
    Cybersecurity and Compliance: The Growing Partnership of CISOs and CCOs

    July 24, 2023

    About this Episode

    In today’s world, data is the new gold, and protecting it has become imperative for businesses worldwide. On this week's episode of Corruption, Crime and Compliance, Michael Volkov navigates the cybersecurity landscape, unpacking the key threats haunting businesses and the elements of a robust cybersecurity compliance program. He underscores the importance of proactively managing these digital threats to ensure your business remains protected.


    You’ll hear him discuss:

    • The growing partnership between compliance and cybersecurity is a rapidly emerging issue in compliance, affecting companies and their risk management strategies. Cyber threats are not only external but also internal, resulting from employee behavior and cybersecurity hygiene.
    • Chief Information Security Officers (CISOs) are increasingly collaborating with Chief Compliance Officers (CCOs), leveraging the latter's expertise in governance, risk management, and training. This collaboration enables better education and training for employees on cybersecurity risks and the importance of good cybersecurity hygiene.
    • Approximately 50% of cyber or data breaches are the result of internal actors, either intentionally or through negligence. Thus, CCOs can play a crucial role in designing controls, conducting training, and monitoring employee behavior to mitigate such risks.
    • Major cybersecurity risks today include ransomware, cloud security, work from home security, phishing schemes, supply chain security, and identity and access management (IAM). 
    • The rise of cyber threats: The digital landscape is rife with cybersecurity threats, including insider threats, DoS and DDoS attacks, AI and machine learning attacks, and cyber espionage.
    • Organizations need to be vigilant against disgruntled employees with access privileges who could intentionally or unintentionally harm systems. This emphasizes the need for robust access controls, regular monitoring, and comprehensive employee training.
    • While AI and machine learning can enhance cyber defenses, they can also be weaponized by cybercriminals to automate and scale their attacks. 
    • A robust cybersecurity compliance program is necessary to protect a company's IT infrastructure and includes:
        • Application Security: Familiarity with cloud security policies and the implementation of multifactor controls and administration privileges can help strengthen application security.
        • Information Security: Companies must adhere to strict security standards and employ encryption among other strategies to protect data from possible breaches.
        • Disaster Recovery Planning: This requires implementing backup and recovery systems, incident response drills, and endpoint protections.
        • Network Security: Most companies use firewalls to monitor traffic for cyber threats and attacks. Companies must also secure their wireless networks and ensure that remote connections are encrypted.
        • End User Security: Since hackers often gain unauthorized access through endpoints, companies must ensure that devices are updated with security programs and antivirus applications.
        • Operational Security: This involves identifying any potential vulnerabilities that could be exploited by a hacker.
    • Given the prevalence of phishing attacks and insider threats, cyber training for employees is of paramount importance for an organization's cybersecurity.


    KEY QUOTE:


    “In the end, cybersecurity fails when there's a lack of adequate controls and security readiness, and companies have to make smart strategic decisions when developing their controls and cybersecurity protections; and always focus on the human element, common mistakes, effectiveness of controls and vulnerabilities to hacker strategies to exploit any weaknesses.” - Michael Volkov


    Resources

    Michael Volkov on LinkedIn | Twitter

    The Volkov Law Group


    Recent Episodes from Corruption Crime & Compliance

    Eddie Green, CEO of SnippetSentry, on Communications Preservation Risks


    Companies have a vested interest in preserving internal communications for a variety of reasons -- to hold actors accountable and to protect the organization from potential private and government claims or investigations that may have serious direct or collateral consequences. Companies that want to use ephemeral messaging systems can do so, but they have to understand the risks involved and tailor appropriate controls and procedures to avoid potential damage.


    DOJ's Evaluation of Corporate Compliance Programs ("ECCP") released in March 2023 authorized companies to use ephemeral messaging but emphasized several important risk considerations and controls needed to preserve robust record-keeping requirements. DOJ's ECCP identifies three significant areas for consideration: employee use of personal devices, availability of communications platforms (e.g., Jabber, Slack, Teams, Google, Zoom), and messaging applications, including ephemeral messaging. DOJ's ECCP noted that a company's policies governing messaging applications "should be tailored to the corporation's risk profile and specific business needs and ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company."


    In this podcast, Michael Volkov and Eddie Green, CEO of SnippetSentry, discuss current communications preservation requirements and technical solutions to meet them.


    You’ll hear them discuss:


    • Companies are rapidly embracing and elevating the importance of robust ethics and compliance programs to promote positive corporate citizenship. This shift reflects a growing awareness of the significance of ethical practices in today's business landscape.
    • Eddie discusses the significance of preserving communications data in today's business landscape, given the evolving nature of communication technologies and the need for proactive data preservation strategies.
    • SnippetSentry's service allows users to seamlessly connect their phones to ensure all texts are archived without altering their day-to-day operations, allowing integration of compliance measures seamlessly into existing workflows.
    • The evolution of email preservation serves as a blueprint for understanding the importance of preserving text messages in modern business communication. Reflecting on past practices can provide valuable lessons for adapting to the changing landscape of communication data preservation.
    • Compliance mandates, such as those set by the SEC, emphasize the necessity of preserving text records to ensure regulatory adherence and mitigate risks, underscoring the critical role of data preservation in maintaining transparency and accountability in business operations.
    • The collaboration between compliance, IT, and information security professionals is crucial in developing policies and procedures to safeguard data and mitigate communication risks.
    • Financial institutions and other industries are increasingly adopting sophisticated data preservation strategies to protect intellectual property and ensure regulatory compliance. This proactive stance reflects a growing recognition of the importance of data security and compliance in safeguarding business interests.


    Resources

    Michael Volkov on LinkedIn | Twitter

    The Volkov Law Group

    Eddie Green on LinkedIn | SnippetSentry


    DOJ's Shifting Approach to Recidivism and Self-Disclosure


    In this special episode of Corruption, Crime, and Compliance, Michael Volkov joins colleague and long-time friend Tom Fox as they delve into the intricacies of recent FCPA enforcement actions, shedding light on the evolving landscape of corporate compliance. From the ABB case to the SAP settlement, Michael and Tom dissect the nuances of voluntary disclosure, extensive remediation, and the shifting priorities of the Department of Justice. Join them as they navigate the complexities of recidivism, cooperation, and the pivotal role of self-disclosure in today's compliance environment.


    You’ll hear them discuss:


    • The Department of Justice (DOJ) faced a challenging situation with ABB, a three-time FCPA recidivist, raising questions about their enforcement actions and policies.
    • ABB's case highlighted the importance of voluntary disclosure, extensive cooperation, and remediation in mitigating penalties and demonstrating commitment to compliance.
    • The shift in DOJ's approach towards recidivism and self-disclosure signaled a new emphasis on data-driven compliance and the use of evidence to support remediation efforts.
    • Albemarle and SAP cases showcased the significance of data-driven compliance programs and proactive measures to address compliance deficiencies.
    • DOJ's focus on self-disclosure as a key factor in enforcement actions underscores the importance of transparency, cooperation, and timely reporting in compliance efforts.
    • The evolution of DOJ's policies and enforcement strategies in 2023 reflected a balance between tough enforcement on recidivism and incentivizing self-disclosure through reduced penalties.
    • The role of voluntary disclosure, remediation, and cooperation is critical in navigating FCPA enforcement actions and achieving favorable outcomes with the DOJ.


    Resources

    Michael Volkov on LinkedIn | Twitter

    The Volkov Law Group


    Tom Fox on LinkedIn


    Compliance Podcast Network


    Christian Focacci, Founder and CEO, Threat.Digital, on Artificial Intelligence and Compliance


    Christian Focacci is a leader in the artificial intelligence world and harnesses its capabilities for risk management. He is the founder and CEO of Threat.Digital, which has launched a new product, DiligenAI. Threat.Digital is leveraging large language models and real-time data feeds to empower organizations to identify risk information confidently and efficiently, setting a new standard in risk intelligence. Mike and Christian discuss AI and its use in compliance third-party risk management.


    You'll hear them discuss:


    • AI should be viewed as a tool to enhance decision-making processes rather than a replacement for human judgment. It highlights the importance of leveraging AI to process vast amounts of data efficiently.
    • Organizations must strike a balance between recognizing the risks associated with AI, such as generative AI, and harnessing its potential benefits to improve productivity and decision-making within organizations.
    • Advancements in language models, particularly large language models like ChatGPT, have revolutionized the processing and understanding of unstructured text data, enabling more accurate and context-aware analysis.
    • Companies can use AI to significantly enhance due diligence processes, risk assessment, and compliance efforts by efficiently summarizing and analyzing vast amounts of information to support decision-making.
    • The use of AI in due diligence and compliance is a tool meant to empower human decision-makers by providing them with comprehensive and distilled information, allowing them to focus on critical analysis and decision-making rather than mundane tasks.
    • One major strength of AI, particularly large language models, is to improve monitoring processes by reducing false positives and providing real-time alerts based on predefined criteria, enabling more efficient risk identification and management.
    • AI has a bright future, including the expansion of context windows in language models, the rise of open-source models, and the potential for running AI models on personal devices, indicating a shift towards decentralized and accessible AI technology.


    Resources

    Michael Volkov on LinkedIn | Twitter

    The Volkov Law Group


    Christian Focacci on LinkedIn | Threat.Digital

    Alex Cotoia on Compliance with the Uyghur Forced Labor Prevention Act


    On December 31, 2021, President Joseph R. Biden, Jr. signed the Uyghur Forced Labor Prevention Act (“UFLPA”) into law to address the ongoing exploitation of the ethnic minority Uyghur population by the government of the People’s Republic of China (“PRC”). Among other things, the UFLPA creates a rebuttable presumption that all goods, wares, articles, and merchandise mined, produced, or manufactured wholly or in part in Xinjiang, or by entities designated for inclusion on the UFLPA Entity List, are prohibited from entry into the United States. To overcome the presumption, entities are required to demonstrate, by “clear and convincing evidence,” that such imports were not mined, produced, or manufactured in whole or in part by forced labor.


    In this episode, Mike and Alex discuss practical steps to comply with the UFLPA.


    • The Uyghur Forced Labor Prevention Act, enacted by Congress, establishes a presumption that goods from Xinjiang are tied to forced labor. Importers must prove otherwise by providing extensive documentation, such as invoices, packing slips, and billing information, to demonstrate the origin of the goods and ensure compliance with the law.
    • The UFLPA has led to a significant increase in enforcement by CBP, resulting in the detention of billions of dollars worth of commodities. This heightened scrutiny has prompted global companies to prioritize robust ethics and compliance programs to mitigate legal and economic risks associated with forced labor.
    • Compliance with the UFLPA requires importers of record to furnish CBP with clear and convincing evidence that their goods were not produced using forced labor. This evidence includes supply chain tracing information, wage and payment records, credible audits, and attestations from every entity involved in the production process.
    • Chinese entities have been known to employ deceptive practices to avoid detection and documentation requirements. This includes creating separate companies outside the Uyghur area and providing misleading information to purchasers. Due diligence and thorough investigation of beneficial ownership are crucial to ensure compliance.
    • CBP's operational guidance for importers, published in 2022, provides essential information on navigating the complexities of the UFLPA. Importers should familiarize themselves with this guidance and engage in one-on-one discussions with their suppliers to communicate expectations and ensure compliance.
    • The UFLPA places a significant burden on organizations relying on imports from China, as they must provide extensive documentation and meet the clear and convincing evidence standard. Failure to meet these requirements can result in the detention of goods, leading to supply chain disruptions and potential financial losses.
    • Clear Channel, the former Chinese subsidiary of Clear Media, faced charges related to bribery violations. The bribes included expensive gifts, entertainment, and travel given to influence contract renewal negotiations with Chinese government officials. Clear Media engaged in deceptive practices, including falsifying payments and creating false invoices, to fund these illegal payments.


    Resources

    Alex Cotoia on LinkedIn | Email


    Michael Volkov on LinkedIn | Twitter


    The Volkov Law Group


    Trade Compliance Trends and Expectations with Gabrielle Griffith


    Gabrielle Griffith, Director at BPE Global, is an expert in trade compliance issues. Gabrielle assists clients in implementing effective trade compliance programs by addressing improvements within organizations’ people, processes, and systems. In the area of U.S. export controls, she advises clients on compliance with the International Traffic in Arms Regulations, the U.S. Export Administration Regulations, and the various embargo and sanctions programs administered by the Office of Foreign Assets Control. On import compliance matters, she advises on classification, country of origin, special duty programs such as USMCA, focused assessments, C-TPAT, antidumping/countervailing duty as well as Section 232 and 301 matters. Gabrielle joins Michael to discuss current trade compliance trends and expectations for 2024.


    • The increase in national security risk has heightened the need for creative thinking to identify potential threats that may not be designated within regulations. This means that companies must go beyond traditional compliance measures and think outside the box to proactively address emerging risks to national security.
    • Global companies are facing unprecedented risks and challenges in today's economy, leading to a greater emphasis on robust ethics and compliance programs. These programs are essential for promoting positive corporate citizenship and mitigating legal and economic risks associated with corruption and crime.
    • Trade compliance is no longer a silo within a compliance department but must be integrated into the entire operation of a company. This means that trade compliance considerations should be incorporated into all aspects of a company's business processes, from product development to supply chain management.
    • The Department of Justice is ramping up efforts to prosecute companies for trade compliance violations, particularly in relation to national security. This increased focus on enforcement means that companies need to be proactive in ensuring compliance with export control regulations and other trade compliance requirements.
    • Over-controlling trade compliance can hinder business operations while under-controlling can lead to violations. Finding the right balance is crucial. Companies should strive to implement effective trade compliance measures that align with their specific business needs, avoiding unnecessary restrictions while still ensuring compliance with applicable regulations.
    • The government should collaborate more with industry consultants to bridge the gap between enforcement agencies and companies, ensuring effective communication and guidance. This collaboration can help companies navigate the complex landscape of trade compliance and provide valuable insights to regulators on emerging technologies and industry practices.


    Resources

    Michael Volkov on LinkedIn | X (Twitter)

    The Volkov Law Group

    Gabrielle Griffith on LinkedIn


    BPE Global


    DOJ and OFAC Sanctions Enforcement Review for 2023


    The Justice Department and the Office of Foreign Assets Control had a big year in 2023. Criminal and civil enforcement continue to increase. The DOJ has warned corporations that aggressive sanctions enforcement actions are coming -- to that end, the DOJ assigned 25 new prosecutors to the National Security Division to execute on its promise. Meanwhile, OFAC had a record year in collecting $1.539 billion in penalties, largely the result of two blockbuster settlements -- British American Tobacco and Binance, the cryptocurrency exchange.


    • It's important for companies to ensure they have U.S. expertise to effectively address potential violations of U.S. sanctions laws, as unfamiliarity with these laws can hinder prompt identification and response. Having a strong compliance program based in the United States is a valuable lesson learned from OFAC.
    • Global companies are facing unprecedented risks and challenges in today's economy, leading them to prioritize robust ethics and compliance programs. These programs play a crucial role in promoting positive corporate citizenship and mitigating legal and economic risks.
    • In 2023, there was a significant increase in sanctions enforcement by the DOJ and OFAC, with plans for even more aggressive actions in the future. With 17 enforcement cases and $1.5 billion in penalties, it is evident that compliance areas such as third parties and internal controls are of utmost importance.
    • Various countries, including Russia, Cuba, and Iran, continue to be the focus of global sanction schemes. While Venezuela's sanctions were temporarily relaxed, companies must stay vigilant and monitor the upcoming election. The British American Tobacco case, with its $629 million settlement, serves as a model for future enforcement actions.
    • The Binance case, involving a $4.3 billion settlement, shed light on criminal violations in the cryptocurrency industry. This highlights the critical importance of compliance in this rapidly evolving sector.


    Resources

    Michael Volkov on LinkedIn | Twitter

    The Volkov Law Group

    FCPA 2023 Year in Review


    For the Justice Department and the SEC, 2023 was a slow year in FCPA enforcement. Despite promises of aggressive enforcement, DOJ and the SEC failed to achieve increases in FCPA enforcement. DOJ and the SEC issued no blockbuster enforcement actions or settlements. The SEC's number of enforcement actions was steady and eclipsed its 2022 number by one. Equally significant was DOJ's reduction in individual criminal prosecutions, thereby raising legitimate questions as to its ability to deliver on its promise of aggressive enforcement against individual FCPA violators. Despite a slower enforcement year, DOJ dedicated significant resources to issuance of new policy statements encouraging voluntary disclosures, incentivizing clawbacks, elevating compliance programs and offering new safe harbors for mergers and acquisitions.


    In this episode, Michael Volkov reviews FCPA enforcement in 2023 and outlines new compliance trends in the anti-corruption field.


    • Clear Channel's former Chinese subsidiary, Clear Media, was charged with bribery violations involving expensive gifts, entertainment, and travel given to influence contract renewal negotiations with Chinese government officials.
    • Clear Media engaged in deceptive practices, such as falsely documenting payments to cleaning and maintenance companies to fund illegal payments. They used oral agreements, omitted gift recipients, and created false invoices and tax records to disguise payments through shell company intermediaries.
    • Senior executive complicity was another trend observed in the cases discussed. In some instances, senior executives were aware of the bribery schemes but either turned a blind eye or actively participated in the misconduct.
    • Internal audits conducted from 2012 to 2017 identified deficiencies, red flags, and indicators of bribery within Clear Channel. However, the company failed to take aggressive remedial actions to address these issues.
    • Clear Media resisted internal auditors and even provided false information, hindering the detection and resolution of bribery-related problems.
    • Despite these challenges, Clear Channel cooperated extensively with the investigation. They promptly shared relevant facts, produced necessary documents, and facilitated interviews with current and former employees.


    Resources


    Michael Volkov on LinkedIn | Twitter

    The Volkov Law Group

    Deep Dive into DOJ and SEC's SAP FCPA Enforcement Action


    Bribery is rampant in many countries around the world, and in this episode of Corruption, Crime, and Compliance, we take a look at a recent FCPA case involving SAP, a global software company. SAP’s violations spanned multiple countries, including South Africa and Indonesia, and resulted in prosecution and a hefty $220 million penalty. However, many people were baffled by the resolution of this case. The DOJ lacked aggressiveness and failed to impose an independent compliance monitor. Join the host, Michael Volkov, as he analyzes the intricacies of this case and the implications for FCPA enforcement in the coming years.


    • SAP is a recidivist company, but DOJ’s enforcement action against it did not seem to take that into account when holding it accountable for instances of bribery that spanned the globe.
    • As the DOJ seemed to take a step back, the SEC made an aggressive push to hold companies accountable for violating internal controls, which is what happened in the SAP case.
    • SAP's repeated failure to follow internal control requirements governing third parties serves as a cautionary tale for companies to ensure that their procedures are not only in place but also actively implemented and monitored.
    • Clear Channel's former Chinese subsidiary, Clear Media, engaged in deceptive practices to fund illegal payments, including creating false invoices and tax records, but even after internal audits, Clear Channel failed to take aggressive remedial actions.
    • Clear Channel demonstrated a clear commitment to addressing the issues in the investigation that followed, highlighting the importance of cooperation, as it can lead to more favorable outcomes and potentially mitigate the severity of penalties imposed.


    KEY QUOTES


    "DOJ is turning its focus and pulling back on FCPA enforcement." - Michael Volkov


    "The SAP resolution, which totals only $220 million, was far below the amount that a recidivist should have paid for its global bribery operations stretching into multiple countries." - Michael Volkov


    "The SEC's approach demonstrates a more aggressive application of internal control enforcement." - Michael Volkov


    "If a company is going to craft these internal controls, the company has to enforce those controls or face serious enforcement risks." - Michael Volkov


    Resources

    Michael Volkov on LinkedIn | Twitter

    The Volkov Law Group


    Natalie Druckman from Certa on AI-Enhanced Third-Party Risk Management


    How do you manage risk when the vulnerabilities are outside your organization and aren’t in your hands? In this episode of Corruption, Crime, and Compliance, we delve into the world of third-party risk management with our guest, Natalie Druckman, from Certa. As we discuss the regulatory landscape in EMEA and the US, Natalie highlights the higher regulatory burden faced by companies in EMEA, and how Certa uses AI to streamline workflows, provide intuitive data visualization, and enhance risk forecasting capabilities. AI is the future of third-party risk management, now and in the future.

    

    • Cybersecurity has become one of the top concerns for organizations. In 2012, Target worked with a third-party vendor and, as a result, suffered an attack that exposed their customers’ credit data. Since then, compliance departments have started working closely with IT to prevent such vulnerabilities. 
    • Unlike the US, EU companies don’t benefit from gaps created between state and federal regulations. EMEA faces a mandatory and substantial regulatory burden, particularly in areas like ESG and compliance. A forced labor scandal can sink a company, so ESG’s importance is on par with cyber security.
    • Global companies are increasingly recognizing the importance of addressing ESG topics alongside cybersecurity and financial risks. ESG considerations, such as diversity, modern slavery, and gender pay gaps, have significant reputational and revenue impacts.
    • AI is changing the world in many ways, including compliance. Certa aims to provide a comprehensive solution for third-party risk management, compliance, and operational risks by streamlining processes and incorporating AI capabilities to enhance efficiency and effectiveness.
    • Certa utilizes various AI capabilities, including design AI, which allows users to create workflows using plain language. They don’t need to know anything about tech; they can simply dictate the process, and AI generates the necessary code and infrastructure for it. This allows the company to remain flexible and able to quickly adapt to change.
    • Insights AI is another capability that collects and analyzes data, making it far more accessible and efficient in managing up-to-the-minute risks and developments. This technology also uses design AI, allowing for plain language inputs to immediately create actionable, detailed reports.
    • Recall AI allows companies to guarantee rapid and consistent responses from suppliers and customers by recalling past interactions to create surveys, forms, workflows, and processes. This removes the back-and-forth burden on all parties while still retaining the human touch.
    • Smaller and midsize companies should prioritize their risk management processes and consider automated solutions like Certa. These companies can benefit from the efficiency and effectiveness of an automated platform, regardless of their industry or size.


    KEY QUOTE

    “I think there is a very strong drive here for companies and stakeholders, not just to do the right thing… but doing the good thing as well.” - Natalie Druckman


    Resources

    Michael Volkov on LinkedIn | Twitter

    The Volkov Law Group

    Natalie Druckman on LinkedIn

    Certa

    Email Natalie: nat@certa.ai


    Deep Dive into HHS-OIG Compliance Program Guidance


    In this week's episode of Corruption, Crime, and Compliance, we usher in the New Year with a deep dive into something that happened in November of last year. As we begin 2024, it's crucial to reflect on the substantial shifts in the healthcare industry's compliance framework. The HHS Office of Inspector General's Comprehensive Compliance Guidance, released late last year, has set a new standard for healthcare companies, reinforcing the importance of an independent compliance function and outlining a robust framework for effective compliance programs. Michael Volkov meticulously dissects the seven key elements of this groundbreaking guidance, emphasizing its relevance not just in healthcare, but across the spectrum of compliance practices. 


    You’ll hear Michael discuss:

    • The HHS Office of Inspector General issued the Comprehensive Compliance Guidance (GCPG) in November 2023, a significant document for the healthcare industry, emphasizing the need for independent and robust compliance programs.
    • The guidance is structured around seven core elements: written policies and procedures, effective compliance leadership, training, open lines of communication, enforcing standards, risk assessment, and responsive corrective action for detected offenses.
    • The role of a Chief Compliance Officer is critical, and they should:
        • Report directly to the CEO or have independent access to the board,
        • Have sufficient stature within the entity equal to other leaders,
        • Demonstrate unimpeachable integrity, judgment, assertiveness and approachable demeanor, and
        • Have sufficient funding, resources and staff to operate the program.
    • Emphasizing the separation of legal and compliance functions, the GCPG recommends that compliance officers focus solely on compliance, avoiding roles in legal or financial departments.
    • The GCPG advises the establishment of a compliance committee, meeting quarterly, with responsibilities spanning legal regulation analysis, policy review, training effectiveness, and annual risk assessment.
    • The CEO should include a signed introduction in the code of conduct. The board should include a signed endorsement or similar written statement to support the compliance commitment, and entities should review their codes when a new CEO is hired.
    • Clear communication and board oversight are crucial; board members should be well informed about compliance programs and ensure that the compliance officer has sufficient access to them.
    • How compliance officers and boards should respond when compliance concerns are reported or discovered, and focus on the root causes of the misconduct to prevent recurrence.



    Resources

    Michael Volkov on LinkedIn | Twitter

    The Volkov Law Group



    © 2024 Podcastworld. All rights reserved
