Skip to content

The Integrity Agenda: Compliance news

Introducing the Foreign Extortion Prevention Act

The U.S. government begins 2024 with a new anti-corruption tool at its disposal: the Foreign Extortion Prevention Act (FEPA), which makes it a crime for foreign government officials to accept bribes from U.S. persons or companies.

Congress enacted FEPA in December. The law has been a long-time goal of anti-corruption activists, and serves as a counterpoint to the Foreign Corrupt Practices Act. Where the FCPA forbids a U.S. person or company from offering a bribe to foreign government officials, FEPA forbids those same foreign government officials from soliciting bribes.

Penalties for the foreign officials (assuming they’re ever indicted, extradited to the United States, and convicted) include up to 15 years in prison and a fine of up to $250,000 or three times the value of the bribe, whichever is greater. The Justice Department is also supposed to provide an annual report to Congress about FEPA enforcement actions that prosecutors have taken.

We don’t yet know how the U.S. Justice Department will enforce FEPA, although it’s clear that FEPA will have significant implications for corporate compliance programs. For example, since the Justice Department has long said that a company cooperating in an FCPA matter must help the department prosecute all individuals responsible for the violation — so presumably, that means help in holding the foreign government official accountable too.

It’s likely that the Justice Department will make some sort of policy pronouncement about FEPA in 2024, such as by giving a speech at a compliance conference or updating its guidelines for effective corporate compliance programs. Already, however, we can anticipate a few steps compliance officers should be prepared to take:

  • New policies, such as requiring employees to inform the compliance team any time a foreign official asks for a bribe;
  • Better third-party due diligence, such as screening customers against any database of corrupt government officials the Justice Department might publish;
  • Better risk assessments, such as using internal data about bribery requests to help the company decide whether it should keep doing business with certain foreign government officials.

Those are at least some of the early FEPA implications for corporate compliance programs. CCOs should be prepared for more as 2024 unfolds and we see how the U.S. government plans to put this law to work.

Former CCO Gets $12M in Whistleblower Case

The former chief compliance officer of a hospital system in Delaware will receive $12 million as part of a settlement that ends a long-running lawsuit the CCO filed against his company for over-charging the U.S. government.

Ronald Sherman was chief compliance officer of ChristianaCare from 2007 to 2014, when he was fired supposedly for investigating concerns that ChristianaCare was overcharging the federal government for the services of its neonatology unit. Sherman then filed a False Claims Act lawsuit against ChristianaCare in 2017. The hospital chain agreed in December to pay $47.1 million to settle the case; Sherman’s share of that sum is $12.1 million.

Compliance officers can be happy to see that Sherman has prevailed after such a long battle. That said, Sherman’s case is also a vivid reminder of the challenges that compliance professionals can face when trying to do their jobs. It imposed severe stress on both his personal and professional life, with no guarantee along the way that he’d ever see a penny of reward for his efforts. Many compliance professionals still hesitate to raise concerns about suspected compliance violations too loudly, for fear that their careers will be ruined.

Meanwhile, healthcare compliance officers should also pay attention to the specific allegations against ChristianaCare, since it might not be the only hospital system engaged in such practices.

ChristianaCare had been providing support staff (nurses, physician assistants, and the like) to a private neonatology practice delivering babies at ChristianaCare hospitals. Those neonatology specialists then billed the U.S. government full price for that staff assistance, and in exchange, recommended to their patients that they use ChristianaCare hospitals. Sherman (and, eventually, state and federal healthcare regulators) said such practices violate both the False Claims Act and the Anti-Kickback Statute.

Hospital systems across the United States engage in similar arrangements with various private medical practices: free support staff, in exchange for patient referrals. Sherman’s lawsuit is believed to be the first that resulted in a False Claims Act settlement — and now the question is whether others might pursue their own lawsuits against other hospital systems. Healthcare compliance officers, you have been warned.

Rite Aid Retreats on Facial Recognition Program

U.S. regulators have ordered a discount drugstore chain to cease using an AI-driven facial recognition technology to identify potential shoplifters, amid complaints that the program violated customers’ privacy rights.

The U.S. Federal Trade Commission ordered Rite Aid not to use the technology for at least five years. Rite Aid first adopted the technology in 2012, and then used it for years to compare customers entering its stores against a database of known shoplifters Rite Aid had compiled. If the IT system found a match, it sent an alert to employees’ cell phones to intercept the customer and typically escort that person off the premises.

The FTC, however, flagged numerous shortcomings in the technology. For example, the company lacked sufficiently strong technical controls to assure that its database used high-quality photos of shoplifters. The company also didn’t monitor the AI’s rate of false positives, where it flagged a legitimate customer as a shoplifter by mistake. The FTC also faulted Rite Aid for insufficient employee training on the system and other issues.

As a result, the FTC said, Rite Aid’s facial recognition program mistakenly flagged legitimate customers as shoplifters too often, and those people were then subject to disruption of their day, harassment, or even arrest by police.

What’s striking here is that all the FTC’s complaints against Rite Aid are about how the company managed its use of artificial intelligence — not the use of artificial intelligence per se. With the right technical controls and privacy safeguards, using artificial intelligence to monitor customers is perfectly fine.

That’s going to be the crucial issue for companies in years to come as they integrate artificial intelligence into business operations: whether the company can manage that adoption in a thoughtful way, with proper technical controls, training, and procedures to guard against the AI going haywire.

Compliance officers should very much be part of those conversations. They can explain what the company’s privacy obligations are, and encourage IT and business operations personnel to develop new policies, procedures, and other controls as necessary to keep their AI operations on the right side of compliance.

Otherwise, as the FTC demonstrates, even existing privacy law and regulation will be enough to launch an enforcement action.

SpaceX Hit by Whistleblower Retaliation Claims

SpaceX, the rocket company owned and run by Elon Musk, wrongly fired eight employees in 2022 for writing a letter critical of Musk’s leadership, according to U.S. labor regulators.

The National Labor Relations Board issued its complaint about the SpaceX employees in early January. The complaint will now go before an administrative law judge who will determine whether the case has merit and what monetary penalties or other damages (if any) might be warranted. SpaceX has denied the allegations in the complaint and responded by filing a lawsuit arguing that the NLRB itself is unconstitutional.

The complaint against SpaceX arises from a letter that several employees wrote and circulated in June 2022. The letter complained about numerous statements Musk had made on Twitter, including statements where he joked about sexual harassment allegations filed by a former SpaceX employee. (The company paid $250,000 to the former employee in 2018.)

The employees’ letter said Musk’s comments were “a frequent source of distraction and embarrassment for us” and urged SpaceX management to enforce “clear repercussions for all unacceptable behavior, whether from the C.E.O. or an employee starting their first day.” Within several days the letter’s two principal authors were fired; six more were fired several weeks later.

This is only the latest whistleblower retaliation headache for Musk and the companies he owns. Former employees at Tesla have also accused Musk of turning against them when they raised safety concerns; as have former employees of Twitter, who say previous owners and Musk have both turned a blind eye to privacy and security weaknesses.

Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.

Implement a tailored Third-Party Risk Management solution