
CORPORATE COMPLIANCE & RISK MANAGEMENT

PROF. DONFRO
FALL 2018

INTRODUCTION

Governance
□ Deals with the structure and control within an organization
□ The processes by which decisions relative to risk management and compliance are
made within an organization
□ Governance of organizations is often complex, involving layers of responsibility
and a variety of different offices and positions, with lines of authority projecting
in many different ways

Risk Management
□ Takes account of the risks facing an organization
□ Has a significant technical component (different than governance)
□ Refers to the processes by which risk is identified, analyzed, included in strategic
planning, and either reduced through risk mitigation tactics or accepted as inherent
in activities that the organization wishes to conduct
□ Goal is not to eliminate risk but rather to manage it
□ Recognizes that activities of the enterprise necessarily involve uncertain outcomes
with different consequences for the success of the organization’s mission

Compliance
□ Refers to the processes by which an organization polices its own behavior to ensure
that it conforms to applicable rules and regulations
□ Processes by which an organization seeks to ensure that employees and other
constituents conform to applicable norms, which can include either the requirements
of laws or regulations or the internal rules of the organization

Note: the functions of governance, risk management, and compliance are not hermetically
separated
□ Serve a common purpose – to ensure that organizations are managed well and in
such a way as to enhance social welfare

How do you make corporations responsible?


□ Law relied upon corporate directors
□ Directors have specialized duties if they are on committees
□ NYSE requires audit committees
□ Sarbanes-Oxley requires 1 person versed in accounting
□ Most shareholders have diversified portfolios therefore no particular interest in one
stock

Law of Governance, Risk Management and Compliance

□ Includes not only conventional rules and regulations, but also “soft law”
recommendations from NGOs i.e. Committee of Sponsoring Organizations of
the Treadway Commission (COSO)

Committee of Sponsoring Organizations of the Treadway Commission (COSO)


□ Promotes the idea of “internal controls” to capture the essence of the GRC process
□ Internal control – a process implemented by an entity’s board of directors, management,
and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives relating to operations, reporting, and compliance
o Control environment – general tone of organization
o Risk assessment – process by which the organization identifies and evaluates
material risks to its operations both internal and external
o Control activities – procedures and policies that an organization employs to
ensure that decisions made by the board of directors and senior management
are faithfully and competently executed throughout the organization
o Information and communication – means by which agents of the organization are
supplied with the information needed to perform their duties
o Monitoring – process of quality assurance
□ COSO states that internal controls help an organization achieve its objectives
while reducing risk
□ Umbrella organization of 5 organizations:
1. American Accounting Association
2. American Institute of CPAs
3. Financial Executives International
4. Association of Accountants and Financial Professionals in Business
5. Institute of Internal Auditors

Three Lines of Defense (most focus is on the second and third line)
1. Operating executives have initial responsibility for implementing internal controls
within their own areas; line operators
2. Risk management and compliance operations catch problems that are not weeded out
at the front line
3. Internal audits i.e. spot checks and external audits

Role of Attorneys
□ Governance has a legal element because the rules allocating responsibility and
authority for compliance and risk management are contained in formal legal
documents such as charters, bylaws and board resolutions
□ Some of the most important risks an organization faces are legal in nature
□ Australian study concluded that lawyers don’t perform their compliance jobs
any differently than other compliance professionals

Shifting Risk:
□ “Swim at your own risk” – the theory that you assume the risk
□ Mitigating risks.

CORPORATE GOVERNANCE

“Separation of ownership and control” – defining issue for corporate governance
□ Number of shareholders makes it impossible for them to exercise effective governance
□ Managers control what happens in big companies, subject to only minimal checks
from shareholders or other constituencies

Organization for Economic Cooperation and Development (OECD)


□ Promote economic development
□ Principles of Corporate Governance:
o Ensure effective corporate governance
o Rights of shareholders
o Equitable treatment of shareholders
o Role of stakeholders
o Disclosure and transparency
o Responsibility of the board
□ Reasons to adopt principles:
o Transparency for investment purposes; runs better
o Investors will come to the company and then make the company more money
o Social responsibility is important when consumers become more aware of social
issues i.e. Tom’s shoes
□ OECD’s Principles of Corporate Governance are a living instrument offering non-
binding standards and good practices as well as guidance on implementation, which
can be adapted to the specific circumstances of individual countries and regions
□ OECD is a good governance organization
□ Mission is to “promote policies that will improve the economic and social well-
being of people around the world”… “International standards on a wide range of
things, from agriculture and tax to the safety of chemicals”
□ OECD Principles of Corporate Governance are not law and no country is
obligated to adopt these principles as a matter of internal law
o OECD standards are recommended as “best practices” because:
    When understood they are recognized as a better way to govern
    Provide a focal point around which a consensus of regulators and
    policy makers can coalesce
    Makes it easier for governments to adopt internal reforms because
    backed by prestigious international organizations
    Serve the interests of organizations and individuals who pursue
    agendas which do not necessarily align with the public interest

Shareholders
□ Gain profits in either of two ways:
o Company may declare a dividend distributing some of the surplus back to its
owners
o Share price may rise to reflect the value of profits which have not been distributed
□ Voting your shares:
o By proxy (i.e. agree or disagree; don’t give you opportunity to give your opinion)
o Go to annual meeting
□ Incur losses when value of their interest falls
o Company becomes insolvent, they forfeit the entire value of their investments
o Company winds up its business (dissolution or acquisition) shareholders get a
distribution reflecting some measure of the value of their ownership interests
□ Reasons why shareholders can’t be managers of companies they own:
o Not practical because decisions need to be made quickly (a vote may take too
much time)
o Costly to ascertain the preferences of the shareholders
o May not be well informed about decisions that they do make
o Hold diversified portfolios thus are unlikely to care about any particular company
o If the company has shortcomings, the shareholder can simply sell its stock
o If the shareholder anticipates selling the stock, she has a reduced interest in
tracking what is going on at the company
o Even informed shareholders do not possess the judgment needed to make day to
day management decisions
o Shareholders’ interests do not align optimally with what society would prefer
    Moral hazard – all insurance policies create a problem of moral
    hazard; creates disincentive to taking care
□ Ownership in a company is a limited form of ownership – you only have the
right to make certain decisions
□ People whose interests do not necessarily align with those of the firm will make all
the decisions and not be subject to checks and balances; will often serve their own
interests rather than the interests of the company or of society as a whole
□ Can make “fundamental” decisions:
o Election of board of directors
o Changes in company charter
o Fundamental corporate changes
o Selection of the company’s independent auditor
o Have a right of approval when substantially all the assets of their firm are sold to
another company, but not when their company acquires substantially all the assets
of another company
□ Managers can make important changes in a company’s governance through board
actions which do not require shareholder vote i.e. “poison pill” shareholder rights
plans, which can reduce the chance that a company will be acquired in a hostile
takeover (Moran v. Household International Inc.) and bylaw amendments designating
Delaware as the sole forum for lawsuits alleging breach of fiduciary duty in
Delaware corporations (Boilermakers v. Chevron)

The Case for Increasing Shareholder Power – Lucian Bebchuk


o Indicates that shareholders’ existing power to replace directors is insufficient to secure
the adoption of value-increasing governance arrangements that management disfavors
o Shareholders should be able to adopt provisions that would give them subsequently a
specified power to intervene in additional corporate decisions
o A regime with shareholder power to intervene would address governance problems that
have long troubled legal scholars and financial economists

The Case for Limited Shareholder Voting Rights – Stephen Bainbridge


o Natural division of labor requires that the chosen directors and officers be vested with
discretion to make binding decisions
o Bounded rationality – the idea that people are not rational, they only satisfice; our
rationality is bounded (limited)
o Importance to specialize
o Separating ownership and control by vesting decision making authority in a centralized
nexus distinct from the shareholders and all other constituents is what makes the large
public corporation feasible
o Argues that the separation of ownership and control is not a problem but rather a solution
to a problem
o Corporations can’t be run effectively by shareholders as a whole; they need to delegate
responsibility to specialists who will make decisions on a timely and informed basis

The Board of Directors


o Highest management authority in the organization
o “Board of trustees” in nonprofit organizations

a) Powers
o Delaware General Corporation Law §141(a): “the business and affairs of every
corporation…shall be managed by or under the direction of a board of directors…”
o New York’s General Business Corporation Law: “the business of a corporation
shall be managed under the direction of its board of directors”
o Responsibility can be shifted from the board in three ways:
1. Board committees may be established. Delaware General Corporation Law
§141(c)(2) states that a board committee if duly authorized may “exercise all
the powers and authority of the board of directors in the management of the
business and affairs of the corporation”
2. Persons outside the board. Delaware General Corporation Law §141(a)
provides that a company may vest management powers outside the board
by including a provision in its charter.
3. Delegate these tasks to senior officers. Delaware General Corporation Law
§141(a) recognizes two functions for the board: managing a company and
directing the management of a company
    Managing – direct performance of executive tasks i.e. when
    board hires or fires a CEO or selects an auditor
    Directing the management – the activity of supervising others,
    executive officers, who carry out day to day operations (largest
    share of the time is spent on supervising)

Problems with Directing the Management


o If senior executives don’t provide accurate information to the board, the board will be
disabled from making the best decisions on behalf of shareholders
o Oversights are not good
o “Asymmetric information” risk – problem of obtaining needed information from
management; problem that the board of directors must make strategic decisions on behalf
of the company in reliance on information provided by managers
o The proper stance of a board when supervising a company’s managers is “NIFO” – noses
in, fingers out

Compliance and Risk Management


o Refers to the principal mitigation techniques that supplement the board’s role in
supervision and oversight
o Instruments designed to enhance and improve the management function in complex
organizations

b) Size
o Empirical studies suggest that boards of directors become less effective once they
cross a certain threshold of size

Problem 2-1 (page 37)


□ Boards can be classified into 3 groups
□ Unclassified board, every director is up for election every year
□ Unclassified board increases the power of shareholders
□ As a director you don’t want to declassify the board and be subject to an early
election thereby allowing the shareholders’ objectives to move forward (i.e. cheaper
cosmetics)
□ I would not take the recommendation to declassify the board to allow the
shareholders’ contrary objectives to move forward; an independent director has a
fiduciary obligation to the company and therefore has to think of the long term
reputation of the company

c) Qualifications to Become a Member of the Board


o Senior executive at firm
o Distinguished background in some other field requiring leadership skills
o Successful executive in some other industry
o Politically or socially connected
o Woman or member of ethnic minority
o Expertise about the industry or aspects of firm’s operations
o Owns a lot of company’s stock
o Attorney, accountant, or other professional service provider
o Representative of some constituency in the firm
o Weaknesses to consider:
    Previous service on board of another company that went bankrupt
    Undergoing contentious divorce
    Living with chronic medical condition
    Expelled from college for cheating
    On bad terms with person who heads up company’s government supervisor
    Publicly espouses unpopular views on matters of public controversy

Independence
o Inside director – someone employed by or otherwise linked to the company for reasons other
than his or her service as a director
o Benefits:
    Intimately involved in the management of the company.
    They know the personalities, strengths and weaknesses of other senior
    managers and are equipped to assess the best use of the available
    human resources
    Have a commitment to the enterprise which is both financial
    and reputational
o Deficits:
    They are likely to think along the lines which are set within
    the organization.
    May lack perspective that comes with broader experience (if they
    spent their entire career at the firm)
    If they are not the CEO they may find themselves limited in what they
    can say on the board because of fear that the CEO who controls their
    possibilities for promotion may not approve
    Usually want to be paid more
    Tend to value the powers and perquisites of their jobs
    May be incompetent or unmotivated and therefore prefer that the
    board not closely scrutinize their job performance

Paramount v. Time Life


□ Time Life argued that Paramount would bring down the character of the corporation
□ Insiders would resist a takeover because they want to keep things in the company the
way it is; this ignorance may be a problem

o Independent director – someone without these connections


o Benefits:
    Come from a different background and bring a different perspective
    Less concerned about offending CEO
    Less conflict of interest over compensation
    No incentive to allow the company’s executive officers to behave in
    an incompetent or unmotivated way; more likely to insist on good
    job performance
    Have a public relations function; bring reputation to the job which is good
o Deficits:
    Because part time they can never have the knowledge base that an
    inside director brings
    Partial involvement is a strength but also a weakness; they have less to
    lose if company does poorly
    Often are connected to senior management by different ties; therefore
    may find it hard to raise challenging questions in the board room
o NYSE and NASDAQ require that the majority of directors of a listed company be
independent.
o All members of the audit, compensation and nominating committees of the board must be
independent
o Listed companies must disclose the identity of independent directors in their
proxy statements and 10-K forms

Additional Notes on Independent Directors


□ There is some evidence that audit committees comprised of independent directors
discourage companies from engaging in “earnings management” (manipulating financial
operations and reporting so as to show steady growth of profits over time)
□ Several studies suggest that boards of directors dominated by independent directors are
more likely than boards dominated by insiders to fire the CEO when firms are
performing poorly

FIDUCIARY DUTIES

Fiduciary – a person charged under the law with making decisions fundamental to the welfare of
someone else
□ Directors are fiduciaries because they make decisions that affect many others
i.e. shareholders who have an ownership interest in the firm

Fiduciary duty – the legal duty that a fiduciary owes to the person on whose behalf she is acting
□ Directors owe this legal duty to the firm and indirectly to shareholders (possibly
other constituents)
□ Meinhard v. Salmon – “the level of conduct for fiduciaries has been kept at a level
higher than that trodden by the crowd” (Cardozo)

Duty of Care

In re Citigroup Inc. Shareholder Derivative Litigation (2009)


□ Plaintiffs’ theory amounted to a claim that the director defendants should be
personally liable to the company because they failed to fully recognize the risk posed
by subprime securities
□ Fiduciary duty of care and the business judgment rule – focus on the decision
making process rather than on a substantive evaluation of the merits of the
decision
□ Business judgment rule – a presumption that in making a business decision the
directors of a corporation acted on an informed basis, in good faith and in the honest
belief that the action taken was in the best interests of the company
o Burden on plaintiffs, or party challenging directors’ decision, to rebut this
presumption
o Rule prevents a judge or jury from second guessing director decisions if they were
the product of a rational process and the directors availed themselves of all
material and reasonably available information
o If the presumption is not overcome, the plaintiff has no chance of winning a
lawsuit against a director based on a claim of fiduciary duty
o Rule shields directors from liability for bad judgments but doesn’t foreclose
judicial inquiry into the procedure which the board used to reach the bad decision
o Decision must result from a “rational process” in which the directors availed
themselves of “all material and reasonably available information”

Super business judgment rule – Delaware General Corporation Law §102(b)(7) allows a
Delaware corporation to include in its certificate of incorporation a provision that eliminates
liability of directors for money damages in lawsuits based on violations of the duty of care.
Statute makes clear that absent special circumstances, directors face no exposure for money
damages in lawsuits claiming violations of the duty of care.

Rationale for business judgment rule and statute as per court In re Citigroup:
□ Idea that directors know more than courts know about the business decisions they
have to make
□ Hindsight bias – rule counteracts this tendency by requiring judges to credit the good
faith and reasonableness of managerial decisions unless the contrary is shown. There is a
tendency for judges to evaluate decisions in light of how they turned out.

Other explanations for business judgment rule:


□ Shareholders are protected from loss (i.e. have diversified portfolios) therefore
less reason to intervene
□ Corporate managers are subject to market discipline that doesn’t exist for
other fiduciaries
□ In the case of public corporations, imposing personal liability on directors would do
little to rectify the harm since the amount of damages will far exceed their resources
□ If responsible people feared having to pay damages for violation of the duty of care,
they would not want to serve on corporate boards
□ If a state imposed a duty of care with any significant threat of liability, companies
would re-charter in a more accommodating jurisdiction

Duty of Loyalty
□ Business judgment rule is a presumption that holds unless the contrary is established
□ The principal way that the presumption can be rebutted is to show that the defendant
director or controlling shareholder had a conflict of interest in the transaction in
question
□ Standard case is the American Express case. Stock went down in value. Had company
sold stock they would have had tax loss which they could write off. Instead they
delivered devalued stock to shareholder. They could only record the gain. The
company basically said they made a decision and that’s enough.
□ Modern cases touch duty of loyalty.
□ Duty of loyalty cases are intentional wrongs

In re Southern Peru Copper Corp. Shareholder Derivative Litigation (2011) (Add notes)
□ Found that the controlling stockholder defendants breached their fiduciary duty of
loyalty in a transaction involving the controlling stockholder’s subsidiary.
□ Chancellor Strine found significant shortcomings on the part of the committee
when assessing whether the transaction was subject to a fair process and had a
fair price
□ Found that Southern Peru overpaid when it acquired the controlling
stockholder’s subsidiary
□ The merger was not entirely fair, in process or in price; defendants breached their
duty of loyalty
□ Plaintiffs were awarded damages to remedy the breach of the controlling
stockholders fiduciary duties
□ The damages awarded in this case are among the largest ever awarded in a breach of fiduciary duty case
□ Question:
o Mining company sold to NYSE listed company. Hired financial advisor who said
the company is not worth anything close to $3.1 billion. Instead worth much less.
Controlling shareholder doesn’t need to own a majority of the stock. Sometimes
only requires 5% of stock.
o Committee had to evaluate proposal and decide whether the mining company was
worth $3.1 billion. This independent committee was set up to justify the
transaction
o Court concluded that the controlling shareholder got too good of a deal b/c more
money than it was worth.
o $1.263 billion overpaid.
o All directors and officers that voted for this were jointly and severally liable.

Duty of Oversight?

In re Caremark International Inc. Derivative Litigation (1996) (Delaware Chancery)


□ Defendant corporation provides health care services and products to patients who are
often referred to them by a physician. Business is reliant on referrals, there is a
temptation by companies like Caremark to compensate physicians. Federal law, the Anti
Referral Payments Law is in place to prevent such a system and in 1991 the Department
of Health and Human Services began investigating potential ARPL violations. Caremark
was indicted for violating the ARPL and plaintiffs initiated suit alleging that the Board of
Directors did not exercise the appropriate attention to this problem. There was a proposed
settlement between the shareholders and Board calling for more oversight and ensuring
that corporate employees were abiding by laws regarding relationships with outside
health care professionals.
□ Complaint for breach of oversight to be active monitors of corporate performance
□ Two necessary conditions for director oversight liability:
o The directors utterly failed to implement any reporting or information system or
controls; or
o Having implemented such a system or controls, consciously failed to monitor or
oversee its operations thus disabling themselves from being informed of risks or
problems requiring their attention.
□ In both cases, imposition of liability requires a showing that the directors knew that
they were not discharging their fiduciary obligations
□ Directors have a duty to ensure themselves that information and reporting systems
exist to show compliance with the law
□ Director liability for a breach of the duty to exercise appropriate attention may arise in 2
contexts:
o Decision was ill advised or negligent (breach of duty of care)
o Unconsidered failure of the board to act in circumstances in which due attention
would have prevented the loss (not action or inaction; wasn’t even thought of)
□ Whether a judge or jury considering the matter after the fact believes the decision
is wrong or stupid or egregious or irrational, provides no ground for director
liability
□ Duty of oversight and breach of that duty is unconsidered inaction

Stone v. Ritter (2006) (Delaware Supreme Court) – confirms the validity of Caremark liability
under Delaware law, and recognizes the generality of its applications, while providing
information about the scope of the duty
□ Shareholders brought a derivative lawsuit against the bank’s directors for breach of
fiduciary duty. Argued that the defendants had failed to implement monitoring,
reporting or information controls that would have enabled them to learn of problems
requiring their attention.
□ Examples of conduct that would establish a failure to act in good faith:
o Where the fiduciary intentionally acts with a purpose other than that of advancing
the best interests of the corporation
o Where the fiduciary acts with the intent to violate applicable positive law
o Fiduciary intentionally fails to act in the face of a known duty to act,
demonstrating a conscious disregard for his duties
□ Court held that the plaintiffs’ complaint seeks to equate a bad outcome with bad faith.
Although there may have been failures by employees to report deficiencies to the board,
there is no basis for an oversight claim seeking to hold the directors personally liable for
such failures by the employees. The board received and approved relevant policies and
procedures, delegated to certain employees and departments the responsibility for filing
and monitoring compliance, and exercised oversight by relying on periodic reports from
them.
□ Caremark liability is not a third branch of fiduciary duty, but rather part of the
duty of loyalty

Re Caremark
□ Chancellor Allen
□ Medicare won’t pay for 3rd party referral fees
□ Caremark is in the business of paying referral fees; they kept on doing it; even the
predecessor paid referral fees; they keep saying that they are not and have guides to
show that they are not; have an ethics committee that said there are no material
violations
□ Now there is a complaint for breach of oversight to be active monitors of
corporate performance
□ Director liability for a breach of the duty to exercise appropriate attention may arise
in 2 contexts:
o Decision was ill advised or negligent (breach of duty of care)
o Unconsidered failure of the board to act in circumstances in which due attention
would have prevented the loss (not action or inaction; wasn’t even thought of)
□ Whether a judge or jury considering the matter after the fact believes the decision
is wrong or stupid or egregious or irrational, provides no ground for director
liability
□ Duty of oversight and breach of that duty is unconsidered inaction
□ Directors have a duty to ensure themselves that information and reporting systems
exist to show compliance with the law
Stone v Ritter
□ Derivative lawsuit against bank directors; failed to implement monitoring
and information controls
□ Caremark standard relies on the concept of failure to act on good faith; fiduciary acts
with the intent to violate applicable positive law; acts with a purpose other than that of
advancing the best interests of the corporation; where fiduciary intentionally fails to
act in the face of a known duty to act (demonstrating a conscious disregard for his
duties)
□ “Utter failure to attempt to assure a reasonable information and reporting system exists”
□ Caremark: requires information to be reported to board

Stone v Ritter: liability only for utter failure to attempt to assure a reasonable information and
reporting system (lower standard; easier to escape liability)

Rich ex rel. Fuqi Intern, Inc. v. Yu Kwai Chong (2013)


□ Plaintiff alleged that Fuqi’s directors are liable for failure to oversee the operations of
the corporation. Fuqi argues that the complaint fails to plead facts that show that the
directors “consciously and in bad faith failed to implement any reporting or accounting
system or controls”.
□ Essence of a Caremark claim is a breach of the duty of loyalty arising from a
director’s bad-faith failure to exercise oversight over the company. A Caremark
claim is “possibly the most difficult theory in corporation law upon which a
plaintiff might hope to win a judgment”
□ One way a plaintiff may successfully plead a Caremark claim is to plead facts
showing that a corporation had no internal controls in place
□ Here, the disclosures show that Fuqi had no meaningful controls in place. The board of
directors may have had regular meetings, and an audit committee may have existed, but
there does not seem to have been any regulation of the company’s operations in
China. Even if Fuqi had some internal controls in place, it can be inferred that the
board’s failure to monitor that system was a breach of fiduciary duty.
□ Cited Stone v. Ritter, where there the Supreme Court held that if the directors have
implemented a system of controls, a finding of liability is predicated on the directors’
having “consciously failed to monitor or oversee the operations thus disabling
themselves from being informed of risks or problems requiring their attention.” One way
that the plaintiff may plead such a conscious failure to monitor is to identify “red flags”
obvious and problematic occurrences that support an inference that the Fuqi directors
knew that there were material weaknesses in Fuqi’s internal controls and failed to
correct such weaknesses.
□ Fuqi had several “warnings” that all was not well with the internal controls:
o Directors were aware that there may be challenges in bringing the company’s
internal controls into harmony with the US securities reporting system. The
directors did nothing to ensure that its reporting mechanisms were accurate
o Board knew that it had problems with its accounting and inventory processes. It
also acknowledged the likelihood of material weaknesses in its internal controls
o Fuqi received a letter from NASDAQ warning them that it would face delisting if
the company did not bring its reporting requirements up to date with the SEC.
□ Can be inferred that these “red flags” show that the directors knew that there
were deficiencies in Fuqi’s internal controls
□ When faced with knowledge that the company controls are inadequate, the directors
must act, i.e. they must prevent further wrongdoing from occurring. A conscious failure
to act, in the face of a known duty, is a breach of the duty of loyalty.
□ The knowing failure to stop further problems from occurring supports the
plaintiff’s claim for breach of the duty of good faith under Caremark
□ Essence of a Caremark claim is a breach of the duty of loyalty arising from a
director’s bad faith failure to exercise oversight over the company
□ Plaintiffs must plead facts that allow a reasonable inference that the defendants
knew they were not fulfilling their fiduciary duties; examples of directors disabling
themselves from being informed include a corporation’s lacking an audit committee or
a corporation’s not utilizing its audit committee

Law of Delaware – there are only 2 duties (1) duty of care and (2) duty of loyalty

Additional Notes:

ADD NOTES from book (page 64)
Problem 2-4 (page 66)
□ As independent director and chair of the audit committee you have a fiduciary duty to
the corporation
□ Spanish language may be an issue b/c the board meetings are conducted entirely in
Spanish. If you are an independent director and chair of the audit committee and are
relying on translation, this may be problematic.

Class notes:
□ Duty of oversight is a species of duty of loyalty
□ Not uncommon for new corporations (dot-coms) to be incorporated in Delaware; this is
the norm
□ Why Delaware?
oCitigroup: Company is domiciled in Delaware b/c the state is more favorable to
corporations. Incorporators decide where the company will be incorporated.
Shareholders can vote but at the end of the day the directors decide. Ordinary
business decisions are made by the owner, CEO or the directors. The law itself is more
beneficial to directors, e.g. the ability to waive liability under §102(b)(7) of the Delaware
General Corporation Law (“super business judgment”). Absent special
circumstances, directors face no exposure for money damages in lawsuits
claiming violations of the duty of care. Changes in the company charter are voted on
by shareholders; so who would actually vote for the super business judgment rule
to apply and therefore change the charter to reflect this?
□ Duty of care – duty to act rationally
oVery few decisions are not rational
oBusiness judgment rule protects from liability
COMMITTEES

□ Board of directors may be authorized to delegate functions to committees
composed of only some board members
□ Problem 2-7 (p.74): Seek audit committee members in their entirety. Verify information
with Sally. The goal is to get the company to comply and get Sally to do her job
properly. To create resistance in Sally is not going to help. You need to get her to do
what you want her to do. Persuasion is leading while being led. Know what their values
are to move where you want them to be. Begin where the employee is and then get them
to where you are/want them to be. Contact the board. Audit committee must have good
relations with internal audit staff. Need internal audit to be stronger. Steps to take:
oTalk to audit committee then maybe to the board
oNeed free-flow of communication to audit committee
oHotline – take steps to make sure that hotline complaints are anonymous
□ Problem 2-8 (p.75): Blanchard would be done if he squealed on the powerful figure.
The board can recommend to the CEO that Blanchard be fired. The board has limited
powers. As an independent director you need to be careful about how you express your
views. You want the company to move from where it is now to the right place.
□ Greenbrier Corporation Risk Committee Charter – p.77
oBiggest risks:
Credit risk
Liquidity risk i.e. may become cash poor
Funding risks
Product risk
Market risk i.e. stock market risk if publicly traded
Reputation risk

Note: these risks are totally independent.


oRisk officer – to manage all these different kinds of risks
oEnron problem: high-powered incentives – executives should get stock options
or be compensated based on the stock price; the idea is that their perspective and that
of shareholders would be aligned
Turned out that earnings manipulation allowed the stock price to go up
in the short term, allowing executives to cash out

Problem 2-9 (p.82): Delaware statute allows you to rely on the truthfulness of reports by
members of the corporation.

Problem 2-10: “risk appetite”. What type of security would allow you to hedge the risk of an
interest rate increase? A variable interest rate. Option = an option to purchase a certain security,
e.g. a security with a higher interest rate. Either you exercise the option or you don’t. Try to
transfer the risk? Hedge = offsetting the risk. Is it bad to have the regulator irritated with you?
Yes, but how bad? Regulators have discretion. Insurance regulators act differently in different
states.

Audit Committees
□ Originally formed to supervise company’s finances and to manage relationships
with outside auditor
□ Rationale for assigning financial matters to specialized committee:
oGreater focus and clarity of action could be obtained
oAddresses the problem that a full board might be suspect on the issue of financial
reporting as they have an interest in maximizing the company’s stock price
□ Audit function is to check and make sure that procedures are followed and items
properly recorded
□ Audit committees exist in every public company and a majority of private companies
□ SOX, SEC Rule 10a-3, and the listing requirements of national securities exchanges
require that the audit committee of a public company be staffed entirely by
independent directors
oSEC Rule 10a-3 – each audit committee must have the authority to engage
independent counsel and other advisors
oSEC requires that the audit committee be given “appropriate funding” for
payment of the expenses of accountants and advisers as well as the
committee’s ordinary administrative expenses
Audit committee (not the full board) has the authority to determine
what these expenses should be
□ Unless there is some other specialized committee in place, the audit committee is
responsible for overseeing the company’s compliance operation; receives regular
reports from CCO
□ SOX and the SEC regulations require that such committees establish procedures for the
receipt, retention, and treatment of complaints regarding accounting, internal
accounting controls, or auditing matters; and for the confidential, anonymous submission
by employees of concerns regarding questionable accounting or auditing matters
□ Audit committee members must satisfy competence qualifications
□ Each public company must disclose whether it has a “financial expert” on its
audit committee and if not, why
□ NASDAQ – audit committees of NASDAQ listed companies must include at least
one member who has past experience in finance or accounting, professional
accounting certifications, or comparable experience
□ NYSE and NASDAQ listing standards require that all audit committee members
possess minimum levels of financial literacy
□ Key line of defense for ensuring that the company remains compliant with applicable
rules and regulations
□ To supervise the activities of the internal audit department, which checks to ensure
that a company’s policies and procedures are being carried out in a reliable and
effective way

Risk Committees
□ New committees have been created to take over some of the burden and to focus on
tasks which are deemed to be discrete, important, and outside the central competence
of the audit committee
□ Nearly all banks operate a board level risk committee
□ SEC Regulation 407(h) requires public companies to disclose the extent of their
board’s role in overseeing the organization’s risk exposure, including how the board
administers its risk oversight function and how the leadership structure accommodates
such a role.
□ SEC also facilitated the growth of risk committees by ruling in 2009 that shareholder
proposals regarding risk could not be excluded from a company’s proxy materials on
the ground that they related to the day-to-day operations of the firm
□ §165(h) of the Dodd-Frank Act directs the Federal Reserve Board to require certain
large bank holding companies and systemically important nonbank financial
companies to establish a board risk committee that is responsible for oversight of
enterprise wide risk management, is comprised of an appropriate number of
independent directors, and includes at least one risk management expert
□ SEC only has power to order public companies to make disclosures to the
market; it cannot instruct them how to manage their affairs
□ Risk committees operate under charters approved by the full board of directors
□ An advantage of a board-level risk committee is that it focuses exclusively on risk
and therefore doesn’t get distracted by other responsibilities as could happen, if
the responsibility for assessing and managing risk were given to the audit
committee
□ Risk committee has the capacity to manage risk on an enterprise wide basis, rather
than by individual business lines as had often been the case in earlier years
□ Risk committees pose challenges for institutional design; vesting responsibility
in a committee of the board threatens to cut the other board members out of the
loop
□ Board risk committees under the Dodd-Frank Act must include “at least one
risk management expert”
□ No competency requirements for board risk committees

Compliance Committees
□ Companies in industries with intensive regulation and high potential for infractions
maintain a specialized compliance committee that operates separately from the
audit committee

Governance and Nominating Committees


□ The risk of “old school” connections between a company’s senior managers and the
board of directors can be reduced if the job of nominating a new director is taken
away from the company’s managers and given to unrelated parties

Compensation Committees
□ The enhanced focus on compensation is due to factors including:
oSome companies paid high compensation to senior managers, and public outrage at
perceived excesses became widespread.
oFinancial crisis of 2007-2009 convinced many that corporate CEOs were not all
they have been cracked up to be
oShareholder activists have become much more powerful in recent years, and a
principal focus of their activism has been a campaign to curb excessive
compensation of corporate managers.
EXECUTIVES

Introduction
□ Board of directors and the relevant board committees are charged in law and policy
with the task of overseeing management of the organization, including managing
risk and ensuring that the firm complies with all applicable laws and regulations
□ Board’s oversight at meetings must be conducted at a high level of generality
□ Meet only a few times a year; rarely more than once a month and often only once
every two months or every quarter year
□ Board can decide on broad issues of strategy and can oversee the operations of
the company at a general level
□ Board members rely on the company’s senior employees to carry out the practical
tasks of management
□ Senior employees are the board’s eyes and ears: independent board members only
see and hear information provided to them by company employees
□ “Management” of a company = senior executive team
□ Vast majority of decisions regarding the company’s organization and strategies are
made by senior executives rather than the board
□ “Chiefs” and others with jobs of similar seniority are sometimes referred to
collectively as the “C-Suite”
□ Corporate governance is “chief” heavy

Sarbanes Oxley Act


□ Internal control with respect to the financial statements of the company (internal audit)

The Management Team


□ Most important compliance responsibility is contained in §404(a) of the Sarbanes
Oxley Act
□ Sarbanes Oxley Act – enacted in 2002 in the wake of Enron and other scandals
□ §404(a) requires that a reporting company’s annual report must contain an “internal
control report” which states “the responsibility of management for establishing and
maintaining an adequate internal control structure and procedures for financial
reporting”
oThis report must also “contain an assessment…of the effectiveness of the internal
control structure and procedures of the issuer for financial reporting”
□ SEC requires reporting firms to “maintain disclosure controls and procedures”
and “internal control over financial reporting”
□ “Disclosure controls and procedures” are those that are designed to ensure that
information required to be disclosed is recorded, processed, summarized and
reported within the specified time periods
□ There must be mechanisms in place to ensure that all necessary
information is communicated to the people who need to make the key
decisions
□ “Internal control over financial reporting” includes those policies and procedures that:
1. pertain to the maintenance of records that in reasonable detail accurately
and fairly reflect the transactions and dispositions of the assets of the issuer
2. provide reasonable assurance that transactions are recorded as necessary to
permit preparation of financial statements
3. provide reasonable assurance regarding prevention or timely detection of
unauthorized acquisition, use or disposition of the issuer’s assets that could have
a material effect on the financial statements
□ SEC does not require management to use any particular framework, but to be suitable a
framework must be free from bias, must permit consistent qualitative and quantitative
measurements of a company’s internal control over financial reporting, must be
complete so that relevant factors are not omitted, and must be relevant to an evaluation
of internal control over financial reporting
□ COSO identifies 5 components of internal control:
oControl environment
oRisk assessment
oControl activities
oInformation and communication
oMonitoring activities
□ Event studies – examine the effect of a change on a company’s stock price
□ “Go dark” – firms that cease to be public companies and are therefore no longer
required to comply with SOX or report under SEC rules
□ For smaller firms, SOX increased compliance costs
□ Section 404(b) of SOX requires that public company auditors must attest to and report on
the management’s assessment of the effectiveness of the company’s internal control over
financial reporting

Chief Executive Officer
□ Senior-most official in a firm
□ If a company has both a president and a CEO, the former reports to the latter
□ CEO is an employee of the organization however in practice is more than that
□ Has many responsibilities:
oPublic face of a firm
oMakes decisions at the management level
oLeader in a way other executives are not
oResponsible for setting the tone at the top
With regards to compliance, no one else can be as effective in
communicating to everyone the crucial importance of adherence to
applicable laws and standards
Most important compliance officer in the organization
□ Establishing “Tone at the Top”
oCEO implements ethics code
oSection 302 of SOX requires that the CEO and CFO certify in each
annual/quarterly report, based on their knowledge, that the report does not contain
any untrue statement of a material fact or omit to state a material fact necessary in
order to make the statements not misleading and that the financial statements and
other financial information included in the report fairly present in all material
respects the financial condition and results of operations of the issuer for the
reporting period
□ These officers are required to certify that:
oThey are responsible for establishing and maintaining internal controls
oDesigned such internal controls to ensure that material information relating to the
issuer and its consolidated subsidiaries is made known to such officers by others
within those entities
oHave evaluated the effectiveness of the issuer’s internal controls as of a date
within 90 days prior to the report
oPresented in the report their conclusions about the effectiveness of their internal
controls based on their evaluation as of that date
□ CEO and CFO must certify that they have disclosed to the issuer’s auditors and the
board audit committee all significant deficiencies in the design or operation of internal
controls which could adversely affect the issuer’s ability to record, process, summarize,
and report financial data and have identified for the issuer’s auditors any material
weaknesses in internal controls; and any fraud, whether or not material, that involves
management or other employees who have a significant role in the issuer’s internal
controls
□ Signing officers must indicate factors that could affect internal controls including
any corrective actions with regard to significant deficiencies and material
weaknesses
□ §906 requires that an issuer’s periodic reports to the SEC be “accompanied” by a written
statement of the CEO and CFO certifying that the information contained in the reports
fairly presents, in all material respects, the financial condition and results of operations
of the issuer
oAnyone who doesn’t comport with this requirement is subject to criminal
penalties
□ Section 302 is a civil provision enforced by the SEC
□ Section 906 is backed by criminal penalties and is enforceable by the
Department of Justice

GAAP and GAAS


□ Rules accountants need to follow
□ Generally Accepted Accounting Standards
□ Generally Accepted Accounting Principles

Chief Financial Officer


□ Officer principally responsible for financial controls and reporting
oCFO ensures in her controller function that financial information about the
company is compiled, processed and presented to the appropriate decision
makers in a timely and accurate fashion
oResponsible for monitoring the company’s financial condition and identifying
when key items present a risk of moving outside accepted tolerances
oEconomic forecaster, assessing how the company is likely to respond to future
events or conditions
oManages the treasury function, investing the company’s extra cash and making
sure that the firm has sufficient liquidity on hand to pay its debts as they come due
□ CFO in public companies is responsible for signing the certifications required under §§302
and 906 of SOX
□ In the US, CFOs often are not accountants!

Chief Audit Executive

Internal audit – the function of monitoring the actions of employees, processes, and systems to
verify their effectiveness and compliance with internal or external norms
□ Internal audit departments are led by people with titles such as Chief Audit Executive
□ Head of internal audit reports to someone else in the company, e.g. a direct reporting
line to the CEO
□ At the board level, the head of internal audit reports principally to the board
audit committee
□ Internal audit needs a degree of independence in order to assure that this
process of investigation and validation is as impartial and objective as possible
□ Internal audit, on the other hand, is part of the company

What is the relationship between internal audit and a company’s external auditor?
□ Two operate at arm’s length but internal audit typically cooperates in the
performance of the external audit

What is the relationship between internal audit and the regulators?


□ Regulators rely on internal audit departments
□ If the regulators’ reliance is to be justified, they need assurance that internal
audit is capable, vigorous, and unflinching in the performance of its
responsibilities

Audit Process
□ Deals with 2 auditable components:
oFunctions, e.g. the company’s rewards program
oEntities, e.g. a distribution center
□ Audit universe – everything that is subject to internal audit
oWhat components should be in the audit universe?
Everything that can have a tangible effect on the company’s fortunes,
but should not include topics that do not have such a tangible effect
oOnce the audit universe is identified, the audit department must determine how to
fit any particular audit within the overall program
How frequently the audit will occur
How many resources will be required when it occurs
□ Audit plan – the schedule for the timing and anticipated resource requirements
for all audits within the audit universe
oWill be developed after a risk assessment by the internal audit department
intended to identify those areas of the audit universe that pose the greatest risk to
the company and therefore that warrant the most intensive scrutiny during the
audit process
□ Internal audit process assesses whether the audited component is performing
according to the audit criteria i.e. expectations set by senior managers or external
authorities
□ Internal audit’s job is not to make policy but to ascertain that policy is being followed
and that systems and internal control are effective

Internal Auditors
□ Assess whether their review and investigation have uncovered any significant
failures to satisfy the audit criteria
□ A finding of nonconformance with an audit criterion can be contentious because it
might be taken by the line manager as a criticism of how she is performing her job
□ Audit findings – are internal audit’s determinations about whether the relevant audit
criteria are being met; the term is typically used to mean that the criteria are not
being met

Problem 3-2: Conflict of interest between the two. Generalists vs. specialists.

What is done when internal audit finds that audit criteria are not being met?
□ Responsible decision maker will agree to undertake prompt remediation to
correct the discrepancy
□ Internal audit then schedules a follow up to confirm that the undertakings are
being honored
□ Internal audit’s report usually contains:
oA statement of any problem identified in the audit or a statement that no problems
were encountered
oA statement of the audit criterion or criteria
oAn analysis of the cause of any negative findings
oA description of the consequences of the problem so identified
oA statement of what is being done to remediate the problem or accept the risk or
a recommendation about what should be done
□ Audit findings are sorted according to severity
□ Some findings may be so minor that they are only brought to the attention of the
line managers
□ More serious findings are raised to senior level managers
□ Critical findings are brought to the attention of the board audit committee

Institute of Internal Auditors


□ Recognized as an international standard setting body for the internal audit profession

Vendors
□ To keep costs under control, internal audit departments use outside vendors
□ Can be helpful for smaller institutions
□ Help reduce disparity
□ Two types of services to internal audit departments:
oProvide help in performing actual audits, up to and including turnkey
arrangements in which particular audits are delegated in their entirety to an
outside vendor
oMay offer vendor created audit software
□ Provide valuable service to aid in the internal audit function
□ There are risks:
oMay not perform as required
oMay require access to proprietary or non-public information maintained by the
client, creating a risk of data breaches
□ Outsourcing may be beneficial to an institution if it is properly structured and
prudently managed
□ Outsourcing arrangement – contract between an institution and an outsourcing
vendor to provide internal audit services
oTake many forms and are used by institutions of all sizes
oSome arrangements are structured so that an outsourcing vendor performs all the
procedures and tests of the system of internal controls
oInternal audit manager is responsible for the results of the outsourced audit work
oIn any outsourced internal audit arrangement, the institution’s board of directors
and senior management must maintain ownership of the internal audit function
and provide active oversight of outsourced activities
oThe outsourcing arrangement should not increase the risk that a breakdown of
internal control will go undetected
□ Engagement letter – written contract that distinguishes the duties of the
outsourcing vendor
□ Vendor competence
oInstitution should perform due diligence to satisfy itself that the outsourcing
vendor has sufficient staff qualified to perform the contracted work
□ Management
oDirectors and senior management should ensure that the outsourced internal audit
function is competently managed
□ Communication
oCommunication between the internal audit function and the audit committee and
senior management should not diminish because the institution engages an
outsourcing vendor
□ Contingency Planning
oBecause the arrangement may be terminated suddenly, the institution should have
a contingency plan to mitigate any significant discontinuity in audit coverage
□ SOX prohibits a company’s external auditor from simultaneously providing
outsourced services to internal audit

Chief Compliance Officer


□ Executive officer vested with the compliance function or obligation

General Counsel
□ Traditionally was the company’s compliance officer
□ Why has the compliance role of corporate general counsels been curtailed in
some companies?
oJob of compliance is no longer exclusively a legal task
oCompliance operation tests for conformity not only with external legal norms, but
also with internal codes of conduct which may not be binding in a strict legal
sense
oTesting for compliance is not a specifically legal task; more in common with an
internal audit
□ Function of compliance is in tension with the legal role of the corporate general counsel
□ General counsel is not a regulator or an agent of regulators; the relationship
with the regulator is potentially adversarial
□ Compliance is a form of privatized law enforcement
□ Some companies have clarified the role of general counsel as the company’s lawyer
as a result of the conflict of roles, e.g. duties of loyalty that sit uncomfortably with
the compliance operation
□ If the company sues or is sued by regulator, the GC will usually supervise the litigation
□ Plays an increased role in strategic management
□ Likely to have significant input into the company’s assessment of reputational risks
□ Constructive role in strategic planning to manage reputational risk before adverse
events occur, and to minimize the harmful impact afterwards

Chief Risk Officer


□ Senior management position charged with designing and implementing risk
management policies and procedures across the organization
□ May report to the CEO, CFO or another senior executive, or to the board or the board
risk committee
□ Some companies have created management level risk committees that replicate
at the executive level some of the function of the board risk committee
□ In addition to the CRO, members of the management risk committee may include the
CEO, COO, GC and the heads of any departments deemed critical to risk
management (e.g. in a financial institution)
□ Function of management risk committee is to coordinate risk management
activities at the level of implementation, leaving the board risk committee or the
full board the formulation of general policies relating to risk
□ CROs often rely on vendors to assist them in compiling and analyzing information
pertinent to risk and in crafting tables, heat maps, and other graphic tools that assist in the
risk management task

Director of Human Resources


□ Manages employment related compliance and risk management issues
□ Becomes involved in these issues at the outset when someone is hired
□ Head of HR in some organizations reports directly to the CEO; in others the reporting
line passes through another senior officer, e.g. the COO

COMPLIANCE

Compliance function – a form of internalized norm enforcement within organizations


□ Tradeoff of costs and benefits
□ Institutions police themselves by carrying out a compliance operation
□ The external enforcer (regulator, prosecutor, etc.) loses some degree of control over
the situation
□ But the external enforcer needs to monitor the compliance function to ensure that it is
faithfully and effectively carried out (the alternative being that the enforcer bears all
the costs of the enforcement activity itself)
□ When the external enforcer relies on internal compliance to enforce norms, the
enforcer doesn’t bear the costs of enforcement; these are imposed on the
organization
□ Policymakers should devise the compliance system to minimize the total costs of
norm enforcement and norm violations

Compliance – 3 elements:
□ An actor is conforming her behavior to some standard or norm
□ The standard or norm is external – not set by the actor, but rather by some other authority
□ The actor would not necessarily act in accordance with the standard on her own –
some effort of will, incentive, or compulsion is involved

Additional elements:
□ The actor in question is a complex organization, not an individual
□ Actions that the organization undertakes to ensure that the norm is obeyed

Landmarks in the History of Compliance:


□ The Interstate Commerce Commission
□ The Progressive Movement of the 1890s through 1920s
□ The Depression and the New Deal of the 1930s
□ Environmental awareness
□ Foreign corrupt practices
□ The savings and loan debacle
□ Corporate scandals of the early 2000s – led to enactment of SOX (2002)
□ Terror and rogue states – Sept. 11th, 2001
□ Financial crises of 2007-09 – led to Dodd-Frank Act (2010), the most significant
piece of financial regulation since the Great Depression, which contains many
provisions pertinent to compliance

Enforcement Powers

a) Power to Obtain Information


□ Government regulators have broad rights to information about businesses,
including:
oAny company that wants to list its securities on a public exchange must make
fulsome disclosure of its operations, financial performance, and governance
arrangements
oCompanies that need government licenses must provide the licensing agency with
information as a precondition to obtaining the authority in question
oIndustries such as banking, insurance, mining, pharmaceutical, or nuclear power
must submit to inspection in which agents of the government come onto the
company’s premises to examine its compliance with applicable norms
oTax authorities require elaborate disclosure of a company’s income and expenses
oArmed with warrants or subpoenas, agents of the government can break down
walls, rifle through papers, eavesdrop on conversations and confiscate evidence
□ But companies, being legal persons, are protected by the Bill of Rights and have
some privacy left
□ Government investigations that probe too deeply may run afoul of the
Fourth Amendment
□ Donovan v. Dewey (1981) (exceptional case; general rule is that you need a warrant):
Secretary of Labor brought suit seeking to enjoin company from refusing to permit
warrantless searches of mining facilities. District Court granted summary judgment in
favor of company on ground that Fourth Amendment prohibited warrantless searches
authorized by Federal Mine Safety and Health Act of 1977. Secretary appealed directly
to the Supreme Court. The Supreme Court held that: (1) warrantless inspections by
federal mine inspectors of underground mines at least four times a year and surface
mines at least twice a year to insure compliance with health and safety standards required
by the Act did not violate Fourth Amendment, and (2) warrantless inspections of stone
quarries, like similar inspections of other mines covered by the Act, were constitutionally
permissible.
o Unlike searches of private homes, which generally must be conducted pursuant to
a warrant in order to be reasonable under the Fourth Amendment, legislative
schemes authorizing warrantless administrative searches of commercial
property do not necessarily violate that Amendment.
o A warrant may not be constitutionally required when Congress has reasonably
determined that warrantless searches are necessary to further a regulatory scheme,
and the federal regulatory presence is sufficiently comprehensive and defined that
the owner of commercial property cannot help but be aware that his property will
be subject to periodic inspections undertaken for specific purposes.
o A warrant requirement would seriously undercut the Act’s objectives
o Warrantless searches required by the Mine Safety and Health Act do not offend the
Fourth Amendment
o Substantial federal interest in improving the health and safety conditions of
underground and surface mines

b) Power to Impose Penalties

□ Civil penalties:
o CERCLA – penalties of $25,000 a day for serious misconduct
o Civil money penalties for violations of federal banking regulations, e.g. $5,500 a
day for ordinary violations; up to $27,500 a day for more serious violations
o Controlling persons who violate insider trading rules can be liable for penalties of
up to the greater of $1 million or three times the violator’s profits
o Violators of the Bank Secrecy Act can be assessed penalties of up to $25,000 per
violation
o Violators of the Resource Conservation and Recovery Act can be assessed civil penalties of up to
$27,500 for each day of non-compliance
□ Criminal penalties:
o Prosecutions rare before the late 1980s
o 1990s – Dept. of Justice pursued thousands of criminal investigations and
prosecutions based on alleged compliance violations because of increased
appropriations, creation of specialized task forces, rewards and protections for
whistleblowers and informants, and a heightened public appetite to see harsh
punishments meted out for violations
o 2 types of criminal statutes:
Laws specific to the industry in question, e.g. banks – falsifying bank
books and records
General federal offenses
o US Sentencing Guidelines prescribe severe sentences if the crime “substantially
jeopardized the safety and soundness of a financial institution” or if the crime
affected a financial institution and the defendant derived more than $1 million in
gross receipts from the crime

Protections available to shield a regulated party against these threats of civil or criminal liability:
□ If the penalty scheme is simply irrational
□ A court might declare that the penalty violates the “excessive fines” clause of the 8th
Amendment
□ A court might elect to interpret an ambiguous statute in an effort to avoid
constitutional issues
□ In criminal cases, the defendant is entitled to have a jury determine beyond a
reasonable doubt any fact that increases the penalty for a crime beyond the statutory
minimum

Reasons for Severity of Penalties Increasing:
□ Move towards the administrative model of enforcement corresponds to changes in
public attitudes and corresponding shifts in political power
□ The move towards the administrative model of enforcement corresponds to greatly
increased threats to the public welfare posed by business enterprises, especially
banks, securities firms, pharmaceutical companies, and energy companies
□ Regulators have limited budgets and large responsibilities (reducing the
costs of enforcement requires increasing severity of sanctions)

The Compliance Response
□ Increase in the government’s power to impose its will on private actors
□ Transformation from the judicial to the administrative model of enforcement and
the upgrade to regulatory power is a fundamental reason for the growth of
compliance function over the past decades

The Compliance Industry
□ Growth areas include banks, securities firms, health care companies, energy
companies, and education institutions
□ No requirement that compliance department be made up of attorneys; can be
attorneys, accountants, MBAs, or other professionals

INTERNAL ENFORCEMENT
Compliance Policies
□ A statement approved by the highest level authority in an organization, that sets forth
the organization’s philosophy and general approach to compliance issues
□ Fundamental charter of an organization’s operation
□ Phrased in aspirational terms
□ “Tone at the top” – attitude of receptivity and support for compliance values; set of
values and standards which is subscribed to by an organization’s leaders and effectively
communicated throughout the organization
o Swift responses to compliance violations signal this tone
o Appointing a high level officer to head up a compliance office and giving the
person the resources necessary to conduct their job effectively
□ “Corporate culture” – tone at the top is influenced by the attitudes of its leaders, e.g.
if the leaders are committed to compliance, others will take the obligation more seriously too
□ Typically framed at a high level of generality

Compliance Programs
□ A formal statement of mechanisms that an organization uses to ensure compliance and
the procedures that it employs when possible instances of non-compliance are discovered
□ Fleshes out compliance policies but may or may not be part of the same document
as the compliance policy
□ Organizations not required to adopt and implement compliance programs
□ Firm’s failure to adopt a compliance program is not an independent basis for
legal liability
□ Idea of “voluntary” compliance programs must be qualified by the fact that such
programs are often adopted in the shadow of enforcement actions, and serve, in part
the purpose of mitigating that exposure
□ Zambac Co. – Example
o Goal is to maintain a culture that promotes the prevention, detection, and
resolution of potential violations of law or company policy
o Has a compliance officer dedicated to supporting the company’s culture of compliance
o Development and distribution of written standards of conduct as well as written
policies, procedures and guidelines has been a key element of the company’s
compliance program
o Code of conduct is the company’s statement of the values, standards, and ethical
principles that guide its daily operations
o Annual training program for its employees on their legal and ethical obligations
under the policy and regulations
o All employees are required to participate in annual training as a condition of
their employment; will undergo periodic re-training and remedial training
programs
o Employees are to bring workplace issues of any type to the attention of management
– encourages employees to communicate openly with management about all
types of workplace issues without fear of retaliation or recrimination
Seek out immediate supervisor or manager to discuss
“Safe haven” where concerns are addressed in confidence
Confidential hotline
Office of Ethics is accountable for ensuring appropriate review and
follow-up with respect to issues raised to the Ombudsman or via
the hotline
o Monitoring, auditing, and ongoing evaluation regarding compliance with the
company’s policies and procedures
o Primary responsibility for oversight is with management
o Committed to hiring a workforce whose actions will reflect a high degree of
integrity and ethics
o Compliance program is an internal document prepared for and used by people
within the organization

Training (p.181-82)
□ Important part of company compliance programs
□ Types of training given to senior officials should reflect nature of their job
□ Companies may not be good at setting up in house training and therefore should
use “vendors”
o Online and in-person training available via vendors
□ Important in companies that employ many lower-level workers whose activities
may implicate compliance concerns
□ Training programs for newly hired sales staff are one part of the process for managing the compliance
risk posed by these employees
□ Example – securities broker-dealers
o Employ traders who are compensated by the profits they generate – can expose the
company to compliance problems; training programs for new traders, coupled with
mandatory refresher classes, can mitigate although not eliminate the risk that they
will let greed override good judgment in the performance of their jobs
□ Training programs are often included in compliance programs established in
settlements of enforcement proceedings
□ Three effects a training program might have:
o Make someone aware that certain forms of conduct are prohibited
o Make someone aware of the serious penalties they can expect
o Influence how a person thinks about certain forms of conduct – to cause a change
in values so that conduct that once appeared attractive is now avoided
□ “Sensitivity” training has been criticized

Monitoring
□ Key part of internal enforcement is the job of monitoring employees
□ A policy tradeoff between efficacy and privacy

a) Drug and Alcohol Testing

□ Drug and alcohol testing by public officials is regulated by
law, including the 4th Amendment
□ Unless the employment agreement or union contract specifically regulates what the
employer can do as regards drug and alcohol testing, there is almost no limit
under law on the employer’s conduct in this regard
□ Example – Texas Workforce Commission, Model Drug Free Workplace Policy
o Company has a list of things it prohibits, e.g. sale or possession of narcotics on
company or customer premises or while performing the job
o Certain circumstances where drug/alcohol testing may occur:
Random testing: employees may be selected at random for drug
and/or alcohol testing at any interval determined by the company
For cause testing: if the company feels that the employee may be under the
influence, e.g. unusual conduct or negative performance
patterns
Post-accident testing: on the job accident or injury under
circumstances that suggest possible use or influence of drugs
or alcohol in the accident

b) Surveillance
□ Company/employer may to a very large extent snoop on employees by reviewing
logs of phone calls, analyzing key strokes on computer, video surveillance cameras,
check web sites or read emails
□ “Packet sniffers” – allow the employer to check what websites the employee
has visited, what material she has reviewed on the site, what emails she sent, who
emailed her, and what has been downloaded
□ Voice mail messages stored on the company’s system are fair game
□ In general, the law prohibits the practice of recording conversations unless the
party consents or the monitoring is done for a legitimate law enforcement
purpose – but protection doesn’t necessarily apply in the workplace
□ Employers sometimes listen in on “job related” phone conversations
□ Employer can install video surveillance cameras and may monitor them at all
times – but generally not in places where employees have a high expectation of
privacy i.e. toilets or locker rooms
□ Generally employer can rifle through an employee’s possessions stored at their
work desk if it is in a public space (so, typically not lockers)
□ Conclusion – employees have few legal protections for their privacy in the
workplace
□ If employer elects to embed protections of employee privacy in a formal
policy or manual, the employer must respect the rights so conferred

Investigations (p.186)

a) Types of Investigations
□ Internal investigations sort into two general types:
i. Small scale inquiries into minor misconduct – usually performed in
house by the company’s HR department
ii. Large scale investigations
□ No formal requirement that a company that uncovers evidence of criminal
behavior alert the authorities, as it might prefer to let the matter drop after the
employee has departed on the theory that a referral to prosecutors will only
cause further disruption
□ Large scale investigations have three principal differences from small
scale investigations:
o Cannot be performed in house – leads to the impression that the company
is attempting to minimize the problem rather than get to the bottom of
things
o Disclosure – small scale investigations are usually kept confidential and
never disclosed; for large scale investigations it is often expected that they will be disclosed,
at least when concluded
o Large scale investigations of compliance breaches are conducted under the
shadow of government enforcement actions
□ Factors that should be considered when deciding to launch an
internal investigation:
o Expense, drain on managerial time, effect on morale, nature of alleged
wrongdoing, credibility of the source that reported, potential for the allegation
to “go viral” on social media, extent of potential misconduct within the
organization, potential problems that might arise if the company fails to
launch one, degree to which the alleged wrongdoing occurred at vendors
or contractors rather than at the company itself, whether the alleged
wrongdoing occurred at an independent company that was subsequently
acquired, extent to which the alleged wrongdoing occurred abroad, and
the possible consequences within other countries of launching or not
launching an investigation

Miriam Hechler Baer, Corporate Policing and Corporate Governance (p.189)

□ Hewlett Packard’s pretexting scandal – to identify a member of the board of
directors who had been leaking information about confidential corporate matters
to the press
□ Project Kona II after leaks of confidential board deliberations
□ Patricia Dunn, HP’s non-executive Chairman, initiated the investigation
o Review of company email accounts and phone records
o Hiring a PI firm
o Following suspected Board members in public
o Setting up a “sting” where investigators sent journalists an email containing fake
tips about HP
□ Investigation was monitored and supervised by HP’s chief CO and attorney
□ Issues that were debated between board members and outside counsel included the
manner by which HP conducted the investigation, the investigators’ attempts to
obtain information regarding journalist Perkins’ personal phone line, and HP’s
obligation to disclose Perkins’ reasons for leaving HP
□ HP scandal illustrates a troubling irony of modern corporate law: the fact that
compliance operations designed to enforce legal norms can sometimes result in their
being violated

b) Comparison of Internal Investigations and Government Investigations (p.191)

□ Both ferret out evidence of legal violations within the organization
□ Government investigations have access to the formidable powers of compulsory
process; subpoena power allows government agencies to compel the production of
evidence; with a search warrant they can enter a workplace or employee’s home; they benefit from
the law making it a crime to lie to a federal official
□ Private firms have no access to these means for compelling the production of
information. Private firms have advantages:
o Employees have lower expectations of privacy in the workplace vis-à-vis their
employers
o Employers do not need a subpoena or warrant to investigate an employee’s
activities at the work place
o Enjoy potential advantages in interrogations – 5th Amendment protections are
absent in internal investigations
o Can interview suspected employees and do not need to inform the employee of
the reasons for inquiries
o No right to counsel and no 5th Amendment privilege against compelled self-
incrimination
o Employee can’t be forced to answer, but failure to answer can be used against him, e.g. fired

c) The Role of Counsel (p.192)

□ Internal compliance investigations are spearheaded by counsel
□ Three key advantages of having attorneys:
o Allows the organization to claim the attorney’s privileges, e.g. notes, mental
impressions, drafts and legal theories prepared are protected against compelled
disclosure under the work product privilege
o Professional training and expertise may make her a good candidate to head up the
investigation, e.g. understanding the precise rules in question and the forensic
relevance of facts
o Degree of gravitas within organizations – employees who are asked to supply
information to the organization’s attorney may provide a quicker and more
comprehensive response than if the request comes from some other source

REGULATORS

□ Employ several strategies to encourage private actors to implement compliance
policies and programs
□ Direct regulatory requirements, settlements of enforcement actions, oversight
liability, granting of credit or leniency in sanctions, offering advice and guidance
about how to develop an effective program
□ Downsides to government policies that encourage compliance programs:
o Organizations might create a pretend compliance program which appears to be
effective but does the opposite – “Potemkin village” analogy; getting credit for
compliance programs might encourage bad behavior by affording organizations a
built in defense to liability
o Giving credit for a compliance program eliminates or reduces the company’s
liability
o Government may need to expend resources to monitor the organization’s
compliance operation to satisfy itself that the operation is robust and effective
o Government may make mistakes in specifying the criteria for an acceptable
program since it lacks information about the regulated entity
o When government makes errors, it is likely to require that regulated parties
expend too many rather than too few resources; government officials fear being
criticized if violations occur, but do not fear being criticized for imposing
excessive regulatory burdens
□ Benefits that can be achieved when the government encourages organizations to
institute compliance programs:
o Regulators can manage incentives more effectively by punishing senior officers
o Companies don’t always behave rationally
o When the government provides a defense or mitigation of liability for firms that
maintain robust compliance programs, the effect is to reduce the risk a firm faces
as compared with the traditional rule that they are strictly liable for misconduct of
their agents
o Government encouragement of compliance programs may reflect perceptions of
blameworthiness; companies that implement bona fide compliance programs
demonstrate by their actions that they wish to avoid violating legal norms
o Compliance programs can provide external benefits that go beyond the particular
rules being enforced; companies that upgrade the vigor and profile of their
compliance operations signal to others that they take their compliance obligations
seriously

Government Mandated Compliance Operations (p.197)

□ Example – the rule on money laundering, see Bank Secrecy Act
o Establish anti-money laundering program:
development of internal policies, procedures, and controls
designation of a CO
ongoing employee training program
independent audit function to test programs
o 4 pillars of compliance:
i. internal policies
ii. senior official specially tasked with the compliance function
iii. training of line employees
iv. backstop of internal audit
□ SEC final rule (p.198-203)
o Same 4 pillars continued
o Rule 206(4)-7 under the Advisers Act and new rule 38a-1 under the
Investment Company Act – requires each registered investment adviser and
each fund to adopt and implement compliance programs that conform to the
new rules
o Failure to do so will constitute a violation of the rules independent of any other
securities law violation
o Permits the SEC to address the failure of an adviser or fund to have in place
adequate compliance controls, before that failure has a chance to harm clients or
investors
o Investment advisers:
Rule 206(4)-7 – unlawful to provide investment advice unless the adviser
has adopted and implemented written policies and procedures reasonably
designed to prevent violation of the Advisers Act by the adviser or any
of its supervised persons; does not require advisers to consolidate all
compliance policies and procedures into a single document
Requires each adviser registered with the SEC to designate a COO
to administer its compliance policies and procedures
Rule requires advisers to consider fiduciary and regulatory obligations
and to formalize policies to address them
Adviser’s policies at a minimum should address certain issues:
□ Portfolio management processes
□ Trading practices
□ Proprietary trading of the adviser and personal trading
activities of supervised persons
□ Accuracy of disclosures made to investors, clients, and
regulators, including account statements and advertisements
□ Safeguarding of client assets
□ Accurate creation of required records and their maintenance
□ Marketing advisory services
□ Processes to value client holdings and assess fees
□ Safeguards for the privacy protection of client records
□ Business continuity plans
o Investment companies:
Rule 38a-1 requires each fund to appoint a COO responsible for
administering the fund’s policies and procedures; several provisions
promote the independence of the COO from the management of the
fund
□ COO will serve in her position at the pleasure of the fund’s
board, which can remove her if it loses confidence in her
effectiveness
□ COO will report directly to the board
□ COO meets in executive session with the independent
directors at least once each year
□ COO to be protected from undue influence by fund service
providers seeking to conceal their or others’ non-compliance
with the federal securities law

Comments: (p.203)
□ Investment company – pools funds contributed by investors and invests them in a
portfolio of assets; organized as business entities and are officially governed by a
board of directors or board of trustees; regulated by Investment Company Act
□ Investment advisor – entity that provides investment advice and other services;
typically sponsors and advises the investment company; regulated at the federal
level by the Investment Advisers Act
□ Both statutes are administered by the SEC and implemented through
regulations promulgated by that agency
□ Prior to the adoption of the amendments investment companies relied on the
compliance operations of their service providers for assurance that the rules were
being followed
□ SEC believes that this practice was ineffective and provided insufficient
protections for investors for 2 reasons:
i. Compliance function was balkanized into silos representing different
service providers
ii. Assurance provided by the service provider was only as good as
the compliance operation at that firm
□ Principal purpose of creating an independent compliance operation in the investment
company, with the COO reporting directly to the board, was to counteract the power of
the fund’s investment adviser
□ SEC’s amended rules prohibit lying to or impeding an investment company’s COO –
violation could lead to severe sanctions including fines and an order barring an
offender from working in the securities industry; example: In the Matter of Carl D.
Johns (p.205), which provides a description of the violations to conceal personal securities trading and
the corresponding sanctions imposed by the SEC

Compliance Terms in Settlements (p.207)

□ In many cases, the government demands that companies implement or upgrade
compliance programs during settlement negotiations over civil or criminal
enforcement actions, see In the Matter of RBS Citizens, N.A. where “within 10 days,
the board shall appoint a Compliance Committee of at least 3 independent directors,
which may not be employees or officers of the Bank or any of its subsidiaries or
affiliates”
□ In the Matter of HSBC Bank USA, N.A. where the Comptroller identified certain
unsafe or unsound practices related to enterprise wide compliance…by consent the
Bank has consented to the issuance of the consent order by the Comptroller” (p.208); root cause of
the deficiencies appears to have been the failure on the part of the bank’s senior officers
and board to manage change as the bank grew in size and complexity
o “Integration of compliance risk into the enterprise wide risk management
framework” = modern approach to risk management; compliance risk is 1 of
many risks
o “Control environment” – goes to culture; maintained by business lines and
risk functions (“second lines of defense”) that ensure compliance with
applicable laws, rules and regs
o In general, when a company agrees to implement compliance reforms in the face
of government civil enforcement actions, the quid pro quo is that the
government will go easier on the company in terms of the penalty it demands
□ Note: At some point, the regulator may conclude that the bank is in compliance
with the law and lift the obligations of the decree

United States v. International Brotherhood of Teamsters, Chauffeurs, Warehousemen and
Helpers of America (p.212-17)
□ Union defendants acknowledge that there have been allegations of past problems
with La Cosa Nostra corruption of various elements of the IBT
□ Settlement arose out of an action by the US alleging that the senior leadership of
the Teamsters was effectively under the control of the Mafia
□ Lawsuit was based on the RICO law, the Racketeer Influenced and
Corrupt Organizations Act, and was initiated by the US Dept of Justice
□ RICO applies when there is shown to be a “pattern of racketeering activity” – at
least 2 criminal activities commonly associated with organized crime. Pattern
statute.
□ IBT initially resisted the decree at every turn
□ Who pays for enforcement of the decree? Even with the requirement that the
union pay most of the costs, the decree has been expensive
□ Ordered permanent injunction from committing any acts of racketeering activity and
from knowingly associating with any member or associate of the Colombo
Organized Crime Family of La Cosa Nostra etc.
□ Court shall appoint 3 officers – independent administrator, investigations
officer and elections officer

Oversight Liability
□ Members of the board of directors of a Delaware corporation owe a duty to
shareholders to exercise oversight over the company’s compliance
programs
□ Governments do not ordinarily sue for violation of this duty, unless they stand in the
shoes of shareholders for some reason (e.g. bank regulators who have taken over a
failed bank)
□ In the Matter of Steven A. Cohen (p.218)
o Cohen was a giant in the hedge fund industry at the time the SEC brought the proceeding.
SEC’s lawsuit grew out of an insider trading scandal that erupted at S.A.C.
Capital in 2012. Several senior employees at companies controlled by S.A.C.
were indicted or pleaded guilty to criminal offenses. In March 2013, S.A.C. also
settled civil charges with the SEC for $616 million. The government was apparently
unable to obtain sufficient evidence to obtain an indictment of Cohen himself. The
SEC filed its civil case against Cohen just before the statute of limitations was
due to expire on some of the underlying conduct. To prove failure of oversight,
the SEC needed to establish that Cohen acted with some sort of bad intent – mere
negligent failure of oversight was probably not enough to support the
government’s theory.
O SEC deemed it necessary that public administrative proceedings be instituted to
determine:
Whether the allegations are true and to afford Cohen an opportunity
to establish defenses
If any remedial action is appropriate in the public interest against
Cohen, including but not limited to civil penalties
□ United States v. S.A.C. Capital Advisors, LLP (p.220)
o Indictment followed the civil action against Cohen. Not based on a theory of
oversight liability, but rather the claim that the corporate entities were themselves
guilty of insider trading.
o Charges the corporate entities responsible for the management of a major hedge
fund with criminal responsibility for insider trading offenses committed by
numerous employees and made possible by institutional practices that encouraged
the widespread solicitation and use of illegal inside information
o The defendants enabled and promoted the insider trading scheme through several
means:
Sought to hire S.A.C. PMs and S.A.C. RAs with proven access to
public company contacts likely to possess inside information
Employees were financially incentivized to recommend to the S.A.C.
Owner “high conviction” trading ideas in which the S.A.C. PM had
an “edge” over other investors, but repeatedly were not questioned
when making trading recommendations that appeared to be based on
inside information
Failed to employ effective compliance procedures or practices to prevent
S.A.C. PMs and RAs from engaging in insider trading
o Systematic insider trading resulting in hundreds of millions of dollars of illegal
profits and avoided losses at the expense of members of the investing public
o Defendants shall forfeit to the US all property, real and personal, which
constitutes or is derived from proceeds traceable to the commission of those offenses

Mitigation of Penalties (p. 221)

□ Another way regulators induce organizations to institute compliance programs or
conduct internal investigations is to offer opportunities to mitigate penalties for
violations if the organization has manifested good faith efforts to comply with the law
and to report and remediate instances of non-compliance

Environmental Protection Agency, Incentives for Self-Policing: Discovery, Disclosure,
Correction and Prevention of Violations (p.221)
□ EPA's enforcement program provides a strong incentive for compliance by imposing stiff
sanctions for noncompliance. Enforcement has contributed to the dramatic expansion of
environmental auditing as measured in numerous recent surveys. For example, in a 1995
survey by Price Waterhouse LLP, more than 90% of corporate respondents who
conduct audits identified one of the reasons for doing so as the desire to find and correct
violations before government inspectors discover them. . .
□ But because govt. resources are limited, universal compliance can’t be
achieved without active efforts by the regulated community to police
themselves.
□ More than half of the respondents of the Price Waterhouse survey said they
would expand environmental auditing in exchange for reduced penalties for
violations discovered and corrected.
□ While many companies already audit or have compliance management programs
in place, EPA believes that the incentives offered in this Policy will improve the
frequency and quality of the self-policing efforts.
□ Incentives for Self-Policing:
o The major incentives that EPA provides to entities that meet the conditions of this
policy are (i.e. to encourage self-policing, self-disclosure, and prompt self-
correction):
Waiving or reducing gravity-based civil penalties
Declining to recommend criminal prosecution for regulated entities
that self-police, and
Refraining from routine requests for audits
o The conditions that must be met to be eligible for incentives are: (1) systematic
discovery of the violation; (2) voluntary discovery; (3) prompt disclosure; (4)
discovery and disclosure independent of government or third party plaintiff; (5)
correction and remediation; (6) steps to prevent recurrence; (7) no repeat
violation; (8) other violations excluded; and (9) cooperation.] . . .
o Eliminating Gravity-Based Penalties-
In general, civil penalties that EPA assesses are composed of two
elements: the economic benefit component and the gravity-
based component.
□ The economic benefit component= the economic gain
derived from a violator’s illegal competitive advantage.
□ Gravity-based penalties are that portion of the penalty over and
above the economic benefit. (i.e.- the punitive portion of the
penalty that reflect the egregiousness of the violator’s
behavior.
Under the Audit Policy, EPA will not seek gravity-based penalties for
disclosing entities that meet all nine Policy conditions, including
systematic discovery. ("Systematic discovery" means the detection of a
potential violation through an environmental audit or a compliance
management system that reflects the entity's due diligence in
preventing, detecting, and correcting violations.
EPA has elected to wave gravity-based penalties for violations discovered
systematically, recognizing that environmental auditing and
compliance management systems play a critical role in protecting
human health and the environment by identifying, correcting and
ultimately preventing violations. . . .
o75% Reduction of Gravity-based Penalties
Gravity-based penalties will be reduced by 75% where the disclosing
entity does NOT detect the violation through systematic discovery
but otherwise meets all other Policy conditions.
□ EPA expects that a disclosure under this provision will
encourage the entity to work with the Agency to
resolve environmental problems and begin to develop
an effective auditing program or compliance
management system.
O No Recommendations for Criminal Prosecution
When a disclosure that meets the terms and conditions of this Policy
results in a Criminal investigation, EPA will generally not recommend
criminal prosecution for the disclosing entity, although the Agency
may recommend prosecution for culpable individuals and other entities
...
The condition of "systematic discovery" is not required to be eligible for this
incentive, although the entity must be acting in good faith and must
adopt a systematic approach to preventing recurring violations.
o No Routine Requests for Audit Reports
EPA has not and will not routinely request copies of audit reports
to trigger enforcement investigations. . . .
In general, an audit that results in expeditious correction will reduce
liability, not expand it. However, if the Agency has independent
evidence of a violation, it may seek the information it needs to establish
the extent and nature of the violation and the degree of culpability . . . .
□ Conditions:
O Systematic Discovery of the Violation
The violation must have been discovered through either
□ An environmental audit; or
□ A compliance management system that reflects due
diligence in preventing, detecting and correcting
violations
O A compliance management system is a systematic
management plan or systematic effort to achieve and
maintain compliance.
Compliance management programs that train and motivate employees
to prevent, detect and correct violations on a daily basis are a
valuable complement to periodic auditing.
Where the violation is discovered through a compliance management
system and not through an audit, the disclosing entity should be prepared
to document how its program reflects the due diligence criteria defined
in [this] Policy statement.
□ Due Diligence criteria, which are adapted from existing codes of
practice—such as Ch. 8 U.S. Sentencing Guidelines for
Organizational Defendants—are flexible enough to
accommodate diff. types and sizes of businesses and other
regulated entities
□ The Agency recognizes that a variety of compliance management
programs are feasible, and it will determine whether basic due
diligence criteria have been met in deciding whether to grant
Audit Policy credit.
As a condition of penalty mitigation, EPA may require that a
description of the entity’s compliance management system be made
publicly available.
□ Availability will allow the public to judge the adequacy of the
system, lead to enhanced compliance, and foster greater
public trust in the integrity of compliance management
systems.
O Voluntary Discovery
The violation must have been identified voluntarily, and not through a
monitoring, sampling, or auditing procedure that is required by statute,
regulation, permit, judicial or administrative order, or consent
agreement.
o Prompt Disclosure
[The entity must] disclose the violation in writing to EPA within
21 calendar days after discovery
□ the trigger for discovery is when any officer, director,
employee or agent of the facility has an objectively
reasonable basis for believing that a violation has, or may
have, occurred.
o The "objectively reasonable basis" standard is measured
against what a prudent person, having the same information
as was available to the individual in question, would have
believed. It is not measured against what the individual in
question thought was reasonable at the time the situation
was encountered
□ If an entity has doubt as to existence of violation, the entity
should disclose and allow the regulatory authorities to make a
definitive determination.
o Discovery and Disclosure Independent of Government or Third-Party Plaintiff
The entity must discover the violation independently. The violation must be
discovered and identified before EPA or another government agency
likely would have identified the problem either through its own
investigative work or from information received through a third
party.
□ The entity must take the initiative to find violations and disclose them
promptly; it can’t wait for an indication of a pending enforcement
action or a third-party complaint.
o Correction and Remediation
[T]he entity must remedy any harm caused by the violation and
expeditiously certify in writing to appropriate Federal, State, and
local authorities that it has corrected the violation.
□ I.e- responding to spills and carrying out any removal
or remedial actions as required by law.
□ The certification requirement enables EPA to ensure that the
regulated entity will be publicly accountable for doing what
it has to do.
The violation must be corrected within 60 calendar days from discovery,
or as expeditiously as possible.
□ Some violations can/should be corrected
immediately, while others take longer than 60 days.
o Prevent Recurrence
The entity must agree to take steps to prevent a recurrence of the violation
after it has been disclosed.
Preventative steps include, but not limited to, improvements to the
entity’s environmental auditing efforts or compliance management
system
o No Repeat Violations
[Repeat offenders are barred] from receiving Audit Policy credit.
□ Exclusion benefits both the public and law-abiding entities by
ensuring that penalties are not waived for those entities that
have previously been notified of violations and fail to prevent
repeat violation
o Other Violations Excluded
This provision excludes violations that result in serious actual harm to the
environment or which may have presented an imminent and substantial
endangerment to public health or the environment.
When events of such a consequential nature occur, violators are
ineligible for penalty relief and other incentives under the Audit
Policy. The provision also excludes violations of the specific terms of any
order, consent agreement, or plea agreement . . .
o Cooperation
[T]he regulated entity must cooperate as required by EPA and provide
the Agency with the information it needs to determine Policy
applicability. The entity must not hide, destroy or tamper with possible
evidence following discovery of potential environmental
violations . . . .
Entities that disclose potential criminal violations may expect a more
thorough review by the Agency. In criminal cases, entities will be
expected to provide, at a minimum, the following: access to all requested
documents; access to all employees of the disclosing entity; assistance in
investigating the violation, any noncompliance problems related to the
disclosure, and any environmental consequences related to the violations;
access to all information relevant to the violations disclosed, including
that portion of the environmental audit report or documentation from the
compliance management system that revealed the violation; and access to
the individuals who conducted the audit or review. . . .

SEC Report of Investigation Pursuant to Sec. 21(a) of the Securities Exchange Act of 1934 and
Commission Statement on the Relationship of Cooperation to Agency Decisions (p.226)
□ Gisela de Leon-Meredith, a former controller of a public company’s subsidiary, was
found to have caused the parent company’s books and records to be inaccurate and
its periodic reports misstated and then covered up those facts.
□ The SEC decided not to take action against the parent company because of the
nature of the company’s conduct and the company’s responses
o Within a week of learning about the apparent misconduct, the company's internal
auditors had conducted a preliminary review and had advised company
management who, in turn, advised the Board audit committee, that Meredith had
caused the company's books and records to be inaccurate and its financial reports
to be misstated. The full Board was advised and authorized the company to hire
an outside law firm to conduct a thorough inquiry.
o Four days later, Meredith was dismissed, as were two other employees who, in the
company's view, had inadequately supervised Meredith; a day later, the company
disclosed publicly and to the SEC that its financial statements would be restated. The
price of the company's shares did not decline after the announcement or after the
restatement was published.
o The company pledged and gave complete cooperation to the SEC staff.
Co. provided staff with all relevant info, produced the details of its internal
investigation, including notes and transcripts of interviews with
Meredith and others;
Co. did not invoke attorney-client privilege, work product protection or
other privileges or protections with respect to any facts uncovered in
the investigation.
The company also strengthened its financial reporting processes to address
Meredith's conduct: developing a detailed closing process for the
subsidiary's accounting personnel, consolidating subsidiary accounting
functions under a parent company CPA, hiring three new CPAs for the
accounting department responsible for preparing the subsidiary's
financial statements, redesigning the subsidiary's minimum annual audit
requirements, and requiring the parent company's controller to interview and
approve all senior accounting personnel in its subsidiaries' reporting
processes.
O The SEC’s willingness to credit such behavior in deciding whether and how to take
enforcement action benefits investors as well as the SEC’s enforcement program.
When businesses seek out, self-report and rectify illegal conduct, and
otherwise cooperate with Commission staff, large expenditures of
government and shareholder resources can be avoided and investors
can benefit more promptly.
O Enforcement actions & credits for good behavior are done to:
Benefit investors- Protect investors & promote their best interests
Deter future violations
Assure compliance in the future
O Types of credit the SEC makes available to companies that self-police, self-report,
remediate and cooperate:
Taking no enforcement action
Bringing reduced charges
Seeking lighter sanctions
Including mitigation language in documents used to announce and
resolve enforcement actions
O Some criteria considered when determining whether, and how much, to
credit self-policing, self-reporting, remediation and cooperation:
What is the nature of misconduct?
□ Inadvertence, honest mistake, simple negligence, reckless or
deliberate indifference to indicia of wrongful conduct, willful
misconduct or unadorned venality? Were the company's
auditors misled?
How did the misconduct arise?
□ Is it the result of pressure placed on employees to achieve specific
results, or a tone of lawlessness set by those in control of the
company? What compliance procedures were in place to
prevent the misconduct now uncovered? Why did those
procedures fail to stop or inhibit the wrongful conduct?
□ Where in the organization did the misconduct occur?
□ How high up in the chain of command was knowledge of, or
participation in, the misconduct? Did senior personnel participate
in, or turn a blind eye toward, obvious indicia of misconduct?
How systemic was the behavior? Is it symptomatic of the way the
entity does business, or was it isolated?
How long did the misconduct last?
□ One quarter, one time event, or did it last several years? In the case
of a public company, did the misconduct occur before the company
went public? Did it facilitate the company's ability to go public?
How much harm has the misconduct inflicted upon investors and
other corporate constituencies?
□ Did the share price of the company's stock drop
significantly upon its discovery and disclosure?
How was the misconduct detected and who uncovered it?
How long after discovery of the misconduct did it take to implement
an effective response?
What steps did the company take upon learning of the misconduct?
□ Did the company immediately stop the misconduct? Are persons
responsible for any misconduct still with the company? If so, are
they still in the same positions? Did the company promptly,
completely and effectively disclose the existence of the
misconduct to the public, to regulators and to self-regulators? Did
the company cooperate completely with appropriate regulatory and
law enforcement bodies? Did the company identify what additional
related misconduct is likely to have occurred? Did the company
take steps to identify the extent of damage to investors and other
corporate constituencies? Did the company appropriately
recompense those adversely affected by the conduct?
What processes did the company follow to resolve many of these issues
and ferret out necessary information? Were the Audit Committee and
the Board of Directors fully informed? If so, when?
Did the company commit to learn the truth, fully and expeditiously? Did it
do a thorough review of the nature, extent, origins and consequences of
the conduct and related behavior? Did management, the Board or
committees consisting solely of outside directors oversee the review? Did
company employees or outside persons perform the review? If outside
persons, had they done other work for the company? Where the review
was conducted by outside counsel, had management previously engaged
such counsel? Were scope limitations placed on the review, and if so, what
were they?
What assurances are there that the conduct is unlikely to recur? Did
company adopt and ensure enforcement of new and more effective internal
controls and procedures designed to prevent a recurrence of the
misconduct? Did the company provide our staff with sufficient
information for it to evaluate the company's measures to Correct the
situation and ensure that the conduct does not recur?
Is the company the same company in which the misconduct occurred,
or has it changed through a merger or bankruptcy reorganization?
Questions and Comments (p. 228)
Agencies often administer significant penalties in highly publicized cases in an
effort to send a message to the industry about what not to do. In this case, the
opposite occurred: the SEC conspicuously refrained from administering a
sanction against a company in order to send a message to the industry about
what should be done.
While encouraging self-policing, the SEC is careful not to indicate that
cooperation of this sort will automatically be a shield against
liability.
One step that the agency applauds is that the company promptly fired
the responsible officials.

Advice (p.230)
Regulated organizations can get advice on how to structure or administer their
compliance operations from accounting firms, law firms, compliance consultants,
etc.
The most informative and reliable source of advice is the regulators themselves,
because they determine:
o whether the organization has committed a violation
o often, whether it has an effective compliance program in place
Regulators offer extensive advice about various elements of compliance
O Can be in the form of written “guidance” which is widely distributed in the
industry and often publicly available on government websites. (And this book!)
o Offer more particularized advice as part of their supervisory responsibilities (ex.
a report of examination containing a section detailing the deficiencies noted in the
regulated firm’s compliance operation. The report is vetted with management before
it is finalized and then made available to the BOD)
O Informal compliance-related advice
O In highly regulated industries, such as banking, the regulator maintains
permanent staff and offices within the organization
The frequent interactions that these contacts make possible are fruitful
opportunities for conveying information: not only advice about formal
policies and procedures, but also suggestions for best practices and
hints about the regulator's overall enforcement priorities and
philosophy.
Questions and Comments (p. 231)
o The advice that regulators offer about compliance may technically be only that
(advice), but the identity of the party giving the advice cannot help but have an
impact. Advice, although technically discretionary, can be mandatory in all but
name. Yet such advice is often adopted without the formal protections of notice
and comment rulemaking or other avenues for public vetting.
o The line between “advice” and “threat” is sometimes attenuated. If the regulator
provides recommendations about how an organization should structure its
compliance operation, there may be an unspoken sanction at the back end if the
advice is not heeded– the agency will take some action to punish the organization.
o Informal advice may lead to a too-cozy relationship between the regulator and its
regulated industry. In Bragg v. US, the federal Mine Safety & Health
Administration (MSHA) determined that a horrific coal mine accident had resulted, in part,
from the negligence of its own inspectors, who had failed to identify or demand
correction of numerous safety violations.
The investigation report surmised that the inspectors’ failures could have
been caused by a conflict of interest: “some of the identified
deficiencies may have stemmed from the relationship that MSHA
developed with [company] representatives . . . [U]sing enforcement
personnel in this manner to assist the [company] with its compliance
efforts may have created a conflict of interest that, over time, may have
affected the level of scrutiny MSHA provided at [the Mine] during
subsequent mine inspections. . . .”

Admissions (p.231)
If an enforcement proceeding goes to a litigated judgment, the determination could be
used against the defendant in a subsequent lawsuit: The facts and conclusions
necessary to the judgment might give rise to an estoppel which would bar the defendant
from denying them in a subsequent case.
If a settlement occurs the result is more ambiguous:
o Since there is no litigated judgment, the settlement is seen as a private
compromise and no facts are established
o However, defendants worry that if they agree to a settlement—especially
one imposing substantial obligations—their compromise of the government’s action will be
held against them in subsequent cases
I.e. the settlement itself will be taken as an admission of culpability that
can be used against D in later legal proceedings such as class actions
or shareholders derivative lawsuits.
o Defendants also worry that the settlement will be admissible in evidence as probative of
liability. Ex. If settlement involves an agreement to upgrade the defendant’s
compliance operation, there is concern that the agreement will be admitted as
evidence that D’s system of internal control was previously inadequate.
This fear is usually unfounded because, in law, subsequent remedial
measures are inadmissible to prove negligence. (Policy: we
want people to fix potentially dangerous problems and we would deter
them from doing so if they knew that fixing it could get them in
trouble.)
In general, therefore, a company's agreement to upgrade its
compliance operations in response to a government lawsuit may be
deemed inadmissible as evidence bearing on liability in a
subsequent private lawsuit. Notwithstanding this protection,
defendants worry that their agreement to enter a consent decree will
buy trouble in the form of subsequent lawsuits.
o To avoid these risks, defendants generally insist that settlement agreements with
the government recite that they do not admit misconduct. The government's
willingness to agree to such stipulations is often of material assistance in
smoothing the way to a settlement.
o There are a lot of issues with this practice (the settlement reciting that the
defendant neither admits nor denies the allegations). The excerpts below are an
exchange between the SEC and a judge who did not want to approve a
settlement in which the defendant company (Citigroup Global Markets) and the SEC
had agreed that the company would neither admit nor deny
wrongdoing.

SEC’s memo of Law in Response to Questions Posed by the Court Regarding Proposed
Settlement (p.232)
The SEC alleged that Citigroup Global Markets had engaged in misrepresentations in
connection with the marketing of collateralized debt obligation securities. The consent
decree required Citigroup to (a) pay the SEC a fine of $95 million; (b) disgorge $160
million of profits and $30 million in interest; and (c) carry out a series of undertakings for
a period of three years designed to prevent a repeat of the alleged conduct
(the usual compliance and risk management improvements).
[The court asked the parties a number of questions regarding the proposed settlement,
and the Commission responded.]
Court asked: Why should the Court impose a judgment in a case in which the S.E.C.
alleges a serious securities fraud but the defendant neither admits nor denies wrongdoing?
o SEC answer:
SCOTUS endorses the use and entry of consent judgments (which are
characterized by the defendant ceasing the illegal activity without admitting guilt
or liability; the disclaimer of liability is a standard feature of consent
decrees).
Consistent with this standard practice, the SEC has long used consent
decrees in which defendants admit no wrongdoing. Although such decrees are
appropriate, the SEC became troubled by defendants’ subsequent public
denials of wrongdoing.
□ In response, in 1972 the SEC prohibited consent
decrees in which the SEC imposed sanctions while allowing the defendant
to deny the allegations: a refusal to admit the allegations is treated as a
denial unless the defendant states that it neither admits nor denies the
allegations.
While the SEC does not require express admissions (given their collateral estoppel
effects), the Commission has prohibited the denials that consent
decrees often contained. Since this policy was announced, the
Commission has, as a general matter, included in its proposed consent
judgments a provision that the defendant neither admits nor denies the
Commission’s allegations.
Consistent with this policy, the SEC and Citigroup entered into a no
admit/deny settlement.
SEC laid out advantages and disadvantages to both parties in a
no admit/deny consent judgment.
□ D not subject to collateral estoppel w. regards to claims asserted,
but investors are still able to pursue any available private remedies
in addition to relief obtained by SEC.
□ SEC is able to bring the matter to speedy resolution, obtain
compensation for victims in timely manner, and allocate its limited
resources to bringing additional enforcement actions for the
protection of still more investors.
□ Courts have repeatedly recognized the balance of advantages and
disadvantages in the no admit/deny policy and have expressed
reluctance to upset that balance. So this court should do the
same.
[The SEC also responded to the court’s question about whether this policy is consistent
with the Justice Department’s policy of not accepting nolo contendere pleas in
criminal cases, and basically told the court that the comparison was inapt
(p.234)]
Questions and Comments (p.234)
Why do Ds resist making any admissions of misconduct when settling a civil
complaint? (Admissions of wrongdoing:)
o would be embarrassing and could lead to long-term reputational harm for the
organization
o might be followed by removal from office of any officials of the D organization who had
anything to do with the misconduct—including senior officers (CEO) who had
general oversight responsibility
o could have collateral estoppel effect (D may be precluded from denying facts so
admitted in subsequent civil or criminal litigation brought against the organization or
its officers)
o might result in problems under the organization's
liability insurance policy, which will typically exclude coverage for particular
types of wrongful acts.
At one time, the typical settlement acknowledged that the defendants denied the
allegations. After the settlement was announced, and the judgment releasing the
defendant from liability became final, defendants would publicly state that they had
done nothing wrong. In 1972 the SEC modified its policy and required that the
defendant "neither admit nor deny" the allegations. That way the defendant could not
subsequently claim that they had denied the allegations in the consent decree.
The SEC interpreted its post-1972 policy as also precluding a defendant from denying the
allegations in post-settlement statements (the SEC indirectly alludes to this aspect of
the policy when it says that the new approach would preclude denials both in the
consent decree itself “and elsewhere”).
SEC does not object when a defendant denies the allegations in court pleadings in private
cases where the same conduct formed the basis of the government action (for example,
in a shareholders derivative lawsuit or a securities class action)

SEC v. Citigroup Global Markets, inc. (p.236) – Response to SEC memo


“[T]he Court concludes, regretfully, that the proposed Consent Judgment is neither
fair, nor reasonable, nor adequate, nor in the public interest. Most fundamentally, this
is because it does not provide the court with a sufficient evidentiary basis to know
whether the requested relief is justified under any of these standards.”
o Reasoning:
o When a public agency asks a court to become its partner in enforcement by
imposing wide-ranging injunctive remedies on D, enforced by “formidable
judicial power on contempt”, the court and the public need some knowledge
of the underlying facts because otherwise the court “becomes a mere
handmaiden to a settlement privately negotiated on the basis of unknown
facts, while the public is deprived of ever knowing the truth in a matter of
obvious public importance.”
[Court strongly dislikes the SEC no admit/deny policy because the policy only
serves the interests of the parties:
o Citigroup
Penalties: 1) a mild slap on the wrist, 2) injunctive
relief by the court that Citi knows the SEC won’t follow through on, 3)
relatively inexpensive prophylactic measures (compliance
and risk programs) for 3 years.
Benefits: Citi ends a 4-year SEC investigation and avoids any investor
relying on the SEC’s consent judgment in seeking recovery for losses (i.e.,
no help for private investor cases against Citi). Citi basically just takes
the SEC consent judgment as a cost of doing business.
o SEC (the court, in polite terms, says that the SEC’s acceptance of this judgment
makes no sense)
The SEC gets a quick, good headline.
The deterrence penalty against Citi ($95 million) is pocket change to
Citi because of its size.
The SEC, per the judgment, may, but is not required to, return any of the
$285 million it got from Citi to the investors.
The judgment leaves investors short-changed: despite the SEC’s
professed support of investors in private civil actions to recoup losses,
the combination of charging Citi with negligence and then
permitting Citi to settle without admitting or denying the allegations
leaves investors with little recourse (private investors can’t bring securities
fraud claims based on negligence, can’t derive collateral estoppel
assistance from a non-admission/non-denial, and can’t safely base their
own claims on the SEC’s allegations because those allegations are
unproven).
The Court said that the parties’ resolution does not square with the public
interest because it is not fair, adequate, or reasonable:
● Not reasonable to impose substantial relief (backed by
judicial enforcement) on basis of allegations
● Not fair because despite Citi’s nominal consent, the
potential for abuse in imposing penalties on the basis of
facts that are neither proved nor acknowledged is patent
● Not adequate because in the absence of any facts, the Court
lacks a framework for determining adequacy
 Consent judgments like these are against the public interest because:
● “An application of judicial power that does not rest on facts is
worse than mindless, it is inherently dangerous. The
injunctive power of the judiciary is not a free-roving remedy
to be invoked at the whim of a regulatory agency, even with
the consent of the regulated. If its deployment does not rest on
facts, cold, hard, solid facts, established either by admissions or
by trials, it serves no lawful or moral purpose and is simply
an engine of oppression.”
● “[I]n any case like this that touches on the transparency of
financial markets whose gyrations have so depressed our
economy and debilitated our lives, there is an overriding public
interest in knowing the truth. In much of the world,
propaganda reigns, and truth is confined to secretive, fearful
whispers. Even in our nation, apologists for suppressing or
obscuring the truth may always be found. But the SEC, of all
agencies, has a duty, inherent in its statutory mission, to see
that the truth emerges; and if it fails to do so, this Court must
not, in the name of deference or convenience, grant judicial
enforcement to the agency's contrivances. Accordingly, the
Court refuses to approve the proposed Consent Judgment.
Instead, the Court . . . directs the parties to be ready to try this
case.”
 The Court refused to enter the consent judgment and ordered the parties to
litigate.

SEC v. Citigroup Global Markets, Inc. (p.239) – 2nd Circuit
 This was an appeal of a motion to stay the district court proceedings after the
district court refused to approve the settlement and ordered the parties to go to
trial.
 The SEC and Citi joined together to appeal the lower court’s decision, and the Circuit
Court appointed counsel to argue in support of the district court’s position.
 The Circuit Court (panel) held for the parties, stating that it is not the function of
federal judges to make policy choices.
o “It is not, however, the proper function of federal courts to dictate policy to
executive administrative agencies. Federal judges--who have no constituency--
have a duty to respect legitimate policy choices made by those who do. The
responsibilities for assessing the wisdom of such policy choices and resolving the
struggle between competing views of the public interest are not judicial ones: our
Constitution vests such responsibilities in the political branches.”
 Held for the parties and stayed the district court’s order to litigate.
o In conclusion, we are satisfied (1) that the SEC and Citigroup have made a strong
showing of likelihood of success in setting aside the district court's rejection of
their settlement, either by appeal or petition for mandamus; (2) the petitioning
parties have shown serious, perhaps irreparable, harm sufficient to justify grant of
a stay; (3) the stay will not substantially injure any other persons interested in the
proceeding; and (4) giving due deference to the SEC's assessment of the
importance of its settlement to the public interest, that interest is not disserved by
our grant of a stay.
Questions and Comments (p. 241)
 This last excerpt is not a final disposition of the matter, but only a decision by three
judges made on a motion to stay without the benefit of adversarial testing. The final
decision, which had not yet appeared as this book went to press, will be made by a
different panel and--in theory at least--will not look to this preliminary decision as
authority. On the other hand, the three judges here do make their views pretty clear,
and they are judges of the court that must ultimately decide the issues presented.
o These judges opine that "the scope of a court's authority to Second-guess an
agency's discretionary and policy-based decision to settle is at best
minimal."
o The judges observe that federal courts "have no constituency" and then
suggest that the lack of a constituency impairs their ability to assess a
settlement as compared, for example, with an administrative agency.
o The panel accuses Judge Rakoff of not giving proper deference to the SEC. The
panel's principal exhibit in support of their conclusion that Judge Rakoff had not
deferred to the SEC is the fact that he disagreed with the SEC's view of the case.
 In spite of the arguments it made in the excerpted case, the SEC has gradually moved
away from a uniform policy of negotiating "neither admit nor deny” settlement
agreements. Since 2012 it has generally required some concession of wrongdoing in
settlements involving a parallel criminal case in which admissions Or convictions
have been obtained. In 2013 it informally announced that it would also refuse to enter
into "neither admit nor deny" settlements in cases of egregious conduct or widespread
shareholder harm.
 In 2013 the SEC reached a $200 million settlement agreement with JPMorgan Chase
in connection with the "London Whale" trading fiasco. As part of the settlement, JP
Morgan Chase admitted that "its conduct violated the federal securities laws.”
PROSECUTORS

The Problem of Corporate Criminal Liability


● Companies are not human beings. They are fictional persons.
● Companies cannot be imprisoned or executed.
● Given that the only effective penalty against a company is a fine, the incidence of the
penalty will fall principally on the shareholders, who will take a loss when the fine
appears on the bottom line.
● Companies can only act through agents, and agents can be prosecuted if they cause
their employers to violate the law.
● Prosecutors have responsibilities other than enforcing corporate compliance obligations.

Samuel W. Buell, The Blaming Function of Entity Criminal Liability (p.244) (one of the
principal prosecutors of Arthur Andersen in Enron)
● Respondeat superior liability – the law that governs most cases of criminal enterprise
liability; if a master were an entity, the master could be convicted for virtually any
crime the master’s agent committed within the scope of agency.
o Inquiry into an entity’s criminal responsibility would proceed no further.
o The only slight modification to this rule has been to add a requirement that
the agent have acted, in some part, to benefit the master.
o “No soul to be damned and no body to be kicked” – criticism of respondeat
superior; but it has become firmly entrenched as the across-the-board rule
of enterprise liability for all manner of crimes
o Treatments of this problem have run in one of three directions:
 Toward conclusions that retribution against nonhuman legal forms
is nonsensical and pointless
 Skepticism that criminal law could add anything useful to the project
of regulating firms, which can suffer only financial consequences
 Embrace of a popular impulse to condemn entities criminally for the
harms they visit upon people (only this one has begun to explain what
is involved in the modern practice of imposing criminal liability on
organizations)
● Thesis: the blaming function of entity criminal liability is linked closely to the utility
of the doctrine.
● Argues that conventional justifications for corporate criminal liability are problematic
● The scope of corporate criminal liability is very large. Corporations are strictly liable for
acts of their agents that cause the corporation to engage in criminal behavior – even if
the corporation has done everything possible to prevent this from happening.
● Even though corporations can’t feel shame, the people who work in a corporation
do experience negative reactions when their companies are prosecuted
● Miriam Hechler Baer – recommends that the law should abolish entity wide criminal
liability but require instead that companies take out policies of insurance against the
costs of civil sanctions
o Problem: a company that is insured against monetary sanctions for
compliance violations might become less diligent at preventing them
The Decision to Prosecute
● “Prosecutorial discretion” – freedom to charge or not; resources are limited
● There can be abuse of office for political purposes which raises concerns in the
public about the rule of law; too much discretion can impair the deterrence objectives
of criminal law
● Constraints on prosecutorial discretion give citizens notice about what conduct is likely
to be punished and how severe the punishment will be; also facilitate the effective
management of the prosecutor’s office by giving clear indications to staff attorneys about
enforcement priorities

United States Attorneys Manual, Principles of Federal Prosecution of Business Organizations


(p.248-58)
● Department promotes critical public interests which include:
o Protecting the integrity of our free economic and capital markets
o Protecting consumers, investors, and business entities that compete only
through lawful means
o Protecting the people from misconduct that would violate criminal
laws safeguarding the environment
● Federal prosecutors and corporate leaders share common goals – the execution of
fiduciary duties by officers and directors serves the same values in promoting public
trust and confidence that the prosecutor’s cases are designed to serve
● Corporations should not be treated leniently because of their artificial nature nor
should they be subject to harsher treatment
● Prosecutors weigh the same factors in determining whether to charge a corporation as
they do with respect to individuals, but must also consider factors specific to the proper
treatment of a corporate target:
o Nature and seriousness of offense
o Pervasiveness of wrongdoing
o Corporation’s history of similar misconduct
o Timely and voluntary disclosure
o Existence of pre-existing compliance program
o Remedial actions
o Collateral consequences
o Adequacy of the prosecution of individuals responsible
o Adequacy of remedies, e.g. civil or regulatory enforcement actions
● Special policy concerns include risk of harm to the public from the criminal misconduct
● So long as the corporation timely discloses relevant facts about the putative
misconduct, the corporation may receive due credit for such cooperation regardless of
whether it chooses to waive privilege or work product protection in the process
● Failure to disclose relevant facts of alleged misconduct will not allow corporation
to receive credit
o Government cannot compel and the corporation has no obligation to make
such disclosures
o Corporation’s failure to provide relevant information does not mean
the corporation will be indicted
o Cooperation is a relevant potential mitigating factor but alone is not dispositive
● Department has no formulaic requirements regarding corporate compliance programs
● Prosecutors should attempt to determine whether a corporation’s compliance program is
a “paper program” or whether it was designed, implemented, reviewed and revised as
appropriate in an effective manner
● Prosecutors need to consider when evaluating the compliance program:
o The comprehensiveness of the program
o The extent and pervasiveness of the criminal misconduct
o Number and level of the corporate employees involved
o Seriousness, duration and frequency of the misconduct
o Any remedial actions taken
● Two other factors used in evaluating a corporation’s remedial efforts are:
o Restitution
o Reform
● Primary goals of criminal law:
o Deterrence
o Punishment
o Rehabilitation
● Under theory of respondeat superior any act of any corporate employee may be the basis
for corporate criminal liability, so long as it is committed in the scope of employment or
with an intent to serve the company
● Having a compliance program is not sufficient on its own to justify not charging
a corporation for criminal conduct of its directors


PROSECUTORS – part 2 p.259-270

Major role:
● Negotiating plea agreements with corporations
● Generally should seek a plea to the most serious, readily provable offense charged
● Terms of the plea agreement should contain appropriate provisions to ensure
punishment, deterrence, rehabilitation, and compliance with the plea agreement in the
corporate context

p.262 – Deferred Prosecution and Non-Prosecution Agreements


● Third option besides criminal indictment and a declination
● Declining prosecution may allow a corporate criminal to escape without consequences
● These agreements can help restore the integrity of a company’s operations and preserve
the financial viability of a corporation that has engaged in criminal conduct while
preserving the government’s ability to prosecute a recalcitrant corporation that
materially breaches the agreement

Deferred Prosecution Agreement (DPA)


● The target complies with the government’s investigation and agrees to implement
remedial measures; in exchange the government agrees to defer the filing of
charges

Non-Prosecution Agreement (NPA)


● Government is satisfied with the target’s compliance and therefore agrees to drop
the case at the time of the agreement

p.259 – Plea Bargains, Deferred Prosecution Agreements, and Non-Prosecution Agreements

Corporate Plea Agreement


● Should contain provisions that recognize the nature of the corporate “person” and
that ensure that the principles of punishment, deterrence, and rehabilitation are met
● Punishment and deterrence are generally accomplished by fines, mandatory restitution,
and institution of appropriate compliance measures, e.g. continued judicial oversight or
the use of special masters or corporate monitors
● Where the corporation is a government contractor, permanent or temporary
debarment may be appropriate
● Where corporation engaged in fraud against government, a prosecutor may not
negotiate away an agency’s right to debar or delist the corporate defendant
● Prosecutors should consider:
o the deterrent value of prosecutions of individuals within a corporation
 One factor that may be considered in determining whether to enter into a
plea agreement is whether the corporation is seeking immunity for its
employees and officers or whether the corporation is willing to
cooperate in the investigation of culpable individuals
 Prosecutors should rarely negotiate away individual criminal liability in
a corporate plea
o Rehabilitation value – requires that the corporation undertake to be law-abiding
in the future.
 It is, therefore, appropriate to require the corporation, as a condition of
probation, to implement a compliance program or to reform an
existing one
 Prosecutors may consult with the appropriate state and federal
agencies and components of the Justice Department to ensure best
practices.
o In plea agreements in which the corporation agrees to cooperate, the prosecutor
should ensure that the cooperation is entirely truthful. To do so, the prosecutor
may request that the corporation make appropriate disclosures of relevant factual
information and documents, make employees and agents available for debriefing,
file appropriate certified financial statements, agree to governmental or third-
party audits, and take whatever other steps are necessary to ensure that the full
scope of the corporate wrongdoing is disclosed and that the responsible personnel
are identified and, if appropriate, prosecuted.
 In taking such steps, the Department must respect corporate attorney-
client privileges
● Cooperation is not measured by the waiver of attorney-client
privilege and work product protection, but rather is measured by
the disclosure of facts and other considerations identified herein
such as making witnesses available for interviews and assisting
in the interpretation of complex documents or business records.
Questions and Comments (p.260)
 What if, after a plea agreement is finalized, the defendant subsequently proclaims her
innocence or seeks to minimize her guilt? Such behavior is problematic because it
detracts from the perceived gravity of the offense and reduces the deterrent effect of
the prosecution on other companies; it also indicates that the defendant is likely to
commit future offenses. The Manual disapproves of such conduct, warning that "[a]
corporation should be made to realize that pleading guilty to criminal charges
constitutes an admission of guilt and not merely a resolution of an inconvenient
distraction from its business."
o Several factors work together to discourage defendants from disavowing
or minimizing responsibility for their crimes:
 Some jurisdictions require that the defendant "allocute": make a
statement at the time the plea is presented which admits guilt. Having
made the statement, the defendant will be hard-pressed to disavow it.
 Prosecutors are advised to place evidence of guilt on the record, which
can be used to refute subsequent protestations of innocence.
 If, despite the foregoing, a defendant acts in such a way as to indicate it
doesn't take the guilty plea seriously, the prosecutors or civil regulators
are likely to view this conduct in a negative light the next time the
defendant gets into trouble.
 Some jurisdictions allow a plea of nolo contendere (no contest), which neither admits
nor denies guilt but which can have the same effect as a guilty plea for purposes of plea
bargaining.
o When the defendant enters a nolo plea, she may be relieved from the need
to allocute the plea by formally admitting to wrongful acts.
o Although the rules vary across jurisdictions, this procedure can limit the degree
to which the plea bargain can be used against the defendant in subsequent civil,
criminal, or administrative proceedings.
 Although federal courts do not prohibit nolo pleas, the U.S. Department of Justice
generally refuses to negotiate them. If the defendant is adamant, the DOJ might in some
cases "wink" at the nolo plea by simply allowing the defendant to make the plea in
court, without the department's approval, and then cooperating with the defendant in
a joint sentencing recommendation. A risk to the defendant from this approach, even if
the prosecutors agree to go along, is that the recommendation is not binding and therefore
might be ignored by the sentencing judge.
 Corporate defendants often resist entering into plea agreements because of the
potential collateral consequences.
o The admission of guilt that is required in a plea agreement may deprive a
corporate defendant of the protections of its insurance coverage, which
may exclude indemnification for criminal misconduct.
o The guilty plea may come back to haunt the company or its directors in
civil litigation brought by shareholders or others.
o The company may forfeit the right to bid on government contracts.
o The reputational costs of a plea agreement are also high, particularly in
certain areas of commerce such as the service or government contracting
sectors.

Deferred Prosecution and Non-Prosecution Agreements (p.262)


 Deferred prosecution agreements (DPAs) or non-prosecution agreements (NPAs) offer
alternative avenues to dispose of corporate criminal cases without the inconveniences
and risks of a formal guilty plea.
o In the DPA, the target complies with the government's investigation and agrees
to implement remedial measures; in exchange the government agrees to defer the
filing of charges. If the target satisfies the government that it has fully complied
with its promises, the government never brings the prosecution.
 NPA is similar except that the government is satisfied with the target's compliance
and therefore agrees to drop the case at the time of the agreement.
o NPAs, being more definitive, are typically seen only when the target has made
a prompt self-report of the violation and provided the government with
extensive cooperation in its investigation.
 These sorts of agreements have grown greatly in importance over the past decade.
According to one estimate, the Department of Justice entered into 35 corporate DPAs
or NPAs in 2012, with total recoveries of $9 billion.

United States Attorneys Manual, Principles of Federal Prosecution of Business Organizations


(p.262)
 [W]here the collateral consequences of a corporate conviction for innocent third
parties would be significant, it may be appropriate to consider a non-prosecution
or deferred prosecution agreement with conditions designed, among other things,
to promote compliance with applicable law and to prevent recidivism.
 Such agreements are a third option, besides a criminal indictment, on the one
hand, and a declination, on the other.
o Declining prosecution may allow a corporate criminal to escape
without consequences.
o Obtaining a conviction may produce a result that seriously harms
innocent third parties who played no role in the criminal conduct.
o Under appropriate circumstances, a deferred prosecution or non-prosecution
agreement can help restore the integrity of a company's operations and preserve
the financial viability of a corporation that has engaged in criminal conduct, while
preserving the government's ability to prosecute a recalcitrant corporation
that materially breaches the agreement. These agreements achieve other
important objectives (like prompt restitution for victims).
 Ultimately, the appropriateness of a criminal charge against a corporation, or some
lesser alternative, must be evaluated in a pragmatic and reasoned way that produces
a fair outcome, taking into consideration, among other things, the Department's need
to promote and ensure respect for the law.

Questions and Comments (p.262)


 DPAs and NPAs conserve on the prosecutor's resources and generate reasonably
credible guarantees of compliance going forward – all good things.
 Downside to DPAs and NPAs – unlike a plea agreement, a DPA or NPA doesn't have to be
presented to a court for review. This means that, at least for the particular case, there will
be no judicial evaluation of the credibility of the government's case or the
reasonableness of its legal theories.
 Companies ordinarily do not admit guilt when entering into a DPA or NPA.
 The victims of wrongdoing do not have any standing to object to the terms of a DPA
or NPA. They can’t appeal the trial court's decision to approve one of these
agreements. They are not entitled to restitution for the harms they suffered.
 Targets often agree to adopt enhanced compliance programs and activities
as consideration for the government's agreement to a DPA or NPA.

United States District Court for the Southern District of Texas – Deferred Prosecution
Agreement (p.263) – Example of what the government expects in a DPA
 Aibel Group accepts and acknowledges that the United States will file a criminal
Information in the United States District Court for the Southern District of Texas
charging Aibel Group with violating the Foreign Corrupt Practices Act ("FCPA"). In so
doing, Aibel Group knowingly waives its right to indictment on these charges, as well as
all rights to a speedy trial pursuant to the Sixth Amendment to the United States
Constitution, Title 18, United States Code Section 3161, Federal Rule of Criminal
Procedure 48(b), and all applicable Local Rules of the United States District Court for
the Southern District of Texas for the period during which this Agreement is in effect.
 Aibel Group accepts and acknowledges that it is responsible for the acts of its officers
and employees as set forth in the Statement of Facts annexed hereto… Should the
Department. . . initiate the prosecution that is deferred by this Agreement, Aibel Group
agrees that it will neither contest the admissibility of, nor contradict, in any such
proceeding, the facts contained in the Statement of Facts. Aibel Group does not endorse,
ratify or condone criminal conduct and, as set forth below, has taken and commits to
continue to take significant steps to prevent such conduct from occurring in the future.
 This Agreement is agreed to by the Department based upon the fact:
o that Aibel Group had voluntarily disclosed the misconduct referenced in
the Statement of Facts;
o conducted a thorough investigation of that misconduct; regularly reported all
its findings to the Department;
o cooperated in the Department's subsequent investigation of this matter;
o agreed to implement remedial measures to ensure that this conduct will not recur
and to continue to operate with the Department in its ongoing investigation of
the conduct of Aibel Group, the Vetco Aibel Entities, and the officers, directors
and employees thereof;
o and, proposed and agreed to the compliance structure set forth. . . herein,
including the duties and obligations of the Executive Chairperson,
Compliance Committee and Compliance Counsel as more fully set out herein.
 During the three (3) year term of this Agreement, Aibel Group agrees to cooperate fully
with the Department, and any other authority or agency, domestic or foreign, designated
by the Department investigating Aibel Group and the Vetco Aibel Entities, or any of its
present and former directors, officers, employees, agents, consultants, contractors and
subcontractors, or any other party, in any and all matters relating to corrupt payments in
connection with its operations.
 Aibel Group agrees that its cooperation shall include, but is not limited to, the following:
o Aibel shall truthfully disclose all information with respect to the activities of
Aibel Group and the Vetco Aibel Entities concerning all matters relating to
corrupt payments in connection with their operations, related false books and
records, and inadequate internal controls about which Aibel Group and the
Vetco Aibel Entities have any knowledge or about which the Department shall
require.
 This obligation of truthful disclosure includes the obligation to provide
the Dept., upon request, any document, record or other tangible evidence
relating to such corrupt payments, books and records, and internal
controls about which the Dept. shall inquire of Aibel.
 If specifically requested by the Dept., Aibel must provide the Dept. with access to
information, documents, records, facilities and employees of Aibel that may be subject
to the attorney-client/work-product privileges.
o Upon request of the Dept., Aibel and its subsidiaries shall designate
knowledgeable employees, agents, or attorneys to provide the information and
materials described
o Aibel shall use their best efforts to make their directors, officers, employees,
agents and consultants available to provide information and testimony as
requested by the Department, including sworn testimony before a federal
grand jury or in federal trials, as well as interviews with federal law
enforcement authorities.
 Cooperation under this Paragraph will include identification of witnesses
who, to the knowledge of Aibel Group and the Vetco Aibel Entities, may
have material information regarding the matters under investigation.
o These entities shall use their best efforts to make available, for interviews or
for testimony, such present and former Aibel Group and Vetco Aibel Entities
officers, directors, agents, consultants, and employees, and the officers, directors,
employees, agents and consultants of contractors and sub-contractors, as may be
requested by the Department.
o Aibel Group and the Vetco Aibel Entities consent to any and all disclosures of
any information, testimony, document, record, or other tangible evidence
provided to the Dept., to other Government agencies, whether agencies of the
United States or a foreign government, of such materials as the Department, in
its sole discretion, shall deem appropriate.
 In return for the full and truthful cooperation of Aibel Group and the Vetco Aibel
Entities, and compliance with all the terms and conditions of this Agreement, the
Department agrees not to use any information related to the conduct described in the
attached Statement of Facts against Aibel Group or the Vetco Aibel Entities in any
criminal or civil case, except in a prosecution for perjury or obstruction of justice; in a
prosecution for making a false statement after the date of this Agreement; in a
prosecution or other proceeding relating to any crime of violence; or in a prosecution
or other proceeding relating to a violation of any provision of Title 26 (US Code).
 In addition, the Department agrees, except as provided herein, that it will not bring any
criminal or civil case against Aibel Group or the Vetco Aibel Entities related to the
conduct of present and former employees of these entities as described in the attached
Statement of Facts. This Paragraph does not provide any protection against prosecution
for any corrupt payments, if any, made in the future by Aibel Group or the Vetco Aibel
Entities or any of their officers, directors, employees, agents or consultants, whether or
not disclosed by Aibel Group or the Vetco Aibel Entities, nor does it apply to any such
payments, made in the past, which are not described in the attached Statement of Facts.
 In addition, this agreement does not provide any protection against criminal prosecution
of any present or former officer, employee, director, shareholder, agent or consultant of
Aibel Group or the Vetco Aibel Entities for any violations committed by them.

Questions & Comments (p.266)


 This DPA requires the target (Aibel) to waive its right to a speedy trial. Such waivers
are, or should be, parts of every DPA because otherwise the target could claim, after a
suitable period of time, that the government had waited too long to bring it to trial, and
thus could avoid further compliance with its obligations under the agreement.
 Remedial measures required in DPAs usually involve the company instituting changes
in corporate governance. Governance provisions commonly include:
o Commitments to fire specified employees (or recitations that these individuals
had already been terminated).
o Creation of specified managerial positions, such as that of a chief
compliance officer or a chief risk officer.
o Guarantees of reporting lines for these or other officers to the CEO, the
board audit committee, or other senior corporate body.
o Splitting of the positions of board chairman and chief executive officer.
o The addition of directors.
o Additional guarantees of director independence.
o The creation of new board committees or the vesting of new powers in
existing committees.
o Retention of a consultant, paid by the defendant, to recommend
additional governance changes.
o Appointment of outside monitors to evaluate continuing compliance.
 A DPA is not the product of an informed judgment on the merits made by a judge
or jury.
 Because criminal cases against corporations rarely go to trial, the role of the judge and
jury in such matters is attenuated. This raises questions about whether prosecutors are
equipped to perform the tasks traditionally assigned to the judge and the jury – for
example, the impartial administration of the law, or the application of community norms
and values.
o Justice Breyer in a 2012 case: "the prosecutor in such a system, perhaps armed
with statutes providing for mandatory minimum sentences, can become the
ultimate adjudicator. The prosecutor/adjudicator plays an important role in many
'European inquisitorial' systems. But those prosecutors, unlike ours, typically
are trained formally to be more like neutral adjudicators than advocates."

p.268 – Sentencing – SUPER IMPORTANT


● Influenced by the Federal Sentencing Guidelines for Organizations
o Guidelines provide that in some circumstances a corporate defendant may receive
a more lenient sentence if it has in place an effective compliance and ethics
program
Federal Sentencing Guidelines, §8B2.1 Effective Compliance and Ethics Program (p.268)
[Seven elements of an “effective compliance and ethics program”]
(a) To have an effective compliance and ethics program, . . . an organization shall
1. exercise due diligence to prevent and detect criminal conduct; and
2. otherwise promote an organizational culture that encourages ethical conduct and
a commitment to compliance with the law.
Such compliance and ethics program shall be reasonably designed, implemented,
and enforced so that the program is generally effective in preventing and detecting
criminal conduct. The failure to prevent or detect the instant offense does not
necessarily mean that the program is not generally effective in preventing and
detecting criminal conduct.
(b) Due diligence and the promotion of an organizational culture that encourages ethical
conduct and a commitment to compliance with the law within the meaning of subsection
(a) minimally require the following:
(1) The organization shall establish standards and procedures to prevent and detect
criminal conduct.
(2) (A) The organization's governing authority shall be knowledgeable about the content
and operation of the compliance and ethics program and shall exercise reasonable oversight
with respect to the implementation and effectiveness of the compliance and ethics program.
(B) High-level personnel of the organization shall ensure that the organization
has an effective compliance and ethics program, as described in this guideline. Specific
individual(s) within high-level personnel shall be assigned overall responsibility for the
compliance and ethics program.
(C) Specific individual(s) within the organization shall be delegated day-to-day
operational responsibility for the compliance and ethics program. Individual(s) with
operational responsibility shall report periodically to high-level personnel and, as
appropriate, to the governing authority, or an appropriate subgroup of the governing
authority, on the effectiveness of the compliance and ethics program. To carry out such
operational responsibility, such individual(s) shall be given adequate resources, appropriate
authority, and direct access to the governing authority.
(3) The organization shall use reasonable efforts not to include within the substantial authority
personnel of the organization any individual whom the organization knew, or should have
known through the exercise of due diligence, has engaged in illegal activities or other conduct
inconsistent with an effective compliance and ethics program.
(4) (A) The organization shall take reasonable steps to communicate periodically and in a
practical manner, its standards and procedures, and other aspects of the compliance and
ethics program, to the individuals referred to in subparagraph (B) by conducting effective
training programs and otherwise disseminating information appropriate to such individuals'
respective roles and responsibilities.
(B) The individuals referred to in subparagraph (A) are the members of the governing
authority, high-level personnel, substantial authority personnel, the organization's employees,
and, as appropriate, the organization’s agents.
(5) The organization shall take reasonable steps:
(A) to ensure that the organization's compliance and ethics program is
followed, including monitoring and auditing to detect criminal conduct;
(B) to evaluate periodically the effectiveness of the organization's compliance and
ethics program; and
(C) to have and publicize a system, which may include mechanisms that allow for
anonymity or confidentiality, whereby the organization's employees and agents may report
or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
(6) The organization's compliance and ethics program shall be promoted and enforced
consistently throughout the organization through (A) appropriate incentives to perform in
accordance with the compliance and ethics program; and (B) appropriate disciplinary
measures for engaging in criminal conduct and for failing to take reasonable steps to prevent
or detect criminal conduct.
(7) After criminal conduct has been detected, the organization shall take reasonable steps to
respond appropriately to the criminal conduct and to prevent further similar criminal
conduct, including making any necessary modifications to the organization's compliance and
ethics program.

(c) In implementing subsection (b), the organization shall periodically assess the risk of
criminal conduct and shall take appropriate steps to design, implement, or modify each
requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through
this process.

Questions & Comments (p.269)

 The adoption of the sentencing guidelines for organizations in 1991 was an important
step in the development of the modern law of compliance; it provided an incentive to
firms to adopt compliance programs in order to mitigate the severity of their sentences
if they were subsequently convicted of federal crimes, and also served as a model for
compliance programs outside the criminal justice sphere.
 Professor Jennifer Arlen criticizes the sentencing guidelines for organizations on
the ground that they offer too little credit for organizations' self-policing activity:
o To deter corporate crime, corporate sanctions must be structured to induce large
corporations to help federal prosecutors detect and punish corporate crime.
Specifically, firms must be encouraged to detect and report wrongdoing, and to
cooperate with the govt.’s effort to identify and sanction the individuals
responsible for the crime. Firms will not engage in these activities unless they
face lower expected sanctions if they do not… Although the Organizational
Sentencing Guidelines offer sanction mitigation to firms that adopt effective
compliance programs, self-report and cooperate,… these provisions offer too
little mitigation to encourage firms to detect, report and cooperate. Indeed, the
Guidelines’ mitigation provisions are particularly inadequate in the very
circumstances where corporate detection and investigation is most important: in
cases involving crimes committed by managers of large firms.
WHISTLEBLOWERS

Whistleblower – a person who, without being required to do so, reports misconduct within an
organization; not a law enforcement agent nor an internal or external auditor; volunteer who has
personal knowledge of misconduct within an organization and who comes forward on her own;
enforces rules or norms

Sherron Watkins – Enron Case (p.272)


● Accountant who provided a matter-of-fact summary of the events that gave rise to
her conversation with Mr. Lay
● Assets were hedged with an entity called Raptor
● Was alarmed by the information she was receiving i.e. it was her understanding that as
an accountant the company could never use its own stock to generate a gain or avoid a
loss on its income statement
● Watkins seemed satisfied that Lay had heard her out in good faith and that he would
look into her concerns; Lay commissioned an investigation by Enron’s outside counsel,
Vinson & Elkins but, it was hedged by so many limitations that it failed to uncover what
was in fact a massive fraud

Encouraging Whistleblowing
● Often whistleblowers are lauded and lionized for their courage in coming forward i.e.
Cynthia Cooper of WorldCom reported evidence of fraud leading her to be named
Time Magazine’s Persons of the Year; Sherron Watkins received similar tributes
● But they are also described in less favorable terms, e.g. “leaker”, “snitch”, “fink”, “rat”
● More common pattern is that they are disliked
● Norm against snitching → those engaged in wrongdoing intimidate anyone who will
blow the whistle; everyone has done something wrong and can associate with the
target; communities often prefer to manage their own problems rather than have
someone come in from without; people outside may be even worse than the people
within the group
● 4 strategies to counteract the anti-snitching norm:
1) Tone at the Top
▪ People don’t come forward because:
● Complaints will not be heard or acted on
● They fear they will suffer retaliation
▪ Senior managers need to reassure that reports are valued and will be
carefully investigated, and that the organization will neither retaliate
nor will it tolerate others doing so
2) Protections for Whistleblowers
▪ SOX prohibits publicly traded companies from retaliating against people
who provide information in connection with an investigation into
potential violations of the securities laws
▪ Remedies for proven violations include reinstatement, back pay, and
compensation for any special damages sustained as a result of the
discrimination, e.g. litigation costs, expert witness fees, attorney’s
fees
▪ Organizational codes of ethics include protections, e.g. Apple Computer’s:
will not retaliate and will not tolerate retaliation against any individual for
filing a good faith complaint with management
3) Rewards
▪ Financially, via bonuses or bounties for information, or by promoting
the person within the company
▪ SEC’s bounty program authorizes payments to individuals who
voluntarily provide the SEC with “original information” (the first one to give
the information) that leads to an SEC enforcement action generating more
than $1 million in sanctions
▪ Example – Eli Lilly Zyprexa case: 4 whistleblowers shared 20 percent of
an $800 million settlement. Off-label marketing case against a pharmaceutical
manufacturer.
▪ IRS also operates a whistleblower bounty program for tax compliance,
the Informant Whistleblower Award Program
▪ SEC operates a bounty under § 21F; 10-20% recovery by the whistleblower
▪ To date, bounty programs have generally been restricted to cases of fraud
4) Mandatory Reporting
▪ Organizations may require people with knowledge of compliance
violations to report what they know, on penalty of being disciplined
themselves if they keep silent, e.g. Apple’s policy – failure to report
can lead to termination of employment
▪ Legal profession is subject to an important snitch obligation – Model
Rules; only those violations which raise a substantial question as to the other
attorney’s honesty, trustworthiness or fitness; neither the rules nor the
commentary describes which violations are so serious as to require
reporting; applies only when the attorney knows that another attorney
has committed a violation

Whistleblower Policies (p.279-82)


● OVB Inc. policy – provides a means for early detection of problematic situations before
they have serious consequences; to ensure that OVB fulfills its responsibilities under the
US whistleblower laws i.e. SOX, and California law

Responding to the Whistleblower (p.282-86)


● First step – launch an internal investigation
● Examples – Report of Investigation by the Special Investigative Committee of the Board
of Directors of Enron Corp.
o Enron in the wake of Sherron Watkins’ disclosures: one conducted soon after
she came forward, when the company was under its former management; the
other conducted later, after the former managers had been replaced
o Vinson & Elkins was chosen as it was familiar with Enron and LJM matters;
V&E would conduct a “preliminary investigation” which was defined as
determining whether the facts raised by Watkins warranted further
independent legal or accounting review
o “Powers Report” – named after the committee chairman, William C. Powers,
who was appointed to the Enron Board after the events giving rise to Enron’s
problems, for the purpose of chairing the investigative committee
o Two sorts of investigations in report: a) the investigation engaged in by V&E; and b)
the subsequent investigation engaged in by the special investigating committee,
which comments on the nature of the first investigation
o V&E concluded that it was not ethically precluded from conducting
the investigation; no further review was warranted

Qui Tam Actions (p.286)


□ A special type of whistleblower proceeding
□ Traditional mechanism for encouraging whistleblowers to come forward by
offering them bounties if they do so
□ False Claims Act – 31 USC §3730 is the qui tam provision that sets forth a procedure
whereby a private party called the “relator” can file a lawsuit on behalf of the
government charging that a person has made a false claim on the government in violation
of §3729
□ “Relator” is a volunteer; can be expected that multiple suits will be filed when news
of a potential FCA violation begins to leak out
□ FCA allocates the litigation to the first person to file the action
□ Under FCA private citizens may bring suit for false claims on behalf of the US
and share in any recovery obtained by the government
□ FCA bars a qui tam relator from bringing a case based upon allegations that
already have been publicly disclosed unless the relator is an “original source” of
the information
o Original source – under §3730, an individual who either “prior to a public disclosure has
voluntarily disclosed to the Government the information on which allegations or
transactions in a claim are based or who has knowledge that is independent of and
materially adds to the publicly disclosed allegations or transactions and who has
voluntarily provided the information to the government before filing an action
under the section”
□ Florida has its own False Claims Act (2014)
□ Similar to other whistleblower programs, but they have one special feature that gives
extraordinary power to the person providing the information → relator is allowed to
proceed on her own if the government refuses to act, giving the relator potentially
larger benefits from coming forward
□ Relator in FCA action seeks recovery on behalf of the government; her interest in the
matter is that of a good citizen who wants to protect the public finances, coupled
with the not-insubstantial interest in receiving a bounty at the end of the day
□ Vermont Agency of Natural Resources v. U.S. ex rel. Stevens – holding that the injury in
fact sustained by the US was sufficient to confer Art. III standing on the qui tam
plaintiff.
□ FCA allows a relator to pursue litigation when the government doesn’t want to
pursue the case
□ Two policies:
o Encourage whistleblowers to bring evidence of fraudulent claims to the attention
of the government
o Enlist the qui tam relator as a participant and to some degree as a monitor in the
government’s conduct of litigation

Darity v. C.R. Bard Inc. – Complaint


Facts: Plaintiff was employed by Defendant, a NJ-based corporation that develops and
manufactures medical products. Plaintiff was the relator in this case and was in a position to
observe the alleged misconduct. Defendant engaged in a variety of schemes designed to induce
customers to purchase its brachytherapy seeds. Inducements provided by Bard to customers
result in increased prices for the seeds. These increased prices are paid for by the Medicare and
Medicaid programs. Bard was allegedly able to engage in its illegal marketing strategy because
under applicable regulations, payments for the seeds were passed directly on to the Medicare
and Medicaid programs. Hospitals and other health care providers would not incur a loss if they
overpaid. It would arguably have been easy to persuade health care providers to overpay
because the government was picking up the tab.

Department of Justice, Office of Public Affairs, C.R. Bard Inc. to Pay U.S. $48.26 Million to
Resolve FCA Claims (p.290)
□ Bard agreed to pay to resolve the claims it knowingly caused false claims to
be submitted to Medicare for the seeds used in violation of the FCA
□ Settlement:
o Required Bard to pay and resolve claims relating to Bard’s sale of seeds to
hospitals
o US alleged that Bard provided illegal remuneration to customers and physicians
to induce them to purchase Bard’s seeds in violation of the Anti-Kickback Statute
o Settlement is part of the US’ ongoing effort to combat the payment of illegal
kickbacks to health care providers
o Illegal kickbacks in any form pervert our health care system, which is designed to
ensure that health care providers make decisions based solely on what is best for
the patient
o The civil settlement resolves a lawsuit filed in the US District Court in Georgia by
Julie Darity, under the qui tam, or whistleblower, provisions of the FCA
o Bard has agreed to pay an additional $2.2 million and to take numerous remedial
steps, many of which the company identified and began to implement prior to the
criminal investigation, to enhance its corporate compliance program to prevent
similar illegal actions in the future
o Bard agreed to refine its Code of Conduct and other written policies and
procedures that promote Bard’s commitment to full compliance with all Federal
health care program requirements and to develop an effective program to monitor
medical education grants provided by Bard to ensure compliance with those
requirements
o Should the Department of Justice have taken Bard’s compliance rap sheet into
consideration when it agreed to the settlement?
GATEKEEPERS

Gatekeeper – someone whose certification or support is needed before an organization can reach
a goal
□ Two models:
o Zealous advocate on behalf of the organization (historically more important)
o Serves the organization but also acts as a public servant who carries out a broader
responsibility by ensuring that the organization complies with governing norms
□ Tension = choosing between helping the organization fend off the government and
helping the government force the organization to comply with the government’s
wishes

Lincoln Savings & Loan Ass’n v. Wall (p.295)


Facts: Bank regulators took control of the company after concluding that it was insolvent. The
former controlling parties sued to get it back. Trial judge concluded that the company’s financial
strategies were rife with fraud and misconduct. Upheld the government’s actions. Asked a series
of questions.
□ Here it was clear the private sector was not willing to cooperate with the
public oversight regulators
□ Private sector impeded the regulatory authorities from discharging their duties
□ Two problems with the behavior of the professions who provided services to Lincoln:
o A cynical attitude of disrespect for the law;
o A failure to do the right thing when confronted with evidence of misconduct

Attorneys (p.296)
□ Three advantages that the attorney brings to the gatekeeper role:
o Attorney-client privilege
o Work product privilege
o Defense of reliance on counsel

a) Zealous Advocates or Public Servants? (p.297)


□ Lord Brougham – lawyer as a zealous advocate; knows but one person in all
the world, and that person is his client
□ Roscoe Pound – attorney as public servant; no less a public service because
it may incidentally be a means of livelihood
□ Rules governing attorneys generally favor the model of the attorney as zealous
advocate, but also refer at points to the model of the attorney as public
servant
□ ABA Model Rules – “a lawyer, as a member of the legal profession, is a representative of
clients, an officer of the legal system and a public citizen having special responsibility
for the quality of justice”
□ Different roles an attorney plays:
o Advocate, advisor, negotiator, evaluator
□ Lawyer may not lie to the regulator about a material fact
□ Lawyer may not knowingly fail to disclose material information to a government official
if the information is not otherwise protected from disclosure by the ethical duty of
confidentiality and if disclosing the matter is necessary to avoid assisting the client in
a criminal or fraudulent act.
□ Lawyers may not impede investigations by government agencies
□ Attorney may not ask a person other than a client to refrain from voluntarily giving
relevant information to another party, including a government agency conducting
a compliance investigation
□ Limits on advice an attorney can give:
o Can dissuade a client from doing something illegal
o Attorney permitted to refer to other considerations such as moral, economic,
social and political factors, that may be relevant to the client’s situation.

Kaye Scholer Affair (p.300)


Facts: Office of Thrift Supervision (OTS) sued a leading corporate law firm and three partners
who worked on Lincoln Savings & Loan matters. Case brought in an OTS administrative
tribunal. Agency demanded millions in penalties and also froze defendants’ assets pending
resolution.
Issue: Whether Kaye Scholer’s representation of Lincoln Savings was proper, or whether the firm
had crossed the line into illegality.
□ Important case because of its implications for the role of attorneys representing
clients in compliance matters
□ Symbolized to many a change in the respective powers of the government
and private attorneys in compliance matters
□ OTS perspective – wanted to punish Kaye Scholer not only for its
perceived misconduct, but also to make an example of the firm
□ During a routine examination, the firm made itself responsible for handling all matters
dealing with OTS.
□ Kaye Scholer perspective – firm acted with no intent to violate any law; their
representation of Lincoln was vigorous, but this representation is what clients in
Lincoln’s position want and expect; at the time it represented the bank, relations with its
regulators had become adversarial; it was not a surprise that Kaye Scholer would treat
the engagement along the model of contested litigation rather than friendly transaction

United States v. Stevens (p.306)


Facts: Stevens was VP and Associate General Counsel of GlaxoSmithKline (GSK), a manufacturer of prescription
drugs. FDA launched an investigation into whether GSK had illegally promoted its depression
medication for weight loss, an unapproved use. FDA asked GSK to turn over copies of materials
presented at GSK programs related to Wellbutrin. Stevens led GSK’s response to the FDA’s
inquiry in consultation with outside counsel. Indictment charged that Stevens had violated 2
statutes: (1) “corruptly…obstructs, influences, or impedes any official proceeding, or attempts to
do so…”; (2) “knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes false
entry in any record…”
Stevens argument: She had not acted with wrongful intent. She should be acquitted because all
her actions were undertaken in reliance on advice from outside counsel.
Court’s oral ruling:
□ Standard under Rule 29 is whether any rational trier of fact could find the defendant
guilty beyond a reasonable doubt, viewing the evidence in the light most favorable to the
government.
□ Talks about crime fraud exception with respect to privilege – court found that
the company did not come to Stevens and ask her to help them commit a
crime; no reasonable juror could conclude otherwise beyond a reasonable
doubt
□ Would be a miscarriage of justice to permit the case to go to a jury
□ A lawyer should never fear prosecution because of advice given to a client
who consults him, and a client should never fear that its confidences will be divulged
unless the purpose of consulting the lawyer was to commit a
crime or a fraud
□ Potential for abuse in allowing prosecution of an attorney for the giving of legal advice
ABA Rule 1.6
- Confidentiality of Information
- Three general categories of exceptions
o Waiver

Waiver of Privilege (p.333)


□ Waiver by the client is the most common situation where communications are
subject to compelled production in legal proceedings

a) U.S. Attorneys’ Manual, Principles of Federal Prosecution of Business Organizations


□ Purpose of privilege is to encourage full and frank communication between attorneys
and their clients and thereby promote broader public interests in the observance of law
and administration of justice
□ Prosecutors should not ask for such waivers and are directed not to do so
□ Upjohn – Communications with the attorney pursuant to the investigation will likely be
privileged. Once the government has focused on a particular client as a potential target of
enforcement actions, the company may wish to demonstrate a cooperative attitude
towards the government by sharing the results of its internal investigation. The problem
is that the sharing of the results may result in waiver of the privilege.
□ A corporation through its officers, employees, directors, or others, may have consulted
with corporate counsel regarding or in a manner that concerns the legal implications
of the putative misconduct at issue.
□ Communications which are both independent of the fact gathering component of an
internal investigation and made for the purpose of seeking or dispensing legal advice,
lie at the core of the attorney client privilege.
□ Non-factual or core attorney work product i.e. mental impressions or legal theories, lies
at the core of the attorney work product doctrine; corporation need not disclose and
prosecutors may not request disclosure as a condition for the corporation’s eligibility
to receive cooperation credit

Reliance on Counsel as a Defense to Liability (p.335)


□ Advisable for organizations to include an attorney on all significant compliance related
communications and to place them in charge of compliance related internal
investigations
□ Can provide a potential shield against liability, under the “advice of counsel” theory
□ Advice of counsel defense applies to allegations of misconduct that require the
government to establish that the defendant acted with some sort of culpable mental
state
□ Not technically an affirmative defense but rather a refutation of an element
of the government’s case in chief
□ To obtain the benefit of the advice of counsel theory the defendant must establish that
she fully informed the attorney of all the facts material to the proposed course of
action
□ Downside? Waives the client’s attorney-client privilege at least for the advice given

Accountants (p.337)
● Line between duty to the client and to the public interest is difficult to draw
● Zealous advocacy norm is the prevailing approach
● Deloitte case – Defendants provided services in connection with financing transactions. Charged
with having facilitated improper behavior. Deloitte fined $22 million.

Auditors (p.338)
● Owe principal duties to investors or other third parties who rely on the integrity of
the financial statement which the auditor has reviewed
● US v. Arthur Young – recognized the public role of the independent auditor;
assumes public responsibility transcending any employment relationship with the
client.
● Two ways that SOX changed oversight:
1) Established new agency, Public Company Accounting Oversight Board
to exercise regulatory authority over public company auditors
▪ PCAOB:
● Power to establish auditing standards
● Inspect public company auditors
● Investigate allegations of misconduct
● Impose disciplinary sanctions on auditing firms found to
have violated the rules
2) Requiring that all public companies host audit committees composed
entirely of independent board members; empowered independent directors to
select, compensate, and monitor their company’s auditor

Andersen and Enron (p.340)


● Andersen performed both internal and external auditing work for Enron
● SEC opened inquiry into Enron after the company issued a press release announcing
a million dollar net loss (Fall 2001)
● Charge: Andersen through its partners did knowingly, intentionally and corruptly
persuade and attempt to persuade other persons, to wit: Andersen employees, with intent to
cause and induce such persons to (a) withhold records, documents and other objects
from official proceedings, namely regulatory and criminal proceedings and
investigations; (b) alter, destroy, mutilate and conceal objects with intent to impair the
objects’ integrity and availability for use in such official proceedings
● Jury convicted the firm, but the Supreme Court reversed the conviction years later.
● Response to Enron? SOX prohibited an accounting firm from acting as the external
auditor of a public company during the same period that the firm provides internal audit
outsourcing and certain other services to the company

Independence Requirements (p.343)


● SOX and PCAOB rules contain several measures intended to enhance public company
auditor independence
● List of prohibitions for audit firms i.e. bookkeeping or other services related to the
accounting records, internal audit outsourcing services, management functions or
HR
● US law requires rotation of audit partners but not audit firms

Attestation of Internal Controls (p.344)


● Section 404(b) of Sarbanes-Oxley requires the auditor to attest to, and report on,
management’s assessment of its internal controls over financial reporting required
under § 404(a) (see Ch. 3)
o To perform this function, auditor must use framework
o American public accounting firms usually employ the framework for internal
control promulgated by Committee of Sponsoring Organizations of the
Treadway Commission (COSO)
o PCAOB sets forth standards for audits of internal control in Auditing
Standard No.5
● Applying a suitable framework, the auditor is responsible for assessing whether there
are deficiencies in internal control over financial reporting
o A deficiency exists when “the design or operation of a control does not allow
management or employees, in the normal course of performing their assigned
functions, to prevent or detect misstatements on a timely basis”
▪ Deficiency of design exists when a) a control necessary to meet the
control objective is missing or b) an existing control is not properly
designed so that even if the control operates as designed, the control
objective is not always met
▪ Deficiency in operation exists when a properly designed control does
not operate as designed, or when the person performing the control does not
possess the necessary authority or qualifications to perform the control
effectively
● If a deficiency is found, auditor determines how serious the problem is.
o If relatively minor → doesn’t need to be elevated to senior management level
o Significant deficiency → report to overseers
▪ Significant deficiency is a deficiency, or a combination of deficiencies, in
internal control over financial reporting that is less severe than a material
weakness, yet important enough to merit attention by those responsible
for oversight of the company’s financial reporting.
o Material Weaknesses → serious deficiencies, or combinations of deficiencies, in
internal control over financial reporting, such that there is a reasonable
possibility that a material misstatement of the company’s annual or interim
financial statements will not be prevented or detected on a timely basis.
▪ PCAOB example of material weakness (p.345)
● Lack of a proper procedure to ensure that reconciliations of
intercompany accounts are done on a consistent and timely basis.
Lack of a proper procedure leads to frequent and significant
differences in intercompany accounts. This deficiency
represents a material weakness because the magnitude of the financial
statement misstatement negatively impacts a wide range of
company activities, and the likelihood of misstatement is not remote
(misstatements frequently occur and compensating controls are not effective in
catching and preventing/fixing the mistake)
● If all goes well, auditor can issue an unqualified opinion (which management hopes for/wants)
● Auditor must express an adverse opinion on the company’s internal controls:
o If management fails to provide a sufficient basis on which to perform the audit,
the auditor must inform management and the audit committee and then disclaim
an opinion on the grounds that the audit can’t be successfully completed
o If the audit is completed but shows that one or more material weaknesses in
the system’s controls exist, management is precluded from concluding that
internal control over financial reporting is effective.
● Audit Process – auditor is expected to perform comprehensive scrutiny of the
company’s financial controls “soup to nuts”
o auditor examines and evaluates all of the company’s internal controls over
financial reporting using a “top down” approach:
▪ 1) Auditor starts at the financial statement level – she comes to
understand the overall risks to internal control over financial reporting
▪ 2) Then, focuses on entity-level controls
▪ 3) Significant accounts and disclosures and their relevant assertions
▪ This approach directs the auditor’s attention to accounts, disclosures and
assertions that present a reasonable possibility of material misstatement
to financial statements and disclosures
▪ 4) Auditor verifies her understanding of risks in the company’s processes
and selects for testing those controls that sufficiently address the risk of
misstatement to each relevant assertion
o Management must supply a variety of representations pertinent to
internal controls
▪ Such as statements:
● Acknowledging management’s responsibility for establishing
and maintaining effective internal controls
● That management has assessed the effectiveness of these
controls and that the assessment did not use the same procedures that
the auditor used
● That set forth management’s conclusion about the effectiveness
of controls,
● Describing any material frauds,
● Stating whether control deficiencies identified in prior audits
have been resolved
o Beyond obtaining info, the auditor has to perform a systematic, on-site
evaluation of management’s controls over financial reporting, including:
▪ Assessment of the overall control environment
▪ The company’s risk assessment processes
▪ Management’s own monitoring of controls
o Auditor must understand these issues, test and evaluate the effectiveness
of controls, both individually and in combination
▪ Testing internal controls extends to the granular level of identifying and
analyzing significant accounts, important processes, and major classes
of transactions
● Auditor performs “walk-throughs” which trace a transaction
from its origination through the company’s information systems
until it is reflected in the company’s financial reports
o Auditor must also consider the effectiveness of the audit committee’s oversight of
the company’s external financial reporting and internal control over financial
reporting

Questions and comments (p.346)

▪ Many public companies—especially smaller and midsized firms—complain about the
expense and burden of § 404(b) audits. They say the audit process is time-consuming
and expensive, not only because of the auditor fees involved, but also because of the
time, energy, and focus which it demands of management
o There appears to be substantial evidence that audit fees for public companies
rose after the enactment of the Sarbanes-Oxley Act and that the increase in fees has
been disproportionately experienced by smaller issuers
o The fact that audit fees have increased, however, is not necessarily a valid
objection; what matters is whether the increased costs are offset by
corresponding benefits

PCAOB Enforcement Actions (p.347) – PCAOB has the authority to examine public accounting
firms and to impose supervisory sanctions if violations of laws and regulations are discovered.
▪ Ex. – In the Matter of Ernst & Young LLP
o Facts – Medicis, a pharmaceutical company, had its auditing work performed
by Ernst & Young (E&Y). E&Y were found to have “failed to identify and
appropriately address the material departure from U.S. Generally Accepted
Accounting Principles (“GAAP”)”
▪ Medicis was selling product to pharmacies who sold the products to
customers. Customers were given the option to return any expired
product back to Medicis for either the price they paid for it or a
replacement of the product. When creating its financial statements,
Medicis had to report a reserve amount of money to cover any potential
product replacement and any potential reimbursement cost (two different
prices). Medicis’s methodologies were wrong and resulted in its reported
sales returns reserve being materially understated and its reported
revenue being misstated.
▪ E&Y’s approach to evaluating Medicis’s sales returns reserve
methodology and estimate was inconsistent with their obligations to
exercise professional skepticism as the company’s independent
auditor
▪ Partners at E&Y, furthermore, after becoming aware of the improper
methodologies, tried to justify their use through another Statement
of Financial Accounting Standards, even though they should have known
that that exception did not apply to Medicis and therefore they failed to
identify and appropriately address a material departure from GAAP
▪ PCAOB later inspected E&Y’s audits of Medicis. Reserving at
replacement cost was not in conformity with GAAP and the company
was required to restate its accounting for its returns reserve.
● The restatement of Medicis’s financial statements for 2005,
2006, 2007 and 2008 was embarrassing, as they had to re-report
returns reserves with increases of (585%, 184%, 600%)
▪ PCAOB held that “to protect the interests of investors and further the
public interest in the preparation of informative, accurate, and
independent audit reports, the Board determines it appropriate to impose
sanctions”:
● Censures E&Y
● Bars Anderson and Thibault [E&Y partners] from
being associated with a registered public accounting
firm
● Censures Butler and Christie [other auditors at E&Y]
● Imposes civil money penalties in the amount of $2 million as
to E&Y, $50,000 as to Anderson, $25,000 as to
Thibault, and $25,000 as to Butler

Questions and Comments [p.350]

▪ The restatement generated class action litigation which settled in 2011 for
$18 million ($11 million from the company and $7 million from E&Y)

 In addition to bringing enforcement actions in connection with


inspections of individual audits, PCAOB Conducts annual inspections of
auditor performance for registered public accounting firms that provide
audit reports for more than 100 issuers. These annual inspections include
analysis of selected audits specific inspection reports. Deficiencies are
commonly noted in compliance with the following standards (among
others):
o AU 230, which requires the independent auditor to plan
and perform his or her work with due professional care
o AS No. 5, which requires the auditor to plan and perform the audit
to obtain appropriate evidence that is sufficient to support the
auditor's opinion on internal control over financial reporting
o AS No. 13, which requires that, if the auditor plans to assess control
risk at less than the maximum and to base the nature, timing, and
extent of substantive audit procedures on that lower assessment,
the auditor must obtain evidence that the controls tested were
designed and operating effectively during the entire period for
which the auditor plans to rely on controls to modify the
substantive procedures
o AS No. 15, which requires the auditor to plan and perform audit
procedures to obtain sufficient appropriate audit evidence
to provide a reasonable basis for the audit opinion
 Reports of annual inspections also include PCAOB's evaluation of
the audit firm's policies and procedures for quality control in the areas
of:
o Management structure and processes, including the tone at the top
o Practices for partner management, including allocation of
partner resources and partner evaluation, compensation,
admission, and disciplinary actions
o Policies and procedures for considering and addressing the
risks involved in accepting and retaining clients, including the
application of the firm's risk rating system
o Processes related to the firm's use of audit work that the firm's
foreign affiliates performed on the foreign operations of the
firm's US issuer audit clients
o The firm's processes for monitoring audit performance, including
processes for identifying and assessing indicators of deficiencies
in audit performance, independence policies and procedures, and
processes for responding to weaknesses in quality control
 When PCAOB issues a report of an annual inspection, it identifies
what it considers to be deficiencies in selected audits. This part of the
report is made public
 The report also contains analysis of the firm's quality control environment
o PCAOB "criticisms of or potential defects in the quality control
systems are not made public unless the firm fails to address those
criticisms" to PCAOB's satisfaction within 12 months

● In 2013, PCAOB released the confidential portions of two annual inspection reports
for PricewaterhouseCoopers (PwC), one of the world's largest public accounting
firms. Its public statement announcing this decision, and PwC's response, are
contained in the following excerpt:
In the Matter of PricewaterhouseCoopers LLP's Quality Control Remediation Submissions
(p.352) (2013)
● PCAOB evaluated PwC's efforts to address certain quality control criticisms in the
non-public portions of PCAOB's report.
● The Board determined that the firm did not address the following to the
boards satisfaction so they made the following criticisms public:
o Failing to obtain sufficient support for estimates of an asset’s fair value
o Relying too heavily on an audited client’s internal controls
o Relying too heavily on work performed by an audit client’s internal
audit Department
o Failing to deal adequately with the implications of a finding that an audit
client’s internal controls have failed in some respect
o Relying excessively on system-generated data
o Failing to exercise sufficient skepticism over management’s Estimates of
key audit numbers
● In response, PwC said that it had made significant improvements in those areas and
outlined the actions taken, e.g.:
o Providing our audit professionals with enhanced audit tools, training and
additional technical guidance to promote more consistent audit
execution.
Questions and comments (P.354)
● When PCAOB publishes criticisms of a firm, the audit firm can file a response and, if
PCAOB makes no changes to its report, the firm can appeal to the SEC.
Compliance Audits (p.355)

● A compliance auditor may examine a firm’s operations to assess whether they conform
to a variety of different standards:
o Legal requirements
o Codes of best practices promoted by standard-setting bodies
o Internal ethics codes
o Etc.
● These compliance audits may be conducted at the behest of the organization
whose activities are being scrutinized; They may also be demanded by commercial
counterparties
● Firms conducting these audits need not hold a professional accounting
certification, although some do; law firms, consulting firms and others also play a role
in this space
● An important area for compliance-based audits is the global supply chain.
o A variety of different standards apply to firms in the supply chain, including
labor rules, environmental rules, human rights rules, product quality standards,
and governance rules
Questions and comments (p.356)
● International standard setting bodies sometimes issue standards for the certification
of the audit firms that perform compliance-based audits
o The International Organization for Standardization, based in Geneva,
Switzerland, is particularly active in specifying requirements for firms that audit
compliance using that organization’s standards

Consultants and Monitors (p.356)

● In addition to attorneys, accountants, and auditors, a variety of consultants and advisory
firms assist organizations in the performance of the compliance function

In re American Continental/ Lincoln Savings & Loan Securities Litigation


● This litigation represents an attempt by plaintiffs' attorneys to impose a form of
gatekeeper liability on an economic consulting firm which had provided services to
Lincoln Savings. The case turned into a grudge match between several of the most
powerful (and wealthiest) firms on either side of the divide: prominent class action
firms, on one side; and on the other side Lexecon, one of the most successful forensic
consulting firms in the country.
o Class action against a large number of defendants based on the claim that the
defendants had conspired to violate securities and racketeering laws by misleading
investors with respect to the safety of ACC securities. One of the defendants, an
accounting firm (Arthur Young and Co.), retained Lexecon and Fischel as experts to
assist in preparing its defense. Later, plaintiffs' class counsel (referred to below as
the "defendants," since they became the defendants in Lexecon's own later suit)
moved to add Lexecon and Fischel as defendants based on certain reports prepared
by Lexecon and Fischel on behalf of ACC/Lincoln for submission to the SEC. Class
counsel claimed that Lexecon and Fischel had learned the "true" nature of
ACC/Lincoln's business practices but nevertheless assisted the thrift in its
efforts to keep regulators at bay while it continued to sell worthless debentures. The
motion was denied. Six months later class counsel renewed their efforts to bring
Lexecon into the litigation: they drafted another complaint and circulated the
document to dozens of Lexecon's potential clients (individual lawyers, law firms,
and corporations). This document was never submitted to the court.
oAccording to Lexecon, the defendants' purpose in involving it in the
litigation was 1) to extract false testimony implicating other defendants, 2) to
prevent Lexecon (the plaintiff in the later suit) from serving as an expert witness,
and 3) to make Lexecon and Fischel far less attractive to potential clients as expert
witnesses. Lexecon claims that the defendants did this as revenge for Lexecon having
testified against them previously, testimony that had allegedly led to
huge losses for them.
oLexecon later filed a complaint alleging malicious prosecution, abuse of
process, defamation, and other commercial disparagement torts, taking the
position that it had no choice but to sue due to the defendants' improper
collateral use of Lexecon's involvement in the class action

Questions and comments (p.357)


□ This case quieted efforts by plaintiffs’ attorneys to use litigation as a vehicle for
imposing a gatekeeper function on private economic and forensic consultants such
as Lexecon.

□ Closely related to the role of consultant is that of the "private sector
monitor" or "independent private sector inspector general" (IPSIG)
oIPSIG – an independent, private sector firm with legal, auditing, investigative,
management and loss prevention skills, employed by an organization (voluntarily
or by compulsory process) to ensure compliance with relevant law and
regulations, and to deter, prevent, uncover and report on ethical and illegal
conduct by, within and against the organization. May be a major participant with
management in enhancing the economy, efficiency, and effectiveness of the
organization.

James B. Jacobs & Ronald Goldstock, Monitors & IPSIGs: Emergence of a new criminal justice
role
□ The market for monitors and IPSIGs will likely grow even more rapidly in the future
because of prosecutors' recent use of IPSIGs and IPSIG-like monitors in a number of
high-profile deferred prosecution agreements and plea bargains, including cases involving
huge public corporations and partnerships, as well as the boom in private sector firms' use
of monitors to comply with the Federal Sentencing Guidelines for Organizations

New York State Dept. of Financial Services, In the Matter of Deloitte Financial Advisory
Services LLP (P.358)
□ Deloitte FAS, a private consulting firm, was hired to do consulting work for Standard
Chartered Bank (SCB) in connection with compliance with money laundering
regulations and regulations restricting the provision of services to entities subject to
US economic sanctions.
□ The New York State Department of Financial Services found that Deloitte violated New
York banking law and its own policies by knowingly disclosing confidential
supervisory information to SCB regarding other Deloitte client banks, finding that
Deloitte:
oDid not demonstrate the necessary autonomy and objectivity that is required of
consultants performing regulatory compliance work for entities supervised by the
Department
□ In order to resolve this matter without proceedings, Deloitte and the Department
agreed upon the following:
oFacts: Deloitte, upon being hired by SCB, suggested that two reports prepared for
other bank clients be used as templates for drafting the SCB final report and
sent those two reports to SCB employees. The reports contained
confidential supervisory information, which Deloitte was legally barred by
New York banking law from disclosing to any individual or entity without the
Department's prior authorization. Deloitte was not authorized to disclose those
two reports to SCB
oSettlement provisions
Monetary payment of $10 million from Deloitte to the Department.
The payment represents the aggregate of the fees and expenses received for its
work, reimbursement to the Department for the costs of its
investigation, and the costs to be incurred by the Department in
connection with the development and implementation of the procedures
and safeguards required by this agreement
oPractice reforms: Deloitte will establish and implement, as soon as possible but within 12
months from the date of this agreement, the procedures set forth, which are
intended to raise the standards now generally viewed as applicable to
independent financial services consultants. The design and implementation of
these procedures are subject to modification and refinement as may be agreed between
Deloitte and the Department on the basis of further analysis and experience. The
Department and Deloitte will meet at least monthly to discuss Deloitte's
progress in implementing these procedures and safeguards. The Department
intends to use these procedures and safeguards as the model for establishing the
standards that will govern all independent consultants seeking to be retained or
approved by the Department
oDeloitte agrees not to accept, for one year, any new engagements that would require
approval by the Department
oIndependent Consultant Practices (Exhibit A)
In order to provide Dept of Financial Services (DFS) with better
transparency, the Independent Consultant (C) and Financial
Institution (FI) must adhere to the following practices:
□ FI and C must disclose all work done by C for FI over the last
3 years
□ DFS may deem prior work impairs FI & C’s ability to do
the job well
□ C may take FI’s views into account but C must make
its own decisions and exercise independent judgment
□ C & FI must submit a work plan to DFS setting forth procedures
and timeline for the proposed work, confirm the location(s)
from which the transaction and account data will be reviewed
during engagement
□ Any material modifications or additions to the work plan shall
be submitted to DFS for prior approval before implementing
□ DFS and C will maintain open line of
communication during course of engagement
□ DFS will identify point person of contact for C and C will
identify and specify same ( C must notify DFS if there is a
change in C’s point person)
□ There will be a monthly meeting between DFS and C, without the
presence of FI, and FI must consent to C's use of confidential
info during the meetings
□ If there is any disagreement between C and FI during the
engagement about anything, and the parties can't come to
an agreement, DFS must be notified of the
disagreement
□ C & FI need to maintain records of recommendations to FI
relating to suspicious activity report filings that FI did not
adopt, and provide the records to DFS if requested
□ The final report must be submitted by C, and C may show drafts
to FI prior to submission; FI must tell C who saw the drafts,
made comments or reviewed them
□ C must have in place policies and procedures designed
specifically to maintain confidentiality of bank supervisory
material which would provide that Bank material should not
be shared with anyone who is not authorized by law or
regulation to receive it.
□ C must develop training program regarding the requirements of
NY Banking Law governing confidential info and shall provide the
training to all of its partners, principals and employees assigned to
engagements in which C expects to have access to the materials
covered by the banking laws
□ Deloitte must make a handbook with same info as
training program and distribute it to everyone in
company
SETTLEMENTS

Compliance Remedies (p.376-78)


□ In re Johnson & Johnson Derivative Litigation – motion to approve final settlement in
several shareholder derivative actions; followed a misbranding prosecution against a
J&J subsidiary involving alleged off-label marketing.
oMany corporate governance settlements include a list of reforms to be maintained
for 2-5 years; this settlement was distinguished from such common reforms by
more substantial terms:
Adoption of a Q&C (quality and compliance) core objective
Creation and adoption of a more robust compliance committee
Implementation of a PRM standard

Class Actions (p.379)


□ Joining multiple similar claims in a single proceeding
□ Most are “opt out” actions and are brought in federal court (CAFA)
□ To enforce direct claims against the defendants in contrast with
shareholders derivative suits where claims are brought on behalf of the
corporation
□ Grimes v. Donald – Court tried to draw the line between derivative suits and class
actions: “the distinction depends upon the nature of the wrong alleged and the
relief which could result if plaintiff were to prevail.”
□ Direct action – plaintiff must allege more than an injury resulting from a wrong to the
corporation; claim must be separate and distinct from that suffered by other
shareholders; or a wrong involving a contractual right of a shareholder which is
independent of the corporation
□ Often generate settlements that include governance reforms as an element of
relief (but this is less likely than in derivative litigation, which is about
governance failures, i.e. breach of fiduciary duties to the company)
□ Usually not about governance failures; they are about violations of
substantive legal standards

In re JPMorgan Chase & Co. Securities Litigation (p.380)


□ Allegation that the defendants failed to disclose, in the proxy statement soliciting
votes for the 2004 merger between JPMorgan and Bank One, an alleged offer from
Bank One's CEO
□ Theory of the case was that JPMC should have taken the CEO of Bank One's offer of a
no-premium deal in exchange for his immediate promotion to head of the
combined firm
□ Plaintiffs' attorneys never discovered any evidence of the purported offer
□ Plaintiffs attempted to negotiate a monetary settlement with defendants, but
this was refused
□ Plaintiffs next considered a "corporate therapeutics" settlement which would
include corporate governance reforms to remain in effect for four years
(p.381)
□ Trial court rejected the settlement because the defendants could unilaterally walk away
from the deal, constrained only by their fiduciary duty and the requirement that they
explain why what they were substituting would more effectively accomplish the goals
of the settlement
□ But the trial court agreed that the reforms might confer a substantial benefit on the company
Chevron Corporation v. Donziger (p.384)
Facts: Class action filed against Texaco in NY on behalf of indigenous people living in the Amazon
rainforest. Alleged that over the course of several decades Texaco, together with other oil
companies, had degraded the environment, destroying rainforest habitat to make roads and
airstrips, dumping toxic waste, and filling open pits with sludge. Dismissed for inconvenient
forum (forum non conveniens); re-filed in Ecuador. In 1998, Texaco settled the controversy and
promised to engage in clean-up efforts. In 2002, Chevron acquired Texaco. In 2011, an Ecuadorian
court awarded an $18.2 billion judgment against Chevron, as Texaco's successor: the largest
environmental judgment in history. Chevron sought an injunction to prohibit enforcement of the
Ecuadorian judgment and brought suit against Donziger and others involved in the plaintiffs'
litigation, claiming they had procured the judgment by fraud and corruption.
Decision: Evidence showed that the plaintiffs' lawyers had paid the Ecuadorian
judge to let them write his opinion, that they had pressured him into appointing a biased
court expert, and that the plaintiffs' team had ghostwritten that expert's report estimating the
damages at $27 billion.

Federal Financial Institution Examination Council (p.393)


□ Umbrella organization of financial institution
regulators
□ 2 general rules implement Gramm-Leach-Bliley Act §501 and related requirements:
oPrivacy Rule – doesn't impose obligations with respect to safeguarding
information; this is left to the Security Guidelines
oSecurity Guidelines – intended to prevent or respond to unauthorized access to or
use of private information

Interagency Guidelines Establishing Information Security Standards (p.393)


□ Each financial institution must:
oDevelop and maintain an effective information security program tailored to the
complexity of its operations
oRequire, by contract, service providers that have access to its customer
information to take appropriate steps to protect the security and confidentiality of
this information
□ Also:
oIdentify and evaluate risks to its customer information
oDevelop a plan to mitigate the risks
oImplement the plan, test it, and update it when necessary
□ Agency may take action if it finds that a financial institution’s performance
is deficient under the Security Guidelines
Security Guidelines – require financial institutions to safeguard and properly dispose of customer
information
□ Set forth "measures that an institution must consider and if appropriate adopt"
□ An institution need not implement a measure if, after due consideration, it concludes that it is
not appropriate to adopt it
□ Recognize that financial institutions may use consultants and third party service providers
to assist in their information security program; a "second set of eyes" but one that also carries
risks

Customer information – any record containing nonpublic personal information about an
individual who has obtained a financial product or service from the institution to be used for
personal, family, or household purposes (ongoing relationship with the institution)

Implementation of an Information Security System


□ Begins with conducting an assessment of reasonably foreseeable risks
□ Risk assessment procedures, analysis and results must be written
□ Under Security Guidelines, risk assessment must include 4 steps:
1) Identify reasonably foreseeable internal and external threats
2) Assessing the likelihood and potential damage of identified threats
3) Assessing the sufficiency of policies and procedures
4) Applying each step in connection with the disposal of customer information

Hiring an outside consultant to conduct the risk assessment – the assessment must examine the risks
that relate to all of the institution's customer information; examining only a subset of the
institution's risks is insufficient to meet the Security Guidelines' requirements

Engaging in an ongoing risk assessment process – institutions should continually review their
current policies and procedures to make sure they are safeguarding customer information

Security Guidelines require a financial institution to design an information security program to
control risks identified through the assessment
□ List of measures that must be considered and if appropriate, adopted:
oAccess controls on customer information systems
oAccess restrictions at physical locations containing customer information
oEncryption of electronic customer information
oProcedures designed to ensure that customer information system modifications
are consistent with the institution’s information security program
oDual control procedures
oMonitoring systems and procedures to detect actual and attempted attacks
oResponse programs
oMeasures to protect against destruction, loss or damage of customer information
□ An institution should:
oEnsure that paper records are rendered unreadable
oRecognize that computer based records present disposal problems
□ In addition to considering these measures, each institution may need to
implement additional procedures or controls specific to the nature of
its operations
□ Insurance coverage is not a substitute for an information security program

Developing and Implementing a Response Program (p.396)


□ Components include:
oAssessment of the nature and scope of the incident
oPrompt notification to federal regulator
oNotification to appropriate law enforcement authorities; filing a timely Suspicious
Activity Report
oMeasure to contain and control the incident
oNotification to customers when warranted

Circumstances for Customer Notice – Incident Response Guidance

□ Once an institution is aware of unauthorized access to sensitive customer information it should
conduct a reasonable investigation to determine the likelihood that the information has been or
will be misused
□ If misuse has occurred or is reasonably possible, the institution should notify affected customers
as soon as possible

Sensitive customer information – name, address, telephone number, SSN, driver’s license, any
combination of components of customer information that would allow an unauthorized third
party to access the account electronically

Training Staff
□ To prepare and implement institution’s information security program

Testing Key Controls


□ Required by Security Guidelines to test key controls of information security program

Overseeing Service Providers


□ Institution must:
oExercise due diligence in selecting its service providers
oMonitor its service providers to confirm that they satisfy their obligations

Contracts with Service Providers


□ Contract provisions in the Security Guidelines apply to all of a
financial institution’s service providers
□ After selecting a company, institution must enter a contract to implement
appropriate measures to implement objectives of the Security
Guidelines
□ Must require service providers by contract to:
oImplement appropriate measures designed to protect against unauthorized access
oProperly dispose of customer information
oRequire service provider to take appropriate actions to address incidents of
unauthorized access to the financial institution’s customer information

Monitoring Service Providers (p.398)


□ In accordance with risk assessment
□ Security Guidelines do not impose any specific requirements regarding the
methods or frequency of monitoring service providers
● Institution should include reviews of its service providers in its written
information security program

Adjusting the Program


● To reflect the results of its ongoing risk assessment and the key controls necessary to
safeguard customer information and ensure the proper disposal of customer
information
● Adjust program to take into account changes in technology, sensitivity of its
customer information, internal or external threats to information, and the institution’s
own changing business arrangement

Responsibilities of and Reports to the Board of the Directors


● Must approve the written information security program
● Must oversee the implementation and maintenance of the program, i.e. assign
specific responsibility for implementing the program and review management
reports

Federal Financial Institutions Examination Council (p.399)


● Consists of:
o Comptroller of the Currency
o Board of Governors of the Federal Reserve System
o Federal Deposit Insurance Corporation
o National Credit Union Administration
o Consumer Financial Protection Bureau
o State Liaison Committee (representing state financial institution supervisors)

Compliance Regime
● Risk based
● The Security Guidelines are similar to many other modern compliance programs which require
the regulated entity to perform its own risk analysis and to tailor its compliance
program accordingly

Federal Financial Institution Examination Council, Interagency Guidance on Response
Programs for Unauthorized Access to Customer Information and Customer Notice (p.400)
● Gramm-Leach-Bliley Act §501(b)(3)– information security standards established by the
agencies must include various safeguards to protect against not only “unauthorized
access to” but also the “use of” customer information in a manner that could result in
“substantial harm or inconvenience to any customer’
● Components of an institution’s response program:
o Assess the nature and scope of an incident and identify what
customer information systems and types of information have been
accessed
o Notify primary federal regulator – prompt notification when learning of
an incident involving unauthorized access
o Filing a SAR
o Take appropriate steps to contain and control the incident
o Notify customers when warranted
● When an incident of unauthorized access to sensitive customer information involves
customer information systems maintained by an institution’s service provider, it is
the financial institution’s responsibility to notify its customers and regulator
Sensitive Customer Information
● Name, address and telephone number, SSN, credit card number, account number etc.

When Customer Notice Should be Provided – whenever the institution becomes aware of an incident of
unauthorized access to sensitive customer information and its investigation shows that misuse has
occurred or is reasonably possible
● But the guidance doesn't require that the institution clear the customer notification with
the regulator before it is distributed

Customer Notice – given in a clear and conspicuous manner


● Should include:
o Description of incident
o Types of information subject to unauthorized access
o Measures taken by the institution to protect customers from further
unauthorized access
o Telephone number customers can call for assistance
o Remind customers to remain vigilant over the next 12 to 24 months

Delivery of Customer Notice – in a manner designed to ensure that a customer can reasonably be
expected to receive it

Medical Records and HIPAA (p.402)


● Health Insurance Portability and Accountability Act
● Requires healthcare entities to protect the confidentiality of health related
information (“PHI” = protected health information); includes name, address, SSN
and all medical information
● “Covered entities” – health plans, health care providers, or health care clearinghouses
are subject to civil or criminal penalties if they improperly handle or disclose PHI
● Department of Health and Human Services has implemented HIPAA’s data
protection provisions through 2 rules:
o Privacy Rule – deals with all media in which health related information is stored
o Security Rule – deals with electronic medical information

Consumer Information (p.410)


● Federal Trade Commission exercises authority under §5 of the Federal Trade
Commission Act to Punish unfair or deceptive practices directed against
consumers

In the Matter of Dave & Buster’s, Inc. (p.411)


Facts: Dave & Buster's agreed to settle Federal Trade Commission charges that the company
left consumers' credit and debit card information vulnerable to hackers, resulting in several
hundred thousand dollars in fraudulent charges. Dave & Buster's will put in place a
comprehensive information security program as a condition for settling the case. According to
the FTC, Dave & Buster's collects credit card numbers and expiration dates from customers in
order to obtain authorization for payment card purchases. The agency alleged the company failed
to take reasonable steps to secure this sensitive personal information on its computer network.
Specifically, it failed to:
● Take sufficient measures to detect and prevent unauthorized access to the network.
● Adequately restrict outside access to the network, including access by Dave &
Buster's service providers.
● Monitor and filter outbound data traffic to identify and block the export of
sensitive personal information without authorization.
● Use readily available security measures to limit access to its computer networks
through wireless access points.
Settlement: Dave & Buster's is to establish and maintain a program designed to protect the
security, confidentiality, and integrity of personal information collected from customers, and to
obtain independent, professional audits every other year for 10 years to ensure that the security
program meets the standards of the settlement. Standard record-keeping provisions allow the
FTC to monitor compliance. The order's definition of personal information also reaches a
persistent identifier combined with other available data that identifies an individual consumer.
Dave & Buster's must select and retain capable service providers and require these providers by
contract to implement and maintain appropriate safeguards, and must retain an independent
third party expert to assess its performance in the area including its compliance
with the order.
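Of the four failures the FTC listed, the third (monitor and filter outbound traffic to block the export of card data) is a concrete control rather than a policy item, so it is worth seeing what the check actually looks like. The following Python egress filter is an added illustration, not part of the FTC order or of the casebook text: it scans outbound payloads for primary account numbers, uses the Luhn checksum to discard digit runs that merely look like card numbers (so a 16-digit uptime counter is not blocked), notes whether an expiry date travels with the PAN, masks every hit before logging it, and blocks the payload. The sample payloads are constructed test data (standard Luhn test numbers, no real customer data), and the regexes and function names are assumptions for this example.

```python
import re

# Constructed sample outbound payloads for the demo. None is real customer
# data: 4111111111111111 and 1234567812345670 are standard Luhn-valid test
# numbers; 1234567890123456 is a 16-digit run that fails the Luhn check.
SAMPLE_OUTBOUND = [
    "GET /menu HTTP/1.1 Host: pos.example.invalid",
    "POST /export pan=4111111111111111 exp=12/26 name=J.DOE",
    "order 8271 total=49.99 ref=1234567812345670",
    "telemetry uptime=1234567890123456 build=2018.9",
    "note: card 4111-1111-1111-1111 declined",
]

# 13-19 digits, optionally separated by spaces or dashes, bounded by
# non-digits so a longer digit run is never matched piecemeal.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# An MM/YY expiry date next to a PAN is what makes leaked card data usable.
EXPIRY_RE = re.compile(r"\b(0[1-9]|1[0-2])/\d{2}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: str) -> list:
    """Return the Luhn-valid card-number candidates found in a payload."""
    found = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the first six and last four digits for the log record."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_outbound(payload: str) -> dict:
    """Decide whether an outbound payload may leave the network.

    A payload carrying at least one Luhn-valid PAN is blocked; the masked
    PANs and whether an expiry date accompanied them go to the log record.
    """
    pans = find_pans(payload)
    if not pans:
        return {"action": "allow", "pans": [], "expiry": False}
    return {
        "action": "block",
        "pans": [mask(p) for p in pans],
        "expiry": EXPIRY_RE.search(payload) is not None,
    }


def filter_stream(payloads) -> list:
    """Run the check over a sequence of payloads; returns (payload, verdict) pairs."""
    return [(p, inspect_outbound(p)) for p in payloads]


if __name__ == "__main__":
    for payload, verdict in filter_stream(SAMPLE_OUTBOUND):
        print(f"{verdict['action']:5} pans={verdict['pans']} "
              f"expiry={verdict['expiry']}  <- {payload}")
```

Run stand-alone it prints one verdict per sample payload: the two payloads carrying a Luhn-valid PAN (one of them with dashes) are blocked, the telemetry line with a Luhn-invalid 16-digit counter is allowed. In a real deployment this logic would sit in an egress proxy and look at decoded application data, and the masked log record is what an investigator later needs to scope the incident without re-exposing the card numbers.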

Persistent Identifier – piece of information i.e. IP address or mobile device identifier, that is
associated with some use that lasts over time; need not be personally identifying; associate with
particular device not necessarily a particular person

Public Company Information (p.413-417)


● Companies in general don’t like to disclose security breaches – doing so is likely
to trigger an inquiry from regulators; may cause investors to lose confidence in the
company’s management; spark class action lawsuits

Cyber Attacks
● Cyber risks come in many different forms and from different sources, with a range of
possible harms
● A cyber incident can result from a deliberate attack or an unintentional event
o Not limited to gaining unauthorized access to digital systems for purposes of
misappropriating assets or sensitive information, corrupting data, or causing
operational disruption
o Can be carried out in ways that do not require gaining unauthorized access
o Carried out by third parties or insiders
o Objectives of attacks vary widely, i.e. theft of financial assets, IP, or
sensitive information

Securities and Exchange Commission, Cyber security


● Registrants that fall victim to cyber attacks can incur negative consequences:
o Remediation costs
o Increased cyber security protection costs
o Lost revenues
o Litigation
o Reputational damage
□ While registrants should provide disclosure tailored to their particular circumstances and
avoid generic boilerplate disclosure, the federal securities laws do not require disclosure that
itself would compromise a registrant's cyber security

Two types of disclosure are covered in the SEC, Cyber security excerpt:
□ Disclosure of cyber risks
□ Disclosure of cyber breaches

Law Firm Information (p.418)


□ Prohibited from revealing client information
□ In some respects, the problem of data security in law firms is more severe
than the problems in other organizations
□ Rule 1.6(c) ABA Model Rules imposes a duty on attorneys to safeguard the security of
client information; comments also stress that an attorney is protected if she
undertakes precautions to safeguard security which are reasonable under the
circumstances
□ See State Bar of Arizona Ethics Opinion 05-04 (July 2005) – as an opinion
dealing with data security at law firms (issued prior to the adoption of 1.6(c))

Off Label Drugs (p.425)


□ Leading compliance issue for health care industry is the promotion of “off-
label” drug use by pharmaceutical manufacturers
□ Off label drug use occurs when a medication approved by the FDA is used to
treat a different condition for which it is not approved
□ FDA must approve a new drug for specific uses before it can be sold
in interstate commerce
□ Rationale for banning promotions of drugs for unapproved uses – if companies could do
this they could circumvent much of the regulatory scheme which requires clinical trials
in order to demonstrate a medication’s safety and efficacy before it is marketed

The Compliance Response (p.434)


□ Johnson & Johnson paid more than $2.2 billion to settle criminal and civil charges
arising out of its marketing of Risperdal; Pfizer paid $2.3 billion to settle charges of off
label marketing for its antibiotic agent; Eli Lilly paid $1.4 billion in connection with
Zyprexa
□ Penalties for off label marketing are not limited to fines; some employees
have faced criminal sentences
□ 2 factors create the ideal environment for the compliance function:
o Temptation to engage in off label marketing
o Significant risk associated with this activity
□ An effective compliance program can guide those charged with marketing
drugs into engaging in legal activities and avoiding illegal ones
□ The presence of a well designed compliance operation tends to negate criminal intent
□ Companies can adopt off label drug promotion compliance programs on their
own; but, often the program is shaped by the settlement of an enforcement
action
Corporate Integrity Agreement between Office of Inspector General and Cephalon, Inc. (p.435)

□ Cephalon, Inc. (Cephalon) hereby enters into this Corporate Integrity Agreement (CIA)
with the Office of Inspector General (OIG) of the United States Department of
Health and Human Services (HHS). . . .
□ Cephalon established a voluntary compliance program (known as "Global Compliance"
or "Global Compliance Program") applicable to all Cephalon employees. . . . Cephalon's
Global Compliance Program includes an Executive Vice President, [a] Chief Compliance
Officer who reports directly to the Audit Committee of the Board of Directors and to the
CEO, and a Compliance Committee. The Global Compliance Program also includes a
Code of Conduct applicable to all employees that is regularly reviewed and
disseminated, written policies and procedures that, as represented by Cephalon, promote
high ethical standards, educational and training initiatives that, as represented by
Cephalon, help to ensure compliance with applicable laws and regulations, a Disclosure
Program that allows for the confidential disclosure and investigation of potential
compliance violations and appropriate disciplinary procedures, screening measures,
and regular internal auditing procedures.
□ Cephalon may modify its CIA compliance program as appropriate, but at a
minimum, Cephalon shall ensure that during the term of the CIA, it shall
comply with the obligations set forth herein…
□ Term and scope of the CIA
oThe period of the compliance obligations under the CIA shall be five years from
the effective date of this CIA, unless otherwise specified
□ Corporate Integrity Obligations
□ Cephalon shall establish and maintain a compliance program throughout the term
of this CIA that includes the following elements:
oCompliance responsibilities of Chief Compliance Officer, Compliance
Committee, the Board of Directors, and Management Certifications.
Chief Compliance Officer (CCO)
□ Responsible for developing and implementing policies, procedures
and practices designed to ensure compliance with the
requirements set forth in the CIA and with federal health care
program requirements and FDA requirements
□ Is a member of executive management of Cephalon,
□ Shall make periodic (at least quarterly) Reports regarding
compliance matters directly to the audit committee of the Board
of Directors
□ Shall be authorized to report on such matters to the
Board of Directors at any time
□ Shall not be subordinate to the General Counsel or CFO
□ Shall be responsible for monitoring the day-to-day compliance
activities engaged in by Cephalon as well as for any
reporting obligations created under the CIA
Compliance Committee
□ The Compliance Committee shall, at a minimum, include the
CCO and other members of senior management necessary to
meet the requirements of the CIA
o Senior managers of relevant departments (such as legal,
medical affairs, sales, marketing, human resources, and
internal audit)
o The CCO shall chair the compliance committee and the
committee shall support the CCO in fulfilling his/her
responsibilities
Board of Directors
Board of Directors (Board) or a Committee of the Board, if applicable.
Shall be responsible for the review and oversight of matters related
to compliance with federal health care program requirements, FDA
requirements, and the obligations of the CIA
The Board, or a committee of the Board, shall, at a minimum,
be responsible for the following:
□ Meeting at least quarterly to review and oversee Cephalon’s
Global compliance program, including but not limited to the
performance of the CCO and Global compliance
department
□ For each reporting period of the CIA, adopting a resolution
summarizing its official review and oversight of Cephalon’s
compliance with federal health care program requirements, FDA
requirements, and the obligations of the CIA. Each individual
member of the board or, if applicable, each member of the
committee of the board having responsibility for compliance,
shall sign a statement indicating that he or she agrees with the
resolution
oAt minimum, the resolution shall include the following
language: “The Board of Directors has made a reasonable
inquiry into the operations of Cephalon’s global
compliance program, including the performance of the
CCO and the global compliance department. Based on its
inquiry, the board has concluded that to the best of its
knowledge, Cephalon has implemented an effective global
compliance program to meet the federal health care
program requirements, FDA requirements, and the
obligations of the CIA”
oIf the Board is unable to provide such a conclusion in the
resolution, the Board shall include in the resolution a
written explanation of the reasons why it is unable to
provide the conclusions and the steps it is taking to
implement an effective compliance program at Cephalon
□ Cephalon shall report to OIG, in writing, any changes in the
composition of the Board, or any actions or changes that would
affect the Board’s ability to perform the duties necessary to
fulfill the obligations in the CIA, within 15 days after such
change
oManagement Accountability and Certifications
Cephalon represents that compliance is a component of each employee's
performance objectives. In addition to the responsibilities set forth in
this CIA for all Covered Persons [major shareholders, officers, directors,
employees and contractors working more than 160 hours per year],
certain Cephalon employees ("Certifying Employees") are specifically
expected to monitor and oversee activities within their areas of
authority and shall annually certify in writing or electronically that the
applicable area of authority is compliant with Federal health care
program requirements, FDA requirements, and the obligations of this
CIA.
□ The Certifying Employees include, at a minimum, the following:
Chairman and Chief Executive Officer, Executive Vice President
of Worldwide Medical and Regulatory Operations, Executive
Vice President of Worldwide Pharmaceutical Operations, all
business unit sales vice presidents, all business unit marketing
vice presidents, all business unit sales directors, all business unit
marketing directors, the Vice President of worldwide Medical
Affairs, and all medical directors of communications and medical
science liaisons (MSLs).
For each Reporting Period, each Certifying Employee shall certify
in writing or electronically that:
□ “I have been trained on and understand the compliance
requirements and responsibilities as they relate to [department or
functional area], an area under my supervision. . . . To the best of
my knowledge, except as otherwise described herein, the
[department] of Cephalon is in compliance with all applicable
Federal health care program requirements, FDA requirements, and
the obligations of the CIA."
oWritten Standards
Code Of Conduct
□ Prior to the Effective Date, Cephalon developed,
implemented, and distributed a written Code of Conduct to
all Covered Persons.
□ Cephalon currently requires all newly employed persons to
certify in writing or electronically that they have received,
read, understood, and shall abide by Cephalon's Code of
Conduct.
Cephalon shall continue to make the promotion of, and adherence
to, the Code of Conduct an element in evaluating the performance
of all employees.
□ At a minimum, Code of Conduct shall include the following:
oCephalon's commitment to full compliance with all Federal
healthcare program and FDA requirements, including its
commitment to market, sell, promote, research, develop,
provide information about, and advertise its products in
accordance with Federal health program requirements and
FDA requirements;
oCephalon's requirement that all of its Covered Persons shall
be expected to comply with all Federal health care program
and FDA requirements and with Cephalon's own Policies
and Procedures. . . ;
oThe requirement that all of Cephalon's Covered Persons
shall be expected to report to the Chief Compliance
Officer, or other appropriate individual designated by
Cephalon, suspected violations of any Federal health care
program and FDA requirements or of Cephalon's own
Policies and Procedures;
oThe possible Consequences to both Cephalon and Covered
Persons of failure to comply with Federal health care
program and FDA requirements and with Cephalon's own
Policies and Procedures and the failure to report such non-
compliance; and
oThe right of all individuals to use the Disclosure Program
and Cephalon's commitment to maintain, as appropriate,
confidentiality and anonymity with respect to such
disclosures.
oTo the extent not already accomplished, within 120 days
after the Effective Date, the Code of Conduct shall be
distributed to each Covered Person and each Covered
Person shall certify, in writing or electronically, that he or
she has received, read, understood, and shall abide by
Cephalon's Code of Conduct.
New Covered Persons shall receive the Code
of Conduct and shall complete the required
certification within 30 days after becoming a
Covered Person or within 120 days after the
Effective Date, whichever is less…
Third Party Personnel
□ Within 90 days after the Effective Date, and annually thereafter. . .
Cephalon shall send a letter to each entity employing Third
Party Personnel.
oThe letter shall outline Cephalon's obligations under the
CIA and its commitment to full compliance with all Federal
health care program and FDA requirements.
oThe letter shall include a description of Cephalon's
Compliance Program. Cephalon shall attach a copy of its
Code of Conduct to the letter and shall request the
employing Third Party Personnel to either: (a) make a copy
of Cephalon's Code of Conduct and a description of
Cephalon's Compliance Program available to its Third
Party Personnel; or (b) represent to Cephalon that it has
and enforces a substantially comparable code of conduct
and compliance program for its Third Party personnel.
Policies and Procedures
□ Cephalon shall implement written Policies and Procedures
regarding the operation of the Compliance Program and
Cephalon’s compliance with Fed. Health Care program and
FDA requirements (Policies and Procedures).
□ Should address:
o The subjects relating to the Code of Conduct
o Appropriate ways to conduct Promotional and Product
Services Related Functions in compliance with all
applicable FDA requirements
o The mechanisms through, and manner in which, Cephalon
receives and responds to requests for info about non-FDA
approved (or off-label) uses of Cephalon’s products
o Development of call plans for field sales reps who promote
Government Reimbursed products
oconsultant or other fee-for-service arrangements entered
into with [health care providers and health care
institutions];
oprograms to educate field representatives, including
preceptorships. . . ;
o sponsorship or funding of grants (including educational
grants) or charitable contributions. . . ;
ofunding of, or participation in, any Third Party Educational
Activity;
oreview of promotional materials by appropriate qualified
personnel (such as regulatory, medical, and/or legal
personnel).
osponsorship or funding of research or related activities. . . ;
ocompensation (including salaries and bonuses) for Relevant
Covered Persons. .
o disciplinary policies and procedures for violations of
Cephalon's Policies and Procedures. . .
Training and Education
□ Training to employees on a regular basis must cover
the following areas
oReview procedures
Engagement of independent review organization
(such as accounting, auditing, or consulting firm)
— “IRO” to perform reviews to assist Cephalon in
assessing and evaluating its Promotional and
Product Services Related Functions
□ IRO shall have expertise in applicable Fed.
Health Care program and FDA reqs.
□ IRO must assess with Cephalon whether
the IRO can perform its engagement in a
professionally independent and objective
fashion—taking into account any other
business relationship or other engagements
that may exist
oIRO Review Reports- IRO(s) shall prepare a report (or
reports) based upon each Review performed
□ Validation Review- in the event that
OIG has reason to believe that (a) any IRO
Review fails to conform to the requirements
of this CIA; or (b) the IRO’s findings or
Review results are inaccurate, OIG may, at
its discretion, conduct its own review to
determine whether the applicable IRO
Review complied w. the reqs of the CIA
and/or findings or Review results are
inaccurate
Disclosure Program
□ Designed to facilitate communications relating to compliance w.
Fed. Health Care program and FDA reqs and Cephalon’s policies.
□ Cephalon shall maintain a Disclosure Program that includes a
mechanism (a toll-free compliance line) to enable individuals to
disclose, to the Compliance Officer or some other person—who
is not in the disclosing person’s chain of command—any
identified issues or questions associated with Cephalon’s policies,
conduct, practices, or procedures with respect to a Fed. Health
Care program or FDA req believed by the individual to be a
potential violation of criminal, civil, or administrative law.
oProgram shall emphasize a non-retaliation policy and
include an anonymous reporting mechanism for which
appropriate confidentiality shall be maintained
Questions and Comments (p.440)
□ Corporate Integrity Agreement (CIA). This is the name the FDA uses to describe what are in
essence consent decrees that settle regulatory enforcement proceedings. A CIA typically
includes requirements to hire a compliance officer; appoint a compliance committee; develop
written standards and policies; implement a comprehensive employee training program; retain
an independent review organization to conduct annual reviews; establish a confidential
disclosure program; restrict employment of ineligible persons; report overpayments, reportable
events, and ongoing investigations and legal proceedings; and provide an
implementation report and annual reports on the status of the entity's compliance
activities.
□ This case arose out of a probe into allegations that Cephalon, a drug manufacturer, was
promoting medications for uses not approved by the FDA. As a result of that
investigation Cephalon agreed, among other things, to pay $425 million to settle
charges that it had improperly marketed several of its prescription medications for
unapproved uses.
□ Cephalon's situation illustrates the pack of trouble a company can experience as a result
of a serious compliance breakdown. At the time it entered this settlement agreement with
HHS, the company was also being pursued by the U.S. Department of Justice, various
state attorneys general, and (undoubtedly) many plaintiffs' attorneys. Part of the task of
counsel, in a crisis such as this, is to find a path to a comprehensive settlement that allows
the company to go forward free of the burden of its past conduct.
□ Did the agreement in the excerpted matter impose new obligations on
Cephalon's board of directors? See In re Pfizer, 722 F. Supp. 2d 453, 461
(S.D.N.Y. 2010) (“although corporate integrity agreement did not create new fiduciary
duties, it imposed affirmative obligations on Pfizer's board that went well beyond the
basic fiduciary duties required by Delaware law.”).

Foreign Corrupt Practices (p. 443)

□ US regulation of FCP grew out of revelations in the 1970s that hundreds of American
companies were bribing foreign officials to secure contracts overseas, and were
falsifying records to conceal the activity
□ Public outrage heightened by Watergate, sparked Congress to action
□ Spirit of FCPA reflected in Senate report on the measure:
o “corporate bribery is bad business. In our free-market system it is basic that the
sale of products should take place on the basis of price, quality, and service.
Corporate bribery is fundamentally destructive of this basic tenet. Corporate
bribery of foreign officials takes place primarily to assist corporations in gaining
business. Thus foreign corporate bribery affects the very stability of overseas
business. Foreign corporate bribes also affect our domestic competitive climate
when domestic firms engage in such practices as a substitute for healthy
competition for foreign business.”
□ There are two essential requirements of the FCPA
oThe anti-bribery provision: prohibit covered persons from paying foreign
officials to obtain or retain business
o The accounting provisions: require issuers to make and retain accurate books and
records and to devise and maintain an adequate system of internal accounting
controls. They also prohibit covered parties from knowingly falsifying books and
records or knowingly circumventing or failing to implement a system of internal
controls.
□ American companies resisted the statute; they did not object to a rule that prohibited
bribing foreign officials, but they complained that the FCPA placed limits on their
ability to follow accepted business practices in foreign countries.
o Congress partially responded to these concerns in 1988 by creating an
affirmative defense for bona fide promotional expenses which are shown to be
legal in the country where they occurred
□ The FCPA effectively requires companies doing business abroad
to implement compliance programs.
o The presence of a program, no matter how well-designed, is not a guarantee of
immunity from liability
o The absence of a compliance program will not be viewed with favor when
regulators decide whether to bring enforcement proceedings
□ The FCPA is jointly enforced by the Department of Justice and the SEC
U.S. Department of Justice and Securities and Exchange Commission, A Resource Guide to the
U.S. Foreign Corrupt Practices Act (p.444)—Advice by agencies to those covered by the FCPA

□ Hallmarks of Effective Compliance Programs


o Discussion is meant to provide insight into the aspects of compliance programs
that DOJ and SEC assess when making their own determination of what is an
effective program
Small and medium-sized enterprises likely will have different compliance
programs from large multinational corporations, a fact DOJ and SEC
take into account when evaluating companies’ compliance programs
o Programs that employ a “check the box” approach may be inefficient and, more
importantly, ineffective
Compliance program should be tailored to an organization’s specific
needs, risks, and challenges
o If designed carefully, implemented earnestly, and enforced fairly, a company’s
compliance program—no matter how large or small the organization—will allow
the company generally to prevent violations, detect those that do occur, and
remediate them promptly and appropriately.
□ Commitment from senior management and a clearly articulated policy against corruption
oCompliance begins at the Board of Directors and senior executives setting the
proper tone for the rest of the company—TONE AT THE TOP!
DOJ and SEC consider the commitment of corporate leaders to a culture
of compliance and look to see if this high-level commitment is also
reinforced and implemented by middle managers and employees at
all levels of business
A well-designed compliance program that is not enforced in good faith,
such as when corporate management explicitly or implicitly encourages
employees to engage in misconduct to achieve business objectives, will be
ineffective.
A strong ethical culture directly supports a strong compliance program.
By adhering to ethical standards, senior managers will inspire middle
managers to reinforce those standards. Compliant middle managers,
in turn, will encourage employees to strive to attain those standards
throughout the organizational structure.
DOJ and SEC thus evaluate whether senior management has clearly
articulated company standards, communicated them in unambiguous
terms, adhered to them scrupulously, and disseminated them
throughout the organization
□ Code of conduct and compliance policies and procedures
oA company’s code of conduct is often the foundation upon which an effective
compliance program is built
The most effective codes are clear, concise, and accessible to all
employees and to those conducting business on the company’s
behalf
□ Needs to be available in the local language so that
employees in foreign subsidiaries can access and
understand it
oDOJ and SEC will review:
Whether the company has taken steps to make sure that the code of conduct
remains current and effective and whether the company has periodically
reviewed and updated its code
Whether the company has policies and procedures that outline responsibilities
for compliance within the company, detail proper internal controls,
auditing practices, and documentation policies, and set forth
disciplinary procedures
□ These types of policies and procedures will depend on the
size and nature of the business and the risks associated with
the business
Effective policies and procedures require an in-depth understanding of the
company’s business model, including its products and services, third-
party agents, customers, government interactions, and industry and
geographic risks.
Risks that companies may need to address include the nature
and extent of transactions with foreign governments, including:
□ Payments to foreign officials
□ Use of third parties
□ Gifts, travel, entertainment expenses
□ Charitable and political donations
□ Facilitating and expediting payments
For example- Some companies with global operations have created web-
based approval processes to review and approve routine gifts, travel, and
entertainment involving foreign officials and private customers with clear
monetary limits and annual limitations. These systems have the flexibility
to ensure that senior management, or in-house legal counsel, can be apprised of
and, in appropriate circumstances, approve unique requests. These types
of systems can be a good way to conserve corporate resources while, if
properly implemented, preventing and detecting potential FCPA
violations.
These standards and policies should apply to personnel at all levels of
the company
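The web-based approval process described in the example above is, at bottom, a policy check with two thresholds (a per-item limit and an annual cap per recipient) and an escalation path for anything that falls outside them. The following is an added illustration of that control logic, written for this outline; it is not code from the course materials or from the DOJ/SEC Resource Guide. The limits, recipient categories, request records and the `ApprovalEngine` class are all constructed assumptions chosen to show how the annual cap catches a series of individually permissible gifts, how unusual items go to legal counsel rather than being auto-approved, and how every decision is written to an audit log.

```python
"""
Added example (not from the course outline or the DOJ/SEC Resource Guide):
a minimal gift/travel/entertainment approval engine. Routine requests under
per-item and annual limits are auto-approved; anything unusual is escalated
for legal review; disallowed categories are denied. All limits, names and
amounts are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed policy limits in USD. Foreign officials get tighter limits than
# private customers because payments to them carry FCPA anti-bribery risk.
PER_ITEM_LIMIT = {"foreign_official": 50.0, "private_customer": 150.0}
ANNUAL_LIMIT = {"foreign_official": 200.0, "private_customer": 600.0}
ALLOWED_CATEGORIES = {"gift", "meal", "travel", "entertainment"}


@dataclass(frozen=True)
class Request:
    request_id: str
    requester: str
    recipient: str
    recipient_type: str           # "foreign_official" or "private_customer"
    category: str
    amount_usd: float
    requested_on: date
    cash_equivalent: bool = False  # gift cards, vouchers, etc.


@dataclass
class Decision:
    outcome: str   # "APPROVED", "ESCALATED" or "DENIED"
    reason: str


class ApprovalEngine:
    """Tracks per-recipient annual spend and decides each request."""

    def __init__(self):
        self._annual_total = defaultdict(float)  # (recipient, year) -> USD approved
        self.audit_log = []                       # (request_id, outcome, reason)

    def annual_total(self, recipient: str, year: int) -> float:
        return self._annual_total[(recipient, year)]

    def decide(self, req: Request) -> Decision:
        key = (req.recipient, req.requested_on.year)
        if req.recipient_type not in PER_ITEM_LIMIT:
            d = Decision("DENIED", "unknown recipient type")
        elif req.category not in ALLOWED_CATEGORIES:
            d = Decision("DENIED", f"category {req.category!r} not permitted")
        elif req.cash_equivalent:
            # Cash and cash equivalents are never routine: a person must decide.
            d = Decision("ESCALATED", "cash or cash-equivalent benefit")
        elif req.amount_usd > PER_ITEM_LIMIT[req.recipient_type]:
            d = Decision("ESCALATED",
                         f"exceeds per-item limit of {PER_ITEM_LIMIT[req.recipient_type]:.2f}")
        elif self._annual_total[key] + req.amount_usd > ANNUAL_LIMIT[req.recipient_type]:
            # Each item alone is fine, but the cumulative annual spend is not;
            # this is exactly the pattern the annual cap exists to catch.
            d = Decision("ESCALATED",
                         f"would exceed annual limit of {ANNUAL_LIMIT[req.recipient_type]:.2f}")
        else:
            d = Decision("APPROVED", "within per-item and annual limits")
        if d.outcome == "APPROVED":
            self._annual_total[key] += req.amount_usd
        # Every decision, including denials, is recorded for later audit.
        self.audit_log.append((req.request_id, d.outcome, d.reason))
        return d


def run_sample() -> list:
    """Runs a constructed batch of requests and returns the outcomes in order."""
    engine = ApprovalEngine()
    reqs = [
        Request("R1", "sales.rep", "official.A", "foreign_official", "meal", 40.0, date(2018, 3, 1)),
        Request("R2", "sales.rep", "official.A", "foreign_official", "gift", 45.0, date(2018, 6, 1)),
        Request("R3", "sales.rep", "official.A", "foreign_official", "gift", 45.0, date(2018, 7, 1)),
        Request("R4", "sales.rep", "official.A", "foreign_official", "gift", 45.0, date(2018, 8, 1)),
        # R5 is under the per-item limit but pushes the year's total past 200.
        Request("R5", "sales.rep", "official.A", "foreign_official", "meal", 45.0, date(2018, 9, 1)),
        # R6 is a single large item.
        Request("R6", "sales.rep", "official.B", "foreign_official", "travel", 900.0, date(2018, 9, 1)),
        # R7 is a gift card: cash equivalent, so it is escalated regardless of amount.
        Request("R7", "sales.rep", "cust.C", "private_customer", "gift", 100.0, date(2018, 9, 1),
                cash_equivalent=True),
        # R8 uses a category the policy does not cover at all.
        Request("R8", "sales.rep", "cust.C", "private_customer", "donation", 20.0, date(2018, 9, 1)),
    ]
    return [engine.decide(r).outcome for r in reqs]


if __name__ == "__main__":
    for rid, outcome in zip("R1 R2 R3 R4 R5 R6 R7 R8".split(), run_sample()):
        print(rid, outcome)
```

In the sample batch the first four requests to `official.A` are each under the per-item limit and are approved, the fifth is escalated only because the annual total would reach 220, the 900 USD travel request is escalated on the per-item test, the gift card is escalated as a cash equivalent before any amount check runs, and the donation is denied because the policy has no category for it (charitable contributions would need their own review path). The audit log is what an internal audit or an IRO-style review would sample when testing whether the control on paper is working in practice.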
oOversight, autonomy, and resources
DOJ and SEC also consider whether a company has assigned
responsibility for the oversight and implementation of a company’s
compliance program to one or more specific senior executives within
an organization.
□ These individuals:
o Must have appropriate authority within the organization
o Have adequate autonomy from management
Generally includes direct access to an organization’s
governing authority such as the board of directors
and audit committees
oHave sufficient resources to ensure that the company’s
compliance program is implemented effectively
□ Depending on size and structure of the organization it may
be appropriate for day-to-day operational responsibility
to be delegated to other specific individuals within the
company
o DOJ and SEC typically consider whether the company
devoted adequate staffing and resources to the compliance
program given the size, structure, and risk profile of the
business
oRisk assessment
DOJ and SEC evaluate a company’s risk assessment because it
is fundamental to developing a strong compliance program
One-size-fits-all compliance programs are generally ill-conceived and
ineffective because resources are inevitably spread too thin with too
much focus on low-risk markets and transactions to the detriment of
high-risk areas
□ Company needs to devote resources appropriately (i.e- don’t
waste time & money policing modest entertainment and gift
giving instead of focusing on large government bids,
questionable payments to third party consultants, or
excessive discounts to resellers and distributors)
DOJ and the SEC will give meaningful credit to a company that
implements in good faith a comprehensive, risk-based compliance
program, even if that program does not prevent an infraction in a low-
risk area because greater attention and resources have been devoted to
a high-risk area
As a company’s risk for FCPA violations increases, that business should
consider increasing its compliance procedures, including due diligence
and periodic internal audits.
□ Degree of appropriate due diligence is fact specific and should
vary based on industry, country, size and nature of the
transaction, and the method and amount of third party
compensation
□ Factors to consider include risks presented by:
oThe country and industry sector,
oThe business opportunity
oPotential business partners
oLevel of involvement with governments
oAmount of government regulation and oversight
o Exposure to customs and immigration in conducting
business affairs
DOJ and SEC take into account whether and to what degree the
company analyzes and addresses the particular risks it faces
oTraining and continuing advice
DOJ and SEC will evaluate whether a company has taken steps to ensure
the relevant policies and procedures have been communicated
throughout the organization
Periodic training and certification for all directors, officers,
relevant employees, and, where appropriate, agents and business
partners
□ Can be a combination of web-based and in-
person training conducted at varying intervals
Training typically covers:
□ Company policies and procedures
□ Instruction on applicable laws
□ Practical advice to address real-life scenarios and case studies
Information should be presented in a manner appropriate for the targeted
audience, including providing training and training materials in the local
language. In addition to the existence and scope of the company’s
training program, a company should develop appropriate measures to
provide guidance and advice on complying with the company’s ethics and
compliance program, including when such advice is needed urgently.
oIncentives and disciplinary measures
DOJ and SEC will consider the company’s enforcement of the
compliance program
□ Compliance program should apply from the boardroom
to the supply room—no one is beyond reach
□ When enforcing a compliance program, a company
should have appropriate and clear disciplinary
procedures
o The procedures are applied reliably and promptly
o Should be commensurate with the violation
o Many companies have found that publicizing disciplinary
actions internally can have an important deterrent effect,
demonstrating that unethical and unlawful actions have
swift and sure consequences
□ Positive incentives can also drive compliant behavior.
Incentives such as:
oPersonal evaluations and promotions
oRewards for improving and developing a company’s
compliance program
oRewards for ethics and compliance leadership
o Some organizations have made adherence to
compliance a significant metric for management’s bonuses
so that compliance becomes an integral part of management’s
everyday concern
o Beyond financial incentives, some companies have
highlighted compliance within their organizations by
recognizing compliance professionals and internal audit
staff
o Make “doing the right thing” a priority and reward it
□ DOJ and the SEC consider whether disciplinary schemes and
potential incentives are fairly and consistently applied across
the organization
oThird-Party Due Diligence and Payments
Third parties, including agents, consultants, and distributors, are commonly
used to conceal the payment of bribes to foreign officials in
international business transactions
Risk-based due diligence is particularly important with third parties and
will be considered by DOJ and SEC in assessing the effectiveness of
a company’s compliance program
Degree of appropriate due diligence varies based on industry, country,
size and nature of the transaction, and historical relationship with the
third party
Guidelines for Risk-based due diligence:
□ Companies should understand the qualifications
and associations of their third-party partners
oBusiness reputation, and relationships, if any, with
foreign officials
oThe degree of scrutiny should increase as red flags surface
□ Companies should have an understanding of the
business rationale for including the third-party in the
transaction
o Understand the role of and need for the third party and ensure
that the contract terms specifically describe the services to
be performed
o Payment terms and how those payment terms compare to
typical terms in that industry and country
o Timing of the third party’s introduction to the business
o May want to confirm and document that the third party is
actually performing the work for which it is being paid and
that its compensation is commensurate with the work being
provided
□ Company should undertake some form of ongoing
monitoring of third-party relationships. This may include
oUpdating due diligence periodically
oExercising audit rights
o Providing periodic training
oRequesting annual compliance certifications by the third-
party
DOJ and SEC also assess whether the company has informed third
parties of the company’s compliance program and commitment to
ethical and lawful business practices
□ Also whether company has sought assurances from third parties,
through certifications and otherwise, of reciprocal
commitments

o Confidential reporting and internal investigation
Compliance program should include a mechanism for an
organization’s employees and others to report suspected or actual
misconduct or violations on a confidential basis and without fear of
retaliation
□ Ex. Anonymous hotlines or ombudsman
Once an allegation is made, Company should have in place an
efficient, reliable, and properly funded process for
□ investigating the allegation and
□ documenting the company’s response
oIncluding any disciplinary or remediation measures taken
Companies should consider taking “lessons learned” from any reported
violations and the outcome of any resulting investigation to update
their internal controls and compliance programs and focus future
training on such issues
o Continuous Improvement: Periodic Testing and Review
Program should consistently evolve
□ A company's business changes over time, as do the environments in
which it operates, the nature of its customers, government actions,
and the standards of its industry.
□ In practice, a compliance program that is actually followed will
inevitably uncover compliance weaknesses and
require enhancements
DOJ and SEC evaluate whether companies regularly review and
improve their compliance programs and do not allow them to become
stale
□ Review and test controls
□ Think about potential weaknesses and risk areas
□ Can use employee surveys to monitor compliance culture and
strengthen internal controls, identify best practices, and
detect problem areas
□ Can periodically test internal controls with targeted audits to
make sure that controls that exist on paper are working in
practice
DOJ and SEC will give meaningful credit to thoughtful efforts to create
a sustainable compliance program if a problem is later discovered
□ Undertaking proactive evaluations before a problem
strikes can lower the applicable penalty range under the
US Sentencing Guidelines
□ Nature and frequency of evaluations may vary depending on the
size and complexity of an organization, but the idea behind the efforts
is the same: continuous improvement and sustainability

o Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration


A company that does not perform adequate FCPA due diligence prior to
a merger or acquisition may face both legal and business risks
□ Ex. inadequate due diligence can allow a course of bribery to continue, with all the
attendant harms to a business's profitability and reputation,
as well as potential civil and criminal liability.
Companies that conduct effective due diligence on their acquisition targets
are able to evaluate more accurately each target's value and to negotiate
for the costs of the bribery to be borne by the target
□ Such actions demonstrate to DOJ and SEC a company's
commitment to compliance and are taken into account
when evaluating any potential enforcement action
When pre-acquisition due diligence is not possible, DOJ has described
procedures … pursuant to which companies can nevertheless be
rewarded if they choose to conduct thorough post-acquisition FCPA due
diligence.
FCPA due diligence is only a portion of the compliance process
for mergers and acquisitions.
DOJ and SEC evaluate whether the acquiring company promptly
incorporated the acquired company into all of its internal
controls, including its compliance program.
□ Company should consider training new employees, reevaluating
third parties under company standards, and, where
appropriate, conducting audits on new business units
Questions and Comments (P.450)

□ 10 "Hallmarks" of an effective compliance program:


1) Commitment from senior management and a clearly articulated policy
against corruption
2) Code of conduct and compliance policies and procedures
3) Oversight, autonomy, and resources
4) Risk assessment
5) Training and continuing advice
6) Incentives and disciplinary measures
7) Third-party due diligence and payments
8) Confidential reporting and internal investigation
9) Continuous improvement: periodic testing and review
10) Mergers and acquisitions: pre-acquisition due diligence and post-acquisition integration
□ In place of "check-the-box" approaches to compliance, the guidance follows
contemporary thinking and recommends a "risk-based" approach that tailors
the intensity of the compliance inquiry to the estimated risk of the activity in
question
□ A particular concern in FCPA compliance is the use of local agents to
develop business.
o The company wishing to enter a foreign market often has little choice but to
employ locals who are familiar with the language, customs, laws, and government
of the country in question. These agents may not always scrupulously observe
US rules on foreign corrupt practices. If the country itself has a culture of
corruption, someone who is familiar with the culture, and who is capable of
making the necessary introductions and arrangements, may not herself display the
most ethical business practices.
o It is difficult for US firms to know whether their agents or intermediaries are
greasing the palms of foreign officials in order to facilitate sales
o Some companies might choose to "wink" at the activities of foreign
representatives; they know or suspect that their agents are giving bribes,
but close their eyes to the conduct because the bribes generate lucrative contracts
□ Companies find ways to distribute compensation to people with power to
purchase their products
o 2013 scandal about marketing activities in China conducted by GlaxoSmithKline,
the big UK drug company. Chinese officials alleged that GSK used a network of
travel agents to distribute as much as $489 million in order to facilitate the sales
of its products there. In some cases, according to press reports, representatives of GSK
went so far as to gratify physicians' "sexual desires" in order to induce them to
prescribe GSK medications.
□ In 2012, J.P. Morgan Chase and other firms were accused of hiring the sons and
daughters of Chinese politicians in an effort to curry favor with the
government

Avon Products, Inc., 2010 Form 10-K (p. 452)


□ Reports on Avon's internal investigation and compliance reviews, focused
on compliance with the FCPA in China and additional countries
□ Being conducted under the oversight of the audit committee
□ Avon voluntarily contacted (and cooperated with) the SEC and DOJ to
advise both agencies about the internal investigation
□ In connection with the internal investigation, Avon commenced compliance reviews
regarding the FCPA and related US and foreign laws in additional countries in order
to evaluate its compliance efforts
□ Investigation and reviews are focused on reviewing certain expenses and
books and records processes, including, but not limited to:
o Travel
o Entertainment
o Gifts
o Use of third-party vendors and consultants and related due diligence
o Joint ventures and acquisitions
o Payments to third-party agents and others in connection with the company's business
dealings, directly or indirectly, with foreign governments and their employees
□ Several derivative actions were filed against certain present or former officers and/or
directors of the company alleging breach of fiduciary duty and, in certain
complaints, abuse of control, waste of corporate assets, unjust enrichment and/or
proxy disclosure violations, relating to the company's compliance with the FCPA
o Relief sought includes certain declaratory and equitable relief, restitution,
unspecified damages, exemplary damages and interest.

Questions and comments (p. 453)


□ The Avon filing disclosed that Avon had incurred "significant professional and
related fees associated with the FCPA investigation and compliance reviews"
amounting to approximately $95 million in the reporting year. That is just the
expenditure for the investigation, not for any ultimate liability the company
might face at the hands of the government or private investors
□ Given that liability exposure for FCPA violations is so large, why do
US companies continue to violate the statute?
o Competitors of US corporations may not be subject to the same onerous sanctions,
so bribery may be seen as the price of maintaining a competitive position in doing
business in certain countries
□ The FCPA reaches foreign corporations which are listed in the US and any foreign firm that
causes an act to occur in the US as part of the corrupt practice. This rule extends the net
of the FCPA to cover many of the larger foreign firms, but many foreign firms are
outside the reach of US law. Arguably these firms have a competitive advantage over US
firms if they are allowed to pay bribes and US firms are not
□ A partial remedy to the problem of unfair competition is to press for international
agreements that commit many countries to similar enforcement policies. The OECD's
Anti-Bribery Convention, which requires signatory countries to make it a crime to
bribe foreign officials, is a step in that direction
o Three dozen countries have signed on, including (in addition to the United States)
all member states of the European Union, plus Australia, Brazil, Canada, Chile,
Japan, Korea, Mexico, New Zealand, and Turkey.
□ The FCPA does not provide an affirmative defense based on having
adequate compliance operations in place

AML/BSA/OFAC

Intro (p.455)
□ Criminals, terrorists and rogue states need financial services to carry out their activities
o Example: drug cartel
Mostly a cash business; dealers on the street aren't keen on taking
checks or credit cards.
□ Storing so much money in cash is risky:
● it could be lost or stolen
□ Transporting large amounts of cash is a problem for criminal
organizations, because of the issue of security and also because if
cash in transit is discovered by the authorities, it might tip them
off as to the underlying criminal conduct.
□ The cartel would work more smoothly if the cash could be
deposited in a bank and drawn on when and where it was needed
Investment problem: a criminal enterprise may be so lucrative that its
leaders have more wealth on hand than they can profitably put back
into the criminal enterprise
□ Leaders may want to invest ill-gotten money legitimately
o They need to use the services of a broker or other financial
services firm
o Example: terrorist organization
Needs to use the financial system in order to raise or transfer funds
Supports a network of people who work for the organization and
expect to be compensated
May function as a de facto government and need financing to fund activities,
military or civilian
o Example: rogue state
Governments need to use the financial system in order to trade for goods that
cannot be produced efficiently in the domestic market
□ The financial services sector is the key battleground in the fight against crime,
terror, and state violators of human rights or international law.
o Problem is that banks and other financial firms have traditionally not concerned
themselves very much with the nature of their clients' business
Traditionally, the bank doesn't ask where money comes from. Its
job starts and stops with carrying out the transfer
Banks aren't fond of terrorists; it is just not in their nature to partner
with the government in clamping down on such people
o Sometimes banks do become more than passive participants in illegal activities
Bank of Credit and Commerce International (BCCI) was founded by a
Pakistani financier who, after persuading several wealthy Middle Eastern
investors to entrust him with huge amounts of money, opened several
banks in different countries. He split the operation into two groups, one
regulated by Luxembourg and one by the Cayman Islands, and avoided
effective regulation by either. Many of BCCI's customers were
legitimate, but others were not. Clients included dictators, violent
drug lords, money launderers and notorious terrorists. The bank was
successful for a long time; at its peak it had more than $20 billion in
assets and was one of the largest private banking organizations in the
world. The bank was shut down in 1991 and most of its misdeeds were
brought to light, but not before it caused serious harm. The operation of
the organization was so opaque that some of its activities have never been
fully understood.
o Governments cannot count on banks voluntarily and enthusiastically
participating in law-enforcement, anti-terror, and international human rights
activities.
It is necessary to require them to cooperate

ANTI-MONEY LAUNDERING/ BANK SECRECY


□ The Bank Secrecy Act was the first US statute specifically aimed at enlisting banks in
the fight against criminality
o Principal concern was money laundering by organized crime organizations
o Requires banks to file "Suspicious Activity Reports" (SARs) with the Financial
Crimes Enforcement Network (FinCEN), a bureau of the US Department of the Treasury
SARs are required whenever a transaction involves at least $5k and "the
bank knows, suspects, or has reason to suspect" that the "transaction
involves funds derived from illegal activities or is intended or conducted
in order to hide or disguise funds or assets derived from illegal
activities"
A bank can also file a SAR for any other suspicious transaction that it
believes is relevant to the possible violation of any law or regulation
o The Act is unusual in that it requires private firms to implement compliance programs
31 U.S.C. § 5318(h) provides that "[i]n order to guard against money
laundering through financial institutions, each financial institution shall
establish anti-money laundering programs, including, at a minimum-
(A) the development of internal policies, procedures, and controls; (B)
the designation of a compliance officer; (C) an ongoing employee
training program; and (D) an independent audit function to test
programs."
Congress paid special attention to transactions involving foreign nationals
with bank accounts in the United States: 31 U.S.C. § 5318(i)(1)
provides that "[e]ach financial institution that establishes, maintains,
administers, or manages a private banking account or a correspondent
account in the United States for a non-United States person, including a
foreign individual visiting the United States, or a representative of a
non-United States person shall establish appropriate, specific, and, where
necessary, enhanced, due diligence policies, procedures, and controls
that are reasonably designed to detect and report instances of money
laundering through those accounts."
o The requirement of filing SARs presents unusually daunting compliance
problems. Banks conduct millions of transactions every day, and often those
transactions involve amounts greater than $5,000. It is feasible for a bank to keep
track of transactions that exceed the size threshold through the use of appropriate
computer systems, but it is hard for it to determine which transactions might
involve illegal activities
o Many forms of financial activity may give rise to suspicions of illegal activity, but
some occur on a frequent enough basis to warrant being called out by the
regulators, like FinCEN's list below:
FinCEN Guidance on Preparing a Complete & Sufficient Suspicious Activity Report Narrative
(p. 457)

Examples of some common patterns of suspicious activity are:


□ a lack of evidence of legitimate business activity, or any business
operations at all, undertaken by many of the parties to the transaction(s);
□ unusual financial nexuses and transactions occurring among certain business
types (e.g., food importer dealing with an auto parts exporter);
□ transactions that are not commensurate with the stated business type and/or that are
unusual and unexpected in comparison with the volumes of similar businesses
operating in the same locale;
□ unusually large numbers and/or volumes of wire transfers and/or repetitive
wire transfer patterns;
□ unusually complex series of transactions indicative of layering activity
involving multiple accounts, banks, parties, jurisdictions;
□ suspected shell entities;
□ bulk cash and monetary instrument transactions;
□ unusual mixed deposits of money orders, third party checks, payroll checks, etc.,
into a business account;
□ transactions being conducted in bursts of activities within a short period
of time, especially in previously dormant accounts;
□ transactions and/or volumes of aggregate activity inconsistent with the expected
purpose of the account and expected levels and types of account activity conveyed
to the financial institution by the account holder at the time of the account opening;
□ beneficiaries maintaining accounts at foreign banks that have been subjects
of previous SAR filings;
□ parties and businesses that do not meet the standards of routinely initiated
due diligence and anti-money laundering oversight programs (e.g.,
unregistered/unlicensed businesses);
□ transactions seemingly designed to, or attempting to, avoid reporting
and recordkeeping requirements;
□ correspondent accounts being utilized as "pass-through" points by
foreign jurisdictions with subsequent outgoing funds to other foreign
jurisdictions.
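The patterns in this list are what a bank's automated transaction monitoring is written to surface before a human decides whether a SAR is warranted. The Python below is an added illustration, not code from the casebook, from FinCEN, or from any vendor product: it runs four such rules over a small constructed set of transactions (structuring across several originators, a burst of activity in a dormant account, monthly volume far above the profile declared at account opening, and consecutively numbered monetary instruments). The $5,000 figure is the SAR threshold from the Bank Secrecy Act discussion above; the windows, counts, multiplier, account profiles and names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
# $5,000 is the SAR threshold stated above; every other value here is an illustrative assumption.
SAR_THRESHOLD = 5_000
STRUCTURING_WINDOW = timedelta(days=3)
DORMANT_DAYS, BURST_WINDOW, BURST_MIN_COUNT = 180, timedelta(days=2), 3

@dataclass(frozen=True)
class Txn:
    ts: datetime
    account: str
    originator: str   # person bringing in the cash / sending the wire
    amount: float
    serial: int = 0   # serial number of a travelers check or money order; 0 = not an instrument
# Hypothetical: expected monthly volume each customer declared at account opening.
PROFILES = {"ACC-1": 20_000, "ACC-2": 3_500, "ACC-3": 2_000}

def _by_account(txns):
    groups = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        groups[t.account].append(t)
    return groups

def structuring_alerts(txns, threshold=SAR_THRESHOLD, window=STRUCTURING_WINDOW):
    """Sub-threshold deposits from two or more originators into one account that together exceed it."""
    alerts = []
    for acct, items in _by_account(txns).items():
        i = 0
        while i < len(items):
            batch = [t for t in items[i:]
                     if t.ts <= items[i].ts + window and t.amount < threshold]
            originators = {t.originator for t in batch}
            total = sum(t.amount for t in batch)
            if len(originators) >= 2 and total >= threshold:
                alerts.append({"rule": "structuring", "account": acct, "total": total,
                               "originators": sorted(originators)})
                i = items.index(batch[-1]) + 1    # do not re-alert on the same batch
            else:
                i += 1
    return alerts

def dormant_burst_alerts(txns, dormant_days=DORMANT_DAYS, window=BURST_WINDOW, min_count=BURST_MIN_COUNT):
    """A burst of transactions in an account that had been inactive for months."""
    alerts = []
    for acct, items in _by_account(txns).items():
        for i in range(1, len(items)):
            if (items[i].ts - items[i - 1].ts).days < dormant_days:
                continue
            burst = [t for t in items[i:] if t.ts <= items[i].ts + window]
            if len(burst) >= min_count:
                alerts.append({"rule": "dormant_burst", "account": acct, "count": len(burst),
                               "resumed": items[i].ts.date().isoformat()})
    return alerts

def volume_alerts(txns, profiles, factor=3):
    """Monthly aggregate activity far above what the customer declared at account opening."""
    monthly = defaultdict(float)
    for t in txns:
        monthly[(t.account, t.ts.strftime("%Y-%m"))] += t.amount
    return [{"rule": "volume_vs_profile", "account": acct, "month": month,
             "total": total, "expected": profiles[acct]}
            for (acct, month), total in sorted(monthly.items())
            if acct in profiles and total > factor * profiles[acct]]

def sequential_instrument_alerts(txns, min_run=3):
    """Deposits of monetary instruments bearing consecutive serial numbers."""
    alerts = []
    for acct, items in _by_account(txns).items():
        run = []
        for s in sorted(t.serial for t in items if t.serial) + [None]:  # None flushes the last run
            if run and s is not None and s == run[-1] + 1:
                run.append(s)
                continue
            if len(run) >= min_run:
                alerts.append({"rule": "sequential_instruments", "account": acct, "serials": run})
            run = [] if s is None else [s]
    return alerts

def run_monitoring(txns, profiles=PROFILES):
    """Each alert is a lead for human review and the SAR narrative, not a SAR in itself."""
    return (structuring_alerts(txns) + dormant_burst_alerts(txns)
            + volume_alerts(txns, profiles) + sequential_instrument_alerts(txns))

# Constructed sample transactions (hypothetical accounts and names).
SAMPLE_TXNS = [
    Txn(datetime(2024, 3, 1, 10), "ACC-1", "A. Perez", 4_900),   # three people, two days,
    Txn(datetime(2024, 3, 2, 9), "ACC-1", "B. Ruiz", 4_800),     # each just under $5,000
    Txn(datetime(2024, 3, 2, 14), "ACC-1", "C. Gomez", 4_950),
    Txn(datetime(2023, 6, 1, 11), "ACC-2", "Cust-2", 1_000),     # dormant for months, then
    Txn(datetime(2024, 3, 10, 9), "ACC-2", "Cust-2", 4_000),     # three wires in two days
    Txn(datetime(2024, 3, 10, 15), "ACC-2", "Cust-2", 4_000),
    Txn(datetime(2024, 3, 11, 10), "ACC-2", "Cust-2", 4_000),
    Txn(datetime(2024, 3, 5, 12), "ACC-3", "Cust-3", 500, serial=1001),  # consecutive
    Txn(datetime(2024, 3, 5, 12), "ACC-3", "Cust-3", 500, serial=1002),  # travelers
    Txn(datetime(2024, 3, 5, 12), "ACC-3", "Cust-3", 500, serial=1003),  # checks
]

if __name__ == "__main__":
    print(*run_monitoring(SAMPLE_TXNS), sep="\n")
```

Each alert carries the account, the rule and the specific figures, which is the material the narrative section of the SAR has to spell out (who, how much, when). Note that the three wires in ACC-2 do not trip the structuring rule because they come from a single originator; they are caught by the dormancy and volume rules instead. Thresholds this coarse will fire on legitimate seasonal businesses, and a profile-based rule is only as good as the information collected at account opening.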

□ Once the bank has identified a suspicious activity, the next step is to report the
matter to FinCEN.
o The agency facilitates the reporting task (as well as its task of analyzing the
reports received) by providing an online filing system.
□ The SAR form is rather extensive, containing numerous fields for specific information
about the filing institution, the institution where the activity occurred, the subject of
the suspicious activity, the nature of the suspicious activity, and the narrative of the
events giving rise to the suspicion
o Most challenging of these requirements is the narrative, since this requires the
exercise of judgment and cannot be automated.
o The narrative is most important: it is the only way the government can get a full
picture of the nature of the bank's concerns
o FinCEN instructs banks to use the narrative section as a means for describing the
modus operandi of the subject committing the suspicious activity
o Must be concise, accurate, and in a logical manner.
o Contains the 5 W's: who? what? when? where? and why?
□ To assist banks in the process, FinCEN provides examples of good and
bad narratives; here is an example:
o FinCEN Guidance on preparing a complete and sufficient SAR (p. 458)
Good narrative:
□ Is a well-written summary of all the suspicious activity
and supports the stated purpose for filing the SAR.
□ Provides an internal bank reference number for the SAR that can
be used by law-enforcement investigators who wish to contact the
bank to discuss pertinent facts presented in the narrative
□ Specific information is also provided that details the
source and application of the suspect funds
□ Identifies other actions taken by the financial institution as part
of its internal due diligence program and its effort in
detecting possible illegal activity being facilitated by the
suspect…
Insufficient or incomplete depository institution SAR narrative:
□ Fails to provide specific details on the application of
the suspect funds
o No name, bank, and account number of the beneficiary, if
identifiable
□ Fails to provide any information concerning the
relationship, if any, between the institution and the
customer.
□ No specific transaction data is provided that identifies
the dates and amounts of each wire transfer

Questions and comments (p.460)


□ Vendors play an important role in bank compliance with BSA/AML requirements. A
number of companies offer sophisticated software designed to identify and report
suspicious transactions without requiring costly evaluation by human beings in
each case.

US v. Wachovia (p. 460)
□ Deferred Prosecution Agreement in a criminal case
□ Facts: in 2005, the State Attorney, DEA and IRS investigated certain Wachovia wire transfers from
Mexico to the US. Drug cartels were wiring large sums of money through Mexican currency
exchange houses (casas de cambio, CDCs) that held bank accounts at Wachovia in Miami. The money was
used to buy planes used to import drugs into the US. At least $13 million was transferred through
Wachovia to buy planes that carried more than 20 thousand kilos of cocaine. During
the investigation, law enforcement reviewed the CDC banking activity that occurred at
Wachovia and found readily identifiable evidence and red flags of large-scale drug
money laundering (structured wire transactions by multiple people using false names
into the same account over a brief period of time; deposits of sequentially numbered travelers
checks with unusual markings; significant bulk cash transactions greatly in excess of the
customers' self-identified expectations)
□ Since the beginning of the BSA investigation, Wachovia fully cooperated
and provided valuable assistance to law enforcement
o Made periodic reports
o Devoted substantial resources to the investigation and to responding to US requests for
information
o Made employees available for interviews
□ Wachovia also took remedial measures
o Hired a COO and a BSA/AML officer
o Undertook substantial remediation of its AML compliance functions
o Enhanced transaction and counterparty monitoring, focusing on high-risk countries and
financial institution risk; developed and provided enhanced AML training for
employees.
Topics of training included regulatory responsibility, red flag detection,
the black market peso exchange, large cash transactions, wires to high-risk
countries and activity inconsistent with an account's stated purpose
□ Wachovia voluntarily conducted a detailed "look-back" of transactions with 13
Mexican CDCs during a three-year period and filed SARs for conduct related to
the CDCs
o Filed more than 4,200 SARs relating to wire transactions conducted by the CDCs,
which included $4.3 billion in total dollars
o Filed eight SARs relating to bulk cash transactions conducted by the CDCs,
which included more than $4 billion in total dollars
o Filed 18 SARs relating to sequentially numbered travelers check transactions
conducted by the CDCs, which included $25 million in total
● Since Wachovia's acquisition by Wells Fargo, Wachovia has been subject to Wells
Fargo's BSA/AML compliance program and compliance and operational risk
management, oversight, and independent testing. Wells Fargo's policies and procedures,
including those relating to escalating and exiting customer relationships, now apply to
Wachovia. As the integration progresses, Wells Fargo's transaction monitoring system,
a more advanced version of the system used by Wachovia, will be used to monitor
Wachovia transactions
● The deferred prosecution agreement states:
o The charges: Wachovia agreed to waive indictment and agreed to the filing of a one-count
information in the US District Court for the Southern District of Florida
charging it with failing to maintain an effective anti-money laundering
program
o Acceptance of responsibility: Wachovia acknowledged its responsibility
for its conduct and that of its employees as set forth in the factual statement… if
the US initiates the prosecution that is deferred by this agreement against
Wachovia, Wachovia agrees that it will neither contest the admissibility
of the factual statement or any other documents provided by Wachovia to the
United States, nor contradict in any such proceeding the facts contained within
the factual statement
o Forfeiture and fine: Wachovia agreed to settle and does settle any and all civil and
criminal forfeiture claims presently held by the United States for the sum of $110
million… in addition to the forfeiture Wachovia shall pay a fine of $50 million
 Factors in determining the appropriate fine in this matter as
$50 million:
● Wachovia's considerable remedial actions specified within
the factual statement
● the legal entity that will pay the fine is Wells Fargo Bank
[which acquired Wachovia during the financial crisis of 2007-
2009]
● There is no evidence or allegation that Wells Fargo Bank's
anti-money laundering program is deficient
Questions and comments (p. 463)
● As this case illustrates, AML/BSA cases can be, and often are, brought by
several different government agencies at once
● State regulators have also entered the picture to enforce rules on money laundering
o Benjamin Lawsky, New York's chief financial regulator, has been particularly
active. In 2013, he embarrassed federal officials by obtaining a $250 million
settlement from Bank of Tokyo-Mitsubishi UFJ over charges related to
matters the federal regulators had settled the previous year for $8.57 million

- AML/BSA enforcement with compliance elements is also frequently observed in civil
administrative proceedings

Board of Governors of the Federal Reserve System, Written Agreement by and Among M&T
Bank Corporation, Manufacturers & Traders Trust Company and Federal Reserve Bank of New
York (p. 464)
● An inspection of M&T conducted by the Federal Reserve Bank of New York (Reserve
Bank) identified deficiencies in M&T's firm-wide compliance risk management program
with respect to compliance with BSA/AML requirements; the bank's internal controls,
customer due diligence procedures, and transaction monitoring processes with respect to
compliance with BSA/AML requirements; and [Wilmington Trust Corporation's
(WTC)] due diligence practices for foreign correspondent accounts; . . .
● Now, therefore, the Reserve Bank, M&T, and the Bank hereby agree as follows:
o Firm-Wide BSA/AML Compliance Program
 Within 60 days of this Agreement, M&T shall submit to the Reserve
Bank an acceptable revised written firm-wide BSA/AML compliance
program that describes the specific actions that will be taken, including
timelines for completion, to ensure compliance with applicable
BSA/AML Requirements. The revised program shall, at a minimum,
include:
● reporting to and oversight by senior management of M&T's
firm-wide BSA/AML compliance controls and processes,
including, but not limited to, procedures to ensure oversight of a
firm-wide customer due diligence program;
● written policies, procedures, and compliance risk
management standards;
● comprehensive BSA/AML risk assessment process;
● measures to ensure that BSA/AML compliance functions
outsourced by subsidiaries to third parties, including affiliates,
are performed to meet regulatory requirements;
● measures to ensure compliance and improve accountability within
all business lines and legal entities and their respective compliance
functions;
● procedures to require the escalation of significant matters related
to compliance risks to appropriate senior officers and the board of
directors; and
● the findings and recommendations of the consultant recently
engaged by M&T to assist in matters related to compliance
with the BSA/AML Requirements.
 BSA/AML Compliance
● Within 60 days of this Agreement, the Bank shall submit to the
Reserve Bank an acceptable written revised BSA/AML
compliance program. The program shall include provisions for
updates on an ongoing basis, as necessary, to incorporate
amendments to the BSA and the rules and regulations issued
thereunder. At a minimum, the revised program shall include:
o Internal controls to ensure compliance by the Bank and
any non-bank subsidiaries with applicable BSA/AML
Requirements; and
o policies and procedures designed to ensure
identification and verification of the identity of account
holders in accordance with applicable regulations.
 CUSTOMER DUE DILIGENCE
□ Within 60 days of this Agreement, the Bank shall submit to the
Reserve Bank an acceptable written revised program for
conducting appropriate levels of customer due diligence by the
Bank, WTC, and, as applicable, other subsidiaries. At a minimum,
the program shall include:
o (a) Policies, procedures, and controls to ensure that the
Bank and WTC collect, analyze, and retain complete and
accurate customer information for all account holders;
o (b) a plan, with timelines, to remediate deficient due
diligence for existing customer accounts;
o (c) a methodology for assigning risk ratings to account
holders that considers factors such as type of customer,
type of products and services, and geographic location;
o (d) a risk-focused assessment of the Bank's and WTC's
customer base to:
(i) identify the categories of customers whose
transactions and banking activities are routine
and usual; and
(ii) determine the appropriate level of enhanced due
diligence necessary for those categories of
customers that pose a heightened risk of conducting
potentially illicit activities at or through the Bank
or WTC;
o (e) For each customer whose transactions require enhanced
due diligence, procedures to:
(i) determine the appropriate documentation
necessary to verify the identity and
business activities of the customer; and
(ii) understand the normal and expected
transactions of the customer;
o (f) policies and procedures, including appropriate
documentation, for identification and due diligence with
regard to politically exposed persons;
o (g) policies, procedures, and controls to ensure that foreign
correspondent accounts are properly identified and
accorded the appropriate due diligence and, where
necessary, enhanced due diligence; and
o (h) procedures to ensure [that] periodic reviews and
evaluations are conducted and documented for all account
holders.
Suspicious Activity Monitoring and Reporting
□ Within 60 days of the Agreement, M&T and the Bank shall jointly
submit to the Reserve Bank an acceptable written program to
reasonably ensure the identification and timely, accurate, and
complete reporting by M&T, the Bank, and WTC, as applicable, of
all known or suspected violations of law or suspicious transactions
to law enforcement and supervisory authorities, as required by
applicable suspicious activity reporting laws and regulations. At a
minimum, the program shall include:
o (a) Monitoring and investigation criteria and procedures to
ensure the timely detection, investigation, and reporting of
all known or suspected violations of law and suspicious
transactions;
o (b) policies regarding the level and type of due diligence
required when reviewing suspicious account activity; and
o (c) measures to ensure escalation to, and documented
oversight by, senior management of significant matters,
including, but not limited to, repetitive suspicious activity
reporting and suspected structuring activities
Transaction Review
□ (a) Within 60 days of this Agreement, the Bank shall engage an
independent consultant, acceptable to the Reserve Bank, to
conduct a review of account and transaction activity associated
with any high risk customer accounts conducted at, by, or through
the Bank and WTC from July 1, 2012 to December 31, 2012 to
determine whether suspicious activity involving high risk customer
accounts or transactions at, by, or through the Bank or WTC was
properly identified and reported in accordance with applicable
suspicious activity reporting regulations (the "Transaction
Review") and to prepare a written report detailing the consultant's
findings (the "Transaction Review Report"). For each covered
customer, the Transaction Review may commence as soon as the
Bank has completed the remediation of the covered customer's
account in accordance with the revised remediation program
required by paragraph 3 of this Agreement.
□ (b) Based on the Reserve Bank's evaluation of the results of the
Transaction Review, the Reserve Bank may direct the Bank to
engage the independent consultant to conduct a review of the
types of transactions described in paragraph 5(a) for
additional time periods.
□ Within 10 days of the engagement of the independent
consultant, but prior to the commencement of the
Transaction Review, the
Bank shall submit to the Reserve Bank for approval an engagement
letter that sets forth:
o (a) the scope of the Transaction Review;
o (b) the methodology for conducting the Transaction
Review;
o (c) the expertise and resources to be dedicated to the
Transaction Review;
o (d) the anticipated date of completion of the Transaction
Review and the Transaction Review Report; and
o (e) a commitment that supporting material associated with
the Transaction Review will be made available to the
Reserve Bank upon request.
● The Bank shall provide to the Reserve Bank a copy of the
Transaction Review Report at the same time that the report
is provided to the Bank.
● Throughout the Transaction Review, the Bank shall ensure that
all matters or transactions required to be reported that have not
previously been reported are reported in accordance with
applicable rules and regulations. . . .
The Office of Foreign Assets Control
● The Office of Foreign Assets Control ("OFAC") administers and enforces economic and
trade sanctions against entities such as targeted foreign countries, terrorists,
international narcotics traffickers, and those engaged in activities related to the
proliferation of weapons of mass destruction.
● OFAC regulations require banks to block accounts and other property and to prohibit
or reject unlicensed trade and financial transactions with specified countries, entities,
and individuals.
● Both OFAC and BSA/AML require financial institutions to keep detailed records of
their transactions for purposes of policing against the use of the financial system by bad
actors;
o a difference is that in the case of BSA/AML it is up to the bank to identify
the suspicious party,
o in the case of OFAC the bad actor is already identified, giving the bank the
task of making sure it doesn't engage in a prohibited transaction with that
person or entity.
● Because the requirements are to some extent parallel, BSA/AML and OFAC
compliance issues are often grouped together.
● The following excerpt is from a consent order which includes elements of both
OFAC and AML/BSA compliance.

Board of Governors of the Federal Reserve System In the Matter of: Citigroup Inc. New York,
New York (p.467)
● Consent Order- Citigroup and its institution-affiliated parties shall cease and desist
and take affirmative action as follows:
● Source of Strength
o Board of Directors at Citi shall take appropriate steps to fully utilize
Citigroup's financial and managerial resources to serve as a source of
strength to each of
the Banks, including, but not limited to, taking steps to ensure that each of the
Banks complies with the Consent Orders issued by their respective banking
agency supervisors and any other supervisory actions taken by their respective
banking agency supervisors.
● Board Oversight
o Citigroup's board of directors shall submit to the Reserve Bank an
acceptable written plan to continue ongoing enhancements to the board's
oversight of Citigroup's firm-wide compliance risk management program
with regard to
compliance with BSA/AML Requirements. The plan shall describe the actions
that the board of directors has taken since the Consent Orders became effective
and will take to improve Citigroup's Firm-wide compliance risk management
with regard to BSA/AML Requirements, including, but not limited to, ensuring
that such compliance risk is effectively managed across Citigroup including
within and across business lines, support units, legal entities, and jurisdictions in
which Citigroup and its subsidiaries operate. The plan shall, at a minimum,
address, consider, and include:
 (a) Funding for personnel, systems, and other resources as are needed
to operate a BSA/AML compliance risk management program that is
commensurate with the compliance risk profile of the organization and
that fully addresses the organization's compliance risks on a timely and
effective basis;
 (b) policies to instill a proactive approach throughout the organization in
identifying, communicating, and managing BSA/AML compliance
risks;
 (c) measures to ensure adherence to approved BSA/AML compliance
policies, procedures, and standards, and ensure the timely completion
of related projects and initiatives; and
 (d) measures to ensure the resolution of BSA/AML-related
audit, compliance reviews, and examination findings.
● COMPLIANCE RISK MANAGEMENT PROGRAM
o Citigroup shall submit an acceptable written plan to the Reserve Bank to continue
to improve the governance, structure, and operations of the compliance risk
management program with regard to BSA/AML Requirements and the
regulations issued by the Office of Foreign Assets Control of the United States
Department of the Treasury ("OFAC"). The plan shall, at a minimum, address,
consider, and include:
 (a) The structure and composition of Citigroup's compliance committees
and a determination of the optimum structure and composition needed
to provide adequate oversight of Citigroup's firm-wide compliance risk
management;
 (b) enhanced written policies, procedures, and compliance
risk management standards;
 (c) the independence and authority of the compliance functions and
related compliance committees;
 (d) the duties and responsibilities of the heads of compliance for
global business lines, the BSA/AML global program, and legal
entities, as applicable, including the reporting lines within Citigroup,
and between Citigroup and its business lines and legal entities;
 (e) a process for periodically reevaluating staffing needs in relation to
the organization's compliance risk profile, and management succession
planning for key compliance positions;
 (f) the scope and frequency of compliance risk assessments;
 (g) measures to ensure compliance and improve accountability within
business lines and legal entities and their respective compliance
functions;
 (h) procedures for the periodic testing of the effectiveness of
the compliance risk management program;
 (i) consistency with the Board of Governors' guidance regarding
Compliance Risk Management Programs and Oversight at Large Banking
Organizations with Complex Compliance Profiles, dated October 16,
2008 (SR 08-8); and
 (j) the findings and recommendations of the consultant engaged by
Citibank pursuant to Article V of Citibank's Consent Order with the
OCC.
● BSA/AML COMPLIANCE PROGRAM
o Citigroup shall complete a review of the effectiveness of Citigroup's firm-wide
BSA/AML compliance program (the "BSA/AML Review") and prepare a
written report of findings and recommendations (the "BSA/AML Report"). The
BSA/AML Review shall, at a minimum, address, consider, and include:
 (a) The structure of Citigroup's firm-wide BSA/AML compliance
program, including reporting lines and taking into account the functions
that Citigroup performs for the Banks and Citigroup's other
subsidiaries;
 (b) standards for BSA/AML compliance that apply on a firm-wide
basis, including business lines and legal entities;
 (c) the duties, responsibilities, and authority of Citigroup's chief
BSA/AML compliance official, including reporting lines within
Citigroup and from Citigroup's business lines and legal entities to the
chief BSA/AML compliance official;
 (d) communication of BSA/AML-related roles and responsibilities
across the organization;
 (e) coordination among corporate BSA/AML compliance and
the BSA/AML compliance functions of the Banks, Citigroup's
other subsidiaries, and business lines;
 (f) processes for monitoring business line and legal entity compliance
with Citigroup's BSA/AML policies and procedures and BSA/AML
requirements;
 (g) policies, procedures, and processes, including, but not limited to,
those for identifying and investigating suspicious activity, and for filing
suspicious activity reports
 (h) the scope and frequency of reporting with respect to BSA/AML
compliance within Citigroup, at a minimum, to senior management and
board committees, as well as between Citigroup and its business lines
and legal entities;
 (i) BSA/AML-related risk assessments;
 (j) measures to ensure that any BSA/AML compliance functions,
including, but not limited to, transaction monitoring and suspicious
activity reporting, that are performed by [Citigroup's nonbank
subsidiaries] for the Banks or the Edge Act Corporation are performed
to meet regulatory requirements;
 (k) independent testing within Citigroup entities subject to
BSA/AML Requirements;
 (l) training; and
 (m) the findings and recommendations of the consultant engaged by
Citibank pursuant to Article V of Citibank's Consent Order with the
OCC.
o Within 120 days of this Order, the board of directors of Citigroup shall review the
BSA/AML Report and shall submit an acceptable written plan to the Reserve
Bank that includes a description of the specific actions that Citigroup will take to
continue to strengthen the management and oversight of Citigroup's firm-wide
BSA/AML compliance program, taking into account the requirements of the
appropriate federal or state supervisor of Citigroup's functionally regulated
subsidiaries.
● PROGRESS REPORTS
o Within 30 days after the end of each calendar quarter following the date of this
Order, the board of directors of Citigroup or an authorized committee thereof
shall submit to the Reserve Bank written progress reports detailing the form and
manner of all actions taken to secure compliance with this Order, a timetable
and schedule to implement specific remedial actions to be taken to address the
recommendation in the Report, and the results thereof.
● APPROVAL AND IMPLEMENTATION OF PLANS
o (a) Citigroup shall submit written plans that are acceptable to the Reserve Bank
within the applicable time periods set forth in paragraphs 2, 3, and 5 of this
Order.
o (b) Within 10 days of approval by the Reserve Bank, Citigroup shall adopt the
approved plans. Upon adoption, Citigroup shall promptly implement the
approved plans and thereafter fully comply with them.
o (c) During the term of this Order, the approved plans shall not be amended
or rescinded without the prior written approval of the Reserve Bank. . . .

Questions and Comments (p.470)


● This recites that Citigroup shall serve as a “source of strength" to its subsidiary banks.
The reference to "source of strength" alludes to a principle applicable in the area of bank
failure. When a bank in a holding company gets into trouble, federal banking law
requires the holding company to act as a source of strength to the troubled bank, meaning
that the holding company is expected to provide capital to the subsidiary to help tide it
over its troubles. Here, the concept of source of strength is employed to justify the
provisions of the order that require the parent company – Citigroup – to cause its
subsidiary banks to undertake the necessary compliance actions. The particular concern
was about Banamex USA, the American branch of Citigroup's Mexican subsidiary.
● Although the government's action was significant, it is also noteworthy that Citigroup
was not required to pay a fine, unlike several of its peers which had to cough up very
large sums for AML/BSA violations. The sense is that although Citi's controls were far
from perfect, the bank had taken positive steps to upgrade its compliance operations in
this area—partly in response to consent orders issued by federal bank regulators—and
therefore should not be severely sanctioned for the deficits that remained.

The Role of Attorneys (p.470)


● Ill-gotten gains can be laundered through various means ranging from very
simple (actually running a laundry!) to the very complex.
o Terrorist activities can be financed by straightforward means (such as
wiring money to a bank account maintained by a terrorist organization) or by
more indirect methods
o Complex arrangements are more insidious because they are difficult to detect
and punish
 They also call for the services of attorneys
● Lawyers play an important role—both good and bad—in the area of money
laundering and terrorism
o Can facilitate activities by providing services to bad actors
o Can help prevent or deter these activities by refusing to provide services
or cooperating in government law enforcement efforts
● Advice from the American Bar Association:
American Bar Association Task Force on Gatekeeper Regulation and the Profession, Voluntary
Good Practices Guidance for Lawyers to Detect and Combat Money Laundering and Terrorist
Financing (p.471)
● [A]n overarching purpose of this paper is to encourage lawyers to develop and
implement voluntary, but effective, risk-based approaches consistent with the
Lawyer Guidance, thereby negating the need for federal regulation of the legal
profession. . . .
● WHAT IS THE RISK-BASED APPROACH?
o Is grounded in the premise that the limited resources (both governmental
and private sector) available to combat money laundering and terrorist
financing should be employed and allocated in the most efficient manner
possible so that the sources of the greatest risks receive the most attention.
o A risk-based approach is intended to ensure that measures to prevent or
mitigate money laundering and terrorist financing are commensurate with
the risks identified, thereby facilitating an efficient allocation of this limited
pool of resources.
o The proportionate nature of the risk-based approach means that higher risk
areas should be subject to enhanced procedures, such as enhanced client
due diligence ("CDD") and enhanced transaction monitoring.
 By contrast, simplified, modified, or reduced controls may apply in
lower risk areas. . . . In no case [will] the risk ever be so low as to
eliminate any form or level of CDD.
o An effective risk-based approach involves identifying and categorizing
money laundering and terrorist financing risks and establishing
reasonable controls based on the risks identified. . . .
● WHAT ARE THE RISK CATEGORIES?
o Three major risk categories with regard to legal engagements:
 Country/Geographic risks
● No universally adopted listing of countries or geographic areas
● Client’s domicile, the location of the transaction, and
the source of funding are a few sources from which
money laundering risk can arise
● Higher risk countries include those that are:
o Subject to sanctions, embargoes, or similar measures
o Identified by credible sources as having
significant levels of corruption or other criminal
activity
o Location from which funds or support are provided
to terrorist organizations
o Those identified by credible sources as countries
generally lacking appropriate [anti-money
laundering] laws, regulations, and other measures.

 Service risk
● Services that involve the movement of funds and/or
the concealment of beneficial ownership
 Client risk
● Clients range from individuals, partnerships and limited
liability companies with dozens of partners or members
to multi-national corporations.
● Given this spectrum of clients, a lawyer will be challenged to
determine whether a particular client poses a higher risk and,
if so, the level of that risk and whether the application of any
mitigating factors influences that assessment.
● Various categories of potentially higher risk clients [if a client
falls in one of the categories, the lawyer must weigh this risk against
other risks to determine the appropriate level of client due
diligence]:
o Politically exposed persons ("PEPs")- are
individuals who are or have been entrusted with
prominent functions in a foreign country. . . .
o Unusual Activity- Clients conducting their
relationship or requesting services in unusual or
unconventional circumstances (as evaluated in light of
all the circumstances of the representation). . .
o Masking of Beneficial Ownership - Where the
structure or nature of the client entity or relationship
makes it difficult to identify in a timely manner the
true beneficial owner or controlling interests
o Cash Intensive Businesses – clients that are cash
(or cash equivalent) intensive
o Charities and NPOs- those that are not subject
to monitoring
o Financial Intermediaries Not Subject to
Adequate [Money Laundering] Laws. . .
o Clients with Certain Criminal Convictions- Clients
having convictions for proceeds generating crimes
who instruct the lawyer (who has actual knowledge of
such convictions) to undertake specified activities on
their behalf are potentially higher risk clients. . . .
o Clients with No Address/Multiple Addresses-
Clients who have no address, or multiple addresses
without legitimate reasons. . . .
o Unexplained Change in Instructions. Clients who
change their settlement or execution instructions
without appropriate explanation are potentially
higher risk clients. . . .
o Structures With No Legal Purpose. The use of legal
persons and arrangements without any apparent legal
or legitimate tax, business, economic or other reason
are potentially higher risk situations. . . .

o Relative weight to be given to each risk category in assessing the overall risk
of money laundering and terrorist financing will vary from one lawyer or
firm to another because of size, sophistication, location, and nature and scope
of services offered
o Lawyers need to assess independently the weight to be given to each risk factor
 Factors subject to variables that may increase or decrease
the perceived risk posed by a particular client or type of
work
Questions and Comments (p.473)
● The reference to "gatekeepers," in the context of this report, includes lawyers, notaries,
trust and company service providers, real estate agents, accountants, and auditors
who assist with transactions involving the movement of money in the domestic and
international financial systems.
● Sanctions programs administered by OFAC prohibit a U.S. person from engaging in
transactions with persons in certain countries. In such cases an attorney may be
prohibited by law from engaging in the representation at all even if it was otherwise
not problematic
● Risk-based approach to the attorney’s role in preventing money laundering and
terrorist financing - This approach involves an initial risk assessment which influences
the intensity of compliance activities that follow: more comprehensive vetting and
scrutiny for persons or transactions deemed to present a higher risk, less
comprehensive vetting and scrutiny for persons and transactions deemed to present
lower risk.
o The leading authority on the risk-based approach in this area is the Financial
Action Task Force

American Bar Association Standing Committee on Ethics and Professional Responsibility,


Formal Opinion 463: Client Due Diligence, Money Laundering, and Terrorist Financing (p.474)

● ("Good Practices Guidance") are consistent in their ethical principles, including
loyalty and confidentiality.
● By implementing the risk-based control measures detailed in the Good Practice
Guidance where appropriate, lawyers can avoid aiding illegal activities in a
manner consistent with the Model Rules.
● The underlying theory behind the "lawyer-as-gatekeeper" idea is that the lawyer has
the capacity to monitor and to control, or at least to influence, the conduct of clients
and prospective clients in order to deter wrongdoing.
o Many have taken issue with this theory and with the word "gatekeeper." The
Rules do not mandate that a lawyer perform a "gatekeeper" role in this
context.
● Mandatory reporting of suspicion about a client conflicts with Rules 1.6 and 1.8
● Reporting without informing client is in conflict with Rule 1.4(a)(5).
● In this opinion we examine the contours of a lawyer's ethical obligations under the
Model Rules of Professional Conduct with regard to efforts to deter and combat
money laundering:
o The Committee believes that the advice derived from the Good Practices
Guidance is consistent, and not in conflict, with the ethical obligations of
lawyers under the Model Rules. In a situation where the lawyer is compelled to
decline or terminate the relationship, the lawyer should comply with the
requirements of the applicable rules of professional conduct. Accordingly, lawyers
should be conversant with the risk-based measures and controls for clients and legal
matters with an identified risk profile and use them for guidance as they develop
their own client intake and ongoing client monitoring processes.
o When in a lawyer's professional judgment aspects of the contemplated
representation raise suspicions about its propriety, that lawyer's familiarity with
risk-based measures and controls will assist in avoiding unwitting assistance to
unlawful activities. Indeed, the usefulness of the Good Practices Guidance is an
example of the declaration in the Model Rules that "The Rules do not. . .
exhaust the moral and ethical considerations that should inform a lawyer."
SEXUAL HARASSMENT

Introduction (p.477)
● Sexual harassment in the workplace is prohibited under both state and federal law
● Meritor Savings Bank – SC held that language at the federal level encompasses cases
in which an employer subjects employees to a hostile work environment by acts of
sexual harassment
● Equal Employment Opportunity Commission – defines sexual harassment (see definition)
● Problem with corporations being accountable because it can only act through agents;
respondeat superior only makes employer liable for wrongful conduct if the
employee was acting within the scope of employment; no employer will ever say that
harassing behavior is part of an employee’s job description

Faragher v. City of Boca Raton


Facts: College student; worked as lifeguard for the City of Boca Raton. She alleged during this
time two male supervisors made offensive sexual remarks and lewd gestures to her and other
female lifeguards, touched them inappropriately, and asked them for sex. 2 years after resigning,
she filed suit under Title VII and Florida law, alleging that the two supervisors created a sexually
hostile work environment and that, as agents for Boca Raton, they made the city liable for
nominal damages, costs, and lawyer fees.
Decision: Employers can be subject to vicarious liability when supervisors create a
discriminatory environment. At the same time, employers may raise affirmative defenses to
liability or damages. The court observed that such affirmative defenses have two elements: (1)
employers must have exercised reasonable care to prevent and promptly correct any sexually
harassing behaviour, and (2) victimized employees unreasonably failed to take advantage of any
preventive or corrective opportunities provided by the employer. Affirmative defenses are
unavailable when the harassment ends in tangible, adverse job-related actions, including
demotions and discharges.

Notes:
● Conduct must be relatively severe – ordinary tribulations of the workplace do not create
a basis for liability

Sexual Harassment Programs (p.481)

EEOC, Vicarious Employer Liability for Unlawful Harassment by Supervisors


● The case raises the question of what sorts of compliance programs satisfy
the requirements for the affirmative defense
● Reasonable care requires an employer to establish, disseminate, and enforce an anti-
harassment policy and complaint procedure and to take other reasonable steps to
prevent and correct harassment (not mandatory requirements)
● Whether an employer can prove they exercised reasonable care depends on
factual circumstances and the nature of the employer’s workforce
● No “safe harbors” for employers based on the written content of policies and procedures
● Lack of a formal policy and complaint procedure will not defeat the defense if
the employer exercised sufficient care through other means
● If the employer has a policy and complaint procedure but an official has failed to
carry out their responsibility to conduct an investigation or management ignored
previous complaints, the employer has not discharged its duty to exercise reasonable care
● Employer has discretion in determining the sanction; penalties can include
termination, reassignment, reprimands, demotion, reduction in pay, and other
measures
● Merely distributing and administering a sexual harassment policy and
complaint procedure may not be a fully effective strategy to minimize risk of
harassment
● EEOC doesn’t require formal training of supervisory employees but suggests that
a company that implements such programs will be viewed favorably

Policy and Complaint Procedure (p.481)


● Employer should give employees a copy
● Should be written in a way that is easily understood
● Post in central locations and incorporate in handbooks
● Provide training to all employees if possible
● Publicize, enforce and establish anti-harassment policies and complaint procedures
● Should contain:
o Explanation of prohibited conduct
o Assurance that employees who make complaints won’t be retaliated against
o Clearly describe complaint process
o Assurance that employer will protect confidentiality
o Prompt, thorough, and impartial investigation
o Assurance that employer will take immediate and appropriate corrective
action when it determines that harassment has occurred

Using Third Party Vendors (p.484)


● Independent HR consultants, employment discrimination attorneys and
other professionals
● Typical curriculum:
o Laws prohibiting unlawful harassment
o Forms of harassment
o Prevention
o Identifying and preventing retaliation
o Rights and responsibilities of staff members
o Consequences of harassment suits
o What to do when complaint filed
o Conducting an investigation

Enforcement (p.485)

EEOC v. Carrols Corp.


Facts: Carrols Corp. has agreed to pay $2.5 million to settle a lawsuit in which 89 women claim
they were sexually harassed at Burger King restaurants across the country.
Settlement:
● $2.5 million in compensatory damages and lost wages to 89 alleged victims.
● Implement measures to increase employees’ awareness of its anti-harassment policies
● Improve its response to complaints brought forward under those policies, including:
o Enhanced training for managers in preventing and responding to harassment;
o Improved mechanisms for tracking harassment complaints;
o Notices posted in all domestic Carrols Burger King locations
informing employees about the lawsuit’s resolution and their rights
under federal antidiscrimination laws;
o Injunction prohibiting further harassment and retaliation.
● Comprehensive procedures and processes in place to encourage employees to
report policy violations, and to do so without fear of reprisal.
● Complaint hotline and dedicated email addresses for employees to file complaints
● HR managers will conduct audits biennially of each restaurant
● Manager evaluation forms to ensure adherence to EEO policies
● Duration of decree will be 2 years from date of entry
SOCIAL RESPONSIBILITY

Public Benefit Companies (p.496)


● “Benefit corporations”, “low profit limited liability companies”, “flexible
purpose corporations”
● Charitable or public interest activities are central focus of the organization
● Justification? People who invest in them do so knowing that the entity will be devoted
in part to charitable causes
● Capture tax benefits because offer charitable foundations a way to invest funds that
they would otherwise be required to distribute

Code of Ethics (p.496)


● Companies are encouraging that anyone affiliated with the firm go beyond what is
required by law or regulation and display a higher level of socially conscious
business conduct
● Admonish people to act in commendable ways
● Declaring in a formal document that employers should be courteous and
respectful creates a contract
● Section 406 of SOX requires public companies to disclose to shareholders whether
they have adopted a code of ethics for senior managers and explain why if they
haven't
● Andropolis v. Red Robin Gourmet Burgers, Inc. – a code of ethics is inherently
aspirational; it can’t simply be that every time a violation of that code occurs, a
company is liable under federal law for having chosen to adopt the code at all; “mere
puffery”
● Provisions found in corporate code of ethics:
o Compliance
o Honesty
o Confidentiality
o Respect
o No retaliation
● Persons typically subject to the policy should engage in conduct such as:
o Follow the policy
o Notify officers of known violations
o Use good judgment
o Ask questions about what to do

Social Responsibility (p.499)


● Corporate Social Responsibility (CSR) aims to move corporations away from an
exclusive focus on earning profit towards providing value for society as a whole
● CSR – refers to the concept that corporations should seek to advance broader
social objectives rather than focus exclusively on earning a profit for shareholders
● The key is that the desired conduct is not forced on corporations
● Argument is that it is good for society and shareholders because the company
will perform better than companies that are not committed to CSR
● Change corporate values from within to elect directors committed to socially
progressive agenda
● Proponents make 2 general arguments:
1) Beneficial so managers should adopt it even if their sole objective is to
maximize shareholder returns – idea that customers will reward companies for
good behavior
2) Even if CSR doesn’t maximize shareholder returns, it should be adopted
because it is better for society
● CSR is promoted by international standard setting bodies i.e. ISO (standard
contains guidance on socially responsible behavior but not mandatory
requirements)
● India is the most stringent jurisdiction where CSR initiatives have progressed
through legislation
● Groups are motivated by the private benefits to participants i.e. maximizing
budgets, obtaining influence, increasing membership, securing jobs, and promoting
wealth transfers into their organizations and constituencies
● Chiquita Bananas – “Declared that it is dedicated and committed on a daily basis to be
responsible citizens of the world in which we live”; but haven’t always received
positive reviews i.e. federal court denied motions to dismiss a class action against it for
aiding in torture and war crimes

Human Rights (p.501)


● Focus has traditionally been on state actors, has now expanded to include corporations
● Alien Tort Claims Act – establishes federal court jurisdiction over “any civil action by
an alien for a tort only, committed in violation of the law of nations or a treaty of the
US”
o Kiobel v. Royal Dutch – SC ruled that the presumption against extraterritorial
application applies to the ATCA; the statute in many cases will not reach actions
committed overseas, even if those actions are in violation of international law;
case increased the utility of alternative mechanisms in human rights
enforcement through corporate governance standards

UN High Commissioner on Human Rights Guiding Principles on Business and Human Rights
(p.502)
● Responsibility of business enterprises to respect human rights refers to internationally
recognized human rights; at a minimum those in the International Bill of Human
Rights and principles concerning fundamental rights set out in the ILO’s Declaration
● Business enterprises are required to:
o Avoid causing or contributing to adverse human rights impacts
o Seek to prevent or mitigate adverse human rights impacts that are directly linked to
their operations
● Responsibility to respect human rights applies to all enterprises
● Businesses should have in place policies and processes appropriate to their size
and circumstances, including:
o A policy commitment to meet their responsibility to respect human rights
o A human rights due diligence process
o Processes to enable the remediation of any adverse human rights impacts
they cause
● Human rights due diligence – assessing actual and potential human rights impacts,
integrating and acting upon the findings, tracking responses, and communicating
how impacts are addressed
● Does a company have a legal or ethical obligation to insist on ethical behavior
by counterparties? – No.
● Conflicts Minerals and Supply Chain Management:
o Dodd-Frank Act and SEC Rule 13p-1 (applies only to public companies)
require SEC reporting firms to engage in due diligence and make disclosures in
connection with their use of conflict minerals from “DRC Countries”; if an issuer
knows or has reason to believe that its conflict minerals may have originated in
DRC countries it is required to prepare an audited conflict minerals report
describing matters such as the products the issuer produces with conflict
minerals, facilities used, country of origin, and what efforts have been made to
determine the location of origin
o States are beginning to take an interest in human rights enforcement through
supply chain management i.e. California enacted legislation barring companies
found to be in violation of the federal conflict minerals rule from participating
in state contracts
o Principal purpose of conflict minerals rule is to staunch the supply of money
that is believed to be fueling and prolonging a conflict which has involved rape,
gender based violence and other human rights violations
o Consider “blood diamonds” mined in conflict zones in Angola, Sierra Leone,
or Cote d’Ivoire

Sustainability (p.507)
● Activity is sustainable if it is consistent with the needs and interests of future generations
● Concept borrowed from ecology; idea that the corporation should operate in such
a manner that the environment would support its continuing to do so indefinitely

Iowa Law Review Article – Sustainability and Profitability

● Sustainable businesses don’t want to damage the earth’s resources
● Compliance with environmental regulations, generous towards employees, paying
more for goods that are humanely produced
● Two ways of operationalizing sustainability in business:
o Triple bottom line approach
 Views corporate performance and success in three dimensions:
economic prosperity, environmental quality, and social justice
 Bettering bottom line while also bettering its social and
environmental bottom lines
o Gearing up framework
 Take a company from a level of bare compliance with applicable law to
a place where sustainability is systemic, integrated part of its strategy
that transforms its business model and markets
● First gear – does little beyond complying with applicable
labour and environmental regulations
● Second gear – firms voluntarily move beyond mere compliance
i.e. viewing sustainability as legitimate; focus efforts on “eco-
efficiency”
● Third gear – more proactive in their efforts often partnering
with the government as well as suppliers and customers
● Fourth gear – firm has integrated sustainability principles into
its strategy and business processes
● Fifth gear – companies redesign or reengineer their
business models
● Nike example – company has rethought its entire design and production process to
reduce waste, utilize improved and even reusable materials and eliminate harmful
materials
● Argument in favor of sustainability – can be profitable for companies
● Argument not in favor – green business practices can sometimes entail profit
sacrifices, particularly in the short term
● Conflict arises with the commonly held view that corporate directors and officers
must strive to maximize shareholder wealth and affirmatively neglect other corporate
constituencies like labor, creditors, suppliers, customers and the environment
● Issue is how to maximize shareholder profits while becoming more sustainable

Sustainability Policy (p.510)

● A statement adopted by the highest authority in the organization, setting forth
the organization’s commitment to engaging in sustainable projects
● Can display a “tone at the top” which encourages employees to have greater respect
for the environment
● Can improve company’s public image and reduce the chance that it will be targeted
by activists
● Plexus Inc. sustainability policy example (p.511)

WHEN COMPLIANCE FAILS

Enron (p.513)
● American energy, commodities, and services company based in Houston, Texas.
Bankruptcy on December 2, 2001; Enron employed approximately 20,000 staff and
was one of the world's major electricity, natural gas, communications, and pulp and
paper companies, with claimed revenues of nearly $111 billion during 2000.
● What happened?
o The mark-to-market practice led to schemes that were designed to hide the
losses and make the company appear to be more profitable than it really was.
o In order to cope with the mounting losses, Andrew Fastow, CFO, came up with a
plan to make the company appear to be in great shape, despite the fact that many
of its subsidiaries were losing money.
o Scheme was achieved through the use of special purpose entities (SPE).
o An SPE could be used to hide any assets that were losing money or
business ventures that had gone under; this would keep the failed assets off
of the company's books.
o In return, the company would issue to the investors of the SPE, shares of
Enron's common stock, to compensate them for the losses. This game couldn't
go on forever, however, and by April 2001, many analysts started to question
the transparency of Enron's earnings.
● Summary of findings:
o Company’s profits were inflated and its financing structures were rife with
fraud and conflicts of interest; pumping up stock price, but stock eventually
collapsed
o Had code of ethics and compliance committees yet committed massive fraud
o The transactions between Enron and LJM2 that had the greatest impact on
Enron's financial statements involved four SPEs known as the “Raptors”
o Raptors were designed to make use of forecasted future growth of Enron's stock
price to shield Enron's income statement from reflecting future losses incurred
on merchant investments. This strategy of using Enron's own stock to offset
losses runs counter to a basic principle of accounting and financial reporting:
except under limited circumstances, a business may not recognize gains due to
the increase in the value of its capital stock on its income statement.
o Used partnerships to enter into transactions that it could not or would not do
with unrelated commercial entities; allowed Enron to inflate earnings via the Raptors
o Board of directors failed in oversight duties; approved arrangements that allowed
the Company’s CFO to serve as general partner in partnerships that participated
in significant financial transactions with Enron
o Board should be faulted for failing to demand more information, and for failing
to probe and understand the information that did come to it
o Had COI rule but had exception to the rule which was granted to Andrew
Fastow (CFO)
o Outside professional advisors, Vinson & Elkins, should have brought a
stronger, more objective and more critical voice to the disclosure process
o Company’s management was focused on financial results, not operating results.
What came out after the demise of Enron, including jail sentences for many of
the top executives, was overwhelming proof that Enron’s tone at the top was
fatally flawed.
o Tone at the top – Enron’s top executives set the tone for the culture; personal
ambition and greed seemed to overshadow their corporate and individual lives;
strived to maximize individual wealth by initiating and participating in
fraudulent behavior; Enron’s culture created an atmosphere ripe for the unethical
and illegal behavior that occurred; bad top management morality can be a
sufficient condition for creating a self-destructive ethical climate
o Problem:
 Enron operated what appeared to be a cutting-edge compliance shop
 Majority of the board were independent of management
 Enron’s Code of Conduct of Business Affairs set forth high
ethical obligations for senior management
 Company established procedures for review of related party transactions
at the highest corporate levels and required its Audit and Compliance
Committee to conduct annual reviews of such transactions
 Operated a whistleblower program with mechanisms for
anonymous reporting
 Retained reputable independent professionals i.e. Arthur Andersen
for accounting and Vinson & Elkins for law
 But, all these safeguards failed to detect or prevent the fraud
● Whistleblower – Sherron Watkins

Worldcom (p.518)
● US telecommunications corporation
● What happened?
o Fraud was implemented by and under the direction of CFO Scott Sullivan
o Sullivan directed the making of accounting entries that had no basis in GAAP
in order to create the false appearance that the company had achieved its
financial targets
o CFO and accounting firm inflated numbers so the company would hit its targets
o MBO = management by objectives
o More than $9 billion in false or unsupported accounting entries were made
in WorldCom’s financial systems in order to achieve desired reported
financial results.
o The fraud did not involve WorldCom’s network, its technology, or
its engineering.
o Most of WorldCom’s people did not know it was occurring. Rather, the fraud
occurred as a result of knowing misconduct directed by a few senior executives
centered in its Clinton, Mississippi headquarters, and implemented by
personnel in its financial and accounting departments in several locations.
o The fraud was the consequence of the way WorldCom’s CEO, Bernard J.
Ebbers, ran the Company – “source of the culture”; “Tone at the top”
o That the fraud continued as long as it did was due to a lack of courage to blow
the whistle on the part of others in WorldCom’s financial and accounting
departments; inadequate audits by Arthur Andersen; and a financial system whose
controls were sorely deficient.
o Serious corporate governance failure
o Board and its Committees did not function in a way that made it likely that
they would notice red flags i.e. outside directors had little or no involvement in
the company’s business other than the attendance at board meetings
o The Board, in particular the Audit Committee, played such a limited role in
oversight that it was unlikely that the fraud could have come to their attention;
no independent leadership until 2002
o Reputation played a role in the fraud i.e. Sullivan as the “whiz kid”
o Lawyers were not given full information, didn’t understand accounting
o Board of directors or board audit committee only saw information that
was provided to them, and the information had been carefully massaged
o Nature of accounting fraud:
 Reduction of reported line costs
 Exaggeration of reported revenues
o Why didn’t anyone blow the whistle early?
 The culture emanating from corporate headquarters emphasized making
the numbers above all else; keeping financial information hidden from
those who needed to know; blindly trusting senior officers even in the
face of evidence that they were acting improperly; discouraging dissent;
and a lack of outlets through which employees believed they could safely
raise their objections.
 Tone at the top – poor example of ethical leadership; disdain for
internal controls, overemphasizing profits over ethics and blaming
others for unethical practices.
● Ebbers controlled the Board’s agenda and its decisions; he and the
Board permitted a corporate environment in which the pressure to
meet the numbers was high, the departments that served as
controls were weak, and the word of senior management was final
and not to be challenged
● Board didn’t challenge Ebbers on the extent of his substantial
outside business interests i.e. rice farm, luxury yacht building
company etc.; Ebbers presented false picture to the market
● Steps to be implemented (see p.524)

Commonality between Enron and WorldCom (p.525)

● “High flying” company that seemed to go from success to success
● Excellent public relations
● Assiduous efforts to cultivate politicians
● Extraordinary stock price performance
● Rapid expansion through mergers rather than internal growth
● Lavish compensation of senior managers
● Ostentatious spending
● Domination by a single individual or small group
● Complex corporate structure that made it difficult to understand the entire enterprise

RISK MANAGEMENT I

What is Risk? (p.531)

● 2 definitions:
o Risk is the chance of something bad happening
o Risk is the dispersal of possible outcomes

What is Risk Management? (p.531)

● Any activity that an organization undertakes to deal with future uncertainties
● Seems to have substantial overlap with compliance
● Compliance function is a form of risk management
● In banking, compliance risk is sometimes referred to as “integrity risk”
● Three models:
1) Compliance and risk management operate in essentially discrete “silos”, each
with its own policies, procedures and management (practice to date); problematic
because it ignores the essential similarities in the functions and sacrifices
potential economies of scale
2) Compliance is part of risk management and places the compliance function
within the risk management operation; integrates risk and compliance and also
achieves better economies of scale and scope; problem is that any attempt to
merge the operation is going to be controversial
 Risk management recognizes that all business activities carry risk
and seeks to ensure that the company’s operations remain within the
parameters of a risk appetite defined by the board of directors
 Compliance cannot easily admit that the company has any “appetite”
for non-compliance; this could offend the regulators and the public
 “Zero tolerance” – the view that no level of compliance violations
is acceptable
 Combining risk management and compliance must overcome the hurdle
of the inconsistent attitudes
3) Risk management and compliance functions should be coordinated but
not combined
 Considerations of risk management are integrated into the
compliance function by allocating compliance resources on a risk
based model

Public Interest in Risk Management (p.533)

● Costs and benefits assumed by firms are not internalized by the organization
● Third parties gain or lose from what the firm does
● “Externalities” – third party effects which play a key role in the economic analysis
of social welfare
□ Because third parties are affected by the risk that organizations take on, there is a public
interest in risk management that transcends the particular concerns of the organization
or its owners
□ External effects of risky behavior are not limited to financial institutions
□ A company’s risk appetite will be reviewed by the regulator, and if anything
sparks concern, the regulator is likely to raise the problem with
management

Enterprise Risk Management (p.535)
□ Traditional notion of risk is the chance of something bad happening
□ Modern approach sees the chance of something bad happening as only one aspect;
general understanding would be the chance of something good happening as well – risk is
measured by a dispersal of outcomes rather than simply the chance of a bad one
□ Both concepts generate different philosophies of risk management
□ Focus is on determining how much risk the organization is willing to take on
□ Preference to a more encompassing definition of risk, but, practically the focus
is on adverse events rather than good ones

Distribution of Responsibility for Managing Risk

□ Historically – distributed across business lines; no longer the case because it
came to be seen as sacrificing more than it gains (“silos” are bad!)
o Problems:
 Allocating risk management to operating divisions does not generate
optimal results because the incentives and philosophy of the line managers
may not align reliably with the interests of the organization
 Dividing the tasks of risk management ignores correlations across
different parts of the company i.e. a risk that may be acceptable in
one division could be unacceptable for the enterprise
 Risks can also fall through the cracks when managed on a siloed basis
because no one takes responsibility for ensuring that the separate
operations are coordinating their activities i.e. NASA’s Mars
Planet Orbiter
□ Modern – seeks to centralize the task of risk management and to provide greater
analytical focus by defining a risk appetite applicable to the organization as a
whole; integrated approach is intended to deal with the problems of insufficient or
skewed incentives, conflicts in goals, and problems of coordination that had
afflicted the silo approach (better when different divisions talk to each other!)

Risk Mitigation Strategies (p.537)

□ Traditionally – insurance
□ Modern – programs that do not focus on insurance i.e. bearing the risk itself or
“self-insuring”, implementing a system of internal controls that reduces the chance of an
adverse event occurring
□ The concept of insurance as the preferred device for mitigating risk grows out of the
first definition of risk; it doesn’t take account of the upside of risk that is included
in the newer definition
□ Asymmetric information risk

Priority of the Topic
□ Historically – given a modest priority; a technical issue to be handled
by professional managers without substantial board attention
□ Risk is today a central focus of board deliberations, and companies have
created positions for chief risk officers and devoted resources to manage risks

Focus of Risk Assessment

□ Traditionally – looked at financial risks to the organization; risks took longer to develop
□ Modern – focuses on non-financial as well as financial risks; while all risks affect
an organization’s bottom line, not all risks are easily quantified in financial
terms
o Succession risk – who will take over leadership if the CEO dies? This risk is not
immediate or easily quantified
o Seeks to take into account the unquantifiable risks

Transparency of Risk and Risk Management (p.538)

□ Financial crisis 2007-09 demonstrated that risks were not transparent in many financial
organizations i.e. AIG insurance that failed as a result of poorly understood bets made
by a London office which wrote credit default swaps
□ Contemporary risk management operations seek to avoid unpleasant surprises
□ ERM
o Set of policies and procedures under which upside and downside risks are
analyzed systematically, comprehensively managed, and treated as central aspects
of an organization’s strategic plans
o Used in a positive sense conveying an idea of progress and subtly denigrating the
approaches to risk management used in the past
o Encourages organizations to incorporate a risk assessment as a central feature in
the design and implementation of other systems of internal control
o Today, almost all large organizations endorse ERM
o Ideas included in ERM:
 Risk is conceptualized as dispersal or variance of results, not the chance
of something bad happening
 Risk management is carried out on an enterprise-wide basis, rather
than being distributed within the organization
 Risk includes any contingency that may affect the
organization’s performance
 Approved risk management strategies are broader than the purchase
of insurance
 Risk management function is elevated in importance within
the organization through institutional changes
 Organization’s policies towards risk and risk management are
more transparent both internally and for purposes of regulatory
review

Types of Risk (p.539)

□ ERM asks organization’s managers to assess all material risks to the organization
□ First step – to compile an inventory of risks with a view to assessing both the
probability they will occur as well as the costs that the organization will experience
if they do
□ Leading risks that regulators have identified:
 Credit risk
 Liquidity risk
 Market risk
 Strategic risk – i.e. transformation risk or the risk associated with changes in
the organization’s business model; change management – the management of
transformation risk (biggest worry for risk managers!)
 Competitive risk
 Regulatory risk
 Reputation risk
 Asymmetric information risk – fancy way of referring to the fact that the board of
directors and even senior executives may not fully understand what is going on in
the companies they manage; asymmetric because the information exists but not
in the hands of those who need it in order to make decisions i.e. JPMorgan
Chase’s “London Whale” trading fiasco
 Operational risk – the risk of losses resulting from inadequate or failed
internal processes, people and systems, or external events
● i.e. the Basel Committee uses the term in the traditional loss-focused sense; it
does not address the risk of gains from above-average internal
processes, systems, or people or fortunate external events
● The loss-focused definition of operational risk may reflect the fact that the
Basel guidelines were adopted before the ERM movement came into
full power
● Operational risk is intended to exclude strategic or competitive risks i.e. if
a company’s board makes a bad business decision, this is a strategic
risk not operational risk; if the company finds that it is unable to meet
competition from cheap imports, this is not operational but rather
competitive
● Included in operational risk are cases of compliance failures or other
violations of the law; they represent a failure of people or systems
of internal control
● Includes systems breakdowns
● Range of operational risks is so enormous that it may be impossible
to inventory all cases
● Problematic aspect of operational risk concerns the risk associated with
vendors i.e. “vendor risk” – at Fidelity National Information Services;
practice exposes the organization to risk from an operational risk failure
at a vendor
□ Managing the risk of corporate change is challenging because of the magnitude of
potential problems and in many cases the infrastructure used to manage change is
itself disrupted by the change
□ Ordinary risk management – deals with “known unknowns”
□ Corporate changes – often involve “unknown unknowns”

Governance of Risk (p.543)

□ Job of overseeing risk management is reserved for the board of directors
□ Boards often delegate risk management to committees i.e. audit committee,
special risk committee
□ At the executive level, the task of risk management is carried out by a designated officer
i.e. CRO who reports to the risk committee, the board, or the CEO
□ Directors owe a fiduciary duty to ensure that reporting systems are in place for
detecting legal violations by corporate agents

Wachtell, Lipton, Rosen, & Katz, Risk Management and the Board of Directors (2013)
□ What is the proper role of the board in corporate risk management?
o Argues that the board should not be involved in day-to-day risk management but
instead should, through its oversight role, satisfy itself that the risk
management processes designed and implemented by executives and risk managers
are adapted to the board’s corporate strategy and are functioning as directed, and
that necessary steps are taken to foster a culture of risk-adjusted decision making
throughout the organization
o The board can send a message to the company’s management and employees that
corporate risk management is not an impediment to the conduct of business nor a
mere supplement to a firm’s overall compliance program but is an integral
component of the firm’s corporate strategy, culture and value generation process
o Important for directors to have the experience, training and knowledge of the
business necessary for making a meaningful assessment of the risk that the
company faces
o Should also consider the best organizational structure to give risk
oversight sufficient attention at the board level
□ Company’s RMS should function to bring to the board’s attention the company’s most
material risks and permit the board to understand and evaluate how these risks
interrelate, how they affect the company, and how management addresses these risks
□ Courts have taken the view that a breach of duty for failure to exercise oversight would
be a breach of the duty of loyalty, which is not subject to indemnification by a company
□ The board is advised to act well above the minimal standards established in Caremark
□ To avoid risk of Caremark liability, boards should ensure that the company implements
appropriate monitoring systems tailored to each type of risk, and to periodically review
these monitoring systems and ask management and/or outside consultants for an
assessment of the systems’ adequacy
□ Directors should involve the company’s general counsel to fulfill its duty
to have effective monitoring systems

RISK MANAGEMENT II - “APPROACHES TO RISK MANAGEMENT”

Introduction (p.547)
□ No single approach to risk management dominates; no consensus, instead, the
techniques in common usage are adapted to, and sometimes grow out of, specific
business lines or areas

Data
□ All risk management techniques depend crucially on the acquisition,
analysis, and presentation of information
□ Data must first be compiled; decision maker will not sort through or understand raw data
therefore someone must categorize and analyze the information so it can be presented
to the decision-maker in summary form
□ Presentation of data must be embodied in a medium and a form that allows
the decision-maker to focus on the important patterns and screen out the
noise
□ Classic example of the importance of information analysis and presentation is the
case of the NASA Challenger – illustrates two points about the role of information
in risk management:
1) The proper information must be used if the analysis is to be valid (in
Challenger, relevant information had been compiled but it was not used)
2) The Challenger disaster illustrates the power and also the perils of
graphic presentation of data
□ Graphic or tabular presentation of data is a key element of
contemporary risk management
o Universal use of this form of presentation is driven by 2 developments:
 Vendors of analytic risk management products sell their services
most effectively if they can offer to package information in
attractive compelling ways
 Attractive and inexpensive color photocopying has made it possible to
enhance the effectiveness of graphic presentations by coding
information in color
□ Dashboard – the graphic presentation of data; a suite of charts or a slide deck containing
information displayed in a variety of graphic formats; organized in hierarchical
fashion (tables are an important element of any dashboard)
o Values out of range would show up in red
□ Heat maps – a matrix that displays how one variable varies across two others; might
locate different functions on a grid formed by the variables “likelihood” and
“impact”; areas of greatest impact and likelihood would show up in red and the area
of lowest impact and lowest likelihood shown in green; intermediate values in yellow

Risk Appetite (p.551)

□ A formal statement of the amount of risk that the board of directors is willing to take on
□ Approved by the board of directors and thus represents a policy implemented
on an enterprise-wide basis and adopted at the highest corporate level
□ Reflects core objectives of ERM
□ Captures the idea of tolerance for risk
● It is not risk per se that firms desire, but rather the return that cannot be achieved
without accepting a certain level of risk
● Junk bonds – debt issued by low rated corporations; if things go well the investor
can earn a much larger return; but they also carry a substantial risk of default
o Not necessarily a bad investment; much depends on the investor’s willingness
to tolerate risk
● Risk is always relative; no riskless options!
● Risk appetite suggests that while an organization is willing to take on a certain level
of risk, its appetite is not unlimited; there are some strategies that simply carry too
much risk to be accepted

Implementing the Risk Appetite (p.552)

● 5 steps involved: (occur more or less simultaneously and are performed on an ongoing
basis; senior managers should assess the full range of options before presenting
questions to the board for decision)
1) Compiling a risk inventory
 Many risks are known and require little effort to identify; but there
are always emerging risks which are not immediately salient
 Organizations can use various strategies in responding to the challenge
of identifying emerging risks i.e. management consultants, independent
directors, regulators
2) Assessing inherent risk
 Inherent risk – risk associated with an activity if the
organization undertakes no efforts to prevent or mitigate the risk
 Measured by evaluating two variables: the probability that the event
will occur multiplied by the magnitude of the event if it does occur
 Risk managers use more of a qualitative approach
3) Assessing controls and mitigation options
 Controls – things an organization can do to prevent the risky event
from happening; reduce the likelihood of a bad event occurring
 Mitigation options – things the organization can do to limit the costs if
the risky event does occur; they reduce the magnitude of the event if it
does take place i.e. risk of loss to a homeowner as a result of storm
damage, a control strategy would be some measure the homeowner uses
to prevent damage like hurricane windows, a mitigation option would be
to purchase home insurance
 Leading control strategies:
● Internal controls by creating lines of defense against mistakes or
violations of policy that could harm the organization i.e. internal
audit function
● Activity level management reduces risk by reducing the amount
that a company engages in a particular investment or line of
business i.e. a risk manager concerned that the company has too much
exposure to mortgage backed securities, a strategy would be to
sell off some of the organization’s portfolio of these products
 Leading mitigation options:
● Policies of insurance and related arrangements
● Hedging transactions through offsetting investments that
perform in the opposite direction than the investment creating
the risk
4) Assessing residual risk
 Residual risk – the risk that remains in an activity once the
organization has implemented measures to control or mitigate risk
 Can be modeled on the same heat map that the risk manager uses
to evaluate inherent risk
 Example, drug manufacturers – there is an inherent element of risk
that they will be found liable; then there are control strategies such as
a compliance program, and mitigation options such as cooperating
with regulators; the residual risk is the risk of off label marketing
violations after the risk management measures have been implemented
5) Accepting residual risk
 Key step in the process; should be undertaken deliberately by persons
with appropriate levels of responsibility within the organization
 Central to the concept of ERM i.e. views risk as accepting good as well as
bad outcomes which insists that risk be intelligently and comprehensively
managed on an enterprise wide basis
● There are several points of leverage in this process i.e. cut back the level of the
proposed activity, increase strategies and options to mitigate or control risk, accept or
not accept the level of inherent risk that remains in choices 1 and 2
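The five steps above, together with the likelihood/impact heat map described under Data, carried through as an added worked example (not from the course materials or any vendor product): the 1..5 scales, the colour thresholds, the sample inventory and the appetite figure are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed 1..5 ordinal scales: likelihood (1 rare .. 5 almost certain) and
# impact (1 negligible .. 5 severe). These are the two axes of the heat map.
Cell = Tuple[int, int]


@dataclass
class Risk:
    name: str
    likelihood: int        # probability the event occurs, with no measures in place
    impact: int            # magnitude if it does occur, with no measures in place
    controls: int = 0      # control strategies in place; each lowers likelihood one step
    mitigations: int = 0   # mitigation options in place; each lowers impact one step

    def inherent(self) -> Cell:
        """Step 2: inherent risk, the (probability, magnitude) pair before any measures."""
        return self.likelihood, self.impact

    def residual(self) -> Cell:
        """Step 4: what remains after controls (likelihood) and mitigations (impact)."""
        return (max(1, self.likelihood - self.controls),
                max(1, self.impact - self.mitigations))


def score(cell: Cell) -> int:
    """Probability multiplied by magnitude, the two-variable measure used in step 2."""
    likelihood, impact = cell
    return likelihood * impact


def zone(cell: Cell) -> str:
    """Heat-map colour of a cell: red for high, yellow for intermediate, green for low.
    The thresholds (15 and 6) are constructed for this example."""
    s = score(cell)
    if s >= 15:
        return "red"
    if s >= 6:
        return "yellow"
    return "green"


def cut_back(risk: Risk, steps: int) -> Risk:
    """Activity-level management (step 3): shrinking the position lowers the magnitude at stake."""
    return Risk(risk.name, risk.likelihood, max(1, risk.impact - steps),
                risk.controls, risk.mitigations)


def decide(register: List[Risk], appetite_max_score: int) -> Dict[str, str]:
    """Step 5: accept residual risk only where it sits inside the board's stated appetite.
    A red-zone residual is never accepted; a residual above the appetite needs more
    controls or mitigation (or a smaller activity) before it can be accepted."""
    decisions = {}
    for r in register:
        res = r.residual()
        if zone(res) == "red":
            decisions[r.name] = "reject: red zone, cut back the activity"
        elif score(res) <= appetite_max_score:
            decisions[r.name] = "accept"
        else:
            decisions[r.name] = "reduce: add controls or mitigation before accepting"
    return decisions


def heat_map(register: List[Risk], which: str = "residual") -> str:
    """Render the 5x5 likelihood/impact grid as text, plotting each risk in its cell.
    `which` is "inherent" or "residual"; the same grid serves both, as the notes say."""
    rows = []
    for likelihood in range(5, 0, -1):
        cells = []
        for impact in range(1, 6):
            here = [r.name for r in register if getattr(r, which)() == (likelihood, impact)]
            cells.append(f"{zone((likelihood, impact))[0]}:{','.join(here):<14}")
        rows.append(f"L{likelihood} | " + " ".join(cells))
    rows.append("     " + " ".join(f"I{impact:<15}" for impact in range(1, 6)))
    return "\n".join(rows)


# Step 1: a constructed risk inventory, using the illustrations the notes themselves give.
SAMPLE = [
    # compliance program (control) + cooperating with regulators (mitigation)
    Risk("off-label marketing", likelihood=4, impact=5, controls=1, mitigations=1),
    # hurricane windows (control) + home insurance (mitigation)
    Risk("storm damage", likelihood=3, impact=4, controls=1, mitigations=2),
    # mortgage-backed securities exposure with nothing in place yet
    Risk("MBS exposure", likelihood=4, impact=5),
]
RISK_APPETITE_MAX = 12   # constructed appetite: highest residual score the board accepts


if __name__ == "__main__":
    print(heat_map(SAMPLE, "inherent"), "\n")
    print(heat_map(SAMPLE, "residual"), "\n")
    for name, verdict in decide(SAMPLE, RISK_APPETITE_MAX).items():
        print(f"{name:<22} {verdict}")
    # Point of leverage: sell off part of the MBS portfolio, then re-evaluate.
    print(decide([cut_back(SAMPLE[2], 2)], RISK_APPETITE_MAX))
```

Running the script prints the inherent and residual heat maps side by side, which is how the same grid shows both the starting position and the effect of the chosen controls and mitigations.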

Black Swans, Fat Tails, and Stress Tests (p.556)

● Effective risk management requires that organizations also plan for unusual times
and circumstances
● Process occurs at the level of senior management and often involves qualitative
factors that cannot be reduced to numeric form
● Black swan event – one which is unanticipated and unexpected but which has
major consequences i.e. a rare bird
o Events can be unexpected in 2 ways:
1) While rare, may be predicted to happen according to a well understood
pattern i.e. people’s IQs are distributed according to a normal probability
distribution
2) We do not even understand the probability distribution from which the
event is drawn
● Fat tail distribution – one where the probabilities of the tails, the extreme events, are
higher than under the bell curve distribution i.e. financial crisis, with respect to
financial panics we have insufficient information to model the underlying probabilities
with any confidence
● Stress test – a scenario in which a model of an organization is subjected to unusual
and challenging conditions then evaluated for its performance; hypothetical scenario
o 2 key elements:
 Must be a model of the organization
 Stressors chosen – many different stress scenarios may be chosen
o Most fully developed set of stress scenarios are in the area of financial institutions

Drilling Down: Specific Risk Management Strategies (p.559)
□ In financial firms quantified risk management strategies are utilized to
control particular forms of risk
□ Rely on mathematical models – simplified versions of reality that seek to
emulate some features of the institutions being managed or evaluated
□ Different approaches: (all combine several features i.e. quantitatively precise, inputs to
the models must be limited in number and readily available, models should be supported
by intellectual credentials, models should generate output that can easily be used in
defined strategies by people who don’t understand the underlying theory i.e. traders)
o Corporate default estimation methods
o Black Scholes option pricing formula
o Value at risk models
□ Note: all three depend on mathematical formula

Model Risk (p.563-70)

□ Occurs primarily for two reasons: (p.564)
1) Model may have fundamental errors and may produce inaccurate outputs
when viewed against the design objective and intended business uses
2) Model may be used incorrectly or inappropriately
□ Mathematical models have power because they generate controlled and
theoretically justified quantitative results that can be of immediate use to
decision makers
□ Guiding principle for managing model risk is “effective challenge”

Behavioral Economic Approaches to Risk Management (p.570)


□ Challenges the classical models of economics which assume that regardless of their goals
and purposes, people will generally act in such a way as to maximize whatever
objectives they seek to achieve
□ People don’t always act in the ways modeled by classical economics, and that
behavior deviates from rationality in predictable ways
□ Intellectual hazard – the tendency of behavioral biases to interfere with accurate
thought and analysis within complex organizations; impairs the acquisition,
analysis, communication, and implementation of information within an organization
and the communication of such information between the organization and external
parties
□ Geoffrey Miller et al. argue that intellectual hazard was a cause of the financial crisis
□ Moral hazard v. intellectual hazard: (p.571-72)
o Intellectual hazard is similar to moral hazard in a number of ways:
▪ Moral hazard is a problem that results from a structural feature of
markets that is in other respects highly beneficial – shifting of risk to
more efficient risk bearers
▪ Intellectual hazard results from otherwise beneficial division
of responsibility among specialized instrumentalities
▪ Like moral hazard, intellectual hazard is pervasive
▪ Just as moral hazard exists whenever risk is shifted away from an
actor whose actions may cause harm, intellectual hazard exists
whenever production becomes segmented into complex
organizational forms
▪ Like moral hazard, intellectual hazard can present systemic risks –
because it affects organizations that are large, interconnected, or linked to
many other similarly situated organizations, intellectual hazard can pose a
threat to the stability of an entire system of markets or institutions
▪ Intellectual hazard poses a threat to the smooth, orderly, and
efficient functioning of the world’s financial markets
WEAKNESSES OF ERM

Two general issues:


□ What factors cause the risk management function to break down?
□ What steps could or should have been undertaken to prevent the disaster
before it occurred?

UBS and the Financial Crisis (p.573)


□ Swiss bank took huge losses at the outset of the crisis as a result of improvident
investments in subprime mortgage backed securities; a bailout by the Swiss
National Bank was required to tide the bank through its troubles
□ UBS issued a “transparency report” to its shareholders which examined the
bank’s failures leading up to the crisis, identifying the following causes:
o Growth strategy
o No balance sheet limits
o Low refinancing rates
o Complacency
o No overall assessment of risk positions
o Reliance on information from business units
o Overreliance on statistical methods – too little attention paid to the fundamental
risks underlying the US housing market
o Remuneration – UBS did not distinguish good performance from income
generated by exploiting market advantages, i.e. low funding costs; incentive
structure encouraged the generation of revenues without adequately considering
the associated risks
□ Note: report was prepared by a company which experienced a breakdown in risk
management; also, one of UBS’s self-criticisms is that the bank failed to impose limits
on growth
o Report faults the bank for complacency and overconfidence
o Change was part of UBS’s problems
o Report suggests that ordinary standards of business prudence were cast by the
wayside in the company’s impetuous push for growth
o UBS relied too heavily on statistical models
o Study involves breakdowns both in risk management and compliance
o Risk management breakdown occurred when the bank maintained a large,
unhedged portfolio of mortgage backed securities
o Compliance breakdown occurred when representatives of the bank’s wealth
management department solicited business of US citizens on promises to help
them avoid US taxes

The London Whale (p.575)


□ Example of risk management breakdown is JPMorgan Chase’s London Whale fiasco
□ What happened?
o In April and May 2012, large trading losses occurred at JPMorgan's Chief
Investment Office, based on transactions booked through its London branch. The
unit was run by Chief Investment Officer Ina Drew. A series of derivative
transactions involving credit default swaps (CDS) were entered, reportedly as part
of the bank's "hedging" strategy. Trader Bruno Iksil, nicknamed the London
Whale, accumulated outsized CDS positions in the market. An estimated trading
loss of US$2 billion was announced, with the actual loss expected to be
substantially larger. These events gave rise to a number of investigations to
examine the firm's risk management systems and internal controls.
o The internal investigation concluded in July 2012. It involved more than 1,000
people across the firm and outside law firm WilmerHale. A report issued in
January 2013 made the following key observations:
▪ CIO [Chief Investment Office] judgment, execution and escalation in
the First Quarter of 2012 were poor
▪ The Firm did not ensure that the controls and oversight of CIO evolved
commensurately with the increased complexity and risks of certain
CIO activities
▪ CIO risk management was ineffective in dealing with synthetic
credit portfolio
▪ Risk limits for CIO were not sufficiently granular
▪ Approval and implementation of CIO Synthetic Credit VaR Model
were inadequate
o JPMorgan Task Force criticized both those who designed and implemented the
flawed trading strategy and also those in management, including top bank
officers, for having allowed the losses to occur (about people!)
▪ Ina Drew – failed to ensure that the CIO management understood and
properly monitored the trades, failed to ensure that internal controls
functioned as intended, and failed to understand or appreciate the
changes that occurred to the Synthetic Credit Portfolio in 2012
▪ Barry Zubrow – head of the enterprise’s risk management operation at
the time of the trades, failed to properly control risk in the CIO operation
▪ Douglas Braunstein – CFO did not correct weaknesses in financial
controls applicable to the Synthetic Credit Portfolio, failed to question the
changes displayed by the portfolio in 2012, and believed that the problems
were primarily the responsibility of risk management rather than finance
▪ Jamie Dimon – CEO and Chairman, he did respond forcefully when
he became aware of the seriousness of the issue and he provided
self-criticism
o Consequences?
▪ August 2013 two traders who worked in the CIO department were
indicted for allegedly falsifying records and hiding losses from
regulators
▪ JPMorgan Chase entered into a $920 million agreement with multiple
regulators to settle charges arising out of the fiasco, i.e. SEC,
Federal Reserve System, Comptroller of the Currency
▪ Bank agreed to a $100 million settlement with the Commodity Futures
Trading Commission and acknowledged that it bore some degree of
blame for the fiasco

Benghazi (p.578)
□ Government is also a complex organization subject to many risks
□ Report made by a State Department review board of the events surrounding the
terror attacks in Libya that cost the lives of Ambassador Chris Stevens and three
other US government personnel

Report of the State Department Accountability Review (p.579)


□ Risk appetite did not extend to those who died
□ Report examines whether the attacks were security related; whether security systems and
procedures were adequate and implemented properly; the impact of intelligence and
information availability; whether any other facts or circumstances in these cases may be
relevant to appropriate security management of US missions worldwide; whether any
US government employee or contractor breached her duty
□ Concluded that while the US cannot retreat in the face of such challenges, it
must work more rigorously and adeptly to address them, and that US
diplomats and security professionals serve the nation in an inherently risky
profession
□ Risk mitigation involves 2 imperatives:
o Engagement
o Security
□ Both require leadership, good intelligence and evaluation, proper defense
and strong preparedness and downsizing, indirect access and even
withdrawal
□ No one paradigm!
□ Accountability Review Board determined that:
o The attacks were security related
o Systemic failures and leadership and management deficiencies at senior levels
within two bureaus of the State Department resulted in a Special Mission security
posture that was inadequate for Benghazi and grossly inadequate to deal with the
attack that took place
o Systems and the Libyan response fell short in the face of a series of attacks that
began with the sudden penetration of the Special Mission compound by dozens of
armed attackers
o Intelligence provided no immediate, specific tactical warning of the September 11
attacks
o Certain senior State Department officials within two bureaus demonstrated a lack
of proactive leadership and management ability in their responses to security
concerns posed by Special Mission Benghazi, given the deteriorating threat
environment and the lack of reliable host government protection
□ Four members of the committee were picked by the Department and one came
from the intelligence community
□ The committee declared that they had full and complete access to every source of
information which they deemed relevant to their investigation; committee
never interviewed Hillary Clinton
□ Whistleblower revealed that the agency had been engaged in extensive
surveillance involving US citizens and leaders of friendly countries –
Edward Snowden
□ There was a lack of security features, security forces personnel, budget
and bureaucratic issues
