www.riskandcompliancemagazine.com
APR-JUN 2019
Risk & Compliance
Inside this issue:
FEATURE
IT disaster recovery planning
EXPERT FORUM
Risk, culture and ethics assessments to stress test compliance programmes
HOT TOPIC
Impact of CFIUS reforms for PE houses
RISK & COMPLIANCE Apr-Jun 2019 3
CONTENTS
FOREWORD
FEATURE
IT disaster recovery planning
FEATURE
Analysing and improving internal investigations
EDITORIAL PARTNERS
EXPERT FORUM
Risk, culture and ethics assessments to stress test compliance programmes (The Ethics & Compliance Initiative; A.P. Moeller-Maersk; Novartis International AG; Zinser, Esponda y Gomez Mont, Abogados)
PERSPECTIVES
Crisis and the protective power of trust (Edelman Intelligence)
MINI-ROUNDTABLE
Advanced technology for compliance (FTI Consulting)
ONE-ON-ONE INTERVIEW
Compliance risks and considerations for family offices (Acuris Risk Intelligence)
MINI-ROUNDTABLE
Managing trade compliance screening (Nasdaq)
PERSPECTIVES
Data privacy and the IS auditor (ISACA Pune Chapter)
ONE-ON-ONE INTERVIEW
Building a sustainable programme around data privacy (SAI Global)
MINI-ROUNDTABLE
Asset-liability management (ALM) in the concept of stress testing (SAS)
Editor: Mark Williams
Associate Editor: Fraser Tennant
Associate Editor: Richard Summerfield
Publisher: Peter Livingstone
Publisher: James Spavin
Production: Mark Truman
Design: Karen Watkins
Risk & Compliance
Published by Financier Worldwide Ltd
23rd Floor, Alpha Tower
Suffolk Street, Queensway
Birmingham B1 1TT
United Kingdom
+44 (0)845 345 0456
riskandcompliance@financierworldwide.com
www.riskandcompliancemagazine.com
ISSN: 2056-8975 © 2019 FINANCIER WORLDWIDE LTD
All rights reserved. No part of this publication may be copied, reproduced, transmitted or held in a retrievable system without the written permission of the publishers. Whilst every effort is made to ensure the accuracy of all material published in Financier Worldwide, the publishers accept no responsibility for any errors or omissions, nor for any claims made as a result of such errors or omissions. Views expressed by contributors are not necessarily those of the publishers. Any statements expressed by professionals in this publication are understood to be general opinions and should not be relied upon as legal or financial advice. Opinions expressed herein do not necessarily represent the views of the author’s firms or clients. Financier Worldwide reserves full rights of international use of all published materials and all material is protected by copyright. Financier Worldwide retains the right to reprint any or all editorial material for promotional or nonprofit use, with credit given.
MINI-ROUNDTABLE
Insurers – preparing for IFRS 17 (KPMG; SAS)
MINI-ROUNDTABLE
Segmentation and AI in AML alerts (Navigant)
PERSPECTIVES
Ensuring the future of audit (ICSA: The Governance Institute)
MINI-ROUNDTABLE
Audit committee disclosures (Crowe Global)
PERSPECTIVES
General counsel has quickly become the vigilant sentinel of reputation risk and the corporate conscience (Edelman)
ONE-ON-ONE INTERVIEW
CCOs: managing responsibilities and liability risks (Zinser, Esponda y Gomez Mont, Abogados)
PERSPECTIVES
You may never be free of liability from old conduct, if the SEC has its way (Jenner & Block LLP)
PERSPECTIVES
Role of risk culture in effective implementation of risk governance (Indian School of Business (ISB))
MINI-ROUNDTABLE
Automated third-party risk assessment (KPMG)
PERSPECTIVES
Protecting the crown jewels: a guide to safeguarding trade secrets and confidential business information (Fisher Phillips)
PERSPECTIVES
Compliance with the evolving US sanctions and export control laws (Venable LLP)
PERSPECTIVES
A wave of export regulation to hit US technologies (Sheppard, Mullin, Richter & Hampton)
PERSPECTIVES
Artificial intelligence and competition (Clifford Chance)
ONE-ON-ONE INTERVIEW
Compliance considerations for marijuana businesses (Acuris Risk Intelligence)
PERSPECTIVES
The shortage of fuels in Mexico – managing crisis and compliance (ScottHulse PC)
HOT TOPIC
Impact of CFIUS reforms for PE houses (Dechert LLP; Mayer Brown LLP; Skadden, Arps, Slate, Meagher & Flom LLP)
FOREWORD
– Editor
Welcome to the twenty-sixth issue of Risk & Compliance, an e-magazine dedicated to the latest
developments in corporate risk management and regulatory
compliance. Published quarterly by Financier Worldwide, Risk &
Compliance draws on the experience and expertise of leading
experts in the field to deliver insight on the myriad risks facing
global companies, the insurance solutions available to mitigate
them, and the in-house processes and controls companies must
adopt to manage them.
In this issue we present features on IT disaster recovery
planning and on improving internal investigations. We also
look at: stress testing compliance programmes; advanced
technology for compliance; compliance risks for family offices;
trade compliance screening; sustainable programmes for data
privacy; asset-liability management (ALM); preparing for IFRS 17;
segmentation and AI in AML alerts; audit committee disclosures;
responsibilities and liability risks for CCOs; automated third-party
risk assessment; compliance considerations for marijuana
businesses; the impact of CFIUS reforms on PE houses; and more.
Thanks go to our esteemed editorial partners for their valued
contribution: Acuris Risk Intelligence; Crowe; Edelman; FTI
Consulting; KPMG; Nasdaq; Navigant Consulting; SAI Global;
SAS; Zinser, Esponda and Gómez Mont; ICSA: The Governance
Institute; and ISACA.
FEATURE
IT DISASTER RECOVERY PLANNING
BY RICHARD SUMMERFIELD
When a company suffers an outage that
takes down essential systems, including
IT, the importance of disaster recovery
planning becomes immediately apparent.
Disaster recovery can help companies get vital
systems back up and running and reduce the
financial and reputational cost of any downtime
experienced. A successful plan will have realistic
and attainable objectives based on the business’s
needs. This requires meticulous preparation,
from undergoing a business impact analysis, to
understanding and quantifying the company’s risks,
to classifying and prioritising data for recoverability.
Although, according to the Allianz ‘Risk Barometer:
Top Business Risks for 2018’ survey, 42 percent of
companies of all sizes named business interruption
as the most important risk they faced, a large
number are insufficiently prepared for an outage and
thus may suffer the consequences.
However, as IT becomes more integral to
protecting business value, attitudes will need to
change. Retaining and attracting customers following
a poorly-handled outage can be very difficult,
especially if trust has been lost.
Planning for the future, learning from the past
While it is impossible for companies to prepare
for every potential threat, they can put adequate
response mechanisms in place. IT disaster recovery
plans must be drawn up within overall business
continuity plans, and companies must understand
their priorities and recovery times. These objectives
should be set out during the business impact
analysis. Strategies should be developed to restore
hardware, applications and data necessary to
achieve business recovery.
IT disaster recovery planning has quickly
ascended the corporate agenda. This is partly due
to the increasing sophistication of cyber criminals
and the frequency of their attacks. According to
SonicWall, the number of cyber attacks across the
world rose by 18 percent year on year in 2017.
In addition, natural disasters appear to be more
common. According to the Centre for Research on
the Epidemiology of Disasters, the number of flood
and storm catastrophes has risen by 7.4 percent
annually in recent decades. Other risk factors, such
as human error or terrorist attacks, are further cause
for concern. Companies must consider the complete
spectrum of ‘potential interrupters’ when recovery
planning.
The financial case is compelling. According to
Gartner, the average cost of IT downtime is $5600
per minute, or more than $300,000 per hour. For
large organisations, that cost can exceed $500,000.
Furthermore, according to Appdynamics, in 2017,
organisations were losing an average of $100,000
for every hour of downtime on their websites. When
one considers the impact of some disasters –
Hurricane Rita in 2005 caused 384 hours of outages
and Hurricane Sandy in 2012 caused 337 hours of
outages, for example – companies cannot afford to
neglect recovery plans.
Companies must prepare their employees for the
worst, as well as members of their supply chain.
“Contingency planning and training should be part
of the day-to-day priorities of a business,” says
Mark Adair, a partner at Mason Hayes & Curran.
“From a legal perspective, it is important that the
disaster recovery and business continuity roles
and obligations on the customer and supplier are
described with clarity in the services contract. Some
of the most important initial considerations are how
the contract defines what constitutes a ‘disaster’
and what functional areas of the organisation the
disaster recovery or business continuity plan is
stated as applying to. Good planning should apply to
everything from a disaster that wipes out an entire
data centre, right down to the unavailability of a
single server.”
Part of drawing up a sound disaster recovery plan
is learning from failures. Mistakes can compromise
the recovery process and cost millions. Lengthy
and embarrassing IT outages can offer important
lessons. “A good take away point from major system
failures, such as the one that crippled British Airways
in 2017, is that having recovery systems which are
purely a tick-box capability, rather than ensuring
that recovery systems have been thoroughly tested,
is very much a false economy,” says Chris Bates,
a partner at Ashurst. “That being said, much time
and expense can be saved where disaster recovery
is automated, thereby ensuring that the disaster
recovery procedures activate automatically in the
event of a failure, minimising impact,” he explains.
Asset prioritisation and recovery
Prior to an outage, companies must consider how
they are going to protect and recover vital assets.
If they do not have a detailed inventory of IT assets
– both tangible and intangible – creating one is the
first step.
The next is to back up data. Disaster Recovery
as a Service (DRaaS) solutions provide access to
virtual backups and infrastructure in the cloud in
the event of a disaster. Many companies are also
utilising hybrid cloud strategies to provide additional
security measures. Rather than storing all key data
on-premises or with a cloud provider only, a hybrid
strategy can be a simple and affordable alternative.
The efficiencies and scale of cloud infrastructure have
changed disaster recovery. “Many enterprises now
have the cloud, and cloud providers, at the heart
of their disaster recovery plans,” explains Matthew
Bennett, a partner at CMS. “More interestingly,
as more production systems are being hosted in
the cloud, disaster recovery is becoming baked
into enterprise IT architecture rather than being a
component on the side.”
Asset management and the approach companies
take to it can determine the success of a disaster
recovery process. “Assets to be prioritised in disaster
recovery planning will depend largely on the nature
of the business and what assets are critical to the
functioning of that business,” says Mr Bates. “A
risk-based approach to prioritisation on a case-by-case basis is clearly the most sensible way to assess this, however, generally speaking, the key assets will be those with direct customer interaction or those which are core to the execution of a service offering.”
Importance of insurance solutions
As part of their disaster recovery
preparations, many companies are
arranging business interruption
insurance. “This can be a helpful way
to help mitigate the damage an incident causes and
may fill certain gaps,” says Mr Adair. Insurance can
act as a financial catalyst to help get organisations
back up and running. The policy should consider
the different types of disaster which may befall a
company, and provide coverage for each. Regular
asset inventory reviews are needed to ensure assets get
the right protection.
“Business interruption insurance covers a
business’ net income and the normal expenses in
the restoration period following a disaster,” explains
Mr Bates. “IT is critical to the operations of most
businesses today and therefore any IT failures that
affect the functioning of the business will need to
be covered by insurance. However, such insurance
will not typically cover customer liability issues, so
ensuring the priority of systems required for service
continuity is key. Due to the increasing risk of cyber
attack, business interruption insurance as a subset
of a portfolio of cyber insurances has evolved
significantly over recent years. Businesses now must
clearly identify and understand high impact cyber
business interruption scenarios in order to secure
the appropriate cover for these situations.”
However, insurance is just one element of disaster
recovery and does not replace risk assessment,
planning and training.
Regulatory developments
Regulatory developments are also influencing
disaster recovery planning. The European Union’s
(EU’s) General Data Protection Regulation (GDPR)
is having a profound impact. Given the financial
penalties companies may face under GDPR, recovery
plans must be compliant. Companies need to
demonstrate that the security, availability, recovery
and testing of their IT systems are of an adequate
standard to ensure timely and effective recovery
without risk to the confidentiality and integrity of
a consumer’s personal information. Failure to do
so could have serious financial and reputational
consequences.
“The GDPR applies to both primary systems and
recovery and backup systems,” notes Mr Adair.
“Companies must look at the type of data they are
backing up. If dealing with any personal data, which
is broadly defined, special care must be taken. Under
the GDPR, organisations have to ensure the ongoing
integrity, availability and resilience of systems and
be able to restore the availability and access to
personal data in the event of a physical or technical
incident. For EU organisations, if a vendor is storing
backups containing personal data on a server
located outside the European Economic Area, the
parties may fall foul of regulators in the absence of
completing the necessary GDPR paperwork.”
Disaster recovery planners should also consider
the impact of the new EU Network and Information
Systems Directive (NIS Directive), which requires
operators of critical infrastructure and digital service
providers to take appropriate measures to prevent
and minimise the impact of incidents to ensure
continuity of their operations.
These regulatory changes are indicative of
the future of IT disaster recovery. Technological
advances will also reshape the process in the
coming years, much like managed services and
cloud-based recovery products have improved
resilience and response processes.
Test, test, test
Going forward, companies will make mistakes with
disaster recovery. Whether it is making the wrong
decision at the wrong time, failing to test recovery
processes or ignoring disaster recovery solutions
entirely, companies will be susceptible to costly
and embarrassing outages. The design of a disaster
recovery plan can mitigate such failures, but only
if it has been put through its paces. “Testing needs
to encompass technical systems and enterprise
rehearsal,” says Mr Bates. “The involvement of
employees is crucial and this needs to be from all
parts of the enterprise, not just IT. Rehearsals should
try to emulate previously untested threats, as well as
the more obvious scenarios. There could always be
unexpected events and it will be how the people in
an organisation react and work together in the face
of that which will determine success,” he adds.
Members of the C-suite must also embrace the
need to change with the times, however. This will
require sufficient, managed investment in disaster
recovery planning and preparation to overcome
disasters, both natural and man-made. RC&
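The article's sequence of inventory the assets, set recovery priorities, back up, and then rehearse the recovery is easy to state and easy to let drift. As an added example (not code from the article or from any of the firms quoted in it), the Python below checks a constructed asset inventory against a constructed backup log and restore-rehearsal record. It uses the standard recovery objectives the feature refers to as "priorities and recovery times": RPO (recovery point objective, the maximum tolerable data loss, expressed here in hours since the last good backup) and RTO (recovery time objective, the maximum tolerable outage). It also flags a backup of personal data held outside the EEA, the GDPR point Mr Adair raises. All asset names, region labels, log lines and thresholds are assumptions constructed for the example.

```python
"""Check a DR plan's backups and restore rehearsals against recovery objectives.

Added example: inventory, log lines, region names and the 90-day rehearsal
window are all constructed assumptions, not data from the article.
"""
from datetime import datetime, timedelta

# Region labels we treat as inside the EEA for the GDPR check (assumed names).
EEA_LOCATIONS = {"eu-west", "eu-central"}

# Constructed asset inventory: tier, RPO and RTO in hours, set by the business
# impact analysis (hypothetical values).
INVENTORY = [
    {"asset": "customer-portal-db", "tier": 1, "rpo_hours": 1, "rto_hours": 4},
    {"asset": "order-api", "tier": 1, "rpo_hours": 4, "rto_hours": 8},
    {"asset": "hr-fileshare", "tier": 2, "rpo_hours": 24, "rto_hours": 48},
    {"asset": "wiki", "tier": 3, "rpo_hours": 72, "rto_hours": 168},
]

# Constructed backup log: "<ISO time> <asset> <ok|failed> <location> <pii|nopii>".
BACKUP_LOG = """\
2019-04-01T11:30:00 customer-portal-db ok eu-west pii
2019-04-01T11:45:00 customer-portal-db failed eu-west pii
2019-04-01T06:10:00 order-api ok eu-west nopii
2019-03-30T22:00:00 hr-fileshare ok us-east pii
2019-03-31T01:00:00 wiki ok eu-west nopii
"""

# Constructed rehearsal record: asset -> (last successful restore test, hours it took).
RESTORE_TESTS = {
    "customer-portal-db": ("2019-03-15T09:00:00", 3.5),
    "order-api": ("2018-09-01T09:00:00", 6.0),
    "hr-fileshare": ("2019-03-20T09:00:00", 60.0),
    "wiki": ("2019-02-01T09:00:00", 20.0),
}

NOW = datetime(2019, 4, 1, 12, 0, 0)  # fixed "now" so the example is reproducible


def parse_backup_log(text):
    """Turn the constructed log lines into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        when, asset, result, location, pii = parts
        records.append({
            "when": datetime.fromisoformat(when),
            "asset": asset,
            "ok": result == "ok",
            "location": location,
            "pii": pii == "pii",
        })
    return records


def latest_good_backup(records, asset):
    """Most recent *successful* backup of the asset, or None. Failed runs do not count."""
    good = [r for r in records if r["asset"] == asset and r["ok"]]
    return max(good, key=lambda r: r["when"]) if good else None


def check_plan(inventory, records, restore_tests, now, max_test_age_days=90):
    """Return {asset: [findings]}; an empty list means the asset passes every check."""
    report = {}
    for item in inventory:
        asset, findings = item["asset"], []
        last = latest_good_backup(records, asset)
        if last is None:
            findings.append("no_successful_backup")
        else:
            age_hours = (now - last["when"]).total_seconds() / 3600
            if age_hours > item["rpo_hours"]:
                findings.append("rpo_breach")          # data loss would exceed RPO
            if last["pii"] and last["location"] not in EEA_LOCATIONS:
                findings.append("pii_outside_eea")     # GDPR transfer question
        test = restore_tests.get(asset)
        if test is None:
            findings.append("restore_test_missing")    # backup never proven restorable
        else:
            tested_at, hours_taken = test
            if now - datetime.fromisoformat(tested_at) > timedelta(days=max_test_age_days):
                findings.append("restore_test_stale")
            if hours_taken > item["rto_hours"]:
                findings.append("rto_breach")          # rehearsal took longer than RTO
        report[asset] = findings
    return report


if __name__ == "__main__":
    for asset, findings in check_plan(INVENTORY, parse_backup_log(BACKUP_LOG),
                                      RESTORE_TESTS, NOW).items():
        print(f"{asset:20} {'OK' if not findings else ', '.join(findings)}")
```

Run as a scheduled job against a real inventory and backup catalogue, the script turns "test, test, test" into a standing control: a tier-1 system whose last rehearsal is older than the window, or whose rehearsal took longer than its RTO, is reported before an outage reveals it. The tick-box failure mode Mr Bates describes is precisely a backup that exists but has never been shown to restore in time.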
FEATURE
ANALYSING AND IMPROVING INTERNAL INVESTIGATIONS
BY FRASER TENNANT
An investigation should never be initiated on a
whim. But in a scenario where an allegation
of wrongdoing has been made, a company
needs to launch an investigation as swiftly as
possible, with an internal inquiry often the first port
of call.
Once an internal investigation is underway
– perhaps as a result of allegations of bribery,
sabotage, embezzlement, tax fraud, insider trading,
antitrust collusion, workplace assault, environmental
crimes, audit and accounting fraud or conflicts
of interest – how it is conducted is of paramount
importance, given there is always the potential for
it to become an expensive and time-consuming
endeavour.
To help ensure careful and discreet handling,
appropriate investigatory models are required
to coordinate those involved in an investigation,
such as employees, internal counsel and forensic
accountants, so that a speedy and satisfactory
conclusion can be reached. Moreover, depending on
the gravity of the allegation, the stakes may be high,
so an investigation needs to be streamlined in order
to reduce disruption to operations.
“Companies launch internal investigations for a
number of reasons, but rarely is it due to a single
event, unless identified as being so serious as to
suggest a systemic failing that would be uncovered
by an investigation,” explains Craig Weston, a
senior associate barrister at Irwin Mitchell LLP.
“Investigations are launched into subject matter
across the breadth of a business, from regulatory
breaches to employment matters to payment and
invoicing anomalies and allegations of criminal
conduct.
“A common trigger for an internal investigation is
a confidential report to a whistleblowing hotline, the
use of which is often written into company policies
such as modern slavery, bribery, harassment at
work, and health and safety policies,” he continues.
“Companies usually investigate to ascertain and
mitigate their own liability. In recent years, we
have seen an increase in three particular areas
of investigation: sexual harassment, in no small
part due to the #MeToo movement, bribery and
corruption, and financial regulatory.”
In the view of Franziska Janorschke, global head of
the SpeakUp Office at Novartis, the primary purpose
of an internal investigation is to gather facts so
that a company can determine the pervasiveness
of the situation, the root cause of the issue and
to determine what steps the company can take
to prevent similar cases in future. “A proper and
successful internal investigation also allows a
company to assess its systems and controls, and to
develop an appropriate approach to measure and
address any deficiencies,” she says. “Thoughtful
and diligent fact-finding during the early steps of
an investigation may show that those suspected of
misconduct are not involved in any wrongdoing. This
can save you time and valuable resources and at the
same time protect an employee’s reputation.”
Models and priorities
Between deciding upon an investigation and it
physically getting underway is when an appropriate
investigatory model needs to be selected – a
decision driven by a number of factors, including
the availability and capacity of suitably trained
investigators, the precise nature of the issue,
ease of evidence retrieval, jurisdictional legal
requirements, and whether the allegation involves
senior management, such as board members. Also
a significant influence on the choice of model is the
extent to which a speedy resolution is required.
In the experience of Melissa S. Geller, a partner
at Duane Morris LLP, it is the investigation priorities
which control the investigation model. “An
investigation prompted by a subpoena may prioritise
document collection and review, whereas one
raised internally may prioritise secrecy,” she says.
“Too often, priorities are unspoken or glossed over,
resulting in miscommunication and misalignment. An
early discussion that sets the company’s priorities
ensures a solid foundation for good communication
and an orderly investigation. It also creates a
semi-formal understanding that encourages
further conversation should priorities shift as an
investigation evolves.”
According to Mr Weston, jurisdiction is another
key factor in how an investigation is conducted.
“Jurisdictional law, which is likely to cover the conduct, bears heavily on how to investigate,” he explains. “For example, if it is an employment matter, a company may want to conduct interviews with employees in a way that an employment tribunal can relate or would expect. If it is a bribery and corruption investigation, an investigation is likely to be conducted in a much more robust way.
“If the conduct occurred in a foreign jurisdiction,
a company will want to ensure that the way in
which the investigation is conducted is legal in that
jurisdiction, and that the way evidence is gathered
would be admissible in any litigious proceedings in
that jurisdiction,” he continues. “A particular issue in
recent years has been the difference in approach to
privilege between the US and the UK. As such, many
multinational companies have to decide where to
run the investigation from and whether to include
US lawyers, for example, to ensure protection over
privileged material from a US perspective.”
Pitfalls
Avoiding the pitfalls that accompany an internal investigation – such as inadequate investigation planning, a lack of documenting and preserving of evidence, unrealistic timelines, insufficient understanding of evidence collection limits, and an over-reliance on information provided by an alleger and witnesses – is essential, especially when airing a company’s dirty laundry, even internally, can have a severe impact on its reputation and standing.
“One pitfall of internal investigations is ‘mission creep’,” says Ms Geller. “In today’s market, almost every investigation involves large amounts of documents, along with witness interviews, experts where necessary and, in some cases, government involvement. It can therefore be easy to lose sight of the central objective. A company launching an investigation should have clear goals and objectives developed in consultation with the company’s lawyers at the beginning of the investigation. If an investigation expands into another area, it should be done deliberately, after a full and complete analysis and in a controlled manner.”
In Mr Weston’s experience, companies often
investigate without proper scoping and planning. “A
good investigation should start with a considered
and well-thought-out plan, which includes setting up
a small investigation team and empowering them
to seek and receive legal advice by way of a board
resolution,” he explains. “A company should give the
investigation a project name, define the scope of the
investigation, create an email group for the project
team, consider the instruction of external legal
advisers, and communicate to all team members
that the matter under investigation is to remain
confidential and not be discussed outside the project
team. Also, it is important to preserve evidence and
ensure that no key documents are destroyed.”
Another pitfall that investigators must avoid is a failure to maintain an audit trail during an investigation, i.e., the decisions taken, the reasons for those decisions, and the documents and evidence upon which decisions were based. “A robust audit trail helps investigators engage meaningfully with regulators,” affirms Mr Weston. “Also, regulators and prosecutors have come to expect such audit trails and may criticise an investigation or treat it as a separate failing if such a trail is not present.”
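Mr Weston's advice comes down to two records: a project diary of decisions and their reasons, and preserved evidence that can be shown not to have changed since it was collected. The Python below is an added example, not code from the article or from Irwin Mitchell, of how a security team might keep both in one append-only log. The design choice to link each entry to the previous one by hash (so that an edited, reordered or deleted entry shows up when the chain is re-verified) is mine, not something the article prescribes; the project name, timestamps, participants and the sample e-mail bytes are constructed placeholders.

```python
"""Tamper-evident investigation diary: decisions, reasons and evidence fingerprints.

Added example with constructed data. Each entry stores the SHA-256 of the entry
before it, so the whole chain can be re-verified later (assumed design).
"""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor used as the "previous hash" of the first entry


class InvestigationLog:
    """Append-only project diary for one investigation."""

    def __init__(self, project_name):
        self.project = project_name
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys) so identical fields always hash identically.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, body):
        body["project"] = self.project
        body["seq"] = len(self.entries)
        body["prev"] = self.entries[-1]["hash"] if self.entries else GENESIS
        body["hash"] = self._digest(body)  # hash covers everything above, incl. prev
        self.entries.append(body)
        return body["hash"]

    def record_decision(self, at, who, decision, reason):
        """The decision taken and the reason for it, as the article recommends."""
        return self._append({"type": "decision", "at": at, "who": who,
                             "decision": decision, "reason": reason})

    def record_evidence(self, at, who, label, content):
        """Only the fingerprint of the evidence goes into the diary; the bytes are
        preserved separately and can be checked against this hash at any time."""
        return self._append({"type": "evidence", "at": at, "who": who, "label": label,
                             "sha256": hashlib.sha256(content).hexdigest(),
                             "size": len(content)})

    def evidence_matches(self, seq, content):
        """True if the preserved bytes still match the fingerprint recorded at seq."""
        entry = self.entries[seq]
        return (entry["type"] == "evidence"
                and entry["sha256"] == hashlib.sha256(content).hexdigest())

    def verify(self):
        """Walk the chain. Returns (True, None) or (False, seq of the first bad entry)."""
        prev = GENESIS
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != seq or entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return False, seq
            prev = entry["hash"]
        return True, None


# Constructed sample evidence (placeholder bytes, not a real message).
SAMPLE_EMAIL = b"From: sender@example.invalid\r\nSubject: invoice 4471\r\n\r\nPlease approve.\r\n"


def build_sample_log():
    """A three-entry diary for a hypothetical project, mirroring the article's steps."""
    log = InvestigationLog("PROJECT-PLACEHOLDER")
    log.record_decision("2019-04-01T09:00", "General Counsel",
                        "Open investigation under board resolution",
                        "Hotline report of invoicing anomalies")
    log.record_evidence("2019-04-01T10:30", "Forensic lead",
                        "Exported mailbox item", SAMPLE_EMAIL)
    log.record_decision("2019-04-02T14:00", "Investigation team",
                        "Instruct external counsel",
                        "Conduct spans US and UK; privilege position needed")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("evidence intact:", log.evidence_matches(1, SAMPLE_EMAIL))
    log.entries[0]["reason"] = "edited after the fact"
    print("after editing entry 0:", log.verify())  # chain breaks at seq 0
```

Writing the log to storage the project team cannot silently rewrite (for example, a write-once bucket, or a copy of each day's final hash held by external counsel) is what gives the chain its value: verification only proves that nothing changed since the last hash someone else witnessed.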
Coordinating parties
With multiple parties potentially
involved in an investigation – including
the alleger, the accused, witnesses,
senior management, external advisers,
regulators, as well as the investigation
team itself – coordinating their
contributions is a major challenge,
which requires a systematic approach.
David Herring, head of global
security at Novartis, believes such an
approach should be coordinated by an experienced
investigative lead, with dedicated support from
a team of multi-skilled and diverse investigators.
“Having an internal investigative team or capability
to conduct internal investigations enables company
management and directors to diligently fulfil their
duties and responsibilities and satisfy regulatory
expectations,” he asserts.
Similarly convinced as to the merits of a small,
dedicated team of investigators is Mr Weston.
“A company should use a small project team to
coordinate all of the various parties, from their
instruction to receiving the advice and work product,
and its wider dissemination, if appropriate,” he
suggests. “A project diary should also be kept with
access restricted to those identified as project team
members. If external lawyers are being used, I would
recommend that they coordinate external experts,
as it may help a claim of privilege over the work
product and communication and, similarly, when
conducting interviews with witnesses.
“We would also encourage thinking carefully about
the timeline and order of the witnesses and experts
you engage with,” he continues. “For example, does
your expert need material from witnesses that you
have not interviewed yet, or would you like to put
information material to one witness that you can
only get from another? Alternatively, do you want
to interview more junior people first and then more
senior people later?”
Ultimate success
So, when the dust settles, how should a company
measure the merits of its investigatory efforts?
Ultimately, what factors determine whether an
internal investigation has been successful?
“A successful internal investigation reaches an
answer, without alienating or panicking employees
or causing some other harm to a company,” believes
Ms Geller. “Internal investigations are usually
highly confidential and the timing of disclosure
to witnesses carefully controlled. But, people
increasingly communicate outside of email, using
text messages, social media and other platforms.
Often, the employee, not the company, controls
access to this data. Access to employee-held data
and employee privacy are key areas where the field
will evolve and continue to change over the next few
years. Therefore, all companies should have policies
about use of technology for company business that
addresses employee privacy.”
For his part, Mr Weston believes the coming years
will likely see an increase in the number of internal
investigations. “Companies will attempt to use an
internal investigation as a way of demonstrating they
are taking positive action, to placate employees or
to demonstrate cooperation and engagement with
a regulatory or criminal process. They also provide
an opportunity to companies to understand their
potential liabilities before they reach the point of
having to self-report or being outed by journalists,”
he adds.
In virtually any sphere, success can be a difficult
metric to measure. As far as an internal investigation
is concerned, the definition of success for one
company is different to another and very much
depends on the nature of the conduct being
investigated. That said, a successful internal
investigation is generally one that robustly identifies
unethical, illegal or unwanted conduct and prevents
it from ever happening again. RC&
EXPERT FORUM
RISK, CULTURE AND ETHICS ASSESSMENTS TO STRESS TEST COMPLIANCE PROGRAMMES
PANEL EXPERTS
Patricia J. Harned is chief executive officer of the Ethics & Compliance Initiative (ECI), America’s oldest non-profit in the ethics & compliance industry. ECI empowers organisations to build and sustain high-quality ethics & compliance programmes (HQPs). ECI is a research and membership organisation comprised by institutions across every sector, and each member organisation is dedicated to promoting the highest levels of integrity in their operations.
Alexander Ghazvinian is the chief compliance officer at A.P. Moeller-Maersk. He is experienced in designing and implementing ethics and compliance programmes and he specialises in anti-bribery compliance, competition law, export compliance and data protection. He has implemented compliance programmes in several companies and jurisdictions. He has led major multinational investigations and interacted with several regulators. He has special experience and knowledge of US Foreign Corrupt Practices Act (FCPA) and UK Bribery Act compliance related topics.
Klaus Moosmayer is chief ethics, risk and compliance officer and a member of the executive committee at Novartis. Mr Moosmayer previously was chief compliance officer of Siemens AG. He is chair of the Anti-Corruption Committee of the Business and Industry Advisory Committee at the Organization for Economic Co-operation and Development (OECD), co-founder and chair of the European Chief Compliance and Integrity Officers’ Forum, former co-chair of the B20 Integrity & Compliance Task Force under the G20 presidency of Argentina and former chair of the task force under the G20 presidency of Germany.
Alejandro Hernández Oseguera is a partner at Zinser, Esponda y Gomez Mont, Abogados. Having begun his career as an intern at Zinser in 2003, he is now a specialist in criminal proceedings, in local and federal matters, related to fiscal offences, financial crimes, crimes in the securities market, crimes in corporate matters and environmental offences, among others. He has also given his advice on various financial restructuring matters.
Alberto Zinser Cieslik specialises in complex white-collar crime investigations and criminal proceedings in both local and federal jurisdictions, and has had extensive experience in highly complex local and cross-border litigation. He has participated in multiple international extradition and mutual legal assistance treaty (MLAT) proceedings between Mexico and the US, Switzerland, France and Australia, among others. He has a Masters degree in Corporate Law, and has been a lecturer on Masters degree programmes and post graduate legal studies since 1998.
Patricia Harned
Chief Executive Officer
The Ethics & Compliance Initiative
T: +1 (571) 480 4426
Alexander Ghazvinian
Chief Compliance Officer
A.P. Moeller-Maersk
T: +45 33 63 33 63
Dr Klaus Moosmayer
Chief Ethics, Risk and Compliance Officer
Novartis International AG
T: +41 61 32 42247
Alejandro Hernández Oseguera
Partner
Zinser, Esponda y Gomez Mont, Abogados
T: +52 55 5202 8610
Alberto Zinser Cieslik
Founding Partner
Zinser, Esponda y Gómez Mont, Abogados
T: +52 55 5202 8610
R&C: In today’s regulatory environment, why is it important for companies to stress test their compliance programmes? How often should they do this?
Harned: It is important for compliance
professionals to ensure that their company
has met regulatory expectation, so as to
avoid the negative consequences that
come from non-compliance. Regulators
around the world are becoming more
sophisticated in their evaluation of
compliance programme effectiveness, so
their standards remain a critical area of
focus for a programme. That said, today’s
regulatory environment is just one of
several reasons why companies should
stress test their compliance programme.
We live in a world of fast-paced sharing
of public opinion. A single misstep by a company
can become global news in a short period of
time. Additionally, as millennials rapidly grow as
a population in the workforce, communicating
organisational standards and also meeting their
expectations of transparency and trust will be equally
important. Every programme should be assessed
and measured. Measurement toward a standard
allows an organisation to evaluate its efforts, review
its budget allocations and make judgments about
its programme. The frequency depends on the
pace of change the organisation faces. As a rule of
thumb, a programme should be assessed every two
years. But an organisation with recent M&A history,
multinational operations, history of misconduct, and
so on, should do its assessment more frequently.
Moosmayer: To achieve sustainable and ongoing
verification of a compliance programme’s adequacy
and effectiveness, there should be a clear internal
audit plan in place based on solid risk assessments.
Digitalisation, in today’s corporate world, provides a
platform for much better monitoring of compliance
and control activities. External validation or
certification of a compliance programme would
also qualify as a ‘stress test’, but this should be in
addition to internal efforts. From a timing perspective,
a modern and digital monitoring system should allow
for an ongoing check for red flags, audit plans should
annually focus on deep dives, and comprehensive
external assessments realistically could be
conducted only every three years at maximum.
Hernández: By their very nature, compliance
programmes must be able to adapt to reality. For a
company to implement a compliance programme
tailored to suit its needs, its activities and the social
context in which it operates, it must establish a
mechanism, within its own programme,
that will allow it to constantly stress test
the effectiveness of its policies. The very
dynamics of the compliance programme
must include constant reviewing of
the programme by a ‘good practices’
committee. One of the contributions
of German doctrine to compliance
programmes is the concept of ‘duty
of vigilance’, understood not only as a
benchmark for monitoring actions that are
carried out in the context of business, but
also as a duty to stress test compliance
programmes by constantly reviewing the measures
taken to prevent and eradicate corrupt practices.
This is especially relevant in legislative contexts
such as the Mexican one, in which, stemming
from the gaps which still exist in compliance
regulations, due to their recent incorporation, not
only must companies comply with the requirement
to implement a compliance programme, but the
compliance programmes that are implemented
must be sufficiently solid and effective to pass a
final review by the judicial authorities. It is the duty
of the judicial authorities to eventually determine
whether the compliance programme is adequate
enough to prevent its employees or officers from
committing criminal acts on the company’s behalf,
for the company’s benefit or for their own personal
advantage. For this reason, companies adopting
compliance programmes must establish a committee
charged with constantly stress testing and improving
their programmes, at all times considering the
company’s needs, its activities and the context in
which the programmes are developed.
Zinser: If companies assume proper control of
their compliance programmes and continually check
their effectiveness, their risk of incurring criminal
liability is significantly reduced. This is because they
have put an ongoing prevention system in place,
ensuring that they have all the necessary anti-money
laundering (AML) controls in place, in accordance
with the Mexican Federal Law for the Prevention and
Identification of Operations with Resources of Illegal
Origin, and all the requisite crime prevention systems,
in accordance with the National Code for Criminal
Procedures and the Prevention of Acts of Corruption,
which form part of the new national anti-corruption
system, consisting of several complementary laws
that govern citizens, companies, organisations and
public servants. The frequency with which companies
should stress test their compliance programmes
very much depends on how many employees they
have and their corporate purposes, and on knowing
when to carry out periodic reviews of the proper
functioning of prevention controls. Nevertheless,
they should be reviewed and tested every year,
with this revision being carried out ahead of time
if the company is changing its structure, corporate
purposes or anything else that requires special
oversight.
Ghazvinian: Stress testing compliance
programmes is not a new requirement. For most
regulators, it is known as testing of the adequacy and
effectiveness of the compliance programme. As a
compliance officer, you should ask yourself every day
if your programme is ‘working’, or if something you
have designed and implemented really works in a
way you want it to. Re-evaluation is perhaps the most
important part of any compliance programme and it
must be done on an ongoing basis and based on a
plan, but at different levels of intensity. If companies
implement a new element in their compliance
programme, it should be ‘stress tested’ frequently
and intensively until the company is confident that it
works as intended.
R&C: What measures and metrics might companies use to assess their risk, culture and ethics profile as it relates to compliance? What are the essential elements of a stress testing programme in this regard?
Moosmayer: Measures and metrics should
derive from different sources to give a holistic view.
Results from ongoing digital monitoring and control
activities should be combined with the results of
on-site monitoring visits, investigations and audits.
Employee surveys and pulse checks have become
well-established methods to measure the culture of
a company. And last but not least, it is important to
screen external sources in order to detect risks which
may not yet be visible within the company. Having
all this data is very important to assess the results
against each other using modern dashboards instead
of Excel files.
Hernández: The elements of a compliance
programme entirely depend on the company’s
main activities. From the point of view of corporate
criminal responsibility, the essential components of a
compliance programme and its evaluation are aimed
at avoiding corporate criminal liability. In Mexico, as
in other countries, the main purpose of compliance
programmes is to avoid corporate criminal liability.
Hence, each company must take decisive normative
steps so that, in the event that its compliance
programme comes to be tested before a judge, the
latter is satisfied with the measures adopted.
Zinser: Companies must have an adequate
organisational structure which can identify risks and
mitigate them in accordance with the laws governing
corporate criminal liability. In addition, depending on
the company’s line of business, it can evaluate the
effectiveness of different technologies for recording
information provided to both the company and its
staff. Companies must keep records of all complaints
made on their complaint lines and must follow up on
them until they are resolved. In other words, once
periodic risk assessments have been carried out in
sensitive operational areas, a risk assessment of the
pertinent policy must be made to ensure that the
oversight process does not expose the company.
Also, it is essential that companies have a corporate
compliance management system that enables them
to prevent any crime from being committed on
foreign soil, and thus allows them to avoid criminal
liability due to lack of due organisational control, as
well as reducing the risk of theft, fraud and other
crimes.
Ghazvinian: If a company’s risk is related to
corruption, competition, data protection or foreign
trade controls, it will utilise a very different set
of measures than it would for ethics and culture.
Companies can assess many of their corruption
risks with quantitative measures. Risk assessments
should focus on quantitative measures such as
revenue in a certain country or revenue with state-
owned entities. In addition, introducing a qualitative
component allows companies to get a status of the
maturity of their risk assessment and assurance on
certain elements. For ethics and culture, companies
can utilise the employee survey and other tools, as
it is much more subjective. Identifying risk factors
and mitigating measures will outline the essential
elements that require stress testing. If an interaction
with a third party is a significant risk, it is obvious
that effectiveness testing will be implemented. This
could be a spot check, a periodic review of contracts
and an in-depth review of those relationships, and
assurance that all required measures are being
implemented and are effective. This can be done by a
company’s compliance team, but also by an external
party.
Harned: There are several dimensions that
an organisation should consider in assessing
its profile from an ethics and compliance (E&C)
perspective. One dimension pertains to the design
and implementation of the programme. Have we
identified objectives for the programme that are in
alignment with the key compliance risks we face?
How well are we accomplishing those objectives,
and are we – in fact – actually reducing those risks?
The second dimension of measurement pertains
to the impact of the programme. Do our stated
values and standards, and the resources we provide,
actually impact employee conduct? Are
we effectively holding people accountable
if they overstep our standards? Our
research found five principles that are
common to high-quality E&C programmes
(HQPs), which serve as worthy objectives
and metrics for an E&C programme.
First, ethics and compliance is central
to business strategy. Second, ethics and
compliance risks are identified, owned,
managed and mitigated. Third, leaders at
all levels across the organisation build and
sustain a culture of integrity. Fourth, the
organisation encourages, protects and values the
reporting of concerns and suspected wrongdoing.
Finally, the organisation takes action and holds itself
accountable when wrongdoing occurs.
R&C: To what extent is technology being used to enhance the process of assessing risk, culture and ethics for compliance purposes?
Hernández: Mexico’s ongoing struggle against
corruption has opened up the possibility of
implementing blockchain technology for public
tenders. Blockchain will make it possible for
bureaucratic processes to be digital, transparent
and permanently documented, thus strengthening
anti-corruption mechanisms and facilitating their
implementation. The same technology can also be
used to regulate internal corporate processes. By
deploying these mechanisms in order to achieve
more effective internal controls, companies,
particularly in the public sector, will become more
competitive.
Zinser: The recent guidelines issued by the
financial intelligence unit of the Mexican Ministry of
Finance and Public Credit state that all individuals
and companies are obliged to review their business
processes in order to verify the obligations related
to the correct identification of clients and users, the
identification of the vulnerable activities listed in
article 17 of the AML Law and the presentation of
reports or notifications via the prevention of money
laundering portal of the Mexican tax authority, which
sets forth the provisions of the pertinent Mexican
laws. Also, it is recommended that ethics codes
and compliance information be disseminated to all
employees, and this is usually done electronically.
Furthermore, companies must keep records of all
information relating to compliance, usually storing
such data electronically.
Harned: The actual technological processes
for capturing and analysing data are very mature.
However, it has only been within the last three years
that enterprise risk management (ERM) systems have
included culture, workplace integrity and ethics. E&C
lags even farther behind. For example, in a recent
poll of our members, we found that 52 percent of
E&C professionals believe that they are keeping pace
with the technical solutions that are being developed
to improve their programmes and bring efficiencies.
Where technology is being used, E&C professionals
say that it is primarily utilised for training and
helpline support – 93 percent and 91 percent of
practitioners respectively. Surprisingly, technology is
being utilised for risk assessment by only 47 percent
of respondents. Where companies are not able to
leverage the solutions that are available today, the
primary reason is budgetary constraints.
Ghazvinian: Technology will be the main driver
of ‘Compliance 3.0’. For the moment, however,
technology is merely useful, nothing more.
Neither IT systems nor data itself are of sufficient
quality today that you could use technology in a
consistent manner.
Moosmayer: Companies possess an immense
amount of data which needs to be utilised for
a proper risk assessment. Although technical
hurdles are still high – especially for companies
with a diverse IT landscape – and there is always
a budget challenge, data mining, data analytics
and visualisation of the results are essential for a
modern, holistic assessment. Behavioural science
has also significantly developed and allows insights
into ethical and cultural dilemma situations, but
here companies still have a long way to go – and
to respect, of course, the data privacy laws of their
employees.
R&C: In your experience, what are some of the typical red flags that might signal lapses and shortcomings in relation to risk, culture and ethics?
Zinser: There are a number of red flags which
might indicate that the company has shortcomings.
For example, the company might not have identified
the ‘vulnerable activities’, listed in Article 17 of the
AML Law. The company might not have presented
any report or notification about a ‘vulnerable activity’.
It might have failed to appoint a compliance officer
or instigate an ethics code. Equally, the
company may have an ethics code, but
might have failed to adequately inform its
employees or third parties about it. A lack
of commitment from company leadership
can be extremely damaging. There must
be an adequate ‘tone at the top’. If the
company’s senior management is not
totally committed, it will be impossible
for the company to achieve a good
organisational structure at all levels.
Ghazvinian: There are two different
signals that a compliance officer can use to
identify lapses and shortcomings in relation to
risk, culture and ethics. The first signals can be
identified by reviewing the results of the risk and
ethics assessment. These risks are easy to mitigate.
Focusing on them is important, but neglecting
the second group will expose the organisation
over time. The more important group of red flags
are those companies identify by analysing the
data and identifying correlations. Companies can
have a set of risks that are low exposure if they
are reviewed in isolation. But if those risks occur
together in a particular combination, they might
signal the lapses and shortcomings of the company’s
ethical standards. The challenge is to identify the
correlations. This requires a deep understanding of
the organisation, good data and a strong mindset.
Moosmayer: In order to be able to draw adequate
conclusions, a ‘risk radar’ needs several sources.
Singular cases of misconduct may not necessarily
qualify as evidence of systemic problems. But if you
see in the same entity declining quality controls and
the absence of a ‘speak up’ culture, those cases that
do come to light may only be the tip of the iceberg.
Also ‘white spots’ may turn into red flags if, in a risky
environment, you have steadily increasing sales
volume but no reports of potential problems at all, for
example. So, it is always a combination of different
indicators which should trigger the alert button.
Harned: Our research has shown that there are
three primary metrics that serve as red flags of
trouble ahead. The first is employee expression that
they feel pressure to compromise organisational
standards or the law, in order to do their jobs.
The vast majority of individuals who feel pressure
– 85 percent – also say that they have observed
misconduct taking place around them. The
second metric is employee reporting of suspected
misconduct. We know that misconduct happens
in every organisation; what matters is whether
or not employees make management aware that
problems are taking place. The third metric is the
extent to which employees perceive that they will
experience retaliation if they report suspected
wrongdoing. When people believe that there will be
ramifications for reporting, there is a silencing effect
in the organisation. That leads to a significant and
detrimental erosion of the organisational culture.
Hernández: A company that fails to appoint a
chief compliance officer (CCO) will not be able to
establish an orderly and documented procedure
for carrying out its transactions. Moreover, if the
CCO does not have the required autonomy and
independence to effectively implement these
procedures, the compliance will fail.
R&C: Following an assessment, how important is it for a company’s senior leaders to fully understand the results and respond accordingly?
Moosmayer: For senior leaders, it is much more
than just understanding the process. Management is
the true risk owner. It is therefore key to involve them
fully in the stress test exercises and any follow-up
remedial activities.
Harned: It is mission critical for senior leaders to
understand the results of an assessment. Even more
importantly, it is essential for them to communicate
to employees what they learned and what they
will do differently in order to address any areas of
shortcoming. Failure to do so risks losing employee
confidence in leadership. It also signals that
assessments do not really make any difference to
leadership. The bottom line is that it would be better
for an organisation to not undertake an assessment
at all than for a company to assess itself and then to
do nothing about it. Response to the findings must be
transparent and honest. Executives also have to ‘own
their role’ in the E&C process. When executives and
managers recognise their responsibility for shaping
the conduct of the organisation, E&C becomes a part
of the culture.
Hernández: Currently, all managers must
be properly trained in, and updated on, good
compliance-related practices, regardless of the
area they operate in. Failing this, the compliance
programme will be ineffective and, therefore, will
not fulfil its purpose of preventing corruption, and
the company adopting it should not expect to have
a rosy future, particularly in public-sector markets,
which will become increasingly demanding in this
regard going forward.
Ghazvinian: It is crucial that a company’s
senior management understands the results of
any assessment. Management should understand
those results as well as they understand all the
other numbers. They do not need to understand all
of the details per se, but they must understand the
results, which are often based on the risk appetite
defined by senior management, and therefore it has
consequences for the daily business and the mid-
term strategy, but also whether the company can
pursue a certain type of business or not. On the other
hand, it will help senior management to channel
resources and focus their attention. In addition, and
related to culture, it will help senior management
to identify the right measures to start a change
management process.
Zinser: It is very important for the company’s
senior management to know how to identify and
evaluate risks. Only in this way can the company
mitigate those risks and implement or modify the
controls or protocols that are necessary for due
corporate control and the avoidance of criminal
liability. The size of the company, its corporate
purpose, the size of its workforce, its risks and its
operation must be taken into account in order to
implement suitable strategies. Senior management
must ensure that lower level managers understand
that they must have an adequate compliance
programme in place, and that they must comply with
all the legal requirements regarding crime prevention,
money laundering and corruption.
R&C: What steps should firms take to ensure that strong governance and controls are in place for an effective compliance framework that functions as intended?
Ghazvinian: There are two steps firms should
take to ensure that strong governance and controls
are in place. First, they should have an open and
honest discussion about the target of the compliance
framework. What kind of governance and controls
does the company want and what does the company
want the framework to achieve? This relates to the
identified risks, the culture and the business model of
the company. Second, the company needs to have an
open review, particularly if the framework has been
implemented and how far it is in its process. This
cannot be achieved overnight, but companies need
to have a plan and an honest review.
Hernández: Corporate governance is very
similar to the governance of a country. Risks must
be constantly analysed, an internal control or
compliance department must be set
up, internal disciplinary controls must
be implemented, as must internal and
external audit procedures. Companies
must also find effective ways and tools to
communicate their values.
Harned: There are a number of industry
control standards that outline effective
compliance and governance – COSO,
COBIT, ISO37000 and ISO27001, to name
a few. The key to making these standards
successful is understanding your
organisational risk, applying the standards
based on this risk profile, measuring performance
using benchmarked key performance indicators, and
creating a speak-up culture.
Zinser: It is essential, in the event of a compliance
incident, to verify the error, to check whether
a given standard is effective and to verify that
risk assessments have been carried out and
whether they are reflected in the compliance
programmes. Also, it is necessary to ascertain
how the programmes were transmitted within the
organisation. This implies employee training aimed
at making employees understand the importance
of statistically analysing incidents and, above all,
using the results of such analysis. The company
must identify the controls which it has already put
in place and have a compliance officer who can
identify defects in these controls, along with the
needs, effectiveness and functionality of the controls
that have already been established. The business
processes of the company, its organisational
structure, its areas and the size of its workforce
must also be identified in order to have a complete
understanding of the organisation and the risks that
it faces.
Moosmayer: The future of good governance
and compliance in corporations is an integrated
risk management system which combines the
different risk workstreams in a company – including
compliance – and also takes into account ethical
considerations and risks. Compliance should lead
this development, given its significant experience
of how to create risk-based organisational models
and processes across the three columns of ‘prevent,
detect, respond’.
R&C: Looking ahead, do you expect more companies to actively stress test their compliance programmes? Are any innovations likely to enhance this process and produce even more insightful results?
Hernández: The Mexican press recently revealed
that HSBC was involved in a criminal investigation,
making it the first bank to face possible criminal
charges in Mexico, and thus it is one of the first
companies to have the validity and effective
implementation of its compliance programme put
to the test. Undoubtedly, the market is placing
greater demands on companies to have an effective
compliance programme, particularly in the public
sector. Therefore, a company that wishes to survive
in the long term and remain competitive must
keep itself continually updated about innovations
and mechanisms that will improve its compliance
programme. It is no longer enough to simply have
a compliance programme in place. In order to be
effective, a company’s compliance programme must
be constantly updated, and this can only be achieved
through regular stress testing.
Harned: Businesses today are becoming more
and more data driven, so it is reasonable to expect
that stress testing of the compliance programme
will increase. Even further, pressure will increase for
E&C to demonstrate the return on investment of its
efforts. Professionals should assume that collecting
and truly understanding the data behind compliance
programmes will be the only way for compliance
programmes to be successful moving forward.
Zinser: The challenge for Mexico is to make
companies aware that, once best practices and
organisational tools have been implemented
to eradicate corrupt practices and to identify
irregularities, justice can be slow, tedious and
often costly, but is worth all the effort in the end.
On a national level, we are still learning, and more
companies are seeing that it is possible to improve
their controls and are drafting internal organisational
manuals that comply with best international practice.
Those companies that have the most effective risk
standards relating to bribery, anti-corruption and
money laundering are the ones with an international
presence. Many large Mexican companies directly
cooperate with US companies or are subsidiaries of
them.
Moosmayer: Stress testing compliance is a trend
which, more and more, will evolve into a standard
expected by investors, analysts and society. The
art will be to create an integrated enterprise risk
management system which is not perceived as a
bureaucratic burden. It is therefore key to emphasise
management responsibility and accountability in the
whole process.
Ghazvinian: Companies must actively stress
test their compliance programmes. If a company
intends to prove that it has an adequate and
effective compliance programme, there is no other
way it can be done. This is ‘Compliance 3.0’. While
companies should focus on design, implementation
and selective effectiveness testing, stress testing
compliance programmes will become standard.
Blockchain will be an interesting option, although
no one really knows how this will work out. The next
three to five years will be decisive for blockchain’s
growth. RC&
PERSPECTIVES
CRISIS AND THE PROTECTIVE POWER OF TRUST
BY KARI BUTCHER
> EDELMAN INTELLIGENCE
In today’s tumultuous media environment, rising
callout culture and tense sociopolitical landscape,
issues develop into crises quickly, often wielding
significant and long lasting fiscal and reputational
impact in a matter of minutes. This reality has
underscored the value of trust as the data clearly
shows trusted companies are far more resilient
in the face of crisis, experiencing shorter and less
damaging crisis lifecycles.
Trust matters
The benefits of trust extend beyond crisis
management as well. Trusted companies, for
example, financially outperform their respective
sectors, are better able to retain and recruit key
talent and are generally more resilient in the face of
risk, operational and competitive threats. People are
six times more likely to recommend their friends,
family members or colleagues seek a job at trusted
businesses, and 58 percent say they would defend
a trusted company if they heard someone criticising
it. Further, trust lowers demand for regulatory
scrutiny; only one in five say they would lobby for
more regulations for companies they trust versus
two in five for distrusted businesses. As technology,
financial services, health and transportation sectors
experience unprecedented levels of consumer and
regulatory scrutiny, trust becomes both a distinct
competitive advantage and key indicator of a
business’ resilience and ability to maintain fiscal
health.
Simply stated, trust capital is perhaps a business’
best insurance policy against crises, risk and
disruption today – and further, is also its best
investment toward driving positive business impact
tomorrow.
Central to this truth is that trust, unlike reputation,
is a forward-looking metric. Trust looks beyond the
current state of play, inherently offering a projection
of the relationship dynamics and behaviour
exchange between an individual and a business or
organisation. In this way, trust serves as a predictor
for how stakeholders will engage with and act
on behalf of the business or organisation in the
future, removing much of the guesswork from risk
management and giving the business and its leaders
the confidence to pursue bold ideas and innovations
without the fear of business-ending failure or
inability to rebound quickly from strategic missteps
or true crises events.
In short, trust capital is highly precious and
valuable.
Measuring and managing trust
It comes as no surprise that cashing in trust
capital is much easier than accruing it. Establishing
and managing trust is a highly nuanced exercise
requiring careful planning, continuous measurement
and investment of resources specific to the
business’ needs and abilities. An additional challenge
is that many of the traditional mediums for reaching
stakeholders to build trust are now fraught with their
own trust deficits.
Media, previously among the most authoritative
and trusted sources of information, for example,
plummeted to the least trusted institution in 2018. As
fear of fake news surged – with individuals worried
about their ability to discern objective facts from
misinformation and nearly seven in 10 fearing false
information could be used as a weapon – trust in
and engagement with news fell.
In a striking reversal of that trend, this year’s
Trust Barometer tracked a 22 point jump in news
engagement over 2018. On its face, this data point
might suggest that trust in media has rebounded, but
a closer review reveals that fears of misinformation
and perceived roadblocks to acquiring facts remain
and that the fabric of trust in media, and in all
institutions in 2019, is largely fragmented and fragile.
Polarities in trust in 2019 are perhaps most evident
upon exploration of trust in media and political
party affiliation. In the US, for example, people who
voted in the 2018 midterm elections identifying as
Democrats were significantly more trusting of the
media than their Republican counterparts – apparent
in the seismic 36 point trust gap between the two
political groups.
Further, as people seek answers in a world marked
by deep sociocultural and political divides, channels
like social media are met with more scepticism than
ever. Concerns about fake news and data privacy
continue to cloud the media ecosystem, especially in
Europe, Canada and the US, where the gap in trust
between mainstream media and social media is as
high as 40 points in some markets.
This data begs the question: in a world where
establishing trust is so important, and the traditional
channels for building and communicating it are
compromised, how can it be done?
Employers lead in trust
Sustained and emerging trends in valued and
trusted voices provide promise and direction. Owned
platforms – blogs, websites, non-paid media – are
now true table stakes for corporate communications
in a low trust media environment. They must be
used more heavily to supplement earned and paid
strategies.
Also of note is the evolved expectation society has
for C-suite leaders to drive positive societal change
within the environments they operate. As people
seek reliable information, they are also looking for
leadership. While trust in government lags business,
CEOs are tasked with speaking up and out on issues
that extend beyond delivering on the bottom line,
including on matters like equal pay, discrimination,
sustainability and job training.
Further, today, people hold more trust in their
employer than in any single institution, with trust
levels at 75 percent globally, 19 points more than
business in general and 27 points more than
government. Importantly, employees’ expectation
that their employers join them in taking action on
societal issues (67 percent) is nearly as high as
their expectations of personal empowerment (74
percent) and job opportunity (80 percent). In this
context, employees should be both critically and
carefully considered as a key audience, and potential
distributor of messages.
In summary, an investment in employees,
addressing their fears and expectations, establishing
a platform for the C-suite that allows them to clearly
articulate where business strategy and values
intersect, and careful selection of owned and select
earned channels that authentically deliver those
messages, are the stepping stones to building trust
and achieving the many benefits trust capital yields. RC&
Kari Butcher
Managing Director
Edelman Intelligence Eastern Region
(New York and Washington DC)
T: +1 (202) 551 9840
MINI-ROUNDTABLE
ADVANCED TECHNOLOGY FOR COMPLIANCE
Andrew Pimlott is a senior managing director in FTI Consulting’s data & analytics practice. He brings sophisticated analytics and regulatory expertise to large-scale financial services investigations, particularly in the area of financial crime, including anti-money laundering (AML) , terrorist financing, economic sanctions and anti-bribery and corruption. He has led his clients, which are among the largest financial institutions, through exceptionally complex and impactful regulatory and legal matters, and has on numerous occasions represented them before the US Treasury/OFAC, DOJ and FBI as well as EMEA regulators.
Andrew Pimlott
Senior Managing Director, Financial Crime
and Investigative Analytics, EMEA
FTI Consulting
T: +44 (0)20 3727 1285
PANEL EXPERTS
Jamilia Parry is a managing director in FTI Consulting’s financial services practice. She is a senior regulation professional with significant experience in dealing with the EU, US and UK regulators, including conducting AML, sanctions, conduct and governance investigations and delivering remediation programmes to fix the root causes of the identified issues. She has practical experience of leading and implementing regulatory changes and remediation programmes, having held senior executive positions in large financial services firms as head of change and head of group compliance.
Jamilia Parry
Managing Director, Financial Crime,
Governance and Conduct, EMEA
FTI Consulting
T: +44 (0)20 3727 1417
R&C: To what extent is the international regulatory landscape becoming more complex and challenging? How would you describe the compliance burden that companies now face?
Pimlott: The international regulatory
landscape is particularly complex and
challenging at present because new
sanctions on entities and individuals are
used to apply political pressure, placing
a greater burden on companies already
under heavy regulatory scrutiny. In the
past few years, we have seen banks
agree to pay settlements in the billions
to US prosecutors over allegations of
sanctions violations – penalties that
regulators intend to be a clear warning signal. A
regulatory breach does not just impact a business
financially, but also causes severe reputational
damage. Compliance teams are expected to detect
and prevent regulatory violations taking place, yet
money launderers are becoming increasingly savvy
with their technical applications, navigating almost
with ease through any barriers applied. The constant
increase of data, new technological developments,
FinTech, Cloud innovations, GDPR, Brexit – to
name just a few – are all adding to the pressure
and escalating expectations on the compliance
department.
R&C: In what ways are advanced technologies helping companies to meet their regulatory compliance obligations?
Parry: Fortunately, advanced technologies can
help companies to meet regulatory obligations.
Today’s technology is capable of bringing together
and analysing disparate data to find out what
someone has attempted to conceal. It is now
possible to link together not just structured data
like core banking transactions, SWIFT messages
and Know Your Customer (KYC) data, but also
unstructured data such as emails and even audio.
Once you can integrate all these different types
of data into one environment, you can really get
at the truth of what has been going on, answering
essential questions such as who, what, when and
how much. Data visualisation tools can help explore
the resultant information, for example by displaying
data graphically and showing transactional
movements in a particular geographical area that is
subject to sanctions. Sentiment analysis technology
is enabling compliance functions and management
to monitor culture and emerging misconduct issues,
thus providing an opportunity to intervene before
major issues occur. Machine learning (ML) is further
empowering the compliance function, giving teams
the necessary tools to focus and drill down on those
transactions that raise high risk red flags.
R&C: Drilling down, could you explain the benefits of utilising software that can bring together and analyse disparate data for compliance purposes?
Pimlott: As a first step, analysts
teach the machine what ‘normal’ data
behaviour looks like, or what typical data
relating to a compliance breach would
look like. This knowledge is converted
into algorithms that can be applied
automatically to masses of historical data. The
application then refines the algorithms in light of
known outcomes associated with that data. The
identification of future anomalous behaviours can
then be automated, with the application raising red
flags on unusual patterns to be further explored
by human investigators. The investigators in turn
provide the application with feedback about which
patterns have proved to be associated with crime.
In this way, a feedback mechanism continually trains
the application and optimises its performance. The
crucial difference between new ML tools and legacy
approaches is that ML allows the application to
continuously improve its capabilities, which means
that when criminals apply technically advanced
methods, the application can quickly adapt.
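The loop Pimlott describes (learn what 'normal' looks like from history, flag anomalies automatically, feed investigator verdicts back so the model adapts) can be shown in miniature. The following is an added example written for this page; it is not FTI Consulting's software or code from the roundtable. The transaction history, the three binary red-flag indicators (large amount relative to the customer's baseline, never-seen country, off-hours activity) and the simple perceptron-style weight update are all constructed assumptions chosen to keep the arithmetic visible.

```python
"""Human-in-the-loop anomaly flagging for transaction monitoring (constructed example)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed sample history: (customer, amount, country, hour_of_day). Not real data.
HISTORY = [
    ("C1", 100.0, "GB", 10), ("C1", 120.0, "GB", 11),
    ("C1", 80.0, "GB", 14), ("C1", 100.0, "GB", 9),
    ("C2", 1000.0, "DE", 10), ("C2", 1200.0, "DE", 15),
    ("C2", 800.0, "FR", 12), ("C2", 1000.0, "DE", 16),
]


@dataclass
class Baseline:
    """What 'normal' looks like for one customer, learned from history."""
    mean_amount: float
    std_amount: float
    countries: set


def learn_baselines(history):
    """Step 1: summarise each customer's historical behaviour."""
    by_customer = {}
    for customer, amount, country, _hour in history:
        by_customer.setdefault(customer, []).append((amount, country))
    baselines = {}
    for customer, rows in by_customer.items():
        amounts = [a for a, _ in rows]
        std = pstdev(amounts) or 1.0  # floor so a constant history still yields a z-score
        baselines[customer] = Baseline(mean(amounts), std, {c for _, c in rows})
    return baselines


def extract_features(tx, baselines):
    """Turn one transaction into binary red-flag indicators (hypothetical feature set)."""
    customer, amount, country, hour = tx
    b = baselines[customer]
    z = (amount - b.mean_amount) / b.std_amount
    return {
        "large_amount": z > 3.0,
        "new_country": country not in b.countries,
        "off_hours": hour < 6 or hour >= 22,
    }


@dataclass
class Model:
    """Weighted sum of indicators; an alert is raised when the score reaches the threshold."""
    weights: dict = field(default_factory=lambda: {
        "large_amount": 1.0, "new_country": 1.0, "off_hours": 1.0})
    threshold: float = 1.0
    learning_rate: float = 0.5

    def score(self, features):
        return sum(w for name, w in self.weights.items() if features[name])

    def is_flagged(self, features):
        return self.score(features) >= self.threshold

    def feedback(self, features, confirmed):
        """Investigator verdict on a flagged item: reinforce the indicators that fired
        when the case was confirmed, dampen them when it was benign (floor at zero)."""
        delta = self.learning_rate if confirmed else -self.learning_rate
        for name, active in features.items():
            if active:
                self.weights[name] = max(0.0, self.weights[name] + delta)


def run_monitoring(model, baselines, stream, verdicts):
    """Score new transactions in order; apply analyst verdicts to anything flagged.
    verdicts maps a transaction index to True (confirmed crime) or False (benign)."""
    flagged = []
    for i, tx in enumerate(stream):
        feats = extract_features(tx, baselines)
        if model.is_flagged(feats):
            flagged.append(i)
            if i in verdicts:
                model.feedback(feats, verdicts[i])
    return flagged


# Constructed new transactions and constructed analyst verdicts.
NEW_TXS = [
    ("C1", 95.0, "GB", 23),    # 0: only off-hours fires; analyst later marks it benign
    ("C1", 105.0, "GB", 2),    # 1: same pattern; dampened weight keeps it below threshold
    ("C2", 5000.0, "KY", 12),  # 2: large amount to a never-seen country; confirmed
]
VERDICTS = {0: False, 2: True}


def demo():
    baselines = learn_baselines(HISTORY)
    model = Model()
    flagged = run_monitoring(model, baselines, NEW_TXS, VERDICTS)
    return flagged, model.weights


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the run is in the weights after feedback: one benign verdict on an off-hours alert halves that indicator's weight, so the second off-hours transaction for the same customer is no longer escalated, while the confirmed case raises the weight of the two indicators that fired on it. In a production system the features are far richer and the verdicts themselves must be logged and reviewable, because this is the channel through which the model's behaviour is being changed.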
R&C: What recent innovations have you seen in artificial intelligence (AI) and intelligent tagging that are having an impact in this space? How are these systems getting better at analysing data and identifying trends, patterns and outliers?
Parry: ML and predictive technology can, to a
great extent, automate the process of looking for
signs of fraud or misconduct. Predictive technology
enables rapid processing of large amounts of
data while highlighting potential concerns to be
scrutinised by compliance experts. ML capability
means the application learns continuously
through the process of internal reviews of alerts,
progressively improving the accuracy and relevance
of alerts and the prioritisation of key documents
for review. Other sophisticated tools include
sentiment analysis, which can be used to provide
predictive assessment of cultural risk and changes
in behaviour. These predictions enable firms to
investigate potential compliance- and conduct-related
matters early, and intervene before they
become a problem. This technology can also
help firms build a heat map of the organisation’s
culture risks, and identify emerging patterns of fear,
pressure, deceit or disregard for internal rules, all of
which are known to be associated with significant
misconduct events such as foreign exchange
manipulation, payment protection insurance mis-
selling, and many others. All this can be done by
combining and applying these technologies to data
in day-to-day communications such as emails,
voice and chat data. The resultant information
about cultural risks can be used in conjunction with
other alerts, for example relating to sales, trading
activities or expenses, to see if further investigation
is needed.
R&C: How is compliance-related technology being extended to assist with screening customers and third parties? Why is this so important in today’s regulatory environment?
Pimlott: Financial institutions have been
reluctant to collaborate on these issues because
of their desire to keep valuable KYC information to
themselves. However, they will need to overcome
this obstacle. FinTech companies are showing what
is possible, with their willingness to pool information
with one another. Technologists may make this
approach more acceptable to traditional financial
institutions by providing platforms that share
information selectively. Already, there are several
pools of shared KYC information available. Being
able to check a new customer against a shared
master database might be a better governance
model than the current one, and might help
overcome any political barriers to collaboration.
R&C: What considerations should compliance professionals take into account when assessing which technology solutions are right for their organisation?
Parry: It is important to have an open mind,
and a broad familiarity with the options available.
Modern analytic techniques do not call for ditching
traditional approaches, but rather complement
existing methods. They are partly a response
to the ever-increasing volume and complexity
of data, which would be impossible to handle
otherwise. Looking at the full range of techniques
available, including the latest, widens the options
for compliance teams, and means situations that in
the past could not have been dealt with efficiently
can now be brought to a successful resolution.
If partnering with an external organisation, it is
advisable to look at firms that field an integrated
team of data scientists, traditional analysts and
deep subject matter experts. These multidisciplinary
teams can work with compliance departments
seamlessly to apply all this knowledge and help
them stay compliant.
R&C: Based on your experience, what advice would you offer to companies on integrating compliance technology into their existing systems and processes, to ensure the roll-out is as smooth as possible, with minimal disruption to the business?
Pimlott: A step-by-step approach is essential, as
is the ability to stay agile in order to take advantage
of fast-moving developments in technology. To start
the process, existing systems in the enterprise
need to be mapped out, including how they
connect and communicate with each other. Once
a clear understanding is gained of what system
and process sits where, the team can analyse
the requirements for the specific enterprise
environment, and how best to apply and integrate
compliance technology – either as a completely
new system integration, or as an add-on to existing
technology. In our experience, for the roll-out to be
smooth, with minimal disruption to the business,
it is absolutely essential to work alongside the
relevant teams within the business and get buy-in
from the top-down, offering workshops and training
sessions for all staff throughout the process. That
way, the business understands why a new system
has been installed and how it impacts the future
wellbeing of the company.
R&C: What are your predictions for compliance technology over the coming months and years? What innovations are we likely to see in this area?
Parry: Advanced analytics will accelerate, and
methods available will become more and more
sophisticated, addressing ever more savvy financial
crime methods, including politically driven cyber
attacks on institutional enterprises. Compliance
technology will enable compliance teams to
manage the volumes of data and cut through the
noise to focus on high-risk red flags. We believe
global collaboration platforms that share those red
flags plus KYC information, can help to prevent illicit
money from flowing through jurisdictions with no
means of control. The need for compliance teams to
understand advanced analytics technology will only
grow, as it will become more of an extension to their
capabilities, allowing them to deliver on regulatory
demands and protect the business from financial
crime and ultimately reputational damage. RC&
ONE-ON-ONE INTERVIEW
Nick Parfitt
Head of Market Planning
Acuris Risk Intelligence
T: +44 (0)20 3741 1200
Nick Parfitt is responsible for determining Acuris Risk Intelligence’s approach to the market and building subject-matter expertise. He has 18 years’ experience in project and programme management, business process change and in implementing technology and business solutions at financial services, telecoms and public sector organisations. His experience in the financial crime sector spans seven years, helping tier one financial institutions assess and improve AML, KYC and sanctions operations. Mr Parfitt has worked for several tier one banks in the UK and holds an MBA (Distinction) from Cardiff University, and a BA (Hons) in Biochemistry from Imperial College.
COMPLIANCE RISKS AND CONSIDERATIONS FOR FAMILY OFFICES
R&C: What, in your opinion, are the most significant compliance issues currently facing family offices?
Parfitt: We see parallels with traditional small to
medium and even large organisations, where it is a
challenge to keep abreast of regulatory and compliance
obligations – and one that is often exacerbated by the
jurisdictional reach and nature of the operation. When
single or multi-family offices are subject to
anti-money laundering (AML) regulations,
compliance is a key challenge due to the
depth of knowledge and experience needed
around the subject and the implications
for the office in question. Beyond specific
compliance requirements, family offices also
should consider reputational risk exposure.
They need to look at what this means
for business relationships – either direct
relationships with partners and organisations
or throughout the vendor supply chain – and
how they are identifying and managing this
risk.
R&C: What do you consider to be the most notable legal and regulatory developments presently impacting the way family offices approach risk, compliance and reporting processes?
Parfitt: In the UK, a family office can operate in
various ways: from being run by trusted family members
or individuals to being managed by a professional
service provider. UK law requires that investment
advice can only be given by a stockbroker or financial
adviser, who must be registered with the Financial
Conduct Authority (FCA), or in the case of certain larger
institutions, the Prudential Regulatory Authority (PRA).
Another key aspect of risk for family offices is around
limitation of liability and how different legal structures
can be used to limit liability if required. The three primary
entities used to achieve this in the UK are limited liability
companies (Ltd), limited partnerships (LPs) and limited
liability partnerships (LLPs), all of which protect the
owner, in general, from financial penalties according to
the level of equity invested in the family office entity.
R&C: How important is it for family offices to cultivate a robust compliance and risk management culture across the organisation? What strategies can be deployed to take this process well beyond a box-ticking exercise?
Parfitt: If we look at good practices for AML and
countering of terrorist financing (CTF) over the last
decade, the adoption of a shared culture throughout
the organisation has been central to success. More
importantly, it is good business sense to have well-
articulated, documented and implemented risk
processes and procedures, particularly if the family
office has a low appetite for reputational risk exposure,
as nearly all of them do. Regularly refreshed training
that is tailored to the family office’s unique business
operations, scope of jurisdiction and articulated risk
appetite is a successful way of embedding good
practices. From a governance perspective, a suitable risk
and compliance governance operating model, including
appropriate committees for risk escalation and decision
making, provides a key control point for implementing
and managing risk policies and procedures.
R&C: Are you seeing more family offices apply data analytics to help them meet their risk management and compliance obligations? What benefits can technological innovations offer?
Parfitt: Data analytics is an exciting and fast-
developing area with the potential for significant
business impact. It is becoming possible to track and
report on key risk indicators (KRIs) automatically and
in real time, supporting faster and more informed
business decisions. This topic is still front-of-mind for
global financial services providers, because the degree
to which data within the organisation is actionable
depends on its quality and scope. Technology should be
at the heart of accelerating processes, providing greater
insight into critical business relationships and alerting
personnel to trends or breaches that may materially
impact operations or crucial decisions. As an example,
we see risk-averse organisations making extensive use
of enhanced due diligence (EDD) reports to inform and
manage business relationships, whether at the start
of a new venture or at periodic intervals during the
relationship to monitor any material changes in risk.
Speed of delivery is critical here and new technology,
data and automation is an enabler. But we also
recognise the importance of human interpretation in
faster decision making.
R&C: To what extent can technology enhance collaboration between the different functions within a family office?
Parfitt: Technology is fundamental for providing
efficiencies and improving the quality of decision
making but must be balanced with the scope and needs
of the family office. The security of the information
and the sensitivity of what is being collaborated on
should also be risk assessed and ideally have an
associated information security policy. This ensures
that standards and regulatory compliance, for example
with the EU General Data Protection Regulation (GDPR),
are ‘baked in’. It is encouraging that there are many
relatively inexpensive IT solutions on the market that
offer great collaboration, security and usability across
multiple platforms, providing rich functionality at a
relatively low cost. However, it is very important to have
corresponding IT security policies and procedures to
support IT usage and adoption.
R&C: What essential advice would you offer to family offices on adjusting their internal frameworks and processes to achieve higher levels of risk management and governance?
Parfitt: Perform an enterprise-wide risk assessment
that looks at your office’s operations, product
and service offerings, jurisdictional exposure and
the policies, systems and governance across the
organisation. Then, overlay regulatory requirements
– and importantly, make this an annual event so that
you can identify changes in risk. If your office does
require adherence to AML/CTF rules, then you need
to make sure your risk rating of business relationships
is accurate and that you can adjust risk controls
accordingly. Governance and control are at the heart
of risk management. This approach will enable a risk
framework to be overlaid with actual processes and
controls to indicate where there are gaps or areas for
improvement. It may also indicate where your office is
being overcautious.
R&C: Looking ahead, how do you expect the risks and compliance challenges for family offices to unfold and evolve over the coming years? What factors will separate those family offices that can successfully meet their obligations from those that fall short?
Parfitt: The global macro trends of the last 10 to 15
years point to a continued increase in regulatory and
compliance rules and requirements that will only ensure
a more complex operating environment, and this is
unlikely to slow down anytime soon. The opportunity,
though, is to be more proactive and use compliance
as a competitive advantage. It can demonstrate to the
wider business community that you know your risks
and can manage them accordingly, and even allow you
to take on higher risk as long as it can be identified and
mitigated at a cost that does not break the business.
Take a three- to five-year view of where the office is
now and where it needs to be, factoring in expansion
plans. Not taking this approach will only store up issues,
putting the office on the ‘back foot’, which is draining for
all involved and will ultimately limit business growth and
profitability. RC&
MINI-ROUNDTABLE
MANAGING TRADE COMPLIANCE SCREENING
PANEL EXPERTS
Taras Chaban
Vice President, Global Head of Buy Side Solutions
Nasdaq
Taras Chaban is the global head of buy-side solutions for market technology at Nasdaq. Previously, he was co-founder and CEO of the London-based behavioural analytics expert, Sybenetix. He was also responsible for pioneering the development of organisational behavioural analytics and leading a team of world-class experts in technology, behavioural science and finance, working with financial institutions to manage the strategic impact of behaviour on operations and culture.
Paul Young
Associate Vice President, Head of Product Management, Buy Side
Nasdaq
Paul Young is head of buy-side product management for market technology at Nasdaq. With over 20 years of experience working in financial technology, Mr Young’s career has focused on investment management and the research and development of systematic strategies. His career has involved managing funds as a portfolio manager at some of the world’s largest hedge funds, such as Man AHL and GLG, co-founding hedge fund Harnett & Partners, and leading research and development teams within data science focused FinTech startups.
R&C: Could you explain why it has become so important for financial institutions (FIs) to actively detect red flags in trade transactions? To what extent have the associated risks increased?
Young: Detecting trade risks is very much about
reputation. Financial institutions (FIs) are
increasingly conscious about their public
profile, particularly as it affects larger
institutions which allocate capital, such
as pension funds and sovereign wealth
funds. Many of these allocators are public
bodies that cannot afford to have any
aspersions cast on their trustworthiness.
When trusting someone with a billion
dollars of capital, there can be absolutely
no question about their behaviour. From
an FI’s point of view, it is very important
to stay within regulations and avoid fines.
But what hurts most is when they hit the headlines
for the wrong reasons. In such circumstances,
institutional investors may perceive any bad publicity
as a red flag, rethink their allocations and move
money away from the FI. Some institutions have
lost hundreds of millions, sometimes billions, in
the space of a few days as the result of a scandal.
Although they may actually be squeaky clean, mud
sticks and investors will not come back immediately.
Reputation is paramount to FIs, and once it is
damaged, it is nearly impossible to regain the trust
of investors.
Chaban: In terms of the process of detecting red
flags, trading and portfolio management is likely to
become more data intensive and automated, so the
complexities are increasing. It is becoming harder
for compliance officers to monitor all the extant
regulations, and manage, prioritise and identify
the tiniest signals among all of the noise. The vast
majority of trading involves individuals going about
their regular jobs, and it is very difficult to find that
one bad apple who is doing their best to hide.
R&C: How have regulations in this space evolved in recent years? What kinds of obligations do they place on FIs, and what penalties can they expect to face if they are deemed to have facilitated criminal activity, knowingly or otherwise?
Young: Regulations such as the revised Markets in
Financial Instruments Directive (MiFID II) and the UK
Senior Managers and Certification Regime (SM&CR)
are quite specialised and specific, and have had a
particular impact on surveillance. For example, the
SM&CR states that senior managers have a duty or
responsibility to ensure they are aware of what goes
on in the firm, and are doing everything possible
to detect when abuse or inappropriate behaviour
occurs. They need to be able to demonstrate to the
regulator that all necessary steps have been taken
and that the firm’s senior managers are on top of
things.
Chaban: In terms of penalties, there are two
sides to consider. Penalties can be applied directly
by governments or regulators, or take the form of legal
action that either regulators or investors may bring. And
these do occur. In a recent case, the UK’s Financial
Conduct Authority (FCA) investigated fund managers
that colluded on initial public offering (IPO) trading,
where they tried to set prices for IPOs. The FCA
does pick specific scenarios, such as IPO trading
collusion and front running of customers, which
fall under the market abuse regulation. But, apart
from the penalties, it is reputational damage that is
most dangerous for FIs, with investors potentially
withdrawing their assets – an action that may be far
more devastating to an FI than a financial penalty.
R&C: What benefits can technology bring to trade compliance screening? How effective has it proven in terms of detecting and analysing trade data?
Young: For modern, high-tech organisations,
trade flow can be immense, so the amount of
data involved in trade compliance screening is
correspondingly enormous. Large organisations
with diverse trade strategies and investment
processes typically have complex trade data analysis
procedures and multiple management systems.
Certainly, all this is a headache for compliance. So,
how do organisations come up with a systemic,
unbiased way of looking at all trade activity and
then matching that with regulation in different
regions? In a global trading context, it becomes
a mammoth task. What it requires is identifying
rare bad behaviour among an immense amount of
trading volume. Even with well-designed testing, with
a very low false positive rate, you are still going to be
overwhelmed with numerous alerts that are benign,
just by the fiscal nature of what you
are trying to achieve.
Chaban: FIs are concerned about regulators’
capabilities, and how they analyse the data they
receive. The FCA, for example, has increased its
spending on data analytics and hired a substantial
number of data scientists. Across Europe, MiFID II
collects data in vast volumes which is being stored
in the Cloud. In the US, the Securities and Exchange
Commission (SEC) has the national exam analytics
tool (NEAT) which, since late 2014, has increased
its analytical capabilities. Asset management firms
in the US say that NEAT has shortened the time it
takes to analyse data. Typically, the SEC will visit
a firm and take a set or subset of data, including
orders and transactions, then go away and analyse
that data before returning with questions in perhaps
one to three days. Prior to this, the process would
take weeks. So, analytical capabilities have increased
substantially on the regulatory side, meaning FIs’
in-house analytics need to respond to keep ahead of
the game.
R&C: For trade compliance screening to be effective, it needs to highlight potential violations while allowing legitimate trades to continue seamlessly. What advances are you seeing on this front?
Chaban: In terms of post-trade
analysis, conducted once a trade has
been executed, the system picks up what
has been collected and highlights what
it believes to be positive. Behavioural
analytics and a risk-based approach
allow alerts that are specific to individuals
and are adaptive to changes in market and fund
conditions. Suspicious alerts that merit investigations
from compliance are not false positives because
compliance must demonstrate that they reviewed
these alerts – even if no abuse was carried out.
Young: FIs need to have complete confidence
that, were a regulator to ask an FI six months
later what it was doing on a particular day in the
past, the FI has already investigated and logged
everything that was done. This data can be captured
using the right kind of system. To avoid being
blindsided by a request from a regulator, FIs need to
provide deeper context and greater understanding
to their normal business operations, to build a
better quality case. Thinking in terms of trade alerts
helps to identify what has happened and capture
the investigation. Positioning within portfolios, for
example, allows us to identify whether a particular
trade is suspicious or not, or if a portfolio manager
has ever traded in a particular sector before. This can
provide an insight into the trade. All this information
is used to improve the approach.
R&C: In your opinion, what are the essential elements of a workable trade compliance screening framework?
Chaban: According to regulators, frameworks
need to be fit for purpose. Julia Hoggett, director of
market oversight at the Financial Conduct Authority
(FCA), in her recent speech at the AFME event,
spoke about the importance of a dynamic response
to a changing risk profile. This means FIs need to
think about the risks they are likely to be exposed
to and how their surveillance programmes and
technologies are addressing those risks. It is not a
one size fits all world today. A good trade compliance
framework needs to take these factors into account.
It also needs to be adaptable and specific to the
context of the company and individuals – whether
an investment is turning a profit, for example, will
be one of the factors affecting their behaviour. The
alternative of having ‘one system that fits all’ is
frankly too simplistic, as it would create too many
false positives and make the approach ineffective.
Young: FIs need to demonstrate that they are
using compliance screening tools appropriate for
their organisation. This is one weakness of a rules-
based approach, which has strict parameters. It
puts FIs at great risk of appearing, from a regulator’s
point of view, to be reducing workloads by adjusting
these parameters. That said, regulators may also
be concerned that FIs have been setting their
parameters incorrectly. This leads to ‘near misses’
and regulators will want to know about trades that
were not investigated because they fell just below
certain thresholds. A rules-based approach means
setting up even more alerts and doing even more
work to demonstrate ‘near misses’. In contrast, a
risk-based approach allows FIs to go back and reflect
on lower risk cases and ask whether they can see
a pattern emerge – a cluster of transactions which
may appear to be low risk at first, but together may
add up to something which demands more attention.
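The near-miss and clustering point in the answer above, as an added example that is not part of the original roundtable and not Nasdaq's product logic: a rules-based screen that fires only when hard thresholds are crossed, beside a risk-based screen that scores every trade continuously and accumulates the score per trader, so that a cluster of individually sub-threshold trades surfaces. The trades, size limit, news window, scoring function and review threshold are all constructed assumptions for illustration.

```python
"""Rules-based vs. risk-based trade screening over constructed sample trades.

Added example; the thresholds, scoring function and trades are assumptions
chosen for illustration, not any real surveillance system's parameters.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    trader: str
    symbol: str
    notional_usd: float
    minutes_before_news: float  # minutes from order to a price-sensitive announcement


# Constructed sample: pm_a places three orders each just under the size limit
# shortly before an announcement; pm_c places one order over the limit;
# pm_b trades large but hours away from any news.
TRADES = [
    Trade("pm_a", "ACME", 9_500_000, 12.0),
    Trade("pm_a", "ACME", 9_800_000, 9.0),
    Trade("pm_a", "ACME", 9_900_000, 4.0),
    Trade("pm_b", "BETA", 25_000_000, 300.0),
    Trade("pm_c", "ACME", 12_000_000, 6.0),
]

NOTIONAL_LIMIT = 10_000_000.0   # hard size threshold of the rules-based screen
NEWS_WINDOW_MIN = 15.0          # "traded just before news" window, in minutes
NEAR_MISS_FRACTION = 0.9        # log trades within 10% of the size limit
RISK_THRESHOLD = 0.5            # cumulative score that triggers a review


def rules_based(trades, limit=NOTIONAL_LIMIT, window=NEWS_WINDOW_MIN):
    """Fire only when both hard thresholds are crossed.

    Returns (alerts, near_misses). Near misses are trades that sit just below
    the size limit inside the news window; a regulator will ask about these,
    so they are logged even though the rule did not fire.
    """
    alerts, near_misses = [], []
    for t in trades:
        in_window = t.minutes_before_news <= window
        if in_window and t.notional_usd >= limit:
            alerts.append(t)
        elif in_window and t.notional_usd >= NEAR_MISS_FRACTION * limit:
            near_misses.append(t)
    return alerts, near_misses


def trade_score(t, limit=NOTIONAL_LIMIT, window=NEWS_WINDOW_MIN):
    """Continuous risk score in [0, 1]: size relative to the limit (capped at 1)
    times proximity to the announcement (1.0 at the moment of news, 0 at the
    window edge). There is no cliff, so sub-threshold trades still contribute."""
    size = min(t.notional_usd / limit, 1.0)
    proximity = max(0.0, 1.0 - t.minutes_before_news / window)
    return size * proximity


def risk_based(trades, threshold=RISK_THRESHOLD):
    """Accumulate per-trader scores so a cluster of low-risk trades can add up.

    Returns {trader: {"score": float, "trades": [Trade, ...], "flag": bool}}.
    """
    buckets = defaultdict(lambda: {"score": 0.0, "trades": []})
    for t in trades:
        buckets[t.trader]["score"] += trade_score(t)
        buckets[t.trader]["trades"].append(t)
    for bucket in buckets.values():
        bucket["flag"] = bucket["score"] >= threshold
    return dict(buckets)


if __name__ == "__main__":
    alerts, near = rules_based(TRADES)
    print("rules-based alerts:", [t.trader for t in alerts])
    print("rules-based near misses:", [(t.trader, t.notional_usd) for t in near])
    ranked = sorted(risk_based(TRADES).items(), key=lambda kv: -kv[1]["score"])
    for trader, bucket in ranked:
        print(f"risk-based {trader}: score={bucket['score']:.3f} flag={bucket['flag']}")
```

Run the module directly to print both screens. On this sample the rules-based screen alerts only on pm_c and leaves pm_a's three trades as near misses, whereas the risk-based screen ranks pm_a first because the three sub-limit trades accumulate past the review threshold; the near-miss list is the record a firm needs when asked why a trade was not investigated.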
R&C: What are your expectations for trade compliance screening in the months and years to come? Is it set to remain a key risk area that demands adequate attention and resources?
Young: We are likely to see greater competition
among FIs, as well as more demand to reduce costs
and increase efficiencies. We are also seeing a
relentless continuation of technology trends. Finance
has always used cutting edge technologies to gain
an edge in terms of performance and cost reduction.
That will only continue. We should expect finance,
as a whole, to become more complex and data
intensive, with more machines making decisions.
This, in turn, will create greater data flow and make it
harder for compliance officers to manage. Regulation
will continue to increase because there are big
incentives for individuals willing to circumvent the
rules. Regulators will always be looking to close
loopholes, so we expect the regulatory load to
increase. We do not expect the pressure to ease off
compliance any time soon.
Chaban: We have had several years of increasing
compliance budgets, but this will end. In time,
instead of throwing money at the problem, FIs will
attempt to extract more value from the investment
they have already made – and optimise it. This will
be the next stage where technology helps FIs get
more from their compliance spend. In terms of
actual technology capabilities, if we look forward a
few years, we will see more data sources appearing
in systems, since data is getting progressively
cheaper to collect and store. We have also made
great strides in how we analyse data, which will
continue. Along with more sources of data, there will
be interesting dynamics around what companies
are allowed to do with personal data, and there may
be further regulatory developments in this regard.
The systems being built are data hungry – they want
to learn from our personal data. How this space
evolves will be interesting because there are two
highly conflicting aims: data privacy and protection,
and market surveillance. RC&
PERSPECTIVES
DATA PRIVACY AND THE IS AUDITOR
BY SANDEEP GODBOLE
ISACA
Information systems (IS) auditors continue to
play an important role in providing assurance
related to governance and control of information
systems. The IS audit profession has grown over the
last few decades in line with the ubiquitous growth
of information systems.
Increased automation, greater efficiencies and the
advantage resulting from innovative solutions have
been achieved by deploying information systems.
The systems have been diverse in terms of the
technology, size as well as the specific benefits. The
principles that guide the systems have, however,
been relatively uniform irrespective of the nature
of the systems. Delivery of reliable, efficient and
effective solutions, ensuring an appropriate level of
security and supporting compliance requirements,
have been a common set of expectations across
diverse systems. Many of the performance and
security requirements related to information
systems can be supported by deploying appropriate
technology. Ensuring that systems comply with
regulatory and legal requirements needs knowledge
of the requirements that may be technology-neutral
and expertise to translate them to the appropriate
technology. For example, if the requirement expects
the stored data to be protected, it is necessary to
interpret the requirement so that the expectation
can be translated to specific technology including
encryption, digital rights management or any
other approach that satisfies the data protection
requirement.
As systems have grown in number and
pervasiveness, a large volume of sensitive, personal
or confidential data is being processed and
maintained. Increasing awareness and sensitivity
of individuals related to protection of their
personal details and information have resulted in
the adoption of laws and regulations that aim to
protect data privacy. These laws and regulations set
the expectations and boundaries that impact the
implementation and usage of information systems.
The last few years have seen a heightened level of
expectations related to data privacy, and it seems
that the trend will continue and possibly accelerate,
at least in the immediate future. The penalties
specified for non-compliances are extremely severe
and impact the finances, image and trust of the
organisations. Most organisations therefore choose
to be sensitive and consciously comply with data
privacy requirements.
The complexities and technical aspects associated
with regulations require the services of experts
who can guide organisations. Many organisations
therefore have created a Data Privacy Officer (DPO)
role. Data privacy is increasingly recognised as a
discipline with a distinct body of knowledge. The
DPO role is therefore emerging as
one of the assurance and compliance
functions within an organisation.
Given that data privacy has emerged
recently as a specific function, the
roles, responsibilities and associated
activities are still in a relatively nascent
stage compared to other traditional
compliance functions. Other assurance
and compliance functions therefore
have a responsibility to support the
activities of the data privacy function.
The IS auditor role came into prominence over
three decades ago, with the increased adoption
and implementation of information systems across
organisations. Over time, the IS audit role has
developed its body of knowledge and has been
successfully established within many organisations.
IS auditor expertise has helped to manage risk
and deliver value in information systems. Multiple
aspects, including technology, efficiency, processes
as well as compliance requirements relevant to
information systems, are routinely reviewed and
enhanced by IS auditors’ relevant inputs. While
the IS audit role is not specific or limited to data
privacy aspects alone, an IS auditor can play
a complementary and supporting role in data
privacy within the organisation. Considering that
most information in a modern organisation is
maintained and processed by information systems,
the contribution of the IS auditor can significantly
support the DPO function and contribute to data
privacy compliance.
Including data privacy requirements, controls
and processes as part of the IS auditor’s scope of
work can ensure that data privacy is adequately
addressed. The IS auditor needs to consciously
weave data privacy into the IS audit scope wherever
feasible. Experienced IS auditors are practised in reviewing and interpreting
compliance and regulatory requirements. In addition,
IS auditors also have a good understanding of
technology inherent to information systems. The
ability to address both aspects, compliance
as well as technology, equips the IS auditor
with skills to review data privacy compliance. IS
auditors who keep themselves up to date on data
privacy principles and requirements are therefore
well equipped to review data privacy as part of
information systems. Some areas where an IS
auditor can contribute include evaluating: (i) whether
data privacy requirements are understood, defined
and addressed in the system; (ii) whether personal
data is protected and data privacy is enabled as part
of the system design; (iii) technology and process
controls around the information systems that
protect data privacy; (iv) data management practices
including data collection, processing, archival and
destruction; and (v) the awareness of data privacy
among system developers as well as users.
The above examples are representative and not
a comprehensive list of IS auditor involvement
with data privacy initiatives within an organisation.
Activities similar to the above can support the DPO
organisation in ensuring data privacy compliance.
Organisational structures evolve based on business
imperatives. Considering that the DPO function is
relatively new among other assurance functions,
it is important to integrate activities across other
assurance functions in a manner that supports data
privacy requirements. The compliance and assurance
functions need to identify elements within their
scope of work that touch data privacy and contribute
effectively.
The IS auditor role has evolved, along with
changing expectations and newer technologies. In
the same way, it is important that IS auditors
modify their techniques and processes to address data
privacy across the lifecycle of information systems.
Upgrading knowledge related to data privacy
regulations and enhancing work methods to include
data privacy aspects can greatly enhance IS auditors’
contributions. The skills, knowledge and abilities
possessed by IS auditors enable them to contribute
significantly to implementing and maintaining strong
data privacy. RC&
Sandeep Godbole
Past President
ISACA Pune Chapter
ONE-ON-ONE INTERVIEW
BUILDING A SUSTAINABLE PROGRAMME AROUND DATA PRIVACY
Rebecca Turco
Vice President of Learning
SAI Global
Rebecca Turco is the vice president of Learning at SAI Global, a recognised leader of integrated risk management. She leads SAI’s global compliance and ethics solutions for product portfolio. She has helped transform the way companies think about their compliance programme and how they can reach and impact learners. She is passionate about helping organisations change their cultures and helping employees feel empowered and educated to do the right thing.
R&C: Could you provide an insight into how evolving data privacy regulations present challenges to companies? What have been the most notable developments in recent years?
Turco: It is not news that data privacy regulations
are changing rapidly. Many jurisdictions are passing
new regulations and sometimes those regulations
conflict. For multinational organisations, a mix of
national data privacy and US state regulations creates
a patchwork regulatory landscape that is difficult to
manage. The most prominent development of late
has clearly been the EU General Data Protection
Regulation (GDPR), which effectively set the bar
for personal data privacy. GDPR puts strict barriers
around the use of personal data, which are only
beginning to be tested in the courts. It is important
to recognise the shift happening among the general
population as a result of GDPR. The proliferating
nature of high-profile data breaches among well
known corporations, along with a string of revelations
about use of personal data provided to social
media platforms, has raised the importance of data
privacy among the general public and has seen a
groundswell of a new consumer activism. Amid this
growing consumer discomfort about exchanging
personal data with industry, consumers now feel, and
are, empowered. The effects of this are significant
and far-reaching, including your company’s brand
and reputation being damaged, erosion of consumer
and business partner confidence – all of which will
significantly affect your bottom line.
R&C: Against this backdrop, could you explain the importance of building a sustainable data privacy programme that protects customers’ personal data?
Turco: The overall objectives at the core of data
privacy regulations like GDPR, the Singapore Personal
Information Protection and Electronics Document Act
(PIPEDA) and the California Consumer Privacy Act
(CCPA) are protecting customer privacy, strengthening
customer trust and supporting the expansion of
sustainable digital services. These are becoming
essential to businesses as they expand their digital
offerings. By strategically implementing a sustainable
data privacy programme, a company can move
beyond avoiding regulatory penalties, and have
a real opportunity to improve its trustworthiness
among customers and differentiate its position on
a topic of increasing importance to end consumers.
By utilising the right tools, creating tighter controls,
and implementing modern approaches to learning
and employee communication, you can build a data
privacy strategy that incorporates customer rights
and the ethical use of data that adheres to legal and
compliance obligations, ultimately strengthening your
company’s brand and resilience.
R&C: How should companies go about identifying gaps and vulnerabilities in their existing data privacy framework? What are some of the common red flags?
Turco: To find gaps in a data privacy
framework, the first step is to begin with
the appropriate privacy framework. The
regions an organisation operates in and
the standards bodies it chooses to follow
play a part in making that determination.
Once a framework is chosen and in place,
it is important to undertake a control audit
to determine which required controls
are already in place, which ones are in
place but are not effective, and which
ones need to be implemented. The work
must be performed in order to determine process
and control gaps. Red flags to consider are signs of
transparency and visibility. Is there the ability to see
vulnerabilities and gaps across the organisation to
ensure resources are being deployed to address
the most critical? Are enough resources available to
address the vulnerability landscape? Is the risk team
able to communicate current risks in business terms
that stakeholders will understand in order to secure
enough resources?
R&C: In your opinion, what are the essential aspects of an effective subject rights management system?
Turco: Subject rights represent the rights of an
individual – for example, a consumer, web visitor or
employee – to make decisions and take actions on
the data about themselves. These include portability
and access rights, the right to correction and the right
to erasure. An effective subject rights management
system should be flexible to capture, catalogue and
respond to requests from individuals. Workflows must
be in place to ensure these requests are handled
in the appropriate amount of time as mandated by
the regulations. The perception of effectiveness of
a data privacy programme is driven primarily by the
responsiveness of an organisation to these requests.
A single instance of a slow response can be amplified
via social media to diminish the perception of a
brand. The system has to be in place in order to
respond and act quickly.
R&C: How is technology helping companies with breach management, including obligations to notify affected subjects and relevant regulatory authorities under certain laws?
Turco: While some companies are deploying
breach detection technology, others leave that in
the hands of their security teams. In some cases,
technology has been deployed to help with the
organisational and human elements of breach
management – the tasks that must be performed
once a breach has occurred. Effective software
can provide value to expedite and choreograph the
workflow that must take place when a breach occurs.
This allows companies to understand whether a
breach has occurred, what action it can take to
respond to a breach, and how to investigate gaps
in its process to mitigate further penetration or
future breaches. Regulations in many jurisdictions
require that a response takes place within a short
amount of time – GDPR, for instance, has a 72-hour
window. Within that time frame, a company must
take action on the breach to determine the impact,
notify regulatory bodies, begin remediation actions
internally, craft a message to those affected, and
deliver it. This requires a number of people acting
quickly and in parallel. If a tool is not already in place
that can enforce the exact steps, sequences and
dependencies, an organisation is very unlikely to
respond in time.
R&C: How important are people to a sustainable data privacy programme? Can such a programme only operate effectively if employees are educated and trained on data privacy best practices?
Turco: Many organisations have focused on
investing in solutions to manage the risks associated
with data privacy. They look to put in tools, process
and people to make sure they understand their
risks and what to do if something happens. Tools
and systems are one component of a successful
programme, but the other component is the culture
and knowledge of your employees. The culture that
you have within your business will drive the risk your
employees will take. After all, employees making
the right decisions is one of the most important risk
mitigation strategies. Employees must be trained
to understand what the risks are, they must know
what to do when faced with this risk, and they must
understand what the right decision is. Building
effective training programmes will help employees
make the right decisions when it comes to protecting
your infrastructure, identifying a breach, and
following the right process when something happens.
R&C: Once a robust system is in place, do you believe companies should proactively communicate their efforts to internal stakeholders and regulators? What are the benefits of doing so?
Turco: Employees are one of the biggest assets
and risks to an organisation. They are also one of the
hardest risks to manage because most of the risks
that employees face are ones that organisations
cannot see. With the change in technology and the
way people consume content and use social media,
engaging employees is even more critical than
ever. The relationship between culture and risk has
strengthened over the past few years. Employees
are more engaged, productive and likely to follow
the company’s security guidelines if they feel like
they are driven by the organisation’s leadership and
are applied consistently. We recommend internal
communications plans are implemented not only to
teach process, but to provide reassurance that the
organisation does the right thing.
R&C: How do you expect data privacy challenges to evolve in the coming years? In your opinion, do companies need to do more to address this issue?
Turco: We expect to see recent trends amplified.
Consumers are continuing to pay more attention
to how their data is used. Over the next few years,
this awareness and continued understanding of the
rights and mechanisms that regulations like the GDPR
have made available will strengthen their ability to
manage and protect their data. And as the drumbeat
of data breaches continues, we predict the public
at large will continue to demand more effective
legislation in many jurisdictions – and will call for
more enforcement and transparency. RC&
MINI-ROUNDTABLE
ASSET-LIABILITY MANAGEMENT (ALM) IN THE CONCEPT OF STRESS TESTING
PANEL EXPERTS
Wei Chen
Director, Global Risk Consulting
SAS
T: +1 (919) 531 0390
Wei Chen has led several initiatives including enterprise stress testing and IFRS 9/CECL in recent years. He has worked closely with major financial institutions around the world on business process and requirements, methodology, solution design and implementation. He has more than 15 years of banking and insurance experience in the areas of credit risk, market risk, asset and liability management and liquidity risk from both regulatory and internal management perspectives.
Xavier Vandermosten
Principal Business Solutions Manager
SAS
T: +32 (473) 33 20 17
Xavier Vandermosten is a risk domain expert who advises financial institutions on how best to improve their operational, market, ALM and liquidity risks measurements and regulatory compliance. Before joining SAS in 2011, he worked in the financial sector for 20 years, spending around half of his career leading a team in charge of measuring operational, credit, market and business risks, and the other half in IT, leading application development projects. He is a certified financial risk manager of the Global Association of Risk Professionals.
Prashant Dinodia
Solution Lead, ALM
SAS
T: +1 (919) 531 5144
Prashant Dinodia is a subject matter expert with over 14 years of experience in several areas of risk management, particularly ALM. He has spent considerable time across several geographical regions globally, as a banker and consultant. Currently, he is the solution lead for ALM solutions at SAS, where he helps financial institutions derive maximum value from their balance sheet management initiatives.
R&C: Could you outline some of the main asset and liability management (ALM) challenges financial institutions (FIs) face? How have the risks and exposures evolved in recent years?
Chen: Given the increasing sophistication of the banking business and the development of funding and risk management instruments, asset-liability management (ALM) requires modernisation. The interactions of the inherent risks underlying banking business call for a comprehensive approach to risk management. The original idea of ALM at banks was to centralise interest risk management, freeing the bank’s business units to handle other risks, including credit risk. The global financial crisis demonstrated how increasing interest rates can drive up credit risk which, in turn, quickly leads to funding liquidity issues, which can further damage a bank’s equity and start a vicious cycle in the entire financial system. Interest rates, credit risk, liquidity risk, reputation risk and so on cannot be managed in isolation. One challenge to the traditional ALM function is the incorporation of the behavioural and contingent cash flows from both banking and trading activities that are dynamic to the underlying macroeconomic environment. The importance of a coherent view of the underlying cash flows to a bank’s net interest income, funds transfer pricing, credit provisioning, liquidity risk and equity risk becomes more obvious to both bank management and regulators. The enterprise stress testing pioneered by US regulators has led the industry to think about total balance sheet management and optimisation.
Dinodia: ALM has always been a tricky area in the sense of determining which business function should be responsible for it. Depending upon the organisation, we have seen it being housed in risk management, treasury or finance. While operationally it may be owned by a particular department, it is something which needs to be enterprise wide as it has implications across these areas. There is hardly any other area of risk management which is as pervasive as ALM. Recently, this has become even more challenging as the scope of ALM has widened and the need for some of these stakeholders to be operationally involved with ALM has deepened. This has meant that ALM is no longer a reporting or analytical exercise but is something which is a shared infrastructure. However, most organisations have not been able to reorganise their ALM function, including people, processes and technology, with this enterprise-wide orientation. The other aspect, in terms of the evolution of ALM, has been around what an ALM function is now expected to achieve. While reporting and compliance around interest rate risk and liquidity continue to be important, most institutions expect their ALM processes to deliver in areas far beyond traditional ALM – not only the scope, but also in terms of their interaction. FIs no longer need a data cruncher which produces an asset-liability committee (ALCO) pack, but an interactive and intelligent analytical engine which provides answers and insights around balance sheet management.
Vandermosten: Over the last decade, the financial services business has become more competitive, with very small, even sometimes negative, interest rates, and with rising costs caused by higher capital requirements and higher quality liquidity reserve requirements. All of this has increased pressures on profit margins. In that context, the scenario-based approach to anticipate liquidity and interest rate risk mismatches, and to anticipate margin profitability, might not be enough anymore to be competitive. Having performance analytical tools identifying the optimum balance sheet composition which provides maximum profitability while respecting all the regulatory and internal policy constraints is required. Performing such an optimisation of the balance sheet considering not only ALM, but all the risk areas, is one of the biggest challenges in the years to come for financial institutions (FIs).
R&C: What steps can FIs take to measure and manage various risks related to ALM?
Chen: A fundamental change to ALM is to recognise the inherent risks to an FI’s business. The industry has taken a few important steps in recent years. First, there has been the introduction of macroeconomic scenario-based risk management and financial planning. This is a good approach toward enhancing coherence. This step brings risk quantification in the industry to a new level. A lot of banks have found challenges in data scarcity and quality, as well as qualified modelling skills. Several risk management and accounting reporting initiatives, such as BCBS 239, regulatory stress testing, interest rate risk in the banking book (IRRBB), liquidity coverage ratio (LCR)/net stable funding ratio (NSFR) and IFRS 9, and current expected credit losses (CECL) in the US, are pushing banks to address these challenges. More specifically to ALM, this change requires scenario and model-based cash flow and economic value projection. The next step is applying the same scenarios and underlying cash flows and values across net interest income (NII), economic value of equity (EVE), funds transfer pricing (FTP), and credit and liquidity risk management for a coherent view by management. Integrating this view into financial and capital planning is a step forward which will allow a dynamic view and proactive management of the fundamental business. For an FI with certain maturity, scenario-based risk and finance integration balance sheet management and optimisation can be achieved for financial stability and competitive strength. Of course, these steps do not have to be strictly sequential. A phased approach is often seen in practice.
Dinodia: We have seen many institutions struggle because their approach to ALM is tactical and narrowly defined. The ALM framework is often scoped out to perform things which are required by current regulation or immediate needs. This leads to a situation where, when any new regulation or business situations arise, ALM is not able to help or add adequate value. So, to manage ALM risks proactively, the underlying ALM framework should be defined in conjunction with the overall risk management framework and with a target-state roadmap in mind. What may be best practice today could be lagging practice in a few years. Banks need to continuously benchmark themselves and make sure that ALM evolves over time. In many cases, we have seen organisations fall into the trap of not touching things for fear of breaking something. ALM is a dynamic area of risk where the various aspects are evolving. Data processes, models, reports and ALM strategies should mimic the underlying nature of ALM risks.
Vandermosten: In the journey from Excel-based solutions to an ALM solution that allows for ALM to be managed in an integrated way and complies with the liquidity and IRRBB regulatory requirements, to a solution that allows for managing the balance sheet considering not only ALM, but all the risk domains, to a solution that allows for optimising the balance sheet, all those steps while adapting to the constantly evolving models, best practices and regulations, it is important and cheaper overall to make the right strategic choices from the beginning. Banks need to choose a flexible and scalable solution, for which the solution provider shares the bank’s vision.
R&C: What benefits can customisable modelling systems bring to an effective ALM framework?
Chen: Risk and financial modelling is crucial to building an effective ALM framework because the challenges in data, methodology and skills modelling are evolving quickly. This evolution requires modelling systems to be more agile than ever before. This is why artificial intelligence (AI) and machine learning (ML) techniques are getting a lot of attention. Generally speaking, the modelling evolution itself will drive up the number of models and the number of model versions. Proper model life cycle management and governance, as well as performance monitoring, is becoming more important than ever. FIs can no longer rely on spreadsheet-based, semi-manual, labour-intensive and error-prone approaches. Powerful data management and integration tools are certainly critical in this Big Data era. But equally critical are powerful data exploration, visualisation and analysis tools that can provide more insights to the modelling teams. Efficient model implementation and execution is another key to the success of a good modelling framework. Banks cannot sustain a long implementation and validation cycle in the information age. A componentised, highly configurable, self-service model implementation platform would help significantly. Given the sophistication of the models and the large volume of data, a good modelling system should be able to take advantage of the scalability that the new technology offers. An efficient model execution can give management valuable time to react.
Dinodia: ALM managers would often say that ALM is more an art than a science. This is because if you compare ALM to other financial risks, such as market risk or credit risk, you will find that the risk factors, such as the deposit behaviour of a customer, customer loyalty, market-wide liquidity availability, reputational events and the pricing strategies of peer banks, are quasi-quantitative. Deterministic models and traditional analysis will not capture the risks and outcomes which are most probably the areas where ALM can add value. This is where customisable and integrated modelling concepts can help. In the ALM world, models need to talk to each other and need to cater for risk factors and situations which are multidimensional. This does not mean ALM models and frameworks need to become black boxes; rather, they should support common business scenarios which can happen in the business environment, enabling banks to use the solution as a realistic and smart analytical tool. AI/ML models in ALM certainly have several use cases, but again, it is not the complexity of the model which will add value but whether the model allows you to simulate the risk events and factors which matter, and provide reasonably accurate results. It is much better to be roughly right than precisely wrong.
Vandermosten: The most important factor with ALM models is their forecasting accuracy and their easy integration into decision making. This is a shift from simply paying attention to a model’s technical capability or description. Model performance will be measured constantly, and if a new model performs better, it will replace the previous one. ALM solutions thus need to allow for multiple models to be tested in parallel and to be able to dynamically replace one model with another very quickly. This flexibility provides a competitive advantage.
R&C: How important is it to stress test aspects such as interest rates and liquidity risk? What insights can this process provide to FIs?
Chen: Stress testing, or more generally scenario-based analysis, of the key risks, including interest rates and liquidity risk, will provide banks with an insightful and forward-looking understanding of the risks inherent to an institution’s core business and its future growth. Many institutions have used so-called ‘what-if’ analysis for management to proactively examine potential vulnerabilities and to increase the confidence in planning. Again, this benefit can only be achieved if the institution has a good stress testing framework in place. Institutions that do not have this vision, and thus do not sufficiently invest, will certainly not see these benefits. We have seen several US institutions that have invested in stress testing, initially under pressure from the US comprehensive capital analysis review (CCAR) requirement, start to reap the benefits. The chief risk officer (CRO) of one of the world’s largest banks gave a specific example of how he was able to understand the bank’s resilience to the dangers of the Chinese housing bubble through the bank’s stress testing capability.
Dinodia: It is not uncommon for institutions to dismiss regulatory stress testing as a compliance burden with little business value. However, stress testing is extremely useful, particularly if institutions perform it as a means of gaining insight, rather than simply being a ‘check box’ process. This is particularly true for liquidity risk, because, by definition, it is something which emerges during stress events. Therefore, it is almost impossible to capture liquidity risk without some degree of stress testing. Even liquidity ratios like LCR and NSFR are frameworks based on stress testing. In general, stress testing forces institutions to model and contemplate scenarios which normally may never be modelled and analysed in day-to-day analysis, and stress testing results can be challenged as something that is very unlikely or imprecise, but the insights and risks that they uncover are real and extremely valuable.
Vandermosten: While stress testing has become increasingly important over the last decade for regulators and boards, it has been quite common in the ALM field for some time, at least for large FIs. This is probably because ALM is the most naturally forward-looking domain: FIs want to anticipate potential liquidity or profitability shortages, even in stressed but still possible conditions. We even see ‘stresses of the stress’.
R&C: To maximise the results of ALM stress testing, is it necessary to run different internal and regulatory scenarios, and compare a range of risk exposures? How can FIs achieve this level of analysis?
Chen: A scenario-based approach has many benefits, but it still largely depends on scenarios. Flexibility to define and run different scenarios is very important to a true ALM stress testing capability. If an ALM system can only accommodate certain predefined scenarios it will obviously suffer. It is important that ALM systems can manage a flexible configuration of a wide range of scenarios. A configurable and powerful system is a good way to achieve this level of analysis.
Dinodia: Scenarios need to be diverse and cover all plausible situations. Some institutions make the mistake of stopping at testing against just one or two extreme scenarios. The outcome is often that stakeholders may dismiss the scenario as unrealistic or a risk manager’s fear-mongering. Or worse, that it fails to capture the range of outcomes by being too restricted. One of the reasons that regulatory scenarios are often made common across the industry is to allow horizontal comparisons of results across the peer group. It does not mean that the scenario adequately captures the plausible risk factor events applicable to a particular institution. Similarly, scenarios used by one institution may not be appropriate for another. Or, for that matter, a scenario used a few years ago may not be appropriate now. Institutions should employ a range of scenarios, both regulatory and internal, allowing them to unearth risks according to their businesses and environment.
Vandermosten: Stress testing is also about making assumptions on the future evolution of the balance sheet, taking into consideration stressed conditions. This requires FIs to consult almost all the divisions and business lines of an organisation, not only for the base case, but also for stress scenarios. What are the most relevant business stresses that FIs can incur? What is the potential impact on each business line, and on each market interest or FX rate, of a stress scenario? These questions must be answered from a business perspective, and must then be translated into ALM calculation scenario parameters. For instance, before the referendum of 23 June 2016, Brexit could have been a relevant stress scenario for many FIs. Instead, it is now a base case scenario. Therefore, it is important to be able to analyse dynamic scenarios, where the size of the balance sheet and the market data is evolving through time, as the horizon of such analysis is typically between one and five years, and to have the capability to easily ‘translate’ business assumptions into parameters.
R&C: To what extent can ALM stress testing assist FIs to meet their regulatory requirements, particularly in terms of analysis, reconciliation and reporting?
Chen: Meeting regulatory requirements should not be the only goal of any risk and financial analysis in an institution, but it is still essential. The requirements to achieve model governance, analysis and reporting accuracy, timeliness and adaptability have significantly increased in recent years. Reconciliation between risk and finance data, analysis results and reports is an inevitable requirement today. A modern ALM system is well positioned to assist institutions to meet these requirements because of its importance to an FI’s core business and the fundamental handling of both assets and liabilities. Of course, the key to success is an ALM function that overcomes myriad challenges. With a traditional, inflexible ALM framework, it is difficult to achieve the ultimate benefits. Many banks have painful experiences to share in their CCAR and Dodd-Frank Act Stress Tests (DFAST) exercises.
Dinodia: Traditionally, there has been a tendency by some institutions to look at ALM as a pure risk management or internal reporting exercise where process robustness, governance and control, and data quality, were not given due importance. However, most institutions are starting to realise that an ALM framework is a foundation aspect which, in turn, needs to feed and support several other areas of risk and finance, often involving regulatory reporting. Also, it makes sense to get things like data and models right once, rather than having to invest time and money each time the same data element or result needs to be used for regulatory or internal reporting purposes.
Vandermosten: An ALM stress testing solution must be sufficiently flexible and scalable to incorporate changes in an FI’s balance sheet activities, portfolio composition, and any new risk that may appear. It should also allow for calculating new stress scenarios in a timely manner to address rapidly emerging risks. In a period of important stress, it might even be critical for the regulators, and the FI itself, to be able to run some scenarios allowing the right regulatory and management decisions to be taken in time.
R&C: What essential advice would you offer to FIs looking to enhance their ALM processes? Does the regulatory outlook suggest this issue will only become increasingly important in the years ahead?
Chen: It is difficult to say for sure where the regulatory requirement will go because there are multiple considerations for regulators. However, the benefit of a sound ALM process is beyond regulatory compliance. ALM has not been primarily for regulatory compliance but for an institution’s own management. An institution will likely only see the benefits that it wants to see. Learning from the past and the mistakes of others would be helpful.
Dinodia: FIs should not look at ALM as merely a regulatory or reporting exercise. Rather, they should design a framework which helps the institution to gain business insight and strategically manage its balance sheet. FIs should also automate their business and spend more time on analysing results, improving assumptions and scenarios and performing business-relevant ad hoc analysis. Finally, FIs should concentrate on building capabilities and a strong ALM foundation.
Vandermosten: The new final European Central Bank (ECB) guidelines for the Internal Capital Adequacy Assessment Process (ICAAP) and Internal Liquidity Adequacy Assessment Process (ILAAP) are clearly underlining the need to integrate ICAAP and ILAAP into banks’ global risk management and business decision-making processes. They also both confirm the need for adequate stress testing. ALM must become better governed, actually be used in decision-making processes by all relevant stakeholders, such as finance, treasury, risk, business lines and management, and become part of global risk management and stress testing. To reach those goals, the automation, integrability, flexibility and scalability of an ALM system are key.
MINI-ROUNDTABLE
INSURERS – PREPARING FOR IFRS 17
PANEL EXPERTS
David Anderson
Director, Risk Consulting
KPMG
T: +1 (919) 664 7100
David Anderson is a director in KPMG’s risk consulting practice and has extensive experience developing customised solutions to solve the largest and most complex operational, regulatory and accounting-driven changes in the banking, insurance and asset management industries. He has proven leadership experience driving finance transformation projects throughout the financial services sector, including the rollout of risk and credit-based frameworks for CECL and IFRS 9. Additionally, Mr Anderson leads global IFRS 17 adoption projects, overseeing workstreams including technical accounting and actuarial change, data management, solution development and implementation, and regulatory and audit management.
Agustin Terrile
Business Manager
SAS
T: +54 (11) 4878 4539
Agustin Terrile has over 10 years of experience in financial services industries, with a focus on actuarial modelling, economic capital, IFRS17 and IFRS9. Prior to joining SAS, he was an actuarial manager at Deloitte.
Jim Zhang
Senior Industry Consultant
SAS
T: +1 (416) 307 5056
Jim Zhang is a senior consultant for insurance solutions at SAS. He has more than seven years of experience in the insurance space. Mr Zhang specialises in measurement techniques, treatments and reporting for IFRS 17. Prior to joining SAS, he was an actuary at Manulife.
R&C: Could you outline the main reasons behind the introduction of IFRS 17? What impact do you believe it will have on companies?
Anderson: IFRS 17 was introduced by the International Accounting Standards Board (IASB) to bring consistency and increased transparency to insurance accounting. Under IFRS 4, insurers were permitted to use a broad variety of practices which commonly amounted to local generally accepted accounting principles (GAAP) and accounting for similar contracts under different accounting policies, depending on the jurisdiction. Under IFRS 17, which represents the first international accounting model specifically for insurance contracts, insurers are required to apply consistent accounting policies for all insurance contracts which will make it easier to compare results across products, geographies and companies that apply the standard.
Zhang: The reasons behind IFRS 17 are to improve transparency and comparability in the measurement of insurance contracts, ensure consistency in the recognition, as well as in the timing, of profits earned, ensure revenue from insurance servicing and investment income is clearly segregated, and standardise the presentation of financial statements and disclosures. In addition, the IASB has also tried to ensure insurers use updated assumptions and discount rates in the valuation of insurance liabilities – thus continuing to move towards a market-consistent valuation approach. We also see similar themes in the Financial Accounting Standards Board’s (FASB’s) targeted improvements to the accounting for long-duration contracts – that standard is also pushing for updated assumptions, fair value treatments for market risk benefits and more transparency around judgements embedded in financial statements. As regards impact, both standards will have a dramatic impact on accounting policy, financial disclosure, data requirements and exposures held – but, most importantly, the new accounting approach will shed more light on the risks and performance of insurance contracts held.
Terrile: The standard in ‘Reasons for issuing the Standard’ states that IFRS 4 allowed the use of a wide variety of accounting practices “making it difficult for investors and analysts to understand and compare insurers’ results”. To overcome this situation, the IASB is proposing a “unique framework” on how to recognise, measure, present and disclose insurance contracts. The introduction of IFRS 17 will affect the entire information system, but the main impact will be related to how earnings are measured and recognised, based on patterns.
R&C: What challenges does IFRS 17 present? What steps should affected companies take to prepare for its introduction, scheduled for 1 January 2021?
Zhang: IFRS 17 is a radical change to the way insurers measure and report on their liability. There are challenges in the interpretation of the standard, challenges in the implementation and there will likely be challenges post adoption – so it will be some time before the dust settles. First, interpretation of the standard has been difficult and there are several decisions to make – for example, deciding the right grouping criteria to use, the discount rate approach to use and the right pattern to use for contractual service margin (CSM) release. There are still several open items that industry and the Transition Resource Group (TRG) are debating, such as treatment of reinsurance contracts. So, several accounting and actuarial challenges remain. Implementation is equally challenging – from change in accounting policy, actuarial models, business assumptions, data requirements, technology requirements, and audit and governance requirements. The widespread impact has also created organisational challenges, accelerating the need for greater alignment across functions, to ensure there is a common set of assumptions and interpretations of the standard. One insurer joked that IFRS 17 has led to the creation of a new ‘accountuary’ role and has helped break some internal silos. Last but not least, resourcing is a critical challenge for the industry at large.
Terrile: There are several challenges when implementing IFRS 17 related to data preparation, measurements, reporting, process orchestration and auditability. A gap analysis for each individual task, as well as together, is key to being well-prepared when the standard comes into effect. Examples include understanding the variety of sources and the availability of information. Data quality rules are also important to ensure that all relevant information is used. In addition, companies should ensure they have the capability to measure all possible scenarios, including onerosity and its reversion – a key aspect in validating the correctness of the valuation. Otherwise, remedial action should be put in place, including analysis of its materiality.
Anderson: IFRS 17 introduces more granular estimates, assumptions and data requirements that are not part of insurance accounting today. The primary concern for many insurers is the availability and sourcing of quality, controlled data required to derive the estimates and complete the calculations used in the preparation of the financial statements. If they have not already, companies should conduct an impact assessment to evaluate how the change will affect their accounting, operations, data, actuarial modelling and, ultimately, their financial statements. Companies should plan for a year of parallel runs prior to the effective date to understand and master the full impact on their business and operations, working their implementation plans backward from there.
R&C: What governance and oversight considerations do companies need to make, to manage the risks associated with IFRS 17 implementation?
Anderson: There are multiple layers of governance and oversight for such a broad-reaching standard. Companies need to appoint a steering committee with appropriate executive leadership and oversight to ensure consistent messaging and to drive progress across the company. Risks include implementation risk, audit risk and timing risk. Due to the complexity of CSM calculations, more technical skills are also needed to produce and interpret results, which will require tight interactions between, and oversight of, cross-functional accounting, actuarial and technology teams.
Terrile: IFRS 17 is an accounting process and, as such, certain requisites are required to guarantee the reasonability of each accounting statement. Validating the integrity, existence, measurement and exposure are key elements in ensuring the correctness of each statement. A robust process also needs to ensure data traceability and generate auditable evidence of the work done by each employee so that they can be accountable for their actions. The highest risk associated with an IFRS 17 implementation is to end up with a process that cannot provide values with a certain ‘degree’ of accuracy. In this sense, the implementation process is as important as the accounting process itself, and as such, top executive involvement is key to guaranteeing suitable governance. Clear plans with defined responsibilities, expected outcome and cross-controllers by task are essential in order to achieve this.
Zhang: The broader impact of IFRS 17 requires governance across the entire programme. First, governance around the accounting policy and decisions on materiality, as well as implications around the methodology applicable for these portfolios, for instance portfolios that may qualify for the premium allocation approach (PAA). Second, governance around the models, scenarios and cashflow assumptions used for different products. Third, governance around ensuring that insurers’ interpretation of the standard is properly relayed and implemented by their data, IT and vendors. Finally, it is important to ensure the software implementation of the standard is built with the right controls and transparency to ensure governance and auditability of all the pieces that go into the financial reporting and disclosures.
R&C: What benefits and opportunities might conversion to IFRS 17 present to proactive, forward-thinking companies?
Terrile: The inclusion of a risk adjustment (RA)
in the reserving process could help entities in
the decision-making process, by showing the
performance of each business unit under a risk-
return basis as opposed to only return.
An onerous contract could be profitable
in absolute terms, but not in terms of the
risk it is generating. The RA reflects the
compensation that the entity requires
for bearing no financial risk, being the
best representation of the cost capital
method. In this context, the CSM could
be considered as excessive profit in
relation to the risk the entity is exposed to,
and could provide a good view of those
businesses that are adding or destroying
value from a risk perspective. The use of
CSM for business planning, strategic decisions or risk
premiums definition could be the first step in using
risk as a decision driver.
Zhang: It is still a bit early to know the broader
impacts of IFRS 17. That said, what is clear is that
IFRS 17 is driving institutions to rethink a number of
their internal processes, business drivers, product
strategy, pricing, data landscape and implementation
approaches. We see two broad trends: institutions
that view IFRS 17 as a minimal compliance exercise
and institutions that view IFRS 17 as an opportunity
to modernise their processes and systems. Some
institutions see IFRS 17 as purely a compliance
exercise, necessary but with no long-term benefits.
That said, these institutions do plan to leverage
the IFRS exercise to achieve greater operational
efficiency through improved data, processes and
automation capabilities and look to reuse these for
other parts of the business. Other institutions view
IFRS 17 as an opportunity to modernise. In addition
to operational efficiencies, these institutions seek to
integrate the IFRS 17 measures and approaches in
the financial planning process. This means aligning
pricing and business decisions based on their
IFRS reporting structures and hierarchies. These
institutions will also look to drive business decisions
using the data as well as analytics developed as part
of the IFRS 17 exercise – from product redesign to
internal cost transfers and asset-liability management
(ALM).
“The implementation process is as important as the accounting process itself, and as such, top executive involvement is key to guaranteeing suitable governance.” – Agustin Terrile, SAS
Anderson: Companies are encouraged to move
beyond a minimal compliance model that adds few
incremental benefits to the organisation and look
instead toward tangible, value-added approaches
which improve management ability to monitor and
operate the business. The incremental data and
processes required by IFRS 17 provide a significant
opportunity to maximise value and look
at the business from a fresh perspective.
Industry analytical tools can provide a
vehicle to assess trends and forecasts
for products, and link forward-looking
predictive results to underwriting,
accounting policy and reinsurance
decisions. IFRS 17 offers a once-in-a-
generation opportunity to modernise
data sourcing and analysis tools, while
leveraging the non-negotiable investments
required to achieve compliance. Carriers
that make this strategic incremental
investment today will realise lower operating costs
and more closely aligned financial and operational
business decisions tomorrow.
R&C: With some of the most significant accounting changes in the history of the insurance industry all going into effect at the same time – for example, IFRS 17, IFRS 9, CECL, LDTI, and so on – what are companies doing to streamline accounting and reporting processes across the organisation based on the breadth and scale of these new standards?
Zhang: Global multinational insurers reporting
under GAAP and IFRS have a rough road ahead,
with several new standards emerging, from IFRS
17/long duration targeted improvements (LDTI)
to current expected credit losses (CECL) and IFRS
9. In terms of IFRS, there has not been adequate
debate or consensus on the interactions between
IFRS 17 and IFRS 9. It is quite common to see these
standards being addressed and solved separately.
However, some leading institutions are starting to
look at things more holistically to ensure there are no
accounting mismatches between the assumptions
and allocations between the asset and liability side.
“The incremental data and processes required by IFRS 17 provide a significant opportunity to maximise value and look at the business from a fresh perspective.” – David Anderson, KPMG

For example, is there any impact of electing to flow
interest rate changes on the IFRS 17 side via other
comprehensive income (OCI)? What is the interaction,
if any, of similar elections on IFRS 9 for Fair Value
through OCI (FVOCI)? If we now layer on CECL and
LDTI, there is additional complexity for consistency in
measurement across the standards, reporting across
different accounting regimes, consolidation and,
more importantly, profit and loss (P&L) impacts. What
is clear is that it is important to get the foundational
design structures right from the start. It will be
important to make longer term design and platform
decisions that allow insurers to analyse impacts
across the standards.
Anderson: One of the greatest and most
immediate opportunities to maximise efficiency and
value is to leverage concurrent workstreams for
accounting-driven change – IFRS 17, IFRS 9, CECL and
LDTI – rather than completing each in a silo. Software
solutions in the industry provide the opportunity for a
centralised approach which can handle data sourcing
through the requisite calculations and financial
reporting, all within a common platform. Entities
will be able to configure separate workflows within
a centralised solution to encompass the specific
requirements of each standard, but the usage of a
common interface across the organisation leads to
synergies from a reduction in redundant training and
technology or IT support to streamlined process and
controls.
Terrile: Entities have different strategies to
comply with busy timelines generated by the new
standards. Nonetheless, there are two things worth
mentioning. First, entities that have existing platforms
to cover one of the standards are trying to extend
functionality by adding new content, such as IFRS
9 and IFRS 17, so that they can leverage existing
knowledge. Second, entities are trying to cover more
than one standard with one platform, so that the
learning curve is done only once. These strategies are
based on the idea that most standards compliance
processes – data management, engine provision
and reserving, accounting and process orchestration
and most of the time rely on the same persona and
manager – are similar.
R&C: What is the current state of implementation with IFRS 17? What is the impact of the one-year delay on implementation plans?
Terrile: The two main drivers that affected the
state of the IFRS 17 implementations were the size of
the entity and jurisdiction. Tier 1 entities were most
concerned about the complexity of implementation
and started the process of selecting software earlier.
The delay partially affected implementation plans,
because IFRS 17 teams were already in place and
they decided to continue with the process. Mid-size
entities, on the other hand, were just starting the
selection process when regulation was delayed
and, in general, decisions were delayed for around
six months. Regarding jurisdiction, those with high
expectation of adoption by local regulation, like
Canada and Europe, started the process earlier,
unlike Latin America and the US. The delay gave them
time to re-evaluate their plans, but also to review
controversial topics such as mirroring, allocation, risk
mitigation and analysis of change.
Anderson: The IASB delayed implementation
by a year due to reopening the standard, and
insurers should capitalise on this time to optimise
their implementation efforts. Many insurers were
significantly behind in their assessments and
implementation planning. This delay provides
issuers with the opportunity to get back on track
and optimise their implementation plans. There
is a significant risk that certain insurers will try to
de-prioritise IFRS 17 and will end up in the exact
same situation the following year. Carriers that wait
face higher implementation risk, and may find that
‘A-team’ talent has been committed to projects that
stayed the course. Optimising implementations will
allow companies to add value to their organisations
through more productive enterprise finance
transformation activities rather than relying on
minimal effort now, which will often lead to higher
expenditure in the long run.
Zhang: Some insurers started implementation
early last year while others are only now performing
their impact analysis. The early adopters have
completed their impact analysis, established an initial
view on accounting policy, and identified products for
which the applicability of IFRS 17 is clear. For other
products, such as reinsurance or products that may
or may not qualify for PAA, there are ongoing policy
and methodological discussions on the best way to
classify and measure liabilities. These insurers have
also completed their IFRS 17 solution selections
and are in the process of installing and testing their
initial set of use cases and portfolios using their
platform of choice. The emerging best practice is to
use a sandbox-type environment to test out multiple
use cases end-to-end; that is, take a single product
and go from grouping to measurement to postings.
This allows insurers to not only effectively test their
technology solutions, but also gives them a better
understanding of all flows and control points that will
need to be implemented in their final business as
usual (BAU) process. The end-to-end run also gives
insurers a better understanding of the desired level
of information needed to support various reporting
and analytical requirements.
R&C: What are the big implementation challenges that you see with IFRS 17? How are insurers approaching reporting and analytics needed for IFRS 17?
Anderson: Producing more granular source data
will strain many carriers, as will the need to link
accounts receivable to specific policies for
asset-liability presentation. The standard’s
requirement to more tightly link financial
reporting, reserving and underwriting
views in the portfolio-grouping decisions
also represents a new interconnectivity
requirement. Efficiently flowing this
underwriting information into the
financial close and controls frameworks is
needed to maintain operating costs and
close calendars. On the plus side, these
requirements will allow underwriters and
local managers to access more relevant
financial information that is composed ‘bottom up’
from their policy portfolios, compared to current
processes which rely on more ‘top down’ allocations.
Zhang: There are several implementation
challenges with IFRS 17 – from interpretation
of guidance to actuarial models, systems, data,
processes and resources. First, fixing data gaps will
be time consuming. This ranges from availability
of data – historical data as well as going forward
– granularity of data, the number of source systems
and the structure of the data. For example, many
companies may have expenses at a different
aggregation level and this needs to be reallocated to
their IFRS 17 grouping hierarchies. Second, depending
on the methodology selected, actuaries will have
to update their models to reflect new scenarios,
assumptions and outputs required for measurement.
Third, decisions need to be made about the
measurement components – from the approach
to calculate discount rate to the valuation of the
time value of the guarantee (TVOG) and embedded
guarantees for the variable fee approach (VFA).
Fourth, converting actuarial output into accounting
events and postings that roll into the IFRS 17-specific
chart of accounts will require reengineering. Fifth, a
configurable framework for reporting will be critical.
The standard is still evolving, and hence flexibility
to change drivers and orderings for reporting on
movements or analysis of change (AoC) will be
important. Finally, automating all the processes in
a governed and automated fashion will require the
right technology solutions.
“The standard is still evolving, and hence flexibility to change drivers and orderings for reporting on movements or analysis of change (AoC) will be important.” – Jim Zhang, SAS
Terrile: One of the main challenges during the
implementation phase is the definition of the groups
of contracts (GoC), because it affects the entire
process: input data, the number of extract, transform
and load (ETL) processes, methodology, the allocation
of RA and reporting. If the GoC is calculated at a low
level, the number of ETL processes that are required
to feed the engine could be problematic. Also, the
time required to process the information could
increase exponentially if the software cannot scale
horizontally. From a methodological point of view,
allocation could be a big challenge, such as expense
risk adjustment. On the other hand, when GoC is
selected at a high level, other challenges could
come up, such as detailed information and analysis
of change of CSM. Low granularity may be required
for internal reports, such as by channel and region.
In these cases, a reporting problem is transformed
into a post-measurement allocation problem, and
approximation methodology is required.
MINI-ROUNDTABLE
SEGMENTATION AND AI IN AML ALERTS
Alma Angotti is a managing director and co-head of the Global Investigations & Compliance practice at Navigant. With over 25 years of regulatory practice, Ms Angotti has held senior enforcement positions at the SEC, Treasury’s Financial Crimes Enforcement Network (FinCEN) and FINRA (Financial Industry Regulatory Authority). In these positions, she was responsible for conducting investigations involving securities fraud, insider trading, financial fraud, anti-money laundering (AML) and counter terrorist financing, market manipulation, investor and market protection, and other regulatory violations.
Alma Angotti
Managing Director
Navigant
T: +44 (0)738 702 730
PANEL EXPERTS
Salvatore LaScala is a managing director and co-head of Navigant’s Global Investigations and Compliance Practice in New York, NY. Possessing a broad range of subject matter knowledge and expertise, Mr LaScala applies his 20-plus years of hands-on experience to conduct investigations and compliance reviews on behalf of financial institution clients responding to regulatory or law enforcement matters concerning anti-money laundering, the Bank Secrecy Act, the USA PATRIOT Act and the Office of Foreign Assets Control.
Salvatore LaScala
Managing Director
Navigant
T: +1 (212) 554 2611
R&C: Could you provide an overview of how technology is transforming financial institutions’ (FIs’) anti-money laundering (AML) processes?
Angotti: Technology enhancements in financial
institutions (FIs) are becoming indispensable to
managing financial crime risk. Regulators expect FIs
to make use of the enormous amount of data they
have about their customers and their customers’
transactions. The only way to effectively identify
risk from all of this data is through technology. The
United Nations Office on Drugs and Crime estimates
that money laundered globally is about 2-5 percent
of world GDP annually, about $3 trillion. In addition,
the number of noncash transactions will increase
as mobile technology – mobile wallets and mobile
money transfers – is introduced into the global
market and emerging markets. For the past few
years, FIs have wrestled with methods to minimise
loss, remain efficient and maintain proper regulatory
compliance. Technology is transforming FIs’ anti-
money laundering (AML) processes by efficiently
sorting through large amounts of data, developing
more useful predictive modelling and using client
segmentation and behavioural patterning. Technology
has the potential to better identify risk, by eliminating
some of the ‘noise’ in the data and by enabling
compliance personnel to concentrate on actual risk.
LaScala: Over the past few years, FIs have begun
to embrace robotic process automation to expedite
their more tedious work. This is achieved by either
business process automation or by using ‘bots’
designed to perform automated and repetitive tasks.
As such, AML analysts and investigators derive
increased efficiencies and get to focus on the AML
typologies, rather than gathering and exhibiting
investigative artefacts. This shift in focus results
in increased quality, productivity and employee
satisfaction. At the same time, tremendous strides
in artificial intelligence (AI) and machine learning
(ML) are working to increase the quality of AML
alerts while decreasing the volume. Access to this
broader collection of cognitive tools, which have
evolved significantly in recent years to include ML,
deep learning and advanced cognitive analytics,
will, no doubt, yield remarkable benefits relating to
the effectiveness and efficiency of AML transaction-
monitoring systems.
R&C: With AML departments sifting through many alerts to pinpoint suspicious activity, can you outline specifically how artificial intelligence (AI) and segmentation help FIs to avoid wasting time and effort on too many low value alerts?
LaScala: FIs typically interrogate activity of one
large business without segmenting that business
into the different kinds of customers. For example,
in retail banking, there might be ‘premium banking’,
which covers students, recent graduates and middle-
class to upper-middle-class-income customers, with
a split only at the ‘private banking’ level.
This can result in applying only one set of
rules with one set of parameters to all the
‘premium banking’ customers. Applying
AI to the ‘premium banking’ segment can
result in the identification of four or five
separate subgroups of customers that
behave similarly and, as a result, now
have their own segments. Customising
the parameters of the detection scenarios
to each of those additional segments, in
our experience, has resulted in significant
efficiencies by reducing the false positives
caused by applying one set of detection scenario
parameters to very diverse groups. Segmenting
and customising the scenarios has been shown
to identify previously undetected suspicious
transactional activity with many fewer false positives.
This combination of more effective and more efficient
monitoring is our goal.
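The segmentation effect described above, as an added illustration that is not part of the roundtable: a toy transaction-monitoring scenario in Python, using a constructed ‘premium banking’ book split into three sub-segments and a simplified tuning rule (alert when monthly cash-in exceeds three times the peer-group median) that stands in for whatever parameter-setting an institution actually uses. The same scenario is scored once with one global threshold and once with a threshold per segment.

```python
"""Added example, not from the roundtable: one global detection parameter
for a whole 'premium banking' book versus a parameter tuned per
behavioural segment. Every customer record below is constructed."""
from collections import defaultdict
from statistics import median

# Constructed monthly aggregate cash deposits for 'premium banking'
# customers. 'segment' stands in for the sub-group an AI/clustering step
# would have discovered; 'suspicious' is the analyst's ground-truth
# disposition, used only to score the two approaches.
CUSTOMERS = [
    # (customer_id, segment, monthly_cash_in, suspicious)
    ("C01", "student", 300, False),
    ("C02", "student", 350, False),
    ("C03", "student", 400, False),
    ("C04", "student", 450, False),
    ("C05", "student", 500, False),
    ("C06", "student", 6000, True),      # unusually large cash inflow for a student
    ("C07", "graduate", 1500, False),
    ("C08", "graduate", 1800, False),
    ("C09", "graduate", 2000, False),
    ("C10", "graduate", 2200, False),
    ("C11", "graduate", 2500, False),
    ("C12", "graduate", 9000, True),
    ("C13", "upper_middle", 8000, False),
    ("C14", "upper_middle", 9000, False),
    ("C15", "upper_middle", 10000, False),
    ("C16", "upper_middle", 11000, False),
    ("C17", "upper_middle", 12000, False),
    ("C18", "upper_middle", 13000, False),
    ("C19", "upper_middle", 45000, True),
]

# Constructed, simplified tuning rule: alert above 3x the peer-group median.
PEER_MULTIPLE = 3.0


def tune_thresholds(customers, segmented):
    """Return {group: threshold}. Without segmentation the whole book is
    one peer group keyed 'all', as when a single rule covers everyone."""
    groups = defaultdict(list)
    for _, segment, cash_in, _ in customers:
        groups[segment if segmented else "all"].append(cash_in)
    return {group: PEER_MULTIPLE * median(values) for group, values in groups.items()}


def run_scenario(customers, segmented):
    """Apply the 'cash-in above peer threshold' scenario and score it
    against the ground-truth dispositions."""
    thresholds = tune_thresholds(customers, segmented)
    alerts = [cid for cid, segment, cash_in, _ in customers
              if cash_in > thresholds[segment if segmented else "all"]]
    truth = {cid: suspicious for cid, _, _, suspicious in customers}
    true_positives = sum(1 for cid in alerts if truth[cid])
    missed = sum(1 for cid, suspicious in truth.items()
                 if suspicious and cid not in alerts)
    return {
        "thresholds": thresholds,
        "alerts": alerts,
        "true_positives": true_positives,
        "false_positives": len(alerts) - true_positives,
        "missed": missed,
    }


if __name__ == "__main__":
    for segmented in (False, True):
        result = run_scenario(CUSTOMERS, segmented)
        label = "per-segment" if segmented else "one-size-fits-all"
        print(f"{label}: {len(result['alerts'])} alerts, "
              f"{result['true_positives']} true, "
              f"{result['false_positives']} false, "
              f"{result['missed']} missed")
```

With this constructed book the global threshold lands at 7500, which alerts on every ordinary upper-middle customer and still misses the student case; the per-segment thresholds (1275, 6300, 33000) alert on exactly the three suspicious customers.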
R&C: What should be the key strategic considerations for FIs when using AI as part of the AML alert process? How would you characterise the importance of AML alert analysis along the suspicious activity decision chain?
Angotti: The AI process requires a strategic
approach. Regulators need to see a clear objective;
therefore, it is important that an FI start small. The
FI should target specific areas with proper testing
and controls. Second, be transparent. Regulators
and auditors need the opportunity to access and
understand the solutions that have been provided.
Third, be effective. The AI must efficiently and
effectively address the risks and concerns of the
FI and provide apparent improvements. Next, the
institution should document a clear justification for
the results of the AI. Subject matter experts (SMEs)
must support, review and test the results. The FI must
utilise technology with an industry-proven and vetted
track record. Lastly, the AI should not be considered
a replacement for investigators, analysts and quality
assurance professionals, but rather AI should support
them.

“The AI process requires a strategic approach. Regulators need to see a clear objective; therefore, it is important that an FI start small.” – Alma Angotti, Navigant

This strategic AML analysis plays a very
important role along the suspicious activity decision
chain. The data captured through the AML process is
used to justify and develop the potential suspicious
activity report (SAR). Therefore, it is important that
the AML process employ a strategic approach when
analysing suspicious activity.
R&C: What transaction data is typically utilised in the AML alert analysis process? What key data needs to be made available to the recipient of an analysis, such as an auditor or regulator?
LaScala: The transaction-monitoring
systems consume many data points to
generate alerts. In some respects, it is
better to define which information not to
include, which might consist of automatic,
accounting or administrative financial
events. Nearly everything customer-
activated is in scope. Deposits, withdrawals
– by cash, check, monetary instrument,
wire or automated clearing house – are
just a few. Transaction codes, product
codes and any predetermined risk codes
or industry designations are also frequently
consumed. In addition to the transactional
data and the transaction codes, customer reference
data is key. This can include account name, number,
opening date, closing date, occupation, politically
exposed person status, and more. Additionally, the
list of products the customer uses, such as custody,
trading, online banking, remote deposit capture and
international wires impacts transaction monitoring. All
the data above will be used by an astute investigator
or analyst to disposition an alert. In fact, typically
all detection scenario alerts are reviewed to ensure
that the data points that compose them were
appropriately identified. If any of the data points
were not appropriately identified, the alert could be
a false positive. When the investigator dispositions
the alert, he or she should be working from a defined
investigative protocol specific enough to be tested.
Moreover, the documentation included to support
the alert should consist of enough exhibits for a
third party to repeat the work and come to the
same conclusion as the investigator. As such, other
stakeholders such as internal audit or examiners
should receive the entire investigative file and the
exhibits prepared by the investigator.

“Segmenting and customising the scenarios has been shown to identify previously undetected suspicious transactional activity with many fewer false positives.” – Salvatore LaScala, Navigant
R&C: In what format should alerts and resolutions be presented to an auditor or regulator in order to reduce the number of analysis failures? To what extent are alert analysis failures a root cause of AML problems?
Angotti: AI can help make the alerts more
productive, but alert analysis will continue to be
heavily dependent on SMEs evaluating the output
– that is, identifying suspicious activity. Transaction
monitoring is a combination of people, processes
and systems. Alert analysis failures sometimes do
contribute to the failure to identify risk. If the FI is
not properly trained and lacks robust documented
processes, protocols or decision matrices, then the
analysts may not properly identify the risk of the
alerted transactions. In addition, the FI must institute
a good quality control programme, to make sure the
analysts are following the procedures, and a good
quality assurance programme to make sure the
procedures are fit for purpose. Institutions need to
focus on those aspects of the programme to show
regulators that the current Bank Secrecy Act (BSA) or
AML programme can effectively identify transactions
or accounts that may be suspicious and reportable.
LaScala: Alerts and resolutions or dispositions
should be given to an auditor or regulator with the
investigative protocols that the investigator used
for the case. Additionally, the investigative memo
and any exhibits should be provided in one physical
or electronic folder. If stored electronically, the
exhibits should have standard naming conventions
to facilitate review. In essence, provide the reviewers
everything they need in a very organised fashion so
that they can focus on the analysis rather than being
distracted by trying to figure out the process.
R&C: What steps should FIs take to develop an action plan that allows them to research and resolve AML alerts and maximise the effectiveness of their AML protocols?
Angotti: AI requires human tuning and input
and human analysis of the output. Data scientists
and SMEs must work with AI to test and tune it
appropriately so that it works as intended. The FI
should prioritise two things: first, analysing the
high-quality alerts, and second, creating a symbiotic
relationship between the SMEs and the domain
experts. The FI should prioritise the most productive
alerts produced by AI because AI and intelligent
segmentation are able to identify behavioural
patterns that traditional transaction monitoring is
not. The domain experts alongside the SMEs should
play a leading role in assessing the relevancy of
the data used by the AI. If the integrity of the data
input into the AI is inadequate, the AI output will be
inadequate and create low-quality alerts. The priority
should be on building a team of data scientists and
SMEs who work in conjunction to create an efficient
and effective BSA or AML AI programme. The overall
process needs to be connected throughout.
R&C: Going forward, do you anticipate segmentation and AI will continue to improve AML processes? What innovations are in the pipeline?
Angotti: Intelligent segmentation and AI will
improve as they become more mainstream.
Eventually, intelligent segmentation and AI will
become more widely recognised and they will not
only become a requirement in the financial services
industry, but regulators will begin to expect intelligent
AI as a best practice in compliance. Segmentation will
also become smarter as technology focuses more
on behavioural and transactional patterns instead
of traditional static coarse segments. Data scientists
and SMEs will continue to improve supervised and
unsupervised ML through tuning and evaluation.
For example, the initial review of alerts may be
completed by AI with little to no human interaction.
Human analysts can then review the alerts most
likely to identify true risk.
LaScala: We have only just begun to exploit the
insights to be gained by AI in the AML process. It is
important to proceed with highly documented and
transparent protocols to help ensure the continued
support of regulators and law enforcement. Cloud-
based software can potentially answer millions of
questions by scanning financial information, as well
as drug approvals, economic reports, monetary
policy changes and political events. The possibilities
are endless.
PERSPECTIVES

ENSURING THE FUTURE OF AUDIT
BY PETER SWABEY
ICSA: THE GOVERNANCE INSTITUTE

The audit profession has been under pressure
in recent years, with much publicised scandals
at Tesco, Patisserie Valerie, BHS and Carillion
propelling the usually quiet world of audit to the
forefront of public consciousness for all the wrong
reasons. Presumably with cries of ‘where were the
auditors?’ resounding in her ears, Rachel Reeves, the
chair of the Business, Energy and Industrial Strategy
Select Committee, commented in November
2018, when launching an inquiry into the future of
auditing, that “Misleading audits have been at the
heart of corporate failures over recent decades.
Recent accounting scandals at BHS, Carillion, and
at Patisserie Valerie have shown accounts bearing
closer resemblance to works of fiction than an
accurate reflection of the true financial performance
of the business. Repeated accounting failures have
contributed to the collapse of major businesses and
undermined public and investor confidence. The
audit market is broken.”
Consequently, the profession has come under
enormous scrutiny, with the Competition and
Markets Authority (CMA) undertaking a study ‘to see
if the market is working as well as it should’ and Sir
John Kingman carrying out an independent review
for the government on the role and performance of
the regulator, the Financial Reporting Council (FRC).
With the dominance of the ‘Big Four’ audit firms
– KPMG, PwC, EY and Deloitte – being called into
question, and even the performance of individual
audit partners coming under challenge, there are
some serious governance concerns that also need
to be addressed.
The expectation gap

Firstly, there is a marked difference between what
an auditor would say audit is supposed to achieve
and what the press and public believe this to be. As
the CMA consultation showed, there is a definite
‘expectation gap’: “Stakeholders’ expectations of
statutory audit may differ from what it is required
to provide by law. Sources of this gap may include
expectations some stakeholders have of auditors
in providing assurance on the business’s future
viability.”
There needs to be a much better understanding
of who the stakeholders of a statutory audit are and
what purpose it serves. As we noted in our response
to Sir John Kingman’s review, “There is an important
education issue here – the political, press and public
expectation of the role of audit is very different from
what an auditor would perceive it to be. Whether this
education should be undertaken by the FRC, perhaps
through the Auditing Practices Board and funded by
an increased levy on audit firms, which we believe
to be the better solution or by the accountancy
profession itself is a matter for them. Equally,
whether the law or regulation should be changed
to bring those two views into line is a matter for the
government and/or the FRC.”
Separating fact from opinion

A number of the ‘accounting scandals’ that
we have seen in recent years have questions of
judgement at their heart. We believe that particular
value being regarded as crystallised in the accounts
should be a question of fact rather than opinion
– either it is yours or it is not. It should not be
possible for one accountant to draw up the books
for a period and have them audited against current
accounting standards and come up with ‘X’ and for
another to perform the same exercise, for the same
period, have it audited by a different auditor and
they find a difference of millions. Such restatements
are not to the benefit of shareholders and a detailed
examination of the appropriateness of the use of fair
value accounting would be an extremely useful first
step in improving the quality of the audit.
A question of choice

Appointing, replacing and ensuring the
independence of the auditor are key areas of
responsibility for the audit committee. While there
is a perception of a cosy club of unchallenged
members in some quarters, in our experience the
audit committees of most larger corporates consist
of independent non-executive directors who have
been appointed by shareholders to address this
‘principal-agent problem’.
Competition in the audit market between the
‘Big Four’ and other firms is a much debated topic.
The CMA study refers to “the unwillingness of
larger corporates to appoint the mid-tier auditors”
and goes on to state that “the majority of audit
committee chairs for FTSE 350 companies would not
consider a mid-tier firm to be a credible
auditor for the scale and complexity of
their businesses. In particular, for FTSE
350, or other large companies with
significant international operations,
there is a perception that only the
Big Four have sufficiently developed
international networks to service such
accounts.”
Such an analysis places responsibility
on larger corporates alone, which is
unfair. The chief weakness of the audit
market is the lack of confidence, not
just on the part of companies, but also on the part
of investors and some regulators, in the ability of
auditors outside the Big Four to provide an audit
of an adequate standard for large, multinational
companies. While this perception may be unfounded
in some cases, in others there is some evidence
to suggest that only the very largest audit firms
have sufficient range to carry out an audit of an
appropriate standard for more complex international
companies.
The accuracy of this perception should be tested
by an independent body to prove if mid-tier firms
are indeed capable of auditing the very largest
companies. That said, even if these firms were willing
to make the necessary investment to encourage
greater confidence in their auditing ability, there is no
certainty that larger corporates would take them up
on their offer.
According to Grant Thornton, larger corporates
have been more willing to consider a mid-tier
firm as part of the audit tender process following
the intervention of the Competition Commission,
but are no more willing to actually move to one.
The attitudes of their shareholders and regulators
inevitably play a part in this reluctance. This is
probably one of the most important issues affecting
the competitiveness of the audit market.
How to improve the quality of audit
There have been various suggestions as to how to
improve the quality of audit, ranging from breaking
down the dominance of the ‘Big Four’ to replacing
the FRC with a new body, the Audit, Reporting and
Governance Authority.
Ending the dominance of the ‘Big Four’ is not
a panacea and it is unlikely that such action will
prevent accounting failures in the future. Refining the
quality of the work done by the appointed auditor is
where the real focus should lie: improving training
to foster a greater spirit of professional scepticism
among auditors. Revisiting accounting standards to
give greater clarity on where judgement has been
applied by both the preparer and auditor would also
help.
Separating the audit function from the non-audit
practices of audit firms is unlikely to be a magic
bullet either. In many cases, non-audit services
are more remunerative than audit services. If
the ‘brightest and best’ move toward the better
remunerated consultancy roles and leave the basic
audit work to others, this is unlikely to improve
the standards of auditing. Furthermore, there is
anecdotal evidence that partners in other areas
of practice within the Big Four firms are becoming
increasingly irked by the need to defend audit
scandals when they are pitching for business.
Internal pressures of this kind provide a commercial
imperative for audit firms to improve their own
quality and this will be lost if the businesses are
separated.
Similarly, there is no independent evidence that
joint audit is effective and there are legitimate
concerns that it will increase costs for companies,
both financially and in terms of management time, as
well as create confusion if the joint auditors disagree
about a particular treatment.
One of the key challenges for the FRC has been
the fact that its role has changed incrementally over
time, but its powers have failed to keep pace with its
changed responsibilities and the expectations that
politicians, the media and public have of its role. As
Sir John Kingman so succinctly put it, “some of the
biggest and most important economic actors in the
UK are still regulated not by an independent body
but, in effect, by their trade association”, one which
has limited or non-existent powers.
The fact that the suggested new regulator would
have statutory powers and clear terms of reference
from the government is more important than the
fact that it is a new regulator or that it has a new
name. More proactive enforcement by the regulator
in the event that audits are found to be substandard,
and the increased focus on the responsibility of the
audit committee for ensuring the quality of the audit
received, are the best chance of improving auditing.
Peter Swabey
Policy and Research Director
ICSA: The Governance Institute
T: +44 (0)20 7612 7014
MINI-ROUNDTABLE
AUDIT COMMITTEE DISCLOSURES
PANEL EXPERTS
David Chitty is responsible for the global leadership of accounting and auditing services at Crowe Global. He supports the development of the network’s global audit methodology and audit technology, leads the global quality assurance programme, presents seminars and supports business development initiatives. He is also a member of the Institute of Chartered Accountants in England and Wales’ (ICAEW) Independent Regulatory Board, and is a former member of ICAEW’s governing Council and ICAEW’s Audit Committee.
David Chitty
International Accounting & Audit Director
Crowe Global
T: +1 (212) 808 2027
Steve Gale is head of audit at Crowe in the UK. He has nearly 30 years’ experience within the audit field and has a particular specialism in dealing with professional services firms and listed companies. He has recently been appointed to the Auditors’ Advisory Group for the Brydon Review into the quality and effectiveness of audit, commissioned by the UK Department of Business, Energy and Industrial Strategy. He is a member of Crowe Global’s International Audit and Accounting Committee.
Steve Gale
Partner
Crowe U.K. LLP
T: +44 (0)20 7842 7262
Jennifer Knecht is the Securities and Exchange Commission (SEC) practice leader for Crowe LLP. She has over 22 years of experience conducting audits and providing other financial assurance services. She also has experience with SEC reporting requirements, including initial public offerings (IPOs) and reverse merger transactions. These projects include working directly with clients and other stakeholders on registration statements, SEC comment letters and comfort letters.
Jennifer Knecht
Partner
Crowe LLP
T: +1 (317) 706 2697
Diana Huang’s practice is focused on public company auditing, including mining and oil and gas companies, as well as the high-tech industry, and she is able to bring a vast amount of knowledge and expertise to industry-specific issues. She routinely assists lawyers and clients with IPOs, reverse takeovers, spinout transactions, prospectus offerings and filing statements. She takes great pleasure in identifying complicated issues and in providing sound, technical solutions.
Diana Huang
Incorporated Partner
Crowe MacKay LLP
T: +1 (604) 697 5274
Michael Jetter is an audit partner responsible for providing audit and accounting services to international, listed and non-listed, companies in Germany. His clients are drawn from sectors including manufacturing, automotive and consumer goods. In addition to his audit work, he provides International Financial Reporting Standards (IFRS) conversion services, as well as financial accounting advisory work for German subsidiaries of foreign-owned businesses in US generally accepted accounting principles (GAAP) and IFRS reporting matters.
Michael Jetter
Partner
RWT Crowe GmbH
T: +49 7121 489 544
R&C: Could you provide an overview of the main trends and developments affecting audit committees in recent times? How has their role evolved and have you seen a general improvement in quality and oversight?
Chitty: Audit committee disclosures provide
important information for stakeholders about the
audit committee’s activities and exercise of its
responsibilities. The audit committee has a vital
role in corporate governance, including providing
oversight to the financial reporting process led
on a day-to-day basis by the chief financial officer
(CFO), appointing and maintaining close contact
with the external auditor, and receiving reports
from and providing guidance and support to the
internal auditor. The role of many committees has
evolved into overseeing risk management as well
as financial and ‘traditional’ audit affairs. Legislation
and regulation, as well as codes of practice, may
specify the minimum disclosures expected of an
audit committee, whether in the annual report or
other media issued by the company. However, in
the interests of transparency and good investor
and stakeholder relations, the disclosures may go
beyond this minimum. The 2014 European Union
(EU) Audit Directive extended the list of functions
assigned to the audit committee, as follows.
First, inform the administrative or supervisory
body of the audited entity of the outcome of the
statutory audit and explain its contribution to
the integrity of the financial statements. Second,
monitor the financial reporting process and submit
recommendations. Third, monitor the effectiveness
of the internal quality control and risk management
system. Fourth, monitor the process of the audit
of statutory or consolidated financial statements,
mainly the findings and conclusions. Fifth, review
and monitor the independence of the statutory
auditor. Finally, be responsible for the procedure
for the selection of the statutory auditor or audit
firm. The Directive has been transposed in law
in the Member States of the EU and it ought to
influence disclosures by audit committees, as the
committee has more responsibilities to comment
upon. In practice, disclosures will be influenced by
national requirements, as well as convention, in
the Member State. Studies are beginning to show
how committees are reporting on their extended
responsibilities.
Gale: The UK Financial Reporting Council (FRC)
conducted research under the auspices of the
Audit and Assurance Lab, which resulted in a report,
‘Audit Committee Reporting’, being published at the
end of 2017. Key themes that were addressed in
that publication were the interaction between the
audit committee and the auditors, how the audit
committee reports on significant matters impacting
the financial statements, and internal control matters
including risk management and internal audit. With
increased focus on mandatory retendering and
rotation – in light of the adoption of the EU 2014
Audit Directive and Regulation, implemented in
2016 – there has been encouragement for audit
committees to describe in their reports the steps
they have taken when undertaking tender
processes, including the key criteria they
are using to assess the firms taking part
in the tender, as well as how they are
assessing the effectiveness of the auditor
and the audit process.
Knecht: US Securities and Exchange
Commission (SEC) regulations require
certain minimum disclosures by audit
committees. Some of the disclosures
required by SEC regulations include
whether the audit committee has
reviewed and discussed the audited financial
statements with management, discussed with the
independent auditors the matters required to be
discussed by Public Company Accounting Oversight
Board (PCAOB) Rule 3200T, received from and
discussed with the auditors disclosures regarding
the auditors’ independence, and whether the audit
committee members are independent as defined
in the applicable listing standards. While these
disclosures provide some transparency to audit
committee oversight, they do not cover the full range
of an audit committee’s activities. Audit committees
play a key role in the oversight of management and
the independent auditor. Effective oversight of the
financial reporting process is absolutely critical to
upholding the integrity of the capital markets. As
more emphasis continues to be placed on disclosure
effectiveness, a natural evolution is for audit
committees to provide more transparency to the full
range of their activities – which go well beyond the
required disclosures. There have not been significant
regulatory or legislative developments around
required audit committee disclosures in the US for
some time. However, in public statements, the SEC
continues to emphasise the importance of effective
audit committee disclosure. For example, in a 2017
speech, Wes Bricker, chief accountant of the SEC,
encouraged audit committees to “consider whether
providing additional insight into how the audit
committee executes its responsibilities would make
the disclosures more effective in communicating
with investors”. Mr Bricker also referenced the
SEC’s 2015 concept release on possible revisions to
audit committee disclosures as a potential tool to
assist audit committees in considering disclosure
enhancements. Our experience in practice
is that US public companies of all sizes
have continued to expand voluntary
disclosures within their proxy statements
on oversight responsibilities, for the
benefit of their stakeholders. This push for
additional transparency is understandable
given the rapid pace of change seen
in the economy. Going forward, calls
for increased transparency into audit
committee duties, including oversight of
the independent auditor, are expected
to grow. Audit committees can respond
by providing more meaningful disclosures that
increase awareness of their responsibilities and how
individual committees carry them out.
Huang: In Canada, larger companies are
disclosing more on the background of audit
committee members. There is more focus on
providing investors with information regarding the
experience and expertise that members bring to
the company, and also more transparency with
respect to diversity – such as female representation
on the board. Another trend we have noted is audit
committee members of larger companies starting
to formalise the process of evaluating their external
auditors and providing transparency regarding the
process. Overall, for smaller public companies, in
our view the majority of audit committee disclosures
continue to inadequately address, or completely
disregard, how the committee oversees the external
auditor and assesses the auditor’s qualifications
and work quality. We feel that there have been
improvements in the number of disclosures in
recent years; however, this movement has not
been universally or consistently adopted, especially
with junior issuers. The content and adequacy of
disclosures continues to evolve, but largely remains
a work in progress.
Jetter: In Germany, the audit profession recently
adopted the revised ISA 260 ‘Communication With
Those Charged With Governance’, requiring more
intense and more frequent communication between
the auditor and the audit committee compared to
what we have seen previously. This should further
improve oversight quality and may influence external
disclosures by the committee. The main trends and
developments that we are seeing are independence
of the auditor and the provision of non-audit services
by the auditor, as well as tendering. Tendering is
spurred by the need for public interest entities (PIEs)
to change their auditor as a result of EU-imposed
restrictions on the maximum term an auditor can
serve a PIE.
R&C: What factors are influencing and shaping the content of audit committee proxy disclosures issued by small to large public companies?
Gale: The principal factors that would appear
to impact the content of audit committee reports
are the sophistication of the corporate governance
framework adopted by the company, as well as the
nature of the external shareholders. In the UK, not
all listed companies are required to prepare audit
committee reports, for example those listed on AIM.
Where companies do prepare a report, then those
companies with less sophisticated arrangements are
more likely to have reports that are less granular and
detailed than those from larger companies.
Huang: Financial reporting has become more
complex as a result of new standards, disclosure
requirements, cyber security risks, technology
risks and challenges, and additional focus by
regulators, thereby adding more pressure on audit
committees to have appropriate expertise and
engagement, in providing oversight and challenge
to management and providing additional disclosures
to build confidence among investors in their roles of
oversight.
Jetter: In Germany, the supervisory board is
required by law to issue and publish a separate
report to the shareholders on their work during the
preceding year. This supervisory report includes
sections on how the audit committee fulfilled
its legal and statutory obligation to ‘audit’ the
company’s annual and consolidated financial
statements using the auditor’s work – for example
whether the audit committee concurs with the
results of the audit’s work. This statutory obligation
is also relevant for non-PIEs, meaning all
entities in the legal form of a stock corporation,
known as an Aktiengesellschaft, or a large limited
liability company, known as a GmbH.
Knecht: The growing pressure for increased
disclosures is a reflection of the increasing
importance investors and stakeholders are placing
on corporate governance and audit quality. An
increasingly complex business environment has
propelled stakeholder interest in more detailed
audit committee disclosures. Investors are
keenly focused on audit committee oversight as
companies innovate, expand into new markets, and
implement emerging technologies. One topic where
stakeholders are seeing increased audit committee
voluntary disclosure is cyber security. We are seeing
a positive trend with respect to enhanced voluntary
disclosures by audit committees. Some audit
committees are now providing robust disclosures in
areas such as considerations in the appointment of
the audit firm, criteria used in evaluating the audit
firm, and involvement in lead partner selection.
In the US, the Center for Audit Quality (CAQ) has,
for the last five years, published an annual ‘Audit
Committee Transparency Barometer’ which,
among other objectives, summarises trends in
audit committee voluntary disclosures. The
2018 report indicates positive trends in
a number of key metrics the CAQ uses
to assess voluntary audit committee
disclosures.
R&C: How would you characterise the general effectiveness of audit committee disclosures? Do you believe increased transparency is required in certain areas?
Gale: With the current focus in the UK on
corporate governance and the role of audit, there
is increased scrutiny of how audit committees are
considering audit quality. As the rules from the
EU Audit Directive and Regulation take full effect,
one might expect greater scrutiny of the degree to
which the audit firm provides non-audit services
and how the audit committee assesses whether
or not this might impact the independence of the
audit firm. In terms of financial reporting, investors
are keen to understand the role that the audit
committee has taken in understanding, reviewing
and challenging the key estimates and judgements
made by management in preparing the financial
statements. In addition, audit committees are being
expected to challenge management further in their
use of alternative performance measures (APMs),
which are measures not immediately apparent from
the financial statements but which management
consider are most appropriate for assessing
the performance of the business. The
challenge and transparency
should include
assessing whether the APMs used are most
appropriate for the business as well as the adequacy
of how those APMs reconcile with the measures
evident from the financial statements.
Huang: For larger companies in Canada, there are
general disclosures regarding the presence of an audit
committee charter and limited descriptions around
their general responsibilities. For smaller companies
we feel this is an area that is lacking and would
benefit from additional disclosure. Disclosure of the
topics discussed, their risk assessments and the
work performed by the audit committee are lacking.
Many disclose their overall responsibilities, yet fail to
provide transparency around their actual processes,
assessments and conclusions.
Jetter: We still see a lot of ‘boilerplate’ language in
supervisory board reports. As the legal requirements
for stock corporation laws are rather ‘vague’, there is
a need to further clarify, customise and individualise
supervisory board or audit committee reporting
requirements, in order to improve communication
quality with shareholders. One example is the
introduction of reporting key audit matters (KAMs) in
audit reports.
Knecht: One area to look at is the area
of disclosure of fees paid to the auditor. SEC
regulations require companies to disclose fees paid
to the principal auditor in four categories: audit,
audit-related, tax, and all other for the two most
recent years. Beyond the required disclosures,
audit committees are not yet providing significant
voluntary disclosures in the area of audit firm
compensation. Audit committees may want to
consider explaining their role in the fee
negotiation process. For example, audit
committees might consider enhanced
disclosure about how the committee
determines and evaluates auditor
compensation, as well as significant
changes in fees paid to the audit firm.
Chitty: It is interesting to consider the
perspective of internal auditors about
how audit committees disclose their
relationship with internal audit. Internal
auditors see the benefit of the audit
committee being to enhance the status of the
internal audit function. An effective audit committee
can strengthen the position of the internal auditors
by acting as an independent forum for internal
auditors to raise matters affecting management.
The chief audit executive (CAE) should report
functionally to the audit committee, which is critical
to good corporate governance. The effectiveness
of the relationship between internal audit and
the audit committee should have an impact on
committee disclosures. Regular meetings between
the audit committee and internal audit make it more
likely that the audit committee remains informed
and knowledgeable about relevant accounting
and auditing issues. Maximum benefit from this
interaction can be expected, however, if members of
the audit committee have the technical expertise to
understand the work of the internal audit function,
together with the independence to enhance the
status of the internal audit. In the absence of this,
the audit committee is a rather theoretical and
obligatory concept without much decisive influence.
Instead of considering the internal auditor as a
valuable and independent information provider, the
audit committee chair may prefer to rely almost
exclusively on the external auditor. Consequently, the
reciprocal relationship between the audit committee
and the internal auditor is underdeveloped, which
can be considered a missed opportunity for
both parties. Therefore, disclosure by the audit
committee internally to the board and externally
to stakeholders is less than effective. Due to this
mismatch of interests, there will be cases where
there is an under emphasis on the internal audit
oversight role by the audit committee. In order to
reduce this mismatch, both parties should broaden
their interests in a converging way, in conjunction
with clear communication about the mission and
roles of internal audit. Internal auditors value audit
committee support and seek to be proactive in
achieving it, often by means of educating audit
committee members. An effective relationship
between internal audit and the audit committee
ought to be disclosed and will be positive for
stakeholders to be informed about.
R&C: What are the benefits of increasing transparency in audit committee disclosures?
Huang: Increased transparency provides investors
with information to evaluate audit committee
performance and helps with understanding the audit
committee process and rationale for doing certain
things, for example when appointing auditors. It also
helps with increasing investor confidence.
Knecht: It is important for audit committees to
engage with regulators, auditors and stakeholders.
Proactively engaging in communication with others
on these topics can have a meaningful impact on
the development of future standards. In addition,
it can provide valuable insight to audit committees
about the types of disclosures that are important to
stakeholders. For example, the PCAOB is currently
conducting research on how auditors and audit
committees interact with respect to PCAOB Rule
3526, ‘Communication with Audit Committees
Concerning Independence’.
Gale: For investors, there is the benefit of
reassurance that the audit committee is providing
an appropriate challenge to management and is
focused on ensuring there is high quality corporate
reporting – not only in terms of the reported results,
but also that the auditors will be conducting an audit
of the appropriate quality.
Chitty: Enhancing the transparency of disclosure
could make the financial information more credible
to investors and increase investors’ confidence. This
should have a very positive result in the company’s
development in the long term.
Jetter: Generally, increased trust in the audit
committee strengthens the shareholders’ interests.
In the two-tier board system in Germany, the auditor
explicitly serves and supports the work of the
supervisory board. So, increasing transparency also
means better information about the key aspects of
an audit and how the supervisory board deals with
these issues.
R&C: How might enhanced transparency around corporate governance help underscore audit committee improvements?
Gale: It is not a matter only of transparency but
also of the quality of the corporate governance
framework adopted by the company and, as part
of that, the quality of the individuals involved. There
is also the element that might be summed up in
the phrase ‘corporate culture’. If the culture that is
nourished within the company is based on quality,
openness, integrity and transparency, then that
should permeate through all the company’s financial
reporting obligations, including reporting by the audit
committee.
Huang: Increased transparency should lead to
greater accountability and improved oversight. If
audit committees were required to disclose specific
processes, information considered and conclusions
reached, as opposed to a general mandate,
stakeholders would have the ability to monitor,
measure and assess the operational effectiveness
of the audit committee and the degree of their
oversight.
R&C: Have there been any notable legal and regulatory developments in this area? If so, what has been the impact?
Gale: The UK adopted the EU Audit Directive and
Regulation in 2016, which introduced mandatory
audit tendering and rotation. As a result, there has
been an increase in the frequency of audit tenders.
In February 2017, the FRC also published a ‘best
practice’ note for audit committees surrounding
the process for conducting an audit tender. We
might expect to see an increase in the quality of
disclosures around the appointment process for
auditors, including identifying the principal factors
that the audit committee is using in assessing the
firms participating in the tender process. The FRC
publication ‘Audit committee reporting’, published
in December 2017, provides examples of good
practice in various elements of audit committee
reports, which the FRC hopes will stimulate further
improvements in audit committee reports.
Huang: External audit effectiveness has been
subject to increased regulatory focus, by bodies
such as the Canadian Public Accountability Board
(CPAB) and the US PCAOB. Evaluation of external
audit effectiveness is also becoming an important
part of the audit committee role. The Securities
Commission in Canada has also been allocated
additional resources to review public disclosures
– including other than financial statements – and
to challenge management on their disclosures. This
requires deep expertise from audit committees in
the areas of financial and non-financial reporting.
We have noted regulators working with companies
to establish and monitor key performance indicators
(KPIs). This is a tool that helps to engage audit
committees, establishes an approach to measure
and improve performance, including audit quality.
The Canadian regulator had launched an exploratory
audit quality indicators (AQIs) project with certain
Canadian audit committees to get
feedback on the usefulness of AQIs
and to support broader national and
international discussions. The result of
the project was that AQIs provide a better
understanding among management, the
audit committee and external auditors of
roles and responsibilities related to audit
quality, and their expectations of others.
They also result in more efficient and
effective interactions between the audit
committee and the auditors. There are
now discussions around whether audit
committees should disclose AQIs in their
annual filings, which some see as evidence of robust
audit committee oversight of the external auditor.
Canadian companies that have disclosed their AQIs
publicly include Magna, Royal Bank of Canada,
Telus, Intact Financial and Sun Life Financial.
Chitty: There have been developments in China
as the China Securities Regulatory Commission
(CSRC) issued the ‘Code of Corporate Governance
of Listed Companies’ in 2001, for the purpose of
standardising the operation of listed companies
and protecting the legitimate rights and interests
of investors. The code was recently revised and
implemented with effect from 30 September 2018.
The revised guidelines require listed companies
to strengthen the audit committee function and
establish the basic framework for environmental,
social and governance (ESG) information disclosure.
In general, Chinese listed companies are used
to disclosing information pursuant to mandatory
provisions, and the revised guidelines encourage
listed companies to voluntarily disclose relevant
information which may have an impact on decision
making, in order to provide more comprehensive
information to shareholders and other stakeholders.
Jetter: Except for the introduction of the new IDW
PS 470 – equivalent to the revised ISA 260 – there
have been no significant developments in Germany.
As the standard increases an auditor’s obligation
only in respect of communications between the
audit committee and the auditor, the effect on
shareholders and other stakeholders is probably not
that significant.
R&C: What advice would you offer to companies on drafting voluntary disclosures within their proxy statements that provide stakeholders with greater insight into oversight responsibilities?
Knecht: Invest some time
engaging with stakeholders to gain an
understanding of the voluntary disclosures
they believe are most important. Evaluate
the cost-benefit of voluntary disclosures and seek
ways to enhance disclosures so they will provide the
most benefit.
Huang: Provide more than the basic minimum
requirements. This will help with holding the
committee accountable and also builds investor
confidence in the various governance roles. In
addition to ‘what’ you do, also explain ‘how’ you do
it. In other words, explain the committee’s process.
Gale: If audit committees want to make sure
they are providing valuable insight to readers, an
important element is to really understand what
it is that readers want to know. Engaging with
stakeholders and key shareholder groups will be an
important part of this.
Chitty: In the Chinese market, listed companies
are advised to pay attention to the quality of
voluntarily disclosed information (VDI), which may
result in misunderstanding by the market. Care
has to be taken with such voluntary disclosures in
case they have price-sensitive implications. Turning
to audit committee interaction with internal audit,
good practice disclosures could: monitor whether
the internal audit function has adequate resources;
follow up on the internal audit department’s scope,
the results of its operations and recommendations,
and on management’s responses thereto; and
challenge management on critical findings reported
by internal audit, and report internal audit’s
perspective to the board.
R&C: How do you expect voluntary audit committee disclosures to evolve in the years ahead? Is there an inevitable trend toward even greater transparency and accountability?
Huang: We see trends towards additional
transparency and more focus around processes and
controls being described in proxy statements. We
expect that regulations will continue to evolve to
require more transparency.
Chitty: In the past few years in China,
audit committees have continued to enhance
transparency and accountability regarding VDI
as required by relevant authorities in China. The
revised Code will have an effect in this area. It
is expected that audit committees could make
improvements to the effectiveness of VDI. Turning
to the EU, we can anticipate that the expansion of
audit committee responsibilities resulting from the
2014 Audit Directive will result in more disclosures
by the committee, because stakeholders will expect
to hear about how these responsibilities are being
discharged.
Jetter: I doubt that in the near term we will see a
great expansion of voluntary disclosures in Germany,
although stakeholder expectations on this front may
change.
Knecht: In the near term, it is possible that
changes to external audit standards may help
facilitate enhanced disclosures by audit committees
– specifically, through auditors’ required disclosures
of critical audit matters (CAMs) under PCAOB
Auditing Standard 3101, ‘The Auditor’s Report on
an Audit of Financial Statements When the Auditor
Expresses an Unqualified Opinion’. Auditor disclosure
of CAMs later this year will provide audit committees
with a great opportunity to communicate through
enhanced disclosure their oversight activities with
respect to the critical areas identified within the
audit. CAMs are similar to KAMs that are required
in other countries, where the reporting of KAMs has
had an impact on disclosures.
PERSPECTIVES
GENERAL COUNSEL HAS QUICKLY BECOME THE VIGILANT SENTINEL OF REPUTATION RISK AND THE CORPORATE CONSCIENCE
BY HARLAN LOEB
> EDELMAN
In September 2018, Danske Bank’s CEO resigned
amid the swirl of whistleblower allegations of
Russian interference in European economies and
allegations of massive money laundering. In their
account of that crisis in Raconteur Opinions, Veta
Richardson and Leisbeth De Ridder contend the case
was largely avoidable based on the findings of an
internal review.
The authors concluded that the board of directors
lacked an essential ally – the general counsel (GC).
Sometime before the allegations surfaced, the GC
ceased reporting to the CEO and began reporting to
the chief financial officer. In 2014, in-house counsel
sought to further investigate the whistleblower
allegations, but two executives overruled him. A
modern legal department, the authors contend,
might have averted one of Europe’s biggest
scandals.
A recent global study by the Association of
Corporate Counsel (ACC) delivers a timely and
fascinating footnote to the Danske event. The ACC
concluded that GC who report directly to the CEO
provide a leading indicator of their influence on
critical corporate events and crises, while also
illuminating a new mandate to create a culture that
reinforces ethics and integrity driven by behaviour.
Indeed, the GC is becoming the most important C-suite
executive on reputation, crisis and non-market
risk, among other critical issues that have sparked a
‘constant crisis’ environment at many corporations
with unprecedented operational uncertainty.
As damaging issues increasingly erupt, from
internal espionage and privacy invasions to
consumer outrage and executive misconduct,
the GC has become the crisis management
quarterback with discernibly impressive
impact, influence and positive results.
GCs are leading from the front on
a variety of diverse crisis, reputation
and cultural matters. They include: (i)
rules-based compliance systems that
frequently mortgage common sense
and good judgment; (ii) inadequate
measurement and alignment on top
tier corporate risks; (iii) behavioural risk and
potentially toxic performance incentives; (iv)
inadequate information sharing processes and
networks; (v) top-down management structures
that commoditise promising young talent and future
leaders; and (vi) corporate values that are merely
words on a website.
Like no other corporate officer, the GC is
positioned uniquely to advise business decision
makers proactively on both destabilising market and
non-market risks. In fact, many GCs suggest their
biggest challenges do not involve legal risk.
Consider how the GC of pharmaceutical giant
Sanofi effectively crafted the perfect response
to shut down Roseanne Barr’s attempt to blame
Sanofi’s Ambien for her abhorrent rant that led to
her TV show’s cancellation. Barr contended Ambien
explained her late-night tweet attack against former
Obama presidential adviser Valerie Jarrett. The Sanofi
GC approved the perfect response: “People of all
races, religions and nationalities work at Sanofi every
day to improve lives of people around
the world. While all pharmaceutical
treatments have side effects, racism is
not a known side effect of any Sanofi
medication.”
Above the Law noted that in vetting
the tweet, the GC asked three basic
questions before unilaterally hitting
the ‘go button’: Is it truthful and not
misleading? Is it consistent with our
values? Is it legal?
Still, against today’s backdrop of
continual fear of a reputational crisis, it is not
surprising GCs feel quite vulnerable. Eighty-five
percent of GCs surveyed recently by Morrison &
Foerster ALM Intelligence (ALM) ranked reputation
and brand crises as their number one concern,
followed distantly by corporate risk at 58 percent.
One GC recently said that the reputation risks that
keep her up at night include consumer activism,
rising operating uncertainties, immediate digital and
iPhone ‘reporting’, and the klieg lights that shine on
workplace and corporate misconduct.
ALM also asked GCs who experienced a significant
corporate crisis in the previous 12 months to rate
their company’s level of preparedness for it. Few
gave themselves high grades, although two-thirds
felt they had been well prepared. That is a significant
improvement over an earlier survey in which only 29
percent of companies experiencing a crisis felt that
they were adequately prepared.
Most GCs noted that a solid crisis response plan
must at least contain fundamental information
tested through simulation scenarios. Swift and
decisive action – especially within the first few hours
– ranks among the most effective ways to diminish
the negative impacts of a crisis. Yet, as emphasised
by many including ALM, only senior leaders – the
CEO and the GC, in particular – are authorised to
make decisions.
Companies must put clear and vigorously
tested escalation procedures in place, and each
senior leader should tap a deputy as a stand-in, if
necessary. Many small issues burst into full-blown
crises because information winds its way too slowly
through the corporate hierarchy before an executive
leader is found with the authority to make a final
decision. ALM maintains that this is a clear and
costly vulnerability for over one-third of companies
that do not include necessary escalation procedures
in their crisis management plans.
Unlike any other professional discipline, lawyers
are trained rigorously to be issue spotters, experts
in multivariable risk and fluent on both sides of
every issue that arises. And, perhaps distinctly,
fully committed to the ‘sanctity of facts’. Thus, they
are equipped to make decisions with imperfect
information and to take calculated risks to manage
and avoid potentially franchise-threatening crises.
Multifaceted problem-solving skills,
multidirectional thinking and training to vet all
contingencies are the province of outstanding
lawyers. Against this backdrop, the GC’s broadening
mandate leads to better outcomes on challenges
including crisis management, corporate culture,
values-based leadership and organisational
resilience. GCs are increasingly the ‘challenger in
chief’ on the most vexing risks, issues and crises
organisations confront.
Ms Richardson, the ACC’s president and chief
executive, notes that as chief advocates and
initiators for developing a collaborative relationship
with the board, GCs increasingly set and oversee
a corporation’s cultural, ethical and performance
values. In-house counsel are essential actors in their
company’s ability to achieve its long-term strategies.
As the ‘defender and challenger in chief’ in
promoting and protecting dynamic corporate values
and performance cultures, GCs prove to be the
stewards of principles-based compliance anchored
in an operating mindset that includes integrity
as well as ethical and cultural values. Because
the GC is accountable to corporate directors and
shareholders, they must educate and direct them
on new operating realities, particularly those rooted
in corporate culture that present reputational
threats. Additionally, the multifaceted thinking skills
of the GC have become imperative in stress-testing
the business, cultural and social repercussions
of corporate decisions and enable durable and
proactive risk management.
Today’s GC has become an essential participant in
setting the tone at the top and driving a corporate
culture that creates long-term and enduring
reputational value by being more responsive to all
stakeholders.
Harlan Loeb
Global Practice Chair, Crisis & Reputation
Risk Advisory
Edelman
T: +1 (312) 240 2624
ONE-ON-ONE INTERVIEW
CCOS: MANAGING RESPONSIBILITIES AND LIABILITY RISKS
José Antonio López Alonso
Partner
Zinser, Esponda y Gomez Mont, Abogados
T: +52 55 5202 8610
José Antonio López Alonso has been involved in criminal law practice since 1994. He has participated in multiple international extradition proceedings between Mexico and countries such as the US, Argentina, Switzerland and Australia. For more than 20 years, his practice has been oriented toward economic, banking, tax, environmental, copyright, intellectual property, election and corruption offences, as well as criminal liabilities related to public service.
R&C: To what extent has the role of chief compliance officer (CCO) gained greater importance in recent years? How would you characterise its evolution, and where it should rank within the corporate hierarchy today?
López Alonso: Although foreign companies with
US Foreign Corrupt Practices Act (FCPA) and other
compliance regulations are used to having a chief
compliance officer (CCO), this is something new
for Mexican companies. Mexico is only just starting
to develop a compliance culture, having passed its
first compliance laws just a few years ago. Given
that, compliance is only just beginning to form an
integral part of Mexican corporate governance. As
this process advances, in some Mexican companies
the CCO function is frequently assumed – often
temporarily, and sometimes permanently – by the
legal department, whose opinions are seriously
taken into consideration by the board, or at least
should be. Other companies are only just starting to
appoint a CCO as part of their corporate governance
system. In our view, the CCO should be at the top of
the corporate hierarchy in order to ensure that her
recommendations are not disregarded for operational
reasons. She should have direct communication
with the board and the shareholders’ meeting, and
we believe that she should work hand-in-hand with
other executives in order to implement precautionary
measures in a way that does not prejudice the
company’s functionality, since any measure that
prevents a company from running normally will not
be heeded by the employees.
R&C: How has increasing regulatory scrutiny impacted organisations which do not have a CCO?
López Alonso: Since compliance laws have
only recently been passed in Mexico, companies
are only just starting to adjust to this new culture
and take precautionary steps, given that they
may now be deemed criminally liable under the
country’s laws. Furthermore, in order to attenuate
such corporate criminal liability, Mexican judges are
obliged to examine their controls and policies in
order to prevent unlawful actions that would benefit
a company. Some companies have been indicted
for offences committed by their employees, due to
their lack of control, and it is almost impossible to
guarantee that a firm is doing everything it can to put
an end to unlawful practices if it has no executive
who is exclusively devoted to implementing
compliance measures and updating them as she
sees fit. Given that compliance systems should be
tailor-made for each company, it is a full-time job to
implement and update such systems. Companies
that do not have a CCO among their executives
will have a hard time showing that they are really
committed to compliance, and hence run a greater
risk of being held criminally liable, with serious
consequences that may even include dissolution.
R&C: What challenges face today’s CCOs in terms of managing a range of responsibilities and liability risks?
López Alonso: Today, CCOs in Mexico are facing
a huge cultural challenge, given that the concept of
compliance is new here and corporate leaders and
boards do not understand why there is a need to
implement compliance programmes and policies
as part of their governance practices. Mexican
companies are used to running their business a
certain way, being resistant to change and doubtful
as to whether it is needed and will benefit them.
CCOs face the challenge of changing the mindsets
of everyone in the company, from board members
and other leaders to directors and employees,
helping them to understand why such changes are
important. Before making these changes, corporate
leaders and employees should be educated on the
importance of compliance and the risks that the
company is seeking to minimise, so that they will help
to implement compliance policies and observe them
once they are in place.
R&C: Do you believe many organisations, from top to bottom, fail to understand the mechanics and importance of the CCO role?
López Alonso: In Mexico, organisations have
been doing things their own way for many years and
saw no need to implement new ideas, programmes
or policies in their day-to-day practice. Every day,
more organisations are willing to change their modus
operandi as long as they remain successful, but a
lot of companies still consider compliance systems
to be useless. A huge cultural change is needed in
Mexico in order for all companies to understand and
implement compliance policies. Even though their
organisations are subject to criminal charges, many
corporate leaders will only implement systems in
order to comply with the law, being unwilling to make
a genuine commitment to compliance. Perhaps such
firms will only understand the role and importance
of the CCO if they are charged with criminal offences
and fail to prove, in the judge’s opinion, that they
have implemented sufficient controls to prevent
unlawful actions from being committed for their
benefit.
R&C: Are you seeing more CCOs work alongside chief risk officers (CROs) to jointly achieve their company’s compliance objectives?
López Alonso: It is extremely important for
CCOs to work alongside chief risk officers (CROs). A
successful compliance programme should be tailor-
made considering the risks that the company faces
and its structure, areas of risk, directors and staff.
Compliance programmes should be adapted to the
company’s specific needs. A programme designed
for one company will not serve to prevent problems
from arising in another. CCOs and CROs should work
together to educate the company’s board, leaders
and employees, and to change their mindset about
the need to implement a compliance
programme, and the convenience of doing
so.
R&C: In terms of compliance breaches, how would you characterise the extent to which a CCO should be held responsible? How frequently are CCOs essentially used as scapegoats in the event of non-compliance?
López Alonso: A CCO should be
considered successful to the extent that she ensures
commitment to company policies and procedures,
reports to the board and directors, and oversees
the steps taken by her company in response to
specific incidents. Given that most CCOs have to deal
with blindness and indifference on the part of their
colleagues, before assessing their effectiveness,
one should analyse the company environment,
determining whether they are supported by their
bosses and colleagues, or whether the latter use
them as scapegoats. The success of a CCO can be
measured in terms of the number of complaints
filed by employees and measures taken in response
to them. It is impossible for a company to have
no compliance issues, but it should not be held
responsible if one of its directors or employees
commits a criminal act, if it has successfully
implemented a compliance programme and taken
serious steps to prevent the criminal act.
R&C: What broad advice would you offer to CCOs on effectively overseeing company policies, procedures, products and services to ensure they are compliant with regulatory requirements? How important is company-wide compliance training in this regard?
López Alonso: It is very important for a CCO
to have adequate training and to implement
programmes and measures in conjunction with
the CRO and other executives that improve the
company’s functionality and ensure employees
maintain compliance. A compliance programme that
makes a company less successful or less competitive
is useless. However, the most important advice is to
record everything, from incidents, communications
and recommendations to the board, and the steps
taken in response to these communications and
recommendations. Even if they face apathy or
indifference on the part of leadership and directors,
CCOs should record all their efforts to implement
compliance policies, and all their recommendations
on these matters.
R&C: How do you see the role of the CCO evolving in the years ahead? With regulatory compliance perhaps more complex than ever, to what extent can we say that a CCO is an essential appointment?
López Alonso: Given that compliance legislation
is new to Mexico, in the coming years we will only
see it being taken on board by corporate hierarchies.
Since leaders and directors are facing a cultural
change, they are finding it hard to understand the
importance of including a CCO within the corporate
hierarchy. The evolution of the CCO role in Mexico,
and the importance assigned to it, depend on
companies’ commitment to compliance. Eventually,
companies will be classified into two groups – those
that are really committed to compliance, where the
CCO plays a crucial role, and those that superficially
implement compliance policies and programmes just
to minimally comply with their obligations, where
the CCO is only appointed in order to ‘save face’ and
make the company appear as if it is committed to
compliance.
PERSPECTIVES
YOU MAY NEVER BE FREE OF LIABILITY FROM OLD CONDUCT, IF THE SEC HAS ITS WAY
BY GABRIEL K. GILLETT, HOWARD S. SUSKIN AND ADAM G. UNIKOWSKY
> JENNER & BLOCK LLP
An important component of evaluating risk
is determining when the risk abates. In the
context of enforcement actions brought by
the US Securities and Exchange Commission (SEC),
the risk abates when the SEC runs out of time to
seek relief in court. So, when does that time run out?
For years, the SEC’s position has been never – that
it may seek certain relief at any time, regardless of
how long ago the allegedly improper conduct took
place.
Over the past decade, however, the US Supreme
Court has steadily reined in the SEC by enforcing
the five-year statute of limitations in 28 U.S.C. §
2462, which applies to government actions seeking
“any civil fine, penalty, or forfeiture”. The Court first
applied § 2462 to SEC claims for money penalties.
Then the Court applied § 2462 to SEC claims for
disgorgement. Now, some wonder whether § 2462
applies to SEC claims for an injunction on being
employed in the securities industry or serving as
an officer or director. Although courts have not yet
squarely addressed that question, there are good
reasons to think the answer is yes.
Some brief history may help understand where
we may be going. In the watershed case of Gabelli
v. SEC, the Supreme Court unanimously held that
the SEC must bring claims for money penalties
within five years of when the underlying alleged
misconduct occurred. 568 U.S. 442 (2011). It did
not matter that the SEC had not uncovered the
misconduct until later, or that the SEC was acting
in the public interest, the Court explained; “even
wrongdoers are entitled to assume that their sins
may be forgotten”. And five years was viewed as
plenty of time for the SEC, with its powerful tools to
root out fraud, to discover any untoward activity. As
a result, targets of SEC investigations had a complete
defence if the allegedly improper acts occurred
more than five years before the SEC initiated an
enforcement action.
In 2017, the unanimous Court again constrained
the SEC’s authority to bring claims based on conduct
that had occurred more than five years before the
SEC filed suit. In Kokesh v. SEC, the Court held that
“SEC disgorgement constitutes a penalty within the
meaning of §2462” for three main reasons. 137 S.
Ct. 1635 (2017). First, “[t]he violation for which the
remedy is sought is committed against the United
States rather than an aggrieved individual”. Second,
“disgorgement is imposed for punitive purposes”
– often to “‘label defendants wrongdoers’ as a
consequence of violating public laws” and to deter
future violations – and “[s]anctions imposed for
the purpose of deterring infractions of public laws
are inherently punitive”. Third, “in many cases, SEC
disgorgement is not compensatory” because the
disgorged funds are frequently not returned to
victims. The Court then concluded that because
disgorgement “bears all the hallmarks of a penalty”
under this framework, the “5-year statute of
limitations in § 2462 therefore applies when the SEC
seeks disgorgement”.
Neither Kokesh nor Gabelli had occasion to
address whether § 2462 also applies to SEC claims
for an injunction that bars an individual from being
employed in the securities industry or serving as an
officer or director. Yet the logic of those unanimous
decisions suggests that a bar operates as a penalty,
and so the SEC is limited in when it may seek that
form of relief. As of the time of this writing, no
appellate court post-Kokesh has yet held that § 2462
applies to an employment or officer/director bar.
But the road to that conclusion has arguably been
paved, should a litigant in the right case persuade a
court to take it.
Before Kokesh, some courts of appeals had held
that in some situations § 2462 applies to injunctions
on employment or serving as an officer or director.
The US Court of Appeals for the DC Circuit, most
notably in Johnson v. SEC, held that if the injunction
was directed to remedying bad acts and not to
deterring future misconduct, then it must be based
on conduct within the prior five years. 87 F.3d 484
(D.C. Cir. 1996); but see McCurdy v. SEC, 396 F.3d
1258 (D.C. Cir. 2005) (finding a one-year suspension
“was not to punish... but rather to protect the
public”). The US Court of Appeals for the Fifth Circuit
built on that precedent, in SEC v. Bartek, and found
that lifetime officer/director bars are punitive if
they “have a stigmatizing effect and long-lasting
repercussions”, but neither address “past harm
allegedly caused by the Defendants” nor “the
prevention of future harm in light of the minimal
likelihood of similar conduct in the future”. 484 F.
App’x 949 (5th Cir. 2012). That court also suggested
that a lifetime bar may be punitive in every case,
based on its “severity and permanent nature”. The
US Court of Appeals for the Eleventh Circuit reached
a contrary conclusion – in SEC v. Graham, which
was decided shortly before Kokesh – by holding that
injunctions are never penalties because they look
forward, whereas punishments look backward. 823
F.3d 1357 (11th Cir. 2016).
As of this writing, appellate courts have not yet
waded into this pre-Kokesh disagreement. The US
Court of Appeals for the Eighth Circuit rejected
the SEC’s argument that § 2462 categorically does
not apply to injunctions in SEC v. Collyard, but the
case involved an “obey the law” injunction not an
employment or officer/director bar. 861 F.3d 760
(8th Cir. 2017). And an appeal pending in the US
Court of Appeals for the Third Circuit, SEC v. Gentile,
raises the question whether § 2462 applies to a
“penny stock bar” that enjoined a defendant from
participating in penny stock offerings. The District
Court said yes, finding that the bar was punitive
based on the reasoning in Kokesh. No. 16-1619 (D.N.J.
Dec. 13, 2017). During oral argument in the appeal,
Circuit Judge Thomas Hardiman strongly suggested
that he agreed, openly wondering “how could
barring [Gentile] from an industry not be punitive”.
But whether the appellate panel reaches that issue,
what the panel concludes and how far the panel
goes – including whether it discusses employment
or officer/director bars, or just penny
stock bars – will not be clear until its
decision issues.
In the meantime, the DC Circuit’s
decision in Saad v. SEC, and particularly
a concurring opinion by then-Judge
Brett Kavanaugh before his elevation
to the US Supreme Court, may shed
the most light on how employment
and officer/director bars will fare
after Kokesh. In Saad, an employee
misappropriated his employer’s
funds and repeatedly attempted to cover up his
wrongdoing. His efforts failed, and FINRA “imposed a
bar that permanently forbade Saad from associating
with any FINRA member firm in any capacity”. The
SEC eventually “affirmed the permanent bar finding
it to be ‘remedial, not punitive’”. The DC Circuit
vacated that decision in part and remanded “for
the Commission to determine in the first instance
whether [Kokesh], has any bearing on Saad’s case”.
873 F.3d 297 (D.C. Cir. 2017).
Then-Judge Kavanaugh concurred, writing
separately to explain why he viewed the
employment bar as a penalty after Kokesh. Noting
that Kokesh “was not limited to the specific
statute at issue there”, he reasoned that the
employment bar – which the court had earlier
called the “securities industry equivalent of capital
punishment” – deters but does “not provide a
remedy to the victim”. Therefore, following Kokesh’s
logic, the employment bar was “a penalty, not a
remedy”.
Applying then-Judge Kavanaugh’s reasoning, if the
SEC sought an employment or officer/director bar
more than five years after the alleged misconduct
occurred, then § 2462 would provide a complete
defence. But no court has yet reached that
conclusion or faced a case presenting that situation.
So it remains to be seen whether courts will extend
Kokesh, adopt then-Judge Kavanaugh’s view, or take
a contrary position.
The history of Kokesh, and prior cases interpreting
the reach of § 2462, suggest that the SEC will
ardently maintain its narrow view of the five-year
limitations period until the Supreme Court forces
the agency to change positions. Indeed, the SEC
has continued to insist post-Kokesh that it may
seek injunctions, including employment and
officer/director bars, based on alleged misconduct
regardless of how long ago it occurred. So those
in the financial industry – including officers and
directors of public companies – and targets of SEC
enforcement actions should be sure to argue that
employment and officer/director bars are punitive,
and that the five-year limitations period applies
to SEC claims seeking those bars as a result.
Targets would also be wise to preserve and press
those arguments in court and on appeal, to both
encourage a court to apply § 2462 to an employment
or officer/director bar, and to take full advantage
should another court apply the statute in a different
case. RC&
Gabriel Gillett
Litigation Associate
Jenner & Block LLP
T: +1 (312) 840 7220
Howard Suskin
Partner
Jenner & Block LLP
T: +1 (312) 923 2604
Adam Unikowsky
Partner
Jenner & Block LLP
T: +1 (202) 639 6041
PERSPECTIVES
ROLE OF RISK CULTURE IN EFFECTIVE IMPLEMENTATION OF RISK GOVERNANCE
BY RUCHI AGARWAL AND SANJAY KALLAPUR
ISB
Poor risk culture is a major reason for many
financial institutions’ failure. It often manifests
in top management not walking the talk – the
vision and mission statements are on paper only and
do not hold in practice. The recent incident at Wells
Fargo provides several insights into the financial
industry’s risk culture and its association with poor
leadership, improper incentives, weak controls and
unethical employee behaviour.
While the importance of culture is well recognised,
boards have a tendency to take it as a given rather
than something they can create and influence. Risk
culture is all about behaviours by organisational
actors that translate into organisational norms,
values and practices. The UK Financial Conduct
Authority (FCA) has highlighted that culture is not
optional; it exists everywhere, whether we like it or
not. Companies and their boards need to think about
what the right culture is, and how to achieve it.
Risk culture in financial organisations has received
the attention of financial regulators and professional
bodies worldwide. The International Institute of
Finance (IIF), the Financial Stability Board (FSB), the
Institute of Risk Management (IRM) and very recently
the Australian Prudential Regulation Authority (APRA)
have emphasised that organisations are responsible
for their risk culture. The split of the UK regulator,
Financial Service Authority (FSA), into the Prudential
Regulatory Authority (PRA) and the Financial Conduct
Authority (FCA) in 2013 was a stepping stone in this
direction. The FCA’s primary role was to develop
and inculcate good risk culture in UK financial
institutions. Companies have repeatedly found that
merely establishing structures and policies for risk
governance is insufficient until these are aligned with
culture and good practices.
This raises a question for practitioners: how to
develop a good risk culture? To understand this, we
studied several organisations in India and the UK and
found three types of risk culture, described below.
Compliance-based risk culture – do what you are being told
Financial institutions operate in a strict regulatory
environment. Following the 2007-08 crisis,
regulations became more stringent worldwide. In
some companies, regulation rules risk governance
and sets the bar. Their primary interest is in meeting
the regulatory standards in form rather than
substance. This leads to a compliance-based risk
culture, with a tick-box approach. These companies
often find that by the time they make changes in
the system to accommodate changed regulations,
newer regulations are introduced.
Defensive risk culture – do what pleases the management and protects you if something backfires
In many organisations, truthfulness in risk
reporting is not encouraged, and senior executives
have been fired for revealing problems in the
system. Employees wonder why they should put in
the effort to manage risk effectively when they are
asked only to report it at the end of the year. The
actual quality of risk management does
not matter; rather, top management
wants to hear good news in the
short term by prioritising profits over
professional ethics. Defensive attitudes
and behaviours are inculcated: “If
something goes wrong, somebody
else made the decision, not me.”
Fear of action and litigation has led to
defensive behaviour being ingrained
in a defensive risk culture. Over-
reporting of risk is one such behaviour:
the reporting employee is protected
because he or she reported it, never mind that the
higher-ups to whom it is reported do not have the
time or the understanding to process everything that
has been reported. But higher-ups are also protected
because decisions are made by committees,
so either nobody is responsible or everybody is
responsible for any mishap.
Cognitive risk culture – understand your risks, roles and responsibility and report adequate risk to management
In contrast to compliance-based risk culture and
defensive risk culture, a few companies worked
on understanding the root cause of poor risk
culture. The board of a British insurance company
began with the three lines of defence model of risk
governance (frontline employees being the first line,
CRO’s office the second line and internal audit the
third). The company found that the root cause lies
in poor risk reporting: the control self assessment
(CSA) method fails to engage employees and
promotes a defensive attitude. Another challenge
it identified was that risk reporting was considered
to be a year-end activity rather than a regular
activity. The company understood that it is not
possible to improve risk culture until everyone in the
organisation understands the risks, and their roles
and responsibilities in the three lines of defence
model of risk governance. The company created
new rules and introduced several tools to improve
risk culture. Some frontline employees were trained
to become risk champions who bridged the gap
between the first line and the second line. Risk apps
were developed to update senior executives and the
board regularly, while roles and responsibilities of
every employee were mapped using a management
awareness of risk (MAR) index.
Conclusion
Cognitive risk culture in the organisation supports
good practices in risk governance and thereby
promotes the sustainability of the organisation
in the long term. It must be encouraged, and
organisations must approach risk management
efforts by understanding them holistically from a
system perspective. Tick-box or quick-fix approaches
backfire and limit the usefulness of risk management
efforts. RC&
Ruchi Agarwal
Senior Researcher
Indian School of Business (ISB)
T: +91 981 098 6496
Sanjay Kallapur
Professor of Accounting and Deputy Dean
Indian School of Business (ISB)
T: +91 40 2318 7138
MINI-ROUNDTABLE
AUTOMATED THIRD-PARTY RISK ASSESSMENT
PANEL EXPERTS
Greg Matthews
Partner, Advisory, Operations &
Compliance Risk
KPMG
T: +1 (212) 954 7784
Greg Matthews has significant experience helping his clients to transform their risk management operations based on regulatory and business drivers. Mr Matthews has worked with clients as they seek to manage disruption in their industry, meet regulatory expectations and use technology to drive both effective and efficient risk management practices. He brings his global experience to his clients to provide perspectives on how to implement changes in culture and balance risk and performance drivers. Mr Matthews leads third-party risk management for KPMG.
Lisa D. Rawls
Principal, Advisory, Governance, Risk and
Compliance
KPMG
T: +1 (703) 286 8591
Lisa D. Rawls is a principal in KPMG’s Advisory Services practice and is the Americas leader for the Governance, Risk and Compliance (GRC) Technology service network. Ms Rawls has over 15 years of experience assisting organisations in navigating complex risk transformation initiatives by leveraging her analytical and design-focused thinking, technology and process-engineering skills.
Jon Dowie
Partner, Financial Services Consulting
KPMG
T: +44 (0)20 7311 5295
Jon Dowie has over 20 years’ experience of delivering and leading third-party risk management projects within the financial services market. With a specialism in third parties, technology and data security, his work often involves working with clients to help improve their maturity and comply with regulatory expectations and best practice. Mr Dowie regularly works with the UK regulators on these topics and has assisted clients with compliance and in improving governance, risk, process and control across the end-to-end vendor lifecycle.
Jorge Blanco
Principal, Advisory
KPMG
T: +1 (212) 872 2173
Jorge Blanco is a principal in KPMG Advisory and leads the Spectrum organisation, which helps clients solve complex ongoing business challenges (e.g., third-party risk management, lease accounting) through insights-driven, outcome-based solutions which leverage a managed services delivery model. He has extensive leadership experience in strategic marketing and product management for companies in the communications, collaboration application, advanced analytics and business consulting industries. Mr Blanco joined KPMG in October 2015 as head of Products and Solutions, responsible for driving the growth of KPMG Spectrum’s global solution portfolio.
R&C: How would you characterise the level of risk that can arise from third-party relationships in today’s business world? To what extent are potential liabilities increasing in this area?
Matthews: Outsourcing is where a service you
traditionally performed is handed over to a third party
to deliver. Outsourcing exposes an organisation to
the risk that the third party will not manage risk in
a manner consistent with the outsourcer’s policies
and expectations. For example, if confidential data is
shared with a third party, and that data is lost because
the third party did not safeguard the data in line with
the outsourcer’s policies, the outsourcer’s reputation
is negatively impacted, and the cost of remediation
efforts can severely impact the bottom line.
Dowie: Outsourcing continues to increase, driven
by the need to manage costs and to meet customer
demands. This trend is likely to continue as the
ecosystems of product/service support and client
experiences become ever more complex.
Blanco: The ultimate responsibility for managing
risk and negative consequence remains with the
outsourcer. Therefore, third-party risk management
(TPRM) programmes have been evolving to ensure
that each of the responsible risk oversight functions
– such as compliance, information security and
business continuity, among others – and the business
unit itself are deeply involved in assessing how
the third party is managing risk on behalf of the
outsourcer, both pre- and post-contracting. The
business unit which engaged the third party has the
responsibility to ensure that the service is delivered in
line with expectations and that the requisite controls
deemed essential by the oversight functions are in
place and operating as expected.
R&C: What are some of the common failures and shortcomings you see among companies trying to manage third-party risk?
Matthews: One common failure is the lack of
involvement by the risk oversight functions in the
decision to use a third party to perform activities
previously conducted in-house. These risk oversight
functions are made aware after a contract is signed
and the third party has commenced delivery of its
services. At this point, it is very difficult to demand
the third party improve the control environment to
enhance risk management.
Rawls: Another common failure is lack of clarity
on roles and responsibilities between the various
functions within the organisation – meaning, who
is doing what and when. Coordinating among the
various stakeholders – in some organisations there
can be up to 20 functions – to assess the third
party’s ability to deliver the service in line with the
outsourcer’s expectations is time consuming and
complex. The need for clearly defined roles and
responsibilities is the key to successful coordination
of both pre- and post-contracting activities.
Dowie: Ongoing monitoring by multiple
stakeholders over the life of the contract
is required to confirm that the services
delivered remain in line with expectations,
given the constantly changing environment
in which organisations operate. For
example, as data privacy rules change,
is there a change management process
in place to ensure existing contracts
and services are amended to maintain
compliance?
R&C: What advice can you offer to companies on carrying out an effective third-party risk assessment? How important is technology as a means to help detect potential red flags?
Dowie: The starting point is involving the right
set of stakeholders that have a deep understanding
of the service being outsourced and the potential
risks associated with that service. For example, if the
third party requires access to your system, knowing
which system and what data they have access to
helps with identifying the appropriate individual from
the information security function who needs to be
involved, and the control evaluation questions the
outsourcer will need responses to in order to assess
the third party’s ability to manage information and
network security.
Blanco: Advances in technology have greatly
assisted with both pre-contract risk assessment as
well as post-contract risk monitoring of services
delivered. Pre-contracting, given the service delivery
has not yet commenced, the assessment performed
on the third party centres on review of the applicable
control environment. Here, technology can be
leveraged to assist with the identification of anomalies
in responses, for example a service category being
‘cloud storage’ and ‘no data is shared’. Additionally,
gathering intelligence on the third party, such as
negative news, pending lawsuits, regular change in
senior management and so on, is important to assess
potential reputational risk.
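Blanco's point about technology spotting contradictions in a vendor's answers (a 'cloud storage' service that claims 'no data is shared') is the kind of check that is easy to automate as a small rule set run over every completed questionnaire. The block below is an added example, not KPMG's tooling or anything from the roundtable; the question keys, the four rules and the three vendors' answers are all constructed for illustration, and a real programme would draw the rules from its own control-evaluation question set.

```python
"""Cross-field consistency checks on third-party due-diligence questionnaire responses.

Added example, not KPMG's or the magazine's code. The question keys, service
categories, rules and sample vendor answers are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    """A predicate over one vendor's answers plus the message raised when it fires."""
    rule_id: str
    description: str
    fires: Callable[[dict], bool]


# Hypothetical question keys; each rule pairs two answers that should not both be true.
RULES = [
    Rule("R1", "service category implies the vendor holds data, but vendor says no data is shared",
         lambda r: r.get("service_category") in {"cloud storage", "managed hosting"}
         and r.get("data_shared") == "none"),
    Rule("R2", "vendor claims encryption at rest but reports that no data is shared",
         lambda r: r.get("encryption_at_rest") == "yes" and r.get("data_shared") == "none"),
    Rule("R3", "vendor has access to our systems but names no security contact",
         lambda r: r.get("system_access") == "yes" and not r.get("security_contact")),
    Rule("R4", "vendor reports a breach in the last 24 months but has no incident response plan",
         lambda r: r.get("breach_last_24m") == "yes" and r.get("incident_response_plan") != "yes"),
]


def check_response(answers: dict) -> list[str]:
    """Return the ids of every rule that fires for one vendor's answers."""
    return [rule.rule_id for rule in RULES if rule.fires(answers)]


def screen(responses: dict[str, dict]) -> dict[str, list[str]]:
    """Screen all vendors; only vendors with at least one anomaly appear in the result,
    so the oversight function reviews a short exception list rather than every return."""
    flagged: dict[str, list[str]] = {}
    for vendor, answers in responses.items():
        hits = check_response(answers)
        if hits:
            flagged[vendor] = hits
    return flagged


def describe(rule_id: str) -> str:
    """Human-readable reason for a flag, for the reviewer's queue."""
    return next(r.description for r in RULES if r.rule_id == rule_id)


# Constructed sample responses (hypothetical vendors).
SAMPLE_RESPONSES = {
    "Acme Cloud Ltd": {
        "service_category": "cloud storage", "data_shared": "none",
        "encryption_at_rest": "yes", "system_access": "no", "security_contact": "",
        "breach_last_24m": "no", "incident_response_plan": "yes",
    },
    "Beta Payroll Inc": {
        "service_category": "payroll processing", "data_shared": "employee PII",
        "encryption_at_rest": "yes", "system_access": "yes", "security_contact": "",
        "breach_last_24m": "yes", "incident_response_plan": "no",
    },
    "Gamma Print Co": {
        "service_category": "printing", "data_shared": "marketing copy",
        "encryption_at_rest": "no", "system_access": "no", "security_contact": "",
        "breach_last_24m": "no", "incident_response_plan": "no",
    },
}

if __name__ == "__main__":
    for vendor, hits in screen(SAMPLE_RESPONSES).items():
        for rule_id in hits:
            print(f"{vendor}: {rule_id} - {describe(rule_id)}")
```

The rules deliberately look at pairs of answers rather than single values: a vendor that answers 'no data is shared' is unremarkable on its own, and so is 'cloud storage'; it is the combination that tells the reviewer the questionnaire was filled in carelessly or evasively and needs a follow-up call before contracting.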
Rawls: Post-contracting, now that the service
is being delivered, the outsourcer has access to a
greater amount of data to be used to assess the third
party’s compliance with contract terms.
Here, technology can be utilised to assess
compliance with the various service-
level agreements (SLAs) that have been
established within the contract, and assist
the outsourcer with managing the complex
terms of a contract.
Matthews: For critical service contracts,
the need to understand when non-
conformance has occurred is far greater
as the potential impact – in terms of fines
or restitutions – is also exponentially
greater. An example of technology use is call centre
monitoring, where calls are converted to text and
compared to the approved scripts that the agent
should have followed, then deviations are identified,
promptly remediated and the call centre operators
are retrained. This allows for monitoring compliance
with consumer protection requirements.
R&C: Could you outline how automation can be introduced into the third-party risk assessment process? What are some of the advantages and disadvantages associated with automation?
Rawls: Technology automation plays a major
role in the enablement of a programme, helping
with assigning owners to tasks to minimise manual
handoff via email system and storage of individual
files on share folders, establishing workflow based on
third-party risk levels, enabling sharing of assessment
results across third parties which may provide
multiple products or services to the organisation, and
providing the third-party oversight function with the
ability to generate management reporting on a timely
basis.
Matthews: Using the example of leveraging
technology automation to continuously monitor the
performance of a critical contract and the established
SLAs within, the required SLAs should be defined
along with acceptable operating tolerances. These
operating tolerances drive the metrics required to
be provided by the third party and measured for
conformance. Upon periodic provision of service
conformance data, technology can be configured to
monitor the data against predefined tolerances. Upon
breach of a predefined risk or performance tolerance,
the various stakeholders, including risk oversight
functions and leadership structures, can be informed.
Remediation can then be put in place
to bring the service back to acceptable
tolerance levels.
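Matthews describes a loop with four parts: SLAs defined with tolerances, periodic conformance data from the third party, comparison against the tolerances, and notification of the right stakeholders on breach. The block below is an added example of that loop and is not KPMG's code or a product; the SLA names, targets, tolerances, stakeholder routing and the three months of conformance data are constructed. It goes one step beyond the paragraph by also escalating a metric that is breached in consecutive periods, which is how leadership structures, rather than only the service owner, come to be informed.

```python
"""Tolerance-based monitoring of third-party SLA metrics.

Added example, not KPMG's or the magazine's code. The SLA names, targets,
tolerances, stakeholder routing and monthly reports are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Sla:
    metric: str               # key the third party reports each period
    target: float             # contractual level
    tolerance: float          # acceptable drift beyond the target
    higher_is_better: bool    # availability: True; response hours: False
    notify: tuple[str, ...]   # stakeholders informed on any single breach

    def limit(self) -> float:
        """Threshold beyond which a period counts as a breach."""
        return self.target - self.tolerance if self.higher_is_better else self.target + self.tolerance

    def breached(self, value: float) -> bool:
        return value < self.limit() if self.higher_is_better else value > self.limit()


@dataclass(frozen=True)
class Breach:
    period: str
    metric: str
    value: float
    limit: float
    notify: tuple[str, ...]


# Constructed SLAs for a hypothetical critical hosting contract.
SLAS = [
    Sla("availability_pct", 99.9, 0.4, True, ("service owner", "IT risk")),
    Sla("incident_response_hours", 4.0, 2.0, False, ("service owner", "information security")),
    Sla("critical_patch_days", 30.0, 15.0, False, ("service owner", "information security")),
]

# Constructed periodic conformance data, as the third party would supply it.
REPORTS = [
    {"period": "2019-01", "availability_pct": 99.95, "incident_response_hours": 3.5, "critical_patch_days": 20.0},
    {"period": "2019-02", "availability_pct": 99.40, "incident_response_hours": 5.0, "critical_patch_days": 47.0},
    {"period": "2019-03", "availability_pct": 99.70, "incident_response_hours": 7.5, "critical_patch_days": 50.0},
]


def evaluate(slas: list[Sla], reports: list[dict]) -> list[Breach]:
    """Compare every reported value with its SLA limit. A metric the third party
    failed to report at all is recorded as a breach with value NaN, since silence
    must not look like conformance."""
    breaches: list[Breach] = []
    for report in reports:
        for sla in slas:
            if sla.metric not in report:
                breaches.append(Breach(report["period"], sla.metric, float("nan"), sla.limit(), sla.notify))
            elif sla.breached(report[sla.metric]):
                breaches.append(Breach(report["period"], sla.metric, report[sla.metric], sla.limit(), sla.notify))
    return breaches


def escalate(breaches: list[Breach], periods: list[str], consecutive: int = 2) -> set[str]:
    """Metrics breached in `consecutive` or more periods in a row are escalated
    beyond the routine notify list (to leadership, in the article's terms)."""
    breached = {(b.period, b.metric) for b in breaches}
    escalated: set[str] = set()
    for metric in {b.metric for b in breaches}:
        run = 0
        for period in periods:            # periods must be in chronological order
            run = run + 1 if (period, metric) in breached else 0
            if run >= consecutive:
                escalated.add(metric)
                break
    return escalated


if __name__ == "__main__":
    found = evaluate(SLAS, REPORTS)
    for b in found:
        print(f"{b.period} {b.metric}={b.value} (limit {b.limit}) -> notify {', '.join(b.notify)}")
    print("escalate to leadership:", sorted(escalate(found, [r["period"] for r in REPORTS])))
```

Keeping the tolerance separate from the contractual target is deliberate: the target is what the contract says, the tolerance is what the risk appetite accepts before anyone is woken up, and the two are owned by different people.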
Dowie: Automation has a role to play at
many stages in the TPRM lifecycle. Where
automation can have a transformative
effect is helping to manage workflow
across stakeholder groups. At some
organisations, this can involve 15-20
groups. Automation can centralise the
production and storage of due diligence
and monitoring questionnaires, plus the
associated results, and maintain an audit trail of
evidence.
Blanco: The upside of leveraging advanced
technology for oversight of critical and large complex
contracts is having the ability to monitor the delivery
of a service near real-time, in a cost-effective and risk-
based approach. The downside of current technology
is that it can be time consuming and expensive to
configure, as some types of monitoring can take
upwards of six months, and the configuration may not
easily lend itself to monitoring other critical contracts.
R&C: What types of automated solutions are available? What considerations should companies make when evaluating their options?
Matthews: When looking to automate key
aspects of a TPRM programme, there are a number
of available technology options to consider. It is
important to distinguish between the procurement
technology architecture and the risk architecture.
Rawls: Organisations with a large inventory
of third-party services require automation of the
workflow to assess the third party’s ability to manage
risk, collect evidence of review and facilitate the
ongoing monitoring of that contract. These types of
workflow solutions can be purchased off-the-shelf,
or built internally. Both approaches have pros and
cons and the decision is largely determined by an
organisation’s preference.
Dowie: Certain risk assessments,
such as negative news, geopolitical risk,
cyber risk and financial viability risk,
have become more cost effective due to
automation, with many service providers
in the market providing services of this
nature. Further, the emergence of industry
utilities that facilitate the collection of
responses to third-party risk assessment
questionnaires and execution of onsite
review are also saving effort in the risk
assessment process.
Blanco: Managing the ongoing performance of
third-party services relative to contract terms and
conditions is an area that is well-suited to automation,
as there are often many components that need to
be assessed as part of the delivery of a complex
service. Additionally, advances in cognitive contracting
solutions further improve the onerous analysis
necessary in the event that changes to terms and
conditions are required across a large set of contracts.
R&C: To what extent should the assessment process be customised or tailor-made for different types of third parties a company interacts with? How can automation assist on this front?
Dowie: Our view is that organisations would
benefit greatly from being ‘intelligence-led’ in their
risk assessment process, in order to customise the
focus and question set. A standardised, blanket
approach may work for low risk third parties, but we
would advocate customisation and risk are the focus
for the remaining population.
Matthews: The more complex the service
delivered by the third party, the more detailed the
risk assessment is generally. Each organisation has
a different risk appetite and organisational structure,
and therefore a slightly different risk assessment
process is required for similar services. This risk-based
approach to tailoring third-party risk assessment
is foundational in establishing a successful TPRM
programme that is fit for purpose for an organisation.
R&C: What innovations are set to improve automated third-party risk assessments? How do you see the process evolving in the coming months and years?
Matthews: One of the more onerous aspects of
the TPRM process is collecting responses to the risk
assessment questionnaires posed to the third party.
In a number of industries and locations globally,
industry utilities or consortiums are being established
to collect responses to a standard set of questions
asked of a third party and the validation of the
responses. While this is not technology automation
per se, it does save time and money in the gathering
and evaluation of information connected to the
provision of third-party process. While at the
moment these industry utilities may not cover the
full inventory of third parties used by a large global
organisation, this concept of cost sharing is gathering
a lot of focus.
Rawls: New TPRM workflow solutions continue to
be introduced every year. They provide a high degree
of flexibility in configuration and customisation that
is desirable given the different needs of the ultimate
end-users. Certain providers of workflow solutions
are newer entrants to the market, while others
are established risk management solution and IT
providers moving into having an integrated module
for TPRM. Organisations should conduct a thorough
review of potential solutions to ensure their choice is
aligned to their specific needs.
Dowie: We are seeing organisations re-
evaluate the risk assessment process, challenge
the segmentation approach to ensure it remains
fit for purpose, re-examine their ownership and
operating model, and create a Centre of Excellence.
These efforts are to better understand where the
bottlenecks are and whether the internal stakeholders
are evaluating potential risk and the mitigating
controls in line with their role and responsibilities.
Removing these bottlenecks is helping organisations
to gain greater efficiencies in the process, which
further augment the efficiencies provided through use
of advanced technologies.
Blanco: It is not enough to expect technology to
solve all the problems of a TPRM programme, but
rather to use technology to automate and facilitate a
well-designed process. RC&
PERSPECTIVES
PROTECTING THE CROWN JEWELS: A GUIDE TO SAFEGUARDING TRADE SECRETS AND CONFIDENTIAL BUSINESS INFORMATION
BY ROBERT YONOWITZ
FISHER PHILLIPS
Companies constantly search for new
advantages over their competition. They
dedicate significant financial and human
capital resources to research and development of
new or improved products and services, marketing
and pricing strategies, and strategic business
plans. However, these same companies often do
not implement appropriate procedures to ensure
that their employees do not take this valuable
information with them when they leave to join a
competitor or start their own competitive enterprise.
It is essential that businesses understand that, in
order to enjoy judicial protection over confidential
or trade secret information, they must be able to
demonstrate that they took reasonable measures to
ensure the secrecy of the information. The purpose
of this article is to provide a practical approach
for companies to take to protect this valuable
information asset and to demonstrate that the
business has taken reasonable steps to protect the
company’s crown jewels.
Identify the ‘crown jewels’
The first step in protecting the crown jewels in
your organisation is to identify to employees what
the jewels are. You should effectively
communicate a sufficient description
and identification of the types of
information that you want treated as
confidential. Each employee should
sign a nondisclosure/confidentiality
agreement. These are valid in every
US state – even in those that do not
permit covenants not to compete
(which are beyond the scope of this
article).
A nondisclosure/confidentiality
agreement accomplishes a variety
of goals, the most important of which is that it
confirms that the employee has been or will be
exposed to certain company trade secrets and other
confidential and proprietary information. Even in
states that do not permit non-compete agreements,
most will enforce a nondisclosure/confidentiality
agreement that contains a non-solicitation provision.
These provisions prohibit a departing employee
from soliciting, directly or indirectly, your customers
or clients through the use of confidential or trade
secret information, regardless of where they are
located, to do business with them.
While the existence of a nondisclosure/
confidentiality agreement is one measure that
demonstrates that your company has taken
reasonable measures to protect your confidential/
trade secret information, you still need to treat the
paper/electronic information like the diamond you
want to protect. Therefore, you must also implement
physical and cyber security measures to control
access to company confidential/trade secret
information.
Setting up security measures
In terms of physical security, you should restrict
access to servers, routers and other network
technology to those whose job responsibilities
require access. You should keep wire closets, server
rooms, phone closets and other locations containing
sensitive equipment locked at all times and should
lock file cabinets and offices that store sensitive
information. You should utilise sign-in and sign-out
sheets for physical files to establish a traceable
chain of custody that shows who had the files last
before any alleged misappropriation. Finally, you
should implement procedures to watermark or
stamp all documents containing trade secrets or
confidential information as “confidential information
of X company”.
In terms of computer and cyber security
measures, you should start with the basics. Not only
should access to computers and computer networks
be password-protected, but you should also require
a separate level of password protection on sensitive
databases and documents along with the encryption
of key files and documents. Employees should not
be permitted to select their own passwords but
should instead utilise software programs that use
an algorithm to randomly assign passwords that are
a series of random letters and numbers. Passwords
should be changed at regular intervals (e.g., every
10 to 30 days) or, for better protection, can be
changed daily by using access medallions
or similar technology. Have a policy that
prohibits sharing of passwords among
employees. Company policy should require
the immediate deletion of an employee’s
password and all of that employee’s network
access rights on an employee’s termination or
resignation from the company.
You must also have a policy in your handbook that
permits your company to monitor and inspect all
employee usage of company computers, internet,
networks, external electronic storage devices,
company-owned smart phones and other similar
devices. The policy should clearly indicate that the
employee should have no expectation of privacy in
their use or access of any of these devices, networks
or company internet. The policy should provide for
employee consent to the company’s inspection of
an employee’s home or other personal computer
and electronic storage devices to recover the
company’s confidential and trade secret information
if necessary. An increasing number of companies are
utilising keystroke surveillance software to monitor,
record and audit employee usage of company
computers and information to detect in real time
any improper access, copying, downloading, cloud
access or misappropriation of company confidential/
trade secret information.
Regardless of whether you are using a cloud-
based email server or an onsite physical email
server, you should utilise an enterprise vault that
automatically retains a copy of every sent and
received email. This will prevent employees from
being able to steal the crown jewels by sending
emails containing this information to their personal
email addresses and then deleting those emails
to avoid detection. It is also an excellent way to
preserve emails that may be useful in the event of
litigation over the theft of such data.
Training
Training employees not to discuss or disclose
your company’s trade secrets or confidential
information to third parties is also an essential tool
in demonstrating the reasonable measures that
you take to protect your confidential/trade secret
information. This should occur during the on-
boarding process for all new employees.
Exit procedures
None of the measures discussed so far will be sufficient if your company does not have an established exit interview procedure to make sure that, before an employee separates from the company, they have returned all of the crown jewels in their possession, custody or control.
The importance of a comprehensive exit interview
cannot be overstated. An employer who does
not take reasonable steps to retrieve any and all
confidential and trade secret information that was in
the possession, custody or control of the soon-to-be-
departing employee will not be afforded protection
of that information by a court. It is not sufficient
to require the employee to sign a confidentiality
agreement during the term of their employment. You
must be able to demonstrate that you exercised
reasonable measures to: (i) prevent the employee
from taking confidential or trade secret information
to a competitor; and (ii) recover the information from
the departing employee, regardless of whether the
information is in paper or electronic form.
www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2019 149
The establishment of exit interview protocols as
a pattern and practice creates positive evidence
of the required reasonable measures, even if the
departing employee misappropriates confidential or
trade secret information. The exit interview protocol
should start with having the departing employee
inform you of and deliver to you all records, files,
electronic data, documents, plans, reports, books,
notebooks, notes, memoranda, correspondence,
contracts and the like, whether in paper or electronic
form, that are in their possession, custody or
control that pertain in any way to the business of
the company, including those that the employee
prepared, used or came in contact with while
employed by the company. During the exit interview,
which should be attended by two members of
management, your managers should remind the
departing employee of their continuing duty not to
disclose, use or misuse your company’s confidential
and trade secret information. The managers should
also remind the departing employee of all other
critical obligations the employee has under the
signed confidentiality agreement, including but not
limited to any non-solicitation of customers through
the use of confidential/trade secret information
provisions. In that regard, the managers should try to
obtain information about the departing employee’s
new employer (which could help determine
the potential risk of misuse of the company’s
confidential or trade secret information).
Particularly in the age of increased telecommuting,
exit interviewers should also request that
the departing employee allow the company’s
representative to inspect the employee’s personal
(including home-based) desktop computers, laptop
computers and removable storage media (such as
CD-ROM discs, thumb drives and zip drives). This
will help determine whether any of your company’s
confidential/trade secret information resides on
these computers or removable storage media and
to remove any such information. You should be
mindful of an employee’s right of privacy; but this is
why good confidentiality agreements should require
the employee to consent to a company search of
such personal devices if used to access company
confidential/trade secret information. It is also a
better practice to only permit employees to access
company confidential/trade secret information on
company-issued devices. You should then have all
accounts, network and remote access privileges and
passwords of the departing employee immediately
disabled.
Secure hardware and media
Because of departing employees’ access to
confidential/trade secret information while employed
with the company, all work desktop computers,
laptop computers, hard drives, and removable
storage media (such as CD-ROM discs, thumb drives
and zip drives) used by the departing employee
should be set aside and secured and not reissued to
new employees. This allows these memory storage
devices to be copied so that the copies can be
examined for any evidence of misuse of confidential
or trade secret information. It is important to put the
original storage devices in a secure place to maintain
chain of custody. The inspection should be done only
on copies of the information in the storage devices.
Once forensic examination is completed, the original
devices can be wiped clean if there are no issues
and then reinstalled or reused. If issues of potential
misappropriation arise, retain the originals in safe
custody for further use and examination in litigation.
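The handling steps above (image the original once, examine only a verified copy, re-check the original before wiping or retaining it) as an added Python illustration; this is not code from the article or from Fisher Phillips, and the "device" is a constructed in-memory byte string standing in for a write-blocked drive image.

```python
"""Hash-verified imaging and working-copy check for a departing employee's device.

Added illustration, not code from the article or from Fisher Phillips. The
original media is imaged once and its hash recorded; every examination runs on a
copy that is verified against that hash; the original's hash is re-checked
before it is released for wiping. The device content below is constructed.
"""
from __future__ import annotations

import hashlib
import time
from dataclasses import dataclass, field


@dataclass
class CustodyRecord:
    device_id: str
    acquisition_hash: str
    events: list = field(default_factory=list)

    def log(self, actor: str, action: str) -> None:
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
        self.events.append((stamp, actor, action))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(device_id: str, original: bytes, actor: str) -> tuple[CustodyRecord, bytes]:
    """Image the original once and open the custody record with the acquisition hash."""
    master = bytes(original)  # in practice: a bit-for-bit image taken through a write blocker
    rec = CustodyRecord(device_id, sha256(master))
    rec.log(actor, f"acquired image sha256={rec.acquisition_hash}")
    return rec, master


def working_copy(rec: CustodyRecord, master: bytes, actor: str) -> bytes:
    """Produce an examination copy and prove it matches the acquisition hash."""
    copy = bytes(master)
    if sha256(copy) != rec.acquisition_hash:
        rec.log(actor, "working copy FAILED verification")
        raise ValueError("working copy does not match acquisition hash")
    rec.log(actor, "working copy verified")
    return copy


def release_for_reuse(rec: CustodyRecord, original: bytes, actor: str, issues_found: bool) -> str:
    """Decide the original's fate once examination of the copy is complete."""
    if sha256(original) != rec.acquisition_hash:
        rec.log(actor, "original ALTERED since acquisition")
        return "retain: integrity failure"
    if issues_found:
        rec.log(actor, "retained in safe custody for litigation")
        return "retain: potential misappropriation"
    rec.log(actor, "cleared for wipe and reissue")
    return "wipe and reissue"


def demo() -> dict:
    """Run the workflow on a constructed device image and report the decisions."""
    original = b"CONSTRUCTED DEVICE IMAGE: customer list; pricing model; quarterly plan"
    rec, master = acquire("LAPTOP-0001", original, "examiner-1")
    copy = working_copy(rec, master, "examiner-1")
    # Examination touches the copy only; master and original stay untouched.
    hits = [term for term in (b"customer list", b"pricing model") if term in copy]
    outcome = release_for_reuse(rec, original, "examiner-1", issues_found=bool(hits))
    # A second check against a drive that changed after acquisition must refuse release.
    tampered = release_for_reuse(rec, original + b"!", "examiner-2", issues_found=False)
    return {"hits": len(hits), "outcome": outcome, "tampered": tampered, "events": len(rec.events)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```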
Email
Next, you should have the employee’s entire email
mailbox for their last 60 to 90 days of employment
– including inbox, outbox, sent items and deleted
items – immediately copied from your email backup
medium or enterprise vault and preserved for
possible examination for evidence of misuse of the
company’s confidential or trade secret information.
A copy of the employee’s email mailbox may also be
made from the live email server.
Termination certificate
Finally, you should request that the departing
employee sign a termination certificate that certifies
they have returned all confidential/trade secret
information. If a departing employee refuses to
sign the termination certificate, that refusal can be
used as circumstantial evidence of at least a threat
of misappropriation of confidential or trade secret
information.
By deploying these procedures, you can not only
detect and prevent theft before it happens, but can
demonstrate that you are entitled to the protection
of your crown jewels. RC&
Robert Yonowitz
Partner
Fisher Phillips
T: +1 (949) 798 2113
COMPLIANCE WITH THE EVOLVING US SANCTIONS AND EXPORT CONTROL LAWS
BY LINDSAY B. MEYER AND DEVIN SEFTON
> VENABLE LLP
In the world of sanctions and export controls, the
only constant is that they are constantly changing.
US sanctions and export controls most readily
reflect the president’s prerogative and can easily
change based on a given president’s agenda and
the evolving geopolitical environment. Furthermore,
US sanctions and export controls can present
extraterritorial risks for non-US businesses, which, in
certain cases, could be exposed to US sanctions or
export controls for transactions that have no nexus
to the US.
Monitoring and processing changes in this area
can present significant compliance challenges,
particularly under the current administration. Here,
we discuss significant developments regarding US
sanctions and export controls that have occurred
over the past year and present guidelines for
anticipating and adapting to such changes.
Key changes to US sanctions and export controls in 2018
On 8 May 2018, president Trump announced
that the US would withdraw from the Joint
Comprehensive Plan of Action (JCPOA) and re-
impose sanctions previously lifted under the deal.
As of 5 November 2018, all sanctions that had
been removed became effective again. Importantly,
non-US persons can now be subject to sanctions
for engaging in transactions involving certain
industries in Iran, including Iran’s energy, shipping
and automotive sectors. Furthermore, US-owned or
controlled non-US businesses are broadly prohibited
from engaging in any transactions involving Iran.
The US’s withdrawal from the JCPOA created a peculiar situation, with European Union (EU) and United Nations (UN) sanctions on Iran largely lifted while the US maintains comprehensive sanctions on Iran. To complicate matters further, on 7 August 2018, the EU imposed measures to prohibit EU-based companies from complying with US sanctions on Iran. This has put EU businesses ‘between a rock and a hard place’, forcing them to choose between violating EU law or US law.
Although many suspected that the Trump
administration would ease sanctions on Russia,
US sanctions on Russia have continued largely
unabated. This is due, in part, to the Countering
America’s Adversaries Through Sanctions Act
(CAATSA), which Congress passed on 27 July 2017,
and which codified certain sanctions imposed
through executive orders issued by president
Obama. CAATSA further authorised the president
to impose sanctions on non-US persons who help
persons listed on the Office of Foreign Assets
Control’s (OFAC’s) Specially Designated Nationals
(SDNs) list or Sectoral Sanctions Identifications (SSI)
list to ‘evade’ US sanctions.
Since CAATSA’s enactment on 2 August 2018,
the administration has designated numerous
Russian entities and individuals, including a number
of high-profile oligarchs and senior government
officials. Furthermore, on 27 August 2018, the US
State Department imposed new sanctions on Russia
under the Chemical and Biological Weapons Control
and Warfare Elimination Act of 1991 (CBW Act)
in response to Russia’s involvement in poisoning
two UK citizens. On 6 November 2018, the State
Department notified Congress that it would impose
a second round of potentially severe sanctions
on Russia, however the State Department has
not stated when or exactly what sanctions will be
imposed.
The administration has aggressively enforced
export controls, with a clear focus on China. On 15
April 2018, the Bureau of Industry and Security (BIS)
issued a Denial Order on ZTE, sending shockwaves
through the international business community.
The Denial Order, which prohibited any person
from supplying US-origin goods to ZTE, sent the
company’s supplier base scrambling to determine
whether they were supplying ZTE with any US-origin
goods or technology. However, on 13 July 2018, BIS
reversed course and lifted the Denial Order after ZTE
paid a $1bn fine and replaced its executive team,
among other measures.
Just months later, Huawei’s chief financial officer,
Meng Wanzhou was arrested in Canada at the
request of the US, because of allegations that Ms
Wanzhou defrauded a number of banks regarding
Huawei’s ties to Iran. The arrest has raised ongoing
concerns among Huawei’s business partners that
Huawei could suffer the same fate as ZTE, or worse.
On 13 August 2018, the Export Control Reform Act
of 2018 (ECRA) and Foreign Investment Risk Review
Modernisation Act (FIRRMA) were signed into law,
introducing reforms to US export controls and the
Committee on Foreign Investment in the US (CFIUS),
which reviews and approves foreign investment
in the US for national security concerns. The ECRA
requires, among other things, that BIS identify
“emerging and foundational technologies” that are
“essential to the national security of the United
States” and that are not currently controlled under
the Export Administration Regulations (EAR). Once
identified by BIS, these items will, at a minimum,
require licences for export to countries subject to US
arms embargoes, such as China.
Meanwhile, FIRRMA requires foreign investors
in certain US businesses involving “critical
technologies” to obtain approval from CFIUS. FIRRMA
defines “critical technologies” to include items
controlled under the EAR or International Traffic in
Arms Regulations (ITAR), as well as “emerging and
foundational technologies”. FIRRMA also expanded
CFIUS’s jurisdiction to cover certain investments
where a non-US person does not gain control over
the target US business, including in cases where
the non-US person will have access to “material
non-public technical information” possessed by the
US business. Starting 10 November 2018, certain
foreign investors must submit a notification to
CFIUS for “covered transactions” under CFIUS’s pilot
programme.
On 25 January 2019, the Trump administration
issued an Executive Order expanding sanctions on
Venezuela, and shortly thereafter added Venezuela’s
state-owned oil company, Petroleos de Venezuela,
S.A. (PDVSA) to the SDN List. As a result, PDVSA’s
US subsidiary, CITGO Holding, Inc., is now blocked.
However, the administration issued certain general
licences, which, among other things, allow US
persons to wind down transactions with PDVSA and
CITGO.
On 16 January 2019, the Trump administration
announced that it was considering allowing US
nationals to file lawsuits against certain persons,
including non-US persons, that do business with
Cuba. Namely, Title III of the Helms-Burton Act,
enacted on 12 March 1996, provides a private right
of action to US nationals to sue persons that ‘traffic’
in property confiscated by the government of Cuba
on or after 1 January 1959. Since enactment, no
claims could be filed under Title III because every
administration has used its authority under the
statute to suspend the right to file claims. However,
on 1 February 2019, the Trump administration issued
a shortened suspension of 45 days, instead of the
full six months authorised under Title III. On 4 March
2019, the State Department issued a notice that it
was suspending claims for an additional 30 days
through 17 April 2019, except for claims against
Cuban entities or sub-entities identified by name on
the State Department’s list of restricted entities and
sub-entities associated with Cuba (Cuba Restricted
List). Thus, starting on 18 April 2019, US nationals can
sue persons, including non-US persons, that ‘traffic’
in confiscated property, unless the administration
issues another suspension.
Title III could be a major source of liability for
both US and non-US businesses alike that do
business with Cuba, as the statute defines ‘traffic’
broadly to include virtually any use or benefit from
confiscated property, with exceptions for travel-
related transactions, among other things. Currently,
there are more than 5900 claims certified with the
US Foreign Claims Settlement Commission (FCSC)
relating to the government of Cuba’s confiscation
of property owned by US nationals. These claims
are valued at approximately $8.5bn, indicating the
substantial liability arising from Title III for persons
that do business with Cuba.
In addition to allowing Title III claims, there is
reason to believe that the administration may
implement further restrictions on travel to Cuba
under the Cuban Assets Control Regulations (CACR).
Namely, the CACR authorises US persons to engage
in certain forms of travel that could potentially
create liability under Title III, resulting in a somewhat
inconsistent sanctions regime. Therefore, there is a
good chance that the administration will revise the
CACR to align with Title III, by imposing additional
restrictions, including restrictions on travel and travel
service providers.
Best practices for adapting to change
The whirlwind of changes in 2018 has presented
unique challenges to both US and non-US
businesses alike. Nonetheless, among the practices
that businesses can use to anticipate and adapt to
changes in US sanctions and export controls are: (i)
monitoring legal and regulatory developments on
a continual basis and revising policies as needed;
(ii) including clauses within all agreements that
ensure such agreements automatically terminate
if, for whatever reason, the agreement violates US
sanctions or export controls; and (iii) engaging in
periodic due diligence of vendors, customers and
other business partners.
To properly monitor for legal and regulatory
developments, businesses should ensure that
someone is explicitly tasked with this responsibility
and provided with sufficient resources for the task.
Furthermore, among the language that should be
explicitly stated in termination clauses is a statement
that the agreement will automatically terminate if
the counterparty is designated as an SDN, or as a
restricted party or becomes blocked by virtue of the
counterparty’s ownership by an SDN or restricted
party.
Finally, in addition to having a risk-based screening
programme for screening new vendors, customers
and other business partners, it is important to
conduct periodic screening of existing business
partners, given the almost daily changes that are
made to the SDN List and other restricted party lists.
Furthermore, as noted, because of the ‘50 percent
rule’, companies that are not listed on a restricted
parties list can become blocked parties by virtue of
being owned or controlled 50 percent or more by
an SDN or SSI. Therefore, periodic screening should
include conducting due diligence on each business
partner’s ownership in addition to confirming
whether the company is on the SDN List. RC&
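The periodic re-screen and ownership check described above, as an added Python illustration; it is not code from the article or from Venable LLP. The list entries, company names and ownership percentages are constructed sample data; the article states only the 50 percent threshold, while the propagation of blocked status through intermediate entities (an entity counts as a blocked owner only once it is itself blocked) follows OFAC's published 50 Percent Rule guidance as the editor understands it, and the name matching is a simple normalised comparison rather than a production fuzzy-matching engine.

```python
"""Periodic restricted-party screening with an ownership ('50 percent rule') check.

Added illustration, not code from the article or from Venable LLP. SDN entries,
company names and percentages below are constructed. The page states only the
50 percent threshold; treating an intermediate entity as a blocked owner only
once it is itself blocked follows OFAC's published guidance as the editor
understands it. Name normalisation here is deliberately simple.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

BLOCK_THRESHOLD = 50.0  # percent, the threshold named on the page


def normalise(name: str) -> str:
    """Collapse case, punctuation and common corporate suffixes for list comparison."""
    n = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    n = re.sub(r"\b(inc|ltd|llc|sa|ag|corp|corporation|limited)\b", " ", n)
    return " ".join(n.split())


@dataclass
class Entity:
    name: str
    owners: dict[str, float] = field(default_factory=dict)  # owner -> direct percentage held


class Screener:
    def __init__(self, listed: set[str], entities: list[Entity]):
        self.listed = {normalise(n) for n in listed}
        self.entities = {normalise(e.name): e for e in entities}

    def on_list(self, name: str) -> bool:
        return normalise(name) in self.listed

    def blocked_share(self, name: str, _seen: frozenset = frozenset()) -> float:
        """Aggregate percentage of `name` held by listed parties or by blocked entities."""
        key = normalise(name)
        entity = self.entities.get(key)
        if entity is None or key in _seen:  # unknown owner, or circular ownership: count nothing
            return 0.0
        return sum(pct for owner, pct in entity.owners.items()
                   if self.is_blocked(owner, _seen | {key}))

    def is_blocked(self, name: str, _seen: frozenset = frozenset()) -> bool:
        return self.on_list(name) or self.blocked_share(name, _seen) >= BLOCK_THRESHOLD

    def screen(self, partners: list[str]) -> dict[str, str]:
        """One finding per existing business partner for the periodic re-screen."""
        findings = {}
        for p in partners:
            if self.on_list(p):
                findings[p] = "listed"
            elif self.is_blocked(p):
                findings[p] = f"blocked by ownership ({self.blocked_share(p):.0f}%)"
            else:
                findings[p] = "clear"
        return findings


# Constructed sample data (not real list entries).
SAMPLE_LISTED = {"Example Oligarch One", "Sanctioned Holdings Ltd"}
SAMPLE_ENTITIES = [
    # Two listed owners, each below 50% but 50% combined: blocked.
    Entity("Aggregate Trading LLC", {"Example Oligarch One": 30.0, "Sanctioned Holdings Ltd": 20.0}),
    # A blocked intermediate holds 60%: blocked indirectly.
    Entity("Downstream Shipping SA", {"Aggregate Trading LLC": 60.0, "Unrelated Investor": 40.0}),
    # A listed person holds 49%: below threshold, not blocked.
    Entity("Minority Stake Corp", {"Example Oligarch One": 49.0, "Unrelated Investor": 51.0}),
    # Intermediates that are themselves only 25% listed-owned do not propagate blocking.
    Entity("Intermediate A", {"Example Oligarch One": 25.0, "Unrelated Investor": 75.0}),
    Entity("Intermediate B", {"Example Oligarch One": 25.0, "Unrelated Investor": 75.0}),
    Entity("Diluted Target Inc", {"Intermediate A": 50.0, "Intermediate B": 50.0}),
]


def demo_screen() -> dict[str, str]:
    screener = Screener(SAMPLE_LISTED, SAMPLE_ENTITIES)
    partners = ["Sanctioned Holdings, Ltd.", "Aggregate Trading LLC", "Downstream Shipping SA",
                "Minority Stake Corp", "Diluted Target Inc"]
    return screener.screen(partners)


if __name__ == "__main__":
    for partner, finding in demo_screen().items():
        print(f"{partner}: {finding}")
```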
Lindsay B. Meyer
Partner and Co-Chair International Trade
Venable LLP
T: +1 (202) 344 4829
Devin A. Sefton
Associate
Venable LLP
T: +1 (202) 344 4161
A WAVE OF EXPORT REGULATION TO HIT US TECHNOLOGIES
BY REID WHITTEN AND LISA MAYS
> SHEPPARD, MULLIN, RICHTER & HAMPTON
A wave is coming. An enormous wave of
regulation will soon crash on Silicon Valley,
Boston and other tech centres around
the United States, and very few people have their
surfboards ready.
From biomedicines to virtual reality goggles to
robotics, technologies in exciting emerging fields
will soon be subject to strict export controls that
will limit who can receive them, use them and even
research them. A swell of US export controls is
building and will break across a sweeping expanse of
leading-edge technology that Americans have come
to think of as the new normal.
Forthcoming export controls will disrupt logistics
planning, information sharing, R&D and acquisition
strategies for companies in the US and all around the
world.
A swell on the horizon – the coming controls
In the past, export controls and other regulations
have lagged a step or two behind the times. That trend
has accelerated with the pace of technological
advancement. As a result, for many years,
commercial technical innovations in fields like data
analytics, microprocessors and navigation could
be freely exported without significant restrictions
because they had simply gone beyond what
regulators could think to name in their regulations.
As long as the items were not designed for military
application, and no significant encryption technology
was involved, new ideas developed in the US were
simply unaccounted for by the export controls in the
US Export Administration Regulations (EAR).
However, the US Department of Commerce,
Bureau of Industry and Security (BIS) is about to
make up a lot of ground in a single, large leap. The
tsunami it will unleash in its regulatory overhaul will
splash down on sectors like biotech, computing,
artificial intelligence, positioning and navigation,
data analytics, additive manufacturing, robotics,
brain-machine interface, advanced materials, and
surveillance.
Controlling the break – commenting on the rules before they take effect
BIS is in the process of writing the regulations.
Since the regulations are not yet set in stone, you
may formulate and submit the arguments to BIS that
may limit the impact of these regulations on your
business.
On 19 November 2018, BIS published essentially
an open invitation to comment on the criteria for
establishing new export controls on what it calls
“emerging and foundational technologies”. The new
controls are authorised under the Export Control
Reform Act of 2018 and the Foreign Investment Risk
Review Modernization Act of 2018 (FIRRMA).
The list of technology fields targeted for review is
as follows: (i) biotechnology; (ii) artificial intelligence
(AI) and machine learning technology; (iii) position,
navigation and timing (PNT) technology; (iv)
microprocessor technology; (v) advanced computing
technology; (vi) data analytics technology; (vii)
quantum information and sensing technology; (viii)
logistics technology; (ix) additive manufacturing;
(x) robotics; (xi) brain-computer interfaces; (xii)
hypersonics; (xiii) advanced materials; and (xiv)
advanced surveillance technologies.
Interested parties submitted public comments
on the proposed rule before the 10 January 2019
deadline. This rule was an Advance Notice of
Proposed Rulemaking (ANPRM), so before finalising
the regulations, BIS will likely publish a Notice of
Proposed Rulemaking, again inviting interested
parties to comment on the proposed regulations. In
addition, BIS will issue a separate ANPRM regarding
identification of foundational technologies that may
be important to US national security.
These rulemakings represent your opportunities to
be heard. There is no guarantee that public comment
will alter the course of the new restrictions, but it
may be worth a try to argue for changes that may
help preserve your options for the future.
Feeling the curl – understanding the coming controls
The controls are not yet in final form so we cannot
predict in detail the implications of those controls.
However, we have seen and ridden waves before.
Based upon our experience and the information BIS
provided in its request for comments and industry
chatter, we can provide the following information.
General implications. If your company creates
technology or products in an emerging technology
sector, new export restrictions will not only limit who
can receive your exports, but will also restrict the
disclosure of technology to foreign nationals even
within the US. If the controls follow the pattern of
most EAR controls, the export of products and the
disclosure of related technology and know-how
will require licences, depending on the destination,
end-user and end-use of the product or information.
Where technologies are already widely available
outside of the US, BIS may not be able to restrict that
technology.
Implications for collaboration. Depending on the
criteria BIS develops for these controls, persons who
are not US citizens or green-card holders may need
licences to participate in researching and developing
some of these emerging technologies.
Implications for exports. As the new regulations
are developed, exports of your products, parts and
components in these sectors may require export
controls. This may be true for final shipments as well
as for movements throughout your manufacturing
supply chain. For example, if your logistics chain
includes fabrication in Mexico, or assembly, testing
and packaging (ATP) in China, you may need to plan
for the potential impacts on your manufacturing
process.
Implications for mergers, acquisitions and
investments. The emerging technology sector
continues to see historic volumes of investment
and M&A activity in a vibrant US economy. The new
regulations will also affect US national security
review of foreign investments in these sectors.
Specifically, when the list of technologies is finalised,
many types of foreign investments in these sectors
(including not only outright acquisitions of US
companies, but also certain minority investments)
will be subject to review by the Committee on
Foreign Investment in the United States (CFIUS).
CFIUS has the power to halt or unwind a deal,
and the power to impose restrictions on a foreign
acquirer’s access to technology. This development
has the potential to radically alter the structuring,
timing and valuation of foreign investments in these
sectors.
Getting ready to ride – planning for the controls
Recently, we have seen companies caught off
guard by the rapid pace of regulatory change in the
Trump administration. This has been the case even
when the president and the administration have
clearly signalled policy changes in advance (as in
the case of the immigration ban, tariffs on China and
changes to NAFTA).
BIS’s announcement of these forthcoming rules
signals a real and substantive movement toward
limiting foreign access to leading-edge technologies.
Companies in the affected sectors could gain an
advantage over their competition if they act early.
They can paddle a bit ahead and ride this coming
wave, rather than tumbling in its wash.
Your company may wish to consider adjustments
to your research, manufacturing, export and
investment strategies to handle the forthcoming
changes. In our view, this wave of regulation will
have a big impact on US advanced technology
sectors. Companies should continue to monitor and
consider submitting comments and implementing
internal controls to account for the upcoming
changes. RC&
Reid Whitten
Managing Partner, London Office
Sheppard, Mullin, Richter & Hampton
T: +44 (0)20 3178 7831
Lisa Mays
Associate
Sheppard, Mullin, Richter & Hampton
T: +1 (202) 747 2307
ARTIFICIAL INTELLIGENCE AND COMPETITION
BY KATRIN SCHALLENBERG, AMELIE LAVENIR AND FILIP SALAMITOV
> CLIFFORD CHANCE
Antitrust enforcement in the digital space is
one of the hot topics of the moment and
is likely to remain one during the years to
come. The internet economy does indeed attract
increased scrutiny from competition authorities
across the globe. The European Commission’s (EC)
record fines against Google and the recent Facebook
decision by the German Bundeskartellamt (BKA) are
just two prominent examples of this development.
An area that has attracted a lot of media attention
and public debate is how artificial intelligence
(AI) can facilitate anti-competitive behaviour. We
have seen headlines claiming that algorithms will
outsmart consumers by allowing companies to
coordinate and fix higher prices without the need for
any human contact. But is that actually true?
So far the verdict seems to be: no. No (artificial)
smoke without (human) fire; collusion between
competitors animated by technology can always
be linked back to human conspiracy and no matter
how fancy the algorithm, at the end of the day the
machine executes what competitors A and B agreed.
But it would be too simplistic to stop here, as AI
can play a role in increasing a company’s antitrust
risk exposure in various situations: companies or
consultants that use similar algorithms to maximise
profits resulting in aligned pricing strategies. Or the
financial industry’s use of algorithms to obtain and
exchange information among banks for the trading
floor. AI can help companies with market intelligence
and thus increase market transparency. Another
area where AI can play a powerful role is to help
companies with market power to strengthen their
dominance. One illustration of this is the EC’s Google
shopping case, where Google algorithms favoured
search results for Google’s own shopping sites over
competing sites.
This article aims to address these various
situations and the way AI can expose companies to
an antitrust risk.
Collusion through algorithms
As stated from the outset, AI has not (yet) replaced
humans when it comes to cheating the system. But
what AI can very efficiently do is to help humans
implement their nefarious plans.
For instance, in 2018 the EC sanctioned Asus,
Denon & Marantz, Philips and Pioneer a total of
over €111m for imposing online resale prices on their
distributors, in cases where internal software tools
were used to effectively monitor the distributors’
compliance with instructions and especially with the
set resale price.
In 2016, the UK Competition and Markets Authority
(CMA) sanctioned two companies that had agreed
not to undercut each other’s prices on Amazon
Market Place, and had used automated re-pricing
software to implement their agreement. In addition
to a fine, the CMA also sought, for the first time, the
disqualification of the managing director of one of
the undertakings, who undertook not to act as a
director of any UK company for five years.
These examples illustrate that current competition
rules accommodate traditional forms of explicit
collusion implemented through algorithms.
That said, competition authorities will take account
of all relevant factors when assessing the functioning
and effect of an algorithm. For instance, the
Competition Authority of Luxembourg found recently
that although the pricing algorithm implemented
within a taxi booking platform constituted essentially
a horizontal price fixing agreement, as it allowed
companies using the platform to adopt the same
pricing strategy, it also enabled customers to benefit
from improved service and consistent offers that
outweighed the potential unlawful character of the
algorithm.
The situation is less clear when it comes to AI that
helps companies gather market intelligence to adapt
their pricing strategy. In principle, competition law
does not prohibit market parallelism resulting from
companies monitoring the commercial strategy of
their competitors and adjusting their own strategy
accordingly. In other words, tacit collusion is not in
itself illegal, at least in most competition regimes.
Where this can potentially raise concerns, though,
is where markets are concentrated, and where such
increased transparency leads to higher prices and
ultimately consumer harm. Such concerns might
arise in outright agreements between competitors,
but also in ‘hub & spoke’ agreements, e.g., cases
where competitors use the same third-party
software to help them determine their respective
strategies, and that third-party software feeds the
confidential data provided by each company into
an algorithm to maximise pricing for the industry.
For example, petrol stations in the Netherlands and
Denmark allegedly already use the same third-party
software that allows pricing optimisation based on
dynamic profiles of customers and competitors.
This situation might be regarded as problematic,
as it essentially enables the indirect exchange of
business-sensitive information. There are currently
no decisions sanctioning such behaviour, but as
Maureen Ohlhausen, former Commissioner of the US
Federal Trade Commission, said in a speech: “[i]s it
ok for a guy named Bob to collect confidential price
strategy information from all the participants in a
market, and then tell everybody how they should
price? If it isn’t ok for a guy named Bob to do it, then
it probably isn’t ok for an algorithm to do it either”
(FTC, 2017, p.10).
Personalised pricing: pro- or anti-competitive?
Competition authorities are also turning their
attention to unilateral conduct, which the use of
data and algorithms may allow, and in particular
personalised pricing, i.e., situations where
companies charge different prices to consumers for
the same good or service.
In such cases, prices are set, for each customer,
taking into account a number of additional factors
which can be market-related, notably prices of other
competitors, but also customer-related, especially
the price sensitivity of each customer.
Dynamic pricing can therefore be pro-competitive
because it makes prices flexible, hindering collusion
between market players.
However, personalised pricing can also amount to
abusive practice when implemented by a dominant
undertaking, if it leads to discriminatory or excessive
pricing. The CMA launched research into this area
in the autumn of 2018 to assess how widespread
this is in practice, how it is applied and whether it
may indeed prevent customers from getting the best
deals.
Some competition authorities initiated
investigations in situations involving dynamic
pricing, but cases were concluded without finding an
infringement of competition rules.
The French Competition Authority (FCA) looked
into software used by car manufacturers for the
pricing of spare parts whose prices allegedly
increased significantly. Although there were
allegations of excessive prices, the FCA did not
initiate a full investigation.
In Germany, the significant increase in prices
charged by Lufthansa (and set through an algorithm)
on certain routes after the insolvency of Air Berlin
caught the eye of the BKA. The case was, however,
closed as the BKA considered the price increase did
not justify proceedings for an abuse of dominance,
emphasising that “the question whether the price
increases were the result of a price algorithm or
human intervention was of no significance” (BKA
Lufthansa case, Press Release 2018).
Companies should nevertheless be aware that the
approach taken to excessive pricing varies across
jurisdictions. Moreover, authorities dealing with
consumer protection might find appropriate legal
basis for further action – in this regard, it is worth
noting that in the UK, the Financial Conduct Authority
is also investigating personalised pricing (in relation
to car and home insurance).
‘Compliance by design’
Some features of the incurred liability remain
uncertain – and the development of artificial
neural networks, and algorithms that move away
from implementing pre-designed functions to
‘autonomous’ reasoning, will no doubt raise
additional issues in this regard.
Companies cannot invoke the involvement of
algorithms to escape liability: in the same way that
a company is liable if one of its employees takes
part in a cartel, even when that individual is acting
alone, the company can also be liable for any
anticompetitive action undertaken through or even
by an algorithm it uses. Companies must respect
the rules, and may not use algorithms to implement
strategies in blatant violation of antitrust rules – i.e.,
agreements not to undercut a competitor’s prices.
To be on the safe side, before using any AI tool,
companies should always ask the right question:
“Would I do this in the absence of the technology?”
Further, competition authorities consider that
companies have a responsibility to ensure any AI
tool they might use does not enable any violation
of competition law rules. Margrethe Vestager, EU
Commissioner for Competition, thus recommends
a ‘compliance by design’ approach, i.e., that pricing
algorithms be designed in a way which prevents
their collusion (EC, 2017, p.5). For instance, the
actions of algorithms can be restricted in light of
competition rules and show a warning sign in case
of potential infringement. The CMA also presented
helpful red flags for companies, by identifying three
main risk factors where algorithms may lead to some
form of anticompetitive coordination: first, the time
horizon of the designed decision-making process
(short-term objective functions reducing the chances
of collusion); second, the number of actors using the
same algorithm in the market; and third, the type
of data input into the algorithm (i.e., whether data
from many competitors is being used) (CMA, 2018,
pp.48-49).
While traditional antitrust rules seem to
sufficiently capture collusive behaviour facilitated
or implemented by AI, the risk may be more difficult
to manage where companies have strong market
positions and use AI to optimise their market
behaviour. Discrimination is the obvious area where
companies, through technology, discriminate against
competitors (the Google shopping example) or
among customers (through personalised pricing).
However, it is at least questionable whether the
ability to discriminate comes from the technology
or the access to data allowing such discrimination.
In this regard, Peter Norvig, Google’s Chief Scientist,
when asked about the secret to Google’s success,
contended: “We don’t have better algorithms than
anyone else; we just have more data”.
Katrin Schallenberg
Partner
Clifford Chance
T: +33 1 4405 2457
Amelie Lavenir
Associate
Clifford Chance
T: +33 1 4405 5917
Filip Salamitov
Trainee Lawyer
Clifford Chance
T: +33 1 4405 2497
ONE-ON-ONE INTERVIEW
COMPLIANCE CONSIDERATIONS FOR MARIJUANA BUSINESSES
Nick Parfitt
Head of Market Planning
Acuris Risk Intelligence
T: +44 (0)20 3741 1200
Nick Parfitt is responsible for determining Acuris Risk Intelligence’s approach to the market and building subject-matter expertise. He has 18 years’ experience in project and programme management, business process change and in implementing technology and business solutions at financial services, telecoms and public sector organisations. His experience in the financial crime sector spans seven years, helping tier one financial institutions assess and improve AML, KYC and sanctions operations. Mr Parfitt has worked for several tier one banks in the UK and holds an MBA (Distinction) from Cardiff University, and a BA (Hons) in Biochemistry from Imperial College.
R&C: How would you describe the regulatory and compliance challenges currently facing businesses in the regulated cannabis industry?
Parfitt: Regulatory and compliance challenges
in this industry are very much dependent on the
jurisdiction. There is a lot of variation around the
world, and just because cannabis is legalised in one
country does not necessarily mean that it is legal
to do business from another country with entities
that are involved in the industry. As it stands today,
three countries have legalised the recreational use
of marijuana: Canada, Uruguay and Portugal. The
US poses a specific challenge: while most states
have either legalised or decriminalised marijuana
use, at a federal level it remains illegal. Consider
the international dimension too, and the legality
of doing business with legal marijuana-related
businesses (MRBs). In Canada, for example, Deloitte
estimates the value of the legal cannabis industry at
approximately $4.34bn in 2019. Could UK businesses
participate? The UK’s Proceeds of Crime Act (POCA)
only considers whether the predicate activity
– ‘criminal conduct’ – is legal in the UK, and not the
legal status where it was undertaken. So, any revenue
derived by a UK company from a Canadian MRB
would constitute the proceeds of crime.
R&C: What legal and regulatory hurdles do marijuana businesses need to overcome when operating in this market? To what extent are dispensaries, growers and infused products companies struggling to meet these demands?
Parfitt: From a US perspective, the challenge
remains in the banking sector and in anti-money
laundering (AML) regulations, which make banks
reluctant to do business with legitimate MRBs. While
the federal government has been clear that banks
can work with MRBs, they must file suspicious
activity reports (SARs) regardless of whether or not
the related state has legalised marijuana. This is
further complicated by legal requirements to report
on anyone depositing funds ‘derived from illegal
activity’. In theory, this even means a bank should file
a report on a state government that derives taxes
from legal MRBs. So if a dispensary cannot obtain
banking and financial services, it will find it almost
impossible to operate – banking cash, paying wages,
and so on, just becomes too difficult. And, given this
activity is still illegal at the federal level in the US,
then businesses and individuals can still become a
focus for federal law enforcement that can result
in investigation and civil asset forfeiture for non-
compliance. It is therefore imperative that MRBs
understand their regulatory requirements and adhere
to them so that financial institutions can successfully
comply with the Financial Crimes Enforcement
Network’s (FinCEN’s) 2014 guidance and formula for
assessing risk.
R&C: Have you seen an uptick in regulatory enforcement activity and scrutiny of compliance transgressions? What kinds of penalties might marijuana businesses expect to face if they are found to be in breach?
Parfitt: Just considering the US, to
date reports suggest there has been no
instance where federal law enforcement
has cracked down on a legal cannabis
operation, and there is little evidence
either of increasing compliance
transgression enforcement. The whole MRB industry
is really in its infancy, but will change as marijuana
licensing authorities know that the long-term survival
of the industry requires enforcement of rules and
regulations. The main challenge for MRBs operating
legally is that they do not become the subject of
traditional federal AML violations or non-compliance
of regulations or state law, which could invite
official federal investigation. Federal prosecution for
money laundering remains a top concern for MRBs
and the financial institutions with whom they have
relationships. A recent example is the owner of a
Maine company that is licensed to grow medical
marijuana but has a business association with an
individual who is currently facing illegal firearm
possession and marijuana trafficking charges in the
federal district court in Maine. This association left
the business owner open to allegations of non-
compliance with both Maine’s medical marijuana
laws and federal money laundering rules, as well
as drug trafficking. The result is that some of the
business owner’s properties are subject to civil
federal forfeiture, the business is undergoing federal
investigation and a deal to acquire the company for
$8.3m allegedly fell through.
R&C: What essential advice can you offer to marijuana businesses looking to maintain compliance in the regulated cannabis industry? Do you believe they need to do more to meet compliance requirements?
Parfitt: Be ‘squeaky clean’, know your compliance
obligations and treat them very seriously, and expect
your compliance spend to be significant. A good
place to start is to understand FinCEN’s guidance to
financial organisations for customer due diligence
compliance, and ensure that you are compliant.
Furthermore, MRBs need to understand that they
are still high-risk businesses and the relevant AML
obligations should be ‘baked’ into everything they
do, along with policies, procedures and controls
to mitigate risks. Many companies that need to
comply with AML regulations fall short in some way
or another. Given the nature of this industry and its
newness, we suspect there will be many gaps and,
more importantly, a lack of real understanding from
businesses as to what their regulatory obligations
are.
R&C: What processes and tools should marijuana businesses consider as they work to remain compliant with regulatory requirements, and create a programme in which they can proactively manage associated risks?
Parfitt: The challenge currently for US MRBs is
that compliance generally refers to state licensing
compliance requirements throughout the whole
‘seed-to-sale’ supply chain. There do not appear
to be AML regulations on the MRBs themselves,
but rather on the financial institutions that provide
financial services to them. This supply chain is long
and includes growers, processors, manufacturers,
wholesalers and retailers who sell cannabis products
to the end consumer. All parts of the chain must be
compliant and ensure each is duly licensed. So, to
be in a good place when it comes to demonstrating
compliance with state licensing, businesses have a
long list of obligations. This list includes performing
due diligence, having a system to record each
party within the supply chain, knowing who the
beneficial owners are, identifying whether there is
any reputational risk exposure hidden within any
of the entities, and proactively monitoring these
relationships. While MRBs are some way from being
required to implement formal AML policies, there
are lessons to be learned which will benefit their
business practices and help meet future regulatory
requirements. As with the Maine example, knowing
your business relationships is very important, so
enhanced due diligence should be applied where
necessary.
R&C: To what extent are marijuana businesses struggling to keep pace with the operational costs of compliance? How can technology help to enhance or upgrade existing systems?
Parfitt: The issue for financial institutions is
whether they have a business risk appetite to
provide services to this sector given the current
legal situation. Although revenues can be significant,
so too can the cost of compliance. The opportunity
is highly material. BDS Analytics forecasts legal
cannabis spending in North America to reach $47.3bn
by 2027, with significant innovations predicted.
Financial institutions need to look for supporting
data and information to support their due diligence
procedures in a more streamlined approach similar
to due diligence performed on entities today under
AML requirements. Who are the beneficial owners?
What licences do they hold and under which state?
Is there a reputational risk exposure? Current
systems should be looked at to support this niche,
but rapidly expanding, business segment so that
appropriate controls can be implemented to achieve
compliance.
R&C: What is the outlook for the regulated cannabis industry? Are compliance challenges set to increase over the months and years ahead?
Parfitt: Directionally, this industry is only going
to go from strength to strength, albeit at different
paces depending on the jurisdiction. In Canada,
initial public offering (IPO) activity for 2019 is likely to
slow, according to Jason Wilson, a partner at ETFMG
Alternative Harvest ETF, who states that this is likely
due to the existing MRB companies that did achieve
IPO in 2018 and now must deliver to their investors.
In the US, while the legal stance is still precarious, the
likelihood of federal investigations into businesses
that can demonstrate that they are acting legally in
their own states is waning. This follows the dismissal
of attorney general Jeff Sessions, who was seen to
be very biased against the legalisation of cannabis,
the apparent endorsement by FinCEN, and the
hope that a bill proposed in June 2018 by Charles
Schumer gains traction. This bill would remove
marijuana from its difficult place on the Controlled
Substances Act list, effectively decriminalising it at
a federal level. From a global perspective, there are
some 26 countries where cannabis is in effect legal
or decriminalised, and this trend is likely to increase
over time. In terms of compliance challenges, as with
any AML programme, as a business becomes more
complex and multijurisdictional, and as revenues
increase, it will become more complex and expensive
to ensure effective controls and to comply with each
jurisdiction’s nuances.
PERSPECTIVES
THE SHORTAGE OF FUELS IN MEXICO – MANAGING CRISIS AND COMPLIANCE
BY JAVIER LOPEZ DE OBESO
> SCOTTHULSE PC
On 1 December 2018, Andres Manuel Lopez
Obrador (popularly known as ‘AMLO’) took
office as president of Mexico after being
defeated in two previous presidential campaigns. One
of AMLO’s principal campaign promises was that he
would end the carcinogenic corruption in Mexico,
generated by the previous governments.
For several years, criminal gangs popularly
known as ‘Huachicoleros’ (and the stolen product
known as ‘Huachicol’) have targeted the
pipelines that run through Mexico transporting refined
products, from refineries to distribution points. The
Huachicoleros tap into a pipeline, siphon gasoline and
diesel and resell it, all under the blind eye of allegedly
corrupt officials of Pemex, the state-run energy
company, local authorities and security agencies.
The Huachicoleros apparently receive sensitive
information from Pemex’s officials that help the
Huachicoleros tap the pipeline, and allegedly corrupt
officials omit to report any technical sign of an illegal
tap, such as a decrease of pressure in the pipeline
or differences between the product sent into the
pipeline and product received at the distribution
centre. Local authorities and the security agencies
allegedly provide protection to the Huachicoleros.
This network of allegedly corrupt officials and
Huachicoleros has generated an illegal market of
fuels that authorities estimate costs Pemex, and thus
Mexico, more than US$3bn every year. To fight these
criminal bands, in the final days of December 2018,
AMLO ordered a shutdown of Pemex’s pipelines that
feed the country with refined fuels. This shutdown
caused a shortage of fuels in several areas of Mexico
for as long as three weeks. Even today, the
situation has not been resolved in certain areas.
AMLO’s decision to shut down the pipelines,
causing widespread shortage in several areas of the
country, was generally welcomed by the population,
who saw it as necessary to stop the theft of fuels.
However, the overall strategy of the government to
reduce fuel theft has raised several red flags of
corruption, such as those outlined below.
Lack of law enforcement. The government
has not announced the commencement of legal
proceedings against all of the Pemex officials who
for years have allegedly allowed the theft of fuels.
Government efforts have been focused on finding and
destroying the illegal taps, but have not advanced to
enforcement of criminal and administrative sanctions
against the corrupt officials who allowed these crimes
over the years, including Pemex officials, local law
enforcement and other authorities that decided to
ignore the problem.
Enforcement against the Pemex union has also
been lacking. The union has more than 200,000
members and has been controlled by Carlos
Romero Deschamps since 1996. This leader was
mentioned by Forbes Magazine as one of the most
corrupt Mexicans of the year 2013. Romero has
been implicated in various scandals while head of
the union, including the so-called Pemexgate case
in which the union was found to have diverted 500m
pesos to the 2000 presidential campaign of PRI
candidate Francisco Labastida. He has also been
criticised for his ostentatious lifestyle, including giving
a limited-edition Ferrari to his son and picking up the
tab for his daughter’s lavish wedding.
The lack of supervision and control over the
product transported by the pipelines, allowing the
Huachicoleros to make numerous illegal taps, is
difficult to imagine without the possible participation
of the Pemex union, which may have provided the
technical knowledge to tap the pipeline, insider
information such as possible security operatives
or looked the other way instead of reporting lost
product.
Soon after AMLO launched his crusade against
the Huachicoleros, and the possible participation
of the Pemex union in the theft of gasoline was
raised, Romero obtained a court order (‘Amparo’ or
Habeas Corpus) that prevents the authorities from
arresting Romero to face charges related to the
alleged cooperation of the Pemex union with the
Huachicoleros.
There cannot be a real strategy against corruption
without exemplary sanctions brought against
offenders, and preventive actions taken to avoid
similar situations arising in the future.
Shady purchase of tanker trucks. In order to avoid
shortages in several regions of the country, Pemex
should first have guaranteed supply in the areas
affected by the pipeline closure by means of
distribution with tanker trucks, and not the reverse:
close the pipelines and then try to normalise supply
with tanker trucks. Since the need for tanker
trucks arose, the federal government has spent
approximately US$92m to purchase 571 new tanker
trucks that will deliver fuel to states where supplies
have been scarce since the pipeline was shut down.
As a general rule, all governmental purchases
must be made through a public and open bidding
process. Without any explanation or comment, simply
citing the urgent need to address fuel shortages,
the government bypassed the usual public bidding
process and purchased tanker trucks by direct award
to unknown suppliers of tanker trucks.
In addition to the absence of public bidding, the
tanker trucks did not comply with the technical and
safety regulations required for the transportation
of petroleum products on Mexico’s roads. Once the
press revealed this situation, the Ministry of Transport
changed the security standard, to adapt it to the
tanker trucks purchased, allowing the trucks to roam
freely on Mexican roads.
Following the direct purchases, the Mexican
Association of Ethics and Compliance Professionals
(Asociación Mexicana de Profesionales de Ética y
Cumplimiento, or ‘AMPEC’), among other professional
organisations, issued a press release in which it advised
the federal government to be extremely cautious
during the execution of these ‘panic’ purchases,
as they were not necessarily transparent government
spending.
The decision to skip a bidding process and expedite
a change to transport security standards sends the
wrong message about an apparent lack
of commitment to transparency and to
obtaining the best prices in the market
available to the government.
Alejandro Hope, a security consultant
in Mexico City, recalls the war on drugs
launched by President Felipe Calderon
after he took office in 2006. It was
popular at first, but then the bodies
started piling up – and Mexicans started
to wonder if their government knew
what it was doing. AMLO has opted for
“an epic crusade instead of a permanent, systematic
effort to end gasoline theft,” said Hope, as reported by
Bloomberg. “They’ve focused their strategy on closing
supply and stopping the commercial network, but not
on taking apart the groups that control theft.”
Fuel distribution presents several compliance
challenges, such as those described here. The most
relevant insight from this shortage of fuels is that it was
created by action to fight corruption inside Pemex
and in various state and municipal governments; but
such actions to fight corruption should be executed
without affecting citizens.
In recent days, the Mexican government has
announced its investigation into several companies
involved in the resale of Huachicol, and the dismissal
of some Pemex officials involved in the support given
to the Huachicoleros. Many actions are pending,
but in the end, all actions taken in order to fight
corruption must be welcomed, revised and improved.
It is still too early to tell whether this new government
will apply the best international practices to fight
corruption – practices tested and proven in private
industry or in other countries. One thing is certain:
AMLO’s government is going in a different direction
than the previous government regarding its strategy
to fight corruption, with a strong and direct
tone-at-the-top from AMLO.
Javier Lopez de Obeso
Attorney At Law
ScottHulse PC
T: +1 (210) 202 2316
HOT TOPIC
IMPACT OF CFIUS REFORMS FOR PE HOUSES
Jeremy B. Zucker, co-chair of the firm’s International Trade and Government Regulation practice, advises clients on international trade regulatory compliance matters, including in relation to anti-bribery (the US Foreign Corrupt Practices Act (FCPA)), export controls (the Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR)), economic sanctions programmes administered by the Office of Foreign Assets Control (OFAC) and the anti-money laundering (AML) provisions of the USA Patriot Act. Mr Zucker is a member of the Sanctions Subcommittee of the US Department of State Advisory Committee on International Economic Policy.
Jeremy B. Zucker
Partner
Dechert LLP
T: +1 (202) 261 3322
Tim Keeler, an attorney in the Government Relations & Public Law and International Trade practices, joined Mayer Brown in 2009, and brings an in-depth knowledge of international trade law and economic policy matters, and a history of working in the Executive Branch and Congress on major economic, legislative and regulatory issues.
Timothy J. Keeler
Partner
Mayer Brown LLP
T: +1 (202) 263 3774
Michael Leiter is a partner in the National Security practice of Skadden, Arps, Slate, Meagher & Flom, LLP. Mr Leiter represents clients in matters involving US national security and cyber security, cross-border transactions and government investigations. Mr Leiter has served in a number of senior national security positions in the federal government, including as the director of the National Counterterrorism Center from 2007 until 2011 for both Presidents Bush and Obama. Mr Leiter has also served in senior positions within the private sector including at Leidos and Palantir.
Michael E. Leiter
Partner
Skadden, Arps, Slate, Meagher & Flom LLP
T: +1 (202) 371 7540
PANEL EXPERTS
R&C: Could you provide an overview of the expanded scope of transactions subject to review by the US Committee on Foreign Investment in the United States (CFIUS), following the Foreign Investment Risk Review Modernization Act (FIRRMA) signed into law in August 2018?
Zucker: FIRRMA is the first overhaul of CFIUS
in the past decade; it is the result of longstanding
debates about how best to balance protecting
national security while promoting inbound
investment in the United States. Historically, CFIUS
reviewed ‘covered transactions’, which included
mergers, acquisitions and takeovers that could
result in non-US control of a US business. FIRRMA
significantly expanded this authority to include:
review of inbound real estate investments that
are co-located near US defence installations or
other US national security facilities; investments or
changes in rights involving a US business working
in critical infrastructure or critical technology or
possessing sensitive personal data regarding US
citizens; and investments intended to evade CFIUS
review. Though CFIUS has always been empowered
to initiate reviews on its own, prior to FIRRMA,
the Committee review process generally involved
voluntary notifications by transaction parties.
FIRRMA added a mandatory filing requirement for
certain investments, ‘whether or not controlling’, in
critical US businesses.
Leiter: Before FIRRMA, CFIUS’ jurisdiction was
limited to transactions resulting in foreign control of
a US business. FIRRMA expanded CFIUS’ jurisdiction
in a few key respects. First, CFIUS may now review
some non-controlling investments that concern
critical technology, critical infrastructure or sensitive
personal data of US citizens. CFIUS will consider
how these transactions give foreign investors
access to non-public information and provide
authority to make decisions to develop and use
that information. In October, CFIUS began a ‘Pilot
Program’ to implement this expanded jurisdiction for
critical technology transactions, including FIRRMA’s
requirement for filing mandatory declarations
about these transactions before closing. Second,
FIRRMA expanded CFIUS’ jurisdiction over real
estate transactions, including to properties that are
undeveloped, or that will be leased. Third, certain
changes in rights are now covered transactions,
even if not tied to new investment. Extending
jurisdiction to these transactions and creating
mandatory filing requirements are paradigm-shifting
changes.
Keeler: FIRRMA amended the definition of what
constitutes a ‘covered transaction’. As a result, CFIUS
now has the authority to review non-controlling
investments in certain categories of US businesses
– and under CFIUS rules and practice, ‘control’ is
already a low threshold, for example 15 percent and
one board seat in one publicly known transaction.
FIRRMA defines these categories as US businesses
that own, operate, manufacture, supply or service
critical infrastructure, that produce, design, test,
fabricate or develop ‘critical technologies’, or
that maintain or collect the personal identifying
information (PII) of US citizens that could
be used in a manner that threatens
national security. FIRRMA has defined
such non-controlling investments as any
investment by a foreign person in any of
these three categories of US businesses
that provides the foreign person with
access to material non-public technical
information in the possession of such
US businesses, provides membership or
observer rights on the board of directors,
or provides involvement in substantive
decision making regarding the sensitive
PII of US citizens, critical technologies and critical
infrastructure. FIRRMA also authorises CFIUS to
review transactions that involve the purchase or
lease by, or concession to, a foreign person of
private or public real estate that is located in the US
and is in close proximity to a US military installation
or other sensitive US government facility or property
or that is located within, or will function as part of, an
air or maritime port.
R&C: How might the greater scope of CFIUS impact private equity (PE) deals specifically, and the wider asset class more generally?
Leiter: By expanding CFIUS’ jurisdiction over non-controlling investments, more PE deals are likely to come under review. But FIRRMA also provides some relief for PE by clarifying that US investment funds and their foreign limited partners will be considered passive investors whose investments are not subject to CFIUS’ jurisdiction when certain conditions are met. These conditions include the fact that the fund is being managed by a US general partner or equivalent, that the fund places limitations on the ability of the foreign limited partner to impact investment decisions, and that the limited partner is foreclosed from making decisions about hiring or firing the fund manager. CFIUS is expected to issue rulemaking further clarifying the exemption’s application, but the exemption was included in CFIUS’ ‘Pilot Program’ for critical technology transactions. The fund exemption is already creating an incentive for foreign investors to strengthen or develop relationships with US-led PE firms.
Jeremy Zucker, Dechert LLP: “FIRRMA is the first overhaul of CFIUS in the past decade; it is the result of longstanding debates about how best to balance protecting national security while promoting inbound investment in the United States.”
Keeler: As a general matter, CFIUS’s expanded jurisdiction now has the potential to capture a wider range of deals. PE firms therefore have to be more vigilant, as both buyer and seller, to ensure that investments that previously were not captured under CFIUS’s jurisdiction undergo proper diligence for potential CFIUS concerns. It is worth noting that there is an exception to CFIUS’s expanded jurisdiction that impacts PE funds. FIRRMA exempts a foreign person’s investment from its expanded jurisdiction if that foreign person’s investment is indirect through an investment fund, where the foreign person is a limited partner or a member of an advisory board or a committee of the fund, provided that, firstly, the fund is exclusively managed by a US general partner, secondly, the advisory board or committee does not have the ability to control investment decisions of the fund or decisions made by the general partner, thirdly, the foreign person does not otherwise have the ability to control the fund, and finally, the foreign person does not have the ability to access material non-public information as a result of its participation on the advisory board or committee.
Zucker: While FIRRMA may make regulatory compliance more complicated for certain transactions, there also may be market opportunities associated with these changes. For example, investors from countries that enjoy good relations with the US may have a relatively easier time securing CFIUS clearance, while investors from countries of relatively greater concern might find that, while investments in critical US businesses might become even more challenging, opportunities remain with respect to targets operating in less sensitive sectors of the US economy. Significantly, FIRRMA also includes an investment fund exception that clarifies circumstances where investments are not within CFIUS’ jurisdiction. An indirect investment through an investment fund that affords a non-US investor membership as a limited partner is not a covered transaction as long as certain requirements are met, including that, first, the fund is managed by a US general partner or equivalent, second, the fund board or committee on which the non-US limited partner sits does not have control over the US fund’s management or investment decisions and, third, the non-US limited partner does not have access to material non-public technical information of the target company, among other potential requirements. There may be significant opportunities for PE funds availing themselves of this exception.
Timothy J. Keeler, Mayer Brown LLP: “PE firms have to be more vigilant to ensure that investments that previously were not captured under CFIUS’s jurisdiction undergo proper diligence for potential CFIUS concerns.”
R&C: What types of investment by PE funds could fall under the expanded jurisdiction of CFIUS? Under what circumstances is a CFIUS review triggered under the new regime?
Zucker: FIRRMA places particular focus on US technologies and industries where the competitive advantage of the US is perceived to be under threat from other countries. To that end, FIRRMA authorises the Committee to review investments that relate to a critical US business, even when such an investment does not result in control by a non-US person. FIRRMA also gives CFIUS jurisdiction over any action that results in any change in the rights of a non-US person that could result in either foreign control of the US business or in an investment in a company involved in a critical US business. If a non-US investor will acquire certain rights – such as access to material non-public technical information other than financial information, membership or observer rights on a board, or certain other decision-making authority – investments in these types of entities are subject to review. This new authority allows the Committee to assert jurisdiction based solely on a change in rights, even when no formal merger, acquisition or other investment transaction has occurred.
Keeler: It was widely known that China was at the forefront of Congress’ mind during the drafting of FIRRMA, particularly with respect to Chinese investment involving technology, infrastructure, Big Data and real estate transactions that present potential espionage concerns. Given this intent, investments involving any of these areas raise the spectre that a CFIUS review may be necessary, or even mandatory. To be sure, even investments that do not involve Chinese buyers must consider whether a CFIUS review is necessary when investing in these areas. However, deals in these areas that involve China are certain to draw heightened scrutiny from CFIUS. It is worth noting that critical technologies will be an expanding area that investors will need to pay attention to. FIRRMA was drafted in conjunction with the Export Control Reform Act, which mandates a process to identify ‘emerging and foundational’ technologies – which will be controlled for export and trigger mandatory CFIUS filings. This area is certain to evolve with advancements in technology. Investments in pure real estate transactions are also no longer perfunctory. Given CFIUS’s expanded jurisdiction to cover non-controlling investments, the circumstances under which a review is triggered have broadened beyond the traditional ‘control’ analysis under the old regime.
Leiter: FIRRMA granted CFIUS jurisdiction over certain non-controlling investments implicating critical technology, critical infrastructure and personal information of US citizens. Specifically, these investments will be subject to CFIUS review when they convey board rights, access to material non-public information or the ability to be involved in certain substantive decision making. And, in the case of critical technology, CFIUS review will be mandatory, as spelled out in CFIUS’ recently implemented ‘Pilot Program’. In addition, FIRRMA also provides that a change in rights affording new board representation, access to information or involvement in substantive decision making is also a covered transaction, even if not associated with new investment. Accordingly, when PE funds with foreign limited partners make new investments or exercise options for existing investments, particularly in the technology sector, they should consider whether that will trigger a mandatory notice requirement and whether they qualify for FIRRMA’s exemption for certain investment funds.
R&C: To what extent should a PE fund’s non-US limited partners expect additional CFIUS scrutiny during reviews and investigations?
Keeler: The scrutiny will vary depending on the level of involvement by the non-US limited partner in the fund and the organisation of the fund. FIRRMA exempts certain foreign investors from its expanded jurisdiction based on set criteria. If all such criteria are met, non-US limited partners could avoid any scrutiny from CFIUS in the context of its expanded jurisdiction. Outside of this exemption, non-US limited partners will likely undergo varying degrees of scrutiny. Certain investors – such as Chinese investors – are likely to undergo heightened scrutiny, which could be amplified if the investment involves certain industries, such as critical technologies, critical infrastructure, Big Data, and so on.
Leiter: Even before FIRRMA, PE funds with foreign limited partners were coming under increased scrutiny by CFIUS. FIRRMA adds to this scrutiny, for example by making more PE investments subject to CFIUS’ jurisdiction. But FIRRMA also provides some relief by codifying the circumstances under which investment involving foreign limited partners will be considered passive and, thus, not subject to review. This provision is subject to additional rulemaking, which could narrow its application – CFIUS is unlikely to exempt captive funds, for example. For non-exempt funds, their foreign limited partners will receive the greatest scrutiny if they are controlled by a foreign government. FIRRMA requires mandatory declarations for transactions that will result in a foreign government acquiring a ‘substantial interest’ in certain companies. But FIRRMA grants CFIUS the authority to waive this requirement for a foreign person if CFIUS determines that a foreign government is not directing the foreign person’s investments.
Zucker: Non-US limited partners might avoid scrutiny altogether if, pursuant to FIRRMA’s investment fund exception, the fund making the investment is considered a US person notwithstanding the participation in the fund of non-US limited partners. Non-US limited partners in a fund that does not qualify for the investment fund exception – either because of the rights afforded to the limited partners, or because the general partner also is a non-US entity – should expect to be subjected to CFIUS scrutiny. The level of attention, and the details required to be provided, then may vary depending on the limited partner’s level of participation in the fund or the rights and authorities enjoyed by the limited partner. FIRRMA also provides parties to a transaction the opportunity to file voluntarily a ‘declaration’ – an abbreviated notification that should not exceed five pages in length – instead of a formal written notice of a covered transaction. CFIUS is required to conclude its review of a declaration within 30 days, offering a relatively quick means for transaction parties to receive confirmation whether CFIUS believes it has jurisdiction to review a transaction – or if, by contrast, it believes the investment fund exception applies.
R&C: In light of these developments, what key considerations do fund managers need to make?
Leiter: Fund managers should look closely at their funds, their investors and their investments. For funds, fund managers must consider whether they are poised to meet the requirements for exemption including whether they qualify as US-led and whether their fund agreements reflect the limitations required for foreign limited partners. Fund managers may begin updating agreements and side letters now to reflect the intent to qualify for an exemption, and consider the impact of exemption requirements on everything from existing advisory board composition to most favoured nations clauses. Second, fund managers should evaluate who their current foreign limited partners are, what level of state ownership or control they are subject to, and any other CFIUS risk factors they present – for example, ties to China through joint ventures. Third, fund managers should evaluate whether they have current investments in critical technology areas because certain changes to existing investments may trigger mandatory reviews.
Zucker: Even if non-US investors show a continued willingness to invest in the United States, US fund managers may be less willing to accept investments from non-US investors – or at least some non-US investors – because of the uncertainty and delay posed by a CFIUS review. In addition, US funds might be less willing to accept capital from non-US investors due to concerns that the funds’ investments might be subject to greater scrutiny depending on their non-US sources of capital – though FIRRMA does provide exceptions for investment funds, subject to certain requirements. Investment agreements defining the rights of limited partners will merit careful consideration in this regard. Funds should consider the types of information and other rights they grant foreign LPs in any fund side letters they may execute with the foreign LPs. Investors from countries like China, which CFIUS has scrutinised closely in recent years, may continue to face difficulty securing clearance for investments in a critical US business.
Keeler: Proper diligence has always been critical in any deal and this has not changed in light of FIRRMA. However, diligence efforts may need to be more robust and, in the context of certain deals, they may need to be tailored to account for FIRRMA’s expanded jurisdiction. For example, in deals that involve real estate or technology, fund managers should tailor diligence efforts to account for proximity concerns or emerging and foundational technologies. These efforts can present challenges, as the US government’s proximity concerns may not be immediately obvious – for example, top secret activities at a US military or government facility are not known to the public. Similarly, if a deal involves brand new technology, it may not be immediately clear whether it constitutes emerging or foundational technology, once defined by the Commerce Department. Fund managers also need to consider the timing of such diligence efforts. It is often critical that parties to a deal start thinking about potential CFIUS issues early on at the outset of a deal.
Michael E. Leiter, Skadden, Arps, Slate, Meagher & Flom LLP: “Even before FIRRMA, PE funds with foreign limited partners were coming under increased scrutiny by CFIUS.”
R&C: In your opinion, what does the introduction of the new law mean for the capacity of the US to protect strategic industries while remaining open to investment? How might it affect inbound PE investment in this respect?
Keeler: FIRRMA certainly enhances CFIUS’s capacity to deal with national security concerns by allowing it to tackle the changes in technology that have occurred since the legal framework was last amended over 10 years ago. Given FIRRMA’s early stages of implementation, it is not entirely clear how CFIUS will balance its new authorities while maintaining an open foreign investment environment in the US. To be sure, Chinese investment in the US has already taken a marked dive in the last two years. While US policy, vis-à-vis CFIUS, is partly the reason for this change, the Chinese government’s efforts to rein in foreign investment have also played a large role. It is worth noting that FIRRMA’s ‘findings’ emphasise the benefits of foreign investment in the US and note that the new law is intended to preserve an open investment environment. Notably, FIRRMA directs CFIUS to “continue to review transactions for the purpose of protecting national security and should not consider issues of national interest absent a national security nexus”.
Zucker: FIRRMA expands government jurisdiction and makes regulatory compliance more complicated for certain transactions, especially those touching on strategic industries involving critical technologies or critical infrastructure. US companies may be less willing to accept investments from non-US investors – especially from certain countries, such as China – because of the uncertainty and delay posed by a CFIUS review. In addition, US funds might be less willing to accept capital from non-US investors due to concerns about greater scrutiny depending on their non-US sources of capital. At the same time, these changes may also provide market opportunities. For example, investors from countries under relatively less scrutiny may have a relatively easier time securing CFIUS clearance. Similarly, investors from countries of relatively greater concern might move toward opportunities involving US industries that are less associated with critical technologies or critical infrastructure.
Leiter: FIRRMA itself states that the US maintains an open investment policy, and CFIUS has continued to reiterate this since FIRRMA’s enactment. In reality, it is difficult to draw a line that will allow a non-passive foreign investor to maximise returns on an investment in a US business without allowing any sensitive information or critical technology to flow from that business to the investor. FIRRMA, along with the Export Control Reform Act of 2018, has given CFIUS greater leeway to review transactions and to identify which technologies and industries are most critical to US national security. FIRRMA makes passive investment a more attractive option for many foreign parties looking to invest within sensitive sectors with lower regulatory risk. PE firms with foreign limited partners are likely to take steps to qualify for FIRRMA’s fund exemption rather than try to keep pace with CFIUS’ evolving application of its national security concerns.
R&C: Looking ahead, what are your predictions for PE activity under expanded CFIUS review, over the short and long term?
Zucker: Over the short-run, the new law may affect both investment and fundraising strategies of PE funds. For example, PE funds with non-US limited partners that invest in critical US businesses will have incentives to utilise the investment fund exception, shaping the size and nature of participation by non-US limited partners. Over the long term, much will depend on how CFIUS’ regulations develop in response to FIRRMA. There is uncertainty regarding some of the details, such as how CFIUS will use country-specific considerations to differentiate the levels of scrutiny and to which critical US businesses the new requirements will apply.
Leiter: In the short term, we expect PE firms to carefully review new investments in technology areas, and to be mindful of expanding existing investments in sensitive areas. Many PE firms are also already looking at their fund agreements and seeking to revise them to comply with anticipated exemption requirements. In the longer term, once CFIUS has completed its full rulemaking under FIRRMA, PE funds with investments from sovereign wealth funds or other foreign government-controlled investors are especially likely to change their structure to benefit from the US fund exemption or at least not to be subject to mandatory declarations. For those PE firms that ultimately qualify for exemption, we expect to see a greater number of foreign limited partners investing through their structures. PE firms that engage experts and do the legwork to understand FIRRMA and address CFIUS’ concerns are most likely to benefit from continuing foreign investment.
Keeler: In the short term, there is likely to be more uncertainty as CFIUS rolls out new regulations under FIRRMA. This could result in more reluctance on the part of investors to pursue deals in an uncertain regulatory environment. At the same time, investors may also view this interim period as an opportunity to close deals before CFIUS fully implements its expanded authorities under FIRRMA. In the long term, PE activity will likely normalise as investors acclimate to the new regulatory landscape. It is possible that PE funds will adjust to take advantage of the new exemption, which could lead to a normal level of PE activity.
EDITORIAL PARTNERS
EDITORIAL PARTNER
Acuris Risk Intelligence
www.acuris.com
Acuris Risk Intelligence helps organisations to build safer business relationships. The firm combines human expertise with a world-class compliance dataset, and makes this intelligence available to subscribers in a way that suits how they operate. Using Acuris services, subscribers can manage risk and compliance in real time, with minimal effort. A trusted and independent provider of data intelligence for anti-money laundering (AML), anti-corruption and cyber security professionals, the firm provides a powerful overview and enhanced risk management service, as well as a unique database exceeding all expectations.
KEY CONTACT
Nick Parfitt
Head of Market Planning
London, UK
T: +44 (0)20 3741 1200
EDITORIAL PARTNER
Crowe
www.crowe.com
For almost 100 years, Crowe has been making smart decisions for multinational clients working across borders. Crowe’s leaders work with governments, regulatory bodies and industry groups to shape the future of the profession worldwide. Their exceptional knowledge of business, local laws and customs provides lasting value to clients undertaking international projects. Crowe provides global reach on a personal scale. Firms are focused on the future and the client experience, working with clients to build something valuable, substantial, and enduring. At Crowe, our professionals all share one commitment: to deliver excellence.
KEY CONTACTS
David Chitty
International Accounting & Audit Director
New York, NY, US
T: +1 (212) 808 2027
Steve Gale
Partner, Head of Partner
London, UK
T: +44 (0)20 7842 7262
Jennifer Knecht
Partner
Indianapolis, IN, US
T: +1 (317) 706 2697
EDITORIAL PARTNER
Edelman
www.edelman.com
At Edelman, critical issues, reputation risk and crisis management is not a resource that lies dormant until called into battle reactively by a situation or event. Instead, we implement an ongoing process of creating a strong foundation to protect reputational asset value. Using data and analytics, we build a strategic framework based on your brand’s positive, day-to-day public associations, strengthening your reputation to survive and flourish in the ‘age of constant crisis.’ Our connected global network of experts is available to supply insights and counsel at any time and provide personal service and custom solutions.
KEY CONTACT
Harlan Loeb
Global Practice Chair, Crisis & Reputation Risk Advisory
Chicago, IL, US
T: +1 (312) 240 2624
EDITORIAL PARTNER
FTI Consulting
www.fticonsulting.com
FTI Consulting’s Financial Services (FS) practice works with clients ranging from high street banks, investment banks and insurance companies, to the newer challenger banks, online gaming firms and casinos. We help clients to navigate often complex challenges with their regulators. We also assist regulators with investigations and thematic reviews often relating to financial crime, fraud, corruption and bribery. Our team works with FS firms both ahead of and during such regulatory episodes, to help implement robust governance, policies, procedures, controls and systems. FTI Consulting’s technology expertise is key – either when back-testing transactional data or when designing solutions to onerous management information and reporting requirements.
KEY CONTACTS
Jamilia Parry
Managing Director, Financial Crime, Governance and Conduct, EMEA
London, UK
T: +44 (0)20 3727 1417
Andrew Pimlott
Senior Managing Director, Financial Crime and Investigative Analytics, EMEA
London, UK
T: +44 (0)20 3727 1285
EDITORIAL PARTNER
KPMG
www.kpmg.com
KPMG is a global network of professional services firms providing audit, tax and advisory services. We operate in 154 countries and territories and have 197,263 people working in member firms around the world. KPMG’s industry focus allows our professionals to develop a rich understanding of their clients’ businesses and the insight, skills and resources required to address industry specific issues and opportunities. A worldwide presence, KPMG continues to build on its success thanks to a clear vision, defined values and, above all, its people.
KEY CONTACTS
Greg Matthews
Partner, Advisory, Operations & Compliance Risk
New York, NY, US
T: +1 (212) 954 7784
Jorge Blanco
Principal, Advisory
New York, NY, US
T: +1 (212) 872 2173
Jon Dowie
Partner, Financial Services Consulting
London, UK
T: +44 (0)20 7311 5295
EDITORIAL PARTNER
Nasdaq
www.nasdaq.com
Nasdaq is a diversified technology provider for thousands of global firms and the leading technology and information services provider to the capital markets. Its global trading and market service business has become a significant part of our client offerings. Founded in 1971, Nasdaq focuses on synchronising and optimising market movement – an essential principle in the growth of business economies. With a high level of infrastructure, tools and strategic insight, Nasdaq is acclaimed for its top-rated data offerings and for the Nasdaq 100 – home to many of the world’s most heralded securities.
KEY CONTACTS
Taras Chaban
Vice President, Global Head of Buy Side Solutions
London, UK
Paul Young
Associate Vice President, Head of Product, Buy Side
London, UK
EDITORIAL PARTNER
Navigant Consulting
www.navigant.com
Navigant Consulting is a specialised, global professional services firm that helps clients take control of their future. Navigant’s professionals apply deep industry knowledge, substantive technical expertise, and an enterprising approach to help clients build, manage and protect their business interests. With a focus on markets and clients facing transformational change and significant regulatory or legal pressures, the firm primarily serves clients in the healthcare, energy and financial services industries. Across a range of advisory, consulting, outsourcing and technology and analytics services, Navigant’s practitioners bring sharp insight that pinpoints opportunities and delivers powerful results.
KEY CONTACTS
Salvatore LaScala
Managing Director
New York, NY, US
T: +1 (212) 554 2611
Alma Angotti
Managing Director
London, UK
T: +44 (0)738 702 730
EDITORIAL PARTNER
SAI Global
www.saiglobal.com
SAI Global helps companies take a more integrated approach to managing risk. Our world-class solutions and renowned team of experts provide advice at every step, ensuring companies have the information they need to make the decisions required to protect and grow their businesses and their reputation. We have global reach with locations across Europe, the Middle East, Africa, the Americas, Asia and the Pacific, powered by local expertise and knowhow.
KEY CONTACT
Rebecca Turco
Vice President of Learning
Boston, MA, US
EDITORIAL PARTNER
SAS
www.sas.com
SAS is the leader in analytics. Through innovative software and services, SAS empowers and inspires customers around the world to transform data into intelligence. SAS solutions are used by more than 3500 financial institutions worldwide, including 97 percent of the banks on the Fortune Global 500.
KEY CONTACT
Thomas Kimner
Director, Global Risk Marketing and Operations
Washington, DC, US
T: +1 (919) 531 1410
EDITORIAL PARTNER
Zinser, Esponda and Gómez Mont
www.zegm.mx
Zinser, Esponda and Gómez Mont is one of Mexico’s leading law firms in the area of white-collar criminal defence and prosecution. Its experience in both local and international matters has made it the firm of choice for financial institutions, international corporations with interests in Mexico, and high-profile individuals. Zinser, Esponda and Gómez Mont has a long history of representing institutions and individuals in complex criminal cases, providing advice on strategic matters and cross-border issues involving anti-corruption and criminal compliance. Its white-collar practice includes advice and representation in criminal investigations and trials involving allegations of tax, securities and bank fraud.
KEY CONTACTS
Alejandro Hernández Oseguera
Partner
Naucalpan de Juárez, Mexico
T: +52 55 5202 8610
Alberto Zinser Cieslik
Founding Partner
Naucalpan de Juárez, Mexico
T: +52 55 5202 8610
ORGANISATION
ICSA: The Governance Institute
www.icsa.org.uk
ICSA: The Governance Institute is the professional body for governance. With over 125 years’ experience working with regulators and policymakers, the organisation supports its members across all sectors of the economy, including large corporates, SMEs, the public sector, charities, sports bodies and academies. ICSA is the only organisation to confer chartered secretary status on those who are suitably qualified and experienced. Established in 1891, the knowledge and expertise of ICSA is rooted in history and continues to lead current thinking and practice. ICSA’s stated guiding values are openness, integrity and authority.
Peter Swabey
Policy and Research Director
London, UK
T: +44 (0)20 7612 7014
ORGANISATION
ISACA
www.isaca.org
Now in its 50th anniversary year, ISACA is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by information and technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organisations. With a presence in 188 countries, including more than 220 chapters worldwide and offices in both the US and China, ISACA leverages the expertise of its 460,000 engaged professionals – including its 140,000 members – in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI Institute.
Sandeep Godbole
Past President of ISACA Pune Chapter
Pune, India