Are Voluntary Monitors the Key to Mitigating COVID-19-Related Misconduct Risks?

by Jonny Frank and Kaitlyn Cecala

In the wake of serious misconduct, companies self-appoint “Voluntary Monitors” to avoid one imposed and selected by the government, reduce sanctions, escape prosecution, repair brand value and restore trust. In late July, for example, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), noting Whitford Worldwide’s retention of monitors, reduced an initially proposed $20 million penalty to $824,000.[1] And, on August 10th, the CFTC, SEC and FINRA announced settlements with Interactive Brokers, noting the company’s retention of an independent consultant to make recommendations to enhance its compliance program and a separate independent consultant to assess its implementation of an initial consultant’s recommendations.[2]

The COVID-19 era likely will see a rise in “Voluntary Monitors,” “Preemptive Monitors” and “Remediation Consultants” as companies search for new revenue sources, face heightened misconduct risks, and satisfy increased government expectations of remediation and ethics & compliance (E&C) programs.

Self-Selected, Not Government-Appointed

Voluntary and government-appointed monitors serve independently from the company, similar to the audit-client relationship.[3] Other names include “Independent Consultant,” “Independent Compliance Auditor,” “Financial Monitor,” “Integrity Monitor,” “Independent Review Organizations” and, in the U.K., “Pre-Emptive Monitors” and “Skilled Persons” (collectively “Voluntary Monitors”).[4]

The principal distinction between voluntary and government-appointed monitors is that the company, not the government, selects and sets the scope and term of the Voluntary Monitor. Another significant difference in the relationship is that Voluntary Monitors serve only one client (i.e., the company); government-appointed monitors report to both the company and the government. And, although the company foots the bill, some government-appointed monitors and agencies that appoint the monitor regard only the prosecutor or regulator as the client.

Voluntary Monitors, like their government-appointed counterparts, apply a “forensic mindset” and employ cross-disciplinary teams (e.g., compliance, data analytics, forensic audit, investigation, and risks and controls experts). Teams typically include experts in the industries and markets in which the company engages in business. Scenarios in which a company may benefit from enlisting the assistance of a Voluntary Monitor include:

    • Serious Misconduct. Voluntary Monitorships often arise in response to serious corporate misconduct. In July 2020, OFAC and Whitford Worldwide Company entered a settlement that reduced a possible $20 million penalty to $824,000, due, in part, to the company’s appointment of external and internal monitors to audit its compliance with U.S. sanctions controls.

Earlier in 2020, the U.S. Department of Justice (DOJ) entered into a Deferred Prosecution Agreement (DPA) with Airbus SE relating to its use of third-party business partners to pay government officials in the United States, France, and the United Kingdom, and its violation of the Arms Export Control Act and International Traffic in Arms Regulations.[5] Early in the investigation, and three years before its settlement with U.S., French, and British authorities, Airbus voluntarily retained an independent compliance review panel to assess its remediation efforts and recommend improvements to its compliance processes, policies, organization and culture.[6] Acknowledging Airbus’s extensive remediation, the DPA did not impose a monitor.

In its enforcement action against Barclays Capital, the U.S. Securities and Exchange Commission (SEC) noted Barclays’s independent third-party consultant and permitted the company to continue with the consultant in lieu of a government-appointed monitor.[7] The U.K.’s Serious Fraud Office allowed Rolls-Royce to avoid a government-imposed monitor; Rolls-Royce had hired an expert to “conduct an independent review of its ethics and compliance procedures and to act on an ongoing basis as a ‘quasi-monitor’ of its compliance programme.”[8] In Brazil, petroleum industry giant Petrobras appointed a third-party committee to avoid a government-imposed monitor arising from Operation Car Wash.[9]

    • Revenue and Expenditure Leakage. Beyond corporate misconduct, companies retain monitors to stem revenue and expenditure leakage. In New York City, for example, the owners of Madison Square Garden and Yankee Stadium retained monitors to reduce fraud and avoid infiltration of organized crime. Multinational companies hampered by COVID-19 travel restrictions likely will turn to Voluntary Monitors to protect against fraud and corruption in high-risk jurisdictions. 
    • COVID-19 Compliance Assurance. For companies that tout COVID-19 safety as a market differentiator, a Voluntary Monitor can provide independent third-party assurance on the design and operating effectiveness of the company’s COVID-19 safety program. Delta Air Lines, for example, touts its disinfection and cleaning process.[10] A Voluntary Monitor would evaluate the design of the process and test a statistically valid sample to provide assurance to Delta and its customers that the airline follows the procedures.
    • Mergers and Acquisitions. Voluntary Monitors also play a role in mergers and acquisitions. For example, to respond to antitrust concerns, T-Mobile engaged a monitor as part of its acquisition of Sprint.[11] Foreign companies seeking to invest in U.S. firms sometimes retain a monitor to address national security concerns and obtain Committee on Foreign Investment in the United States approval.[12] 
    • Underperforming Business Units. Because COVID-19 travel restrictions make it difficult to be on-site, a local Voluntary Monitor can help the parent company to understand the root causes of the poor performance and assess whether the business unit is complying with company policies, processes and controls.

Mitigate Heightened COVID-19 Misconduct Risk

Law enforcement officials, regulators, industry experts and fraud risks and controls experts agree that COVID-19 heightens misconduct risk.[13] Take, for example, Cressey’s Fraud Triangle, named after the 1950s criminologist Donald Cressey, which teaches that three conditions exist whenever misconduct occurs: (1) pressure or incentive; (2) opportunity; and (3) rationalization. The COVID-19 economy meets all three criteria.

    • Incentives and Pressure. Difficult economic times lead to pressure on companies and individuals to generate revenue and cut costs. During the 2008 financial crisis, employees lied to cover up mistakes, not for personal financial gain, but to avoid being the one chosen for layoff.
    • Opportunity. Working at home and other COVID-19 disruptions to normal business processes heighten the opportunity to engage in misconduct. Controls may no longer mitigate fraud risk or even exist. 
    • Rationalization. The prison system is filled with “good” people who rationalized “bad” conduct. Even famed fraudster Bernie Madoff rationalized his $50+ billion fraud scheme. Avoiding a loss (whether it be a significant pay cut or, worse, getting fired) generates all sorts of rationalization.

If Cressey is correct, companies can avoid misconduct by eliminating any one of “incentive/pressure,” “opportunity,” or “rationalization.” Voluntary Monitors consider all three vertices.

Voluntary Monitors begin by evaluating the control environment, including the incentives, pressures and rationalizations that lead to misconduct. They identify the inherent schemes and scenarios that cause risk in the areas they are monitoring. If there is a controls inventory, the Voluntary Monitor will link the risks to, and evaluate the design and operating effectiveness of, the policies, processes and controls the company relies on to mitigate the risk(s). If there is no inventory, the Voluntary Monitor will work with the company to link risks to the policies, processes and controls the company relies on to mitigate the risk.

Evaluating the design of control activities and testing their operating effectiveness is essential. Defective control activities are as dangerous as no control activities because companies lower their guard and accept risks they would not otherwise accept. Defective conduct-related control activities are akin to buildings with broken smoke detectors or cities with understaffed fire departments and equipment that is not fit for purpose. In the COVID-19 environment, certain controls may no longer mitigate the risk or even exist, given that professionals are no longer in the office.

Voluntary Monitors rely heavily on forensic data analytics built on quantitative and qualitative risk indicators. Advances in forensic data analytics make it practical to analyze an entire data population, not just a sample, more data in less time, and data from multiple sources to identify anomalies.

Satisfy Steep Government Expectations

Along with heightened misconduct risk, companies must grapple with ever-increasing prosecutor and regulator expectations of remediation and compliance programs. For example, the June 2020 update to DOJ’s Evaluation of Compliance Program Guidance now stretches to 20 pages.[14] In July 2020, the SEC embraced these requirements in the Resource Guide to the U.S. Foreign Corrupt Practices Act it co-authored with the DOJ.[15]

Jurisdictions around the world are following suit. Several countries, including Australia, Canada, Finland, Denmark, France and Germany, have adopted or plan to adopt corporate criminal liability. And the U.K. and Italy even impose criminal liability on companies for failure to prevent corruption and tax evasion.

When resolving an investigation, prosecutors and regulators consider the quality of (1) the E&C program when the misconduct occurred; (2) the remediation; and (3) the E&C program during the charging decision.[16]

    • E&C Program When Misconduct Occurred. Commission of misconduct does not necessarily equate to an ineffective E&C program, particularly if the company identifies and self-reports the misconduct.[17] Like the government, Voluntary Monitors evaluate whether the E&C program stands up to the scrutiny of 20-20 hindsight. 
    • Remediation. Voluntary Monitors assess the company’s remediation against criteria of an effective remediation program, including whether the company conducted a proper root cause analysis, considered other misconduct by the perpetrators, audited for similar misconduct, disciplined primary and secondary wrongdoers, implemented corrective measures, and evaluated the remediation process.[18]  
    • Current E&C Program. Most importantly, a Voluntary Monitor evaluates the effectiveness of the E&C program against criteria agreed to up front with the company. If the company meets the criteria, the Voluntary Monitor certifies to the effectiveness of the program, just as auditors certify internal controls over financial reporting.[19]

Conclusion

When faced with misconduct, revenue and expenditure leakage, mergers and acquisitions, and underperforming business units―particularly in an era ripe for wrongdoing―companies look to practical approaches to mitigate risks and meet government expectations. Voluntary Monitors help identify areas needing tighter controls and help strengthen the effectiveness of compliance programs. Certification to the effectiveness or remediation of E&C programs leads to significantly reduced enforcement penalties―and, sometimes, the avoidance of any enforcement action. With ever-increasing regulatory scrutiny already here, companies must manage COVID-19-related risks in the coming days, weeks and months. While much of the current environment is unpredictable, companies can prepare now for the near-certain enforcement actions to follow.

Footnotes

[1] See U.S. Dep’t of Treasury, OFAC Settles with Whitford Worldwide Company, LLC for Its Potential Civil Liability for Apparent Violations of the Iranian Transactions and Sanctions Regulations (July 28, 2020), https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20200728_whitford.pdf (PDF: 60.4 KB).

[2] See, e.g., In the Matter of Interactive Brokers LLC, CFTC Docket No. 20-25 (Aug. 10, 2020), available at https://www.cftc.gov/PressRoom/PressReleases/8218-20.

[3] The DOJ and SEC define a monitor as “an independent third party who assesses and monitors a company’s adherence to the compliance requirements of an agreement that was designed to reduce the risk of recurrence of the company’s misconduct.” DOJ CRIMINAL DIV. AND SEC DIV. OF ENF’T, A RESOURCE GUIDE TO THE U.S. FOREIGN CORRUPT PRACTICES ACT 2nd ED. (2020) at 74, [hereinafter Resource Guide], https://www.justice.gov/criminal-fraud/file/1292051/download (PDF: 4.18 MB); see Global Investigations Review, The Guide to Monitorships (2020), https://globalinvestigationsreview.com/edition/1001493/the-guide-to-monitorships-second-edition; Ethics Compliance Initiative, Benchmarking Group On Monitors Best Practices Paper (2017), https://www.ethics.org/eci-benchmarking-group-monitors-best-practices/.

[4] See Jonny Frank, SEC-Imposed Monitors, PLI SEC Compliance and Enforcement Answer Book (2020 Edition) [hereinafter SEC-Imposed Monitors], https://stoneturn.com/insight/sec-imposed-monitors-3/.

[5] United States v. Airbus SE, Deferred Prosecution Agreement, 20-CR-00021 (Jan. 31, 2020) [hereinafter Airbus], https://www.justice.gov/opa/press-release/file/1241466/download (PDF: 4.66 MB).

[6] Compliance at Airbus, https://www.airbus.com/company/ethics-compliance/compliance-at-airbus.html; see also Airbus, Form 20-F at (2019), https://www.sec.gov/Archives/edgar/data/0001119639/000119312519093231/d692671d20f.htm

[7] SEC-Imposed Monitors at 9-6.

[8] SEC-Imposed Monitors at 9-6.

[9] SEC Order, United States v. Petróleo Brasileiro S.A., available at https://www.sec.gov/litigation/admin/2018/33-10561.pdf (PDF: 205 KB).

[10] See, e.g., Mike Arnot, See for Yourself: How Airplanes Are Cleaned Today, N.Y. Times (Aug. 5, 2020) https://www.nytimes.com/2020/08/05/travel/coronavirus-airplane-cleaning.html

[11] Proposed Final Judgment, United States v. Deutsche Telekom AG et al., No. 19-cv-02232 (D.D.C. Jul. 26, 2019), available at https://www.justice.gov/opa/press-release/file/1187706/download (PDF: 2.08 MB).

[12] Harvard Law School Forum on Corporate Governance, Successful CFIUS Monitorships (https://corpgov.law.harvard.edu/2018/07/23/successful-cfius-monitorships/).

[13] Jonny Frank, Revisiting Conduct Risk Management in the COVID-19 Era with Updated DOJ Criteria, Journal of Risk Management in Financial Institutions (publication expected October 2020).

[14] DOJ, Criminal Division, Evaluation of Corporate Compliance Programs (June 2020) [hereinafter DOJ Guidance], https://www.justice.gov/criminal-fraud/page/file/937501/download (PDF: 209 KB).

[15] Resource Guide at 56-68.

[16] See, e.g., DOJ Guidance at 1.

[17] DOJ, Criminal Division, Evaluation of Corporate Compliance Programs (June 2020) [hereinafter DOJ Guidance], https://www.justice.gov/criminal-fraud/page/file/937501/download (PDF: 209 KB).

[18] See Jonny Frank, Chapter 13A—Remediation, Litigation Services Handbook: The Role of the Financial Expert (Wiley 5th ed. 2015), [hereinafter Remediation], http://stoneturn.com/wp-content/uploads/2016/08/Remediation_Litigation-Services-Handbook_2015.pdf (PDF: 134 KB); see also Jonny Frank, 10 Tips to Meet Government Expectations of Remediation Programs, Compliance Week (March 2020), https://www.complianceweek.com/opinion/10-tips-to-meet-government-expectations-of-remediation-programs/28584.article.

[19] See Public Company Accounting Oversight Board (“PCAOB”), Consideration of Fraud in a Financial Statement Audit, AS 2401 (effective 2020) (available at https://pcaobus.org/Standards/Auditing/Pages/AS2401.aspx).

Jonny Frank and Kaitlyn Cecala specialize in remediation and monitoring at StoneTurn, and serve as Voluntary Monitor and Outside Remediation Consultant to a large Northern European bank. Mr. Frank also serves as the DOJ Criminal Division-appointed Business Ethics and Compliance Monitor to Deutsche Bank, DOJ Civil Division-appointed Independent Auditor to a Big Three U.S. automotive manufacturer, forensic audit adviser to the SEC-appointed Independent Consultant of a Big Four public accounting firm, and DOJ-appointed Independent Auditor to a top five automotive manufacturer. 

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.