Corporate compliance is an endlessly evolving field—so no matter how long you work in this industry, you can keep finding new insights about what “good” compliance should achieve, and examples that make you sit and think. 2019 has been no exception, so I sat down to think about the lessons I’ve learned this year. Here are the compliance lessons I learned in 2019:
1. Sanctions Compliance Is Getting More Important
Sure, the Justice Department and the Office of Foreign Assets Control (OFAC) have dribbled out a steady stream of enforcement actions for years related to sanctions issues; that’s not news.
This year, however, we also saw guidance from OFAC about how sanctions programs should work, and from the Justice Department about how it wants sanctions issues resolved. Compliance professionals can take both gestures together as a single message that regulators want to put real structure around sanctions compliance, akin to how FCPA compliance became much more structured and ingrained in the early 2010s.
OFAC’s guidance, in particular, shows that regulators have a lot to say on the subject, too. It talks about the ideal structure for a sanctions compliance program (centralized in one office), the sort of expertise sanctions compliance officers should have, and even how screening software should be configured for maximum effectiveness. It was a level of detail we typically don’t see for guidance on compliance programs.
Meanwhile, the Justice Department’s cooperation policy for sanctions and export control issues (released just this month!) shows that prosecutors want to normalize the process to resolve sanctions issues—again, just like we saw with FCPA compliance earlier this decade.
Regulators don’t take these steps unless they want a steady, consistent effort to reduce a certain type of corporate misconduct. So I’ll be curious to see where this issue goes in 2020. The compliance lesson for this past year is that sanctions compliance is not going anywhere.
2. Cybersecurity Risks Are Increasing Around Third Parties
OK, in fairness, we could have listed this lesson every year since 2010 or so—but in 2019 cybersecurity risk lurking amid your third parties really surged to the fore.
The most glaring example happened in July, when Capital One disclosed a data breach that affected at least 100 million customers. That breach happened because Capital One stored its data with Amazon Web Services (AWS), and, according to law enforcement, a disaffected former AWS employee hacked into the data as it sat on AWS servers.
More interesting to me, however, are numerous smaller ransomware attacks that have paralyzed tech service providers, who then can’t provide their services to other businesses. For example, an IT services firm in Wisconsin was shut down by a ransomware attack in November, suddenly leaving more than 100 nursing homes across the country unable to use email, access patient records, or process billing payments.
Put yourself in the nursing homes’ shoes. Think about all the tech vendors you use for daily business processes. That gives you a sense of the risk—and, frankly, of companies’ weakness in mitigating that risk.
The compliance lesson we’ve seen in 2019 is that integrating cybersecurity into third-party risk management is imperative. The lesson for 2020 and beyond will be how to do that effectively. It will require collaboration in setting risk tolerance, performing risk assessment, and mitigating weaknesses we find.
3. Anti-Corruption Enforcement Isn’t Receding
2019 was a landmark year for FCPA enforcement actions. We saw one of the largest settlements ever just a few weeks ago when Ericsson ended its long-running case by paying $1.06 billion in fines and penalties. We saw a steady stream of enforcement actions from the Securities and Exchange Commission (SEC), where the SEC imposed disgorgement and penalties over civil violations of the law even when the Justice Department had declined to bring criminal charges.
We also saw a string of prosecutions against individuals, including a conviction for Lawrence Hoskins, the British national who had claimed his limited role as an agent of Alstom placed him beyond U.S. prosecution. An appellate court ruled that his argument should be heard at trial. A jury heard it, and convicted him on 11 charges anyway.
All of this means FCPA compliance very much remains a live issue for corporate leaders. Even if the Justice Department has shifted to prosecuting individuals more than companies, that still means expectations for cooperation from companies—and the risk that those individuals might turn witness against your company. Plus the SEC has kept up its own pressure.
So that means continued training, continued attention to internal controls, continued diligence in internal investigations and care of whistleblowers. It also means that any time corporate boards or fellow executives wonder whether they could ease up attention to anti-corruption, CCOs should answer with a firm “no.”
4. Leadership Matters More Than Ever
One of the most striking corporate misconduct settlements of 2019 happened in February when the Justice Department declined to prosecute Cognizant Technologies for FCPA violations that had happened in India.
The misconduct was egregious: the company’s former president and chief legal officer—that is, two of the most senior executives in the company—had orchestrated a $2 million bribe to Indian government officials so Cognizant could build a huge campus there; and then falsified books and records to conceal the act.
Those circumstances seemed tailor-made for a criminal charge against Cognizant. The Justice Department’s own FCPA Corporate Enforcement Policy said the participation of senior executives in the misconduct is an aggravating circumstance that typically would lead to an indictment. Instead, the department didn’t prosecute at all. Why?
Because as soon as Cognizant’s board discovered the trouble, the audit committee immediately alerted prosecutors and vowed full cooperation—with no guarantee that the Justice Department wouldn’t prosecute, since this was before the FCPA Corporate Enforcement Policy was drafted. But the audit committee (peopled by a corporate auditor and a chief ethics and compliance officer, we might note) did the right thing anyway.
This case sent a wonderful message to corporate leaders: doing the right thing, even when that risks bringing pain you might not otherwise suffer, will be recognized and rewarded by the government. Let’s hope to see more examples like that in 2020 and beyond.
I hope this has given you a few compliance lessons to reflect on as you gear up for the new year. What are your 2020 compliance goals? Take a risk-based approach to due diligence? Better align your policies and training? Or maybe you are looking into new technology solutions to automate time-consuming tasks? Regardless of what your hopes are for the new year, we look forward to shaping the future of compliance with you.