Dealing with organizations like the FTC, SEC, DOJ, HHS and DOL, compliance professionals might sometimes wonder if they’ve been dunked in a bowl of alphabet soup. But in large corporations, like those in the Fortune 500, the legal and compliance departments have to learn to deal with these regulators in order to ensure that everything is in order and day-to-day business can continue on unimpeded.
It's never been enough for companies to sit back and hope that they are in compliance. Instead, they must have a “proactive approach at compliance, and the regulators specifically encourage that,” explains Lisa M. Noller, partner at Foley & Lardner LLP. “Regulators have been endeavoring to hold companies accountable… and using creative means of going after wrongdoers.”
This means that legal and compliance professionals must take note of the major issues that are front and center with the regulatory bodies that oversee them, noting the changes in policy and execution that may have changed over the years, and developing strategies to deal with the regulators in advance of any potential problems.
There are dozens of federal regulatory agencies that interface with large corporations, though many have very narrow and specialized purviews. Still, most companies in the Fortune 500 don't need to deal with the Nuclear Regulatory Commission, for example, there are regulators that are on the radar of most big businesses in the United States.
Any large corporation that is in the business of selling goods to consumers, for example, must endeavor to keep the Federal Trade Commission (FTC) on its good side. The FTC has its fingers in a number of pies, including handling antitrust matters, but Fortune 500 companies must be aware of the commission's regulations regarding deceptive advertising and privacy.
“Privacy is of enormous interest to the FTC,” explains John Feldman, partner at Reed Smith LLP. “Over the last 20 years or so, the FTC has not focused on privacy in and of itself, but as a matter of advertising and substantiation. Privacy is thought of as a representation of business promises, and if you don't live up to those promises, that is deceptive.” Recent data breaches suffered by large companies have demonstrated that businesses are not always able to properly protect customer data, and this is a matter that the FTC takes seriously.
“The FTC is fighting the battle over whether they can be in the business of promoting good safeguarding of sensitive data, saying that consumers should have an expectation that their data is protected at a certain level, regardless of if anyone is hurt,” adds Feldman, citing current FTC cases involving Wyndham Worldwide and LabMD as examples of the commission's seriousness on this matter.
For Fortune 500 companies in the financial services industry, of course the Securities and Exchange Commission (SEC) is the primary regulator of concern. However, increasingly, the SEC works in tandem with the Department of Justice (DOJ) to take a multifaceted approach to investigations, fines and sanctions.
In the six or so years since the financial crisis, the SEC has changed its tack in dealing with financial institutions. “In regards to Dodd-Frank, the amount of focus is intense, and the rulemaking process has gotten people increasingly focused on the regulatory challenges,” says James Odell, partner at Blank Rome LLP and former general counsel of investment banking for Citigroup. “It's been a mixed bag. Some of the overriding principles are beneficial, such as better transparency and disclosure in the marketplace.
Another regulatory change that has taken place in recent years is a growing emphasis on international business. Companies in the Fortune 500 are increasingly involved in overseas transactions, from acquisitions to supply chain agreements. The DOJ, for example, has turned much of its attention to global matters.
“As the economy globalized, the cartel conduct tended to globalize as well,” says Philip Giordano of Kaye Scholer LLP, a former prosecutor in the Antitrust Division of the DOJ. “What the Antitrust Division found was that the cartels affecting the U.S. affected greater and greater amounts of commerce in the U.S., not just by domestic manufacturers but increasingly foreign manufacturers as well.”
“In terms of criminal enforcement, there is a certain amount of alignment with the SEC,” he says. “Banks under investigation for financial crimes are facing the SEC and the Antitrust Division and in some cases state regulators.”
The DOJ is also coordinating with other agencies as well, such as when it works in parallel with the Department of Health and Human Services (HHS) on False Claims Act (FCA) cases. Whenever more than one regulator is involved, though, it is important for companies to realize that the two organizations are not one monolithic entity. “Companies need to appreciate that agency goals overlap but are different,” says Noller. “Companies need to address matters early in an FCA investigation, meeting with HHS lawyers and DOJ lawyers separately.”
At the end of the day, the responsibility for dealing with these regulatory bodies falls to the compliance department. The common message for chief compliance officers is to make sure you have all your ducks in a row.
“The notion is, before the regulator comes knocking, make sure that everything is in order,” says Matthew Boxer, chair of the corporate investigations and integrity practice at Lowenstein Sandler LLP. “The corporate community has adapted to make sure they have procedures in place to help avoid problematic activity by employees—and a visit from law enforcement.”
“A robust compliance program should be proactive about advocating compliance within the organization,” Giordano explains. This includes proper training, but also, “a structure that would allow for employees that become aware of unlawful conduct to report it up to the counsel's office so you have early notice that you need to address potential wrongdoing.”
Communication is key
Though some outsiders might have concerns about compliance professionals forming close relationships with regulators, having familiarity with those on the other side of a potential situation does have its benefits. “If you are a bank, whether dealing with the Fed or the SEC, etc., there are years of relationship history there,” explains Odell. “The sides know each other; there's diplomacy in terms of how interactions work.”
“If that call comes in, it may be from a regulator with whom you have an existing relationship,” Odell says.
Boxer says the duties of a GC go beyond simple communication, however. “Any GC interacting with regulators or who has someone interacting with them on his or her behalf must establish dialogue and communication through which the company can continue to establish credibility,” he points out, noting that it is also essential to be truthful with regulators, keep promises and always be prepared. And he gives perhaps the best piece of advice of all: “Don't to into a communication with a regulator and not know what they’re talking about.”