Compliance in 2016: Navigating the New Expectations

Transcription

1 Compliance in 2016: Navigating the New Expectations Prepared by: Kathleen Marcus Stradling Yocca Carlson & Rauth, P.C. 660 Newport Center Drive, Suite 1600 Newport Beach, CA P F NEWPORT BEACH I RENO I SACRAMENTO I SAN DIEGO I SAN FRANCISCO I SANTA BARBARA I SANTA MONICA

2 Evolution of Compliance Sarbanes-Oxley Act (2002) Amendments to the U.S. Federal Sentencing Guidelines (2004) Dodd Frank Wall Street Reform and Consumer Protection Act (2010) Organization for Economic Cooperation and Development Issues Good Practice Guidance (2010) DOJ/SEC Joint Guidance for FCPA Compliance (2012) 2

3 DOJ s Seven Elements (Part One) 1. Establish standards and procedures to prevent and detect criminal conduct; 2. Management knowledge and oversight: High-level personnel for overall program responsibility; Designation of day-to-day operational responsibility to report on the effectiveness of the compliance; Access to high-level personnel or governing authority; Provision of adequate resources to day-to-day personnel; 3. Reasonable efforts to exclude bad actors; 3

4 DOJ s Seven Elements (Part Two) 4. Reasonable steps to communicate periodically regarding compliance and ethics, including training; 5. Monitoring and auditing; 6. Consistent promotion and enforcement throughout the organization, including appropriate disciplinary measures; 7. Once violations have been detected, respond and prevent further similar conduct. * 2011 Federal Sentencing Guidelines Manual, Chapter 8, Part B 4

5 Government Use of Carrot and Stick Whistleblower bounties; Subpoenas; Compliance enhancements in settlement / Corporate Integrity Agreements; Corporate funded compliance monitors; Promise of leniency or nonprosecution for robust programs. 5

6 Hui Chen, Compliance Counsel Chen will help prosecutors determine whether a company had an effective compliance program in place and whether they have taken appropriate steps once a violation is discovered. Prior experience: Hired November 3, 2015 Photo via LinkedIn, as featured in Sue Reisinger, Report: Justice Dept. Names Chen to Controversial Compliance Counsel Post, Corporate Counsel, September 21, Global Head for Anti-Bribery and Corruption, Standard Chartered Bank - Assistant General Counsel, Pfizer - Director of Legal Compliance for Greater China Area, Microsoft - Trial Attorney and Assistant United States Attorney 6

7 DOJ Factors For Consideration (Part 1) Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies? Do the people who are responsible for compliance have stature within the company? Is there adequate funding for compliance? Are the institution s compliance policies clear and in writing? Are they easily understood by employees? Are the policies translated into languages spoken by the company s employees? Are the institution s written compliance policies easy for employees to find? Do employees have repeated training, including direction about what to do or who to consult when issues arise? 7

8 DOJ Factors For Consideration (Part 2) Does the institution review its policies and practices to keep them up to date with evolving risks and circumstances? This is especially important if a U.S.-based entity acquires or merges with another business, especially a foreign one. Are there mechanisms to enforce compliance policies, including incentivizing good compliance and disciplining violations? Is discipline even handed? Does the organization make sure that its third parties like vendors, agents or consultants are also serious about compliance? This means more than including boilerplate language in a contract. It means taking action including termination of a business relationship if a partner demonstrates a lack of respect for laws and policies. * Speech by Assistant Attorney General Leslie Caldwell, November 2,

9 The Simple Seven 1. Leadership 2. Risk Assessment 3. Policies, Procedures and Controls 4. Training and Communication 5. Funding 6. Oversight 7. Responsiveness 9

10 Leadership Commitment Tone at the top Unambiguous and visible Senior officer oversight of compliance function Legal and compliance department interaction Direct access to the board Actively evaluate questionable circumstances 10

11 Risk Assessment More focused than a business risk assessment or internal audit/financial statement risk process; Designed to identify existing or potential risk of legal or ethical noncompliance; Focused on avoidance of investigations, fines, penalties, litigation, reputational damage or bars from key markets; Conducted routinely. 11

12 Risk Assessment (cont.) Anti-bribery / anti-corruption; Data breach and data protection; Fraud; Antitrust and competition law; Money laundering; Foreign trade and sanctions; Life Sciences: off label; payments to doctors. 12

13 Policies, Procedures and Controls Code of Conduct Policies Which policies? How detailed? Procedures Incentives and disciplinary measures 13

14 14 Policy Assessment

15 Training and Communication Policies must be more than notification of rules; Active and repeated training on expectations, processes and procedures; Employees should be informed of who/how to consult; Open dialog within the organization, particularly middle management; Confidential reporting hotline. 15

16 Funding and Resources Walk the talk Adequate personnel Budget for: Training Assessments Technology/Automation Policy review and updates 16

17 Program Oversight Under the Chief Compliance Officer Consistent, periodic assessment Awareness of competencies and capabilities All levels of the organization Documentation Oversight of policies and procedures Instances of noncompliance 17

18 Responsiveness Identify problems as systematic or isolated Investigations Who conducts? Scope? Resolutions Objective, even-handed treatment Reflects on management s commitment to compliance 18

19 Corporate Compliance Maturity Model Evaluates program maturity on the matrix by ranking each element of the program: Unaware (reactive / ad hoc) Fragmented (silo policies) Top-Down (proactive and organizational) Systematic (planned, measured, coordinated, monitored) Risk Intelligent (embedded in strategy, capital allocation, product development, performance measures) * Deloitte, Galaz, Yamazaki, Ruiz Uquiza (2013); OCEG Corporate Compliance Maturity Model. 19

20 Sample Corporate Maturity Matrix Leadership Unaware Fragmented Top-Down Systematic Risk Intelligent Risk Assessment Policies and Procedures Training and Communication Funding Oversight Responsiveness 20

21 Great Debate: Compliance or Legal? Some sectors require the retention of a Compliance Officer. Why would a company want to separate Compliance from Legal? Report to CEO, Legal, the Board or a combination? 21

22 22 Questions?