By Mark Speck
Managing Partner, Spectrum Inc
For those of you who remember or have heard the song “Mrs. Robinson” by Simon & Garfunkel, I give you these updated lyrics, “Where have you gone, corporate governance, investors turn their lonely eyes to you…whoo hoo hoo.”
Last week, the FCPA Blog reported that Dun & Bradstreet, which provides vital corporate data used for third-party due diligence, had two subsidiaries in China make unlawful payments to obtain information that its subscribers likely use to vet third parties for red flags of bribery and corruption. So now we have the providers of information used to determine red flags of corruption engaging in corruption themselves in order to obtain valuable information. Should subscribers even trust the information they receive from Dun & Bradstreet if it is related to Chinese entities?
Also, the FCPA Blog’s Thomas Fox reported that the UK’s Financial Conduct Authority appears to be going soft on Barclays’ attempt to unmask a whistleblower.
Recently, Wells Fargo agreed to pay a whopping $1 billion to settle with federal regulators in lending abuses, which consisted of mandatory insurance for customers with auto loans and excessive fees charged for customers for mortgage services. The customers are also to be refunded per this settlement.
Then I talked to an HR executive at a public high-tech company, who indicated the company didn’t even have a governance, risk management, and compliance (GRC) approach or enterprise risk management (ERM) system or organization. Dun & Bradstreet self-reported the possible FCPA violations to the SEC, but it cost them $9 million, which included $6 million in disgorgement.
Mark Zuckerberg, while testifying to Congress—in what must have seemed to him to be two grueling days—failed to indicate that Facebook had any semblance of a compliance program. Facebook may in fact have a sound compliance management function, but Zuckerberg certainly failed to represent such.
These events led me to the same question the immortal football coach Vince Lombardi was famously captured on film shouting, “What the hell’s going on out here?”
Why does global corporate leadership not get it? How can a CEO expect investment in their firm if there is a lack of self-governance, which includes programs or management systems to stop corruption and unethical behavior, such as conflicts of interest, money laundering, bribery, bilking unsuspecting clients, and other forms of fraud or financial impropriety?
And does regulation matter? Look at FCPA settlements, export controls, economic sanctions, and Consumer Financial Protection Bureau settlements issued to the likes of Wells Fargo, Siemens, Lloyds Bank, BAE Systems, Alstom, Teva, ZTE, Weatherford, and Schlumberger. The regulations alone did not keep these successful public companies from massive fines and penalties.
Now enter the General Data Protection Regulation, which adds a few new wrinkles for those companies signed up through the Department of Commerce’s Privacy Shield, including the requirement of a singular opt-in by the data subject for purposes of processing personal data.
Google, which likely tracks and stores every search made, saw its stock drop 4% despite an earnings beat, which may be in part because of the fears it too will have a data scandal of Facebook proportions.
With so much at stake in fines and penalties, investor value, and brand reputation, you would think that companies would employ a “three lines of defense” model for GRC or ERM, in which the second line is an independent group that works with the business on identifying and mitigating risk in the organization. Google “three lines of defense for business” or the like, and you will see that the Big Four (EY, Deloitte, KPMG, and PwC) are all proponents of this approach to corporate governance. Most US public companies have had such a function since the Sarbanes-Oxley (SOX) law became official in 2003. But apparently, some do not, which is surprising given the rigors of SOX documentation, management’s need for risk management support, and the organization’s need for the internal watchdogging that leads to compliance.
Since compliance is a risk management endeavor aimed at a specific set of objectives that are either required by regulations or company-mandated per the organization’s governance structure, it has a vital role in that second line of defense. Chief compliance officers should have a seat at the C-suite table and be part of leadership and strategic business decision making. When developing new products, updating existing products, entering new markets, engaging in joint ventures, and evaluating mergers and acquisitions, the chief compliance officer needs to be at that table to properly assess compliance risk. Why wait until the C-suite is committed to a decision before having compliance review it, which will likely be perceived as raining on a parade? A compliance officer should be in the corner office and the boardroom as ideas are being formulated, in case plans need to be tempered due to ethics and regulatory risk. Remember that whereas counsel may advise what can be done, compliance officers advise what should be done or not done.
One wonders how often relationships with rainmakers who end up acting as intermediaries for bribes could have been properly vetted had the compliance group known of the pending relationship because it was in the room when the decision was made to improve the company’s sales presence in an emerging market. Take Japan-based Panasonic, which, it was announced on April 30th, will pay $143M to resolve FCPA and fraud violations in which its avionics subsidiary retained an official at $875K for a position that required minimal work, in exchange for influence that won the company a deal valued at over $700M.
It’s not guaranteed that a compliance officer in the corner office would have prevented this mess for Panasonic Avionics Corp., but certainly, it might have made the deed more challenging and, perhaps, sent a message that might have deterred this behavior altogether.
Wouldn’t Zuckerberg have looked better had he been briefed by a chief compliance officer who would have undoubtedly informed Zuckerberg that a continuous third-party due diligence program was in place or in the works?
As most know, certainly, even a robust compliance program is not going to guarantee that no misdeeds will ever take place again, but a robust program with full board and CEO support—which includes regular board appearances for the chief compliance officer and a seat at the C-suite table—will go a long way to reducing regulatory and other corruption risk, along with making CEOs look good if they end up on the congressional hot seat. And the visibility to emerging markets may just prevent anti-bribery and fraud information service providers from engaging in the very activity they purport to prevent.