2. REPRINT | FW November 2016 | www.financierworldwide.com
Corporate fraud is a global issue that damages reputations, costs millions (if not
billions) and ruins untold lives. That said, in recent years there has been a crackdown
on a broad range of corporate fraud, with the DOJ’s Yates Memorandum in the US and
the first DPAs in the UK among the high-profile attempts at redress. Ultimately though,
corporate fraud respects no boundaries of any kind and remains a pervasive problem
with the capacity to seriously impact any business, at any time.
C O R P O R A T E F R A U D
R O U N D T A B L E
C O R P O R AT E F R A U D
8
James D. Ratley
President and CEO, Association of Certified
Fraud Examiners
T: +1 (800) 245 3321
E: jratley@acfe.com
www.acfe.com
James D. Ratley, CFE, has worked as part of the Association of Certified Fraud Examiners (ACFE)
since 1988 and now serves as president and CEO. In this role, he works to promote the ACFE to the
public and other professional organisations and continues to assist in the development of anti-fraud
products and services to meet the needs of the ACFE’s members. In addition, he is a member of the
ACFE’s faculty, and teaches regularly at workshops and conferences.
THE MODERATOR
3. ROUNDtable
www.financierworldwide.com | November 2016 FW | REPRINT
Greg D. Andres
Partner, Davis Polk & Wardwell LLP
T: +1 (212) 450 4000
E: greg.andres@davispolk.com
www.davispolk.com
Greg Andres is a litigation partner at Davis Polk, concentrating in white-collar defence. He
has represented individuals, financial institutions and other entities in regulatory and criminal
investigations involving market manipulation, insider trading, securities, procurement and tax fraud,
and money laundering. He previously held senior positions at the Department of Justice, including
Deputy Assistant Attorney General in the Criminal Division and Criminal Division Chief at the US
Attorney’s Office in the Eastern District of New York.
Maxwell Carr-Howard
Partner, Dentons
T: +44 (0)20 7320 5508
E: maxwell.carr-howard@dentons.com
www.dentons.com
Maxwell Carr-Howard is a partner and member of Dentons’ Litigation and Dispute Resolution
practice specialising in white-collar and government investigations. As a former assistant United
States attorney and a longtime practitioner, Mr Carr-Howard is experienced in conducting
complex transnational investigations and defending cross-border enforcement actions involving
anticorruption, antitrust and money laundering regulatory schemes, as well as litigation involving
US economic sanctions, embargoes and export controls.
Nick Matthews
Managing Director, Duff & Phelps LLP
T: +44 (0)20 7089 4813
E: nicolas.matthews@duffandphelps.com
www.duffandphelps.com
Nick Matthews is a managing director in Duff & Phelps’ UK Dispute and Investigations practice. He
has led projects in the UK, Europe, Caribbean and the US. A particular focus has been financial crime,
including AML and ABC. Mr Matthews previously managed the firm’s Cayman Islands practice and
was appointed liquidator over a number of collapsed investment funds.
Ali Sallaway
Partner, Freshfields
T: +44 (0)20 7936 4000
E: ali.sallaway@freshfields.com
www.freshfields.com
Ali Sallaway is a partner in the Corporate Crime team and co-head of Freshfields Global Investigations
practice in London. With a record of acting on significant cross-border and domestic investigations for
clients in all sectors, Ms Sallaway specialises in corporate and financial crime defence and regulatory
enforcement actions. She has significant expertise handling fraud, bribery/corruption, money laundering
and terrorism related matters and in relation to market abuse, disclosure and listing obligations for
listed companies.
Ellen Zimiles
Managing Director, Navigant, Inc.
T: +1 (212) 554 2602
E: ellen.zimiles@navigant.com
www.navigant.com
Ellen Zimiles is head of Navigant’s financial risk and compliance business segment and its global
investigations & compliance practice. She has more than 30 years of litigation and investigation
experience, including 10 years as a federal prosecutor. Ms Zimiles is a leading authority on fraud
control, anti-money laundering programmes, corporate governance, foreign and domestic public
corruption matters, regulatory and corporate compliance and monitorships.
THE PANELLISTS
Andrew Grantham
Managing Director, AlixPartners UK LLP
T: +44 (0)20 7098 7474
E: agrantham@alixpartners.com
www.alixpartners.com
Andrew Grantham has dealt with financial investigations and expert witness assignments since
1991. His experience as a forensic accountant includes corporate investigations, financial
accounting and reporting, litigation consulting and auditing. Mr Grantham has also been involved
in major financial investigations, particularly in assisting corporate clients with fraud investigations
or by way of carrying out forensic audits of transactions or companies. He has also given expert
evidence in criminal proceedings brought against a director in respect of fraudulent trading.
Robert N. Sikellis
Chief Counsel Compliance, Siemens AG
T: +49 89 636 32523
E: robert.sikellis@siemens.com
www.siemens.com
Robert N. Sikellis is chief counsel compliance for Siemens AG. In this capacity, Mr Sikellis leads
the global compliance governance organisation for the legal compliance management, compliance
policies, internal investigations, disciplinary sanctions and remediation and compliance in mergers
and acquisitions. Prior to assuming his current position, Mr Sikellis held a number of important
leadership roles within Siemens, including most recently senior vice president & general counsel of
Siemens North East Asia and Siemens Ltd., China.
Elizabeth Robertson
Partner, Skadden, Arps, Slate, Meagher & Flom
(UK) LLP
T: +44 (0)20 7519 7115
E: elizabeth.robertson@skadden.com
www.skadden.com
Elizabeth Robertson is a partner in Skadden’s Government Enforcement and White Collar Crime
practice, based in London. Ms Robertson has more than 20 years of experience advising on
multijurisdictional white-collar crime cases involving allegations of fraud, corruption and money
laundering, and on internal investigations. She regularly represents clients facing prosecution by
the Serious Fraud Office, the Financial Conduct Authority and other regulatory agencies around the
globe.
4. ROUNDtable
REPRINT | FW November 2016 | www.financierworldwide.com
Ratley: Could you provide an overview of the types of corpo-
rate fraud that are typically being seen across the current fi-
nancial and economic landscape?
Grantham: The types of corporate frauds we are seeing are noth-
ing new, however, the methods by which they are perpetrated con-
tinues to evolve as technology advances. For example, we are see-
ing an uptick in activity involving compromised email as well as
cyber crime targeting senior executives. Through hacking and open
source research, criminals can gain unauthorised access to com-
pany systems and individuals and make credible requests for funds
to be transferred to a false bank account. Once the transaction has
been made, it is quite difficult to recover the stolen funds. This is an
example of a traditional fraud employing modern technology.
Zimiles: Corporate related fraud and white-collar crime trends con-
tinue to be the traditional crimes observed in previous years, with
augmentation through technology. The increased use of phishing
and malware programs has led to large scale identity theft schemes
in both the public and private sector. Hackers are illegally trading
through consumer bank and brokerage accounts and stealing funds.
Denial of service schemes have shut down company websites, pre-
venting them from conducting business. Digital currency such as
bitcoin has given criminals a new way to mask their identity. The
insider threat puts company assets and sensitive and proprietary
data at risk as well as presenting the potential for compromise of
employee personally identifiable information (PII). Simultane-
ously, typical fraud and misconduct schemes such as embezzle-
ment and misappropriation of corporate assets, insider trading and
money laundering continue to occur.
Matthews: While ‘traditional’ frauds such as false suppliers and
misappropriation continue, cyber crime in its various guises is a
major issue. This includes intellectual property theft by outsiders,
insiders or ex-employees, through to theft of a company’s own fi-
nancial information or that of its clients and customers. The use of
‘ransomware’, where hackers threaten to disable systems or delete
data unless a ransom is paid is also becoming an industry itself.
There is a perfect storm of greater access to technology and tech-
nological advances, coinciding with businesses of all sizes being
increasingly reliant on web-enabled business. Payment channels,
procurement, relationships with remote and unknown third parties
and sales transactions all offer potential entry points for fraud-
sters.
Sikellis: Globally, the enforcement environment remains very ac-
tive. Currently in the US, there does not seem to be a clear single
focus area, as the Foreign Corrupt Practices Act (FCPA) had been
in the past, for example. That is not to say that the FCPA is not a
priority – the Department of Justice (DOJ) has doubled the num-
ber of attorneys in the FCPA unit. Financial service sector fraud
has been in the spotlight after the Libor and other bank issues and
it will be interesting to see what happens in the aftermath of the
Wells Fargo scandal. Export enforcement was predicted to be on
the rise, but that now may not be such a hot topic with the easing
of sanctions on Iran and Cuba. Healthcare is always a focus. In Eu-
rope, as a reaction to the Volkswagen scandal, it seems likely that
authorities will begin focusing on similar or other forms of techni-
cal fraud, such as when companies improperly influence tenders or
defraud consumers with manipulated technical data.
Carr-Howard: Fraud is fraud. It is simply using deception to gain
financially. I think that focusing on types of fraud can take us away
from the simplicity of both the act of fraud and the means to fight
it. Fraud is nothing more than a lie intended to produce monetary
gain. It doesn’t matter if the victim is an employer, a business part-
ner, a government, a consumer, a supplier or a customer. If some-
thing of value is provided based on a lie, it is fraud. That conduct
may be called money-laundering, corruption, embezzlement, or
something else. But the common element is a lie – sometimes a
lie by omission. As soon as one scheme to defraud becomes suc-
cessful it is often mimicked, and then as it proliferates systems are
adopted to fight that particular scheme. A focus on the lie common
to all forms of fraud – by requiring transparency and confirmation,
not mere trust – is the key to minimising the risk of fraud. Not
merely chasing the fraud du jour.
Andres: The types of fraud that have roiled corporations for the
past decade – money laundering, market manipulation and bribery,
to name a few – are unfortunately still prevalent, but with advances
in technology and the increasingly global nature of business, the
challenges posed by these issues are growing more complex. In-
creased use of technology has facilitated real-time communication
between industry players, leading to new issues like inter-bank
manipulation, as seen with the recent Libor and foreign exchange
cases. New technology has also led to the proliferation of contro-
versial and possibly illegal trading practices. Similarly, as relation-
ships and operations spread across the globe, corporations are con-
fronting new business cultures and expectations while navigating
varied, and not always harmonious, legal and regulatory systems.
Sallaway: In recent years we have seen a broad range of types
of corporate fraud being investigated and prosecuted in the UK.
Bribery and corruption makes up a significant proportion of known
investigations and prosecutions, including the first deferred pros-
ecution agreements (DPAs) for Standard Bank and XYZ, but other
instances of corporate fraud are also increasingly attracting the at-
tention of prosecutors. Of course, the Libor and Euribor cases re-
lating to the alleged manipulation of interest rates are well-known.
In addition to this, we are seeing that cyber fraud is an area of real
concern and focus for financial institutions in particular.
Ratley: Using recent and noteworthy corporate-fraud cases,
could you describe the current landscape of corporate fraud
in your region? What are the most important lessons from the
outcome of those cases for the corporate world?
Zimiles: Cases such as Volkswagen and 1MDB demonstrate signif-
icant allegations of compliance violations which can occur without
a system of ethics and compliance that starts at the top of an organi-
sation. Compliance lessons from those investigations are similar 8
Corporate related fraud and white-
collar crime trends continue to be the
traditional crimes observed in previous
years, with augmentation through
technology.
ELLEN ZIMILES
5. ROUNDtable
www.financierworldwide.com | November 2016 FW | REPRINT
to past cases wherein companies were subjected to forfeitures and
fines in the millions and billions of dollars. Board members should
be regularly apprised of the status of the company’s fraud and com-
pliance programme, its enforcement, and any current or potential
violations under review. Company leadership must take ownership
in compliance to reduce fraud in their organisations. Improved ed-
ucation and training on regulatory requirements and expectations
that impact the organisation is necessary. Boards should have an
enhanced understanding of the risks their organisations face that
could expose them to criminal and regulatory liability, and under-
stand the processes, procedures and controls that the organisation
has developed and implemented to mitigate those risks.
Grantham: In the UK, the Serious Fraud Office (SFO) secured
its second DPA in July and its director, David Green, intimated
that others are in the pipeline. This case highlights the importance
of operating an effective compliance programme, as the criminal-
ity only came to light when the parent company implemented a
global compliance programme, which enabled it to detect possible
concerns regarding the way in which some contracts had been
awarded. This discovery enabled the company to conduct an inter-
nal investigation and initiate self-disclosure to the SFO. The case
also highlighted the importance of self-reporting and cooperation
with the prosecutor, both of which were mitigating factors that
were taken into account when approving the DPA.
Sallaway: It is interesting to compare the UK’s first section 7 Brib-
ery Act resolutions: the Standard Bank and XYZ DPAs and Sweett
Group’s guilty plea. Companies hoping to enter into a DPA should
note that the SFO set the bar for cooperation at a very high level
with Standard Bank. By law, any financial penalty under a DPA
must be broadly comparable to a fine the court would impose fol-
lowing a guilty plea proffered at the earliest opportunity. In its DPA,
Standard Bank received a one-third discount, which is what Sweett
– the first section 7 conviction – received. In the second DPA in-
volving XYZ Ltd, a 50 percent discount was considered appropri-
ate, principally “to encourage others how to conduct themselves”.
If DPAs are to effectively encourage self-reporting, then discounts
of – at least – the magnitude given in XYZ need to be on offer. In
such circumstances, the SFO itself recognises that companies need
to see that they are better off if they have fully cooperated.
Robertson: Without doubt, the SFO’s two DPAs and the prosecu-
tion of two companies for bribery and corruption are noteworthy.
Important issues should be considered in settling a DPA. First, the
company is required to make a declaration stating that it has pro-
vided accurate and non-misleading information. In practice it is
not straightforward to provide this declaration and care should be
taken. Second, the statement of facts is a crucial document and
should be negotiated carefully. Third, the naming of individuals is
still an area of uncertainty – issues could arise where the individual
has been named in the US but not in the UK. Fourth, a confidential-
ity undertaking regarding the terms and content of negotiations is
usually made, however this can be an issue if the company is listed
and has obligations to announce on the market. Finally, in XYZ,
the American model was adopted, where the company provided
oral summaries while still preserving the actual witness accounts
as privileged.
Andres: One lesson is that misconduct is rarely isolated to one
institution. If regulators find an issue at one entity, other companies
in that field should take notice and look at their own practices. Reg-
ulators are increasingly pursuing industry-wide investigations as a
means of regulating and enforcing market integrity. For instance,
regulators looked at a broad swathe of players around foreign ex-
change price-fixing and mortgage fraud as specific issues came
to light. Another trend is that the DOJ is increasingly willing to
require a corporation to plead guilty, as it and other US regulators
are raising the bar to receive a non-prosecution agreement (NPA)
or DPA. Self-disclosure and cooperation are more important than
ever to obtaining a favourable resolution.
Carr-Howard: The DOJ’s historic loss in McDonnell v. United
States will have a dramatic impact for years to come in corruption
prosecutions. While it was clearly established that the disgraced
governor of Virginia had accepted lavish gifts and loans from a
prominent businessman, the US Supreme Court reversed his con-
viction. It held that the complained of gifts could not constitute
bribery as the governor merely organised meetings with key gov-
ernment officials. Because he took no “official act” – such as mak-
ing a formal decision or signing a contract – the lavish gifts did not
constitute bribery under US law. The evidentiary burden on the
prosecution has grown dramatically in domestic bribery and this
may well present serious challenges to foreign corruption prosecu-
tions as well.
Sikellis: The Volkswagen case is probably the most noteworthy
case this year. In many ways, that scandal was unlike anything we
had seen before because it stemmed from engineering problems
and not business operations. Many companies are now evaluating
what risk they may have in this area and whether engineering is-
sues should be a focus of compliance. Another interesting matter is
the impact of the wide variety of internal fraud cases in banks. The
Berlin Airport case and some other cases in Germany show us that
the public and prosecutors remain focused on cases where it is sus-
pected that companies defrauded the state in connection with major
building projects that are delayed or significantly over budget.
Ratley:Apart from specific case examples, what were the other
major regulatory or legal developments in the corporate fraud
landscape over the past 12 months? What impact have those
developments had on corporate governance?
Matthews: UK financial regulators are ramping up the pressure on
firms and individuals, increasing accountability in the banking and
financial services sector. Specifically, the Senior Managers Regime
and Certification Regimes place a greater burden on firms to define
the role of senior management and ensure that only suitable individ-
uals fill those roles, as well as placing a statutory responsibility on
senior managers to prevent breaches in their area of responsibility.
Meanwhile, the regulators continue to require firms to ‘attest’ that 8
Companies hoping to enter into a DPA
should note that the SFO set the bar
for cooperation at a very high level with
Standard Bank.
ALI SALLAWAY
6. ROUNDtable
REPRINT | FW November 2016 | www.financierworldwide.com
controls are adequate. Recent developments in the financial sector
have also been aimed at ensuring that whistleblowing reports are
dealt with appropriately and whistleblowers are protected. Further
ahead, fraudsters will undoubtedly seek to exploit the uncertainty
surrounding Brexit, whether via cyber-based routes or more tradi-
tional means, seeking to take advantage of confusion over potential
changes to contractual terms and regulations, especially firms with
cross-border operations.
Sikellis: There have been quite a few important and interesting
developments. Two that come to mind involve developments in
the US. In April, the DOJ introduced a one-year programme that
offered significant credit for the self-disclosure, full cooperation
and remediation of unlawful activity. It will be very interesting
to see the results of the programme next year. And of course, we
are now one year into application of the so-called ‘Yates Memo’,
which signalled a focus on the prosecution of individuals and set a
high bar for companies that seek credit for cooperation. Companies
must now provide all relevant information pertaining to employee
misconduct as a prerequisite for any cooperation credit.
Sallaway: The past 12 months have seen an increasing appetite by
the authorities to hold individuals to account for corporate failings.
In financial services this is, to some extent, driven by a percep-
tion that shareholders of public companies have effectively been
punished for corporate wrongdoing, due to penalties imposed on
companies, whereas senior management who may allegedly have
been involved in misconduct, or turned a blind eye to it, escaped
punishment. This trend has been brought into sharp focus with the
introduction of the Senior Managers Regime, which requires banks
and certain other financial institutions to identify the functions se-
nior individuals are responsible for, thereby increasing individual
accountability. Investors, governments and the general public,
aided by the media, are increasingly scrutinising the actions and
knowledge of management. This means that effective corporate
governance and compliance is more important than ever.
Andres: US regulators have been trying to set clear guidelines for
corporations to follow when they discover misconduct, in the hope
that transparency will incentivise greater cooperation and disclo-
sure. The clearest example of this is the Yates Memo, which sets
forth a list of factors for obtaining cooperation credit and refocuses
the DOJ’s energy on prosecuting individuals. More tailored exam-
ples are the DOJ’s new FCPA Pilot Program, which lists require-
ments for obtaining a DPA or NPA after an FCPA violation, and
DOJ Tax Division’s Swiss Bank Program, which concluded its first
phase this year with at least 78 NPAs reached with Swiss banks that
disclosed criminal tax offences.
Carr-Howard: The biggest change in US enforcement is the
renewed focus on the individual as outlined in the Yates Memo,
issued by the US Deputy Attorney General Sally Quillian Yates.
While initially viewed as a reiteration of past policy, it is apparent
that the DOJ is seeking far greater detail about specific individuals’
role in corporate decisions under review. The impact this new focus
will have on corporations’ ability to effectively conduct internal
investigations is yet to be determined, but it certainly raises new
challenges.
Grantham: Aggressive pursuit of bribery and corruption viola-
tions remains high on the agenda for global prosecutors. In the US,
the DOJ announced that it had substantially increased its resources
to investigate and prosecute FCPAviolations and the Securities and
Exchange Commission (SEC) reported in September that it had
filed more actions in 2016 than it had compared to the same time
last year. In the UK, we continue to see indications that the SFO
foresee additional charges under the Bribery Act. These would fol-
low the first two DPAs and the first conviction under section 7 for
failing to prevent bribery, all of which occurred in the last year.
Authorities are increasingly demanding a more proactive and par-
ticipative approach from those under investigation, encouraging
timely self-reporting and ongoing cooperation.
Zimiles: Shareholder activism continues to be a major influence
affecting corporate governance. Boards are under tremendous
pressure to not only strengthen company controls in response to
continuing corporate scandals but shareholders are also demanding
greater accountability. Shareholders are seeking more influence
and stronger tools to promote greater transparency and account-
ability from their boards.
Ratley: What regulatory or legislative changes directed at
curbing corporate fraud and misconduct do you expect to see
emerge in the next 12 months or so?
Sikellis: This is hard to predict of course. Common sense dictates
that two likely areas for regulation are in the financial service in-
dustry and cyber fraud. Both of these areas have a direct impact on
consumers and that normally puts pressure on executive branch-
es and legislators to do something. Similarly, privacy will likely
remain in the spotlight as WikiLeaks-like and hacking activity
continues to occur. In Germany, there are also discussions about
increasing the rights of whistleblowers and their protection under
the law.
Robertson: I anticipate that the area of tax transparency will con-
tinue to be a big issue in the UK and globally. The UK’s proposal
for corporate criminal penalties for failure to prevent tax evasion
are part of an expanding universe of domestic and international
measures aimed at transparency and preventing tax evasion. The
consultation for the proposed failure to prevent criminal tax eva-
sion draft legislation ended this summer and most commentators
expect it to come into force by spring 2017. The Act, if implement-
ed, will have extraterritorial effect. There are two different tests for
the two categories of tax evasion: UK and non-UK. For evasion
of UK tax liabilities, the facilitation offence can be committed by
a UK or non UK corporate anywhere in the world. For evasion of
non-UK tax liabilities, the tax evasion offence must be an offence
in both the non-UK jurisdiction and the UK. The statute aims to
improve governance and make it easier to prosecute the corporate
‘directing mind’, not just employees. The draft bill has broad appli- 8
I anticipate that the area of tax
transparency will continue to be a big
issue in the UK and globally.
ELIZABETH ROBERTSON
7. ROUNDtable
www.financierworldwide.com | November 2016 FW | REPRINT
cation with limited carve outs and will extend to third parties and
overseas subsidiaries under the control of the business.
Andres: The next 12 months will be a transition period as a new
administration enters the White House. Amid personnel changes
and time spent taking stock of the past eight years, we are unlikely
to see major regulatory or legislative changes absent a significant
market event. We may start to see clues that hint at new priorities,
but any administration will likely be looking to build on previous
enforcement successes in its first year in office. Companies can
expect a continued focus on individual accountability, expanded
coordination between US regulators and those abroad – which as-
sistant attorney general Leslie Caldwell recently called the “future
of major white-collar criminal enforcement” – as well as increased
whistleblower actions and assessments of recent initiatives like the
FCPA Pilot Program, currently scheduled to expire in April 2017.
Sallaway: The next year or so looks like it will be quite an active
one as far as legislative and regulatory changes are concerned, with
the introduction of registers of beneficial ownership, strengthening
of the anti-money laundering regime and, notably, the extension
of the ‘failure to prevent’ model for corporate criminal liability,
which already applies to bribery. Next year, two new offences on
the failure to prevent the facilitation of tax evasion are expected.
In the longer term, the government has said it plans to extend this
model to other economic crimes such as money-laundering, fraud
and false accounting. Law enforcers complain that attributing li-
ability to large multinational companies through the identification
principle – where someone who is effectively the embodiment or
directing mind and will of the company must be involved in the
criminal conduct – can make it very difficult to secure convictions
of large companies. The ‘failure to prevent economic crime’ of-
fence, if it does come into force, would overcome this obstacle by
creating a strict liability regime akin to vicarious liability. The con-
sultation is expected soon, although the government has changed
its position on this previously. In September 2015, the government
indicated the reform had been dropped, only to revive the plans
earlier this year.
Grantham: In the next 12 months I expect to see tougher legis-
lation to combat money laundering and the financing of terror-
ism. Although this has been a priority for some time, and banks
have naturally taken the lead by strengthening their compliance
programmes and transaction monitoring processes, there is an in-
creasing risk of funds being funnelled through other organisations,
such as charities or non-profit organisations and investment funds.
Additional risks are beginning to surface through the use of virtual
currencies and prepaid cards.
Zimiles: There will be a new administration and Congress in Janu-
ary 2017. It can be assumed that there is likely to be a continued
focus on how well corporate governance is addressing and combat-
ing corporate fraud and misconduct as recent corporate scandals
continue to be investigated and adjudicated. The specific direction,
priorities and objectives of the Congress and the administration is
difficult to predict.
Matthews: The UK corporate offence of failing to prevent eco-
nomic crime is now back in play with the new government, having
previously been proposed and discarded. Hot on its heels is the
corporate offence of failing to prevent the criminal facilitation of
tax evasion, which will impact the offshore and onshore financial
sector. Fund managers, trustees and directors will need to ensure
that their procedures are ‘reasonable in all the circumstances’ to
ensure that vehicles for which they are responsible are not abused.
The concept of ‘adequate procedures’as a defence came in with the
UK Bribery Act 2010, and its extension to other corporate crimi-
nality is not unexpected. The Ministry of Justice stresses that it is
for businesses to design procedures appropriate to their own needs.
Separately, in the data security arena, the General Data Protection
Regulations will impact how EU businesses protect their custom-
ers and employees’ information.
Ratley: In your opinion, do boards and senior executives take
a sufficiently proactive approach toward reducing the risk of
fraud within their organisation?
Robertson: It is difficult to generalise and inevitably the larger or-
ganisations have more sophisticated systems and controls and are
often better resourced. Also, extractive industries such as pharma
and the financial services sectors are used to a more regulated en-
vironment and have been the subject of more enforcement. The
recent focus on individual criminal liability by the DOJ in the US
and by the SFO in the UK has made board members, non-execu-
tive directors and senior executives more cognisant of the need to
ensure that proper procedures and system are in place.
Andres: Boards and senior executives increasingly understand
the need for a compliance-oriented corporate culture that perme-
ates all levels and divisions of the business. Regulators have made
clear that an effective compliance programme requires constant
vigilance and adaptation at all levels of a company, and that those
in charge cannot insulate themselves from liability for corporate
misconduct. As recently demonstrated when the SEC charged the
CEO of a financial services firm for an FCPA violation, and again
when the CEO of Wells Fargo saw his compensation clawed back,
there are consequences when executives do not play an active role
in their corporation’s compliance efforts.
Grantham: There are steps that companies and their senior man-
agement can take to stay ahead of the risks posed by both external
and insider threats. As innovation in technology becomes more
advanced, fraudsters are developing new means of accessing and
exploiting company information and assets for their personal ben-
efit. The consequences of failing to sufficiently address the risk of
fraud can be significant: lengthy and costly investigations, poten-
tial intervention by regulators, reputational damage and potential
criminal sanctions.
Matthews: Some may prefer not to complicate fraud prevention
measures unduly, especially if they perceive the risk as low. In
particular, management may underestimate their attractiveness and 8
The UK corporate offence of failing to
prevent economic crime is now back in
play with the new government, having
previously been proposed and discarded.
NICK MATTHEWS
8. ROUNDtable
REPRINT | FW November 2016 | www.financierworldwide.com
vulnerability to cyber criminals, especially if they are not operat-
ing in the financial services space. In regulated industries, C-suite
executives are more focused on these issues, not least due to regu-
latory, political and public scrutiny on the sector.
Zimiles: Increasingly, boards and senior executives are more pro-
active as they react to law enforcement and regulatory actions that
their peers are undergoing. Moreover, senior executives face in-
creasingly aggressive shareholder demands for restitution of eco-
nomic losses and to claw-back senior executive compensation.
Carr-Howard: It is human nature to believe that while fraud ex-
ists, it is ‘out there’ and wouldn’t be committed by ‘our people’.
The desire to trust your own, and distrust others is natural. But
it is a human reaction that fraudsters take advantage of everyday.
Unfortunately, this aspect of human nature often blinds boards to
the substantial risk of fraud from within. Boards are made up of
human beings, of course, and they have the same blind-spots and
natural desire to trust their own as any other person. Key is recog-
nising these blind-spots and the fact that they create the greatest
risk of fraud so that boards can create compliance programmes that
require inquiries even when trust is well established.
Sallaway: It is difficult to generalise as to the approach of boards
and senior executives to managing and reducing the risk of fraud.
Each company faces different risks, depending on, among other
things, the sector it operates in, the jurisdictions where it is present,
and the policies and procedures it already has in place. It is trite to
say that in any company there is always room for improvement.
And we have seen an increasingly proactive approach by boards
and senior management to reducing the risk of fraud.
Sikellis: I would find it very surprising if today boards and senior
executives fail to take such topics seriously. The experience quite
clearly is that clean business is good business. This is especially
true in our current regulatory environment where compliance mis-
steps could have very serious and wide ranging consequences for
companies and the executives themselves.
Ratley: How would you advise companies to go about setting
up systems to detect potential fraud and corruption? Further-
more, what measures should they take to strengthen their in-
ternal procurement and supply chain processes?
Andres: Every compliance programme will vary by company, de-
pending on factors like its nature, size and corporate personality.
However, best practices are frequently lauded by regulators and
industry groups. Companies should pursue a fundamental set of
goals in designing and updating their internal controls, examin-
ing whether their programmes address root issues, empowering
ground-level employees to serve as gatekeepers and ensuring that
a compliance mentality pervades all aspects of the organisation.
Companies must maintain open communication between different
groups responsible for legal and regulatory compliance, fostering
an atmosphere where employees are encouraged to raise issues. A
successful programme must also be proactive, looking for issues
before they arise and evolving to respond to new challenges.
Matthews:Arisk-based approach, tailored to the business’s needs,
can work best when establishing systems to prevent and detect po-
tential fraud and corruption. First, conduct a risk assessment, in-
cluding internal and external risks, asset security, ABC and cyber
threat assessment. Second, design mitigating controls that are ap-
propriate for the business. Third, implement, including training and
communication. Finally, monitor compliance and review adequacy
as the business evolves. Having an incident response plan is an im-
portant element, especially for cyber issues. A key element to any
effective system is the corporate culture set by senior management,
the ‘tone from the top’, as well as nurturing an effective, indepen-
dent whistleblowing system.
Zimiles: An effective system of controls to detect potential fraud
and corruption requires several components that are well designed,
effectively communicated, properly executed, and adapted as nec-
essary to address new emerging risks. The system should include
a comprehensive risk assessment that addresses the potential im-
pact from both internal and external risks, which is also monitored
and revised in order to strengthen existing controls and develop
new controls as necessary. It should have internal controls that are
not only designed consistent with the risk assessment, but also ex-
ecuted by everyone involved in the various processes. Significant
fraudulent activity does not always require a systemic failure in
controls, but can also exploit weaknesses caused by failures of a
small number of stakeholders with key roles in the process. In ad-
dition, a code of conduct and ethics policies must be endorsed by
the board and top management, and requires accountability from
the top and throughout the organisation.
Carr-Howard: A business’ commitment to compliance with anti-
bribery, antitrust, anti-money laundering, and know your customer
(KYC) laws can provide an opportunity to fight the risk of both
external and internal fraud and corruption. Too often this is thought
of as the responsibility of the compliance or legal departments. But
fighting fraud is critical to the bottom line. That is, effective com-
pliance is good business because it reduces waste and improves
profit. I can hear the groans and see the eye-rolling. But it is true.
Every pound, euro or dollar spent on a bribe or stolen by fraud is
taken from the corporation’s bottom line. Compliance should not
be synonymous with bureaucracy; it should be an effective pro-
gramme to maximise the return for shareholders.
Sallaway: Improving controls should always start with a risk as-
sessment tailored to reflect the nature and business of the company.
This will involve at least identifying where, in terms of both sector
and geography, the company operates, as well as identifying those
business units most at risk of fraud, reviewing existing policies and
procedures, establishing the recruitment, vetting and training needs
of staff, and considering what information the board and senior ex-
ecutives need in order to manage risk. The end product should be a
policy that is as succinct as possible, accessible and easy to imple-
ment, backed up by training. Overly detailed or complex policies 8
The experience quite clearly is that clean
business is good business.
ROBERT N. SIKELLIS
9. ROUNDtable
www.financierworldwide.com | November 2016 FW | REPRINT
and procedures that are difficult to follow or which set unattainable
standards and are therefore ignored in practice are of little use.
Sikellis: The basics for such a system are the tone set by the top
management of a company, policies and controls around the key
risk areas, well developed training and mechanisms for the report-
ing and handling of potentially non-compliant behaviour. Supply
chain management is a major contributing factor to the sustainable
success of many companies. Legal compliance and sustainability
should be considered a primary duty, and suppliers should be held
to that same standard.
Grantham: Pre-appointment due diligence and proactive reviews
often represent best practices in the defence against possible fraud
and corruption violations. Meaningful due diligence on prospective
suppliers, partners and customers, before entering into a transac-
tion, can give a company greater clarity about who they are doing
business with. Once prospective parties are appointed, proactive
reviews using data analytics across books and records can help to
identify potential vulnerabilities and risks, which could result in
damaging financial or reputational harm if undetected.
Robertson: The key is to begin with a comprehensive risk assess-
ment that takes into account factors such as the size of the business,
its sector and the countries in which it operates. Due diligence is
key – it is essential to know who you are doing business with and
to fully understand the nature of that relationship.
Ratley: How important are internal training programmes to a
successful compliance programme?
Zimiles: Effective communication of a compliance programme’s
requirements is essential and should convey the ‘tone at the top’
and cascade throughout the organisation. A training programme
should provide all employees with an understanding of the compa-
ny’s policies, procedures, processes and controls and how they are
designed to ensure compliance with the law and regulatory expec-
tations. Training, however, should not be ‘one size fits all’– rather,
it should be tailored to the audience.
Grantham: Training is key. It is important for companies to en-
sure that training is not just seen as a box that needs to be checked
as part of a compliance programme checklist. Employees need to
learn the importance of compliance, and that it is the responsibility
of each member of the organisation, no matter what position they
hold. Training can also help set the ‘tone from the top’as it allows a
company to demonstrate to its workforce that they are taking their
compliance obligations seriously. However, as with all elements
of an effective compliance programme, training materials should
be updated on a regular basis to ensure the content remains current
and relevant, given developments within the company’s industry
and the regulatory landscape.
Sikellis: Regular training sessions are indispensible to a successful
compliance programme and their importance to creating a strong
compliance culture cannot be understated. We take training very
seriously and are constantly reminded to ‘do the right thing’. But
this message is not presented in a vacuum or in dogmatic fashion.
Rather, by acknowledging the workplace pressures to perform and
through the use of real-world examples – including those where
employees have not acted consistent with the company’s values
– the training becomes particularised to the business, resonates bet-
ter with employees, and provides meaningful guidance on a practi-
cal level.
Carr-Howard: Internal compliance training is a fact of life in
the modern multinational. And there is a place for online train-
ing, evaluation and record keeping. It is not merely a ‘check the
box’ exercise designed to document that each employee was told
the rules of the road, though that is part of it. The key is to target
the training subject and manner to the audience to ensure engage-
ment and understanding. Too often, training it is viewed by both
the presenter and the audience as a lecture, not a discussion. But
real engagement comes from the opportunity to talk about what is
happening in the field and how the compliance rules and the laws
to fight fraud impact that conduct. Training can only prevent mis-
conduct when it is understood and it is only effectively understood
and internalised when it is discussed.
Sallaway: Training is absolutely key to successful policy imple-
mentation. In the post-financial crisis world, boards need to un-
derstand what regulators and governments are trying to achieve
– namely, higher standards of corporate integrity. Companies need
to reflect those aims by building strong internal cultures that mini-
mise risk while also enabling growth. Global buy-in to that culture
is central to a successful compliance programme. CEOs need to
communicate their personal values to their companies, and boards
need to convince employees that they want them to behave com-
pliantly, rather than simply giving the appearance of doing so. In-
ternal training programmes are a real opportunity to propagate and
reinforce the company’s compliance culture, which is particularly
important in multinational companies where local norms may re-
quire reconciliation.
Robertson: Training programmes are important for two reasons.
Firstly, they are important in establishing ‘tone from the top’. Sec-
ondly, they are an important demonstration of the systems and con-
trols that a company needs to establish a defence to the section 7
offence in the Bribery Act covering failure of a corporate organisa-
tion to prevent bribery.
Matthews: Internal training programmes are important for two
reasons: firstly, imparting knowledge and informing staff of policy,
procedures and consequences, and secondly, demonstrating that
‘adequate procedures’ were in place should an incident occur. Of
course, training programmes need to be culturally effective, em-
phasising zero tolerance. The training needs to be spearheaded
from senior management and permeate throughout the organisa-
tion. The best training programmes are dynamic and up-to-date,
for example drawing on topical events and news items, or recent
developments in the business itself, rather than relying on more 8
Training can only prevent misconduct
when it is understood and it is only
effectively understood and internalised
when it is discussed.
MAXWELL CARR-HOWARD
10. ROUNDtable
REPRINT | FW November 2016 | www.financierworldwide.com
staid annual sessions alone.
Andres: Training is a cornerstone of any successful compliance
programme. State-of-the-art policies and procedures lose meaning
if they are not understood by those expected to implement them.As
seen in the DOJ’s 2012 decision not to charge Morgan Stanley with
FCPA violations despite charging one of its executives, a robust
anticorruption compliance programme that features varied and fre-
quent training can protect a company from liability for misconduct
of rogue employees.
Ratley: How have whistleblower protection laws and related
regulations affected the way companies manage and respond to
fraud? Is enough work being done to ensure that whistleblow-
ing is adequately encouraged?
Sallaway: The regulatory climate is increasingly favourable to
whistleblowers. Guidance for employers issued by the Depart-
ment for Business, Innovation and Skills in March 2015, for
example, promotes an open culture in which employees are not
only protected, but are actively encouraged to make disclosures.
Whistleblowers are also incentivised in a number of jurisdictions,
but this is itself a delicate area. Whistleblowers want protection
but if incentives are too attractive, there is a risk that the credibil-
ity of those who speak up may be impugned. In this environment,
companies are starting to implement comprehensive whistleblow-
ing policies.
Sikellis: A corporate compliance programme cannot successfully
manage risk without providing unfettered whistleblower protec-
tion. Regardless of the local legal or regulatory norms, whistle-
blowers should be given various means of reporting such as an
Ombudsman and an anonymous hotline, ensured anonymity dur-
ing all stages of a complaint from first reporting through closure
of any investigative process, and be shielded from retaliation. The
cornerstones of protection for a whistleblower are confidentially,
anonymity, ease of access to filing a complaint and zero tolerance
to retaliation.
Carr-Howard: Whistleblower protections are generally good
public policy. But they do create new incentives for individuals,
including those involved in wrongdoing who are concerned that
their misconduct has been or will be disclosed. Bounties that pro-
vide whistleblowers with a portion of the fines recovered or some
other financial reward create particular challenges to the internal
investigator and often can unintentionally warp the reporting of
facts. The best means to address these requirements and to enhance
compliance is to ensure true non-retaliation, full engagement of
the whistleblower by investigators, and, when possible, thought-
ful regular feedback to the whistleblower to ensure that they un-
derstand their concerns were heard and evaluated by independent
instigators.
Matthews: Clearly, the laws and related regulations are important,
but whistleblowers really need to believe that the process is truly
independent and safe. Whistleblowing is less of a focus in the UK
compared with other jurisdictions, partly because there are not the
same financial rewards; instead, whistleblowing relies on other
motivations.
Andres: Whistleblower protection is a constant issue. As regula-
tors increasingly rely on whistleblowers to root out corporate fraud
and misconduct – chair Mary Jo White called the SEC’s whistle-
blower programme a “game changer for the agency” in August
– those regulators are going to increasing lengths to ensure that
whistleblowers are encouraged to report potential violations and
are protected once they do so. Companies must regularly look at
whether their policies and procedures encourage employees to be
open and honest and, conversely, whether those policies might un-
intentionally have a potential chilling effect.
Zimiles: Andrew Ceresney, director of enforcement at the SEC,
recently stated that the SEC Whistleblower Program has had a
“transformational” impact on the enforcement programme. More
than 14,000 whistleblower tips from all 50 states and 95 foreign
countries have been received and significant financial rewards
have been paid out, including the first ever payment to a whistle-
blower in an FCPA related matter. In addition to the United States,
comprehensive whistleblower protection laws have been adopted
in more than a dozen countries and several other countries provide
more limited protections.
Grantham: The prevalence of whistleblowers varies significantly
between jurisdictions and industries. The US is leading the way
with the SEC’s well-established whistleblower programme, which,
since its inception, has seen a 30 percent growth in the number of
whistleblowers who have come forward. The success of this pro-
gramme is largely a result of the reward whistleblowers can receive
but can also be attributed to the protection afforded to those that
come forward. Over the past year, the SEC has demonstrated its
commitment to whistleblower protection by taking action against
companies which have imposed conditions on employees in an
attempt to discourage whistleblowing. In order to encourage em-
ployees to report misconduct internally, companies need to recog-
nise the value of implementing effective programmes, which take
tips seriously as well as ensuring anonymity can be provided to the
whistleblower.
Ratley: Could you highlight the main fraud-related risks that
can emerge from third-party relationships? What types of
third parties – such as suppliers, agents, intermediaries and
consultants – pose the greatest risks?
Matthews: The greatest risks include inadequate due diligence
and reduced vigilance towards third parties once they become
trusted, but without the same level of control as over internal par-
ties. Further risks include third-party access to corporate systems
and information, and over-reliance on the third party, especially in
a sector or region with which management is less familiar. Third
parties in physically remote locations pose increased risks, as do
those with autonomy to act as agent for the corporate, and those
Regulators are going to increasing
lengths to ensure that whistleblowers are
encouraged to report potential violations
and are protected once they do so.
GREG D. ANDRES
11. ROUNDtable
www.financierworldwide.com | November 2016 FW | REPRINT
handling cash. Controlling what the third party does and the access
the third party has within the company is integral to managing the
risk. Specifically, when considering business in other jurisdictions
with third-party vendors, a risk assessment should be performed
for each individual country and each vendor.
Sikellis: There are many possible risks associated with business
partners and third-party intermediaries. They include antitrust is-
sues such as collusion and price-fixing, along with disclosures
of external competitor information, FCPA concerns and facilita-
tion payments. In an effort to best manage these risks, companies
should employ a thorough vetting process during the selection of
third-parties. Compliance plays a critical role in supporting this
process by offering a systematic and risk-based approach, which is
guided by lessons and red flags from past cases. Even after selec-
tion, third-party relationships need to be monitored.
Grantham: The most serious risks posed by third parties are re-
lated to potential exposure to bribery and corruption violations, for
which the company could be held liable.Any third party could pres-
ent a potential risk to an organisation, which is why a meaningful
due diligence and onboarding process is a critical component of any
company’s compliance programme. It is important for companies
to fully understand whom they are doing business with in order to
reduce the risks of financial and reputational harm that may come
with them. An important component of effective due diligence is
that it is updated on a continual basis in order to detect any changes
of ownership or concerning media reports, which would trigger the
company to re-evaluate its relationship with the third party.
Andres: Companies should be aware of the particular risks of the
regions where they operate. Business dealings in countries with
documented corruption issues warrant additional scrutiny, no mat-
ter how remote the connection between the company and govern-
ment officials or other parties. Simultaneously, companies must
ensure that their systems adequately protect information and data.
Material non-public information that leaks outside of the company
can put an organisation at risk for insider trading violations, while
gaps in data security and other issues expose corporations – and
their clients – to hacking and cyber crime.
Carr-Howard: All business partners pose risk which is why com-
pliance officers have so much anxiety about them. But not all third-
parties pose the same level of risk. Indeed, many pose very little
risk, such as the supplier of your paper stock. Understanding which
suppliers pose the greatest risk is fairly simple and focusing on
them reduces your risk and your compliance costs. Those who have
the authority to act on your behalf and those who provide you with
information upon which you base your decisions pose the most seri-
ous risk and the greatest direct threat for liability. As your alter-ego
or the source of your decision making, they can dramatically impact
your liability by taking actions that will be viewed as yours or they
can provide you with such a limited view of critical information that
you take a decision that creates liability you would have recognised
if you had the full picture. Ensuring you fully vet and supervise
these partners can dramatically reduce your compliance risk.
Zimiles: The majority of bribery-related enforcement actions
brought by regulators involve improper payments facilitated
through third-party intermediaries. Third-parties with government
touch points in high risk geographies present the greatest risk to a
global company and a question that should be asked at the outset
is whether there is a valid business purpose for the third-party’s
services. If there is no valid business purpose, that is a major red
flag. If the answer to that threshold question is yes, risk-based due
diligence to identify and assess the nature and scope of the specific
risks presented by the third-party should be conducted.
Sallaway: This issue very much depends on the business and sec-
tor. When dealing with agents and intermediaries, a key risk area is
bribery and corruption. With suppliers, the risks include overcharg-
ing and the payment of kick-backs to staff responsible for award-
ing contracts or managing the relationship. However, these risks
should be capable of mitigation, and perhaps more readily than the
risks associated with agents and intermediaries, through the use of
regular competitive tenders and because, absent a monopoly situ-
ation, the price for goods or services can be benchmarked against
the market.
Ratley: If a company finds itself subject to a government inves-
tigation or dawn raid, how should it respond? Furthermore, to
what lengths should the company go to aid an investigation?
Carr-Howard: The traditional answer is to cooperate. And coop-
eration is key to successfully resolving government investigations
and dawn raids. But cooperation does not mean capitulation. Upon
learning of the inquiry or the raid, the most important thing to do
is to establish a direct line of communication limited to one or two
persons, preferably a lawyer on the company side. This will help
avoid contradictory responses, begin to develop a level of trust
between the government agency and the company, and create an
opportunity for proactive communication as more details of the
concerns are disclosed. It will also ensure prompt and effective
responses to any requests from the government and give the com-
pany a clear understanding of the full scope of the inquiry.
Sikellis: Within many countries, the risk-reward analysis for self-
disclosure is continually evolving. Should companies cooperate
when there is no perceived benefit? What about if there is a pos-
sible detriment, such as the possibility of prosecution that would
not exist but for the self-disclosure? Companies that voluntarily
self-disclose not only face uncertainty with authorities in many
countries, but there is also the potential for negative media cover-
age and public reactions because it is not always understood that
‘cleaning up’ is a good sign for a functioning compliance system.
Stronger support from the public sector is needed in these areas.
Andres: When a company finds itself subject to an investigation,
the most important issue is to maintain open lines of communica-
tion with its regulators. Transparency and a good working relation-
ship with government investigators can help prevent surprises by 8
The most serious risks posed by
third parties are related to potential
exposure to bribery and corruption
violations, for which the company could
be held liable.
ANDREW GRANTHAM
12. ROUNDtable
REPRINT | FW November 2016 | www.financierworldwide.com
regulators, allow companies and agencies to tailor investigations
to the particular issues, and secure cooperation credit in the event
of a resolution.
Grantham: My first piece of advice would be to involve legal
counsel and at an early stage of an investigation. I would also rec-
ommend issuing a document preservation notice, as destruction of
potentially relevant documents is an offence that could make a bad
situation even worse. Recently, regulators have indicated that the
level of cooperation provided to investigators can have a conse-
quential impact on the ultimate penalties imposed. Cooperation in
the early stages of an investigation can therefore be critical.
Zimiles: Mistakes made early on in a government investigation
can have costly and far reaching consequences, thus it is important
to have a protocol in place to ensure that counsel is contacted im-
mediately in the event of a dawn raid or the receipt of a subpoena.
In each case, the facts and circumstances will drive the specific re-
sponse, but considerations should include document and electronic
data preservation, public disclosure requirements, and whether
separate counsel is required for officers and employees. With the
Yates Memo and DOJ FCPA Pilot Program pronouncements, full
cooperation with the government and remediation of the compa-
ny’s compliance programme can lead to significant reductions in
fines and also DPAs and NPAs. In the UK, DPAs are now a pos-
sibility as well for companies that cooperate and reform.
Sallaway: The company’s first step should be to assemble its core
team – both internal and, if necessary, external lawyers, and con-
stituents from the key internal departments within the company. In
a raid situation, officials should be dealt with cooperatively, but the
company should not answer any substantive questions or hand over
any documents without first consulting its lawyers. More gener-
ally, cooperation in the course of investigations is important. There
are often mandatory cooperation requirements, but even if not,
having an open and engaged approach may mean that a company
avoids a formal investigation from being opened, avoids criminal
charges from being brought, or receives a lesser fine or charge than
if they had not cooperated. Companies also need to think about
their strategic response to investigations, particularly where mul-
tiple jurisdictions and hence multiple authorities may be involved,
as is increasingly the case.
Matthews: An incident response plan is an important part of a
comprehensive compliance and corporate governance programme.
This should outline who would be mobilised and their responsibili-
ties, dealing with matters like escalation, privilege, internal com-
munications, document retention, public relations and coordination
with regulators or law enforcement. It is also worth considering
‘on call’ arrangements with external advisers such as lawyers or
investigative accountants. It is worth remembering that the investi-
gation or dawn raid may be groundless, but not before the publicity
has caused damage. Cooperation will depend partly on statutory
and regulatory obligations, but deliberately obstructive or delaying
behaviour is never to be advised. There can be benefits all round in
retaining some control in the early-stages of an enquiry to under-
stand what, if anything, happened and how.
Ratley: What final piece of advice can you give to companies
in terms of implementing a sophisticated and effective compli-
ance programme?
Grantham: It is important that leadership embrace compliance so
that there may be an appropriate ‘tone from the top’ and culture of
compliance within the organisation. Without endorsement from the
senior leadership team, even the most effective compliance pro-
grammes may fail to achieve their desired objectives: protecting
the organisation from fraud and other risks and the potential dam-
age that may come about as a result of them.
Andres: A sophisticated and effective compliance programme is
one that permeates the company’s culture. Employees at all lev-
els should view compliance as their responsibility and compliance
controls should be embedded throughout a company’s operations.
That said, even the best compliance programme will, at times, be
violated. When that happens, learn what went wrong, remediate
meaningfully and consider self-disclosure and full cooperation
with regulators.
Sallaway: Corporate culture and leadership are absolutely key.
Boards are best protected from liability if they implement a com-
pliance programme that has their strong support and which reflects
their personal values and where employees understand and promote
those cultures. To be really effective, a compliance programme
needs to be more than just words – it needs to reflect the core cul-
ture of the company, and to impress upon employees their role in
promoting and upholding that culture. Of course, a company’s
compliance culture and policies need to be supported by robust
systems and controls, and rogue employees will always be able to
circumvent even the most sophisticated systems and controls.
Zimiles: Senior executives must clearly demonstrate they take
compliance seriously and convey that priority to their subordinates.
Executives should demonstrate there is a strong culture of compli-
ance within the organisation. Leadership should actively support
and understand compliance efforts, ensure compliance interests
are not compromised by the revenue interests of the organisation,
share relevant information up and down and across the organisa-
tion, provide adequate resources in terms of numbers and qualifica-
tions which are dedicated and trained to compliance, and identify
and assess the controls that are in place to mitigate those risks.
Matthews: Companies should involve senior management, and
the programmes should be risk based, and seen to be reasonable
and proportionate for the business, with an audit trail for decisions.
The programmes should aim to change behaviour through culture
not compulsion. Unless employees ‘buy in’ to the programme and
the controls are reasonable, they will find ways around them.
Sikellis: Without backing and support from the upper echelons
of management, a compliance programme will forever be handi-
capped, unable to implement even the most basic policies. To that
end, compliance cannot only exist in the breaths and words of man-
agement, but it must also live in acts of the whole company to be
truly successful.
Carr-Howard: Just as your business is constantly evolving and
growing, so too is the risk of fraud and corruption. Keeping an
eye on the risk of fraud goes hand-in-hand with your most basic
mission: keeping an eye on the bottom line. Just as you must be
dynamic in your response to the marketplace, you must be dynamic
in your response to the risk of fraud and corruption. Though fraud
is simply a lie and transparency is its simple cure, it is easy to be
lulled into compliancy by grand promises or distraction. Compli-
ance must remain at the forefront if the bottom line is to be pro-
tected.
