The General Data Protection Regulation (GDPR), a new European Union data privacy and protection regime, has already entered into force and is slated to become effective on May 25, 2018. Designed to provide greater protections to the personal data of individuals located in the EU, the GDPR imposes a host of new obligations on both “controllers” and “processors” of such data. Additionally, the GDPR calls for large penalties when companies fail to comply with these new obligations. While many U.S. companies have already begun the process of bringing themselves into compliance, the GDPR has such a long reach that it may encompass a large subset of U.S. organizations that would not ordinarily expect to be subject to European data privacy laws. Smaller organizations or those that deal with a relatively small amount of data originating in the EU may be especially likely to be caught off-guard. Such organizations must take immediate steps to assess whether they are subject to the new GDPR and to bring themselves into compliance.
In this article, we begin by laying out the global scope of the GDPR and describing which organizations may be required to comply. Next, we explain the obligations that the GDPR imposes on controllers and processors, as well as the stringent restrictions placed on cross-border data transfers to countries outside of the EU. We then provide an overview of the various compliance mechanisms and penalties the GDPR includes, and potential deviations in the implementation of the GDPR that might be seen in particular EU member states. Finally, we conclude with practical advice for organizations transitioning to the new regime.
As the year ends, SEC registered investment advisers to private funds start considering how to assess their firm’s compliance culture. The Advisers Act of 1940 requires a formal annual review of the adequacy of “written policies and procedures reasonably designed to prevent violation of securities laws.” In other words, every year Chief Compliance Officers ask themselves how they can actually demonstrate their effectiveness.
Rather than viewing this process as a comprehensive narrative report identifying all deficiencies, perhaps a more useful construct is to think of the annual review as a way of collating and assessing activity throughout the year. Paradoxically, assembling information used throughout the year makes the process easier than attempting a comprehensive one-shot evaluation. Effective annual reviews are more like a movie than a photograph.
On November 29, 2017, Deputy Attorney General Rod J. Rosenstein announced that the US Department of Justice (DOJ) has implemented a permanent, revised version of the Foreign Corrupt Practices Act (FCPA) Pilot Program. The Pilot Program — which was launched as a one-year trial in April 2016 by then-Assistant Attorney General for the Criminal Division (and now Latham partner) Leslie Caldwell — was extended indefinitely in April 2017 to allow DOJ to evaluate the program’s efficacy. Rosenstein announced that the enhanced policy — now called the FCPA Corporate Enforcement Policy (FCPA Policy) — will be incorporated into the United States Attorneys’ Manual (USAM). Like its predecessor, the FCPA Policy aims to encourage companies to make timely and voluntary disclosures of wrongdoing under the FCPA, while providing additional concrete incentives rewarding corporations for cooperation.
This policy announcement is likely the first of several DOJ policy changes and/or enhancements under the new administration. As detailed in Latham’s October 2017 Client Alert, Rosenstein recently announced that DOJ was reviewing a wide range of existing corporate enforcement policies, including the Pilot Program, DOJ’s policy on “Individual Accountability for Corporate Wrongdoing” (the Yates Memo), and other DOJ policies and memoranda — with the intention of ultimately incorporating the revised policies into the USAM.
Effective anti-corruption compliance programs include protections for whistleblowers that raise corruption concerns. Article 13.3 of Russia’s 2008 Federal Law No. 273-FZ on Counteracting Corruption (the “Anti-Corruption Law”) addressed Russian lawmakers’ expectations regarding effective compliance programs. But the law was silent on whistleblower protections. Recently proposed legislation in Russia may help address this gap.
Even before the Anti-Corruption Law came into effect, Russian law included several provisions that could be interpreted to provide some protection for whistleblowers. For example, Russian employment law prohibits discrimination and sets out an exhaustive list of permissible grounds for dismissing an employee for cause; firing an employee for blowing the whistle on potential corruption is not among them. As a result, firing an employee for whistleblowing could run afoul of Russian employment law. In addition, the Russian government can protect individuals whose security might be threatened as a result of their participation in criminal proceedings that involve alleged corruption. The state might, for example, provide such witnesses with physical protection, relocate them, or even give them new identities.
In late June, FIFA, the world’s governing soccer organization, released the “Garcia Report,” chronicling the extensive corruption and conflicts of interest that occurred in FIFA’s awarding of the men’s 2018 and 2022 World Cup venues. Part 1 summarized the report’s findings. Part 2 discusses how specific steps and safeguards can mitigate the risks of misconduct and ensure cooperation among FIFA officials – and at any organization.
FIFA’s problems started at the top. FIFA’s investigators found an astounding number of executive committee members committed misconduct and showed disdain for the investigation. FIFA’s failures were systemic and reflected a culture of corruption. An organization’s culture cannot be fixed simply by strengthening rules or creating a targeted compliance program. Indeed, these are meaningless if the leaders themselves are corrupt. Executives must have integrity and show a commitment to everyone’s compliance with the law. FIFA needs to identify candidates for its executive committee that have shown integrity and a dedication to complying with rules and laws.
The first installment of this two-part series summarizes the Garcia Report’s findings of misconduct. Author Brandon Fox also focuses on the difficulties investigators faced as a result of leaders failing to cooperate and contrasts the misconduct and lack of cooperation to the U.S. Soccer Federation’s behavior.
In late June, FIFA, the world’s governing soccer organization, released the Garcia Report chronicling the extensive corruption and conflicts of interest that occurred in FIFA’s awarding of the men’s 2018 and 2022 World Cup venues. This article summarizes the Garcia Report’s findings of misconduct, focusing on the difficulties investigators faced as a result of leaders failing to cooperate, and discusses how specific steps and safeguards can mitigate the risks of misconduct and ensure cooperation among FIFA officials – and at any organization.
Have you noticed the number of articles and blogs covering the troubling trend of personal liability for compliance officers and Chief Compliance Officers (CCOs) in the financial services sector? While anyone entering this industry knows it is highly regulated and replete with regulatory requirements, the growing liability of its compliance professionals is worrisome. Those responsible for overseeing their firm’s compliance program have many duties, and now more than ever find themselves on the receiving end of enforcement actions. This is evident in expanded corporate probes of compliance professionals or increasing regulatory expectations cited in speeches and proposed regulations.
Compliance professionals are concerned about facing personal liability especially when it is for non-rogue behavior. As a result, I thought this trend warranted a closer review.
The compliance infrastructure for managing financial crime risk at financial institutions is intended to be built on a risk-based, rather than rule-based, approach. A risk-based approach seeks to allocate resources commensurate with varying risk levels, reflecting the fact that financial institutions cannot eliminate all the risk of illicit activity occurring within an institution without completely shutting down all of its business. To optimize compliance, financial institutions must balance the need to provide legitimate and critical financial services and products with appropriate controls designed to mitigate the financial crime risk associated with those services and products to appropriate levels.
Where activity would violate law or regulation, the calculus is easy because the activity is simply prohibited. However, most legitimate activity will necessarily allow for some level of risk that it may be abused by criminals to facilitate illicit conduct or to exploit products and services for illicit purposes. Arriving at the right balance within this context requires an understanding of the risks, what level of controls can reasonably be put in place to mitigate that risk, and then making judgments based on an institution’s tolerance for reputational, regulatory and operational risk, about whether to engage in the activity. This last element, the exercise of judgment, must be arrived at within the framework of an institution’s risk appetite statement.
This year marks the fifteenth anniversary of the Sarbanes-Oxley Act, enacted July 30, 2002, providing an important compliance-based teaching moment for both the governing board and executive management.
As many lawyers and compliance professionals may recall, the law was enacted in response to the series of notorious and crippling accounting controversies that had occurred in prior months involving such companies as Enron and WorldCom. The goals of the Act included efforts to enhance the reliability and transparency of public company financial statements.
That seminal legislation has had an enormous impact not only on the development of corporate compliance programs. It has also affected the board’s relationship to compliance, the role of ethics and “tone at the top” within an organization, the general counsel’s role with respect to compliance, and laws affecting both whistleblower activity, and various forms of obstruction of justice.
This post is an abstract of the article published under the same title in the Revue Trimestrielle de Droit Financier / Corporate Finance and Capital Markets Law Review (Thomson Reuters), as part of the thematic section edited by Michel Perez and Margot Sève entitled “International Financial and White Collar Crime, Corporate Malfeasance and Compliance.”
On December 9, 2016, France adopted law n° 2016-1691 on transparency, the fight against corruption, and the modernization of the economy. The law has been commonly called the “Sapin II” law, after French Minister of Finance Michel Sapin who, in 1993, authored the first Sapin law on transparency in politics and public procurement, and sought in 2016 to further enhance transparency and combat corruption.
While France has in recent years certainly made efforts towards more severe punishment for corruption-related offenses, it has nonetheless been criticized for its weak enforcement track record. For example, while the sanctions for active and passive corruption of domestic officials, active and passive corruption in the private sector, corruption of foreign officials, and influence peddling were increased in 2013, only one company (Total S.A.) was fined between 2000 and 2016 for acts of corruption of foreign public officials. This lack of enforcement efficiency has led the OECD, as part of its monitoring of countries’ implementation and enforcement of the OECD Convention on Combating Bribery, to report serious concerns regarding “the lack of foreign bribery convictions in France.”