In 2014, the United States Securities and Exchange Commission (SEC) and the Justice Department (DOJ) reported collections of record fines and penalties to settle regulatory violations. These included settlements from banks that helped criminal gangs launder money, construction companies that paid bribes to secure contracts around the globe, and pharmaceutical companies that misreported the effectiveness of certain drugs. With increased data analytics and monitoring capabilities, the set of tools available to regulators to identify and monitor companies for compliance breaches has expanded to unprecedented levels. As compliance breaches are identified, increasingly regulators are asking: Where was the board? Where was the oversight?
Top Compliance Issues
Though not an exhaustive list of regulatory compliance issues, it is helpful to divide current trends into four broad categories: fraud, corruption, cybercrime and social issues.
Fraud: While fraud is frequently understood to mean theft of company assets, it is the misreporting of a company’s financial statements that is the focus of most fraud-related regulatory actions. But other kinds of fraud may also trigger regulatory investigations, including allegations of insider trading, false representations of product performance, and breaches of fiduciary duty.
Corruption: In the U.S., the Foreign Corrupt Practices Act (FCPA) is the statute governing bribery of foreign officials. Since the mid-2000s, the Justice Department and the SEC have been aggressively enforcing this law and obtaining significant fines and penalties from companies found to have engaged in bribery. The definition of “foreign public officials” is frequently expansive, and complex investigations of one company often yield information that implicates competitors. And it’s not just the FCPA with which companies have to comply. Recent laws passed in Britain and Canada contain even broader anti-bribery provisions and, while bribery is illegal in most countries, rates of enforcement are increasing in most jurisdictions.
Cybercrime: As the world has become more interconnected electronically, cybercrime has skyrocketed, and along with it the attention from regulators. There is an increased expectation that companies must maintain robust systems to protect customers’ private data from theft. Because this is a relatively new arena for regulatory enforcement, there are not many precedents to follow, and the scrutiny is likely to come from multiple regulatory bodies, including the DOJ, the SEC, Health and Human Services, Homeland Security, and the FTC (Federal Trade Commission). All eyes are currently on a case involving an FTC action against a large hotel chain for unfair business practices stemming from data security failures that allegedly allowed hackers access to customer data. And, as the scope and magnitude of breaches increases, it is likely that companies will soon be required to report data breaches to help law enforcement officials build a record of criminal activity.
Social Issues: With the increased globalization of supply chains, attention has grown to unsavory business practices, particularly in locations lacking a strong tradition of civil society. The Dodd Frank Act included a provision requiring companies to notify investors, through regular SEC reporting, whether certain minerals used in production originate from the Democratic Republic of the Congo. Similarly, the federal government has recently enacted rules to prohibit government contractors and subcontractors from engaging in a wide variety of human trafficking-related activities and requiring them to develop and maintain anti-trafficking compliance programs. And, with heightened scrutiny of poor manufacturing conditions in factories located across the globe, look for expanded disclosure requirements, and ultimately enforcement, from regulators.
Risk of Non-Compliance
While building a robust compliance structure may seem to be cost-prohibitive, the costs of non-compliance may be staggering. These can include fines and penalties associated with an enforcement action, as well as the legal and forensic accounting costs that will be incurred during an investigation. More difficult to quantify are the costs associated with the bad publicity and loss of reputation that may come from a well-publicized investigation. And, once a company has been found to have violated the law and a penalty has been assessed, there is the risk that shareholders and other stakeholders may sue management and the board of directors for failing in their fiduciary duties as organizational caretakers.
Because every company’s regulatory environment is different, there is no single path to achieving an optimal compliance environment. Guidance from regulators suggests that the most effective compliance programs are risk-based and should be approached holistically rather than piecemeal.
The Role of the Board of Directors
It is difficult to overstate the importance of the tone at the top of an organization, and this is where the role of the board of directors begins. Regulators have repeatedly sent the message to companies that when a compliance issue occurs, it is the culture of the organization that is the most basic factor taken into account when determining fines and penalties. Those companies with a strong tone at the top are almost always given less harsh treatment, and in several notable cases, regulators have declined to prosecute companies that have demonstrated both cooperation with the investigators and a robust culture of compliance.
The board is the body that holds the key to establishing the appropriate tone within the company and should be actively involved in asking the right questions of management and monitoring the overall effectiveness of compliance programs. What systems are in place to address the company’s specific compliance issues? Do the organization’s activities reflect the procedures contained in the compliance manual? What is the company’s response to compliance incidents? What incentive structures exist that may contribute to non-compliance? Is the compliance function given adequate resources?
When problems occur, regulators want to know how much oversight and attention were paid to the areas of highest risk. If the board can demonstrate a commitment to compliance and cooperation from the moment an issue is identified, the matter is much more likely to conclude with a favorable result for the company.