This document summarizes a presentation given by Michele DeStefano at a meeting in Munich, Germany in October 2014. The presentation discusses the evolution of corporate compliance programs in the United States and challenges faced by Chief Compliance Officers. It also hypothesizes that efforts to increase compliance, transparency, and visibility through measures like separating compliance from legal departments may be "cloudy at best" and not achieve their objectives. The document outlines arguments for why departmentalization may not increase actual compliance, transparency, or visibility and entrenchment of compliance programs. It concludes by recommending corporations look inward at decision-making processes and culture beneath formal structures.
DeStefano, Compliance, Transparency, Visibility: A U.S. Perspective: Cloudy At Best
1. Compliance, Transparency, & Visibility
A Perspective of the US Market:
Cloudy At Best
Michele DeStefano
Professor of Law, University of Miami
Meeting of LAAW e.V. Munich Germany
October 2014
6. Questions
1. How Did We Get Here?
2. How is Compliance being managed?
3. What purpose does and should a compliance
department serve at a large publicly traded
corporation?
4. Who SHOULD be responsible for compliance
and what role should the Chief Compliance
Officer play?
5. How do ethics and culture fit in?
6. How should outside law firms be involved?
8. The Compliance Study
• Secondary research
• Primary Research:
– Interviewed 70 General Counsels and Chief
Compliance Officers
• @ large publicly traded corporations
• across multiple industries including banking,
petroleum, and pharmaceutical
9. The Compliance Study
Research Methodology
Stage 1 2006-2007
• 36 brief interviews
– General Counsels of S&P 500 corps
– Banking, pharmaceutical, and petroleum
10/9/2014 DeStefano 9
10. Stage 2 2010-2012
• 35 in-depth interviews
– General Counsels
– Chief Compliance Officers
• Large, publicly traded corporations in 9
industries:
– Pharmaceutical, Electric/Energy, Health Care,
Consumer Products, Petroleum, Professional
Services, Financial Services, Government,
Transportation & Logistics
11. Caveats:
1. Sample size is very, very low
2. Not a random sample
3. Self-reports by senior executives who
arguably have certain stories to tell
12. Road Map
1) Background
2) Overview
1) The Compliance Function
2) Role & Challenges faced by CCOs
3) Organizational Structure
3) Trends & Recent Developments
– Hypotheses regarding Departmentalization
4) Conclusion
14. Background: 1960s & 1970s
In response,
other companies
beefed up their
compliance programs
Used strength of compliance
Program as defense against
Antitrust penalties
FCPA 1977 incented robust compliance programs
15. Background: 1980s & 1990s
OSGs mitigated corp
criminal penalties if orgs
showed effective
compliance program
Fraud by Defense Contractors
led to DOD reqs: written code,
training, procedures
In re Caremark and the Business Judgment Rule
16. Background: 2000s
Revisions to sentencing
guidelines recommend
ethics & compliance
programs
Sarbanes-Oxley Act change in
focus on individual actors and
corp fines to directing changes
within corporate entity
Deferred Prosecution Agreements require
structural changes to compliance function
17. Background: 2000s
2013 (2010): public federal
database of payments & gifts
made to physicians & teaching
hospitals by medical device and
pharmaceutical companies
Dodd Frank Act
and the
Whistleblower
Program 2010
21. What Is Corporate Compliance?
“Most people can articulate what a lawyer or auditor does for a living, but the average employee may have difficulty defining ‘compliance.’”
Jose A. Tabuena
23. Compliance Function vs Legal
Both Legal and Compliance rely on legal expertise and have a shared goal to increase compliance with the law
25. Compliance Function
• Builds policies and procedures
• Trains and educates employees
• Tests employees on adherence
• Reports misconduct
• Remediates
26. Key Substantive Areas
• Fraud and Corruption
– Gifts, anti-bribery, anticorruption, antifraud, FCPA
compliance, and data protection
• Employment/Labor Law
• Antitrust/Trade Regulation
• Environment/Health and Safety
• Securities Regulation
27. Challenges for the CCO
Compliance personnel are charged with communicating and providing training on the legal and ethical regulations to employees around the world.
28. Challenges for the CCO
They are also charged with risk assessment and understanding risk tolerances
29. Challenges for the CCO
International training is important not just to ensure compliance but “so that we can explain to the government, ‘We did all we could: we went there, we were there in person, they got online training, we did risk assessments. This still happened, but this is how we try to show we have an effective Compliance Program.’”
– CCO
30. Challenges for the CCO
Thus, in addition to audit and internal
controls, training, ethics, and HR
communications, compliance professionals
need to understand politics.
Jack of all Trades:
CCO plays many
roles: from confidant,
to cop, to counselor,
to tattletale
33. Compliance was Part of the Legal
Department and Reported to
General Counsel
34. Steady Decline in Reporting to GC
[Charts for 2011, 2012, and 2013: reporting “To GC” vs. “Other”]
Data from PWC annual surveys of over 800 corporate compliance officers
41. Although the government (e.g., OIG of the SEC and the DHHS) does not *require* corporations to have a separate compliance department, or a certain set of ethics and compliance programs and training . . .
45. 5 Year Corporate Integrity
Agreement
• Reporting hotline
• Develop employee training
• Revamp written codes of conduct
• Designate a chief compliance officer who
would report directly to the Chairman,
CEO, and President of the company.
– The chief compliance officer “shall not be or
be subordinate to the general counsel or chief
financial officer.”
47. Settlement Agreement
• Develop employee training
• Revamp written codes of conduct
• Designate a chief compliance officer who
would report directly to the Chairman,
CEO, and President of the company.
– The chief compliance officer “shall not be or
be subordinate to the general counsel or chief
financial officer.”
• Corporate Monitor
49. 5 Year Corporate Integrity
Agreement
• Develop employee training
• Revamp written codes of conduct
• Designate a chief compliance officer who
would report directly to the Chairman,
CEO, and President of the company.
– The chief compliance officer “shall not be or
be subordinate to the general counsel or chief
financial officer.”
• Corporate Monitor
51. SEC Saga Continues
• Recommendation – one department with
primary compliance responsibility
– Remained under Office of GC
• But in 2011 . . .
– The SEC GC was named as a defendant in
Madoff bankruptcy suit
– SEC was criticized for organizational structure
of compliance
– In response, SEC separates compliance
function to report to the SEC Chairman
52. The reaction by the DHHS and SEC
DEPARTMENTALIZATION
53. This Reaction is Consistent with Recent
Guidelines and Recommendations
• Changes in corporate liability rules
• Some of the Federal Sentencing
Guidelines
• Best Practices developed by
governmental entities
• OIG Compliance Program Guidance
• Institute of Internal Audit
• In-House Counsel Conferences
54. Inconsistent with other corporate practices
and mandates that put compliance in the
hands of lawyers . . .
55. Examples
ABA Task Force on
Corporate Responsibility
recommended that
general counsels
oversee compliance
(with direct oversight by
the Board)
And MR 1.6 (may) and
1.13 (must)
Recent Federal Sentencing Guidelines
enable GC to oversee Compliance
SEC §307 of Sarbanes-
Oxley puts the GC in
role of whistle
blower/gatekeeper
2004 Investment
Company Act
'Compliance Rule'
enables GC to oversee
compliance
56. Despite the debate over who should
play gatekeeper, more and more
corporations are departmentalizing
57. Review: Government Mandates
• Corporate Reporting
– Sunshine Act
– Dodd Frank
– Sarbanes Oxley
• Internal Policies and Programs
– Revised Written Codes of Conduct and Enhanced
Training
• Corporate Monitorships
• Departmentalization
– CCO separate from GC
– Direct access to the Board
58. Potential Objectives of Government
Mandates?
• Increase actual compliance with the law (and
prevention of noncompliance)
• Increase transparency externally & internally
– So that company AND government have increased
access to information in order to monitor and
catch noncompliance
• Increase visibility & entrenchment
– To enhance importance of and commitment to
compliance internally
– To demonstrate government has acted
68. May Not Increase Compliance
Watch Dog AND Cost Center
“I think compliance is the
world’s longest four letter word
XXXX
and it initiates a response in
people that is negative.”
- CCO
Interviewee
70. ‘C’ for ‘Chief’ ≠ Unlock the
Door to the “C-Suite”
“[E]ven if the chief compliance officer reports
to the [board] or CEO, they are going to
have the same problem, because chances
are the CEO is going to want to listen to the
general counsel . . . because they are their
trusted legal advisor. Very rarely is the
compliance officer reporting to a CEO,
because that’s what the CEO wants.”
– CCO/Assoc. GC
71. May Not Increase Compliance
No Guarantee
Right Professional with Right Skills
87. May Not Increase Visibility & Entrenchment
Emphasis ≠ Culture
Easy to Control: Routine Check the Box
Harder to Control: Complex, multifaceted, About ethics and morals
99. Recommendations
• Look inward at actual decision making
processes of individuals and at the informal
values, culture, and networks
– Conduct a network analysis to determine
communication flow and critical stopgaps
• Liability mitigation to corporations that make
changes based on internal findings on the
networks and ethical culture that exists
beneath the org chart
100. “Everything's got a moral, if only you can find it.”
Lewis Carroll,
Alice’s Adventures in Wonderland
and Through the Looking Glass
Editor's Notes
Potential objectives of these govt mandates – departmentalization specifically but also the Sunshine Act, whistleblower act, etc.
----- Meeting Notes (10/9/14 06:45) -----
use research along with secondary to inform my analysis
Background: US regulatory history from 1960 to today;
Overview: the compliance function; role of and challenges faced by the CCO; organizational structure
Trends - Government Mandates; Four Examples; Objectives
***In the 1960s the government prosecuted a group of heavy electric equipment companies for antitrust violations. GE argued that the strength of its compliance program should be part of its criminal defense – and in response other companies beefed up their compliance programs
And the Foreign Corrupt Practices Act of 1977 incented corps to develop more robust compliance programs
***Whistleblower uncovered fraud by govt defense contractors – led to DOD issuing reqs
***OSGs (Organizational Sentencing Guidelines) were implemented –
partnered with In re Caremark (interpreted by Delaware, Stone v. Ritter): business judgment rule protection only applies to directors who exercise a good faith judgment that the corp's info and reporting system is in concept and design adequate to assure the board that appropriate info will come to its attention in a timely manner as a matter of ordinary operations
***change in focus to directing corporate structure – SOX, sentencing guidelines – include mitigation in sentencing for good programs, and deferred pros and nonpros agreements (consent decrees) mandating structural changes – which we will delve into a bit more
***Corp Criminal Liability Rules -- designed to incent people to give specific, timely info – if it results in a successful action over 1 million then they can get 10-30% of monies collected – OWB – within the SEC. There is even a Chief of the Office of the Whistleblower. In 2013 the office paid whistleblowers over 14 million for contributions to the success of actions against frauds
In the past 15 years, in the wake of corporate scandals that have spanned industries (pharma, insurance, financial services, health care, consumer products), the compliance function is getting a lot of attention
Huge group of lawyers and nonlawyers that now consider themselves a part of this profession – with professional associations and conferences like this one dedicated – and separate compliance departments and chief compliance officers and written codes of ethics and programs, and monitoring and audit systems and reporting procedures.
One of the reasons I set out to do these interviews was that compliance seemed to mean different things to different people
What are all these compliance professionals doing? Not as clear as you may think
Difficult to tell where legal ends and compliance begins
Hard to sleep at night!
One GC of a large trucking company said – I know someone is breaking the law somewhere at any moment – the key is what law and have I done everything I can to help prevent it
Help prevent investigations – and mitigate penalties if noncompliance found
In terms of structure and organization at large publicly traded corporations, historically there has been a trend for compliance directors to report directly to the general counsel—or even to be the general counsel.
PwC’s third annual survey of 800 corporate compliance officers,117 reported that there has been a “steady reduction in formal reporting of compliance into the legal function over the past three years” (from thirty-seven percent of respondents in 2011 to thirty-three percent in 2012 to twenty-eight percent in 2013).118
Separating out the compliance function from the
In the wake of corporate scandals from JP Morgan to Walmart
And in response to all of these new regs and increased penalties Dodd Frank, Sunshine Act etc
Corporations are adopting – as a preemptive move – enhanced compliance programs so that, like GE in the 1960s, they can defend that they “tried”
Of course, there also come involuntary initiatives adopted bc they are mandated by the government – time and time again
PUT IN YOUR CHOICE
HANDCUFFS here
4 examples of recent misconduct and the govt reactions
In 2004, the Schering-Plough Corporation, one of the largest pharmaceutical manufacturers in the world, agreed to plead guilty to fraud in relation to pricing information it provided (or failed to provide) to Medicaid for its drug Claritin.136 Evidently, believing that Claritin was too expensive, two health maintenance organizations (“HMOs”) threatened to replace Claritin with Allegra on their list of covered drugs.137 To discourage the HMOs from doing so, Schering-Plough allegedly paid the HMOs millions of dollars in discounts via data fees, interest free loans, and rebates.138 Reputedly, Schering
pled guilty to one count of offering and paying a kickback in violation of the Anti-Kickback Statute.140 Further, it paid more than $290 million in settlement141 and assented to a five-year corporate integrity agreement (“CIA”) with the DHHS’s OIG.142 In addition to mandating that the company establish a reporting hotline, develop employee training, and revamp the written codes of conduct,143 the CIA required the company to designate a chief compliance officer who would report directly to the Chairman, CEO, and President of the company. 144
In October 2004, the SEC147 charged Quest Diagnostics with fraudulently projecting over $3.8 billion in revenue earnings in a
illegally promoting several of its drugs, including Bextra, for uses that were not specifically approved by the Federal Drug Administration (“FDA”)
led guilty to a felony criminal violation of the Federal Food, Drug, & Cosmetic Act and signed a five year CIA.15
FBI investigated 2 SEC attorneys for insider trading - at the time of the alleged insider trading, the compliance function at the SEC was disjointed and housed in two different departments.164 Disconcertingly, the OIG report concluded that the SEC “lack[ed] any true compliance system to monitor SEC employees’ securities transactions,”165 understand reporting requirements or who was in charge of overseeing ethics and compliance,166 and that there was “lax enforcement of the reporting requirements.”167
The report recommended that the SEC ensure that one department be vested with primary responsibility over compliance. And in response, the SEC consolidated the compliance department under the Office of Ethics Counsel and hired its first-ever chief compliance officer.168 This department, however, remained a part of the Office of General Counsel until late 2011.169 After the SEC’s general counsel was named as one of the defendants in a Madoff bankruptcy suit, the OIG criticized the SEC for having the ethics counsel report to the general counsel.170 In response, the SEC “formally proclaimed the independence of its Office of Ethics Counsel as a stand-alone unit within the agency.”171 Resultantly, the head of this office no longer reports to the General Counsel but instead to the SEC Chairman.
Increase training policies – CCO does not report to the GC
Like the ABA Task force on Corp Resp that recommends that GC oversee compliance (with direct oversight by board)
MR 1.6 (may) and 1.13 (must)
SEC Section 307 of Sarbanes-Oxley puts GC in role of whistle blower/gatekeeper
2004 Investment Company Act Compliance Rule enables GC to oversee compliance & recent Fed Sentencing Guidelines
Departmentalizing and creating similar programs and policies
Potential objectives of these govt mandates – corporate monitorships, new laws, etc., departmentalization specifically but also the Sunshine Act, whistleblower act, etc.
**These last group differ slightly –
** For example, some commentators claim that the government’s focus on ethics and on other aspects of compliance like corporate monitorships “demonstrate a broader regulatory trend that recognizes the limits of regulating corporations through external prescriptions and inspections, and therefore directs its energies towards encouraging corporations to engage in meaningful self-regulation through the adoption of effective internal compliance programs.” Ford & Hess, supra note 25, at 2; see supra note 5
*Specific to Departmentalization
By separating the two departments, a chief compliance officer will have the autonomy she needs to uncover and report misconduct thereby increasing the level of transparency into corporate conduct (by the board of directors and, in the case of investigations, also by the government).31
Well, even if it's not wrong – it doesn’t appear to be right
Departmentalization is purposeful – to sep compliance so that this professional has autonomy and independence to act – but the result is that they are seen as separate – legal and compliance
Create tension – refuse to collaborate – which goes against problem solving literature – entrenches competition and impedes open communication
And creates turf wars – which do not lend themselves to collaboration – which is key to problem solving
Further separation risks viewing compliance as an outsider -- How can you uncover anything if you aren’t invited to the table?
----- Meeting Notes (10/9/14 06:45) -----
true of GCs years ago - but now have a seat at C-suite
Worse, separation exacerbates the idea that compliance is seen as a watch dog – purposefully kept out – not just outsider
----- Meeting Notes (10/9/14 06:45) -----
seen as "NO" people
Even if that isn’t the case, separation by itself – although it may signal that the corp is committed to compliance – doesn’t provide the CCO with the power, influence, and support they need to be able to do their job
Jack of all trades – master of NONE
There is no reason to believe that an independent chief compliance officer will have a better set of compliance skills or expertise than a chief compliance officer who reports to the general counsel.
Thus, it is not clear that the unofficial governmental mandate will change the current status quo.
Indeed, it's often the Assoc GC that takes the job
Enhancing compliance – by departmentalizing may not increase compliance bc people will view it as “taken care of”
Lack of responsibility
Lawyers not watching – not playing gatekeeping role
Separating the compliance and legal functions could entrench the fallacy that the general counsel’s role is to define what the corporation “can” do from a technically legal point of view versus what it “should do” based on the spirit of the law and other considerations
It exacerbates what Rosen calls the Lawyer Cast of Mind – lawyers may be followers – and “may even aid their clients to resist and subvert regulation.”282 Thus, they find that lawyers can behave as “gamesters” treating the law as “a game of loopholes” and litigation as unavoidable.283 Similarly, others contend that lawyers take an “excessively legalistic approach” to compliance that obscures the “cultural influences that impact employee behaviors or nuances.”284
We have double trouble with separation. It could lead to expectations that the legal team is a super talented, super educated set of strategic individuals—completely off the hook for compliance, ethics, reputation, and business risk counseling—and completely on the hook for helping the corporation find loopholes in the law—and there to serve the client above all else
Counterintuitive – one of the reasons for sep is to prevent the a/c priv from applying. However, departmentalization may strengthen the argument that the attorney-client privilege should apply to communications with lawyers around compliance issues and, therefore, lead to less transparency into corporate behavior and
In the states the a/c priv only applies between lawyers and clients when the primary purpose of the communication is legal advice. If the compliance function is sep – it makes clear that compl is not LEGAL and not considered part of legal, then no a/c priv, right? Wrong
Actually, this may increase application. Bc every time there is a lawyer in the room with compliance – arg can be made they were there for the primary purpose of legal advice – NOT true if the lawyer is also the CCO – thus more information might actually be protectable – or better args for it
Thus, the way that employees interact and the groups they interact with do not match static organization or traditional communication flow diagrams.381 Instead, “social networks” (defined by Rob Cross and Andrew Parker) are the more relevant indicator of organization and communication flow within institutions.382 And they have a dynamic influence on an organization’s performance and its ability to execute strategy, react to issues, and to change.383 The internal dynamics of a corporation can create stopgaps and “moral mazes.”384 SO much depends on this inner web and communication among the teams . . .
**First, researchers have shown that having compliance report to legal may increase the corporation’s attention on risks, and, therefore, compliance. Bc lawyers, they claim, are like Herman Melville’s “lightning-rod salesmen” putting fear into people’s heads about the risks that “lightning” will strike.
** When a lawyer (as opposed to another type of professional) is in charge of compliance “the company is more frightened of conflict with regulators and third parties.”
While it is true that govt has said that it wants to instill a culture of compliance, it's not clear that xy do so. Some commentators claim that the government’s focus on ethics and on other aspects of compliance like corporate monitorships “demonstrate a broader regulatory trend towards encouraging corporations to engage in meaningful self-regulation” - AND CULTURE, BUT govt reg – they place value on structural manifestations of compliance like adoption of codes of conduct, revisions to mission statements, and enactment of training programs.371
Second, however, there is little empirical evidence that these trappings are effective at deterring prohibited conduct without more372 and experts claim they may actually be the “weakest link in an org ethical structure”
formal controls are completely unconnected to the way employees interact376 and are decoupled from norms and ethics.37
When dealing with routine check-the-box processes, noncompliance with these requirements is easy to uncover, and compliance is easy to motivate. However, when the choice involves nonroutine, complex, multifaceted choices about ethics, morals, or personal preferences, malfeasance is much harder to control.
Combination of extrinsic and intrinsic
Can motivate simple jobs and compliance steps with carrots and sticks but not necessarily true for the more complicated -
Money can motivate for routine tasks (explaining research study where offering money to people to give blood decreased by half the number of people willing to give blood). Also study with monkeys and puzzles
Ultimately, the analysis indicates that departmentalization is the wrong answer because the right question is not about independence but instead about connectivity, informal norms, ethics, and motivation.54
Speeding limits – there is a fine – you choose whether to break the law – like the day care situation