Corruption Crime & Compliance

Michael Volkov
Oct 9, 2023 • 12min

Catching Up with California and State Data Privacy Laws

California's data privacy regulations, primarily embodied in the California Consumer Privacy Act (CCPA) and its extension through the California Privacy Rights Act (CPRA), constitute a pioneering and influential framework. These regulations, effective from 2018 and further strengthened in 2020, set a standard for data protection not only within the state but also across the national and global economy. In this episode of Corruption, Crime and Compliance, Michael Volkov explores the nuances of the CCPA and CPRA, and the evolving data privacy landscape.

You’ll hear Michael talk about:

The lack of a federal data privacy law in the United States has led to a complex patchwork of state laws. Businesses are faced with the challenge of navigating these varied regulations, which contributes to compliance complexities.

California, through the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), is a leader in data privacy regulation in the United States, with implications for both the national and global economy. The CPRA, enacted in 2020, establishes the California Privacy Protection Agency (CPPA) to enforce the law robustly.

The CPRA introduces critical changes, including: Protection of employee and business-to-business personal information, which is now subject to the same privacy protections as consumer personal information. Enhanced consumer rights, such as the right to access, delete, and correct their personal information, and the right to opt out of the sale of their personal information.

Companies are now obligated to implement reasonable security precautions and undergo annual cybersecurity audits and risk assessments.

In addition to California, other states such as Virginia, Colorado, Utah, Iowa, and Connecticut have also enacted data privacy laws that echo the GDPR. Businesses must stay up-to-date on evolving compliance requirements and adapt their systems accordingly.

Compliance issues comprise risk assessments, impact assessments, adherence to data breach requirements, and compliance with notification standards. Companies are developing systems based on the most stringent set of laws to guarantee compliance.

KEY QUOTES

“We have a patchwork of laws that apply in the United States. Unfortunately, we continue to suffer from the absence of a federal data privacy and breach notification law. Congress has tried for years to broker a deal here, but it has never been able to overcome strong lobbying forces. Whether it's high tech trial lawyers, law enforcement, or other gadflies, the public continues to suffer.” - Michael Volkov

“Many commentators have suggested that California's data privacy laws and regulations are starting to look closer and closer to the EU's GDPR regime.” - Michael Volkov

“To me, we're getting into a more strict regulation. We already have, under the California Consumer Privacy Act, a requirement to have on your website: an ‘opt out’ in terms of any information that you may provide to a website, that it can't be used by the entity for sharing or selling or whatever consumer products purposes. So keep tabs on the California events.” - Michael Volkov

Resources

Michael Volkov on LinkedIn | Twitter
The Volkov Law Group
Oct 2, 2023 • 11min

3M's SEC FCPA Settlement

3M’s recent $6 million settlement with the SEC for violating the FCPA serves as a stark reminder of the risks global companies face in today's economy and underscores the crucial role of ethics and compliance programs. In this episode of Corruption, Crime and Compliance, Michael Volkov sheds light on the unethical conduct that led to legal repercussions and offers valuable insights into compliance, bribery mitigation, and the importance of tight control over official visits.

You’ll hear Michael talk about:

3M Corporation, a global company, was found to have made improper payments to Chinese healthcare officials employed by state-owned enterprises. These payments were disguised as expenses for attending overseas conferences and educational events.

The scheme involved deceptive tactics where 3M presented these events as educational, but in reality, they included tourism and entertainment activities. This included creating fake agendas and hidden tourism components.

Employees at 3M's China operations colluded with travel agencies to set up alternative itineraries that combined tourism activities with the purported educational events. Chinese officials either did not attend the educational events or missed significant portions of them. 3M China employees tracked the impact of these events on the company's sales. The costs of these trips were improperly recorded as legitimate business expenses, resulting in 3M benefiting by at least $3.5 million in increased sales.

In the aftermath of this ethical breach, 3M took crucial steps towards remediation through self-reporting, cooperation with the investigation, and taking disciplinary actions such as terminating employees involved, severing relationships with travel agencies, and enhancing controls over cross-border fund transfers.

KEY QUOTES

“But 3M made payments to Chinese healthcare officials from state-owned enterprises or hospitals or healthcare delivery systems to attend overseas conferences, educational events, and healthcare facility visits. And these were paid for presumably as permissible educational events, but they actually were pretexts to provide overseas travel, sightseeing, and entertainment or tourism activities.” - Michael Volkov

“3M employees accompanied the Chinese officials on the tourism activities, and the tourism activities included guided tours, shopping visits, day trips to nearby sites, and other leisure activities.” - Michael Volkov

“This case also reminds me of a case several years ago called Johnson Controls, where the local China operation was able to secure funding and engaged in a sort of collusion process by which they sought funds and expenditures for less than $5,000. And they did that because it didn't require corporate approval above just the local level.” - Michael Volkov

Resources

Michael Volkov on LinkedIn | Twitter
The Volkov Law Group
Sep 25, 2023 • 31min

Interview of Mary Shirley on Her New Book -- Living Your Best Compliance Life

CEOs play a pivotal role in shaping an organization's commitment to ethical practices. Involving CEOs in compliance training, having them share their experiences, and demonstrating a personal commitment to compliance initiatives sets a strong tone from the top. This engagement fosters a culture of ethics and compliance throughout the organization, reinforcing the importance of ethical conduct at all levels.

Mary Shirley is a highly regarded authority in the field of ethics, compliance, and corporate governance. She is widely recognized for her expertise in helping organizations navigate the complex landscape of compliance, mitigate risks, and promote ethical practices. With a wealth of experience and insights, Mary Shirley has become a sought-after thought leader, speaker, and author. Her book, Living Your Best Compliance Life: 65 Hacks and Cheat Codes to Level Up Your Ethics and Compliance Program, has earned acclaim for bridging gaps in existing literature on compliance programs.

You’ll hear Michael and Mary discuss:

Organizations can promote ethics and compliance by recognizing and rewarding individuals or teams who exhibit ethical behaviors. This creates a positive atmosphere throughout the company, as employees are more likely to behave ethically if they see that it is valued and rewarded. Additionally, recognizing and rewarding ethical behavior can help to set a good example for other employees and encourage them to behave ethically as well.

Engaging leaders from different regions and departments in compliance training programs ensures diverse perspectives and reinforces the importance of compliance at all levels. Leaders from different regions and departments will have different experiences and understanding of compliance issues. By engaging them in training programs, organizations can gain a more holistic view of compliance risks and how to mitigate them.

Practical solutions and problem-solving are essential for compliance initiatives. For example, shortening documentation requirements or providing training for HR on investigation best practices can be effective solutions. These solutions can help to reduce the burden of compliance on employees and make it easier for businesses to comply with regulations.

One of the critical elements Mary discusses is the significance of building strong relationships within the company. Collaboration and idea implementation are key to success in the compliance world.

Collaboration between legal, compliance, and HR teams, along with training for HR on investigation best practices, helps streamline compliance efforts.

CEOs play a critical role in setting the tone for compliance within an organization. They are the ones who set the example for their employees, and their actions and words can have a significant impact on whether or not employees comply with regulations. When CEOs are involved in compliance training, it demonstrates that they are committed to ethical practices and that they take compliance seriously.

Mary recommends forming task forces to validate compliance ideas at an early stage, fostering a culture of innovation and problem-solving.

Encouraging employees to share personal anecdotes related to compliance principles humanizes the process and fosters a culture of ethical work. When employees feel like they can share their own experiences with compliance, it helps them to understand the principles on a deeper level. It also helps to create a sense of community and belonging, as employees see that they are not alone in their commitment to ethical behavior.

KEY QUOTE

“One of the things that I learned way later that I wish I had was that when you involve people in the conceptualizing aspect [of] building a compliance initiative… and they feel [like they are] part of it… you’re in a much better position to get buy-in when you [implement].” - Mary Shirley

Resources

Mary Shirley on LinkedIn
Order Mary’s new book: Living Your Best Compliance Life
Sep 18, 2023 • 11min

Corficolombiana DOJ and SEC FCPA Settlements

When operations span across borders, navigating local regulations and ethical standards becomes even more crucial. As evidenced by Corficolombiana's case, neglecting these measures can lead to hefty legal ramifications and significant economic repercussions. In this episode of Corruption, Crime and Compliance, Michael Volkov unravels the Corficolombiana and Grupo Aval scandal, shedding light on the importance of implementing and maintaining robust ethics and compliance programs for global companies.

You’ll hear Michael talk about:

Corfico is a subsidiary of the Colombian financial behemoth, Grupo Aval. The two entities agreed to substantial settlements with both the DOJ and SEC, stemming from allegations of a bribery scheme in Colombia. It emerged that Corfico had conspired with Odebrecht, a Brazilian construction firm, to pay around $23 million in bribes to influential Colombian government officials to clinch the project. The DOJ's settlement with Odebrecht throws more light on the matter.

Corfico's forthcoming cooperation with both DOJ and Colombian authorities demonstrated their intent to amend their ways.

Corfico embarked on extensive remedial measures, which the DOJ acknowledged and appreciated. This included a comprehensive root cause analysis and subsequent enhancements to their corporate governance and controls. Corfico also revamped its compliance program, introducing improved reporting, investigation, and disciplinary procedures and revisited its anti-corruption compliance program.

The DOJ extended a 30% fine reduction to Corfico, a significant reprieve. What stood out, however, was the decision against appointing an independent compliance monitor in this case.

Such international scandals accentuate the risks that large projects in foreign lands pose. Drawing parallels with the ABB case, it’s clear that ethics and compliance are non-negotiables for global firms.

KEY QUOTES

“The DOJ credited Corfico's cooperation, citing its production of facts obtained through the company's internal investigation, making numerous detailed factual presentations that distilled certain key factual information producing documents that the government may not have been able to get access to because of foreign data privacy laws providing sworn testimony from Colombia.” - Michael Volkov

“Corfico promptly engaged in extensive remedial measures, including, among other things, conducting a root cause analysis of the bribery scheme identified during the internal investigation. Promptly took the actions to enhance its corporate governance and controls and joint venture entities as well as improved its oversight of noncontrolled joint ventures and investments, overhauled its compliance program… As a result of this, the DOJ awarded Corfico a 30% reduction off the bottom of the applicable guidelines fine range.” - Michael Volkov

“It's always good to look at the underlying conduct, and imagine: If you're working in a company, with your compliance program, would you have been able to detect this? How would your compliance program have prevented this from occurring?” - Michael Volkov

Resources

Michael Volkov on LinkedIn | Twitter
The Volkov Law Group
Sep 11, 2023 • 14min

Justice, Commerce and Treasury Departments Issue Comprehensive Tri-Party Voluntary Disclosure Guidelines for Sanctions and Export Control Violations

A proactive approach to sanctions and export control compliance is crucial for companies. The DOJ, Commerce Department, and Treasury Department issued guidelines on voluntary disclosure for violations. The landscape of sanctions enforcement is evolving rapidly, with designated prosecutors. The Joint Criminal Enterprise (JCE) Guidance provides a detailed guideline for voluntary disclosures. The importance of voluntary disclosures for reducing civil penalties and of effective compliance programs is highlighted.
Sep 4, 2023 • 13min

SEC Adopts Robust New Cybersecurity Disclosure Rules

The podcast discusses the SEC's adoption of new cybersecurity disclosure rules that require public companies to disclose incidents and governance policies. Noteworthy changes include filing Form 8-K within four days of determining materiality and comprehensive cybersecurity risk management in annual Form 10-K filings. The rules also mandate disclosure of board committees responsible for oversight and monitoring processes. Implementation and potential appeals of these rules are considered.
Aug 28, 2023 • 13min

Board Oversight and Monitoring of AI Risks

As companies rapidly adopt artificial intelligence (AI), it becomes paramount to have robust governance frameworks in place. Not only can AI bring about vast business benefits, but it also carries significant risks—such as spreading disinformation, racial discrimination, and potential privacy invasions. In this episode of Corruption, Crime and Compliance, Michael Volkov dives deep into the urgent need for corporate boards to monitor, address, and incorporate AI into their compliance programs, and the many facets that this entails.

You’ll hear Michael talk about:

AI is spreading like wildfire across industries, and with it comes a whole new set of risks. Many boards don’t fully understand these risks. It's important to make sure that boards are educated about the potential and pitfalls of AI, and that they actively oversee the risks. This includes understanding their obligations under Caremark, which requires them to exercise diligent oversight and monitoring.

AI is a tantalizing prospect for businesses: faster, more accurate processes that can revolutionize operations. But with great power comes great responsibility. AI also comes with risks, like disinformation, bias, privacy invasion, and even mass layoffs. It's a delicate balancing act that businesses need to get right.

Companies can't just use AI, they have to be ready for it. That means adjusting their compliance policies and procedures to their specific AI risk profile, actively identifying and assessing those risks, and staying up-to-date on potential regulatory changes related to AI. As AI grows, the need for strong risk mitigation strategies before implementation becomes even more important.

The Caremark framework requires corporate boards to ensure that their companies comply with AI regulations. Recent cases, such as the Boeing safety oversight, demonstrate the severity of the consequences when boards fail to fulfill their responsibilities. As a result, boards must be proactive: ensure that board members have the technical expertise necessary, brief them on AI deployments, designate senior executives to be responsible for AI compliance, and ensure that there are clear channels for individuals to report issues.

KEY QUOTES

“Board members usually ask the Chief Information Security Officer or whoever is responsible for technology [at board meetings], ‘Are we doing okay?’ They don't want to hear or get into all of the details, and then they move on. That model has got to change.”

“In this uncertain environment, stakeholders are quickly discovering the real and significant risks generated by artificial intelligence, and companies have to develop risk mitigation strategies before implementing artificial intelligence tools and solutions.”

“Board members should be briefed on existing and planned artificial intelligence deployments to support the company's business and or support functions. In other words, they've got to be notified, brought along that this is going to be a new tool that we're using, ‘Here are the risks, here are the mitigation techniques.’”

Resources:

Michael Volkov on LinkedIn | Twitter
The Volkov Law Group
Aug 21, 2023 • 27min

Matt Stankiewicz on Ripple Decision and Indictment Against Celsius Networks’ CEO

According to critics, there are a lot of gray areas surrounding compliance and the SEC's position on cryptocurrency regulations. Such uncertainty poses challenges for legitimate crypto projects and creates room for fraudulent activities to thrive. Such is the case for Ripple and Celsius, two recent controversies making waves in the crypto world.

Matt Stankiewicz is a Managing Counsel at The Volkov Law Group. His expertise includes financial regulation and compliance, with a focus on securities, anti-money laundering (AML), and cryptocurrency regulation. Given his professional background and interest in crypto regulations, he is a frequent speaker on legal matters concerning cryptocurrency exchanges and the SEC.

You’ll hear Michael and Matt discuss:

The SEC faces criticism for its unclear stance on cryptocurrency regulations. Such uncertainty poses challenges for legitimate crypto projects and creates room for fraudulent activities to thrive.

The Ripple case offers a complex view into how cryptocurrencies are perceived legally. While some sales of XRP tokens were considered securities, others weren't, a distinction that has sent ripples through the crypto world. The case's broader implications, especially with the SEC's decision being appealed, hold immense importance for other companies in similar situations.

Bad actors can exploit innovative technologies and make things worse for everyone else. With the CEO and CRO of Celsius charged with fraud and numerous questionable practices coming to light, the importance of stringent regulations and monitoring becomes abundantly clear. Strong compliance programs serve as bulwarks against fraudsters and those under sanctions, ultimately safeguarding both the platform and its users. However, regulating an asset as novel and dynamic as cryptocurrency is no easy feat. Critics claim the SEC's approach leans more toward enforcement than establishing clear rules.

Matt underscores the importance of erecting a sturdy compliance structure within the cryptocurrency industry. He emphasizes that such programs are not just regulatory measures but critical tools to ward off fraudsters and maintain the industry's reputation.

KEY QUOTES

“[Crypto] is a brand new asset. It’s virtually impossible to pigeonhole it to any other kind of real-world asset right now.” - Matt Stankiewicz

“Don't cripple the good projects because there’s some bad people out there.” - Matt Stankiewicz

“The SEC just says, well, ‘You should know. You’ve got to figure it out; we're not your attorneys.’ Which is fair in some regard, right? But that said, it's not helpful. The SEC needs to provide some kind of guidance here.” - Matt Stankiewicz

Resources

Matt Stankiewicz on LinkedIn
Email: mstekwitz@volkofflaw.com
Aug 14, 2023 • 18min

The Importance of a Consequence Management System

Transparency, ethics, and compliance are more than just corporate buzzwords; they're foundational to building trust in today's global organizations. Consequence management systems encompass elements like transparency, robust employee reporting, protective measures for whistleblowers, and effective internal investigations. These are all essential for maintaining organizational justice, trust, and integrity. In this episode of Corruption, Crime and Compliance, Michael Volkov underscores the value of collecting and analyzing employee reports, the pivotal role of Chief Compliance Officers, and the integration of compliance compensation with consequence management.

You’ll hear Michael talk about:

Global companies now recognize the significance of robust consequence management systems, which encompass vital processes from internal investigations to disciplinary actions. A pivotal aspect of these systems is transparency, especially when designing and implementing employee reporting.

When it comes to effective employee reporting, a system is more than just a hotline; it involves tracking and addressing concerns in real-time. To foster trust, such systems must operate promptly, fairly, and consistently, ensuring that reporters are protected against obstruction and/or retaliation.

Key components of an effective reporting system include:

Clear internal communication, which ensures employees feel heard.

Foundational support, which bolsters efficiency.

Collated reports from diverse sources, which offer insights into the company's culture and potential risks.

Transparency and consistency, as sporadic disclosure can negatively influence employees' perceptions of a company's intentions.

A CCO’s commitment is reflected when issues are investigated and addressed swiftly and justly. They play a crucial role in collecting and analyzing employee reporting data, as well as educating senior management and boards on the significance of employee reports.

Companies need to establish written protocols for internal investigations to ensure that they are conducted fairly and impartially. These protocols should outline the steps that will be taken during an investigation, as well as the rights of the employees involved. The protection of employees and whistleblowers is paramount.

An internal oversight committee should be responsible for overseeing internal investigations. Regular reviews ensure that procedures are followed consistently and that there is a focus on quality. Additionally, all investigations should be properly documented and resolved in order to maintain integrity.

Compliance and consequence management systems should work together to meet the expectations of the DOJ, promoting corporate citizenship and financial success.

KEY QUOTES

“A true employee reporting system includes reports to supervisors, walk-ins to human resources, walk-ins to legal and compliance, and an automated reporting system.” - Michael Volkov

“The real question is whether the company backs up its statement through specific actions. This cannot be accomplished through words, but really only through deeds, through actions. All too often, companies get ahead of themselves. They make these broad pronouncements. They sound good, they pat each other on the back, and they don't build the essential foundations and infrastructure needed to establish an effective employee reporting system.” - Michael Volkov

“As a basic initial requirement, every company should adopt a written internal investigation protocol that is published internally, promoted internally to demonstrate a commitment to transparency, and those protocols and procedures should be followed to the T.” - Michael Volkov

Resources:

Michael Volkov on LinkedIn | Twitter
The Volkov Law Group
Aug 7, 2023 • 15min

How to Build a Compliance Compensation System

The DOJ is advocating for increased consequences for individuals who engage in misconduct or fail to exercise proper oversight, via the implementation of compliance compensation programs that include financial penalties. Companies need to develop incentives and penalties in a balanced manner to maintain ethical performance, while ensuring the potential for accountability. A crucial aspect of enforcing these policies is the execution of robust clawback provisions as part of the executive's contract and bonus terms. These clawbacks can act as a deterrent for misconduct, and their enforceability largely depends on the clarity of their language, among other things. In this episode of Corruption, Crime and Compliance, Michael Volkov explores compliance compensation systems and their role in corporate governance in detail.

You’ll hear Michael talk about:

Clawback provisions are important rules that determine how executives' contracts and bonus terms can be enforced. Companies have a responsibility to execute robust clawback provisions to ensure accountability and deter misconduct.

Compliance programs are becoming increasingly vital to global companies as they grapple with complex legal and economic risks. These programs are crucial in reinforcing compliant behavior and promoting positive corporate citizenship.

The DOJ has emphasized the importance of compensation systems and consequence management in corporate compliance programs. Not being proactive in reviewing these systems is considered a serious mistake that requires urgent attention and correction.

DOJ's focus has expanded towards consequence management, seeking to escalate penalties for those involved in misconduct. Companies are required to implement compliance compensation programs focusing primarily on clawbacks.

Clawback policies, often limited to senior executives and specific conduct, need to be broadened in their scope and applicability. Notably, the Dodd-Frank Act mandates listed companies to have a written clawback policy for financial restatements resulting from accounting misconduct.

Compliance rewards act as a significant incentive for ethical behavior and compliance. Executives and managers who fulfill specific compliance requirements may become eligible for performance-related rewards.

Compliance compensation systems must be designed to hold individuals accountable for misconduct. Penalties, including retroactive discipline and financial penalties like clawbacks or deferred compensation systems, can be potent deterrents.

A comprehensive compliance compensation system requires careful crafting to minimize litigation and defense possibilities. It involves identifying the executives and managers to be included in the penalty system and determining the corresponding percentage penalties.

A company must balance its incentive structure, considering factors like large contingent payouts to executives and ethical performance requirements. Clarity in written policies and employment agreements fortify clawback provisions.

Collaboration between business, finance, legal, and HR is pivotal in the design and implementation of effective compliance reward and penalty systems.

KEY QUOTE:

“The DOJ wants to add to their risk calculation, and that's requiring companies to implement compliance compensation programs that include financial penalties against those actors who engage in misconduct, or supervisors that fail to rein in their underlings or conduct proper oversight to ensure compliance.” - Michael Volkov

Resources:

Michael Volkov on LinkedIn | Twitter
The Volkov Law Group
