The Business Case for Compliance

In its guidance to the financial industry, the Office of Foreign Assets Control (OFAC) states that “[t]he importance of establishing a compliance program and developing internal audit procedures should be obvious to every financial institution.”[1] As support, OFAC notes that failure to comply with OFAC requirements opens up an institution to adverse publicity, fines, potential forfeiture of property, and even criminal penalties.  The Commerce Department’s Bureau of Industry and Security (BIS) and the State Department’s Directorate of Defense Trade Controls (DDTC), which also have the ability to levy substantial civil and criminal penalties, could make similar statements.

While OFAC may find the importance of a compliance program obvious, the same cannot be said for some multinational corporations, exporters, or international financial institutions.  The problem is not so much that firms do not have a compliance program in place (although this certainly does happen), but rather that compliance is not taken seriously.  Having a written program does little good if compliance is insufficiently supported, receives little visibility, or is implemented poorly.  The goal is not just to have a compliance program—it is to have an effective one.

Too many companies think of compliance only as a cost and business burden. But compliance is a means of ensuring the proper discharge of basic corporate responsibilities, including the need for a company to moderate and manage business and legal risks.  Compliance is central to the execution of one of the basic tasks of a company, which is to protect its reputation and assets.  There accordingly is a strong business case for compliance, especially in today’s business and regulatory environment.

The Positive Impact of Having a Strong Compliance Culture

Engaging in business in highly regulated areas, such as exporting goods to foreign countries or engaging in international financial transactions, is inherently risky.  Companies choose to engage in these activities because of the high rewards that often accompany these high risks.  Compliance may be costly, but it is part and parcel of doing business in the chosen area of competition.

Especially for companies engaged in high-risk activities, there is a good business case for compliance.  By adopting a compliance program, a corporation is setting forth the ethical standards that it aspires to reach.  It is communicating to its customers, suppliers, distributors, and shareholders that its high corporate standards make it a reliable business partner.  Some companies put their compliance programs on their websites to communicate this aura of reliability and concern for ethical and regulatory obligations.  This is a good idea, since most companies know that the problems of their business partners can percolate over into their own businesses.  In the current enforcement environment, companies tend to steer business to partners they view as minimizing regulatory risks.

Another consideration is the spin-off benefits of a strong compliance program.  The due diligence required under an effective program can ferret out the kinds of unreliable customers and business partners that can cause corporate troubles.  Customers who pose sanctions and export-control risks can be poor business prospects, especially after taking into account the regulatory risks they introduce.  Many companies (especially financial institutions) integrate their business and compliance due diligence to best serve both regulatory and anti-fraud needs.

Companies also need to consider the impact that violations can have on the premiums they pay for director and officer insurance.  With the cost of investigations commonly running into the millions of dollars, insurance companies have become very quick to adjust their premiums upwards to take into account the risk profiles of their policyholders.  Nothing will have a bigger impact than having to file a claim due to poor corporate controls.  A clean history helps keep insurance premiums down.

The impact on employees also should not be forgotten.  Corporations with cultures that take compliance and ethical issues seriously and give them top-level attention attract like-minded employees.  Corporations that give short shrift to compliance tend to have cultures that encourage excessive risk-taking and close skirting of ethical and legal responsibilities.  When compliance responsibilities are taken lightly in even one area, the lax culture tends to spread and infect the entire corporation.

This is why the best business case for compliance is provided, albeit ironically, by WorldCom, Adelphia, Tyco, Enron, and Arthur Andersen.  These large companies, which collectively employed hundreds of thousands of people and were longstanding corporate fixtures, were brought down by corporate scandals.  While these firms may have had compliance programs in place, their dictates clearly were not followed, in that fraudulent conduct was widespread and in some cases seemingly sanctioned by top management.  Fully developed compliance programs, properly implemented and with strong top-down corporate support, would have prevented some or all of these corporations from having been brought low by ethical violations.

The Dangers of Not Having a Strong Compliance Culture

A good compliance program does more than just deter violations—it also helps to detect violations once they have occurred, provides an internal mechanism to report them, prevents the violations from growing into a pattern, allows the company to conduct an internal review to determine what happened, and gives the company the opportunity to put in place appropriate remedial measures.  It serves education, deterrent, and discovery functions.  A compliance program is a key investment in risk mitigation, thereby helping the firm carry out its corporate objectives in a prudent and managed fashion.  It necessarily follows that the lack of a compliance program negates these advantages and increases the risk profile of the corporation.

Responding to Government investigations is extremely costly.  Answering Government requests for information can cost millions of dollars, and engaging in full-blown litigation regarding a potential sanctions or export-control violation can cost many times more.  Even internal investigations can be very expensive—and this is before taking into account criminal and civil penalties, and profit disgorgement, which can reach into the hundreds of millions of dollars.  These penalties also can be accompanied by other sanctions, such as suspensions, debarments, or prohibitions on doing business with the U.S. Government.  The existence of a compliance program—provided it was in existence before the issue arose and disclosure to the U.S. Government occurred—is strong support for an argument that the Government should assess a lower fine and not impose other onerous sanctions, such as debarment.

An important consideration also is the bad publicity that results from a publicly disclosed investigation.  For public companies, the usual result is a falling stock price, long-lasting damage to a corporation’s reputation, and the possibility of shareholder lawsuits against management and the board of directors.  Responding to the distractions and demands of these lawsuits while simultaneously dealing with the fallout of an official Government investigation can pose a special burden for publicly traded companies.

There even is authority that having a strong compliance program is an inherent part of the corporate mission.  In United States v. Merck-Medco, the issue was whether the defendant had acted with reckless disregard by submitting false claims for payment to the U.S. Government.  The Government contended that the defendant’s failure to put in place an adequate compliance program, in and of itself, indicated reckless disregard and supported prosecution of the company for violations of the False Claims Act.  The Court held as a matter of law that the failure to have such a compliance program could be used as evidence of recklessness.

Another sobering case is In re Caremark Int’l Inc. Derivative Litigation, which involved a shareholder derivative suit alleging a board failure to put in place adequate “information and reporting systems.”[4] The Delaware Court of Chancery held that corporate directors have a fiduciary duty to ensure implementation of reporting systems to prevent wrongdoing.  The board’s failure to implement compliance and reporting systems left the directors liable for losses caused by noncompliance with applicable legal standards under the anti-kickback statute and the False Claims Act.

Finally, the Sarbanes-Oxley Act of 2002 requires that publicly traded companies establish audit committees and have internal accounting controls sufficient to allow them to report accurate financial statements.  Although Sarbanes-Oxley does not go so far as to mandate full-blown compliance programs, its emphasis on compliance procedures necessary for financial reporting is increasingly difficult to distinguish from general compliance procedures given the aggressive interpretation of the Sarbanes-Oxley Act by the U.S. Government.

In short, strong compliance programs help maintain customer retention, prevent damage to the corporate brand, enhance vendor relationships, lower director and officer insurance premiums, and minimize issues that can distract from running the corporation.  They also help avoid damage to the corporation in the form of criminal fines, civil penalties, suspension and debarment, loss of Government business, losses of supplier and business partners, and damage to the corporate reputation.  Even in cases where a compliance program is not mandated by specific regulation, only the most foolhardy multinational institution proceeds without one in place.

The Business Case for an Integrated Compliance Approach

This series of articles focuses on multinational corporations and international financial institutions because they are at the highest risk for potential government enforcement action.  The risks for these multinational corporations flow both from their increased regulatory responsibilities and from the inherent riskiness of their corporate activities.  OFAC maintains specific restrictions on financial institutions, which are required to take actions to reject or (more commonly) block prohibited transactions involving sanctioned persons or governments, and other restrictions are imposed on U.S. persons that deal with sanctioned countries or entities.

Foreign Corrupt Practices Act (FCPA) risks, by definition, only arise when companies are operating in areas where there is a potential payoff to a foreign government official, while export controls are triggered when there is, naturally enough, an export, whether in the form of a transaction that takes place abroad or the communication of controlled information to a foreign national.  Anti-boycott issues only arise where foreign boycotts are involved.  Operating abroad thus raises a host of issues by the very nature of the foreign involvement.

Although the U.S. Government maintains a (somewhat) integrated approach to sanctions and export controls, the other laws governing international conduct are administered in a very piecemeal fashion.  Enforcement is split up between OFAC, the Departments of Justice, Commerce, and State, the Securities and Exchange Commission, other federal agencies, and even state banking authorities.  This is not the structure that would be imposed if these laws were being implemented for the first time today.  But the U.S. Government is taking steps to break down these inter-agency barriers through coordinated enforcement actions.

With the U.S. government taking a more unified approach to enforcement, multinational corporations should consider taking the same view, only from a compliance perspective.  Unfortunately, however, many multinational corporations instead operate Balkanized compliance programs – i.e., programs that feature little coordination across divisions or countries, or that are narrowly directed at only a subset of the laws the U.S. Government has issued regulating exports or international conduct.

The reasons why companies have taken this approach vary.  In some cases, it is because the company has been built over time through merger activity and organic growth, with more focus being given to business opportunities than to the risks of legal violations.  In others it is because decentralization of business activities has been reflected in decentralized compliance structures.  A very common factor that exacerbates the problem is that many foreign subsidiaries that operate completely independently of the United States have at best a tenuous appreciation for the extra-territorial application of U.S. regulations, which gives global compliance standards further room to diverge and causes coordination of compliance efforts to lag.

The end result of this piecemeal approach is fragmented compliance, whether because of poor coordination between different divisions and subsidiaries or because of uneven application of compliance standards that emphasize some U.S. obligations more than others.  Companies that have model compliance approaches in some areas, or for some divisions or subsidiaries, can therefore simultaneously feature poor compliance strategies in others.

Whatever the reason for this type of fragmentation, this result is not one that should be allowed to continue in the current enforcement environment.  The U.S. Government has announced that it is taking a more global view of the laws that cover companies that operate internationally.  This is because it is finding that companies tend to violate multiple laws at the same time, both because the violations often are connected and because companies that have a cavalier attitude towards compliance in one area tend to be lax in others.

With the U.S. Government looking at the whole range of regulations that govern international conduct, this mindset needs to be followed by companies seeking to comply with these laws.  Handling all international areas together from a compliance perspective has a number of advantages, including:

  • Common Procedures. Employees are busy, and compliance usually is not their primary focus.  Creating one set of procedures is advantageous from implementation, training, and operational standpoints.
  • Cross-Fertilization. Integrating compliance reveals cross-trends, e.g., FCPA controls for government officials can reveal illicit contracts, know-your-customer guidelines can reveal FCPA risk areas, sanctions screening can reveal anti-money laundering (AML) concerns, and so forth.
  • Implementing Best Practices. An integrated approach allows for the implementation of best practices quickly across an entire organization.
  • Ease of Auditing. While many multinational corporations perform various types of compliance audits (especially banks, for AML purposes), many others do not, instead trusting that their compliance programs are working because they do not seem to be unearthing any problems.  The growing trend, however, is for companies to perform periodic audits to confirm that well-conceived programs are being followed on the ground and to nip small problems before they become systemic.  An integrated approach leverages audit capabilities across compliance areas and different areas of the world.
  • Increased Visibility for Compliance. Traditional problems of getting companies and employees to take compliance seriously, and not just to treat it as a cost and distraction from making sales, are naturally combated by creating a centralized and higher-visibility compliance function.
  • Ease of Board-Level Monitoring. Compliance needs to jostle with strategic concerns for board-level attention.  Integrated compliance allows for the systematic presentation of compliance-related information to the board of directors, surely a strong consideration with Sarbanes-Oxley increasing the requirements of board-level monitoring.
  • Viewing Compliance and Risks as the U.S. Government Does. As discussed, it is an unfortunate reality that the U.S. Government does not have an integrated approach to regulating international conduct.  More than a dozen U.S. agencies, on the federal and state level, potentially have a say in how a financial institution operates abroad.  But when problems arise, the U.S. Government takes an integrated approach and brings together the regulators in joint indictments and settlement discussions that cover multiple problems.  It is a definite advantage to be identifying risk and engaging in risk mitigation in the same way that the U.S. Government does.

Also of concern is the traditional attitude of companies that compliance should be handled on a division- or a country-wide basis.  Certainly there are situations where this approach makes perfect sense.  In some cases, OFAC regulations allow foreign subsidiaries to take actions that would be forbidden to U.S. persons—although even there, care must be taken that the U.S. firm, or U.S. persons, are not engaged in illegal facilitation of the transaction.  The FCPA does not directly apply to foreign subsidiaries (although increasingly aggressive enforcement of the Act makes this distinction increasingly meaningless).  Anti-boycott coverage, which depends upon acts taken in interstate commerce and the involvement of U.S. persons, can vary as well.  In all these cases, there may be a specific reason why compliance standards should differ.

But all too often, differing compliance standards across the corporation are driven not by strategic decisions or the parameters of the regulations so much as they are a result of haphazard compliance directives developed at different times and by different people.  The standards vary not by design but rather by chance.

A compliance approach that has grown without conscious thought given to the overall construct of U.S. regulations generally will have deficiencies that inhibit complying with the very precise distinctions enshrined in many of the U.S. laws and regulations that govern international conduct.  Multinational corporations accordingly need to consider taking an integrated approach across divisions and countries, and even affiliates and joint ventures.

Taking an integrated approach does not mean that the exact same standards should govern dealings in each country or in each division.  This kind of lockstep compliance approach, while acceptable in some cases (such as in dealing with the increasingly global anti-bribery rules), does not make sense where the regulations themselves distinguish between the activities of U.S. and non-U.S. persons (such as for sanctions and export controls).  It does mean, however, that thought needs to be given to all the ways that U.S. regulations could affect foreign behavior, including through their application to U.S. citizens tangentially involved, the application of agency principles, novel theories of extra-territoriality, aiding, abetting, and facilitation charges, and the use of the threat of debarment to force settlements on entities that might not seem to be directly covered.  Differences between countries and divisions, in other words, should be there for a reason, rather than because of chance or mistaken notions of how far U.S. regulators are willing to push their jurisdiction.

The advantages of taking a geographically integrated approach include the following:

  • Ease of Monitoring. Compliance takes detailed knowledge of the relevant regulations and a firm understanding of how to apply them to myriad fact patterns.  Application of one standard facilitates the development of expertise in the application of the compliance standards.
  • Ease of Implementing. Implementing a single standard, or one with only a few, planned-out variations, is easier to do on a multi-country basis.
  • Dealing with Workforce Mobility. In many multinational corporations, people frequently move from division to division and from country to country.  Differing compliance standards multiply confusion as the rules change at every stop.
  • Centralization. Since many of the most stringent regulations originate in the United States, their nuances often are best understood by U.S. counsel or compliance staffs.  Having consistent, well thought out standards facilitates oversight by these compliance personnel.
  • Dealing with Extraterritoriality. The U.S. Government has become increasingly aggressive in enforcing U.S. laws against foreign interests, even in situations where it formerly declined to do so.  For example, the DOJ has begun to seek the recovery of bribes paid to foreign officials, and increasingly has sought to leverage jurisdiction over U.S. entities as a means of securing settlements against both U.S. and non-U.S. affiliates.  With the U.S. government reaching farther afield, setting standards that do not comply with U.S. norms becomes an increasingly risky strategy that should not be implemented without careful thought.
  • Standards Convergence. In some areas, such as the FCPA and anti-money laundering standards, U.S.-style prohibitions are being adopted by other countries.  This increases the value of taking a coordinated approach across jurisdictions, divisions, and subsidiaries.
  • Facilitation Standards and U.S. Citizens. Even in situations where the U.S. Government does not impose U.S. standards on foreign subsidiaries, it often imposes liability on U.S. persons involved in the transaction, including through the application of agency principles, prohibitions on U.S. person involvement in the transaction, and application of rules forbidding facilitation or aiding and abetting of regulated conduct.  Maintaining different standards across divisions and countries multiplies the compliance burden of screening covered U.S. nationals out of these types of transactions.

By Gregory Husisian.  Mr. Husisian is of counsel with Foley & Lardner LLP and has extensive experience in export controls, the Foreign Corrupt Practices Act (FCPA), and issues arising from international trade.  He is a member of the firm’s Government Enforcement, Compliance & White Collar Defense; Securities Enforcement & Litigation; and Appellate Practices.

Professor, Ambassador and Commander MSc. Marcos Assi, CCO, CRISC, ISFS – Managing Partner of MASSI Consultoria e Treinamento Ltda – a firm specializing in Corporate Governance, Compliance, Risk Management, Internal Controls, Process Mapping, Information Security and Internal Audit.  The firm specializes in serving credit cooperatives and is accredited by SESCOOP throughout Brazil for consulting and training.  Master’s in Accounting and Actuarial Sciences from PUC-SP, Bachelor’s in Accounting from FMU, with a postgraduate degree in Internal Audit and Forensic Accounting from FECAP, Certified Compliance Officer – CCO from GAFM, Certified in Risk and Information Systems Control – CRISC from ISACA, and Information Security Foundation – ISFS from EXIN.