The Department of Justice in the U.S. and the Serious Fraud Office in the UK have shared guidance on the best ways to ensure that you are not only establishing a strong compliance program, but also evolving your program to meet your compliance needs as your company changes—acquisitions, mergers, joint ventures, and starting new areas of business increase the risk for non-compliance within your organization. One thing that these agencies both stress as a matter of necessity in a successful compliance program is risk-based training. To begin, you can focus your energy on completing an initial company-wide risk assessment. This will give you a sense of where you need to tailor your training. The assessment should help to expose gaps in compliance knowledge and to ensure all employees are aware of the risk scenarios they may face and of how to respond in those situations. As the leader of the compliance message to your company and to those representing your company, you must ensure that they receive the proper training for:
Their role within the company: whether an executive in the C-Suite or an intern, every employee needs to understand how their role can expose them to high-risk scenarios. The training should cover every position to ensure there are no misunderstandings as to expectations, and there should be a clear policy in place to keep employees apprised of their role in ensuring compliance and good governance.
Their level of expertise: there are going to be some employees who, based on their previous work or their current position, will have more knowledge as to their relationship with high-risk scenarios. TRACE offers competency-based training, using pre-tests to determine knowledge level on a compliance topic to allow those with more knowledge to “test out” of annual required training and meet all learners “where they are.”
Their risk level: as touched on above, each position within a company can be faced with different scenarios of varying risk. Based on the risk assessment, you will know more about the risk level of each position within your company. From this data, you will be able to tailor and deploy training that caters to the needs of each position and its corresponding risk level.
Training should include additional professional development learning for those who might be exposed to a higher risk. For example, at TRACE International, we offer a higher learning program called TRACEpro through our memberships. This program can be used to supplement the compliance training for those employees who are inherently exposed to more high-risk scenarios and thus need to be armed with the appropriate tools to ensure they are compliant with local laws and company policy.
No matter the size of your compliance team, the importance of risk-based training is clearly a priority, especially to those enforcement agencies who are keeping tabs on international company compliance and good governance. By focusing your initial energy on a company-wide risk assessment, you will be able to tailor your education and training to address those high-risk areas and positions within your institution and better align your company with your compliance initiatives, while saving costs associated with extraneous resources that do not match your company’s compliance goals.
Associate Director, Compliance Training, TRACE
This post is part of our “Ask an Expert” series where we take questions submitted by readers and ask an expert in the compliance field to provide insight. If you have a question you would like answered, please submit here.
In-house counsel, compliance officers and internal auditors are under various legal obligations to report wrongdoing, and it is worth refreshing your recollection of the relevant statutes and some details about those duties.
First, though, take a moment to consider and appreciate why you have been given the job of safeguarding the public interest. Your role puts you in the middle of the action in our capitalist arena, and your work directly supports the ethical foundation on which it was built. That is empowering. If the obligation to report potential criminal acts feels like a heavy responsibility, remember that the flip side of responsibility is trust. You have been entrusted with doing the right thing if and when needed, and you have the confidence of lawmakers, government agencies, the judiciary, and the public. They have clarified through various laws their ask and made it your task. Let’s review some of the key ones.
1. Section 307 of the Sarbanes-Oxley Act is the basis for 17 CFR Part 205, which emphasizes "up-the-ladder" reporting requirements for lawyers employed by Issuers. In-house counsel is required to report evidence that a material violation of securities law, breach of fiduciary duty or similar violation has occurred, is occurring, or is about to occur to their General Counsel or CEO, and if an appropriate response is not provided within a reasonable time, to make the report to the audit committee or full board of directors.
2. Rule 10b-5 of the Securities Exchange Act of 1934 prohibits securities fraud. To briefly summarize, Rule 10b-5 makes it unlawful to: (a) employ any device, scheme, or artifice to defraud, (b) make any untrue statement of a material fact or omit to state a material fact necessary to make the statements made not misleading, or (c) engage in any act, practice, or course of business which operates or would operate as a fraud or deceit. The Rule also requires lawyers to be aware of their role in preventing and not participating in fraudulent activities related to securities transactions. Upon encountering fraud or deceit, in-house counsel has an obligation to report this internally and possibly externally.
3. The Insider Trading and Securities Fraud Enforcement Act of 1988 requires in-house counsel at issuers to report knowledge of insider trading. It also expanded the scope of civil penalties to control persons who fail to take adequate steps to prevent insider trading. Compliance teams must ensure that proper policies and procedures are in place for handling material non-public information and to prevent insider trading.
4. Whistleblower Provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Dodd-Frank enhances whistleblower protections and rewards, encouraging employees to report securities violations to the Securities and Exchange Commission (SEC). The Whistleblower Hotline has been a critical component of the SEC's efforts to encourage and protect whistleblowers reporting securities violations. In 2023, the SEC received 18,000 tips, nearly a 50% increase from the previous year. Almost $600 million in awards were granted, including a record single award of nearly $279 million, the highest in the program’s history. Under the applicable rules, employees whose primary job responsibilities involve compliance or internal audit functions are excluded from the program unless a narrow exception is met. In-house counsel also would need to consider complex attorney-client privilege issues. But none of us got into Compliance for the money, and the Hotline is available if your company’s internal controls and processes fail.
5. The Foreign Corrupt Practices Act (FCPA) and UK Bribery Act 2010 do not impose an obligation on in-house counsel or compliance officers to report suspected violations. Of course, you should report any concerns internally and help lead the discussion about whether to self-report to the enforcement authorities, especially if the violation is significant.
6. The Bank Secrecy Act and Anti-Money Laundering (AML) Regulations primarily target financial institutions, although AML regulations can affect issuers. In-house counsel must ensure their employer complies with AML laws and report any suspicious transactions that may indicate money laundering activities. This duty includes situations in which in-house counsel suspects their employer is engaging in violations of AML regulations.
7. Rule 8.3(a) of the American Bar Association’s Model Rules of Professional Conduct imposes an ethical duty on lawyers to report misconduct to regulatory authorities if it involves a violation that raises substantial questions about a lawyer’s honesty, trustworthiness, or fitness to practice law.
Beyond specific statutes, in-house counsel and compliance officers have a general duty under corporate governance principles to report significant legal issues or violations internally to the CLO or CEO and if necessary to their company’s board of directors or appropriate board committee. The laws discussed above also anticipate and support that employees will report any suspected wrongdoing through internal channels before going to an enforcement agency. The compliance team must ensure that employees know this, have confidence that their report will be handled earnestly and without delay, and feel protected from any potential retaliation.
Be sure to familiarize yourself with reporting obligations required under laws and regulations applicable in your jurisdiction or region and in your industry. Finally, before making a report of possible illegal activity to enforcement authorities, it is advisable to seek advice from external counsel.
General Counsel
Last week, Boston Consulting Group (BCG) announced that the U.S. Department of Justice (DOJ) declined to prosecute the firm despite its having paid bribes to win deals in Angola. BCG, which self-reported the payments, will disgorge $14.4 million in profits it received through the corrupt contracts.
The declination reflects the DOJ’s efforts to encourage companies to come forward if they discover potential misconduct.
BCG, through its Lisbon office, paid roughly $4.3 million in commissions to an agent to secure business with Angolan government agencies. The firm knew that this agent had close connections with government officials and members of the ruling party in Angola but agreed to pay between 20% and 35% of the value of any government contracts obtained, with the payments being routed through three different offshore entities. The payments were made between 2011 and 2017.
For risk and compliance teams, the declination offers several insights:
BCG would probably have seen a considerably worse outcome had it not come forward after discovering potential wrongdoing, as news reports later implicated BCG in questionable deals relating to Angola’s state-owned oil company, as well as a jewelry company owned by the former president’s daughter, Isabel dos Santos. Corporate wrongdoers are not eligible for declinations if the potential misconduct is already in the news. (Note, though, that the DOJ declination letter does not specify whether these were the specific deals that were corruptly won.)
When BCG chose to self-disclose, it did so under a less generous DOJ policy that did not grant declinations as easily. Since then, in 2023, the DOJ listed the criteria for a presumption of a declination: voluntary self-disclosure, full cooperation, and timely and appropriate remediation. In granting the declination, the DOJ cited factors from the 2023 policy to support its decision, even though it would not have been in effect when BCG turned itself in.
In order to qualify for the presumption, a company’s executive management cannot have been involved in the misconduct. Yet there were equity partners in BCG’s Portugal office who were “implicated” in the activity, suggesting that they are not considered “executive management.” This may be because they manage a local office, and not the global enterprise. (Alternatively, there may be an unexplained distinction between being “involved in” and being “implicated” in misconduct.)
While details of BCG’s control failures are scant, the company appears to have taken a very aggressive approach to risk. While the egregiousness of a violation does not necessarily preclude a declination, it does mean that a company must take significant remedial steps to enhance its compliance program and oversight.
TRACE members may learn more about self-disclosure in the Voluntary Disclosure Under the Foreign Corrupt Practices Act white paper.
FCPA Compliance Consultant