Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.
Sign up for our Cybersecurity & Privacy newsletter
You must correct or enter the following before you can sign up:
Thank You!
Law360 (March 8, 2021, 3:30 PM EST) -- Years ago, a colleague approached John Hanson, a car enthusiast and then-former internal audit director at a mortgage company, in the firm's lunchroom.
"Did you hear what Jane bought?" the colleague asked. "She just bought a BMW M5."
"I realized something didn't add up," Hanson recalled. "This is a $100,000 car, and Jane makes about 24 grand."
The incident was just one of many in Hanson's career where off-the-cuff office chatter provided the spark for an internal investigation, said the ex-FBI agent and current managing director in BDO USA LLP's forensic investigations and litigation consulting practice.
But in the COVID-19 era, compliance professionals have all but lost this essential tool, and they continue to operate largely without an on-site presence one year into the declaration of the pandemic as a national emergency.
"That channel has been taken away," Hanson said. "And when you're a compliance person, you don't want to take away any channels for people to report. You want as many as possible."
The lack of face-to-face interactions amid the pandemic is reducing the ability of compliance professionals to uncover potential misconduct and adequately monitor employees, industry experts told Law360.
The shift to remote work has also led to a heavy reliance on technological tools to help with the rising cybersecurity threats and employee oversight needs, but this has only placed additional strain on compliance officers who may lack the skills or guidance to implement them, they said.
While video conferencing has largely replaced in-person meetings and investigations, it isn't as effective as the real thing, said Hanson, who is also an independent auditor appointed by the U.S. Environmental Protection Agency in September 2019 to monitor Volkswagen's emissions practices.
"These are things somebody wants to share with you without it being potentially videotaped or audiotaped," Hanson said. "They're not necessarily coming to log a formal complaint, and they're not calling the hotline."
Investigative interviews are incredibly challenging over video conference, particularly when the aim is to extract sensitive information, he added.
"As an investigator or an FBI agent, you can't work a case from behind a computer screen," he said. "So if you're looking at doing compliance investigations, it's much more difficult now to interview people remotely."
"People are really hesitant and it's hard to build rapport, particularly when you're talking about investigative interviews that might be confrontational," he added. "If you're looking to get somebody to admit some sort of wrongdoing, do you think you're going to do that on a virtual conference? That would be extremely difficult."
The mere lack of an on-site presence makes the physical monitoring of employees impossible, allowing additional red flags to slip through the cracks, other experts said.
"In an open-office platform with cubicles, I can walk through a trading floor, and I can pick up red flags," said Dave Banerjee, president of the Southern California Compliance Group, an independent compliance consultant and retired CPA.
"If you've been in the industry long enough, it doesn't take long for you to figure out," he said. "You look at screens and you can also put in place other security processes, procedures and limitations."
The recent market volatility surrounding GameStop put the issue of employee oversight into focus when state regulators asked Massachusetts Mutual Life Insurance Co. whether it knew its employee and registered broker Keith Gill — a key figure at the center of the controversy — was posting on Reddit about the video game retailer's stock.
"If Gill was working for me and I walked past his desk in the office and I saw a screen, I would ask, 'What are you doing on Reddit? That's not an authorized social media platform,'" Banerjee said. "But if they're working from home, I lack that."
Yet the shift to remote work has led both the Financial Industry Regulatory Authority and the U.S. Securities and Exchange Commission to issue communications regarding technologies that can aid the transition.
In late May, FINRA shared certain practices implemented by firms that it said others "may wish to consider," touching on such things as the use of video conferencing, the security of remote online networks, and conducting virtual training on cybersecurity and fraud.
The SEC's asset management advisory committee recommended on Nov. 5 that the agency, in light of the pandemic, reassess its regulatory approach because "advancements in technology… [allow] firms to effectively supervise employee and customer activities leveraging technology."
The report argued that "COVID-19 accelerated longer-term trends that favor digital communications," and suggested that the pandemic has "demonstrated that a firm of any size can conduct a thorough inspection of broker-dealer locations remotely."
But many compliance professionals, particularly at smaller firms, lack the digital savvy to understand the technologies and how to implement them, Banerjee argued. It's also not clear from the existing regulatory guidance if the new technologies jibe with existing regulations, putting compliance officers at greater risk of culpability, he added.
"The high reliance on technology is actually significantly beyond these chief compliance officers' pay scale," he said.
A recent report from Smarsh Inc. likewise found that compliance professionals are unprepared for the shift to remote work and unclear on the regulatory requirements.
It showed that many of the firms surveyed were not adequately tracking virtual meetings and other employee communications, creating a concerning "compliance gap" that could leave them vulnerable in the face of regulatory examinations and investigations.
Respondents "were unclear on whether they should even record meetings," with 64% stating they "rarely or never" record the communications, according to the report. A similar percentage said they lacked the confidence to provide the meetings to regulators upon request.
In addition, the report showed that cybersecurity concerns among compliance professionals have grown, including those tied to ransomware and phishing as well as the loss of control that comes with employees' working off of "unsecured home networks."
While this additional strain could lead to some compliance officers leaving the profession, it also exacerbates the trend of firms outsourcing compliance matters — everything from cybersecurity to anti-money laundering and internal controls testing — to third parties, some of whom may not be exceptionally qualified, Banerjee argued.
"There is no requirement that the third party must meet minimum qualification standards," Banerjee said. "We're seeing a lot of reports where it's obvious that the attorneys or law firms engaged in doing this don't have the operational experience to actually do a good enough job."
Todd Cipperman, who founded Cipperman Compliance Services in 2004 and has built his business chiefly around providing remote chief compliance officer services, acknowledged he'd "like the regulators to give a little more guidance," but said the core best practices of remote compliance work have held true through the pandemic.
While compliance officers may get the occasional in-person tip or "get lucky" overhearing or seeing something, implementing a comprehensive testing program — much of which can be done remotely — is the most effective way to uncover both wrongdoing and mistakes, Cipperman said.
For instance, such testing programs might utilize portfolio analytics to make sure brokers and investment managers don't stray from investment mandates, he noted.
"How do you tell if someone's losing weight? Do you weigh them, or do you ask them?" he said. "Well, weighing them is a much better way to do that."
But the shift to remote work will continue to be "challenging for a lot of people," Cipperman noted.
"If you've been an in-house compliance officer for all these years and your M.O. is, as I like to say, 'shaking hands and kissing babies' around the office, and that's how you get information, you're going to have to change," he said. "You've got to start thinking about what tools you are going to use to do your forensic testing and if you are comfortable with the technology."
Hanson, of BDO, noted that the switch to remote work could potentially bring some positive changes that will stick. For instance, compliance officers may be spending more time devising new ways to monitor and audit transactions electronically.
"Human beings are extraordinarily creative," he said. "We figure out ways to do what we need to do."
Video calls have helped his own consulting business from a networking perspective, especially in the absence of in-person meetings and events, Hanson acknowledged.
Yet "it's not the same as getting together," he said, recalling how that in-person tip he received years back in the lunchroom, like many others, had ultimately paid off.
"Sure enough, I found that Jane was involved in a kickback conspiracy with a bunch of vendors," Hanson said. "But I learned that because I was out there interacting with employees, and when one of them said something that didn't make sense, I reacted to it."
--Editing by Philip Shea.
For a reprint of this article, please contact reprints@law360.com.
