments to individuals who
voluntarily provide the SEC with “original information – first one to give
the information” that leads to an SEC enforcement action generating more
than $1 million in sanctions
Example – Eli Lilly Zyprexa case: 4 whistleblowers shared 20 percent of
an $800 million settlement. Off-label marketing case against a pharmaceutical
manufacturer.
IRS also operates a whistleblower bounty program for tax compliance,
the Informant Whistleblower Award Program
SEC operates a bounty program under Section 21F; 10-20% recovery by whistleblower
To date, bounty programs have generally been restricted to cases of fraud
4) Mandatory Reporting
Organizations may require people with knowledge of compliance
violations to report what they know, on penalty of being disciplined
themselves if they keep silent i.e. Apple’s policy – failure to report
can lead to termination of employment
Legal profession is subject to an important snitch obligation – Model
Rules; applies only to violations which raise a substantial question as to the other
attorney’s honesty, trustworthiness or fitness; neither the rules nor the
commentary describes which violations are so serious as to require
reporting; applies only when the attorney knows that another attorney
has committed a violation
Department of Justice, Office of Public Affairs, C.R. Bard Inc. to Pay U.S. $48.26 Million to
Resolve FCA Claims (p.290)
□ Bard agreed to pay to resolve claims that it knowingly caused false claims to
be submitted to Medicare for the seeds, in violation of the FCA
□ Settlement:
o Required Bard to pay and resolve claims relating to Bard’s sale of seeds to
hospitals
o US alleged that Bard provided illegal remuneration to customers and physicians
to induce them to purchase Bard’s seeds in violation of the Anti-Kickback Statute
o Settlement is part of the US’ ongoing effort to combat the payment of illegal
kickbacks to health care providers
o Illegal kickbacks in any form pervert our health care system, which is designed to
ensure that health care providers make decisions based solely on what is best for
the patient
o The civil settlement resolves a lawsuit filed in the US District Court in Georgia by
Julie Darity under the qui tam, or whistleblower, provisions of the FCA
o Bard has agreed to pay an additional $2.2 million and to take numerous remedial
steps, many of which the company identified and began to implement prior to the
criminal investigation, to enhance its corporate compliance program to prevent
similar illegal actions in the future
o Bard agreed to refine its Code of Conduct and other written policies and
procedures that promote Bard’s commitment to full compliance with all Federal
health care program requirements and to develop an effective program to monitor
medical education grants provided by Bard to ensure compliance with those
requirements
o Should the Department of Justice have taken Bard’s compliance rap sheet into
consideration when it agreed to the settlement?
GATEKEEPERS
Gatekeeper – someone whose certification or support is needed before an organization can reach
a goal
□ Two models:
o Zealous advocate on behalf of the organization (historically more important)
o Serves the organization but also acts as a public servant who carries out a broader
responsibility by ensuring that the organization complies with governing norms
□ Tension = choosing between helping the organization fend off the government and
helping the government force the organization to comply with the government’s
wishes
Attorneys (p.296)
□ Three advantages that the attorney brings to the gatekeeper role:
o Attorney-client privilege
o Work product privilege
o Defense of reliance on counsel
Accountants (p.337)
● Line between duty to the client and to the public interest is difficult to draw
● Zealous advocacy norm is the prevailing approach
● Deloitte case – Defendants provided services in connection with financing transactions.
Charged with having facilitated improper behavior. Deloitte fined $22 million.
Auditors (p.338)
● Owe principal duties to investors or other third parties who rely on the integrity of
the financial statement which the auditor has reviewed
● US v. Arthur Young – recognized the public role of the independent auditor;
assumes public responsibility transcending any employment relationship with the
client.
● Two ways that SOX changed oversight:
1) Established new agency, Public Company Accounting Oversight Board
to exercise regulatory authority over public company auditors
PCAOB:
● Power to establish auditing standards
● Inspect public company auditors
● Investigate allegations of misconduct
● Impose disciplinary sanctions on auditing firms found to
have violated the rules
2) Requiring that all public companies host audit committees composed
entirely of independent board members; empowered independent directors to
select, compensate, and monitor their company’s auditor
PCAOB Enforcement Actions (p.347) – PCAOB has the authority to examine public accounting
firms and to impose supervisory sanctions if violations of laws and regulations are discovered.
Ex. – In the Matter of Ernst & Young LLP
o Facts – Medicis, a pharmaceutical company, had its auditing work performed
by Ernst & Young (E&Y). E&Y were found to have “failed to identify and
appropriately address the material departure from U.S. Generally Accepted
Accounting Principles (“GAAP”)”
Medicis was selling product to pharmacies who sold the products to
customers. Customers were given the option to return any expired
product to Medicis for either the price they paid for it or a
replacement of the product. When creating its financial statements,
Medicis had to report a reserve amount of money to cover any potential
product replacement and any potential reimbursement cost (two different
prices). Medicis’s methodologies were wrong and resulted in its reported
sales returns reserve being materially understated and its reported
revenue being misstated.
E&Y’s approach to evaluating Medicis’s sales returns reserve
methodology and estimate was inconsistent with its obligations to
exercise professional skepticism as the company’s independent
auditor
Partners at E&Y, furthermore, after becoming aware of the improper
methodologies, tried to justify their use through another Statement
of Financial Accounting Standards, even though they should have known
that that exception did not apply to Medicis, and therefore they failed to
identify and appropriately address a material departure from GAAP
PCAOB later inspected E&Y’s audits of Medicis; reserving at
replacement cost was not in conformity with GAAP and the company
was required to restate its accounting for its returns reserve.
● The restatement of Medicis’s financial statements for 2005,
2006, 2007, 2008 was embarrassing as they had to re-report
return statements with increases of (585%, 184%, 600%)
PCAOB Held that “to protect the interests of investors and further the
public interest in the preparation of informative, accurate, and
independent audit reports, the Board determines it appropriate to impose
sanctions” :
● Censures E&Y
● Bars Anderson and Thibault [E&Y partners] from
being associated with a registered public accounting
firm
● Censures Butler and Christie [other auditors at E&Y]
● Imposes civil money penalties in the amount of $2 million as
to E&Y, $50,000 as to Anderson, $25,000 as to
Thibault, and $25,000 as to Butler
The restatement generated class action litigation which settled in 2011 for
$18 million ($11 million from the company and $7 million from E&Y)
● In 2013, PCAOB released the confidential portions of two annual inspection reports
for PricewaterhouseCoopers (PwC), one of the world’s largest public accounting
firms. Its public statement announcing this conclusion, and PwC’s response, is
contained in the following excerpt:
In the Matter of PricewaterhouseCoopers LLP’s Quality Control Remediation Submissions
(p.352) (2013)
● PCAOB evaluated PwC’s efforts to address certain quality control criticisms in the
non-public portions of PCAOB’s report.
● The Board determined that the firm did not address the following to the
Board’s satisfaction, so it made the following criticisms public:
o Failing to obtain sufficient support for estimates of an asset’s fair value
o Relying too heavily on an audited client’s internal controls
o Relying too heavily on work performed by an audit client’s internal
audit Department
o Failing to deal adequately with the implications of a finding that an audit
client’s internal controls have failed in some respect
o Relying excessively on system-generated data
o Failing to exercise sufficient skepticism over management’s estimates of
key audit numbers
● In response, PwC said that it had made significant improvements in those areas and
outlined actions taken:
o Providing our audit professionals with enhanced audit tools, training and
additional technical guidance to promote more consistent audit
execution.
Questions and comments (P.354)
● When PCAOB publishes criticisms of a firm, the audit firm can file a response and, if
no changes made to PCAOB’s report, the firm can take an appeal to the SEC.
Compliance Audits (p.355)
● A compliance auditor may examine a firm’s operations to assess whether they conform
to a variety of different standards:
o Legal requirements
o Codes of best practices promoted by standard-setting bodies
o Internal ethics codes
o Etc.
● These compliance audits may be conducted at the behest of the organization
whose activities are being scrutinized; they may also be demanded by commercial
counterparties
● Firms conducting these audits do not have to have a professional accounting
certification, although some do; law firms, consulting firms and others also play a role
in the space
● An important area for compliance-based audits is the global supply chain.
o A variety of different standards apply to firms in the supply chain, including
labor rules, environmental rules, human rights rules, product quality standards,
and governance rules
Questions and comments (p.356)
● International standard setting bodies sometimes issue standards for the certification
of the audit firms that perform compliance-based audits
o The International Organization for Standardization, based in Geneva,
Switzerland, is particularly active in specifying requirements for firms that audit
compliance using that organization’s standards
James B. Jacobs & Ronald Goldstock, Monitors & IPSIGs: Emergence of a new criminal justice
role
□ The market for monitors and IPSIGs will likely grow even more rapidly in the future
because of prosecutors’ recent use of IPSIGs and IPSIG-like monitors in a number of
high profile deferred prosecutions and plea bargains, including cases involving huge
public corporations and partnerships, as well as the boom in private sector firms’ use of
monitors to comply with the Federal Sentencing Organizational Guidelines.
New York State Dept. of Financial Services, In the Matter of Deloitte Financial Advisory
Services LLP (P.358)
□ Deloitte FAS, a private consulting firm, was hired to do consulting work for Standard
Chartered Bank (SCB) in connection with compliance with money laundering
regulations and regulations restricting the provision of services to entities subject to
US economic sanctions.
□ The New York State Department of Financial Services found that Deloitte violated New
York banking law and its own policies by knowingly disclosing confidential
supervisory information to SCB regarding other Deloitte client banks, finding that
Deloitte:
o Did not demonstrate the necessary autonomy and objectivity that is required of
consultants performing regulatory compliance work for entities supervised by the
Department
□ In order to resolve this matter without proceedings, Deloitte and the Dept
agreed upon the following:
o Facts – Deloitte, upon being hired by SCB, suggested that two reports prepared
for other bank clients be used as templates for drafting the SCB final report and
sent those two reports to SCB employees. The reports also contained other
confidential supervisory information, which Deloitte was legally barred by
New York banking law from disclosing to any individual or entity without the
Department’s prior authorization. Deloitte was not authorized to disclose those
two reports to SCB
o Settlement provisions
Monetary payment of $10 million from Deloitte to the Department –
Payment represents the aggregate of fees and expenses received for its
work and reimbursement to the department for the costs of its
investigation and the cost to be incurred by the department in
connection with the development and implementation of the procedures
and safeguards required by this agreement
o Practice reforms – Deloitte will establish and implement, ASAP but within 12
months from the date of this agreement, the procedures set forth, which are
intended to raise the standards now generally viewed as applicable to
independent financial services consultants. The design and implementation of
these procedures are subject to modification and refinement as may be agreed between
Deloitte and the department on the basis of further analysis and experience. The
department and Deloitte will meet at least monthly to discuss Deloitte’s
progress in implementing these procedures and safeguards. The department
intends to use these procedures and safeguards as the model for establishing the
standards that will govern all independent consultants seeking to be retained or
approved by the department
o Deloitte agrees not to accept any new engagements that would require approval
by the Department
o Independent Consultant Practices (Exhibit A)
In order to provide Dept of Financial Services (DFS) with better
transparency, the Independent Consultant (C) and Financial
Institution (FI) must adhere to the following practices:
□ FI and C must disclose all work done by C for FI over the last
3 years
□ DFS may deem prior work impairs FI & C’s ability to do
the job well
□ C may take FI’s views into account but C must make
its own decisions and exercise independent judgment
□ C & FI must submit a work plan to DFS setting forth procedures
and timeline for the proposed work, confirm the location(s)
from which the transaction and account data will be reviewed
during engagement
□ Any material modifications or additions to the work plan shall
be submitted to DFS for prior approval before implementing
□ DFS and C will maintain open line of
communication during course of engagement
□ DFS will identify point person of contact for C and C will
identify and specify same ( C must notify DFS if there is a
change in C’s point person)
□ There will be a monthly meeting between DFS and C, without the
presence of FI, and FI must consent to C’s use of confidential
info during the meetings
□ If there is any disagreement between C and FI during the
engagement about anything, and the parties can’t come to
an agreement, DFS must be notified as to the
disagreement
□ C & FI need to maintain records of recommendations to FI
relating to suspicious activity report filings that FI did not
adopt, and provide the records to DFS if requested.
□ The final report must be submitted by C and C may show drafts
to FI prior to submission; FI must tell C who saw the drafts,
made comments or reviewed them
□ C must have in place policies and procedures designed
specifically to maintain confidentiality of bank supervisory
material which would provide that Bank material should not
be shared with anyone who is not authorized by law or
regulation to receive it.
□ C must develop training program regarding the requirements of
NY Banking Law governing confidential info and shall provide the
training to all of its partners, principals and employees assigned to
engagements in which C expects to have access to the materials
covered by the banking laws
□ Deloitte must make a handbook with same info as
training program and distribute it to everyone in
company
SETTLEMENTS
Hiring an outside consultant to conduct the risk assessment – examines the risks that relate to its
customer information; only examining a subset of the institution’s risks is insufficient to meet the
Security Guideline requirements
Engaging in an ongoing risk assessment process – institutions should continually review their
current policies and procedures to make sure they are safeguarding customer information
Sensitive customer information – name, address, telephone number, SSN, driver’s license, any
combination of components of customer information that would allow an unauthorized third
party to access the account electronically
Training Staff
□ To prepare and implement institution’s information security program
Compliance Regime
● Risk based
● Security Rule is similar to many other modern compliance programs which require
the regulated entity to perform its own risk analysis and to tailor its compliance
program
Delivery of Customer Notice – in a manner designed to ensure that a customer can reasonably be
expected to receive it
Persistent Identifier – piece of information i.e. IP address or mobile device identifier, that is
associated with some use that lasts over time; need not be personally identifying; associate with
particular device not necessarily a particular person
Cyber Attacks
● Cyber risks come in many different forms and from different sources – a range of
possible harms
● Cyber incident can be from a deliberate attack or unintentional event
o Not limited to gaining unauthorized access to digital systems for purposes of
misappropriating assets or sensitive information, corrupting data, or causing
operational disruption
o Can be carried out in ways that do not require gaining unauthorized access
o Carried out by third parties or insiders
o Objectives of attacks vary widely i.e. theft of financial assets, IP,
sensitive information
Two types of disclosure are covered in the SEC cybersecurity excerpt:
□ Disclosure of cyber risks
□ Disclosure of cyber breaches
□ Cephalon, Inc. (Cephalon) hereby enters into this Corporate Integrity Agreement (CIA)
with the Office of Inspector General (OIG) of the United States Department of
Health and Human Services (HHS). . . .
□ Cephalon established a voluntary compliance program (known as "Global Compliance"
or "Global Compliance Program") applicable to all Cephalon employees.......Cephalon's
Global Compliance Program includes an Executive Vice President, [a] Chief Compliance
Officer who reports directly to the Audit Committee of the Board of Directors and to the
CEO, and a Compliance Committee. The Global Compliance Program also includes a
Code of Conduct applicable to all employees that is regularly reviewed and
disseminated, written policies and procedures that, as represented by Cephalon, promote
high ethical standards, educational and training initiatives that, as represented by
Cephalon, help to ensure compliance with applicable laws and regulations, a Disclosure
Program that allows for the confidential disclosure and investigation of potential
compliance violations and appropriate disciplinary procedures, screening measures,
and regular internal auditing procedures.
□ Cephalon may modify its CIA compliance program as appropriate, but at a
minimum, Cephalon shall ensure that during the term of the CIA, it shall
comply with the obligations set forth herein…
□ Term and scope of the CIA
oThe period of the compliance obligations under the CIA shall be five years from
the effective date of this CIA, unless otherwise specified
□ Corporate Integrity Obligations
□ Cephalon shall establish and maintain a compliance program throughout the term
of this CIA that includes the following elements:
oCompliance responsibilities of Chief Compliance Officer, Compliance
Committee, the Board of Directors, and Management Certifications.
Chief Compliance Officer (CCO)
□ Responsible for developing and implementing policies, procedures
and practices designed to ensure compliance with the
requirements set forth in the CIA and with federal health care
program requirements and FDA requirements
□ Is a member of executive management of Cephalon.
□ Shall make periodic (at least quarterly) Reports regarding
compliance matters directly to the audit committee of the Board
of Directors
□ Shall be authorized to report on such matters to the
Board of Directors at any time
□ Shall not be subordinate to the General Counsel or CFO
□ Shall be responsible for monitoring the day-to-day compliance
activities engaged in by Cephalon as well as for any
reporting obligations created under the CIA
Compliance Committee
□ The Compliance Committee shall, at a minimum, include the
CCO and other members of senior management necessary to
meet the requirements of the CIA
o(Senior managers of relevant departments, such as legal,
medical affairs, sales, marketing, human resources, and
internal audit)
oThe CCO shall chair the compliance committee and the
committee shall support the CCO in fulfilling his/her
responsibilities
Board of Directors
Board of Directors (Board) or a Committee of the Board, if applicable.
Shall be responsible for the review and oversight of matters related
to compliance with federal health care program requirements, FDA
requirements, and the obligations of the CIA
The board or a committee of the board shall, at a minimum,
be responsible for the following:
□ Meeting at least quarterly to review and oversee Cephalon’s
Global compliance program, including but not limited to the
performance of the CCO and Global compliance
department
□ For each reporting period of the CIA, adopting a resolution
summarizing its official review and oversight of Cephalon’s
compliance with federal health care program requirements, FDA
requirements, and the obligations of the CIA. Each individual
member of the board or, if applicable, each member of the
committee of the board having responsibility for compliance,
shall sign a statement indicating that he or she agrees with the
resolution
oAt minimum, the resolution shall include the following
language: “The Board of Directors has made a reasonable
inquiry into the operations of Cephalon’s global
compliance program, including the performance of the
CCO and the global compliance department. Based on its
inquiry, the board has concluded that to the best of its
knowledge, Cephalon has implemented an effective global
compliance program to meet the federal health care
program requirements, FDA requirements and the
obligations of the CIA”
oIf the Board is unable to provide such a conclusion in the
resolution, the Board shall include in the resolution a
written explanation of the reasons why it is unable to
provide the conclusions and the steps it is taking to
implement an effective compliance program at Cephalon
□ Cephalon shall report to OIG, in writing, any changes in the
composition of the board, or any actions or changes that would
affect the Board’s ability to perform the duties necessary to
fulfill the obligations in the CIA, within 15 days after such
change
oManagement Accountability and Certifications
Cephalon represents that compliance is a component of each employee's
performance objectives. In addition to the responsibilities set forth in
this CIA for all Covered Persons [major shareholders, officers, directors,
employees and contractors working more than 160 hours per year],
certain Cephalon employees ("Certifying Employees") are specifically
expected to monitor and oversee activities within their areas of
authority and shall annually certify in writing or electronically that the
applicable area of authority is compliant with Federal health care
program requirements, FDA requirements, and the obligations of this
CIA.
□ The Certifying Employees include, at a minimum, the following:
Chairman and Chief Executive Officer, Executive Vice President
of Worldwide Medical and Regulatory Operations, Executive
Vice President of Worldwide Pharmaceutical Operations, all
business unit sales vice presidents, all business unit marketing
vice presidents, all business unit sales directors, all business unit
marketing directors, the Vice President of worldwide Medical
Affairs, and all medical directors of communications and medical
science liaisons (MSLs).
For each Reporting Period, each Certifying Employee shall certify
in writing or electronically that:
□ “I have been trained on and understand the compliance
requirements and responsibilities as they relate to [department or
functional area], an area under my supervision.......To the best of
my knowledge, except as otherwise described herein, the
[department] of Cephalon is in compliance with all applicable
Federal health care program requirements, FDA requirements, and
the obligations of the CIA."
oWritten Standards
Code Of Conduct
□ Prior to the Effective Date, Cephalon developed,
implemented, and distributed a written Code of Conduct to
all Covered Persons.
□ Cephalon currently requires all newly employed persons to
certify in writing or electronically that they have received,
read, understood, and shall abide by Cephalon's Code of
Conduct.
Cephalon shall continue to make the promotion of, and adherence
to, the Code of Conduct an element in evaluating the performance
of all employees.
□ At a minimum, Code of Conduct shall include the following:
oCephalon's commitment to full compliance with all Federal
healthcare program and FDA requirements, including its
commitment to market, sell, promote, research, develop,
provide information about, and advertise its products in
accordance with Federal health program requirements and
FDA requirements;
oCephalon's requirement that all of its Covered Persons shall
be expected to comply with all Federal health care program
and FDA requirements and with Cephalon's own Policies
and Procedures. . . ;
oThe requirement that all of Cephalon's Covered Persons
shall be expected to report to the Chief Compliance
Officer, or other appropriate individual designated by
Cephalon, suspected violations of any Federal health care
program and FDA requirements or of Cephalon's own
Policies and Procedures;
oThe possible Consequences to both Cephalon and Covered
Persons of failure to comply with Federal health care
program and FDA requirements and with Cephalon's own
Policies and Procedures and the failure to report such
non-compliance; and
oThe right of all individuals to use the Disclosure Program
and Cephalon's commitment to maintain, as appropriate,
confidentiality and anonymity with respect to such
disclosures.
oTo the extent not already accomplished, within 120 days
after the Effective Date, the Code of Conduct shall be
distributed to each Covered Person and each Covered
Person shall certify, in writing or electronically, that he or
she has received, read, understood, and shall abide by
Cephalon's Code of Conduct.
New Covered Persons shall receive the Code
of Conduct and shall complete the required
certification within 30 days after becoming a
Covered Person or within 120 days after the
Effective Date, whichever is less…
Third Party Personnel
□ Within 90 days after the Effective Date, and annually thereafter. . .
Cephalon shall send a letter to each entity employing Third
Party Personnel.
oThe letter shall outline Cephalon's obligations under the
CIA and its commitment to full compliance with all Federal
health care program and FDA requirements.
oThe letter shall include a description of Cephalon's
Compliance Program. Cephalon shall attach a copy of its
Code of Conduct to the letter and shall request the
employing Third Party Personnel to either: (a) make a copy
of Cephalon's Code of Conduct and a description of
Cephalon's Compliance Program available to its Third
Party Personnel; or (b) represent to Cephalon that it has
and enforces a substantially comparable code of conduct
and compliance program for its Third Party personnel.
Policies and Procedures
□ Cephalon shall implement written Policies and Procedures
regarding the operation of the Compliance Program and
Cephalon’s compliance with Fed. Health Care program and
FDA requirements (Policies and Procedures).
□ Should address:
oThe subject relating to the Code of Conduct
oAppropriate ways to conduct Promotional and Product
Services Related to functions of compliance with all
applicable FDA requirements
oThe mechanisms through, and manner in which, Cephalon
receives and responds to requests for info about non-FDA
approved (or off-label) uses of Cephalon’s products
oDevelopment of call plans for field sales reps who promote
government-reimbursed products
oconsultant or other fee-for-service arrangements entered
into with [health care providers and health care
institutions];
oprograms to educate field representatives, including
preceptorships. . . ;
osponsorship or funding of grants (including educational
grants) or charitable contributions. . . ;
ofunding of, or participation in, any Third Party Educational
Activity;
oreview of promotional materials by appropriate qualified
personnel (such as regulatory, medical, and/or legal
personnel).
osponsorship or funding of research or related activities. . . ;
ocompensation (including salaries and bonuses) for Relevant
Covered Persons. .
odisciplinary policies and procedures for violations of
Cephalon's Policies and Procedures. . .
Training and Education
□ Training to employees on a regular basis must cover
the following areas
oReview procedures
Engagement of an independent review organization
(such as an accounting, auditing, or consulting firm)
— “IRO” — to perform reviews to assist Cephalon in
assessing and evaluating its Promotional and
Product Services Related Functions
□ IRO shall have expertise in applicable Fed.
Health Care program and FDA reqs.
□ IRO must assess with Cephalon whether
the IRO can perform its engagement in a
professionally independent and objective
fashion—taking into account any other
business relationship or other engagements
that may exist
oIRO Review Reports- IRO(s) shall prepare a report (or
reports) based upon each Review performed
□ Validation Review- in the event that
OIG has reason to believe that (a) any IRO
Review fails to conform to the requirements
of this CIA; or (b) the IRO’s findings or
Review results are inaccurate, OIG may, at
its discretion, conduct its own review to
determine whether the applicable IRO
Review complied w. the reqs of the CIA
and/or findings or Review results are
inaccurate
Disclosure Program
□ Designed to facilitate communications relating to compliance w.
Fed. Health Care program and FDA reqs and Cephalon’s policies.
□ Cephalon shall maintain a Disclosure Program that includes a
mechanism (a toll-free compliance line) to enable individuals to
disclose, to the Compliance Officer or some other person—who
is not in the disclosing person’s chain of command—any
identified issues or questions associated with Cephalon’s policies,
conduct, practices, or procedures with respect to a Fed. Health
Care program or FDA req believed by the individual to be a
potential violation of criminal, civil, or administrative law.
oProgram shall emphasize a non-retaliation policy and
include an anonymous reporting mechanism for which
appropriate confidentiality shall be maintained
Questions and Comments (P.440)
□ Corporate Integrity Agreement (CIA). This is the name the FDA uses to describe what are in essence consent decrees that
settle regulatory enforcement proceedings. A CIA typically includes requirements to hire
a compliance officer; appoint a compliance committee; develop written standards and
policies; implement a comprehensive employee training program; retain an independent
review organization to conduct annual reviews; establish a confidential disclosure
program; restrict employment of ineligible persons; report overpayments, reportable
events, and ongoing investigations and legal proceedings; and provide an
implementation report and annual reports on the status of the entity's compliance
activities.
□ This case arose out of a probe into allegations that Cephalon, a drug manufacturer, was
promoting medications for uses not approved by the FDA. As a result of that
investigation Cephalon agreed, among other things, to pay $425 million to settle
charges that it had improperly marketed several of its prescription medications for
unapproved uses.
□ Cephalon's situation illustrates the pack of trouble a company can experience as a result
of a serious compliance breakdown. At the time it entered this settlement agreement with
HHS, the company was also being pursued by the U.S. Department of Justice, various
state attorneys general, and (undoubtedly) many plaintiffs’ attorneys. Part of the task of
counsel, in a crisis such as this, is to find a path to a comprehensive settlement that allows
the company to go forward free of the burden of its past conduct.
□ Did the agreement in the excerpted matter impose new obligations on
Cephalon's board of directors? See In re Pfizer, 722 F. Supp. 2d 453, 461
(S.D.N.Y. 2010) (“although
corporate integrity agreement did not create new fiduciary duties, it imposed affirmative
obligations on Pfizer’s board that went well beyond the basic fiduciary duties required by
Delaware law.”).
AML/BSA/OFAC
Intro (p.455)
□ Criminals, terrorists and rogue states need financial services to carry out their activities
O Example- Drug Cartel
Mostly a cash business, dealers on the street aren’t keen on taking
checks or credit cards.
□ Storing so much money in cash is risky:
● it could be lost or stolen
□ transporting large amounts of cash is a problem for criminal
organizations, Because of the issue of security and also because if
cash in transit is discovered by the authorities, it might tip them
off as to the underlying criminal conduct.
□ Cartel would work more smoothly if the cash could be
deposited in a bank and drawn on when/where it was needed
Investment problem- criminal enterprise may be so lucrative that
leaders have more wealth on hand than they can profitably put back
into the criminal enterprise
□ Leaders may want to invest ill-gotten $ legitimately
O They need to use the services of a broker or other financial
services firm
O Example- Terrorist Organization-
Need to use financial system in order to raise or transfer funds
Support a network of people who work for the organization and are
expected to be compensated
May function as de facto governments and need financing to fund activities
— military or civilian
O Governments need to use financial system in order to trade for goods that
cannot be produced efficiently in domestic market
□ Financial services sector is the key battleground in the fight against crime,
terror, and state violators of human rights or international law.
O Problem is that banks and other financial firms have traditionally not concerned
themselves very much with the nature of their clients’ business
Traditionally, a bank doesn’t ask where money comes from. Its
job starts and stops with carrying out the transfer
Banks aren’t fond of terrorists; it is just not in their nature to partner
with the government in clamping down on such people
O Sometimes banks do become more than passive participants in illegal activities
Bank of Credit and Commerce International (BCCI): founded by a
Pakistani financier who, after persuading several wealthy Middle Eastern
investors to entrust him with huge amounts of money, opened several
banks in different countries. He split the operation into two groups, one
regulated by Luxembourg and one by the Cayman Islands, and avoided
effective regulation by either. Many of BCCI’s customers were
legitimate, but others were not. Clients included dictators, violent
drug lords, money launderers and notorious terrorists. The bank was
successful for a long time; at its peak it had more than $20 billion in
assets and was one of the largest private banking organizations in the
world. The bank was shut down in 1991 and most of its misdeeds were
brought to light, but not before it caused serious harm. The operation of
the organization was so opaque that some of its activities have never been
fully understood.
O Governments cannot count on banks voluntarily and enthusiastically
participating in law-enforcement, anti-terror, and international human rights
activities.
It is necessary to require them to cooperate
□ Once the bank has identified a suspicious activity, the next step is to report the
matter to FinCEN.
oThe agency facilitates the reporting task ( as well as its task of analyzing the
reports received) by providing an online filing system.
□ This SAR form is rather extensive, containing numerous fields for specific information
about the filing institution, the institution where the activity occurred, the subject of
the suspicious activity, the nature of the suspicious activity, and the narrative of the
events giving rise to the suspicion
oMost challenging of these requirements is the narrative, since this requires the
exercise of judgment and cannot be automated.
oNarrative is most important- it is the only way the government can get a full
picture of the nature of the bank’s concerns
oFinCEN Instructs banks to use the narrative section as a means for describing the
modus operandi of the subject committing the Suspicious activity
oMust be concise, accurate and presented in a logical manner.
oContaining the 5 W’s: who? what? when? where? and why?
□ To assist banks in the process, FinCEN provides examples of good and
bad narratives; here’s an example:
oFinCEN Guidance on preparing a complete and sufficient SAR (P.458)
Good Narrative-
□ Is a well written summary of all the suspicious activity
and supports the stated purpose for filing the SAR.
□ Provides an internal bank reference number for the SAR that can
be used by law-enforcement investigators that wish to contact the
bank to discuss pertinent facts presented in the narrative
□ Specific information is also provided that details the
source and application of the suspect funds
□ Identifies other actions taken by the financial institution as part
of its internal due diligence program and its effort in
detecting possible illegal activity being facilitated by the
suspect…
Insufficient or incomplete depository institutions SAR narratives
□ Fails to provide specific details on the application of
the suspect funds
oNo name, bank, and account number of the beneficiary, if
identifiable
□ Fails to provide any information concerning the
relationship, if any, between the institution and the
customer.
□ No specific transaction data is provided that identifies
the dates and amounts of each wire transfer
US v. Wachovia (p.460)
□ Deferred Prosecution Agreement in a criminal case
□ Facts- In 2005, the State Attorney, DEA & IRS investigated certain Wachovia wire transfers from
Mexico to the US. Drug cartels were wiring large sums of money through Mexican currency
exchange houses (CDCs) that held bank accounts at Wachovia in Miami. The money was
used to buy planes used to import drugs into the US. At least $13 mil was transferred through
Wachovia to buy planes that carried more than 20 thousand kilos of cocaine. During
the investigation, law enforcement reviewed the CDC banking activity that occurred at
Wachovia and found readily identifiable evidence and red flags of large-scale drug
money laundering (structured wire transactions by multiple people using false names
into the same acct over a brief period of time; deposits of sequentially numbered travelers
checks with unusual markings; significant bulk cash transactions greatly in excess of the
customers’ self-identified expectations)
□ Since the beginning of the BSA investigation, Wachovia fully cooperated
and provided valuable assistance to law enforcement
oMade periodic reports
oDevoted substantial resources to the investigation and to responding to U.S. requests for
info
oMade employees available for interviews
□ Wachovia also took remedial measures
oHired a COO and a BSA/AML officer
oUndertook substantial remediation of its AML compliance functions
oEnhanced transaction monitoring, focusing on high-risk countries and
financial institution risk; developed and provided enhanced AML training for
employees.
Topics of training included regulatory responsibility, red flag detection,
the black market peso exchange, large cash transactions, wires to high-risk
countries and activity inconsistent with an account’s stated purpose
□ Wachovia voluntarily conducted a detailed “Look-back” of transactions with 13
Mexican CDCs during a three-year period And filed SARs for conduct related to
the CDCs
oFiled more than 4200 SARs relating to wire transactions conducted by the CDCs,
which included $4.3 billion in total
oFiled eight SARs relating to bulk cash transactions conducted by the CDCs,
which included more than $4 billion in total
o Filed 18 SARs relating to sequentially numbered travelers checks transactions
conducted by the CDCs, which included $25 million in total
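The red flags listed in the Wachovia facts (structured sub-threshold wires from many senders into one account, sequentially numbered travelers checks, cash activity well beyond the customer’s stated profile) can be written down as transaction-monitoring rules. The following is an added Python example, not part of the casebook or the DPA; the account data is constructed, and the thresholds (window, sender count, amount, run length, multiple) are illustrative parameters rather than regulatory values:

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Txn:
    """One account-level event; the field set is constructed for this example."""
    account: str
    day: date
    kind: str                     # "wire_in", "tc_deposit" (travelers check) or "cash_deposit"
    amount: float
    originator: str = ""          # sender name on an incoming wire
    serial: Optional[int] = None  # travelers check serial number

def _structured_wires(txns, window_days, min_senders, under_amount):
    """Red flag 1: many sub-threshold wires from different senders into one account in a short window."""
    wires = sorted((t for t in txns if t.kind == "wire_in" and t.amount < under_amount),
                   key=lambda t: t.day)
    for i, first in enumerate(wires):
        window = [t for t in wires[i:] if (t.day - first.day).days < window_days]
        senders = {t.originator for t in window}
        if len(senders) >= min_senders:
            return (f"{len(window)} wires under {under_amount:,.0f} from {len(senders)} "
                    f"different originators within {window_days} days of {first.day}")
    return None

def _sequential_checks(txns, min_run):
    """Red flag 2: a run of travelers checks with consecutive serial numbers deposited to the account."""
    serials = sorted(t.serial for t in txns if t.kind == "tc_deposit" and t.serial is not None)
    run = 1
    for prev, cur in zip(serials, serials[1:]):
        run = run + 1 if cur == prev + 1 else 1
        if run >= min_run:
            return f"{run} sequentially numbered travelers checks ending at serial {cur}"
    return None

def _cash_vs_profile(txns, expected_monthly_cash, factor):
    """Red flag 3: cash deposits in a month far above what the customer declared at onboarding."""
    by_month = defaultdict(float)
    for t in txns:
        if t.kind == "cash_deposit":
            by_month[(t.day.year, t.day.month)] += t.amount
    for (year, month), total in sorted(by_month.items()):
        if total > factor * expected_monthly_cash:
            return (f"cash deposits of {total:,.0f} in {year}-{month:02d} exceed {factor}x "
                    f"the stated expectation of {expected_monthly_cash:,.0f}")
    return None

def screen_accounts(txns, expected_monthly_cash, *, window_days=7, min_senders=5,
                    under_amount=10_000.0, min_run=5, factor=3.0):
    """Return {account: [reasons]} for every account that trips at least one red flag.
    Thresholds are illustrative parameters for this example. An account with no declared
    cash profile is never flagged on rule 3: that gap is a due-diligence finding instead."""
    by_acct = defaultdict(list)
    for t in txns:
        by_acct[t.account].append(t)
    flags = {}
    for acct, ts in sorted(by_acct.items()):
        expected = expected_monthly_cash.get(acct, float("inf"))
        reasons = [r for r in (
            _structured_wires(ts, window_days, min_senders, under_amount),
            _sequential_checks(ts, min_run),
            _cash_vs_profile(ts, expected, factor),
        ) if r]
        if reasons:
            flags[acct] = reasons
    return flags

# Constructed sample activity (not from any case file): one exchange-house account that
# shows all three patterns, and one ordinary retail account that shows none.
SAMPLE_TXNS = [
    # six wires just under the threshold from six different senders in four days
    *[Txn("CDC-001", date(2005, 3, d), "wire_in", amt, originator=f"Sender-{n}")
      for n, (d, amt) in enumerate([(1, 9_500.0), (1, 9_800.0), (2, 9_200.0),
                                     (3, 9_900.0), (4, 9_700.0), (4, 9_600.0)], start=1)],
    # six travelers checks with consecutive serial numbers deposited the same day
    *[Txn("CDC-001", date(2005, 3, 7), "tc_deposit", 500.0, serial=s)
      for s in range(41_000, 41_006)],
    # cash far above the 50,000 per month the customer declared
    Txn("CDC-001", date(2005, 3, 10), "cash_deposit", 120_000.0),
    Txn("CDC-001", date(2005, 3, 24), "cash_deposit", 95_000.0),
    # retail account: one payroll wire, two unrelated checks, modest cash
    Txn("RET-002", date(2005, 3, 2), "wire_in", 2_500.0, originator="Payroll-Co"),
    Txn("RET-002", date(2005, 3, 9), "tc_deposit", 100.0, serial=77_010),
    Txn("RET-002", date(2005, 3, 9), "tc_deposit", 100.0, serial=77_342),
    Txn("RET-002", date(2005, 3, 15), "cash_deposit", 4_000.0),
]
EXPECTED_MONTHLY_CASH = {"CDC-001": 50_000.0, "RET-002": 20_000.0}

if __name__ == "__main__":
    for acct, reasons in screen_accounts(SAMPLE_TXNS, EXPECTED_MONTHLY_CASH).items():
        print(acct)
        for reason in reasons:
            print("  -", reason)
```

Each hit carries the specific facts (dates, counts, serials, amounts) that the FinCEN narrative guidance below asks a SAR to state, which is why the rules return reason strings rather than a bare boolean.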
● Since Wachovia’s acquisition by Wells Fargo, Wachovia has been subject to Wells
Fargo’s BSA/AML compliance program and compliance and operational risk
management, oversight, and independent testing. Wells Fargo’s policies and procedures,
including those relating to escalating and exiting of customer relations, now apply to
Wachovia. As the integration progresses, Wells Fargo’s transaction monitoring system,
a more advanced version of the system used by Wachovia, will be used to monitor
Wachovia transactions
● The deferred prosecution agreement states:
o The charges- Wachovia shall waive indictment and agreed to the filing of a one-
count information in the US District Court for the Southern District of Florida
charging it with failing to maintain an effective anti-money laundering
program
o Acceptance of responsibility- Wachovia acknowledged its responsibility
for its conduct and that of its employees as set forth in the factual statement… if
the US initiates the prosecution that is deferred by this agreement against
Wachovia, Wachovia agrees that it will neither contest the admissibility
of the factual statement or any other documents provided by Wachovia to the
United States, nor contest in any such proceeding the facts contained within
the factual statement
o Forfeiture and fine–Wachovia agreed to settle and does settle any and all civil and
criminal forfeiture claims presently held by the United States for the sum of $110
million… in addition to the forfeiture Wachovia shall pay a fine of $50 million
Factors in determining that the appropriate fine in this matter is
$50 million:
● Wachovia’s considerable remedial actions specified within
the factual statement
● the legal entity that will pay the fine is Wells Fargo Bank
[which acquired Wachovia during the financial crisis of 2007-
2009]
● There is no evidence or allegation that Wells Fargo Bank’s
anti-money laundering program is deficient
Questions and comments (P. 463)
● As this case illustrates, AML/BSA cases can be, and often are, brought by
several different government agencies at once
● State regulators have also entered the picture to enforce rules on money-laundering
o Benjamin Lawsky, New York’s chief financial regulator, has been particularly
active. In 2013, he embarrassed federal officials by obtaining a $250 million
settlement from Bank of Tokyo-Mitsubishi UFJ over charges related to
matters the federal regulators had settled the previous year for $8.57 million
Board of Governors of the Federal Reserve System, Written Agreement by and Among M&T
Bank Corporation, Manufacturers & Traders Trust Company and Federal Reserve Bank of New
York (P.464)
● An inspection of M&T conducted by the Federal Reserve Bank of New York (Reserve
Bank) identified deficiencies in M&T’s firm-wide compliance risk management program
with respect to compliance with BSA/AML requirements; the bank’s internal controls,
customer due diligence procedures, and transaction monitoring processes with respect to
compliance with BSA/AML requirements; and [Wilmington Trust Corporation's
(WTC)] due diligence practices for foreign correspondent accounts; . . .
● Now, therefore, the Reserve Bank, M&T, and the Bank hereby agree as follows:
o Firm-Wide BSA/AML Compliance Program
Within 60 days of this Agreement, M&T shall submit to the Reserve
Bank an acceptable revised written firm-wide BSA/AML compliance
program that describes the specific actions that will be taken, including
timelines for completion, to ensure Compliance with applicable
BSA/AML Requirements. The revised program shall, at a minimum,
include:
● reporting to and oversight by senior management of M&T’s
firm-wide BSA/AML compliance controls and processes,
including, but not limited to, procedures to ensure oversight of a
firm-wide customer due diligence program;
● written policies, procedures, and compliance risk
management standards;
● comprehensive BSA/AML risk assessment process;
● measures to ensure that BSA/AML compliance functions
outsourced by subsidiaries to third-parties, including affiliates,
are performed to meet regulatory requirements;
● measures to ensure compliance and improve accountability within
all business lines and legal entities and their respective compliance
functions;
● procedures to require the escalation of significant matters related
to compliance risks to appropriate senior officers and the board of
directors; and
● the findings and recommendations of the consultant recently
engaged by M&T to assist in matters related to compliance
with the BSA/AML Requirements.
BSA/AML Compliance
● within 60 days of this Agreement, the Bank shall submit to the
Reserve Bank an acceptable written revised BSA/AML
compliance program. The program shall include provisions for
updates on an ongoing basis, as necessary, to incorporate
amendments to the BSA and the rules and regulations issued
thereunder. At a minimum, the revised program shall include:
o Internal controls to ensure compliance by the Bank and
any non-bank subsidiaries with applicable BSA/AML
Requirements; and
o policies and procedures designed to ensure
identification and verification of the identity of account
holders in accordance with applicable regulations.
CUSTOMER DUE DILIGENCE
□Within 60 days of this Agreement, the Bank shall submit to the
Reserve Bank an acceptable written revised program for
conducting appropriate levels of customer due diligence by the
Bank, WTC, and as applicable, other subsidiaries. At a minimum,
the program shall include:
o(a) Policies, procedures, and controls to ensure that the
Bank and WTC collect, analyze, and retain complete and
accurate customer information for all account holders;
o(b) a plan, with timelines, to remediate deficient due
diligence for existing customer accounts; and
o(c) a methodology for assigning risk ratings to account
holders that considers factors such as type of customer,
type of products and services, and geographic location;
o(d) a risk-focused assessment of the Bank’s and WTC’s
customer base to:
(i) identify the categories of customers whose
transactions and banking activities are routine
and usual; and
(ii) determine the appropriate level of enhanced due
diligence necessary for those categories of
customers that pose a heightened risk of conducting
potentially illicit activities at or through the Bank
or WTC;
o(e) for each customer whose transactions require enhanced
due diligence, procedures to:
(i) determine the appropriate documentation
necessary to verify the identity and
business activities of the customer; and
(ii) understand the normal and expected
transactions of the customer;
o(f) policies and procedures, including appropriate
documentation, for identification and due diligence with
regard to politically exposed persons;
o(g) policies, procedures, and controls to ensure that foreign
correspondent accounts are properly identified and
accorded the appropriate due diligence and, where
necessary, enhanced due diligence; and
o (h) procedures to ensure [that] periodic reviews and
evaluations are conducted and documented for all account
holders.
Suspicious Activity Monitoring and Reporting
□ Within 60 days of the Agreement, M&T and the Bank shall jointly
submit to the Reserve Bank an acceptable written program to
reasonably ensure the identification and timely, accurate, and
complete reporting by M&T, the Bank, and WTC, as applicable, of
all known or suspected violations of law or suspicious transactions
to law enforcement and supervisory authorities, as required by
applicable suspicious activity reporting laws and regulations. At a
minimum, the program shall include:
o (a) Monitoring and investigation criteria and procedures to
ensure the timely detection, investigation, and reporting of
all known or suspected violations of law and suspicious
transactions;
o (b) policies regarding the level and type of due diligence
required when reviewing suspicious account activity; and
o (c) measures to ensure escalation to, and documented
oversight by, senior management of significant matters,
including, but not limited to, repetitive suspicious activity
reporting and suspected structuring activities.
Transaction Review
□ (a) Within 60 days of this Agreement, the Bank shall engage an
independent consultant, acceptable to the Reserve Bank, to
conduct a review of account and transaction activity associated
with any high risk customer accounts conducted at, by, or through
the Bank and WTC from July 1, 2012 to December 31, 2012 to
determine whether suspicious activity involving high risk customer
accounts or transactions at, by, or through the Bank or WTC was
properly identified and reported in accordance with applicable
suspicious activity reporting regulations (the "Transaction
Review") and to prepare a written report detailing the consultant's
findings (the "Transaction Review Report"). For each covered
customer, the Transaction Review may commence as soon as the
Bank has completed the remediation of the covered customer's
account in accordance with the revised remediation program
required by paragraph 3 of this Agreement.
□ (b) Based on the Reserve Bank's evaluation of the results of the
Transaction Review, the Reserve Bank may direct the Bank to
engage the independent consultant to conduct a review of the
types of transactions described in paragraph 5(a) for
additional time periods.
□ Within 10 days of the engagement of the independent
consultant, but prior to the commencement of the
Transaction Review, the Bank shall submit to the Reserve
Bank for approval an engagement letter that sets forth:
o (a) the scope of the Transaction Review;
o (b) the methodology for conducting the Transaction
Review;
o (c) the expertise and resources to be dedicated to the
Transaction Review;
o (d) the anticipated date of completion of the Transaction
Review and the Transaction Review Report; and
o (e) a commitment that supporting material associated with
the Transaction Review will be made available to the
Reserve Bank upon request.
● The Bank shall provide to the Reserve Bank a copy of the
Transaction Review Report at the same time that the report
is provided to the Bank.
● Throughout the Transaction Review, the Bank shall ensure that
all matters or transactions required to be reported that have not
previously been reported are reported in accordance with
applicable rules and regulations. . . .
The Office of Foreign Assets Control
● The Office of Foreign Assets Control (“OFAC”) administers and enforces economic and
trade sanctions against entities such as targeted foreign countries, terrorists,
international narcotics traffickers, and those engaged in activities related to the
proliferation of weapons of mass destruction.
● OFAC regulations require banks to block accounts and other property and to prohibit
or reject unlicensed trade and financial transactions with specified countries, entities,
and individuals.
● Both OFAC and BSA/AML require financial institutions to keep detailed records of
their transactions for purposes of policing against the use of the financial system by bad
actors;
o a difference is that in the case of BSA/AML it is up to the bank to identify
the suspicious party,
o in the case of OFAC the bad actor is already identified, giving the bank the
task of making sure it doesn't engage in a prohibited transaction with that
person or entity.
● Because the requirements are to some extent parallel, BSA/AML and OFAC
compliance issues are often grouped together.
● The following excerpt is from a consent order which includes elements of both
OFAC and AML/BSA compliance.
Board of Governors of the Federal Reserve System In the Matter of: Citigroup Inc. New York,
New York (p.467)
● Consent Order – Citigroup and its institution-affiliated parties shall cease and desist
and take affirmative action as follows:
● Source of Strength
o Board of Directors at Citi shall take appropriate steps to fully utilize
Citigroup's financial and managerial resources to serve as a source of
strength to each of
the Banks, including, but not limited to, taking steps to ensure that each of the
Banks complies with the Consent Orders issued by their respective banking
agency supervisors and any other supervisory actions taken by their respective
banking agency supervisors.
● Board Oversight
o Citigroup's board of directors shall submit to the Reserve Bank an
acceptable written plan to continue ongoing enhancements to the board's
oversight of Citigroup's firm-wide compliance risk management program
with regard to
compliance with BSA/AML Requirements. The plan shall describe the actions
that the board of directors has taken since the Consent Orders became effective
and will take to improve Citigroup's Firm-wide compliance risk management
with regard to BSA/AML Requirements, including, but not limited to, ensuring
that such compliance risk is effectively managed across Citigroup including
within and across business lines, support units, legal entities, and jurisdictions in
which Citigroup and its subsidiaries operate. The plan shall, at a minimum,
address, consider, and include:
(a) Funding for personnel, systems, and other resources as are needed
to operate a BSA/AML compliance risk management program that is
commensurate with the compliance risk profile of the organization and
that fully addresses the organization's compliance risks on a timely and
effective basis;
(b) policies to instill a proactive approach throughout the organization in
identifying, communicating, and managing BSA/AML compliance
risks;
(c) measures to ensure adherence to approved BSA/AML compliance
policies, procedures, and standards, and ensure the timely completion
of related projects and initiatives; and
(d) measures to ensure the resolution of BSA/AML-related
audit, compliance reviews, and examination findings.
● COMPLIANCE RISK MANAGEMENT PROGRAM
o Citigroup shall submit an acceptable written plan to the Reserve Bank to continue
to improve the governance, structure, and operations of the compliance risk
management program with regard to BSA/AML Requirements and the
regulations issued by the Office of Foreign Assets Control of the United States
Department of the Treasury ("OFAC"). The plan shall, at a minimum, address,
consider, and include:
(a) The structure and composition of Citigroup's compliance committees
and a determination of the optimum structure and composition needed
to provide adequate oversight of Citigroup's firm-wide compliance risk
management;
(b) enhanced written policies, procedures, and compliance
risk management standards;
(c) the independence and authority of the compliance functions and
related compliance committees;
(d) the duties and responsibilities of the heads of compliance for
global business lines, the BSA/AML global program, and legal
entities, as applicable, including the reporting lines within Citigroup,
and between Citigroup and its business lines and legal entities;
(e) a process for periodically reevaluating staffing needs in relation to
the organization's compliance risk profile, and management succession
planning for key compliance positions;
(f) the scope and frequency of compliance risk assessments;
(g) measures to ensure compliance and improve accountability within
business lines and legal entities and their respective compliance
functions;
(h) procedures for the periodic testing of the effectiveness of
the compliance risk management program;
(i) consistency with the Board of Governors' guidance regarding
Compliance Risk Management Programs and Oversight at Large Banking
Organizations with Complex Compliance Profiles, dated October 16,
2008 (SR 08-8); and
(j) the findings and recommendations of the consultant engaged by
Citibank pursuant to Article V of Citibank's Consent Order with the
OCC.
● BSA/AML COMPLIANCE PROGRAM
o Citigroup shall complete a review of the effectiveness of Citigroup's firm-wide
BSA/AML compliance program (the "BSA/AML Review") and prepare a
written report of findings and recommendations (the "BSA/AML Report"). The
BSA/AML Review shall, at a minimum, address, consider, and include:
(a) The structure of Citigroup's firm-wide BSA/AML compliance
program, including reporting lines and taking into account the functions
that Citigroup performs for the Banks and Citigroup's other
subsidiaries;
(b) standards for BSA/AML compliance that apply on a firm-wide
basis, including business lines and legal entities;
(c) the duties, responsibilities, and authority of Citigroup's chief
BSA/AML compliance official, including reporting lines within
Citigroup and from Citigroup's business lines and legal entities to the
chief BSA/AML compliance official;
(d) communication of BSA/AML-related roles and responsibilities
across the organization;
(e) coordination among corporate BSA/AML compliance and
the BSA/AML compliance functions of the Banks, Citigroup's
other subsidiaries, and business lines;
(f) processes for monitoring business line and legal entity compliance
with Citigroup's BSA/AML policies and procedures and BSA/AML
requirements;
(g) policies, procedures, and processes, including, but not limited to,
those for identifying and investigating suspicious activity, and for filing
suspicious activity reports;
(h) the scope and frequency of reporting with respect to BSA/AML
compliance within Citigroup, at a minimum, to senior management and
board committees, as well as between Citigroup and its business lines
and legal entities;
(i) BSA/AML-related risk assessments;
(j) measures to ensure that any BSA/AML compliance functions,
including, but not limited to, transaction monitoring and suspicious
activity reporting, that are performed by [Citigroup's nonbank
subsidiaries] for the Banks or the Edge Act Corporation are performed
to meet regulatory requirements;
(k) independent testing within Citigroup entities subject to
BSA/AML Requirements;
(l) training; and
(m) the findings and recommendations of the consultant engaged by
Citibank pursuant to Article V of Citibank's Consent Order with the
OCC.
o Within 120 days of this Order, the board of directors of Citigroup shall review the
BSA/AML Report and shall submit an acceptable written plan to the Reserve
Bank that includes a description of the specific actions that Citigroup will take to
continue to strengthen the management and oversight of Citigroup's firm-wide
BSA/AML compliance program, taking into account the requirements of the
appropriate federal or state supervisor of Citigroup's functionally regulated
subsidiaries.
● PROGRESS REPORTS
o Within 30 days after the end of each calendar quarter following the date of this
Order, the board of directors of Citigroup or an authorized committee thereof
shall submit to the Reserve Bank written progress reports detailing the form and
manner of all actions taken to secure compliance with this Order, a timetable
and schedule to implement specific remedial actions to be taken to address the
recommendation in the Report, and the results thereof.
● APPROVAL AND IMPLEMENTATION OF PLANS
o (a) Citigroup shall submit written plans that are acceptable to the Reserve Bank
within the applicable time periods set forth in paragraphs 2, 3, and 5 of this
Order.
o (b) Within 10 days of approval by the Reserve Bank, Citigroup shall adopt the
approved plans. Upon adoption, Citigroup shall promptly implement the
approved plans and thereafter fully comply with them.
o (c) During the term of this Order, the approved plans shall not be amended
or rescinded without the prior written approval of the Reserve Bank. . . .
Service risk
● Services that involve the movement of funds and/or
the concealment of beneficial ownership
Client risk
● Clients range from individuals, partnerships and limited
liability companies with dozens of partners or members
to multi-national corporations.
● Given this spectrum of clients, a lawyer will be challenged to
determine whether a particular client poses a higher risk and,
if so, the level of that risk and whether the application of any
mitigating factors influences that assessment.
● Various categories of potentially higher risk clients [if a client
falls in one of these categories, the lawyer must weigh this risk against
other risks to determine the appropriate level of client due
diligence]:
o Politically exposed persons ("PEPs") – individuals who are
or have been entrusted with prominent functions in a
foreign country. . . .
o Unusual Activity – Clients conducting their
relationship or requesting services in unusual or
unconventional circumstances (as evaluated in light of
all the circumstances of the representation). . .
o Masking of Beneficial Ownership - Where the
structure or nature of the client entity or relationship
makes it difficult to identify in a timely manner the
true beneficial owner or controlling interests
o Cash Intensive Businesses – clients that are cash
(or cash equivalent) intensive
o Charities and NPOs – those that are not subject
to monitoring
o Financial Intermediaries Not Subject to
Adequate [Money Laundering] Laws. . .
o Clients with Certain Criminal Convictions – Clients
having convictions for proceeds generating crimes
who instruct the lawyer (who has actual knowledge of
such convictions) to undertake specified activities on
their behalf are potentially higher risk clients. . . .
o Clients with No Address/Multiple Addresses –
Clients who have no address, or multiple addresses
without legitimate reasons. . . .
o Unexplained Change in Instructions. Clients who
change their settlement or execution instructions
without appropriate explanation are potentially
higher risk clients. . . .
o Structures With No Legal Purpose. The use of legal
persons and arrangements without any apparent legal
or legitimate tax, business, economic or other reason
are potentially higher risk situations. . . .
o The relative weight to be given to each risk category in assessing the overall risk
of money laundering and terrorist financing will vary from one lawyer or
firm to another because of size, sophistication, location, and the nature and scope
of services offered
o Lawyers need to assess independently the weight to be given to each risk factor
Factors subject to variables that may increase or decrease
the perceived risk posed by a particular client or type of
work
Questions and Comment (p.473)
● The reference to "gatekeepers," in the context of this report, includes lawyers, notaries,
trust and company service providers, real estate agents, accountants, and auditors
who assist with transactions involving the movement of money in the domestic and
international financial systems.
● Sanctions programs administered by OFAC prohibit a U.S. person from engaging in
transactions with persons in certain countries. In such cases an attorney may be
prohibited by law from engaging in the representation at all even if it was otherwise
not problematic
● Risk-Based approach to the attorney’s role in preventing money laundering and
terrorist financing – This approach involves an initial risk assessment which influences
the intensity of compliance activities that follow: more comprehensive vetting and
scrutiny for persons or transactions deemed to present a higher risk, less
comprehensive vetting and scrutiny for persons and transactions deemed to present
lower risk.
o The leading authority on the risk-based approach in this area is the Financial
Action Task Force (FATF)
Introduction (p.477)
● Sexual harassment in the workplace is prohibited under both state and federal law
● Meritor Savings Bank – the Supreme Court held that the language at the federal level
encompasses cases in which an employer subjects employees to a hostile work
environment by acts of sexual harassment
● Equal Employment Opportunity Commission – defines sexual harassment (see definition)
● Problem with corporations being accountable because it can only act through agents;
respondeat superior only makes employer liable for wrongful conduct if the
employee was acting within the scope of employment; no employer will ever say that
harassing behavior is part of an employee’s job description
Notes:
● Conduct must be relatively severe – ordinary tribulations of the workplace do not create
a basis for liability
Enforcement (p.485)
UN High Commissioner on Human Rights Guiding Principles on Business and Human Rights
(p.502)
● Responsibility of business enterprises to respect human rights refers to internationally
recognized human rights; at a minimum those in the International Bill of Human
Rights and principles concerning fundamental rights set out in the ILO’s Declaration
● Business enterprises are required to:
o Avoid causing or contributing to adverse human rights impacts
o Seek to prevent or mitigate adverse human rights impacts that are directly linked to
their operations
● Responsibility to respect human rights applies to all enterprises
● Businesses should have in place policies and processes appropriate to their size
and circumstances, including:
o A policy commitment to meet their responsibility to respect human rights
o A human rights due diligence process
o Processes to enable the remediation of any adverse human rights impacts
they cause
● Human rights due diligence – assessing actual and potential human rights impacts,
integrating and acting upon the findings, tracking responses, and communicating
how impacts are addressed
● Does a company have a legal or ethical obligation to insist on ethical behavior
by counterparties? – No.
● Conflicts Minerals and Supply Chain Management:
o Dodd-Frank Act and SEC Rule 13p-1 (applies only to public companies)
require SEC reporting firms to engage in due diligence and make disclosures in
connection with their use of conflict minerals from the “DRC Countries”; if an issuer
knows or has reason to believe that its conflict minerals may have originated in
DRC countries, it is required to prepare an audited conflict minerals report
describing matters such as the products the issuer produces with conflict
minerals, facilities used, country of origin, and what efforts have been made to
determine the location of origin
o States are beginning to take an interest in human rights enforcement through
supply chain management i.e. California enacted legislation barring companies
found to be in violation of the federal conflict minerals rule from participating
in state contracts
o Principal purpose of conflict minerals rule is to staunch the supply of money
that is believed to be fueling and prolonging a conflict which has involved rape,
gender based violence and other human rights violations
o Consider “blood diamonds” mined in conflict zones in Angola, Sierra Leone,
or Cote d’Ivoire
Sustainability (p.507)
● Activity is sustainable if it is consistent with the needs and interests of future generations
● Concept borrowed from ecology; idea that the corporation should operate in such
a manner that the environment would support its continuing to do so indefinitely
Enron (p.513)
● American energy, commodities, and services company based in Houston, Texas.
Bankruptcy on December 2, 2001; Enron employed approximately 20,000 staff and
was one of the world's major electricity, natural gas, communications, and pulp and
paper companies, with claimed revenues of nearly $111 billion during 2000.
● What happened?
o The mark-to-market practice led to schemes that were designed to hide the
losses and make the company appear to be more profitable than it really was.
o In order to cope with the mounting losses, Andrew Fastow, CFO, came up with a
plan to make the company appear to be in great shape, despite the fact that many
of its subsidiaries were losing money.
o Scheme was achieved through the use of special purpose entities (SPE).
o An SPE could be used to hide any assets that were losing money or
business ventures that had gone under; this would keep the failed assets off
of the company's books.
o In return, the company would issue to the investors of the SPE, shares of
Enron's common stock, to compensate them for the losses. This game couldn't
go on forever, however, and by April 2001, many analysts started to question
the transparency of Enron's earnings.
● Summary of findings:
o Company’s profits were inflated and its financing structures were rife with
fraud and conflicts of interest; pumping up stock price, but stock eventually
collapsed
o Had code of ethics and compliance committees yet committed massive fraud
o The transactions between Enron and LJM2 that had the greatest impact on
Enron's financial statements involved four SPEs known as the “Raptors”
o Raptors were designed to make use of forecasted future growth of Enron's stock
price to shield Enron's income statement from reflecting future losses incurred
on merchant investments. This strategy of using Enron's own stock to offset
losses runs counter to a basic principle of accounting and financial reporting:
except under limited circumstances, a business may not recognize gains due to
the increase in the value of its capital stock on its income statement.
o Used partnerships to enter into transactions that it could not or would not do
with unrelated commercial entities; the Raptors allowed Enron to inflate earnings
o Board of directors failed in oversight duties; approved arrangements that allowed
the Company’s CFO to serve as general partner in partnerships that participated
in significant financial transactions with Enron
o Board should be faulted for failing to demand more information, and for failing
to probe and understand the information that did come to it
o Had COI rule but had exception to the rule which was granted to Andrew
Fastow (CFO)
o Outside professional advisors, Vinson & Elkins, should have brought a
stronger, more objective and more critical voice to the disclosure process
o Company’s management was focused on financial results, not operating results.
What came out after the demise of Enron, including jail sentences for many of
the top executives, was overwhelming proof that Enron’s tone at the top was
fatally flawed.
o Tone at the top – Enron’s top executives set the tone for the culture; personal
ambition and greed seemed to overshadow their corporate and individual lives;
strived to maximize individual wealth by initiating and participating in
fraudulent behavior; Enron’s culture created an atmosphere ripe for the unethical
and illegal behavior that occurred; bad top management morality can be a
sufficient condition for creating a self-destructive ethical climate
o Problem:
Enron operated what appeared to be a cutting edge compliance shop
Majority of the board were independent of management
Enron’s Code of Conduct of Business Affairs set forth high
ethical obligations for senior management
Company established procedures for review of related party transactions
at the highest corporate levels and required its Audit and Compliance
Committee to conduct annual reviews of such transactions
Operated a whistleblower program with mechanisms for
anonymous reporting
Retained reputable independent professionals i.e. Arthur Andersen
for accounting and Vinson & Elkins for law
But, all these safeguards failed to detect or prevent the fraud
● Whistleblower – Sherron Watkins
WorldCom (p.518)
● US telecommunication corporation
● What happened?
o Fraud was implemented by and under the direction of CFO Scott Sullivan
o Sullivan directed the making of accounting entries that had no basis in GAAP
in order to create the false appearance that the company had achieved those
targets
o CFO and accounting firm inflated numbers so the company would hit its targets
o MBO = management by objectives
o More than $9 billion in false or unsupported accounting entries were made
in WorldCom’s financial systems in order to achieve desired reported
financial results.
o The fraud did not involve WorldCom’s network, its technology, or
its engineering.
o Most of WorldCom’s people did not know it was occurring. Rather, the fraud
occurred as a result of knowing misconduct directed by a few senior executives
centered in its Clinton, Mississippi headquarters, and implemented by
personnel in its financial and accounting departments in several locations.
o The fraud was the consequence of the way WorldCom’s CEO, Bernard J.
Ebbers, ran the Company – “source of the culture”; “Tone at the top”
o That the fraud continued as long as it did was due to a lack of courage to blow
the whistle on the part of others in WorldCom’s financial and accounting
departments; inadequate audits by Arthur Andersen; and a financial system whose
controls were sorely deficient.
o Serious corporate governance failure
o Board and its Committees did not function in a way that made it likely that
they would notice red flags i.e. outside directors had little or no involvement in
the company’s business other than the attendance at board meetings
o The Board, in particular the Audit Committee, played so limited a role in
oversight that it was unlikely that the fraud could have come to their attention;
no independent leadership until 2002
o Reputation played a role in the fraud i.e. Sullivan as the “whiz kid”
o Lawyers were not given full information, didn’t understand accounting
o Board of directors or board audit committee only saw information that
was provided to them, and the information had been carefully massaged
o Nature of accounting fraud:
Reduction of reported line costs
Exaggeration of reported revenues
o Why didn’t anyone blow the whistle early?
The culture emanating from corporate headquarters emphasized making
the numbers above all else; keeping financial information hidden from
those who needed to know; blindly trusting senior officers even in the
face of evidence that they were acting improperly; discouraging dissent;
and a lack of outlets through which employees believed they could safely
raise their objections.
Tone at the top – poor example of ethical leadership; disdain for
internal controls, overemphasizing profits over ethics and blaming
others for unethical practices.
● Ebbers controlled the Board’s agenda and its decisions; he and the
Board permitted a corporate environment in which the pressure to
meet the numbers was high, the departments that served as
controls were weak, and the word of senior management was final
and not to be challenged
● Board didn’t challenge Ebbers on the extent of his substantial
outside business interests i.e. rice farm, luxury yacht building
company etc.; Ebbers presented false picture to the market
● Steps to be implemented (see p.524)
Wachtell, Lipton, Rosen, & Katz, Risk Management and the Board of Directors (2013)
□ What is the proper role of the board in corporate risk management?
o Argues that the board should not be involved in day-to-day risk management but
instead should, through its oversight role, satisfy itself that the risk
management processes designed and implemented by executives and risk managers
are adapted to the board’s corporate strategy and are functioning as directed, and
that necessary steps are taken to foster a culture of risk-adjusted decision making
throughout the organization
o The board can send a message to the company’s management and employees that
corporate risk management is not an impediment to the conduct of business nor a
mere supplement to a firm’s overall compliance program but is an integral
component of the firm’s corporate strategy, culture and value generation process
o Important for directors to have the experience, training and knowledge of the
business necessary for making a meaningful assessment of the risks that the
company faces
o Should also consider the best organizational structure to give risk
oversight sufficient attention at the board level
□ Company’s RMS should function to bring to the board’s attention the company’s most
material risks and permit the board to understand and evaluate how these risks
interrelate, how they affect the company, and how management addresses these risks
□ Courts have taken the view that a breach of duty for failure to exercise oversight would
be a breach of the duty of loyalty, which is not subject to indemnification by a company
□ The board is advised to act well above the minimal standards established in Caremark
□ To avoid the risk of Caremark liability, boards should ensure that the company implements
appropriate monitoring systems tailored to each type of risk, periodically review
these monitoring systems, and ask management and/or outside consultants for an
assessment of the systems’ adequacy
□ Directors should involve the company’s general counsel to fulfill its duty
to have effective monitoring systems
RISK MANAGEMENT II - “APPROACHES TO RISK MANAGEMENT”
Introduction (p.547)
□ No single approach to risk management dominates; no consensus, instead, the
techniques in common usage are adapted to, and sometimes grow out of, specific
business lines or areas
Data
□ All risk management techniques depend crucially on the acquisition,
analysis, and presentation of information
□ Data must first be compiled; decision maker will not sort through or understand raw data
therefore someone must categorize and analyze the information so it can be presented
to the decision-maker in summary form
□ Presentation of data must be embodied in a medium and a form that allows
the decision-maker to focus on the important patterns and screen out the
noise
□ Classic example of the importance of information analysis and presentation is the
case of the NASA Challenger – illustrates two points about the role of information
in risk management:
1) The proper information must be used if the analysis is to be valid (in
Challenger, relevant information had been compiled but it was not used)
2) The Challenger disaster illustrates the power and also the perils of
graphic presentation of data
□ Graphic or tabular presentation of data is a key element of
contemporary risk management
o Universal use of this form of presentation is driven by 2 developments:
Vendors of analytic risk management products sell their services
most effectively if they can offer to package information in
attractive, compelling ways
Attractive and inexpensive color photocopying has made it possible to
enhance the effectiveness of graphic presentations by coding
information in color
□ Dashboard – the graphic presentation of data; a suite of charts or a slide deck containing
information displayed in a variety of graphic formats; organized in hierarchical
fashion (tables are an important element of any dashboard)
o Values out of range would show up in red
□ Heat maps – a matrix that displays how one variable varies across two others; might
locate different functions on a grid formed by the variables “likelihood” and
“impact”; areas of greatest impact and likelihood would show up in red and the area
of lowest impact and lowest likelihood shown in green; intermediate values in yellow
Benghazi (p.578)
□ Government is also a complex organization subject to many risks
□ Report made by a State Department review board of the events surrounding the
terror attacks in Libya that cost the lives of Ambassador Chris Stevens and three
other US government personnel