Ashley: My name is Ashley Csaki, Director of Content and Experience at Momentum and it is my great pleasure to introduce David Stuart. David is a partner in Cravath’s Investigations and White Collar Criminal Defense Group. He focuses on government and internal investigations and matters related to regulatory enforcement, litigation and compliance, including financial reporting and disclosure, improper payments, insider trading, market manipulation, whistleblower claims and corporate governance. Welcome David.
David: Thank you, Ashley – a pleasure to be here.
Ashley: So David, having worked at the SEC, GE and now Cravath you have seen anti-corruption from all angles. What not-so-obvious trouble spots have you found lurking in compliance programs and what are some of the unexpected pitfalls compliance officers need to watch out for?
David: Well, I think that compliance programs may be in trouble when they aren’t regularly reexamining risk, and when they’re operating as though the past will be the same as the future. A compliance program really has to have a process set up to interact with all information sources and all functions in a disciplined and deliberate way in order to anticipate risk and implement controls to address that risk. So, I regularly see issues arising in government investigations – whether it’s an FCPA case, an accounting case, or even a case involving an obscure regulatory requirement – that could have been spotted by the organization before the government investigation began – and could have been rectified before it began. So, in my view, compliance officers need to view their role as integral to the risk management function of the organization – they need to be constantly communicating with all business and support functions about where compliance and regulatory risk is lurking in places that were never anticipated. Let me give you an example – all compliance functions understand that risks associated with the human resources organization typically include things like discriminatory hiring practices but, before the New York Times covered the investigations that had been initiated by the SEC and DoJ that were related to whether hiring practices might pose FCPA risks, how many compliance officers really understood that? I bet it wasn’t many, if any. So my point is that compliance isn’t a support function – it’s really integral to risk management, and the compliance officer needs to have in place a disciplined process for identifying what I would call “unanticipated risk”.
Ashley: During your roundtable, you will be discussing books and records violations. In your experience, what do you believe to be one of the top red flags for enforcement?
David: I would say one of the top red flags is repeated failure; if an organization is identifying repeated books and records deficiencies, that will be the most significant red flag for a regulator. Government regulators (in my experience) will accept a one-time finding of a deficiency if the organization implements a fix and returns to assess whether that fix is actually working. If no fix is implemented upon finding errors or incomplete entries in the books or records, or if that fix is implemented but it doesn’t really rectify the problem and there’s no attempt to modify the fix or the controls so that they work better, that will be a big problem and a red flag for enforcement.
Ashley: Properly maintaining books and records involves cooperation from various departments- what steps can compliance officers take to promote a culture of compliance?
David: I think compliance officers really need to position themselves as risk managers, rather than as what I would call “internal affairs”. Often the business people don’t want to have anything to do with the compliance officer or his or her organization, because they view the compliance function as an internal investigator that’s going to get in the way of their appropriate role, which is to increase profits for the enterprise. If a compliance officer projects his or her role in the organization as one of risk mitigation (like an insurance policy), it’s more likely to be accepted and welcomed. And that’s the way I think that an organization and a compliance officer can promote a culture of compliance – communicate in a way that convinces business people that a sound program and culture, that has process for mitigating compliance risk, will always be better for the business – it will reduce costs for the organization; and it will promote longevity and sustainability and will promote profit in the long run.
Ashley: Alright, as the SEC and DoJ have made it clear that anti-corruption enforcement will remain a high priority for 2015, what advice do you have for those companies looking to update or assess their compliance programs?
David: Look in the places that you haven’t previously perceived there to be FCPA risk – look in the places where you haven’t looked before – even companies that never sell to governments or to state-owned entities have FCPA risks. All organizations interact with governments at some time – whether it’s in connection with paying taxes, or obtaining business licenses, or lobbying for more favorable regulation – examine those practices thoroughly and be disciplined about identifying risk and coming back to that risk assessment regularly.
Ashley: Finally you will be speaking at Momentum’s ACES Compliance Summit. Why do you think an event of this nature is important for your industry and what do you hope to gain by attending?
David: I think that a lot of times prosecutors and regulators who are devoting their lives rooting out violations and misconduct, are developing new theories for those violations. It’s not necessarily that businesses are engaging in conduct that they haven’t previously engaged in – it’s that prosecutors and regulators are developing a new perspective on old conduct; but the only way that we learn about it is by interacting with our colleagues because the government won’t typically talk about their investigations publicly. So, in my view, events like this are extremely important to understanding what’s on the horizon – how regulators and prosecutors are viewing corporate conduct, and what other organizations are doing to mitigate risk associated with that conduct – and the government’s view of that conduct. Personally, I hope and expect to come away with a few more insights into what cutting-edge theories are being pursued by prosecutors and regulators in the investigations that we haven’t heard about now.
Ashley: Excellent – well those are all the questions I have for you today, thank you so much for taking the time to speak with us and I certainly look forward to seeing you this April at Momentum’s ACES Compliance Summit in McLean, Virginia.
David: My pleasure – thank you so much and I very much look forward to it as well.