Summary: Podcast featuring the top Compliance and Ethics thought leaders from around the globe. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association will keep you up to date on enforcement trends, current events, and best practices in the compliance and ethics arena. To submit ideas and questions, please email: firstname.lastname@example.org
By Adam Turteltaub email@example.com The words “Socratic Method” tend to conjure up images of law school professors boring into and humiliating ill-prepared students. But, it shouldn’t necessarily be this way. Instead, explains Jonathan Rusch, Adjunct Professor at the Georgetown University Law Center and Principal of DTG Risk & Compliance, Socratic questioning is about learning by asking questions about a topic. As he wrote in a recent article and shares in this podcast, the object is to ask questions, listen for the answer and then follow up appropriately to ensure you are getting to the heart of the issue. In addition, rather than the badgering seen in movies, it’s far better to maintain a measured, even tone. In many ways, it’s an approach reminiscent of the recent DOJ guidance for evaluating compliance programs, which is rich with questions. Listen in to learn more about the importance of doing your homework, carefully structuring questions, actively listening, focusing on topics (vs. individual questions) and being patient.
By Adam Turteltaub firstname.lastname@example.org The US Supreme Court’s Digital Realty Trust decision has been a cause of concern within the compliance community. In that case the court found that the Dodd-Frank whistleblower protection provisions do not apply in instances where the whistleblower does not report the allegation to the Securities & Exchange Commission (SEC). To better understand what this case means we sat down with Sean X. McKessy, a partner at the law firm Phillips and Cohen and the former Chief of the SEC Whistleblower Office. As he explains in this podcast, the ruling was shocking to many. It puts employees considering reporting an issue into a more difficult position since they may potentially lose protections if they only report internally. That will likely increase the likelihood of them taking their concerns directly to the government and, potentially, bypassing internal channels. As a result, he argues, it is now more important than ever for compliance teams, and the organization as a whole, to underscore that even if the law does not promise protection against retaliation, the institution does. Listen in to learn more about what the decision means and what compliance teams can do to help their own internal reporting efforts.
By Adam Turteltaub email@example.com In the pre-digital age, workplace communications tended to be verbal and memo based. Then email came along, which changed everything. And, now there is an explosion of new technologies such as Slack and Microsoft Teams being deployed with the goal of increasing collaboration and productivity. Behind the change, explains Robert Cruz, Managing Director at Smarsh, is a changing workforce. Younger workers and clients have their own preferences for how they want to communicate, and the emphasis is on speed. The challenge for compliance and ethics professionals, and the businesses that they serve, is that there are not yet clear guardrails, Cruz explains in this podcast, for communication on these platforms. While some may recognize that the need for careful communication still applies, many do not. That creates substantial risk in areas ranging from protecting corporate intellectual property to harassment to privacy laws. Organizations need to spend the time, he argues, examining what the risks are and not just the potential productivity gains. In addition, they need to assess the ability to capture historical data should an incident occur and an investigator or regulator wants to access previous communications. That may be harder than it seems based on how the platform has been deployed and what content it contains: text, videos, and even emojis. Listen in to learn more about the opportunity and risks in the emerging space of collaboration platforms.
By Adam Turteltaub firstname.lastname@example.org July 12, 2019, was the date of the first SCCE Regional Compliance & Ethics Conference in Thailand. With our growing membership in Asia, the association is eager to provide more opportunities for members of the local compliance and ethics community to meet, network, and share best practices. While there I sat down to record this podcast with John Frangos, a partner and Deputy Director, Dispute Resolution at the law firm Tilleke & Gibbins. In our conversation, we cover the many compliance risks for companies doing business in the country, which has the 25th largest GDP in the world. At the top of the list of compliance risks is corruption. The country had a score of just 36 on the Transparency International 2018 Corruption Perceptions Index. Perhaps surprisingly, corruption is not limited to the public sector. Business needs to be wary of corruption in the private sector as well. A second risk, although mostly for businesses in the fishing industry, is modern slavery. This can be a particularly challenging risk area because of the length and complexity of the fish processing supply chain, he explains. To stay on top of the issue businesses need to audit their supply chain diligently. Organizations also need to be careful when they find an issue. Thailand, he warns, has very strict defamation laws. Accusing a company of wrongdoing publicly can lead to criminal prosecution if that company fights back. One key to mitigating risks in Thailand, as elsewhere, is to encourage local companies your organization works with to establish or strengthen their compliance efforts. Doing so successfully will involve convincing the local company that it will benefit their business, including the business they have with you. It can also be advantageous to remind them of the relevant Thai law that prohibits bribery.
John also suggests that compliance requirements be put into the contract, while remembering that corporate criminal liability was only introduced in Thailand in 2015. It’s a very new concept there. Listen in to learn more about the risks of doing business in Thailand and how to navigate safely around them.
By Adam Turteltaub email@example.com When thinking about South America, the first step in compliance risk management is to stop thinking about South America and start thinking about each individual country. Geert Aalbers, a Senior Partner and head of Control Risks’ Brazil and Southern Cone business, explains that the risk profiles vary considerably by country. In fact, when looking at a risk such as anticorruption, it even varies by which governmental body you are dealing with. While customs may be clean in one country, it could be a dangerous mess in the other. Adding to the complexity, the capacity to combat corruption also varies considerably by country. Corruption, of course, is not the only risk to think about. As Geert explains in this podcast, other risks include regulatory, security, social, economic, environmental and, increasingly, cyber and data-related risks. Brazil, for example, recently passed a new data protection law that is very similar in its approach to GDPR. Many may think, “no problem, already have that covered.” Geert cautions, however, that data security practices in Brazil tend to be lax, creating a potential “perfect storm” of challenges for the compliance team. Listen in to learn more about compliance risks across the continent, mistakes to avoid, and how to strengthen your compliance efforts from Argentina to Uruguay.
By Adam Turteltaub firstname.lastname@example.org Few relationships are as difficult, important, and filled with risks as those with regulators. Get them right and even a bad situation can be better. Get them wrong, and situations can quickly spiral out of control. Gabe Shawn Varges, Senior Partner in the Swiss offices of HCM and Director of Compliance Studies at the University of St. Gallen, knows the dynamic well, having served with FINMA, the Swiss financial markets regulator. In this podcast, he provides his advice for ensuring your relationship with regulators starts on the right foot and stays on the right front. Among his pieces of advice:
* Avoid overly legal thinking and taking an adversarial approach
* Invest in the relationship and build trust before issues arise
* Appreciate that regulators are human, and trying to juggle multiple responsibilities
* Stay tough on the problem but not on people
Listen in to learn more and, hopefully, pave the way for a healthier relationship with your regulators.
By Adam Turteltaub email@example.com Joseph Agins, Compliance Officer for Sam Houston State University in Texas, isn’t a big fan of sitting behind the desk. Instead he believes in what he calls “compliance by wandering around.” As he explains in the podcast, that doesn’t mean roaming the halls endlessly. It’s much more strategic than that. It includes meeting with employees, compliance partners and management so that the compliance team has a better idea of what people are doing, while at the same time providing an opportunity to demonstrate the value proposition of compliance. It is also an opportunity to break down barriers and truly listen to people, understand what they do, provide assistance and get better results, including making the workforce more comfortable about bringing issues to compliance. Likewise, it’s easier to hear about problems when you are out and about. Listen in to learn more about how to wander purposefully.
By Adam Turteltaub firstname.lastname@example.org The European General Data Protection Regulation (GDPR) has kept compliance officers busy for the last few years, and has kept consumers clicking “I Accept” more than they ever imagined. For those thinking the wave of work is over, it’s time to think again. The California Consumer Privacy Act (CCPA) is due to go into effect on January 1, 2020 with enforcement beginning July 1. As Teresa Troester-Falk, Chief Global Privacy Strategist for Nymity, explains, the law applies to more than businesses based in California. It affects any business that processes data of California residents and has either $25 million or more in revenues, shares or sells data for commercial purposes on 50,000 or more California residents or gains 50% or more of its revenues from selling consumer information. That’s a low enough threshold to affect a sizable portion of the business community. The good news is that any business that has already worked to meet the GDPR’s mandates has gone a long way to matching the requirements of the CCPA. The law focuses, she explains, on the obligations to protect consumer rights. But, it breaks new ground by giving consumers the right not to have their data sold to third parties. In addition, if a consumer requests that an organization delete information it has on him or her, that organization must also pass that request down to third parties that it has provided data to. Moreover, California is not alone. Several other states have laws in various stages of the legislative process. As a result, businesses must be prepared for future regulations that will affect how they handle consumer data. Listen in to learn more about the CCPA’s requirements, and what organizations need to do to meet them.
By Adam Turteltaub email@example.com The French Commission Nationale de l’Informatique et des Libertés, better known as CNIL, is one of the foremost authorities in Europe and globally when it comes to the protection of individual data. With the implementation of GDPR, the stakes have been raised and more companies will find themselves under the microscope of CNIL and other data regulators. Noémie Lichon, the Head of Sanctions and Litigation at CNIL, sat down for a podcast in which she discussed CNIL’s mission, activities, expectations and common problems that affect organizations that hold consumer data. As she explains, the mission of CNIL is to ensure that data privacy law is applied to the collection, use, and storage of personal data. CNIL informs individuals of their rights under the laws of France and GDPR. In addition, it provides guidance to businesses and other organizations on how to ensure that they comply with data laws. It can also levy penalties, including in January 2019 a €50 million fine of Google. Take the time to listen in as she shares:
* Data on complaints, investigations, and sanctions
* Common problems that lead to security breaches
* The importance of compliance to security practices
* GDPR expectations for response times from data controllers
* The Google case
* CNIL’s key priorities for the immediate future
Also, be sure to take advantage of the resources she refers to in her podcast, all available on the CNIL website:
* Guide: Security of Personal Data
* Guidelines on Transparency
* Guidelines on Consent
* Presentation of the 2018 Activity Report and 2019 Issues of the French Data Protection Authority
By Adam Turteltaub firstname.lastname@example.org May 2, 2019 saw the release by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) of a watershed document: A Framework for OFAC Compliance Commitments. As Gibson & Dunn partner Judith Alison Lee explains in this podcast, this is the first time that OFAC has issued guidance for compliance programs. With its publication, organizations with OFAC compliance programs will find a valuable new resource, and those without a program will have a harder time explaining to the Treasury why they should still receive a reduction in their fines. The contents of the new OFAC guidance should not be surprising to anyone familiar with sanctions compliance, Ms. Lee explains. OFAC expects companies to be able to demonstrate senior management commitment to compliance, a risk assessment, risk-based approach, internal controls and training of employees. The real challenge will be, as with other compliance efforts, having the controls integrated into business processes. One business process that OFAC will be paying particular attention to: the onboarding of new customers. Businesses are expected to do what it takes to identify the customers’ owners and see if they are listed as a designated party or entity. That’s much more granular than the typical FCPA third-party screening. Listen in to this podcast to learn more about what OFAC has to say about compliance programs.
By Adam Turteltaub email@example.com Few corporate scandals begin in isolation with one person perpetrating a crime that absolutely no one else in the entire organization knew anything about. More often, people saw something and feared speaking up. For Josh Toas, Vice President of Compliance and Chief Compliance Officer for the Research Foundation for the State University of New York (SUNY), compliance is about more than the compliance team being willing to say “no” when it sees something wrong. It’s about the entire organization feeling just as empowered. The challenge, he reports, is that it is too easy for people to hold their tongue. Employees either don’t know how to frame the conversation, fear retribution, wait until a decision has already been made, or until they are angry. Many also feel it just isn’t worth it. They want to just get along or believe that they are not paid enough to take the risks inherent in saying no to people in power. To meet this challenge Josh offers several pieces of advice for the compliance team and the workforce as a whole. These include avoiding confrontations when already angry, not sweating the small stuff, and helping people realize that everyone makes mistakes. Listen in to learn more about how to handle confrontations professionally, and how to teach your workforce to do so as well.
By Adam Turteltaub firstname.lastname@example.org Helplines are ubiquitous these days, but do they help? Recent research co-authored by Kyle Welch, an Assistant Professor of Accountancy at George Washington University’s business school, is very promising. As he explains in this podcast, his research, which used data from helpline provider NAVEX Global, found that firms that have active helplines generally have higher quality corporate governance and earnings reports. Some may find this counterintuitive, thinking that more calls are a sign of trouble. Instead, his research revealed, it is more probably a sign of a healthy work environment and business. Listen in to hear more of his data, and to help make the business case for investing in compliance and ethics. Also, be sure to download a copy of his research.
By Adam Turteltaub email@example.com The world has grown enamored with Big Data and the promise of Artificial Intelligence (AI). As the next big thing, many believe that it will be transformative for business, and even medicine, exposing patterns that humans miss, and enabling far better decision making. But over the last few months, there has been a shift in the discussion as cases of less than compliant and not exactly ethical decisions were being made by the algorithms behind AI, reports Deborah Adleman, a Director with Ernst & Young LLP where she is the US and America’s Data Protection Leader and an executive within the Office of Ethics and Compliance and Risk Management. In this podcast she reports that in at least one case gender bias started to emerge, and people from certain ethnic backgrounds were being precluded from hiring due to zip code-based decision making. This should set off alarm bells for compliance and ethics teams. To help manage the risk, she recommends not blindly trusting the AI. Compliance teams should take the time to consider four areas that are important for generating trust in the AI solution:
* Ethics: Does the solution agree with the values, mission and code of the organization?
* Social Responsibility: Does it have potentially negative social implications?
* Accountability: Is there clarity as to how the AI operates and the decisions it is supporting?
* Reliability: Has it been tested rigorously?
Even before that, she advises compliance professionals to invest the time in understanding AI and the emerging rules: both the European Commission and OECD have already issued AI principles. Listen in to raise your own intelligence level about Artificial Intelligence.
By Adam Turteltaub firstname.lastname@example.org Walk around most corporate compliance conferences and you’ll see people from virtually every industry, save one: financial services. Banks and the entire securities industry are largely absent, and yet, they have very extensive compliance programs. Don Griffith, who is Head of Financial Crimes & Fraud Prevention Compliance for MassMutual, has unique insight into this issue. He has worked in private practice, corporate compliance, financial services compliance and at the Securities & Exchange Commission. As he explains in this podcast, the two compliance worlds have a very different perspective. While corporate compliance tends to begin with a very broad view, starting from the approach outlined in the US Federal Sentencing Guidelines, financial services compliance programs were built to meet the need to comply with very specific regulations and securities law. While these approaches are very different, there is much that each side can learn from the other, Don believes. The financial services practice of digging down into business products and processes, for example, can be very instructive for corporate compliance efforts. Likewise, the focus on ethics and the big picture issues in corporate compliance programs can provide lessons for financial services. Listen in to learn more about how both financial service compliance professionals and corporate compliance professionals could benefit from each other’s expertise.
By Adam Turteltaub email@example.com You’ve just been offered a new job, or you’ve just offered a candidate a new position on your team. Then the job seeker would like to negotiate on salary. If it goes right, everyone is happy. If it goes wrong, the hire may not be made, or the relationship could get off on a very wrong foot. Steve Harrison, a partner at compliance executive search firm Conselium, reports that one of the greatest myths when it comes to hiring is that it is necessary to negotiate salary in the first place. While many believe that it is expected, that’s not true. In fact, it is perfectly acceptable and not a sign of some deficiency for a candidate to say yes to the offer, consider it a win and move on. Sometimes, though, there is a need for some back and forth on salary, vacation time or other benefits. In those cases, he advises in this podcast, it should never be done emotionally. It’s important for both sides to recognize that this is a business conversation. Have facts to back up your case and both sides should have a “yes” number and a “no” number in mind. Another myth: that the candidate should disclose his or her current salary. In some jurisdictions that may not be required, but wherever the conversation takes place it is very helpful for there to be clarity on the candidate’s side of what his or her expectations are. If that conversation doesn’t take place early enough, a great interviewing process may all be for naught. Another way for hiring to go awry: the hiring manager hands off the negotiation and final details to HR or some other part of the organization to handle. It’s critical to stay involved so that whoever is handling things for the company understands why the person was recruited and the value that they can bring to the organization. Whether you are looking for a new job or looking to hire, listen in to learn more about how you can make the hiring process much easier, and less likely to go awry.