Compliance Perspectives

By Adam Turteltaub While many of the world’s governments are struggling to determine what to do about AI, Brazil already has a track history in this area. As Maria Victoria Mota, Corporate Attorney at Viapol (a subsidiary of RPM), explains in this podcast, the roots of government action in Brazil go back to 2018 with data protection regulations that are similar to the European General Data Protection Regulation (GDPR). This initial legislation was followed by a second in 2020 created to develop the rules of how the government, companies and individuals may use AI. It was followed by more legislation, most recently in 2023. The latest came after a committee of jurists was created to help frame the bill. Working with scientists and experts in technology, they examined how AI should be used and AI laws of 31 different countries. The goal was to creation legislation specific for the needs of Brazil. Privacy is a central pillar of the bill, which is also based in human rights and sound data protection practice

By Adam Turteltaub Fast Company recently ran an article with the headline “Research Shows High Performing Employees are More Prone to Unethical Mistakes.” It’s both an alarming and an intriguing proposition. To understand more I spoke with Richard Bistrong, CEO of Front-Line Anti-Bribery LLC, who co-authored the article along with Ron Carucci and Dina Smith. Why are high performers potentially so dangerous? For one, he explains, success tends to block scrutiny. People don’t like to question it and are just grateful to see so much of it. They may not think to look or not want to look too deeply. Another challenge is that the more successful people are, the more addicted to success they may become, something Richard knows from his own experience. The challenge of being a corporate hero, he explains, is that once you earn that status, you typically don’t want to give it up and may end up going down what has been called the rabbit hole of success. At the same time, the company may be exerting pressure on the

By Adam Turteltaub In the September 2023 issue of Compliance and Ethics Professional® (CEP) magazine, Andrea Falcione (LinkedIn), Chief Ethics and Compliance Officer and Head of Advisory Services of Rethink Compliance LLC, wrote about fostering a speak-up culture. Institutional justice, she wrote, is a critical part of that effort and “paramount to gaining and keeping employee trust.” To learn more about the topic, I sat down with her for this podcast, in which she explains that there are four elements of institutional justice. The first is Respect for everyone involved in an incident. That includes the person who comes forward with an allegation of course, but it should also include those the allegation was raised against, any witnesses and also people who come forward to self-report. By doing so, you make it clear that it is safer and better to come forward when there is wrongdoing. Voice is the second element. She shares that this means allowing people to speak and share their story. It also means list

By Adam Turteltaub Where is the compliance profession now and where is it going? To find out we sat down with Chris Audet, Chief of Research at the Gartner Center for Legal, Risk & Compliance Leaders. Gartner recently issued a report: “Key Budget, Staffing and Spending Trends for Compliance in 2023”, and in this podcast he shares some of the insights in it. When it comes to budgets, compliance teams are strained, but not how they expected. During the pandemic there were fears of large funding cuts. While there have been some reductions, on the whole they have been minor. However, workloads have increased dramatically. This has led, he explains, to overstretched departments where the loss of even one FTE can be devastating. Three key issues have led to the increase in demands on compliance teams: The challenge of tracking regulations. A rising number of issues, such as ESG, that may have begun in another department but are now considered compliance’s responsibility Conducing internal investigations

By Adam Turteltaub When an organization begins to expand globally, or even when a global organization enters a new market, the compliance challenges can be considerable and multiple. In this podcast, Dr. Shan Nair, President of Nucleus explains that companies need to worry not just about issues such as anti-corruption and data privacy. There are a host of HR, accounting, corporate taxation, indirect taxes, withholding taxes and other compliance issues. In addition to these obligations there may also be filing requirements. Germany, for example, requires a special filing if a local subsidiary is not self-funding. Making things more complicated is that a trusted source for compliance advice in one area likely is completely unaware of the challenges in another. The bottom line is that it takes a concerted effort and a very local approach to meet all these obligations and ensure that the organization is compliant not just on the big issues, but on the dozens of less headline grabbing ones as well.

By Adam Turteltaub You may not realize it, but your compliance program has a brand. Line employees and management all have a host of impressions about the compliance department that color how they respond to what you say and do. A strong brand means that your actions are more likely to be appreciated. A weak brand means it’s a very steep uphill climb. Adam Balfour, Vice President & General Counsel for Corporate Compliance at Bridgestone Americas and author of the book Ethics & Compliance for Humans, is an advocate for compliance teams making the effort to invest in creating a strong, positive brand that communicates the value of the program. As a part of that effort, compliance teams need to move beyond simply building awareness to ensuring that the brand resonates and is relevant to the organization. To do that he advocates taking a people centric approach and using three methods of motivation: Start with why. Don’t just tell them what to do. Tell them why they need to do it beyond “the law requires it

By Adam Turteltaub On October 4, 2023 at the SCCE Compliance & Ethics Institute in Chicago, US Deputy Attorney General Lia A. Monaco spoke live from Washington to the attendees and used this opportunity to announce a new Safe Harbor Policy for voluntary self-disclosures made in the context of the merger and acquisition process. Under the policy, acquiring companies that promptly disclose criminal misconduct voluntarily within the six-month safe harbor period, cooperate with investigators and engage in remediation, restitution and disgorgement will receive the presumption of a declination. She also explained that, absent aggravating factors at the acquired company, it will not impact the acquiring company’s ability to receive a declination. She also shared how the Department of Justice has been fighting corporate crime including: The expansion of corporate enforcement efforts in the national security realm New tools DOJ is using to penalize corporate misconduct and provide invectives for good corporate

By Adam Turteltaub Much of the day to day of compliance isn’t about understanding laws. It’s about influencing human behavior and steering people in the right direction. In this podcast, Scott Young, Principal Advisor and Head of Private Sector at Behavior Insights Team, Americas shares that understanding how people make decisions can help compliance teams be more effective. To do so, he advocates for using behavioral science to gain a broader perspective for thinking about human behavior. The field has shown, for example, that the classic economics model of rational thinking doesn’t always apply. Too often we operate in a semi-automatic mode, making decisions quickly, not really aware we are even making them. So what do compliance teams do? Adopt what he describes as the EAST Framework. Easy. Make sure the proper choice is the default choice. Attractive. Make compliance fun and engaging. Embrace gamification and other ways to make compliance more attractive to people. Social. Humans are social being a

By Adam Turteltaub NAVEX earlier this year issued its very substantial 2023 State of Risk & Compliance Report. To learn about the key findings we sat down with longtime ethics and compliance leader Carrie Penman, who serves as the company’s Chief Risk and Compliance Officer. Overall, the data reveals strong management support for compliance and ethics programs, although there are cracks showing. When asked whether this commitment persists in the face of competing interests, the numbers show a troubling drop. Worse, there was an increase in the number of survey respondents indicating that middle managers encouraged employees to act unethically or impeded compliance personnel from their job. It was still a minority, but a larger one than before. Turning to specific risk areas, data breaches and privacy/security threats were the top fears for compliance professionals. Not surprisingly, cyber came up as a top training topic. It was followed by codes of conduct and privacy. Looking globally – the survey also h

By Adam Turteltaub It may be time to rethink background checks.  Brent Douglas (LinkedIn) partner at the law firm Hahn Loesser, explains that their use has been greatly reduced in many industries. This reflects the increase in the number of what are known as “ban the box” laws, which prohibit employers from asking job applicants to tick a box if they have a criminal history. He also warns that in some jurisdiction screening applicants wholesale for criminal backgrounds may not be permissible. Only after a job offer has been conditionally made can a firm conduct a check. That doesn’t mean background checks are always prohibited. In certain industries, such as healthcare, defense and transportation they are often obligated. Even screening for marijuana usage may be permissible, but be careful. California, starting in January 2024, will enforce a new testing methodology. If your organization conducts background checks, it may be best to have a third party conduct it for you. This both leverages their experti

By Adam Turteltaub Mary Shirley (LinkedIn) has had a fascinating journey as a compliance professional. Born in Hong Kong and raised in New Zealand, she has worked in Singapore, Dubai and across the US. She currently serves as Head of Compliance at Masimo, and she just authored the book Living Your Best Compliance Life: 65 Hacks & Cheat Codes to Level Up Your Ethics & Compliance Program. In this podcast she argues for embracing professional development and owning your own advancement. Among the hacks she recommends is creating a notebook on yourself. Record in it what you have done, the key steps along the way, and some of the larger details. That way, when annual performance time comes around, you are prepared to share what you have accomplished and won’t have to scramble to reconstruct what you did over the past year. The same information, she points out, is very helpful when looking for your next position. It can help  you both recall what you have done and prepare to answer questions about key accomplis

By Adam Turteltaub You’re all signed up for the Compliance & Ethics Institute or another SCCE or HCCA conference. Now, how do you make the most out of your time there? Kristy Grant-Hart CEO of Spark Compliance Consulting and a former compliance officer, herself, shares in this podcast several excellent tips for making your conference time truly valuable. Her recommendations: Plan out which sessions you want to attend before you arrive. It makes for a much more strategic and less stressful approach than picking sessions hurriedly at the breaks. Pick the sessions based on both the topic and the speakers you want to listen to and meet. Map out time to do work and answer email. It’s a lot easier to sit and listen to a session when you have a defined times to work and a defined time to be fully present at the conference. Start your networking before you go. Announce on LinkedIn that you’ll be there and try to connect with others who will be attending. Take advantage of vendor receptions and dinners t

By Adam Turteltaub First there was Safe Harbor, then there was Privacy Shield, both of which were struck down, leaving an enormous chasm in the rules for sharing data between the EU and the US. Now, explains, Andre Bywater, Partner, Cordery, there is a bridge: the EU-US Data Privacy Framework. The new framework seeks to address the issue that led to the court striking down Privacy Shield: access to data by US intelligence agencies. To allay European concerns the US has now put in place a two-level system to redress grievances. EU citizens can lodge a complaint with the Civil Liberties Protection Office. If not satisfied with the results there, they can escalate to the US Data Protection Court, which has the power to issue orders to have data deleted. The new framework is likely to be a big step forward, but it’s not the only one data processors will have to take. Organizations will first need to determine if they are eligible to participate. Next, they will need to self-certify their processes for handling

By Adam Turteltaub Payment Card Industry (PCI) compliance is driven by a set of rules that set a standard of security for any entity that takes, stores or processes credit card data. Any time you or I make a credit card purchase, we rely on PCI compliance by all involved to keep our information safe. Now, the standard is evolving to PCI 4.0, explains Mark Schreiber, Senior Counsel at McDermott Will & Emery. PCI 4.0 is far more robust and clarifies the misunderstandings in the previous standard. It also imposes more than 50 new obligations. Most notable of the changes is the new emphasis on third parties and the need to monitor them. Now, merchants must maintain lists and descriptions of all third-party providers, have written agreements with them that accounts for security standards and includes a process for due diligence before engaging with them. Central to the process is a responsibility matrix, which outlines which party is responsible for each aspect of credit card security. Perhaps needless to say

By Adam Turteltaub Stamford Health has just a bit less than 4000 employees spread out in over 40 local offices. For some that would be a nightmare when figuring out how to put together a celebration of Corporate Compliance & Ethics Week, but it’s not for Cheryl Gilbert, the director of compliance and privacy. To make the annual event work she uses a wide range of communications vehicles to get the word out. The organization has a new employee orientation every other week, and compliance is a part of it. The organizational newsletter, which publishes twice each week, is also put to use. So, too, is the compliance intranet site. What aren’t used? Posters. The team found that the effort involved in creating them, putting them up and taking them down just wasn’t worth it. To make the week fun they have developed a wide range of activities including a: Haiku contest. Employees are challenged to write a haiku based on the organizations core values. Where’s Waldo type game in which employees have to spot al

By Adam Turteltaub Cancer is not just a diagnosis between a patient and physician. In this podcast Jeremy Laws, Operations Supervisor at the Ohio Cancer Incidence Surveillance System, explains that a cancer diagnosis triggers state-by-state reporting requirements for healthcare providers. In general, there are two areas of reporting: cancer information and patient information. Cancer information generally includes where it is on the body, the type of cancer, what type of tissues is affected and how the cancer is behaving. Patient information includes name, age, sex, race, address, date of diagnosis and date of first treatment. And, for those concerned about HIPAA, he points out that there is a public health exception that his falls squarely under. The data provided feeds into the US Cancer Statistics Report that is published annually. It is also used by policy makers and researchers. Compliance teams need to ensure that their facilities are reporting the data, which many fail to do. There is a tendency t

By Adam Turteltaub When it comes to networking and sharing ideas with other compliance professionals, people tend to think of attending conferences. That’s not the only way to do it. In this podcast Steve Pavlicek, Community Engagement Manager at SCCE & HCCA shares the free resources the association provides and how to take advantage of them. First stop are HCCAnet and SCCEnet. They were created to be a social network just for the compliance community. People post and answer questions, share their opinions and even documents. To see all that’s there, first login on the SCCE or HCCA site. Next, click the Login button on HCCAnet or SCCEnet. You’ll find approximately 40 different communities discussing issues such as auditing and monitoring, the Foreign Corrupt Practices Act, privacy and more. There are also communities organized by industry. If you’re looking for real-time interactions try one of our Meet Ups. You’ll find a schedule of them at HCCAnet and SCCEnet. These sessions take place via Teams. The g

By Adam Turteltaub When planning for disasters, organizations are typically focused on things like call trees, backup data servers, and alternative work locations. In the crush to survive the immediate threat it’s easy to forget about compliance, and even during disaster planning, compliance may come last. That’s a dangerous mistake, explains Laura Fey, Principal, Fey, LLC; Tom Leatherbee, Manager, Recovery Division, Hagerty Consulting; and Jillian Cusack, AVP, Privacy Officer, American Fidelity. Just because normal business operations are interrupted doesn’t mean compliance obligations are also on pause. Ensuring compliance plays a role in disaster planning is more important than ever. Natural disasters, ransomware attacks, a pandemic and other threats seem to be more frequent and can turn into situations that last days, weeks, months or even years. When they do, not only do existing compliance considerations continue but new ones can arise ranging from OSHA to employee obligations – you still have to pay

By Adam Turteltaub There has been, to say the least, a great deal of controversy over the US Department of Justice’s plan to require compliance officers to provide a certification as a part of corporate resolutions. Many fear that it could lead to significant legal risk for compliance teams and fewer individuals willing to assume compliance roles. Jonny Frank, Partner, and Kat Nolan, Senior Consultant, at StoneTurn are not concerned.  They point out that in the 20+ years since Sarbanes-Oxley, despite the predictions, there have not been the lawsuits and empty CFO and CEO chairs that some feared. Instead, they believe, these certifications could lead to increased power and prestige for chief compliance officers. In the podcast they lay out a five-step process for certification: Select a framework for the certification criteria that the organization will grade itself against. Conduct a scenario-based compliance risk assessment. Assess and design key control activities. Create a sub-certification wa

By Adam Turteltaub So, you’ve got a global compliance program. But, what do you do when a local team says, “That doesn’t really work here” or “We think it would be better if it were changed to something else for us”? Kristy Grant-Hart, CEO of Spark Compliance Consulting recommends keeping your values the same wherever you operate. Values are typically based on universal ideas. They and your code of conduct should remain constant wherever possible. Communications from the CEO and leadership should also be the same everywhere. You don’t want the CEO saying one thing in one country and something else in another. Categories used for reporting and investigations should also be the same everywhere, otherwise it will be difficult, if not impossible, to track where the issues are. Similarly, root cause analysis and risk assessment methodology must be the same globally. So where can you localize? She recommends looking at areas such as gifts and hospitalities. What’s reasonable in one region may not be in the oth