Compliance Perspectives

By Adam Turteltaub Benjamin Christenson, Trial Attorney and Special Assistant to the Director for Criminal Enforcement at the US Department of Justice Antitrust Division, joins us for this podcast in which he sheds light on the their document, Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (ECCP). First issued in 2019, the ECCP was updated in 2024 to reflect changes in business, the law and technology, as well as what the Antitrust Division had learned over the last five years. He shares that there are three significant areas of focus in the ECCP worth particular study: AI and Emerging Technology. As companies deploy AI, it’s essential that compliance teams have visibility into what is being done, understand it and monitor antitrust issues such as using the technology to fix prices. NDAs and Whistleblowers. Like others in enforcement, the DOJ is concerned when a non-disclosure agreement may have a chilling effect on potential whistleblowers who are considering reporting an issue to the US government. In addition, whistleblowers need to know that they are protected by Federal law. Third party communication platforms. As employees increasingly move out of email and use texts or tools such as WhatsApp, organizations need to train their workers of the need to preserve the documents Overall the ECCP is very similar to the Criminal Division’s document on evaluating compliance programs, but the latest Antitrust Division ECCP is worth spending time with on its own right, especially if you have risk in this area. Listen in to learn more. Listen now

By Adam Turteltaub Want to improve your code of conduct? Don’t miss the session: Cornering the Code: A Multi-Disciplinary Approach Toward a Better Code of Ethics at the 2025 SCCE European Compliance &  Ethics Institute. In this podcast Matej Drascek, Head of Internal Audit at LON d.d. and Ursula Schmidt of Schmidt Advisory recommend starting with the right language. Research has shown, they explain, that people react more strongly to words like “we” and “our”, which can convey a stronger sense of shared responsibility  than words like “you”, “I” or “it”. Also, words like “must” or “have to” carry more weight than “may” or “should”. Of course, just using “we” and “must” won’t do it all. The code, they tell us, should have a service character that gives guidance to people and gives employees a sense of purpose. It should also be dynamic and work as a bit of a safety valve. It should provide reassurance that it protects them from making mistakes and helps them feel safer when addressing issues. For the code of conduct to be valuable in a crisis, it must have first been written clearly and avoid ambiguity. It should fit the organization’s culture, be practical, and able to be applied in a reasonable manner. Listen in to learn more. Then don’t miss their session at the 2025 SCCE European Compliance & Ethics Institute. Listen now

By Adam Turteltaub I want to write enough about this podcast to get you to listen to it, but not too much because then you might decide that reading this was enough. I’m conflicted, and conflicts of interest are the topic of this podcast with Kasturi Venkatesh, who spoke on the topic “Ethics in Action: A Fun Guide to Tackling Personal Conflicts of Interest” at the 2024 SCCE Compliance & Ethics Institute. When it comes to managing the issue, she explains, the primary goal for compliance teams is to help the workforce identify and bring forward potential conflicts. The challenge is that they often hesitate to bring these issues to management or the compliance team out of fear and a lack of understanding. Training is helpful, but it can’t demonstrate all the potential issues, nor can it always overcome the anxiety. That takes a personal touch of reassurance. In this podcast, Kasturi makes the case for a gentle hand a nuanced eye. The compliance team needs to be aware of the sensitivities of workers and also that, in some geographies, for example, with limited talent pools, there are likely to be many potential conflicts of interest. The nuanced eye needs to understand that challenge as well as see subtle issues, such as two connected workers who are “safely” in different departments, but there may still be some interaction between the two that could prove problematic. Listen in to learn more. Listen now

By Adam Turteltaub On November 6, 2024, the U.K.'s Home Office issued Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud (the Guidance). It comes out of the  Economic Crime and Corporate Transparency Act (ECCTA), which establishes that a corporation can be held criminally liable for failing to prevent fraud committed by any “associated person” for the benefit of the company. This “associated person” can be an employee or even a third party. There is a defense, explains James Tillen, member at Miller & Chevalier, for organizations that had reasonable prevention procedures at the time of the offence. What constitutes reasonable? There are six principles: Top level commitment A risk assessment Proportionate risk-based prevention procedures Due diligence Communication and training Monitoring and review Sound familiar? It is, since it builds off the guidance for the UK Bribery Act and is very similar to the US approach. It’s not identical, though, since, unlike the US criteria for evaluating compliance programs, this guidance is fraud-specific, with details designed to address the risks posed by the fraud triangle of motive, opportunity and rationalization. Listen in to learn more about the guidance and the particular attention it pays to monitoring the mental well-being of employees. Listen now

By Adam Turteltaub Auditing and monitoring of the compliance program is pretty standard these days.  Entain’s Karen Nightingale, Group Director of Ethics & Compliance and Jonathan Fox, Group Head of Ethics & Compliance Programmes, make the case in this podcast for going to the next level and actively testing your program. The two will also be addressing the topic at the 2025 SCCE European Compliance & Ethics Institute, which will take place in Lisbon, 10-12 March. Doing so, they suggest, can turn a reactive compliance program into a proactive one by actively searching for points of weakness, identifying red flags in advance and addressing them early. In practice, testing is more like an audit. It should be done periodically and provide an in-depth look at whether processes and controls are working as intended. By going deeper, it can uncover where there may be a weakness in what may appear to be a strong process as a whole. To determine what controls to test, there are several factors. First is recognizing that your organization likely has limited resources: don’t plan a test that you don’t have the resources to carry out. Second, identify the taxonomy of risks and which fall within the compliance team’s remit. Next, prioritize the risks: identify the highest risks and start there. As you do this work, ask for help from other parts of the organization. HR, legal, internal audit and others may all be great help. Listen in to learn more, and then plan on attending their session at the 2025 SCCE European Compliance & Ethics Institute. Listen now

By Adam Turteltaub Note:  This podcast was recorded on December 17, 2024.  Any changes made after this date will be addressed at the Compliance Institute. At the 2025 HCCA Compliance Institute in Las Vegas, Adam Greene (LinkedIn), partner at Davis Wright Tremaine LLP will be leading the session “New Developments in Health information Privacy.” In this podcast he provides an overview of what he sees as notable privacy compliance challenges and what compliance teams need to be doing. Starting with the HIPAA Privacy Rule, reproductive information is the top of the list. There was a December 23, 2024 deadline for covered entities and business associates to have implemented a prohibition of using any personal health information (PHI) for the purposes of imposing liability or investigating reproductive health care that is lawful under state or federal law. That information, per the rule, should not even be provided to law enforcement or courts that seek to punish an individual for providing or facilitating that care. Relatedly, there is an attestation requirement in instances of judicial or law enforcement information requests that the requester is not seeking the PHI for this prohibited purpose. That is causing a great deal of confusion and challenge for compliance officers. Adding to the confusion is the possibility that the new Administration may reverse the policy. For now, though, he shares, it’s prudent to follow the rule until such time that changes are made by the government. Listen in to learn more about the complexities of this issue, the Confidentiality of Substance use Disorder Patient Record Rule, his insights on website disclosures of user information, and more. Then plan to join his session at the 2025 HCCA Compliance Institute in Las Vegas, taking place April 28-May 1. Listen now

By Adam Turteltaub Well, it turns out that you can be in two places at once, if you are a surgeon. Even better, you can bill the government under the Medicare program for being at both of them. It’s not quite as strange as it sounds, explains Sara Brinkmann, Partner, and Lauren Gennett, Counsel, of King & Spalding, and, of course, there are rules. Overlapping surgeries occur when one attending surgeon is responsible for procedures that overlap in time. The attending may perform the critical part of the procedure in both, assuming they are not supposed to happen at the exact same time. Non-critical portions of the procedure, such as closing the patient, are left to a resident. There must also be a backup surgeon in case something goes awry. Payment for both surgeries is possible so long as there are the requisite safeguards in place and the various other CMS rules are followed. There may also be state requirements to be mindful of as well. If those rules aren’t followed, there is substantial risk. As they explain, overlapping surgeries have been the subject of intense scrutiny and enforcement actions. Listen in to learn more, and, for the record, overlapping podcast listening is not approved. Listen now

By Adam Turteltaub On November 22, 2024, Principal Deputy Assistant Attorney General Nicole Argentieri recapped the changes made during the Biden Administration in enforcement policies and announced a few new ones. To better understand what this all means, we spoke with Daniel Kahn (LinkedIn) , partner at Davis Polk, and himself a veteran of the DOJ. There were a number of meaningful changes during the last few years, he noted. Most notably the voluntary disclosure program was significantly expanded, with companies with aggravating circumstances now able to still have the possibility of a declination. There is a catch, though, the bar for cooperation has been raised. The organization must have disclosed promptly, engaged in extraordinary cooperation and remediation and have had an effective compliance program at the time of the incident. A new change, just announced, is the addition of what we referred to in the podcast as “clawforwards” in addition to clawbacks.  Organizations are expected to not pay bonuses to employees involved in suspected wrongdoing. Perhaps the greatest change just announced is a difference in how the DOJ handles self-disclosures. In the past companies that did not have a perfect self-disclosure might find themselves a bit stranded. Now the DOJ is recognizing good faith efforts even when the voluntary disclosure may not have been as timely as it could have been. Listen in to learn more and to hear what he says companies should do with an upcoming change in administration. Listen now

By Adam Turteltaub Once again it is time to sit down with Matt Kelly (LinkedIn), Editor and CEO at Radical Compliance and discuss what happened last year and where the compliance profession is going in the new one. In this podcast we looked back at 2024 and explored five key topics. Changes from the DOJ The DOJ recently issued a recap of its key activities over the last year or so, and Matt notes that a key change has been an increased willingness to give credit to companies that work with the Department of Justice.  In the past, the DOJ had only given full credit to companies that had self-disclosed, but now there is greater leniency for organizations who have demonstrated that they are willing to cooperate with the government and make serious remediation efforts. Lessons from Recent Dispositions Matt pointed to the TD Bank case and noted that, as he saw it, the company laid the seeds for its scandal by having a zero expense growth strategy  across its business.  That led to compliance spending shrinking, rather than growing, as the business rapidly expanded.  The key lesson there:  recognize the compliance risks of your business strategy. Looking at Boeing’s continued woes he notes that the court has now made quality a central part of the company’s compliance metrics.  The definition of compliance and scope of compliance programs could well be growing, with the recognition that having a speak up culture and effective controls isn’t just valuable for legal and regulatory compliance. From the RTX case he finds a lesson for companies in the importance of thorough due diligence and taking the time to understand the risks fully prior to acquisition. Compliance Team Struggles Compliance teams still need to earn their place fully as a trusted advisor for issues outside of the traditional compliance lane, such as AI and supply chain risk, which is often divided up among several departments. Compliance Program Progress The vast majority of CEOs now see compliance as much more than a check the box exercise.  They also recognize that having an ethical workforce is an asset. Matt also notes great progress in anticorruption due diligence and an opportunity to show that the same tools that help vet third parties in this risk area can be useful in many others. Listen in to learn more about his thoughts about 2024 and to prepare for a successful 2025. Listen now

By Adam Turteltaub Retaliation is the bane of every compliance program, with the potential of destroying employee confidence in reporting systems, not to mention embarrassing and expensive lawsuits. It is also complex and can be subtle, explains Keith Read, a former chief ethics and compliance officer and author of the book The Unconventional Compliance Officer: Doing Things Differently. There is overt retaliation, such as firing an employee for blowing the whistle. But there is also softer, more subtle retaliation, such as not including the whistleblower in meetings or on projects. He advises compliance teams to be sensitive to all of the many forms of retaliation and to treat it  as a risk area. That means look at where and how retaliation can occur, and then take the time to determine if is occurring. Track how the careers of whistleblowers go and see if the trajectory has changed for the worse. Also, look to patterns in management.  He found that retaliation followed certain managers around the organization. With this data in hand, you are better able to both support the whistleblower and foster a stronger culture of compliance. Listen in to learn more about how to prevent retaliation from undercutting your compliance program. Listen now