For more on drafting a successful compliance policy, see our online exclusive "Creating a compliance program."
In this time of mounting regulation and enforcement activity, the in-house bar faces the unending task of identifying and addressing its risks and its compliance needs.
“If you’re a compliance attorney working in-house, it no doubt can feel like one heart attack after the next,” says Markus Funk, a partner at Perkins Coie, “because you are facing what can seem like a never-ending parade of serious issues and freshly minted compliance challenges.”
Different sectors face a panoply of industry-specific laws and regulations. Among the issues that affect a broader swath of corporations, there are seven that legal practitioners identify as the most pressing in light of current and expected future regulation and enforcement.
In light of the relentless enforcement activity aimed at Foreign Corrupt Practices Act (FCPA) violations, every company doing business abroad is aware of the risks, but the FCPA—along with its broader, across-the-pond sister, the U.K. Bribery Act—remains difficult terrain for numerous reasons (see “FCPA crackdowns”). As a result, it remains the top compliance concern for many companies.
On paper, the anti-bribery provisions of the FCPA are incredibly simple and broad, prohibiting any payment or gift to a foreign official in order to obtain or retain business. Compliance, however, can be hard to apply in the real world.
“FCPA issues present a tremendous conflict between the law ... and the reality of trying to do business in places like China, where everything you do is with a company owned in part by the state, and therefore everything you would normally do in a commercial context is subject to this additional regulation,” says Marc Rosenberg, a partner at Cravath, Swaine & Moore.
In-house counsel now understand the fundamental risks the FCPA presents, but without proper training and procedures, the nuances of those risks can fall under the radar in some companies. One example is how broadly the government defines “foreign officials”—it includes, for instance, officials from sovereign wealth funds and doctors in state-run hospitals, a definition that has caused trouble for the pharmaceutical and medical device industry. Furthermore, since most companies settle FCPA cases rather than take their chances before a jury, woefully little case law exists to illustrate and illuminate the line between what the government will consider corrupt and what it will deem acceptable.
Despite such uncertainties, when companies implement internal compliance procedures to address their FCPA risk, they must place a central focus on educating their people on the ground on what the FCPA prohibits and how it applies in their day-to-day.
“You hear people talk about tone at the top. The challenge for the FCPA is really tone at the middle,” Rosenberg says. “It’s getting the folks in the factory in China or in the marketing department somewhere in the Middle East to truly understand what you’re trying to accomplish. Otherwise you have the lawyers back in the states not really understanding how business gets done, and you have the people on the ground not really understanding what the law’s intended to do, and you end up with absurd results.”
2. Hacker Attacks
Sony’s PlayStation network shut down for 24 days in 2011 after hackers stole personally identifiable information for 77 million players. In 2010, a Hungarian hacker lifted financial and other confidential proprietary information from Marriott International’s computer systems and threatened to go public with it if the company didn’t give him an IT job. In June, hackers breached the user passwords of social networking site LinkedIn and the dating site eHarmony. Government- and private-sector hackers based in China have targeted myriad U.S. corporations, including Google Inc., members of the U.S. Chamber of Commerce and Nortel Networks Corp., where hackers are believed to have accessed networks for up to 10 years.
At an alarming rate, more and more companies are falling victim to computer hackers, whether they’re rogue employees, competitors, foreign nationals, good old-fashioned identity thieves stealing credit card numbers or hacktivists trying to make a statement.
“Computer hacking is much more widespread than is commonly believed,” says Patrick Daugherty, a partner at Foley & Lardner. “I have a client who says, ‘We used to say there are those companies that have been hacked and those that haven’t been. Now it’s a question of those companies that know and those that don’t know.’”
A breach can rise to a Securities and Exchange Commission (SEC) matter if it’s not properly disclosed, and the agency has issued guidance on such disclosures. But the bigger risk for companies, Daugherty says, is the potential theft of proprietary information and sensitive customer information, which can result in untold costs to the business and reputational damage. Proper network and data security policies to address such threats are vital.
“Say you’re in the business of making weapons systems and foreign nationals hack your computers to determine what new product parts you’re developing, or you’re a bank and someone hacks into the financial information of your customers," Daugherty says. "That's pretty profound."
3. Insider Trading
It’s an issue that dates back to the 1929 stock market crash, but insider trading is still top of mind for corporations, particularly in light of high-profile cases and severe punishments that continue to emerge. In June, for instance, the trial stretched forward in the case of Rajat Gupta, the former Goldman Sachs Group Inc. director accused of delivering confidential tips to hedge fund manager Raj Rajaratnam, founder of Galleon Group. Rajaratnam was sentenced last year to 11 years in prison, ordered to pay $102 million in criminal and civil fines and to forfeit nearly $54 million in profits. Matthew Kluger, an attorney who stole confidential information on corporate mergers from several law firms, was handed a record 12-year prison sentence in June for his part in an insider-trading scheme that prosecutors said generated $37 million in illegal profits over 17 years.
“People are trying to make sure they have the right procedures, that their own secrets are protected and that their people aren’t accused of mistreating others’ secrets—not necessarily trading on them, but just not handling them with appropriate care,” Rosenberg says. “That’s particularly true for people in businesses that involve handling other people’s confidential information.”
4. Supply Chains
Between the Food Safety Modernization Act, the Consumer Product Safety Improvement Act, Dodd-Frank’s conflict minerals provision and California’s Transparency in Supply Chains Act, companies increasingly find themselves combing through extensive and sprawling supply chains for noncompliant or problematic links.
Regulations under the Food Safety Modernization Act are aimed at the food industry, but they promise to affect entire supply chains, says John Shapiro, a partner at Freeborn & Peters. “Although industry-specific, it’s applicable to all kinds of companies that move goods and provide services and are somewhere along that supply chain,” he says. “It changes the nature of supply relationships.”
The supply chain compliance challenges mirror those in the FCPA context, Funk says. The baseline expectation in both areas is appropriate training, policies, due diligence procedures and other such measures.
Misconduct and noncompliance will put companies at risk of enforcement actions. Under the California statute, the state attorney general can order injunctive relief, forcing companies to make the necessary public disclosures.
“That remedy, however, doesn’t cause compliance personnel too many sleepless nights—what does are the potentially devastating negative PR consequences resulting from consumer boycotts, advocacy group actions, class action lawsuits and the related negative media coverage,” Funk says.
Under Sarbanes-Oxley, public companies are required to have procedures in place for whistleblowers to report accounting and auditing fraud. The Dodd-Frank Act provides whistleblower protections and bounties for any violations of securities laws. The False Claims Act is another area of the law with similar provisions.
“One of the biggest compliance issues for management related to the securities laws are the Dodd-Frank whistleblower provisions, and a big focus for corporate governance and board governance is making sure these companies have appropriate risk management and compliance programs in place,” says Tonya Grindon, a shareholder at Baker Donelson. “We’re seeing the implementation of robust compliance programs for whistleblowers.”
One of the main industry concerns about the Dodd-Frank provision was that it allowed employees to go straight to the government with complaints, but it appears that the corporate focus on strengthening compliance programs has helped avoid a spike in employees whistleblowing directly to the government before raising their concerns within the company.
“A lot of companies heightened the promotion of their compliance programs to encourage people to come forward internally, and that took a bit of the edge off of people going directly to the government,” says Bradley Siciliano, a shareholder at Littler Mendelson. “Studies have shown over and over again, both before and after Dodd-Frank, that the employees who ultimately go to the government almost inevitably start by going to their employer, and they only go to the government when they’ve been ignored. Most of these people are generally motivated not by greed, but by doing the right thing by their company, and they seem to still be doing that, notwithstanding the Dodd-Frank whistleblower provision.”
6. Data Privacy Protection
In recent years, technological innovations such as behavioral targeting and advertising, location-based services, facial recognition and biometrics have sparked debate about data privacy among consumer groups, industry groups and regulatory agencies such as the Federal Trade Commission (FTC), Federal Communications Commission and Department of Commerce.
Data privacy legislation is expected to arrive at some point in the distant future, but in the meantime, industry guidelines and agency guidance are beginning to weigh in on what’s acceptable and what’s expected of affected companies. And the enforcement has already begun: Failures to adequately protect user data at Facebook Inc. and Google have led to FTC settlements mandating they implement privacy programs and submit to outside privacy audits for 20 years. Beyond the usual suspects—Internet companies, software companies and social networks—action on data privacy will likely have effects on the financial services industry, telecommunications companies and retailers.
“I suspect we’ll have a lot more activity in that area and that it will impact companies that aren’t the obvious targets," Rosenberg says. “That’s probably the biggest risk.”
In addition to activity in the U.S., foreign laws addressing data privacy are mounting. The European Union, for instance, whose privacy laws were already known for their stringency, this year unveiled a comprehensive reform of its data privacy regulations, which introduced requirements such as appointing a data protection officer and giving people the right to request that companies delete their personal data.
One industry that is charged with protecting especially sensitive personal information is health care, which is subject to the Health Insurance Portability and Accountability Act and other health care regulations in the U.S. Industries can learn from its practices, such as organizations assessing their own practices and the practices of contractors, using appropriate encryption and instituting policies on mobile devices and laptops, says Douglas Swill, chair of the health care practice group at Drinker Biddle.
“These practices are seen across different industries that handle sensitive personal information,” he says. “Because health care deals with much more sensitive information, health care organizations have been a leading industry in terms of taking precautions on securitization of information.”
7. Economic Sanctions
In 2007 and 2008, set tlements in enforcement cases brought by the Treasury Department’s Of f ice of Foreign Asset Control (OFAC) related to transactions with places, parties and entities subject to U.S. economic sanctions recovered around $5 million. In 2009, the number shot to more than $772 million. Settlements in 2010 and 2011 recovered a total of around $292 million. Enforcement is up, the number of economic sanctions programs against countries and individuals deemed to be specially designated nationals is increasing, and the web of sanctions rules seems to grow more complex every day.
“For many years, the enforcement of economic sanctions laws has been somewhat sporadic,” says Jeffrey Lehtman, a partner at Richards Kibbe & Orbe. “We’re starting to see a developing trend of the U.S. government seeking to flex its muscles to enforce economic sanctions rules more forcefully and broadly. ... I expect that OFAC will become more aggressive in bringing cases against companies where perhaps violations of the economic sanctions rules aren’t obvious on their face.”
The skyrocketing OFAC enforcement numbers of the past few years have been bolstered by some very substantial penalties against non-U.S. banks, including a $536 million settlement with Credit Suisse AG, a $217 million settlement with Lloyds TSB and a $176 million settlement with Barclays, all related to OFAC violations for processing transactions for sanctioned countries and entities. In 2011, U.S.-based JPMorgan Chase & Co. settled civil charges related to OFAC violations for $88 million.
Economic sanctions are one of the biggest compliance challenges facing the financial services industry, says Thaddeus McBride, a partner at Sheppard Mullin.
“The challenge for financial institutions is that there are so many transactions every day, internationally, with so many parties, that it’s hard for them to always stay on top of what parties are sanctioned,” he says. “The Treasury Department relies tremendously on financial service institutions to be the bulwark against violations … and the banks and other financial institutions take these obligations very seriously and commit substantial resources to compliance.”
10 expert tips for a successful compliance program
- One size doesn’t fit all. “There’s a tendency for companies that either aren’t publicly traded or aren’t in any particularly sensitive industry to gravitate toward an off-the-shelf compliance infrastructure,” says Jeffrey Lehtman, a partner at Richards Kibbe & Orbe. “While there may be a limited number of circumstances in which that approach is adequate, in most cases companies should strive for their compliance programs to be risk-based and narrowly tailored to fit their profile and its operations.”
- Corporate culture matters and will trickle down. “You hear ‘tone at the top,’ and it really does mean something,” says Jacqueline Wolff, a partner at Manatt, Phelps & Phillips. “If the manager of a company gives lip service to compliance, you’re going to find a company with internal control weaknesses.”
- A successfully customized compliance program complements the existing business operations. “It is kind of a folly for a compliance team to say you must conform and do your business this way, for compliance reasons, without taking into account the structure and operations that are already there in the business,” says Dana Nahlen, director of international compliance at SunGard Data Systems Inc. “If you don’t take into account the systems and processes that are already in place and are supporting the operations of the company, you are at very high risk of not having it a compliance program that will be followed.”
- Audit the compliance program regularly to see if it’s working for the company. “You can have the greatest compliance program in the world in terms of procedures, policies and training, but some procedures may work well in one company and fall short in another company,” Wolff says. “The only way you’re going to find out what doesn’t work is if you’re actually testing it on a regular basis.”
- If the compliance program is not working for your company, change it. “There isn’t any ‘perfect’ compliance program,” Nahlen says. “It can always be improved and changed. It has to live—it’s never going to stay exactly the same, and it can’t be perfect.”
- Employee training is an ongoing process. “Companies should do compliance training at least on an annual basis, if not more often,” says David Perlman, a partner in the energy practice at Bracewell & Giuliani. “The expectation is that the rank and file won’t memorize everything but they’ll get sensitized to it enough so that they understand that if they see something that could be an issue, they’ll stop before they cross the Rubicon and bring the issue up with the right people.”
- Be realistic. “It doesn’t help to have very Draconian procedures that are simply not followed by personnel. You have to have things that work,” Wolff says.
- Work with what your company already has. “You may be able to find things to use that the business is already doing, and your compliance program can repurpose that for what you need,” Nahlen says. “You also will find a much more receptive response from the business team if you’re working with what you already have and tweaking what’s there instead of building from scratch.” (See “Creating a Compliance Program,” on InsideCounsel.com)
- Don’t overpromise. “If you tell the public—not to mention the government—that you are operating at a certain elevated compliance level, but in your day-to-day practices fall short of your ‘paper promises,’ you are unnecessarily putting yourself in serious legal jeopardy,” says Perkins Coie Partner Markus Funk. “Put simply, there is no reason to set your own bar so high that you can't clear it.”
- You don’t have to—and probably cannot—do it all. “Where the rubber meets the road, you have to have a program you can pay for,” Nahlen says. “Budgetary constraints are different [from company to company], but some budget constraint is always there. You can’t implement every good idea, and you don’t need to. You have to look at what your company is doing and what risks are presented by what your company is doing, both in terms of which of the compliance areas are important to your company and where you are likely to run afoul of the law.”