Category Archives: Compliance

Is a European Anti-Corruption Prosecutor Needed?

by Jonathan J. Rusch

In a January 17 interview with the French news-magazine L’Obs, former French Prime Minister Bernard Cazeneuve argued that a European anti-corruption prosecutor is needed “to restore a balance, to correct the asymmetry of the Euro-Atlantic relationship in the fight against corruption from which European companies are currently suffering.”

In the interview, Cazeneuve — now a partner with the August Debouzy law firm specializing in compliance issues — stated that “it cannot be ruled out that in a context of rising protectionism under the Trump Administration, ‘compliance’ rules are also used to protect the economic and industrial interests of certain powers. Faced with such a reality, it would be very naive not to seek to protect our own interests!” At the same time, Cazeneuve said that “in a global economy, corruption is a long-term factor that impoverishes companies and distorts competition. Only the law can regulate what needs to be and create the conditions for a global level playing field. Preventing corruption in French companies is still the best way to protect them from the often intrusive procedures of U.S. prosecuting authorities.”

Microchipping Employees and Biometric Privacy Laws – It’s Time To Start Paying Attention

By Avi Gesser, David Popkin, and Michael Washington

Until recently, biometric privacy was a niche area of the law that had little application to most companies.  But with the rapid growth in commercial biometric data collection, including voice samples, fingerprints, retina scans, and facial geometry, as well as some recent developments in the applicable case law, it’s probably time for companies to start paying attention.  Indeed, one of our top privacy law predictions for 2019 was a judicial expansion of the notion of harm, which happened quicker than we anticipated in the context of gathering biometric data.

On January 25, 2019, the Illinois Supreme Court decided Rosenbach v. Six Flags Entertainment Corporation, 2019 IL 123186 (PDF: 61.7 KB), unanimously finding that plaintiffs could bring a private cause of action for violations of the notice and consent requirements of the state’s biometric privacy law without any showing of harm. In Six Flags, a mother sued the owner of a theme park on behalf of her teenaged son after he was fingerprinted in connection with the purchase of a season pass to the park. Neither the son nor the mother consented in writing to the taking of the fingerprint or signed any written release. Further, the park did not provide any documentation about its retention schedule or guidelines for retaining and then destroying the data. The court found that individuals possess a right to privacy in and control over their biometric identifiers.

How Understanding Organizational Culture Can Help Us Assess Compliance Programs

by Alison Taylor

In 2015, I undertook an extensive literature review and interviewed 23 anticorruption experts and practitioners to explore a simple question: What does organizational culture look like in a corrupt company? My work was a direct challenge to the long-dominant “bad apple” or “rogue employee” explanation of corporate wrongdoing, focusing instead on the organizational and team conditions that undermine integrity. Subsequent corporate scandals—for example, regarding fake accounts at Wells Fargo or car emissions at Volkswagen—have illustrated the importance of overall culture, rather than individual traits, in driving or undermining integrity. Regulatory interest in the importance of organizational culture has increased. This post will explore the implications of my research study for regulators who seek to evaluate compliance programs.

State-Level Actors on the Frontlines of U.S. Cybersecurity and Data Privacy Regulation and Enforcement

by John F. Savarese, Marshall L. Miller, and Jeohn Salone Favors

While the General Data Protection Regulation (GDPR) significantly expanded the powers of European national data protection authorities in 2018, legislative and enforcement developments in the United States over the last year showcased the growing role and importance of state attorneys general and other state regulators in the realm of cybersecurity and data privacy.

In 2018, California passed a data privacy law akin to the GDPR and enacted legislation addressing internet-based bot activity and security of devices connected to the Internet of Things. With passage of legislation in Alabama in March 2018, all 50 states now have data breach notification laws, with requirements as to notification content, timing, and recipients varying across jurisdictions. And prescriptive cybersecurity regulations promulgated by New York State’s Department of Financial Services continued to take effect in rolling fashion. Absent preemptive legislation at the federal level, where proposals are stalled in Congress, we can expect data protection and privacy laws and regulations to proliferate at the state level, as state legislatures and regulators vie for the mantle of lead cybersecurity enforcer.

UK Financial Conduct Authority Puts Heads of Legal Outside the Senior Managers Regime

by Karolos Seeger and Andrew H.W. Lee

In a long-awaited but widely-expected development, the UK Financial Conduct Authority (“FCA”) has issued a new consultation paper[1] proposing that Heads of Legal do not need to be designated as Senior Managers under the Senior Managers Regime (“SMR”). Ever since the introduction of SMR in 2016, the FCA has delayed formally confirming whether heads of legal should be allocated the SMF18 role (Other Overall Responsibility Function).

The FCA came to its position in light of the potential difficulties created by legal professional privilege. A fundamental principle of the SMR is that if a firm breaches an FCA requirement, the Senior Manager responsible for that area can be held accountable if they did not take reasonable steps to prevent the breach from occurring (the so-called ‘Duty of Responsibility’). This could lead to a conflict of interest in which a Head of Legal wishes the firm to waive privilege to help him or her avoid personal liability, while being professionally obliged to advise the firm not to waive privilege where this is not otherwise beneficial for the firm. The FCA also explained that privilege would often restrict it from exercising its usual supervisory processes regarding Senior Managers to obtain documents and information from Heads of Legal, leaving little benefit in requiring them to be Senior Managers.

AML Information Sharing in a Technology-Enabled and Privacy-Conscious World

by Kevin Petrasic, Paul Saltzman, Jonah Anderson, Jeremy Kuester, John Wagner, Rebecca Copcutt, and John Timmons

Financial firms play an integral role in preventing, identifying, investigating and reporting criminal activity, including terrorist financing, money laundering, and many other finance-related crimes. It is a critical role that depends on financial firms having the information they need to identify and report potentially suspicious activity and provide other relevant information to law enforcement. However, there are significant barriers to information sharing throughout the US anti-money laundering (“AML”) regime. These barriers limit the effectiveness of AML information sharing within a financial institution, among financial institutions, and between financial institutions and law enforcement.

Much has changed in the 17 years following the passage of the USA PATRIOT Act (“Patriot Act”), which, among other things, sought to enable greater information sharing among law enforcement, regulators and financial institutions regarding AML risks. Of note, Section 314(a) of the Patriot Act and its implementing regulations (“Section 314(a)”) enables federal, state, local and European Union law enforcement agencies to reach out to US financial institutions through the US Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) to locate accounts and transactions of persons that may be involved in terrorism or money laundering. Section 314(b) of the Patriot Act and its implementing regulations (“Section 314(b)”) provides a limited safe harbor for financial institutions to share information with one another in order to better identify and report potential money laundering or terrorist activities.

Detoxing Corporate Culture: How To Assess Toxic Cultural Elements

by Benjamin van Rooij, Adam Fine, and Judy van der Graaf

All views here represent the authors’ own views and not those of their organizations.

There is a cultural moment in the world of corporate compliance. Following recent major corporate scandals, there is now growing recognition among corporate boards and beyond that truly changing corporate misconduct means addressing the toxic elements within cultures.

The central question for companies and regulators is how to assess toxic cultural elements.

Toxic corporate culture exists when organizations, whose chief business and business means are legal, develop structural violations of rules over a period of time.

Our recent paper (PDF: 1.06 MB), published in Administrative Science, offers an in-depth analysis of what toxic cultural elements played a role in three major corporate scandals: BP’s polluting and unsafe oil exploration practices, VW’s diesel emission cheating practices, and Wells Fargo’s fake and unauthorized accounts schemes. In all three cases, the illegal behavior spanned over a decade and investigators concluded that corporate culture was to blame. Yet in all three cases, no one had yet systematically sought to understand what toxic cultural elements sustained the illegal conduct. We developed an analytical framework to examine toxicity in organizational cultures on three levels: structures, values, and practices (see Table 1 below[1]).

Firm Reputation Following Accounting Frauds: Evidence from Employee Ratings

by Christos A. Makridis and Yuqing Zhou

Intangible capital is becoming an increasingly important determinant of firm value. For example, according to McGrattan and Prescott (2010), the ratio of intangible capital to the United States’ GNP totals 1.7.[1] Companies are further prioritizing their brand and perception among consumers and the media, which can affect the way they do business by influencing corporate strategy and investment. In this sense, how employees and/or the general public think about a company can ultimately influence the company’s ability to retain and attract talented employees, which is an integral determinant of firm value.[2]

While there are many different circumstances that firms find themselves in, some can be particularly damaging. For example, the public revelation of a cyber security breach can have lasting reputational effects when a company prides itself on privacy and security, as was the case with Equifax and their 2017 breach.[3] Much like data breaches, the public revelation of an accounting fraud can have a lasting effect on a company’s reputational capital. If employees and/or the public do not trust senior leadership, then employee engagement and retention will quickly dwindle. No one wants to work for an infamous company, especially skilled workers, given their ability to find alternative options in the labor market.

Why It Is Hard For Managers To Convey That They Are Open To Information About Misconduct, And What They Can Do About This

by Elizabeth Wolfe Morrison, PhD

Most managers will say that they want to receive information about issues and problems in their organization, including information about misconduct.  They wish to see themselves as the type of manager who is open to input from employees, and they know that it is important to receive information about problems in a timely manner.  They claim to have “an open door policy.”  Nonetheless, when it comes to actual behavior, far too many managers are not nearly as open as they aim or profess to be.  Rather than responding in a receptive manner when employees raise concerns, they respond with annoyance, hostility or defensiveness.  They deny or dismiss the information.  They pretend to listen, but then fail to act. 

A consistent and disturbing theme from people who have internally reported misconduct is that the information “fell on deaf ears,” or worse, that they suffered negative career consequences for speaking up.  Studies have also shown that it is common, across many different types of workplaces, for employees to feel that speaking up is futile, or that they cannot speak up about a suspected violation without fear of reprisal.[1]  As a result, regardless of how open managers think that they are, employees often choose to keep mum when they have concerns.

What accounts for these beliefs and behaviors related to raising issues? In some cases, they may stem from poor management or lack of ethical leadership. There are managers who truly do not want to know what is going on in their organizations. Yet even managers with good intentions, who care about ethics and open communication, may find it hard to be receptive and responsive to information about misconduct. What they do when confronted with such information diverges from what they believe or say that they would do.

Court Upholds SEC Authority and Finds Broker-Dealer Liable for Thousands of Suspicious Activity Reporting Violations

by H. Christopher Boehning, Jessica S. Carey, Michael E. Gertzman, Roberto J. Gonzalez, David S. Huntington, Brad S. Karp, Raphael M. Russo, Richard S. Elliott, Rachel M. Fiorill, Karen R. King, Anand Sithian, and Katherine S. Stewart

Decision Provides Rare Judicial Guidance on SAR Filing Requirements

On December 11, 2018, the Securities and Exchange Commission (SEC) obtained a victory in its enforcement action against Alpine Securities Corporation, a broker that cleared transactions for microcap securities that were allegedly used in manipulative schemes to harm investors.[1] Judge Cote of the U.S. District Court for the Southern District of New York issued a 100-page opinion partially granting the SEC’s motion for summary judgment and finding Alpine liable for thousands of violations of its obligation to file Suspicious Activity Reports (SARs).[2]

Because most SAR-related enforcement actions are resolved without litigation, this decision is a rare instance of a court’s detailed examination of SAR filing requirements.  The decision began by rejecting—for a second time[3]—Alpine’s argument that the SEC lacks authority to pursue SAR violations.  The court then engaged in a number of line-drawing exercises, finding that various pieces of information, as a matter of law, triggered Alpine’s SAR filing obligations and should have been included in the SAR narratives.  This mode of analysis, which applies the SAR rules under the traditional summary judgment standard, may appear to contrast with regulatory guidance recognizing that SARs involve subjective, discretionary judgments.[4]

Although the decision has particular relevance in the microcap context, all broker-dealers—and potentially other entities subject to SAR filing requirements—may wish to review the court’s reasoning for insight on a number of SAR issues, including the adequacy of SAR narratives and the inclusion of “red flag” information. Among other cautions, the decision illustrates the dangers of relying on SAR “template narratives”[5] that lack adequate detail.

More broadly, the SEC’s action against Alpine is another indicator of heightened federal interest in ensuring broker-dealer compliance with Bank Secrecy Act (BSA) requirements. For example, last month the U.S. Attorney for the Southern District of New York brought the first-ever criminal BSA charge against a broker-dealer, noting that this charge “makes clear that all actors governed by the Bank Secrecy Act—not only banks—must uphold their obligations.”[6]