FTC Will Grant Six-Month Delay of Enforcement of ‘Red Flags’ Rule

The FTC announced that they will suspend enforcement of the new “Red Flags Rule” until May 1, 2009, to give creditors and financial institutions additional time in which to develop and implement written identity theft prevention programs. The Identity Theft Rules are found at 16 C.F.R. Part 681.2.

The FTC published an FTC Business Alert in June 2008 entitled New ‘Red Flag’ Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft. The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.”

A financial institution has the same meaning as in 15 U.S.C. 1681a(t), which defines it as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.

A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.

The Red Flag Rules would require the establishment of an Identity Theft Prevention Program. 16 C.F.R. Part 681.2 lays out these requirements and elements:

(1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

(2) Elements of the Program. The Program must include reasonable policies and procedures to:

(i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;

(ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;

(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and

(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

PCAOB Standard No. 5

The Public Company Accounting Oversight Board released Auditing Standard No. 5 – An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements (.pdf) on June 12, 2007. The standard was approved by the SEC on July 25, 2007 and became effective for audits of fiscal years ending on or after November 15, 2007.

SEC Prosecutions under the Foreign Corrupt Practices Act

According to Linda Chatman Thomsen, director of the SEC’s Division of Enforcement, in a Forbes article [The SEC in 2008: A Very Good Year?], the SEC filed 15 FCPA cases in 2008. Since January 2006, the SEC has brought 38 FCPA enforcement actions. That number is more than were brought in all prior years combined since 1977 when the FCPA became.

Thinking About Training

Jeffrey M. Kaplan and Rebecca Walker, partners in the law firm of Kaplan & Walker LLP, wrote an article, Thinking About Training, in the March/April 2008 edition of Ethikos.

The goals of training—to enhance employees’ understanding of the law and company policy and promote ethical business conduct—will not be achieved if training is not comprehensible and interesting enough to be heard and remembered. The Sentencing Guidelines highlight this notion by providing that companies must not only provide training—they must do so in an effective manner.

Email Etiquette and Compliance

Lots of hallway conversations have turned into email and instant messaging conversations. There are lots of problems with that.

First is simply the lack of human interaction. Humans are social and need to meet face-to-face. Along with that is the limited ability to convey tone, sarcasm and other elements of conversation in the written word.

The second problem is the ability to retrieve that email or instant message conversation in a way that you cannot with a hallway conversation. This is a records management and compliance problem.

An example of an embarrassing and damaging IM conversation came out on Capitol Hill today. According to the New York Times (Rating Agencies Draw Fire on Capitol Hill) Congressman John A. Yarmuth, a Democrat from Kentucky, read aloud from an instant-message conversation between two S&P employees in the firm’s structured product division:

Official 1: By the way, that deal is ridiculous

Official 2: I know, right. The model definitely doesn’t capture half the risk.

Official 1: We should not be rating it

Official 2: We rate every deal. It could be structured by cows and we would rate it

Official 1: There is a lot of risk associated with it. I personally don’t feel comfy signing off as a committee member.

That may have been a funny hallway conversation, but it is now getting the company in lots of trouble.

Before you send that email or IM, ask yourself how you would feel if your Congressman was reading it into testimony and having it appear in the New York Times.

Compliance and Ethics Training – How Much is Enough

In this podcast panel discussion, OCEG’s Carole Switzer moderates a discussion with ELT’s Shanti Atkins and SAI Global’s Mark Rowe to answer the question of how much is enough when it comes to compliance and ethics training. You can listen to a webcast and read a transcript (.pdf).

Ms. Atkins talks about three layers of training. The first layer is training that is legally mandatory. One example is sexual harassment training in some states. The second layer is training related to mandatory guidelines. You are not in violation of law for failing to do the training, but in the event of a problem the failure to have training results in elevated fines, penalties or damages. One example is the federal sentencing guidelines. The third layer is training as a best practice for the organization given its risk profile.

Ms. Atkins sees two extremes. At one extreme are lengthy training sessions that happen at regular intervals but are repetitive and not responsive to the company’s needs. At the other extreme are companies doing the bare minimum.

Ms. Switzer tries to draw a line between generational differences in the workplace in training. Ms. Atkins debunks this approach. (In my prior career in Knowledge Management I also did not see generational differences in training. There is just good training and bad training. I see some generational differences in tolerance for bad training.) Mr. Rowe has found story-based training to be more effective. You need to engage people in the training and not just talk at them.

Ms. Atkins sees some problems with scoring learners and keeping a database of scores as employees go through the training. One is how you go about following up with and addressing sub-par performers. The second is the potential for that information to be used against the company in a lawsuit.

Handing out a code of conduct and getting a signed acknowledgment that an employee read it is not training. Mr. Rowe emphasized the need to put the information into context, into a real-life situation. He also likes the idea of setting a bar that learners need to clear, proving they understand one topic before they move on to another topic.

Ms. Atkins emphasized the need to keep the training modular so that scenarios can be added and removed and the training can be updated.

Mr. Rowe points out that “ethics training isn’t just a list of rules; it’s guidance that should help people perform their jobs in a better way and reduce risk to the organization.”

International Standards for the Bribery of Public Officials

The Foreign Corrupt Practices Act is the U.S. standard for bribery of public officials by U.S. concerns or international concerns with a presence in the U.S. The international standard is the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions promulgated by the Organization for Economic Co-Operation and Development.

The convention sets a criminal offense for:

any person intentionally to offer, promise or give any undue pecuniary or other advantage, whether directly or through intermediaries, to a foreign public official, for that official or for a third party, in order that the official act or refrain from acting in relation to the performance of official duties, in order to obtain or retain business or other improper advantage in the conduct of international business.

A foreign public official means:

any person holding a legislative, administrative or judicial office of a foreign country, whether appointed or elected; any person exercising a public function for a foreign country, including for a public agency or public enterprise; and any official or agent of a public international organisation.

A public enterprise means:

any enterprise, regardless of its legal form, over which a government, or governments, may, directly or indirectly, exercise a dominant influence. This is deemed to be the case, inter alia, when the government or governments hold the majority of the enterprise’s subscribed capital, control the majority of votes attaching to shares issued by the enterprise or can appoint a majority of the members of the enterprise’s administrative or managerial body or supervisory board.

Evaluation of the Chief Compliance Officer

Thompson Hine put together a paper, Evaluation of the Chief Compliance Officer:

While Rule 38a-1 under the Investment Company Act requires a Board of Directors to approve the appointment, removal and compensation of a fund’s Chief Compliance Officer (“CCO”), the rule is silent as to any requirement to annually review the performance of the CCO. However, Rule 38a-1 does require that a fund annually review the adequacy and effectiveness of its written compliance policies and procedures (“Compliance Program”), as well as the Compliance Program of each investment adviser, principal underwriter, administrator and transfer agent of the fund (“Fund Service Providers”). Because the CCO is an integral part of any Compliance Program, it is reasonable to expect a board to evaluate the effectiveness of a CCO as part of, or in connection with, the annual review of the Compliance Programs.

The following statement by the Securities and Exchange Commission (“SEC”) serves as a useful starting point for evaluating the effectiveness of a CCO:

“A fund’s chief compliance officer should be competent and knowledgeable regarding the federal securities laws and empowered with full responsibility and authority to develop and enforce appropriate policies and procedures for the fund.”

Although this is a relatively vague standard, the SEC staff has informally articulated a number of specific qualities and capabilities that it believes a CCO should possess. In addition to analyzing these qualities and capabilities, a CCO’s effectiveness can be evaluated by reviewing the duties and functions actually performed by the CCO. This review should take into consideration the size, resources and business activities of the fund complex.

An Effective Compliance Program under the U.S. Sentencing Commission Guidelines

Section 8B2.1 of the 2007 version of the United States Sentencing Commission Guidelines defines an “effective compliance and ethics program” for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations):

(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall—

(1) exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

(b) Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:

(1) The organization shall establish standards and procedures to prevent and detect criminal conduct.

(2) (A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.

(C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

(3) The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.

(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.

(B) The individuals referred to in subdivision (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.

(5) The organization shall take reasonable steps—

(A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;

(B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and

(C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

(6) The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.

(7) After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.

(c) In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.