

Corruption Crime & Compliance
Michael Volkov
Michael Volkov tackles the current and hot topics in the legal realms of corruption, crime, and compliance.
Episodes

Sep 18, 2023 • 11min
Corficolombiana DOJ and SEC FCPA Settlements
When operations span across borders, navigating local regulations and ethical standards becomes even more crucial. As evidenced by Corficolombiana's case, neglecting these measures can lead to hefty legal ramifications and significant economic repercussions. In this episode of Corruption, Crime and Compliance, Michael Volkov unravels the Corficolombiana and Grupo Aval scandal, shedding light on the importance of implementing and maintaining robust ethics and compliance programs for global companies.
You’ll hear Michael talk about:
- Corfico is a subsidiary of the Colombian financial behemoth, Grupo Aval. The two entities agreed to substantial settlements with both the DOJ and SEC, stemming from allegations of a bribery scheme in Colombia. It emerged that Corfico had conspired with Odebrecht, a Brazilian construction firm, to pay around $23 million in bribes to influential Colombian government officials to clinch the project. The DOJ's settlement with Odebrecht throws more light on the matter.
- Corfico's forthcoming cooperation with both DOJ and Colombian authorities demonstrated their intent to amend their ways.
- Corfico embarked on extensive remedial measures, which the DOJ acknowledged and appreciated. This included a comprehensive root cause analysis and subsequent enhancements to their corporate governance and controls. Corfico also revamped its compliance program, introducing improved reporting, investigation, and disciplinary procedures and revisited its anti-corruption compliance program.
- The DOJ extended a 30% fine reduction to Corfico, a significant reprieve. What stood out, however, was the decision against appointing an independent compliance monitor in this case. Such international scandals accentuate the risks that large projects in foreign lands pose. Drawing parallels with the ABB case, it’s clear that ethics and compliance are non-negotiables for global firms.
KEY QUOTES
- “The DOJ credited Corfico's cooperation, citing its production of facts obtained through the company's internal investigation, making numerous detailed factual presentations that distilled certain key factual information producing documents that the government may not have been able to get access to because of foreign data privacy laws providing sworn testimony from Colombia.” - Michael Volkov
- “Corfico promptly engaged in extensive remedial measures, including, among other things, conducting a root cause analysis of the bribery scheme identified during the internal investigation. Promptly took the actions to enhance its corporate governance and controls and joint venture entities as well as improved its oversight of noncontrolled joint ventures and investments, overhauled its compliance program… As a result of this, the DOJ awarded Corfico a 30% reduction off the bottom of the applicable guidelines fine range.” - Michael Volkov
- “It's always good to look at the underlying conduct, and imagine: If you're working in a company, with your compliance program, would you have been able to detect this? How would your compliance program have prevented this from occurring?” - Michael Volkov
Resources
- Michael Volkov on LinkedIn | Twitter
- The Volkov Law Group

Sep 11, 2023 • 14min
Justice, Commerce and Treasury Departments Issue Comprehensive Tri-Party Voluntary Disclosure Guidelines for Sanctions and Export Control Violations
A proactive approach to sanctions and export control compliance is crucial for companies. The DOJ, Commerce Department, and Treasury Department issue guidelines on voluntary disclosure for violations. The landscape of sanctions enforcement is evolving rapidly with designated prosecutors. The Joint Criminal Enterprise (JCE) Guidance provides detailed guidelines for voluntary disclosures. The episode highlights the importance of voluntary disclosures for reducing civil penalties and of effective compliance programs.

Sep 4, 2023 • 13min
SEC Adopts Robust New Cybersecurity Disclosure Rules
The podcast discusses the SEC's adoption of new cybersecurity disclosure rules that require public companies to disclose incidents and governance policies. Noteworthy changes include filing Form 8-K within four days of determining materiality and comprehensive cybersecurity risk management in annual Form 10-K filings. The rules also mandate disclosure of board committees responsible for oversight and monitoring processes. Implementation and potential appeals of these rules are considered.

Aug 28, 2023 • 13min
Board Oversight and Monitoring of AI Risks
As companies rapidly adopt artificial intelligence (AI), it becomes paramount to have robust governance frameworks in place. Not only can AI bring about vast business benefits, but it also carries significant risks—such as spreading disinformation, racial discrimination, and potential privacy invasions. In this episode of Corruption, Crime and Compliance, Michael Volkov dives deep into the urgent need for corporate boards to monitor, address, and incorporate AI into their compliance programs, and the many facets that this entails.
You’ll hear Michael talk about:
- AI is spreading like wildfire across industries, and with it comes a whole new set of risks. Many boards don’t fully understand these risks. It's important to make sure that boards are educated about the potential and pitfalls of AI, and that they actively oversee the risks. This includes understanding their obligations under Caremark, which requires them to exercise diligent oversight and monitoring.
- AI is a tantalizing prospect for businesses: faster, more accurate processes that can revolutionize operations. But with great power comes great responsibility. AI also comes with risks, like disinformation, bias, privacy invasion, and even mass layoffs. It's a delicate balancing act that businesses need to get right.
- Companies can't just use AI, they have to be ready for it. That means adjusting their compliance policies and procedures to their specific AI risk profile, actively identifying and assessing those risks, and staying up-to-date on potential regulatory changes related to AI. As AI grows, the need for strong risk mitigation strategies before implementation becomes even more important.
- The Caremark framework requires corporate boards to ensure that their companies comply with AI regulations. Recent cases, such as the Boeing safety oversight, demonstrate the severity of the consequences when boards fail to fulfill their responsibilities. As a result, boards must be proactive: ensure that board members have the technical expertise necessary, brief them on AI deployments, designate senior executives to be responsible for AI compliance, and ensure that there are clear channels for individuals to report issues.
KEY QUOTES
- “Board members usually ask the Chief Information Security Officer or whoever is responsible for technology [at board meetings], ‘Are we doing okay?’ They don't want to hear or get into all of the details, and then they move on. That model has got to change.”
- “In this uncertain environment, stakeholders are quickly discovering the real and significant risks generated by artificial intelligence, and companies have to develop risk mitigation strategies before implementing artificial intelligence tools and solutions.”
- “Board members should be briefed on existing and planned artificial intelligence deployments to support the company's business and/or support functions. In other words, they've got to be notified, brought along that this is going to be a new tool that we're using, ‘Here are the risks, here are the mitigation techniques.’”
Resources:
- Michael Volkov on LinkedIn | Twitter
- The Volkov Law Group

Aug 21, 2023 • 27min
Matt Stankiewicz on Ripple Decision and Indictment Against Celsius Networks’ CEO
According to critics, there are a lot of gray areas surrounding compliance and the SEC's position on cryptocurrency regulations. Such uncertainty poses challenges for legitimate crypto projects and creates room for fraudulent activities to thrive. Such is the case for Ripple and Celsius, two recent controversies making waves in the crypto world.
Matt Stankiewicz is a Managing Counsel at The Volkov Law Group. His expertise includes financial regulation and compliance, with a focus on securities, anti-money laundering (AML), and cryptocurrency regulation. Given his professional background and interest in crypto regulations, he is a frequent speaker on legal matters concerning cryptocurrency exchanges and the SEC.
You’ll hear Michael and Matt discuss:
- The SEC faces criticism for its unclear stance on cryptocurrency regulations. Such uncertainty poses challenges for legitimate crypto projects and creates room for fraudulent activities to thrive.
- The Ripple case offers a complex view into how cryptocurrencies are perceived legally. While some sales of XRP tokens were considered securities, others weren't, a distinction that has sent ripples through the crypto world. The case's broader implications, especially with the SEC's decision being appealed, hold immense importance for other companies in similar situations.
- Bad actors can exploit innovative technologies and make things worse for everyone else. With the CEO and CRO of Celsius charged with fraud and numerous questionable practices coming to light, the importance of stringent regulations and monitoring becomes abundantly clear. Strong compliance programs serve as bulwarks against fraudsters and those under sanctions, ultimately safeguarding both the platform and its users. However, regulating an asset as novel and dynamic as cryptocurrency is no easy feat. Critics claim the SEC's approach leans more toward enforcement than establishing clear rules.
- Matt underscores the importance of erecting a sturdy compliance structure within the cryptocurrency industry. He emphasizes that such programs are not just regulatory measures but critical tools to ward off fraudsters and maintain the industry's reputation.
KEY QUOTES
- “[Crypto] is a brand new asset. It’s virtually impossible to pigeonhole it to any other kind of real-world asset right now.” - Matt Stankiewicz
- “Don't cripple the good projects because there’s some bad people out there.” - Matt Stankiewicz
- “The SEC just says, well, ‘You should know. You’ve got to figure it out; we're not your attorneys.’ Which is fair in some regard, right? But that said, it's not helpful. The SEC needs to provide some kind of guidance here.” - Matt Stankiewicz
Resources
- Matt Stankiewicz on LinkedIn
- Email: mstekwitz@volkofflaw.com

Aug 14, 2023 • 18min
The Importance of a Consequence Management System
Transparency, ethics, and compliance are more than just corporate buzzwords; they're foundational to building trust in today's global organizations. Consequence management systems encompass elements like transparency, robust employee reporting, protective measures for whistleblowers, and effective internal investigations. These are all essential for maintaining organizational justice, trust, and integrity. In this episode of Corruption, Crime and Compliance, Michael Volkov underscores the value of collecting and analyzing employee reports, the pivotal role of Chief Compliance Officers, and the integration of compliance compensation with consequence management.
You’ll hear Michael talk about:
- Global companies now recognize the significance of robust consequence management systems, which encompass vital processes from internal investigations to disciplinary actions. A pivotal aspect of these systems is transparency, especially when designing and implementing employee reporting.
- When it comes to effective employee reporting, a system is more than just a hotline; it involves tracking and addressing concerns in real-time. To foster trust, such systems must operate promptly, fairly, and consistently, ensuring that reporters are protected against obstruction and/or retaliation.
- Key components of an effective reporting system include:
  - Clear internal communication, which ensures employees feel heard.
  - Foundational support, which bolsters efficiency.
  - Collated reports from diverse sources, which offer insights into the company's culture and potential risks.
  - Transparency and consistency, as sporadic disclosure can negatively influence employees' perceptions of a company's intentions.
- A CCO’s commitment is reflected when issues are investigated and addressed swiftly and justly. They play a crucial role in collecting and analyzing employee reporting data, as well as educating senior management and boards on the significance of employee reports.
- Companies need to establish written protocols for internal investigations to ensure that they are conducted fairly and impartially. These protocols should outline the steps that will be taken during an investigation, as well as the rights of the employees involved. The protection of employees and whistleblowers is paramount.
- An internal oversight committee should be responsible for overseeing internal investigations. Regular reviews ensure that procedures are followed consistently and that there is a focus on quality. Additionally, all investigations should be properly documented and resolved in order to maintain integrity.
- Compliance and consequence management systems should work together to meet the expectations of the DOJ, promoting corporate citizenship and financial success.
KEY QUOTES
- “A true employee reporting system includes reports to supervisors, walk-ins to human resources, walk-ins to legal and compliance, and an automated reporting system.” - Michael Volkov
- “The real question is whether the company backs up its statement through specific actions. This cannot be accomplished through words, but really only through deeds, through actions. All too often, companies get ahead of themselves. They make these broad pronouncements. They sound good, they pat each other on the back, and they don't build the essential foundations and infrastructure needed to establish an effective employee reporting system.” - Michael Volkov
- “As a basic initial requirement, every company should adopt a written internal investigation protocol that is published internally, promoted internally to demonstrate a commitment to transparency, and those protocols and procedures should be followed to the T.” - Michael Volkov
Resources:
- Michael Volkov on LinkedIn | Twitter
- The Volkov Law Group

Aug 7, 2023 • 15min
How to Build a Compliance Compensation System
The DOJ is advocating for increased consequences for individuals who engage in misconduct or fail to exercise proper oversight, via the implementation of compliance compensation programs that include financial penalties. Companies need to develop incentives and penalties in a balanced manner to maintain ethical performance, while ensuring the potential for accountability. A crucial aspect of enforcing these policies is the execution of robust clawback provisions as part of the executive's contract and bonus terms. These clawbacks can act as a deterrent for misconduct, and their enforceability largely depends on the clarity of their language, among other things. In this episode of Corruption, Crime and Compliance, Michael Volkov explores compliance compensation systems and their role in corporate governance in detail.
You’ll hear Michael talk about:
- Clawback provisions are important rules that determine how executives' contracts and bonus terms can be enforced. Companies have a responsibility to execute robust clawback provisions to ensure accountability and deter misconduct.
- Compliance programs are becoming increasingly vital to global companies as they grapple with complex legal and economic risks. These programs are crucial in reinforcing compliant behavior and promoting positive corporate citizenship.
- The DOJ has emphasized the importance of compensation systems and consequence management in corporate compliance programs. Not being proactive in reviewing these systems is considered a serious mistake that requires urgent attention and correction.
- DOJ's focus has expanded towards consequence management, seeking to escalate penalties for those involved in misconduct. Companies are required to implement compliance compensation programs focusing primarily on clawbacks.
- Clawback policies, often limited to senior executives and specific conduct, need to be broadened in their scope and applicability. Notably, the Dodd-Frank Act mandates listed companies to have a written clawback policy for financial restatements resulting from accounting misconduct.
- Compliance rewards act as a significant incentive for ethical behavior and compliance. Executives and managers who fulfill specific compliance requirements may become eligible for performance-related rewards.
- Compliance compensation systems must be designed to hold individuals accountable for misconduct. Penalties, including retroactive discipline and financial penalties like clawbacks or deferred compensation systems, can be potent deterrents.
- A comprehensive compliance compensation system requires careful crafting to minimize litigation and defense possibilities. It involves identifying the executives and managers to be included in the penalty system and determining the corresponding percentage penalties.
- A company must balance its incentive structure, considering factors like large contingent payouts to executives and ethical performance requirements. Clarity in written policies and employment agreements fortifies clawback provisions.
- Collaboration between business, finance, legal, and HR is pivotal in the design and implementation of effective compliance reward and penalty systems.
KEY QUOTE:
- “The DOJ wants to add to their risk calculation, and that's requiring companies to implement compliance compensation programs that include financial penalties against those actors who engage in misconduct, or supervisors that fail to rein in their underlings or conduct proper oversight to ensure compliance.” - Michael Volkov
Resources:
- Michael Volkov on LinkedIn | Twitter
- The Volkov Law Group

Jul 31, 2023 • 10min
CFPB and OCC Hit Bank of America with $250 Million Penalty for Consumer Abuse Practices
Bank of America joins the infamous club of consumer abusers in the banking industry, despite the alarm bells set off by the notorious Wells Fargo case. On this week's episode of Corruption, Crime and Compliance, host Michael Volkov explores the shocking details of Bank of America's recent $250 million settlement for account fraud and abuse with the Consumer Financial Protection Bureau (CFPB) and the Office of the Comptroller of the Currency (OCC). This episode shines a light on corporate complacency, the inherent risk of ill-conceived sales incentives, and the importance of internal risk assessment in the wake of industry scandals.
You’ll hear Michael discuss:
- The fraudulent practices perpetrated by Bank of America, compared to the infamous Wells Fargo scandal. He examines the similarities in the unethical practices and failure to adhere to consumer protection laws, and the recurring patterns in the banking industry's consumer abuse cases.
- The pitfalls of sales incentives structures, particularly when they lack appropriate checks and balances. Mike elaborates on how ill-considered incentives can encourage misconduct among salespeople.
- The enforcement actions brought by the CFPB and OCC against Bank of America: fines amounted to $250 million—$190 million for consumer harms and penalties to the CFPB and $60 million in penalties to the OCC.
- Unscrupulous methods adopted by Bank of America employees to reach their sales targets included illegally applying for and opening credit card accounts and charging customers multiple overdraft fees for the same transactions, significantly hurting consumers financially.
- Michael dissects the bank's promotional tactics, particularly the false advertising of special offers and the denial of sign-up bonuses due to inherent failures in their business systems. He discusses the negative impact of these practices on customers and the bank's reputation.
- Highlighting the current stringent regulatory environment, Michael stresses the need for organizations, especially banks, to maintain stringent internal audits and compliance measures. Based on the recent enforcement actions, Michael makes informed predictions about potential regulatory actions against Bank of America and discusses the bank's responsibilities moving forward.
KEY QUOTES:
- "You would think that Wells Fargo's case would have sent alarm bells throughout Bank of America to take a look at their own sales practices to make sure they don't suffer from the same type of abuse of conduct. And what's clear is Bank of America just kept its head down, blinders on, and then developed their own problem." - Michael Volkov
- "Bank of America employees illegally applied for and then enrolled customers in credit card accounts in order to reach sales incentive goals." - Michael Volkov
- "This is a tough regulatory environment, and you would think Bank of America would try to address that through some kind of mitigation and sort of risk analysis and conducting audits to make sure that they don't run into future abuses and practices like this." - Michael Volkov
Resources:
- Michael Volkov on LinkedIn | Twitter
- The Volkov Law Group

Jul 24, 2023 • 21min
Cybersecurity and Compliance: The Growing Partnership of CISOs and CCOs
In today’s world, data is the new gold, and protecting it has become imperative for businesses worldwide. On this week's episode of Corruption, Crime and Compliance, Michael Volkov navigates the cybersecurity landscape, unpacking the key threats haunting businesses and the elements of a robust cybersecurity compliance program. He underscores the importance of proactively managing these digital threats to ensure your business remains protected.
You’ll hear him discuss:
- The growing partnership between compliance and cybersecurity is a rapidly emerging issue in compliance, affecting companies and their risk management strategies. Cyber threats are not only external but also internal, resulting from employee behavior and cybersecurity hygiene.
- Chief Information Security Officers (CISOs) are increasingly collaborating with Chief Compliance Officers (CCOs), leveraging the latter's expertise in governance, risk management, and training. This collaboration enables better education and training for employees on cybersecurity risks and the importance of good cybersecurity hygiene.
- Approximately 50% of cyber or data breaches are the result of internal actors, either intentionally or through negligence. Thus, CCOs can play a crucial role in designing controls, conducting training, and monitoring employee behavior to mitigate such risks.
- Major cybersecurity risks today include ransomware, cloud security, work from home security, phishing schemes, supply chain security, and identity and access management (IAM).
- The rise of cyber threats: The digital landscape is rife with cybersecurity threats, including insider threats, DoS and DDoS attacks, AI and machine learning attacks, and cyber espionage.
- Organizations need to be vigilant against disgruntled employees with access privileges who could intentionally or unintentionally harm systems. This emphasizes the need for robust access controls, regular monitoring, and comprehensive employee training.
- While AI and machine learning can enhance cyber defenses, they can also be weaponized by cybercriminals to automate and scale their attacks.
- A robust cybersecurity compliance program is necessary to protect a company's IT infrastructure and includes:
  - Application Security: Familiarity with cloud security policies and the implementation of multifactor controls and administration privileges can help strengthen application security.
  - Information Security: Companies must adhere to strict security standards and employ encryption among other strategies to protect data from possible breaches.
  - Disaster Recovery Planning: This requires implementing backup and recovery systems, incident response drills, and endpoint protections.
  - Network Security: Most companies use firewalls to monitor traffic for cyber threats and attacks. Companies must also secure their wireless networks and ensure that remote connections are encrypted.
  - End User Security: Since hackers often gain unauthorized access through endpoints, companies must ensure that devices are updated with security programs and antivirus applications.
  - Operational Security: This involves identifying any potential vulnerabilities that could be exploited by a hacker.
- Given the prevalence of phishing attacks and insider threats, cyber training for employees is of paramount importance for an organization's cybersecurity.
KEY QUOTE:
- “In the end, cybersecurity fails when there's a lack of adequate controls and security readiness, and companies have to make smart strategic decisions when developing their controls and cybersecurity protections; and always focus on the human element, common mistakes, effectiveness of controls and vulnerabilities to hacker strategies to exploit any weaknesses.” - Michael Volkov
Resources
- Michael Volkov on LinkedIn | Twitter
- The Volkov Law Group

Jul 17, 2023 • 16min
NAVEX's 2023 State of Risk and Compliance Programs
Dare we imagine a world where companies are driven by their compliance obligations as much as they are by their financial performance? In a progressively interconnected and fast-paced digital world, compliance matters more than ever. Non-compliance can swiftly result in reputational damage, punitive fines, and compromised stakeholder trust. As such, more organizations are beginning to embrace the importance of having mature, robust compliance programs. This episode of Corruption, Crime, and Compliance with Michael Volkov dives into NAVEX's 2023 State of Risk and Compliance report. The report delivers a comprehensive overview of the global compliance landscape and sheds light on critical trends that are reshaping the field.
You’ll hear him discuss:
- We've seen a substantial increase in organizations with mature compliance programs - 53% in 2023, compared to 38% in 2022. This is a testament to organizations worldwide waking up to the importance of compliance in their everyday operations.
- The power of leadership: robust leadership support is crucial when it comes to fostering a thriving compliance program. Strong board and executive-level engagement have proven instrumental in driving these changes.
- As the world becomes more digitized, cybersecurity threats have increased exponentially. Consequently, cybersecurity has skyrocketed to the top of compliance concerns, indicating how cyber threats and breaches have a far-reaching impact on organizations.
- Compliance and information security professionals are coming together like never before. This internal partnership proves crucial in managing cybersecurity risks and ensuring the safety of organizational data.
- The NAVEX report identified five high-stake risks that organizations should keep on their radar: cybersecurity, regulatory compliance, harassment and discrimination, anti-bribery and corruption, and diversity, equity, and inclusion. Addressing these will require diligence and strategic planning.
- There has been a decline in middle management's commitment to compliance compared to 2022. This dip stresses the need for targeted interventions to maintain the integrity of the compliance culture.
- From HR to IT, effective compliance necessitates collaboration across all levels and departments.
- With growing compliance demands, organizations are realizing the importance of purpose-built solutions. These platforms help manage third-party risks, policy management, and provide ethics and compliance training, making them indispensable in the modern compliance toolkit.
KEY QUOTES:
- “So 53% stated that their organization had a mature compliance program and risk management program and that was compared to only 38% in 2022. Now that to me is a really welcome sign.” - Michael Volkov
- “I think perhaps the most significant finding in this area to me was that in recognition of the rising threat level from cybersecurity attacks, ransomware, data privacy, ethics and compliance professionals are forging new and lasting internal partnerships with information security professionals.” - Michael Volkov
- “Three quarters of respondents reported that senior leaders encourage compliance in the organization, and nearly as many report that senior leaders demonstrate their commitment to compliance to employees. So it's not just words, but it's words and actions. However, there was one troubling concern, and that was with respect to middle management. …So NAVEX reported a lower commitment compared to the 2022 report with regard to middle management commitment to compliance.” - Michael Volkov
Resources
- Michael Volkov on LinkedIn | Twitter
- The Volkov Law Group
- NAVEX State of Risk and Compliance Report


