Law360 (June 16, 2021, 8:44 PM EDT) -- With President Joe Biden gung-ho about fighting corruption, new anti-money laundering rules looming, and vulnerabilities that were amplified by the pandemic, companies should act now to reexamine and bolster their compliance programs, experts say.
Biden issued a memo this month giving more than a dozen government agencies 200 days to make recommendations on how to better combat corruption, a move that put criminal entities, financiers of terrorism and human rights abusers across the globe on notice.
"I expect a robust enforcement environment going forward in the anti-corruption space," said Christopher Cestaro, who in May joined WilmerHale after serving as chief of the U.S. Department of Justice's Foreign Corrupt Practices Act unit.
The FCPA unit last year entered into eight corporate resolutions that resulted in a record amount of global penalties and other payments — over $7.8 billion — a dramatic jump from $2.8 billion in 2019, according to DOJ data. The strong results were thanks in part to the additional resources and staffing funneled into the unit during the Trump administration, Cestaro noted, and the Biden administration has signaled that even more resources are likely on the way.
"Now is absolutely an opportune time for companies to make an assessment of their compliance program," Cestaro said. "An effective compliance program and a strong control environment are important safeguards that can stop a violation before it happens."
The easing of the COVID-19 pandemic in the U.S. also makes this a good time for compliance teams to review the impacts of the massive changes in workforce habits and data use, experts said. In addition, companies should prepare for sweeping new anti-money laundering rules currently being hashed out by the Financial Crimes Enforcement Network.
Here are some areas that experts say companies should review now instead of later to avoid investigations and potential enforcement actions.
Check Your Cyber-Risks
Cybersecurity has been top of mind in recent months with high-profile hacks of both government and private companies, including the SolarWinds and Colonial Pipeline incidents.
It's no surprise that a May 12 executive order from Biden created a national review board for major cyberattacks and ordered information technology sector government contractors to report data breaches.
Companies are expected to protect customer data, prevent breaches and report any breaches to authorities should they occur, and companies should look out for more formal potential regulations in this space, experts said.
Compliance in this area requires a three-pronged approach on the tech, communications and legal fronts, according to Seth DuCharme, a Bracewell LLP partner who served as acting U.S. attorney for the Eastern District of New York until March.
The tech piece requires either an in-house or third-party team "sophisticated enough" both to prevent attacks and to monitor the so-called dark web in real time, looking for auctions of stolen credentials that are often "the first indication of a breach," he said.
Companies also need communications staff "who can communicate about the technology you've got in a way that's going to be understandable to people that aren't subject-matter experts on the technology … so you can project confidence in the technology," DuCharme added.
In addition, companies should be on top of several levels of legal exposure, from setting up response plans for potential incidents to making sure company leadership and staff understand the consequences of making misstatements.
"If you don't understand the legal exposure, you're going to impulsively fire off messages, like [we've] seen in many of the white-collar cases, that can create at least the inference of some type of either misconduct or negligence," DuCharme said.
While ransom payments may be a last resort, the "U.S. government essentially has said we'd prefer you not pay, but we understand that a lot of people do," he said, adding that due diligence before making any such payment is crucial to make sure the money isn't falling into the hands of a blacklisted entity or terrorist organization.
Fill the (Data) Gaps
A gap analysis measures internal controls against the standards for compliance programs to uncover any gaps, hence the name.
A key change to the standards in the DOJ's June 2020 update to its corporate compliance guidance asks whether "compliance and control personnel have sufficient direct or indirect access to relevant sources of data."
That key stipulation is currently creating the biggest "gaps," because compliance personnel must now have access to all HR-related, financial and operational data — at a time when the use of data "sped up exponentially" during COVID-19, said Thomas Fox, an independent compliance consultant and founder of TomFoxLaw LLC.
"That would be the first place to start to make sure that, as a compliance officer, there are no gaps in the data that you have access to," Fox said.
In the anti-corruption landscape, sales made to governments or state-owned customers in high-risk jurisdictions are a key focus of companies looking to identify potential gaps, but there is a whole host of additional risk areas that have resulted in enforcement actions, Cestaro said.
"This has included enforcement actions associated with bribes to obtain licenses, bribes to obtain construction permits and other permits, bribes to obtain cheaper raw materials [and] bribes to obtain financing," Cestaro said.
Companies should also ensure that any red flags or allegations that have been identified by compliance or audit teams are addressed immediately, he noted.
"I would implore companies at a time like now to make sure that they've addressed the issues that have been raised," Cestaro said. "Oftentimes companies get into trouble when they don't take swift, immediate, decisive action to address those red flags. We see that in so many different resolutions in the FCPA space."
FCPA and AML Training
Fox advised that companies implement more focused training — and get a little creative along the way. While a majority of employees may only need a yearly refresher on the FCPA and anti-money laundering rules, companies should tailor training for employees on the front lines, such as those in sales and operations, he said.
"First, I would advocate for determining who needs that more focused, more detailed training, and then deliver that to them," Fox said. "And the second part of that is not sending a one-hour PowerPoint and saying, 'Review it.'"
The consensus among training experts is that short, three- to five-minute training sessions made up of "entertaining bursts of information" are just as effective as long training webinars or presentations, Fox noted. These could come in the form of a YouTube Live video, a short podcast or even a meme, "just to keep it in the front of people's minds," he said.
DuCharme of Bracewell sought to remind companies that compliance should be engrained into corporate culture and a "living, breathing, proactive, forward-looking" element of the business.
"Don't resist the compliance function and the training function and the audit function; embrace it, because you're essentially testing yourself to make sure you can withstand the scrutiny of others later," DuCharme said. "And if you have that confidence, then you can go forward with confidence to make money and grow value."
The Postpandemic Assessment
Companies should also take a fresh look at their compliance programs in light of changes brought by COVID-19, experts said.
"The whole work environment for many people changed abruptly, and policies may not have quickly caught up with the reality of the way people were operating," DuCharme said.
For instance, more people are logging into networks, accessing credentials and using virtual video and conference lines from home, DuCharme said. This major increase in remote work has made companies "much more vulnerable to both sophisticated intrusion, and frankly, pretty dumbed-down intrusion," he added.
In addition, many people were forced to work from home but "didn't have the benefit of a full home office setup," which has led to a bending of the rules that were primarily designed for the on-site worker, DuCharme said.
"They didn't necessarily have a laser printer and a scanner and fax machine and all that — so then there comes this temptation," he said.
DuCharme drew up a scenario where an employee receives a 37-page attachment but can't figure out how to connect their work laptop to a home printer. In fact, they're not even sure if that's allowed.
"So you think, maybe I just forward it to my Gmail account because I can print it from my home computer, and I can read this thing in my lawn chair," he said. "Now you've violated a policy, you've created a cyber vulnerability, and it's the result of the change in physical environment from COVID. And that's just one example."
Follow the Money
The U.S. Department of the Treasury's financial crimes unit in April requested input for the rollout of new anti-money laundering rules that aim to stop the flow of illicit funds through shell companies, in part by requiring the disclosure of so-called beneficial ownership information.
Industry attorneys said in December that the beneficial ownership database would be a "godsend" to bank compliance teams, which are often scrambling to retrieve such information.
But the Biden memo's call for federal officials to potentially identify "the need for new reforms" also suggests that the administration "may believe there is more legislative or regulatory work to be done to combat illicit finance," according to a recent commentary from McDermott Will & Emery LLP.
"The previous administration did not appear to be as incensed by, or as openly dedicated to prosecuting, corporate fraud," Benton Curtis, a former federal prosecutor and a McDermott partner, said in an email.
"I think the next few years, though, will evidence a significant shift in policy, with the current administration applying a more expansive interpretation to white-collar statutes that, in turn, will allow it to investigate — and potentially combat — global corruption with greater ease," he added.
With the Biden administration "making this particular push at this early a stage and in such a public fashion," Curtis advised that companies proactively implement or update "thoughtful compliance programs," and that executives take notice, too.
"The best way for companies to hold executives to a high standard is to make clear upfront that if allegations of individual wrongdoing are discovered and sustained — either internally or by the government — those executives will not be able to find shelter later on in the form of a corporate resolution, indemnification or a cushy golden parachute," he said.
--Editing by Breda Lund.