Compliance Risk Assessment
Fall 2016 Class 11
Stephen Paine
Compliance Risk Assessment:
Case Studies and Third Party Risk
Announcements
Tuesday, November 22 is our last class and it will be a Laboratory Class in which you will participate in mock interviews. Consider it a Moot CRA. More details next week.
You have turned in four assignments that have been graded, although your second graded assignment does not have to count. That grade was still recorded and I will drop your lowest of the four grades to calculate your total written assignment component (25%) of your overall grade for the course.
Course evaluations are starting and you are STRONGLY urged, encouraged and begged to complete your evaluation of this course.
http://law.fordham.edu/evaluate
Recap of Class 1
Pfizer Case Study and Compliance Risks
Legal and Regulatory Incentives/Conflicts of Interest
Political Failure of Controls
Reputational Recidivism
Point of Sale/Distribution
Definitions
Compliance Risk is the risk of failing to comply with applicable legal or regulatory requirements resulting in a material loss (financial or reputational) or legal/regulatory sanction
A Compliance Risk Assessment is a framework to enable the evaluation and analysis of the overall Compliance risk (both inherent risks and control effectiveness) associated with a particular business area
Recap of Class 2
The Five Elements of an Effective Compliance Program
1. Tone at the Top
Enron Chronology: July 1985 Enron established through merger and by November 2006 entire senior management team has either been indicted or convicted with Enron and Arthur Andersen no longer operating
2. Corporate Culture and Communication
Codes of Conduct set the values for employees to follow and those values are based on Compliance Risk.
3. Compliance Risk Assessment
4. Testing and Monitoring
5. Chief Compliance Officer
Case Study: HSBC
Financing drug cartels
Permitting sanctioned regimes to process dollar payments
Claw back of compensation (including Compliance Officers)
Criminal charges for “failure to maintain an effective AML program”
Recap of Class 3
Compliance Tools/Controls
Advisory Function
Coverage of Front Office and Technology, Finance and Operations
Conflicts of Interest -- A Deep Dive
Conflicts of interest are inherent in the financial services business
Historical success of the industry has been managing these conflicts by eliminating or disclosing them
Top to bottom review of business operations to address conflicts of interest of every kind
Risk Assessments
Follow-Up
Policies and Procedures
Education and Training
Compliance Surveillance and Business Unit Review and Testing
Recap of Class 4
A Compliance Risk Assessment is a framework to enable the evaluation and analysis of the overall Compliance risk (both inherent risks and control effectiveness) associated with a particular business area
1. Identifying Business Area(s) and Metrics
2. Mapping Applicable Rules
3. Identifying Key Compliance Risks and Themes
4. Defining a Controls Inventory
5. Rating Control Effectiveness
6. Determining Residual Risks
7. Scoring, Rating and Reporting
It’s All About the Questionnaire . . .
Compliance Risk Assessment Steps
Identify Business Area and Metrics
Map Applicable Rules
Identify Key Compliance Risks & Themes
Define Controls Inventory
Rate Controls Effectiveness
Determine Residual Risk
Score, Rate and Report
Phase 2 of the Course
Assignments
Listen carefully in class as assignments will be based on material from the sector presented.
Sector Risk
Listen and assimilate the material/lecture through the lens of the types of risks each of the areas present, as well as the corresponding controls – the 3/4 central boxes of the CRA Diagram
Be a proactive listener and ask questions or provide comments
Make notes of questions that you have or comments to discuss later
Compliance Risk Assessment Steps
Identify Business Area and Metrics
Map Applicable Rules
Identify Key Compliance Risks & Themes
Define Controls Inventory
Rate Controls Effectiveness
Determine Residual Risk
Score, Rate and Report
Recap of Class 5
Financial Services Regulation
Banking Services
Deposit Taking
Lending
Fund Transfers, checking
Securities and Investments
Buying and selling stocks, bonds
Participating in Capital Markets transactions
Investment Advisory Activities
Investment Company Activities
Federal Reserve, OCC, SEC, FINRA and CFTC, plus Exchanges
FINRA Regulatory Regime
Supervision
Self-Reporting
Case Study: Prospectus Delivery
Recap of Class 6
Anti-Money Laundering and Financial Crime Risk and Controls
Anti-Money Laundering
Rule Mapping: Bank Secrecy Act, USA PATRIOT Act, EU Directives, Proceeds of Crime Act
Elements: Proceeds of crime used in banking system
Inherent Risks of Clients – Client Lifecycle (Onboarding, Processing Transactions, Refreshing Information)
Geographical Location
Type of Client
Products and Services
Client Identification serves as the primary control: KYC -- Client Due Diligence and Enhanced Due Diligence
Sanctions
Rule Mapping: OFAC, United Nations and EU Directives
Elements: Penalties imposed by one country on one or more other countries/individuals
Client Screening as a control
Anti-Bribery and Corruption (ABC)
US Foreign Corrupt Practices Act, UK Anti-Bribery Laws
Elements: Giving or receiving something of value to influence an official in the discharge of his/her public or legal duties
Client Identification
Suspicious Transaction Reporting
Filing a report with the appropriate regulatory authority when suspicious activity is identified
Strictly prohibited to disclose the filing of the report to parties involved
Recap of Class 7
Anti-Corruption
Rule Mapping
US Foreign Corrupt Practices Act
UK Bribery Statute
Travel Act, Mail/Wire Fraud and Money Laundering
A Closer Look at the FCPA
Anti-Bribery
Books and Records
Internal Controls
FCPA Elements
Offer, Promise or Give
Anything of Value
Directly or Indirectly with “Knowledge”
To a Foreign Government Official
To Influence the Official
To Obtain or Retain Business
Case Studies
Glaxo Smith Kline and Nu Skin
BNY Mellon, Och Ziff and Morgan Stanley
Recap of Class 7
Insider Trading
Definitions
Inside Information is material information that relates to the securities of an issuer that is not publicly known -- MNPI
What is Material?
Insider Trading is the buying or selling of a security with the intent to deceive and in breach of a fiduciary obligation or other relationship of trust while in possession of material non-public information
Rule Mapping
Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5 promulgated thereunder
Prohibits fraud in connection with a purchase or sale of securities
Rule 14e-3
Prohibits trading when you have MNPI about a tender offer, if you got that information directly or indirectly from someone involved in the tender offer
Section 16
Insider liability for short-swing profits (purchase/sale within 6 months)
Regulation FD
Prohibits selective disclosure by companies
Controls
Information Barriers -- Private Side and Public Side
The Control Room
Watch and Restricted Lists
Employee Trading
Surveillance
Case Studies
Galleon
Merck
Recap of Class 8
Pharmaceutical Regulation
Prohibited Acts
Adulteration
Misbranding
Definitions of “Drug” and “Device”
Drug – Intended Use/Intended to Affect
Medical Device – No Chemical Action
Drug Regulatory Framework
Enforcement Tools
Advertising and Promotion
Good Manufacturing Practice
Good Clinical Practice
Related Compliance Risks
False Claims Act
The Park Doctrine
Corporate Integrity
Drug Supply Chain Act
Recap of Class 9
Employment Law Compliance
Rule Mapping
Entitlement Laws
Anti-Discrimination Laws
Whistleblower Laws
National Labor Relations Act and Work Place Safety (OSHA – Occupational Safety and Health Act)
Immigration, Tax and common law
Pre-Employment
Background Checks: Fair Credit Reporting Act; Criminal Background: Ban the Box; Credit Checks; FINRA
Health: Americans with Disabilities Act; Drug Tests
Right Fit for the Job: Anti-Discrimination, Equal Employment Opportunity Act; Personality Assessments
Ability to Work: US Immigration Reform and Control Act (IRCA)
Employment
“At Will” Employment
Anti-Discrimination
Harassment
Retaliation
Entitlements
Whistleblower
Post-Employment
Lawful Terminations
Former Employee Risks:
Confidential Information
Intellectual Property
Disparagement
Unfairly competing/soliciting employees/clients
Defamation
Overview of Key Employment Laws
Anti-Discrimination Laws
Entitlement Laws (Wage and Hour; Leave of Absence; Benefits)
Whistleblower Protections
National Labor Relations Act (NLRA) (Unions)
Workplace Safety (OSHA)
Overview of Key Employment Laws
Immigration
Tax
Miscellaneous Other Statutes and Regulations
Background checks
Protection of private information
Many more . . . .
Patchwork of Overlapping State and Local Employment Laws
Common Law
Contract
Negligence (including negligent hiring)
Torts
The Three Phases of The Employment Relationship
Pre-Employment/On-boarding
Employment
Termination/Post-employment
At Each Phase:
Identify the business aim
Identify the legal/compliance framework
Identify the risks:
people risks
process risks
Background Checks
Generally not obligatory in private sector.
Business reasons for conducting them:
Properly vetting the applicant (avoiding “people risks”)
Possible legal exposure for not properly vetting:
Respondeat superior liability: Employee acting within scope of job
Negligent hiring: Employee acting outside scope of job
Background Checks – Process Regulations
The Fair Credit Reporting Act (“FCRA”)
Applies to background checks conducted by a background screening company
Employers must:
Disclose that it will obtain a background report
Obtain written consent from the applicant
Provide the applicant with the report and wait a reasonable amount of time before acting
Provide written notice of adverse action
Background Checks – Substantive Regulations
Restrictions on criminal background checks
“Ban the Box” laws
Hawaii
Illinois
Massachusetts
Minnesota
New Jersey
Oregon
Rhode Island
New York City
*Most of these laws exempt certain jobs (e.g., FINRA Reps; law enforcement)
*Some of these laws (e.g., NYC) allow for inquiries later in the hiring process
Background Checks – Substantive Regulations
Laws that require individual assessment (no automatic bar)
e.g., (NY Corrections Law 23-A)
(3) Does a criminal conviction disqualification discriminate based on race?
U.S. Equal Employment Opportunity Commission 2012 Enforcement Guidance recommends:
eliminating disqualification based on ANY criminal conviction
developing narrowly tailored policies ONLY excluding applicants with certain criminal convictions from certain jobs
EEOC v. BMW (Dist. S.C.) (EEOC sued BMW for overbroad exclusion of applicants with criminal convictions) (settled Sept. 2015)
Background Checks – Substantive Regulations
Credit Checks
Permitted under federal law (subject to compliance with FCRA procedures)
Prohibited in 11 states and many local jurisdictions (including NY)
Exemptions for certain positions and if mandated by law
Background Checks – Substantive Regulations
Special Rules for FINRA Registered Representatives (FINRA Rule 3110(e) (approved by SEC effective 7/1/15)
Firms must:
investigate the “good character, business repute, qualifications, and experience” of an applicant.
adopt written procedures that are reasonably designed to verify the accuracy and completeness of the information contained in an applicant’s Form U4 (Uniform Application for Securities Industry Registration or Transfer).
conduct a national search of reasonably available public records to verify the accuracy and completeness of the information contained in an applicant’s Form U4.
Health Information
Americans with Disabilities Act (ADA)
Regulates pre-employment inquiries and medical examinations (3 stages):
pre-conditional offer: no inquiries or medical exams
post-conditional offer: permitted as long as required of everyone in job category
post-hire: only if the inquiry is job related
The Genetic Information Nondiscrimination Act of 2008 (GINA)
Prohibits discrimination based on genetic information
Prohibits employers from asking about genetic information (with narrow exceptions)
A Difficult Case: United Airlines and CEO Oscar Munoz
Drug Testing
Types of drug tests:
pre-employment
random
post-accident
reasonable suspicion
periodic
return to duty
Drug Testing
Federal Laws:
ADA: a drug test is not a “medical examination”
Drug Free Workplace Act of 1988
Applies to certain federal contractors and all federal grantees
Does not mandate drug testing
Mandated for certain types of jobs (e.g., truck drivers)
State Laws:
Patchwork of laws
Uncertain impact of legalization of medical marijuana
Making Sure the Applicant is the Right “Fit” – the Interview
All Equal Employment Laws Prohibit Discrimination in the Application Process
Based on race, gender, national origin, color, religion, disability, age, citizenship (federal); and sexual orientation, marital status (many states)
Applies to: hiring, job advertisements, recruitment, testing and training.
Problematic Interview Questions (N.Y.S. Div. on Human Rights 1993):
How old are you?
Do you wish to be addressed as Miss? Mrs.? Ms.?
Are you married?
Inquiry into applicant’s ancestry, national origin or nationality
Inquiry into applicant’s religious affiliations or religious holidays observed
Where were you born?
Are you a U.S. citizen?
What year did you graduate?
What is your native language?
Making Sure the Applicant is the Right “Fit” – Formal Personality Assessments
Personality Assessments:
Tests used to assess personality, skills, cognitive abilities and other traits.
Used to test the personalities of about 60% to 70% of prospective workers in the U.S. (up from 30% to 40% about five years ago).
Typical scaled questions:
Your mood often changes without your knowing why
People say unfair things about you when you are not there
You have difficulty sleeping because of your worries
You often feel that certain people are trying to take advantage of you
Legal Issues:
Is the personality assessment an inquiry into disability in violation of the ADA?
Does the personality assessment tend to disproportionately screen out applicants based on gender or race? EEOC v. Target (settled 8/24/15; $2.8 million)
Can the Applicant Take the Job?
Immigration Reform and Control Act of 1986 (IRCA):
Employers can only employ workers authorized to work in the U.S.
Employers must timely complete Form I-9
Employer must verify expiring or expired employment authorization documents
But employers cannot discriminate based on national origin or citizenship status
Is the applicant subject to an enforceable non-competition agreement with a prior employer?
The applicant is at risk for breach of contract
The (new) employer is at risk for tortious interference with contract
“At-Will” Employment
At-will employment: Either employer or employee may terminate the employment relationship for any reason or no reason.
Can be either confirmed or vitiated in a contract, employee handbook, collective bargaining agreement
Even if employment is “at-will,” employer cannot terminate for a reason prohibited by law (e.g., discrimination, retaliation or for whistleblowing).
What employers do in order to confirm at-will employment: recite “at will” employment in offer letter or employment contract and reinforce it in employee handbook
Anti-Discrimination Laws
Federal (Statute – Protected Characteristics):
Title VII of the Civil Rights Act of 1964 – Race, color, national origin, sex, religion
Pregnancy Discrimination Act – Pregnancy
ADA – Disability
Age Discrimination in Employment Act – Age 40 and over
IRCA – Citizenship status
GINA – Genetic disposition
The Uniformed Services Employment and Reemployment Rights Act of 1994 (USERRA) – Military service
State and Local:
marital status
sexual orientation
gender identity
Anti-Discrimination Laws
Types of discrimination:
Failure to hire
Termination
Failure to promote
Demotion
Compensation
Discriminatory employment terms and conditions (e.g., transfer, training)
Harassment
Failure to provide reasonable accommodation (religion and disability)
Retaliation
Theories of discrimination:
Disparate treatment: Employee is intentionally subjected to less favorable treatment because of protected class status
Disparate impact: A seemingly neutral policy or practice unduly disadvantages individuals on the basis of their protected class (e.g., minimum height requirements may have a disparate impact on women)
The Americans with Disabilities Act – Some Unique Considerations
What the law prohibits:
Discrimination based on disability
Discriminatory Standards
Associational Discrimination
What the law requires:
Reasonable Accommodation for disabled employees
The Americans with Disabilities Act – Some Unique Considerations
Challenges:
What constitutes a protected disability?
a physical or mental impairment that substantially limits a major life activity
history of disability
regarded as having an impairment
What is a reasonable accommodation?
A workplace change that enables a disabled employee to perform the essential functions of the job
Not required if it constitutes an undue hardship
A key compliance challenge: reasonable accommodation may require exceptions to established policies
Anti-Discrimination Laws – Harassment
Two forms:
Quid pro quo harassment: “this for that”
Hostile work environment: A workplace characterized by harassment that is:
Unwelcome
Because of protected class status
Attributable to the employer
Severe or pervasive
Anti-Discrimination Laws – Harassment
Liability of employer:
If harassment is by co-worker: negligence standard
If harassment is by supervisor:
quid pro quo or tangible employment action: strict liability
hostile work environment: employer can avoid liability if:
The employer exercised reasonable care to prevent and promptly correct the harassing behavior
The employee unreasonably failed to take advantage of preventative or corrective opportunities provided by the employer
The Faragher/Ellerth affirmative defense
policies
complaint procedure
Anti-Discrimination Laws – Retaliation
Elements of a retaliation claim:
(1) Employee engaged in protected activity
complained of discrimination or harassment internally
filed a complaint with an agency or in court
participated in an investigation
(2) Adverse employment action following protected activity (e.g., fired, demoted)
(3) Causal connection between (1) and (2)
Employee Entitlements
The Family and Medical Leave Act
12 weeks of unpaid leave in a 1 year period
Reasons for leave:
Employee’s serious health condition
Care for family members with serious health conditions
Leave related to pregnancy, birth, adoption
Written policy required
Workers Compensation – injury and work loss compensation system (state law)
Unemployment Benefits – state law
Disability Benefits – state law
Affordable Care Act
Minimum essential coverage for full-time employees and their dependents
Coverage that is affordable and provides minimum value
USERRA: unpaid leave (up to 5 years) for military service; reinstatement obligations
Fair Labor Standards Act (FLSA)
FLSA – Special Considerations
FLSA Basics:
Establishes minimum wage
Requires that blue-collar (“non-exempt”) employees be paid overtime (1.5x regular rate) after working 40 hours in a single work week
Recordkeeping obligations
FLSA Challenges:
employee or independent contractor?
employee or intern?
overtime eligible or “exempt” from OT (white collar exemptions):
Administrative employees
Executive employees
Professional employees
Computer professionals
Outside sales employees
Most pharmaceutical sales reps (Christopher v. SmithKline Beecham Corp., S. Ct. 2012)
Whistleblower Protections – Public Companies and Financial Services
Sarbanes-Oxley Act (SOX)
Dodd-Frank
Two types of protected conduct:
Reporting Corporate Wrongdoing
Participating in Proceedings
Employee reports conduct that she “reasonably believes” is a violation of a “covered law”
mail fraud
wire fraud
bank fraud
securities fraud
violation of SEC rules or regulations
fraud against shareholders
Dodd-Frank includes protection of employees involved in selling consumer financial products or services
Open issue: does internal reporting qualify as protected activity?
Whistleblower Protections – Public Companies and Financial Services
Examples of violations that can be the basis of a whistleblower claim:
Market manipulation
Insider trading
Misstatements or omissions in disclosures
Corporate mismanagement resulting in breach of fiduciary duty to shareholders
Fraudulent accounting practices
Fraud by an employer’s customer:
J.P. Morgan money laundering case
FedEx mail fraud case
Whistleblower Protections – Pharma
Violations that can be subject to whistleblowing:
Failure to Comply with Current Good Manufacturing Practices (“cGMPs”): Regulations to ensure proper design, monitoring, and control of pharma manufacturing processes and facilities
Off-label Marketing: Marketing or promoting a drug for a use that the FDA has not approved
Kickbacks: Paying physicians or others to order or recommend drugs that may be paid for by a federal healthcare program
False Claims Act:
Qui Tam “Relator” Complaints
Retaliation Against Relators
Lawful Termination of Employment
Defense of the legitimate business decision:
Documented performance problems?
Progressive discipline? Warnings?
Compliance with disciplinary processes?
Temporal proximity to protected activity? (the retaliation concern)
Exposure to a potential discrimination claim?
comparison to “similarly situated” employees outside of protected class
“stray remarks”
consider the demographics of the department
Identify and maintain relevant documents, including policies and performance reviews, warnings
Lawful Termination of Employment
Enforceable separation agreement and release of claims?
Consideration ($ not otherwise entitled to)
Plainly worded
Reasonable time to consider
Special rules for release of ADEA claims
Not all claims can be released (e.g., FLSA, workers compensation, whistleblower)
Overbroad confidentiality provisions may be challenged by EEOC, NLRB, SEC
Risks Posed by Former Employees
Disclosure or unauthorized use of confidential information and trade secrets
Have the employee execute a confidentiality agreement at hire
Employee claims ownership of intellectual property she developed while employed
Have the employee execute a “work-for-hire” agreement
Disparagement of company, products, employees
Have the employee execute a non-disparagement agreement (in employment or separation agreement)
Risks Posed by Former Employees
Working for a competitor or unfairly competing
Have the employee execute a non-competition agreement
not enforceable in certain states (e.g., CA)
generally disfavored by courts
most courts require a “protectable interest” beyond desire to limit competition
restrictions must be narrowly tailored in terms of geographic scope and time period
Soliciting business’s employees or customers
Have the employee execute a non-solicit agreement
in addition to or in lieu of a non-competition agreement
courts are more likely to enforce, but still generally impose a reasonableness requirement
Wells Fargo Update Part 4
FINRA Form U-5 Filings
Form U-5s are required to be filed when a FINRA registered employee leaves a FINRA registered organization.
Form U-5s must provide information about the employee’s departure. Was it Voluntary or Involuntary?
If involuntary, did it relate to a violation of law, rules or internal policy? The U-5 also asks for a description.
Senators are now asking how many of the approximately 5,000 terminated Wells Fargo employees in the Cross-Selling matter were registered and would have required the filing of a Form U-5.
Answer is about 600, but the problem is that 400 of the U-5s did not accurately disclose what happened.
The next question was whether someone at Wells Fargo reviewed the U-5s for trends and patterns – particularly the 200 that were accurate.
Isn’t what the Senators are suggesting that the Form U-5 filings are helpful metrics?
Discussion of Assignment 8
Develop a background checklist for an entry level employee at your company and then draft a table of contents for an employee handbook based on the employment law topics discussed in class.
Background Checklist should be 2-3 pages and include the information you would like to know about a potential employee that is also legally permissible.
Table of Contents for the Employee Handbook should cover the appropriate areas of Employment Law discussed in the employee law risk lecture.
Glaxo Smith Kline -- Sex, Bribes and Videotape
November 2, 2016 news story in The New York Times outlines bribery allegations from a whistleblower that the Board failed to act on and a smear campaign on the supposed whistleblower
Allegations gain credibility when a videotape surfaces involving the Head of GSK China having sex with a partner allegedly procured by a travel agency GSK was using to facilitate the bribery . . .
But there’s more . . . look back to GSK’s $3 billion settlement in 2012 . . .
GSK Case Study
Also, review the GSK story in the New York Times and then research GSK’s 2012 $3 Billion settlement relating to Paxil, Wellbutrin and Avandia
GSK Settlements: Come to class prepared to present the issues raised in both the 2012 and 2016 Settlements, focusing your presentation on identifying the compliance risks in each of the settlements and the Compliance Program elements that could have prevented them. Also, you should be prepared to discuss how a Compliance Risk Assessment would or could have pre-identified these risks.
In class on November 9, I will select a group of three to discuss the 2012 settlement and another group of three to discuss the 2016 settlement. Selection will be random. Those not selected to present will be expected to contribute and participate in the discussion.
Third Party Risks Overview
Who are third parties?
What are the risks that are associated with third parties?
What are the controls for third party risks?
Third Party Risks
Who are third parties?
Clients?
Employees?
Those parties with whom the company has an association or relationship that is neither a client/customer nor an employee.
Suppliers
Vendors
Distributors
Agents
Consultants
Joint Venture Partners
Third Party Risks
What are the risks of doing business with third parties?
Association Risks
Solvency Risks
Competency Risks
Compliance Risks
These four risks lead to the following broader risks:
Financial Risks
Regulatory Risks
Reputational Risks
Variable Factors to Consider
Extent and level of relationship
Special characteristics/considerations of third party (e.g., jurisdiction, regulated, etc.)
Third Party Risks
JP Morgan Chase/Madoff Case Study
Background -- Exhibit B; Page 3 Paragraphs 7-8
Madoff as Third Party -- Exhibit C; Page 8 Paragraphs 33-36
Understanding the JPMC Madoff Linked Structured Product
(linked to the performance of Madoff Hedge Fund)
Madoff as Client Exhibit C; Page 2 Paragraphs 7 – 12 and 22-28
Understanding the account balance inflation arrangement
Suspicions Begin
Exhibit C Page 9 Paragraphs 37-53
And the third party risks for JPMC become real
Third Party Risks
JP Morgan Chase/Madoff Case Study
Understanding the JPMC Structured Product (linked to the performance of Madoff Hedge Fund)
Client buys a 3 year fixed income note in the principal amount of $500,000 (bond that is issued by JPMC) that pays 2% interest
Client and JPMC agree that interest payments will be treated as if the 2% interest payment is invested in the Madoff Hedge Fund
JPMC Note matures in 3 years and client receives the principal amount of note plus any money that might be due from being linked to the Madoff Fund
Diagram of the product flow:
Client buys $500,000 note with $10,000 in interest
JPMC treats $10,000 interest payment as if it were invested in Madoff
Note matures and client receives principal back plus returns of Madoff
This is a derivative instrument
Third Party Risks
JP Morgan Chase/Madoff Case Study
What are the risks posed by Madoff as a Third Party to JP Morgan Chase?
What are the controls to mitigate/manage that risk?
JP Morgan Chase
Madoff Hedge Fund linked to JPMC Structured Products
Madoff Securities as JPMC Client
Third Party Risks
Examples of Other Third Party Relationships
Controls for Third Party Risk Management
Policies and Procedures
Due Diligence (perhaps modified from regular client due diligence or perhaps not, depending on the complexity and level of association)
Written Agreement
On-going monitoring
Periodic Review of Relationship and Controls
Laboratory: Design the components of a policy to manage third party risk at Merck.
Third Party Risks
Back to the JPMC/Madoff Case Study
The Rest of the Story
Deferred Prosecution Agreement with JPMC over its AML
Program and failure to file SARs
$1.7 billion in penalties
Our class comes full circle . . .
Compliance Program Exhibit C Paragraphs 13-21
KYC: Exhibit C Paragraphs 22-28 The Check Scheme
Due Diligence of Clients and Third Parties (Exhibit C Paragraph
32 and then Paragraphs 37-53)
Client and Provider information sharing
Penalty of JPMC
Who accepted the Deferred Prosecution Agreement?
Third Party Risk: A Risk Topic or Risk Driver?
Third Party Risk resembles Client Risk
Think back to AML and Client ID
The type of client (high risk, low risk) tends to drive inherent
risk
PEPs
Clients from sensitive countries
Third Party Risk is similar to AML/Client ID
The type of third party relationship tends to drive inherent risk
Geographic jurisdiction of third parties
Regulated status
Public or private company
Intellectual Property Overview
What is “Intellectual Property?”
Black’s Law Dictionary: Category of intangible rights
protecting commercially valuable products of the human
intellect
Inventions
Creative Expressions
Trademark
For which there is a public interest in conferring property rights
on the creators
What are the primary legal protections associated with
intellectual property?
Patent
Copyright
Trademark
Also includes trade secrets, trade dress and publicity rights.
Intellectual Property Overview
Rule Mapping for IP
US Patent Laws
US Trademark Act of 1946
Patent Cooperation Treaty 1978
World Intellectual Property Organization (UN)
US Copyright Act of 1976
Digital Millennium Copyright Act of 1998
Berne Convention for Copyrights
Protections
Patents for 14 years from the date of filing EXCEPT for food
and drugs which is 7 years from the date of filing or 5 years
from the date of patent whichever is earlier
Copyright is generally 70 years after date of creation in a fixed,
tangible form
Questions abound about what is patentable/protectable
Intellectual Property and Pharmaceuticals
Hatch-Waxman Act of 1984 (the Drug Price Competition and
Patent Term Restoration Act)
Designed to speed up generic drugs to compete with patented
pharmaceuticals
Established the Abbreviated New Drug Application (“ANDA”)
Abbreviated Process for Generics
Generic manufacturer files an “Abbreviated New Drug
Application” that must demonstrate:
The generic is “bioequivalent” to the protected drug AND
The patent is invalid or will not be infringed
If the original patent holder decides to challenge the ANDA, the
ANDA is then given a 30 month stay while patent owner can
challenge the bio-equivalency and patent claims in court
ANDA Filer receives a 180 day exclusivity
Intellectual Property and Pharmaceuticals
What are the IP Risks?
Loss of money and market share if intellectual property is not
properly protected
Subject to penalties and litigation when a company infringes
another company’s properly protected intellectual property
Special considerations for generic drug applications
Downstream consequential risk: Off-label marketing
Controls
Policies and procedures
Training for Research and Development Employees
Monitoring of R&D activities
Market surveillance for infringement by others
Third Party and Intellectual Property Risks
Third Party Risk Controls
Policies and Procedures
Written Agreement
Due Diligence (perhaps modified from regular client due
diligence or perhaps not depending on the complexity and level
of association)
On-going monitoring
Periodic Review of Relationship and Controls
IP Risk Controls
Policies and procedures
Training for Research and Development Employees
Monitoring of R&D activities for infringement
Market surveillance for infringement by others
Classes 11 and 12
Class 11
A Closer Look at Metrics and Inherent Risk
Rating and Reporting the Risk Assessment
Putting It Together: CRA from Start to Finish and Preparing for
the Laboratory
Exam Discussion
Class 12
CRA Laboratory
Employee Interviews for Inherent Risk and Control
Effectiveness
Determining Residual Risk
Assignment 9 (final scored assignment)
Draft notes and questions for an interview with a senior
executive in charge of manufacturing in your pharmaceutical
company about the use of third party suppliers. Be prepared to
hand in this assignment at the beginning of class on November
23.
Drafting questions for an interview with a senior executive.
Start with questions about the basics of the business unit that
the senior executive is in charge of
Move next to questions about the risks presented by the use of
third party providers
Remember to have questions that seek to determine the variable
factors of complexity and extent of the third party relationship
Move to questions about the controls in place for third party
providers – remember the critical piece is assessing the
effectiveness of the controls
Try to have your questions logically follow each other and
avoid jumping around
Use topic headers to signal a change in subject area of your
questions
Use notes to explain additional information/potential
answers/analysis behind questions/decision behind not asking