Good morning. It’s an honor to join you at the 1LoD Summit. The views I express today are my own, not necessarily those of the Federal Reserve Bank of New York or the Federal Reserve System.
I’ve heard it said that being in the risk control business can be, and often is, a thankless task. We get all the blame when something goes wrong, and none of the glory when things go right. So, I want to start my remarks with a word of gratitude to you, my fellow travelers in the world of risk controls. Thank you—not just for the invitation to speak today, but also for the work you perform each day at your firms.
The growing sophistication and stature of the first line of defense is, in my view, an unqualified improvement in corporate governance—especially at financial firms. Let’s begin with what you are defending. Continue reading →
by Jason Driscoll This post is the second part of a two-part post by the author.
In my previous post (DeCoster v. United States: Testing the Limits of the Responsible Corporate Officer Doctrine), I discussed how the Food and Drug Administration (“FDA”) and the Department of Justice (“DOJ”) have revived the Responsible Corporate Officer (“RCO”) doctrine in an attempt to increase compliance with the Federal Food, Drug, and Cosmetic Act (“FDCA”). In light of the incarcerative sentences in the Quality Egg case, I addressed the DOJ’s new strategy of seeking enhanced sanctions in RCO cases. In United States v.Quality Egg, LLC, the government brought FDCA Section 333(a)(1) misdemeanor food adulteration cases against two corporate officers—Jack and Peter DeCoster—ultimately securing three-month prison sentences premised largely on the RCO doctrine. On appeal, the DeCosters argued that the incarcerative sentences violated due process absent evidence of mens rea or actus reus. The Eighth Circuit affirmed the sentences, however, holding that a three-month strict liability prison sentence was “relatively light” doing “no grave damage” to an offender’s reputation. A petition for a writ of certiorari followed, inviting the Supreme Court to review the doctrine for the first time since 1975, but was denied. Continue reading →
Last week the Financial Crimes Enforcement Network (FinCEN) issued much-anticipated Frequently Asked Questions (FAQs) that provide additional guidance to financial institutions relating to the implementation of the new Customer Due Diligence Rule (CDD Rule), set to go into effect on May 11, 2018. In general, the FAQs clarify certain issues that have caused implementation challenges for financial institutions. While FinCEN’s earlier guidance provided a general overview of the CDD Rule—including the purpose of the rule, the institutions to which it is applicable, and some relevant definitions—the new FAQs provide greater detail for financial institutions seeking to comply with the CDD Rule. The FAQs are meant to assist covered financial institutions in understanding the scope of their customer due diligence (CDD) obligations, as well as the rule’s impact on their broader anti-money laundering (AML) compliance. While the guidance is helpful in clarifying some of FinCEN’s expectations, the implementation challenge lies in applying the CDD Rule to a financial institution’s specific products and services.
As financial institutions work to meet the CDD Rule’s fast-approaching May 11 compliance deadline, they should pay special attention to the following key areas summarized below. Continue reading →
Corporations have reputations, just like individuals. However, the costs of protecting a corporate reputation, or the costs of losing one, are not well understood. Negative reputation shocks can be costly, and recent scandals at well-known firms such as News Corp. and Volkswagen have reaffirmed the fragility of corporate reputations. However, corporations can also invest in technologies such as corporate social responsibility (CSR) to build their reputations or to provide insurance against a future reputation shock. In a recent paper, we find that negative reputation shocks are at least partially insurable through CSR and that firms actively invest in CSR as the result of a negative reputation shock. Continue reading →
Avoiding retaliation for reported workplace misconduct is essential for companies and enforcement officials. Companies are accountable not just for their bad acts, but also for the cover up, including how they respond to allegations. A new survey of conduct in the US workplace by the Ethics and Compliance Initiative (ECI) has some bad news. Employees say that retaliation against whistleblowers is on the rise, doubling in the past four years. These disturbing results should motivate companies to (1) encourage candid internal discussions of what exactly constitutes retaliation (and what does not); (2) train managers to handle retaliation concerns and to avoid unintended acts of retaliation; and (3) ensure anti-retaliation programs are supported by a strong ethical culture.
The ECI Survey
Since 2000, ECI, a leading ethics and research organization for compliance professionals, has surveyed workplace conduct from the employees’ perspective. Their 2017 survey of more than 5,000 employees across the US has good and bad news. Continue reading →
In recent years, companies have heightened their focus on cybersecurity issues, dedicating substantially more resources to mitigating escalating cyber risks. Increasingly, these efforts include purchasing some form of cyber insurance.
Any cyber insurance policy should supplement, rather than replace, a cybersecurity risk mitigation program. While such a policy may be a useful element of a multifaceted strategy, cyber insurance is far from a panacea. First, the size and types of damages resulting from a catastrophic cyber incursion can exceed even significant policy limits. Additionally, cyber insurance coverage is unlikely to extend to reputational losses or intellectual property theft. Moreover, the cyber insurance market is relatively young and policy forms are still evolving. Thus, cyber insurance does not have the same claims history or established understanding of policy terms that can be found in more mature insurance markets. Continue reading →
[Following personal reflections on his return to private life from public service, former U.S. Secretary of Homeland Security Jeh Charles Johnson delivered the following keynote address at the Global Cyber Threats: Corporate and Governmental Challenges to Protecting Private Data cybersecurity conference held by the Program on Corporate Compliance and Enforcement at New York University School of Law on April 6, 2018.]
Like millions of other Americans, my world was rocked by the terrorist attack that occurred a few blocks from here on September 11, 2001. Like many of you, I am a New Yorker, and was in Manhattan that day. September 11 also happens to be my birthday. I have a vivid recollection of the day, both before and after 8:46 a.m., when the first plane hit the World Trade Center. At 9:59 a.m., when the first tower collapsed, it was perhaps the only time in my life when my mind could not believe what my eyes were seeing. Neither would I have been able to comprehend then that 15 years later, there would be something called the Department of Homeland Security, that I would lead it, and that the Secretary’s New York office would occupy the 50th floor of a taller, stronger World Trade Center tower standing in the same place. Continue reading →
On 19 March 2018, Singapore passed legislation introducing the concept of the deferred prosecution agreement (“DPA”) to the jurisdiction for the first time. Under the new laws, corporations (but not individuals) facing prosecution for offences of corruption, money laundering or receipt of stolen property may attempt to negotiate the terms of a DPA with prosecuting authorities, under which they would avoid prosecution, in return for adherence to various conditions imposed upon them, for a set period of time.
By introducing the DPA as an enforcement tool, Singapore joins the ranks of the United States, Brazil, the United Kingdom and France, which form the vanguard of an increasingly consistent global approach to corporate criminal resolutions. Australia and Canada are also both currently evaluating whether to introduce similar legislation. Continue reading →
The importance of establishing a robust “culture of compliance” within corporations is a common refrain among government regulators. But developing a structured process, much less a firm definition, around such a squishy concept can be a daunting task for compliance officers. At its core, an effective culture of compliance should shape employees’ gut instincts by reinforcing values that weigh against breaking the law. To accomplish this, companies should supplement their traditional ethics trainings and “tone at the top” by integrating compliance factors into their incentives programs and forestalling ethical fading. As an additional line of defense, companies should actively encourage employees to slow down and think methodically about their decisions before they take final action. Continue reading →
Defense lawyers all around the world have heard loud and clear that prosecutors and police agencies have announced a new age of international cooperation. Prosecutors from one country have been posted to the offices of another. Agents from nations around the world now sit at desks next to each other in central locations like London. Global resolutions of big cases are being announced by enforcers in multiple jurisdictions. One of the main subject-matter focuses of these joint cases has been anti-corruption – namely the Foreign Corrupt Practices Act in the United States and the Bribery Act in the United Kingdom. Continue reading →