For many this has been the year of compliance anxiety. Whether your industry is banking, insurance, life sciences, aerospace/defence or energy, all have come under scrutiny. With 2016 being the biggest year on record for fines (over USD6 billion) and imprisonment terms from the DOJ and SEC, in-house legal departments are scouting the globe on the lookout for potential internal FCPA or anti-bribery infringements to put an end to questionable business practices and initiate immediate remediation steps while desperately trying to change internal corporate culture.
But if 2016 was a trailer of coming attractions, the cost of compliance policy implementation for organisations rose 43% between 2011 and 2017, and the cost of not being in compliance rose 45%, according to new research from data integration firm Globalscape and Ponemon Institute (FOOTNOTE ONE). Risk crisis management is at such an all-time high that FBI white-collar crime investigators are crossing over into consulting corporate work where this skill set is on the rise and highly compensated.
With an unnerving trend shift in incentives by the DOJ for more self-reporting, in-house legal departments and external counsel more than ever need to understand the complexities and potential risks associated with voluntarily disclosing FCPA violations to their respective government agencies and guiding their corporate clients through safe governance procedures while trying to remain competitive in a world many are finding no longer a level playing field (if it ever was one). So Mr or Ms General Counsel, should you be concerned? Read on and then decide.
While it’s true that the focus of FCPA enforcement seemed to initially target large US corporates to send a chilling message to those contemplating engaging in bribery (e.g., Baker-Hughes, IBM, Johnson & Johnson, Siemens, Pfizer, Oracle, Tyco International, Eli Lilly, Stryker, Archer Daniels Midland, Hewlett-Packard, Bristol-Myers, Johnson Controls, and many other similarly positioned NYSE-listed companies), looking at the wide range of investigations, no one seems exempted from a probe. This includes mid-sized to small-sized companies and even individuals such as airline executives, former CEOs, VPs, and other corporate officers.
So, whom does the general counsel turn to for help? Is engaging an expensive, heavyweight forensic investigative company the only option? Is a mega law firm the only place for refuge when negotiating with the DOJ, SEC, SFO (UK’s Serious Fraud Office), or Europe's supervisory authorities responsible for AML/CFT (Anti-Money Laundering and Countering the Financing of Terrorism)? The sort of budget that these boutique players charge is not for the faint-hearted. Deep pockets be ready. These probes are expensive to deal with, let alone survive without a multimillion-dollar fine. The internal investigation alone to document the violation (or hopefully the lack thereof) can run into millions of dollars.
Enter artificial intelligence (“AI”). Given the correlation between risk and an organisation’s objectives, one could easily extrapolate how AI could help bring insight to Governance, Risk, and Compliance (“GRC”) activities as well. However, this technology is still under development. And while it is undeniable that one of the most important technological advances of our time is artificial intelligence, the implications for risk management can be huge, especially for fraud or bribery detection. But risk managers will find it difficult (at least for now) to explain the machine’s conclusions to corporate executives or a regulator (FOOTNOTE TWO).
Yet, it is not only the USA which is focusing on enforcing compliance legislation. The OECD is actively monitoring countries which are aggressively enacting anti-corruption legislation, while putting pressure on those which tend to be dragging their feet to embrace zero tolerance to corruption and risk crisis management (FOOTNOTE THREE). This trend is sending warning bells to historically dodgy jurisdictions, which had been used in the past as safe harbours by white-collar criminals. It is now harder to hide below the radar, while at the same time the spectrum from which corporate compliance violations may arise has widened.
But there’s more. Countries that never before had offered the US government assistance in FCPA investigations are now providing significant assistance through their own investigative teams and resources. From the US government's perspective, it’s a game-changer, but from a company’s perspective, knowing you have threats and potential risks coming at you from more jurisdictions and more areas than ever before, it’s simply terrifying.
During a recent panel at Compliance Week 2017 in Washington, DC, Kara Brockmeyer, former chief of the SEC’s FCPA Unit, and George McEachern, supervisory special agent at the FBI, spoke candidly about the future of FCPA enforcement, cooperation credit, third-party risk mitigation, and more. Brockmeyer and McEachern stressed repeatedly that the US government continues to develop relationships and cross-border collaboration with their foreign counterparts – and puts a premium on how companies resolve these cases (FOOTNOTE FOUR). In fact, the FBI now has agents sitting in corruption bureaus overseas looking at nothing but FCPA violations. This gives the US significant leverage to bring to justice culprits who can no longer hide behind dysfunctional and inefficient cross-border intelligence sharing. The DOJ or SEC can now say, “we don’t need to believe what you’re saying, we have our people on the ground.” This leverage was recently seen in the USD2.6 billion fine to Odebrecht for FCPA violations in the USA, Brazil and Switzerland.
And if this is not enough to keep you up at night, in-house counsel need to include cybersecurity in their suite of growing compliance responsibilities. Data, personal data, is the new powder gold.
Recently, Infosecurity interviewed 1300 cybersecurity leaders to compile its latest study, The Business View of Security: Examining the Alignment Gap and Dangerous Disconnects. It was startling to note that 50% did not inform their customers when their personal data had been breached. This is a stark reminder that many organisations are playing with fire in light of the forthcoming EU General Data Protection Regulation (GDPR), which will mandate 72-hour breach notifications. The past 12 months have seen a slew of delayed and nebulous breach reports from big name firms that should know better, including Yahoo, Equifax and Uber. To this effect, UK banking regulator the Financial Conduct Authority (FCA) just announced new rules forcing lenders to be more transparent about security incidents, especially after recent successful cyber-attacks in the financial sector (FOOTNOTE FIVE).
It is with all this in mind that in-house legal teams led by general counsel need to have a viable, reliable alternative to go to for compliance assistance and crisis management that is not going to break the bank. Compliance failures are the new frontier where the future of many companies will be gambled. It is essential for in-house attorneys to know how to instil a strong corporate culture of zero tolerance for risk due to FCPA and anti-bribery violations. Of course, the mega-firms have too quickly identified the significant potential for large fees to man such operations and are beefing up their compliance expertise and selling it downstream to all their “scared” clients. But it is not all gloom.
There is relief in sight. External counsel, the in-country attorney sitting in Brazil, Switzerland, Turkey, India, Democratic Republic of Congo, Indonesia, or wherever the potential FCPA infringement may be taking place through a bribe, is now just as qualified as the US practising attorneys, and is fully capable of providing this needed assistance, real-time and at local rates, which makes a dramatic difference in the budget of the in-house legal team. Some networks of independent law firms may also be able to offer such cross-border capability and it is in the general counsel’s best interest to research which top-ranked network can provide such a service offering.
4. www.complianceweek.com (Understanding the inner workings of FCPA enforcement: Compliance Week 2017)