Corruption Crime & Compliance

In this episode of Corruption, Crime and Compliance, we delve into the complex world of sanctions compliance and enforcement. In this new era of aggressive sanctions enforcement, companies have to understand the red lines that define where criminal and civil enforcement risk increases. In contrast to the history of FCPA enforcement, DOJ and OFAC have provided helpful guidance to alert companies where risks are likely to increase. Join host Michael Volkov as he navigates the intricate landscape of voluntary disclosures, criminal and civil enforcement risks, and the evolving strategies of regulatory agencies like OFAC and the Department of Justice.

Hear Michael discuss:

• Sanctions enforcement involves a mix of civil and criminal line drawing.
• On the civil side, OFAC has explained that sanctions violations can be found based on strict liability with aggravating factors that turn the actor's state of mind. 
• Third-party liability for distributors extends to situations where a principal company knew or reasonably should have known that products sold to a third party were intended for shipment to a prohibited entity or individual or a prohibited country. 
• Third-party liability for violations occurring in a company's supply chain requires companies to break down its supply chain and learn the sourcing for all companies in its supply chain. It is clear that a failure to examine and assess your supply chain can lead to civil liability. 
• In defining where criminal enforcement picks up on the culpability spectrum, DOJ and OFAC have defined potential criminal conduct based on the term "willful," meaning when an actor knew that its conduct was wrong but did not necessarily know the specific law that her/she was violating. 
• Applying the "you know it when you see it" standard, companies have to weigh the evidence of surrounding circumstances to determine if an individual actor or actors possessed the requisite intent. 
• Criminal enforcement determination will turn on the attribution of individual conduct to a company based on respondeat superior principles -- that is, whether the conduct was committed in the course of an individual's duties and in furtherance of a legitimate business purpose. 
• Enforcement examples to track where the precise line falls between criminal and civil are few—a good start is by reviewing a meaningful record of DOJ enforcement actions against sanctions violations. The situation is akin to the early days of aggressive FCPA enforcement, where enforcement and settlement cases were reviewed for important precedents and explanations. DOJ's record here is about to be defined and companies, commentators and trade compliance professionals will be reading tea leaves and looking for patterns.

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

LRN has issued another important report. In its latest report, The 2024 Benchmark of Ethical Culture Report, LRN has focused on the critical issue of corporate culture. LRN is a pacesetter and the leader in reliable studies on complex ethics and compliance issues. If not properly promoted or maintained, a defective culture can lead to serious misconduct, government investigation, reputational damage, and collateral harm. On the other hand, a positive and effective culture is a company's most valuable intangible asset, as it is tied directly to increased financial performance and sustainable growth. Over the past few years, business leaders have embraced what compliance and governance professionals already knew: companies with strong ethical cultures outperform other companies with weaker cultures. Employees at ethical companies are more productive, more satisfied, less likely to seek a new job, and more committed to the company's mission.

Hear Michael discuss:

• LRN's 2024 Benchmark of Ethical Culture Report underscores the importance of ethical culture in driving financial performance and reducing misconduct rates.
• Generation Z shows a higher tolerance for unethical conduct, with nearly a quarter admitting to engaging in such behavior to get the job done.
• Hybrid workers who alternate between working from home and the office exhibit lower rates of misconduct and are more likely to report observed misconduct due to increased job satisfaction.
• Organizations with strong ethical cultures outperform those with moderate to weak cultures by at least 50% across various business performance measures.
• Employees at companies with strong ethical cultures are 1.5 times more likely to report observed misconduct, emphasizing the value of a positive work environment.
• Senior leaders often have more favorable perceptions of their organization's culture than middle management and frontline workers, highlighting the need for consistent messaging.
• LRN's research shows that nearly 70% of the variance in business performance is linked to an organization's ethical culture, emphasizing the critical role of culture in success.

Resources

LRN’s 2024 Benchmark of Ethical Culture Report

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Dottie Schindlinger is Executive Director of Diligent Institute, the global corporate governance research arm of Diligent - the largest SaaS software company in the Governance, Risk, Compliance (GRC), and ESG space. She co-authored the book Governance in the Digital Age: A Guide for the Modern Corporate Board Director, co-hosts “The Corporate Director Podcast,” and co-created Diligent Institute’s Certification programs for directors and executives, including AI Ethics & Board Oversight. Dottie was a founding team member of the tech start-up BoardEffect, acquired by Diligent in 2016. She graduated from the University of Pennsylvania and is a Fellow of the Salzburg Global Seminar Corporate Governance Forum. Diligent and Bitsight recently issued an important report on corporate board oversight of cybersecurity risks. 

Dottie Schindlinger, Executive Director of Diligent Institute, joins Michael Volkov to discuss the important findings of Diligent's report.

You'll hear Dottie and Michael discuss:

• Companies with advanced security ratings create nearly four times the amount of value for shareholders as companies with basic security ratings. On average, the Total Shareholders’ Return (TSR) over three and five years for companies in the advanced security performance range is approximately 372% and 91% higher, respectively, than their peers in the basic security performance range.
• Companies with a specialized risk or audit committee had higher security performance ratings on average. Companies falling within these two categories have an average security rating of 710, whereas companies lacking both committees have an average security rating of 650.
• The findings also suggest that the distribution of security ratings among companies with specialized risk and audit committees tends to skew towards the advanced security performance range, whereas companies lacking either of these committees tend to skew toward the basic security performance range.
• Having a cybersecurity expert on the board is not enough. Integrating a cybersecurity expert into the board committee tasked with cybersecurity risk oversight makes a significant difference in an organization’s performance.
• Merely having a cybersecurity expert on the board does not correlate to having a higher security performance rating. Highly regulated industries tend to outperform other industries in terms of cybersecurity performance. 
• Of the companies with advanced-level security performance ratings, a full third (33%) came from the financial services sector – with an average rating of 720. The sector with the highest average rating overall was healthcare at 730. 
• Nearly a quarter (24%) of companies with basic security performance ratings came from the industrial sector. 

Resources

Dottie Schindlinger on LinkedIn

Diligent Institute | Diligent | Board Effect

The Report can be downloaded at: Cybersecurity, Audit and the Board Report

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

A new compliance cottage industry surrounds artificial intelligence. We are at such an early stage of AI development, and companies are still figuring out how they can employ the technology. However, some industries, such as financial institutions, have been using AI for fraud detection and other issues. These early adopters will likely set the tone for AI compliance practices. There is no question that AI holds terrific promise. The hype surrounding AI is just that -- hype. Until there is more certainty surrounding AI technology, we will witness a lot of bloviating. But this aside, corporate boards, senior executives, and business developers need to pay attention until the dust settles. The AI industry is moving so fast that the sooner we start to focus, the nimbler our response will be.

Luckily, ethics and compliance principles are easily adaptable to AI risks. In this episode of Corruption, Crime, and Compliance, Michael Volkov discusses how the compliance profession is more than capable of building effective compliance programs around AI operations.

• Financial institutions have been using AI for fraud detection and other issues. They are at the forefront of developing compliance practices around AI.
• Companies need to embrace AI's promise and not get overwhelmed by all the hype. Corporate boards, senior executives, and business developers must pay attention until the dust settles.
• The AI industry is moving fast, and companies need to focus on what’s happening. Compliance has to be nimble and quick, just like the technology.
• Like every aspect of a business, any new technology presents risks, and AI certainly presents risks that need to be mitigated. This, in turn, leads to the necessary question: How should a company structure its AI risk and compliance program?
• AI can be a very productive tool. It can easily end up reducing costs and increasing efficiency. More efficient companies can help the economy expand and create new opportunities for growth.
• Financial institutions, tech companies, pharmaceutical, medical device and transportation logistics industries are likely to be significant users of AI technology.
• Generative AI use may increase the risk of fraud and will need to incorporate risk mitigation costs and capabilities.
• Compliance professionals have the intelligence, professional capabilities, and integrity to rise to the challenge of AI technology and onboard a third party.

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

With the beginning of the “New FCPA” era coined by DOJ’s Deputy Attorney General Lisa Monaco, we now need to focus on third-party risk and sanctions enforcement. The law, the practice, and the risks are important and not just the same as FCPA legal requirements. As we embark on a new criminal enforcement era surrounding sanctions violations, companies have to address this issue and do it correctly. 

In this episode, Michael Volkov takes a comprehensive look at third-party risks from the distribution and supply sides and outlines appropriate strategies to manage these risks.

• Epsilon Electronics serves as a stark reminder of the financial consequences of non-compliance. The company faced an OFAC enforcement action due to a shipment to Iran, resulting in a staggering penalty of over $4 million.
• Apollo Aviation Group settled with OFAC for $210,600 for leasing aircraft engines which ultimately ended up being placed in to aircraft of a prohibited entity, Sudan Airways, violating sanctions regulations.
• ELF Cosmetics settled with OFAC for $996,000 for importing false eyelash kits containing materials sourced from North Korea, highlighting supply chain due diligence failures.
• The ELF Cosmetics case underscores the crucial role of supply chain due diligence in preventing sanctions violations. Instead of sticking their heads in the sand, companies must undertake basic supply chain due diligence when sourcing products from regions close to high-risk countries or regions.
• “Reason to know” is now the key phrase guiding the New FCPA era. OFAC does not need to prove goods ultimately end up in a sanctioned country. When you see red flags, you must resolve them or they could be considered a “reason to know” in OFAC’s eyes.
• Seven essential elements to boost your compliance program and effectively mitigate third-party sanctions risks include risk assessment, varying levels of due diligence, end-user documentation, monitoring, training, and red flag identification.

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Carlos Villagrán is the Director of Compliance at CMPC, a 100-year-old Chilean-based holding company, one of the worldwide leading pulp, paper, packaging, personal care, and other forest products manufacturers. With more than 20,000 employees, CMPC has industrial operations in 9 countries (LatAm and the US) and commercial offices in the US, Europe, and China, selling and distributing its products to more than 45 countries around the world. Carlos joined CMPC to remediate and rebuild CMPC's culture and compliance program after a devastating scandal -- CMPC was prosecuted for its involvement in a decade-long conspiracy to fix prices in Peru and Chile for consumer paper products. Carlos discusses the challenges he faced in rebuilding CMPA's culture and commitment to compliance. His story is an inspiration to all legal and compliance professionals and provides important instructive lessons to corporate leaders and compliance professionals.

You'll hear Michael and Carlos discuss:

• The importance of rebuilding and rediscovering the values and purpose of CMPC after a major corporate crisis.
• The effects on market share quotas and sales prices when CMPC faced an investigation and found to be the leader of a cartel in Chile and Peru.
• How the crisis significantly impacted CMPC's reputation, leading to public protests and consumer backlash in Chile and Peru.
• CMPC’s compliance team addressed the company’s complex nature because of its diverse workforce, including data analytics experts, IT professionals, and engineers.
• How the compliance program at CMPC shifted from a traditional approach to a more cultural and system-thinking perspective, aligning with the company's values and operations.
• Success for the compliance program at CMPC is defined by the number of critical tables the team is seated on, indicating their value and integration within the business operations.

Resources

Carlos Villagran on the Web | LinkedIn

Email: [email protected] or [email protected]

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Over the last ten years, we have seen a marked shift from the Delaware Chancery Court chipping away at corporate board member liability claims. In a number of seminal cases involving Boeing airplane crashes (In re the Boeing Co. Derivative Litig., No. 2019-0907 (Del. Ch. Sept 7, 2021)), and deadly listeria outbreaks from tainted ice cream (Marchand v. Barnhill, 212 A.3d 805 (Del. 2019)), Delaware Courts have upheld plaintiffs' cases against claims of failing to adequately plead violations of the standards set forth in Caremark, 698 A.2d 959 (Del. Ch. 1996), (establishing basic pleading requirements to withstand motions to dismiss). 

In this episode, Mike Volkov provides a comprehensive update on the recent Caremark decisions issued by the Delaware Chancery Court, underscoring their importance for accountability and governance in the corporate world.

• Caremark oversight duties stem from the well-established duty of loyalty and its subsidiary duty of good faith. To plead a Caremark claim, a plaintiff is required to put forth adequate facts from which a factfinder can make a reasonable inference that the fiduciary acted in bad faith. 
• Under Caremark, bad faith can be established when a fiduciary: “(1) utterly fail[s] to implement any reporting or information system or controls," or (2) having implemented such a system or controls, consciously fail to monitor or oversee its operations, which results in a failure to act or attend to a risk or problem requiring their attention or response. 
• Last year, the Chancery Court made a groundbreaking decision, extending the so-called Caremark oversight obligations and governance requirements to senior management in the McDonald's case. In re McDonald’s Corp. S’holder Derivative Litig., 289 A.3d 343 (Del. Ch. 2023). This ruling is one of the most significant developments in recent years, advocating for increased accountability for oversight and governance failures.
• Recent cases, such as the Boeing 737 MAX crashes and the Listeria outbreak from tainted Blue Bell ice cream, have highlighted failures in proper board governance and oversight responsibilities.
• In a case involving Segway, the Chancery Court dismissed a motion against an officer for failing to detect financial discrepancies, emphasizing the need to demonstrate a lack of good faith in monitoring central compliance risks.
• The trend in Delaware Chancery Court decisions is moving towards holding directors and officers accountable for failures to act in response to indications of potential illegal conduct, with a focus on bad faith actions.
• The Boeing case exemplifies the consequences of board members ignoring safety concerns and focusing solely on the bottom line, leading to tragic outcomes that could have been prevented with proper oversight and accountability.

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Directive 2019/1937 of the European Parliament and Council dated 23 October 2019 on the “protection of persons who report breaches of Union law” (the “Directive”) is currently being implemented by EU Member States. The directive has broad applicability to organizations operating in the EU internal market and applies to both public and private sector organizations alike. Whistleblowers are guaranteed legal protection to the extent: (1) they have reasonable grounds to believe that the information reported was true at the time of the report; and (2) the whistleblower reported either internally to the organization, externally to a competent authority, or publicly. Private sector organizations with 50 or more workers are legally required to establish channels and procedures for internal reporting of EU law breaches and conduct appropriate follow-up. 

In this episode, Mike Volkov is joined by Daniela Melendez and Alex Cotoia from the Volkov Law Group, who bring their expertise to the table as they delve into the EU Directive and its implementation by several member states. Listen to this discussion to understand and navigate the complexities of the EU Whistleblowing Directive.

• The EU Whistleblower Directive shifts the burden of proof on retaliatory actions to the person taking the detrimental action, requiring them to demonstrate it was not linked to reporting concerns.
• Global companies are taking a proactive stance by increasingly focusing on robust ethics and compliance programs. This strategic move is aimed at mitigating risks and promoting positive corporate citizenship in today's economy, where adherence to legal and ethical standards is paramount.
• France signed the EU Directive into law on March 21, 2022, outlining protocols for gathering and handling whistleblower reports, including a two-month deadline for imposing disciplinary sanctions.
• Germany enacted the EU Directive on May 12, 2023, allowing anonymous reports and setting a three-month investigation deadline after receiving the report.
• Spain addressed the EU Directive on February 2023 by covering additional topics like occupational health and safety breaches. The directive established a three-month deadline for investigations and allowed anonymous reports.
• Italy transposed the EU Directive on August 4, 2022, including administrative, financial, civil, and criminal offenses not covered by the Directive, with a 30-day deadline to conduct investigations upon receipt of reports.
• Companies are advised to make resources available to conduct investigations quickly due to the short timeframes set by various countries' whistleblower protection laws.

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Alex Cotoia on LinkedIn 

Email: [email protected]

Daniela Melendez on LinkedIn

Email: [email protected]

NAVEX continues to produce high-quality compliance reports, many of which are a must-read in the compliance industry. Its annual Whistleblower Report is of particular note -- NAVEX is the leading provider of hotline services in the world, and its data is invaluable as a source of trends in this industry. This year --2024 -- is no exception. NAVEX combed through the data from 3784 organizations for 2023. Its headline conclusion -- 2023 was a busy year, with a record level of use and the substantiation rate reaching an eleven-year high. More reports came in, and more were found to be true. 

Listen in as Michael discusses the findings of these reports and why the increase is a good sign, not a bad sign. It means that employees trust their respective hotline reporting systems to produce results.

• NAVX's 2024 Whistleblower Report revealed a record level of use and an 11-year high substantiation rate, indicating increased trust in employee reporting systems.
• Accounting-related reports, comprising approximately 4.3% of all reports in 2023, had a significant impact. With a median substantiation rate of 50%, these reports often led to employment separation events, underscoring the seriousness of the issues raised.
• Third-party reports were more likely to focus on business integrity and financial misconduct issues, accounting for 50% of reports compared to employees' 17%.
• Reports of imminent threats had a high substantiation rate in 2023, with nearly 9 out of 10 reports proven to be substantiated, highlighting the seriousness of such issues.
• Workplace civility complaints increased to 18% of reported cases, reflecting a growing concern within organizations about maintaining a respectful work environment and culture.
• HR issues, a significant portion of all reports in 2023, accounted for 55% of the total. This underscores the importance of addressing internal workplace issues, such as workplace discord, discrimination, harassment, and retaliation, to maintain a healthy and productive work environment.
• Clear Channel's extensive cooperation with the investigation, prompt sharing of facts, document production, and employee interviews demonstrated a commitment to transparency and accountability in addressing compliance issues.

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

OFAC is capable of extending a long arm of enforcement, reaching sometimes non-U.S. companies that may "cause" another company to violate U.S. Sanctions laws. If you need to find an example of this long reach, look no further than OFAC's recent settlement with SCG Plastics ("SCG"). In this settlement, SCG, a Thai company that sells plastic resins, agreed to pay $20 million for violations of the Iran Sanctions Program.

In this episode, Michael Volkov explores the series of actions that led to that $20 million dollar settlement, and the consequences.

• In a recent enforcement action, SCG Plastics paid OFAC $20 million to resolve violations of the Iran sanctions program, showcasing OFAC's far-reaching jurisdiction.
• SCG Plastics caused U.S. financial institutions to process $291 million in wire transfer sales of High-Density Polyethylene Resin (HDPE) of Iranian origin from 2017 to 2018, which violated the Iran sanctions program.
• SCG Plastics voluntarily disclosed 10 violations but did not disclose 457, which led to OFAC determining all 467 violations as egregious.
• The size of the settlement was due to multiple aggravating factors: SCG Plastics willingly engaged in a multi-year pattern of conduct designed to circumvent the Iran sanctions program, causing significant harm to OFAC sanction policy objectives while earning substantial revenues.
• Importantly, commercial activity that may fall outside the jurisdiction of OFAC sanctions can still result in a violation when the financial transactions related to the activity are processed through or involve U.S. financial institutions.
• OFAC emphasized the risks for non-U.S. companies engaging in conduct that causes U.S. persons to violate sanctions, in this case processing the transactions, which would not have been done with adequate disclosure, highlighting the importance of compliance with U.S. sanctions and export control laws.

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group