Writing Sample #2

Trends in Corporate Compliance

1. Governance

The predominant trends in corporate compliance governance are the move toward greater horizontal consolidation under chief compliance officers (CCOs) and compliance committees, and the steady increase in the size of compliance department budgets.

a. Chief compliance officers

The duties of the CCO include defining and disseminating internal compliance policies (handbooks and best practices), training, risk and effectiveness measurement (metrics and scorecards), and overseeing internal investigations and audits. According to a 2014 worldwide survey conducted by Deloitte and Compliance Week, the share of companies with a CCO had increased from 37 percent to 50 percent since the previous year.[1] Another study, by PricewaterhouseCoopers, of US and UK companies put that figure at 80 percent.[2] The degree of independence and the scope of responsibility conferred upon the CCO vary, although the trend is toward greater levels of both. Larger companies, for example, are more likely to employ a standalone CCO.[3] When the CCO is not a standalone position, its duties are most often held by the general counsel.[4] CCOs increasingly answer directly to the CEO and are less and less likely to answer to the board or to sit within the legal department and answer to the general counsel.[5][6]

b. Compliance committees

In addition to CCOs, companies are increasingly consolidating various compliance functions into cross-functional compliance committees that oversee operations throughout the company.[7] In the US and UK, 60 percent have a specially designated compliance committee (essentially unchanged from 2012), and more heavily regulated sectors are more likely to have separate compliance committees.[8] These committees range in size from a handful of individuals to multiple committees operating under a governing board.[9] Forty-five percent of worldwide respondents report a compliance staff of under five people, 41 percent report a staff of six to 50, and 12 percent report more than 50.[10] While most organizations with standalone compliance departments place a CCO at their head, compliance committees seldom have much decision-making authority over the allocation of company resources.[11]

c. Compliance budgets

The portion of company resources allocated to compliance has been rising steadily, although recent indicators suggest that compliance budgets still lag behind the rising demand for compliance services.[12] Forty percent of compliance budgets, including salaries, in the US and UK are under $1 million (USD).[13] Companies whose budgets are expected to increase next year and those whose budgets are expected to stay the same are nearly evenly split; the number expecting to spend less on compliance is negligible.[14]

2. Accountability

Other areas in which evolution is foreseen are risk management and effectiveness measurement, where the tide is likely to turn toward external systems of accountability.

a. Third party risk management

According to CCOs worldwide, third party risk is the greatest area of concern going forward, with 85 percent saying that they are currently reassessing how they manage their relationships with third parties.[15] While this will, to a small extent, lead to the reabsorption of certain outsourced corporate functions (so say 5 percent of respondents), the more likely progression is toward stricter oversight of third party relationships. Currently there is an overreliance on passive methods, such as simply distributing codes of conduct to third parties or incorporating anticorruption language in contracts, as the sole means of risk management: only 17 percent of companies report regularly conducting background checks, and only 16 percent regularly conduct compliance training for third parties.[16] This portends a turn toward greater monitoring of third-party risk, which will be one component of a broader turn toward more effective risk monitoring and measurement of compliance program effectiveness generally.

b. Effectiveness measurement

Two trends will redefine the way companies measure the effectiveness of their programs: a turn toward greater use of risk-based auditing and a turn toward external metrics.

i. Risk-based auditing

Among American and British companies there has been a tendency to rely on internal measures such as training, hotline calls, and surveys, which are designed to assess overall compliance and fail to assess specific risks, including corruption and data security.[17] Increasingly, however, the move has been toward greater use of internal compliance audits, which, while not the most timely mechanism for measuring effectiveness, are geared toward measuring these specific risks.[18] The next step will be to design metrics that gauge how effective these compliance audits are at managing specific risks.[19]

ii. External metrics

The use of metrics generally has been on the upswing: only 23 percent of companies globally report using no metrics at all, down from 38 percent four years ago.[20] Most companies currently rely on internal metrics, namely analysis of data from the internal accountability systems described above, as the primary apparatus for measuring the effectiveness of their compliance programs, but this will likely change as greater emphasis is placed on external metrics such as independent evaluations, benchmarking studies, and regulatory review analyses.[21][22]

3. Technology

Changes in technology and social media are dramatically reshaping corporate compliance, both in the sophistication of the oversight tools available to compliance departments and regulators and in the compliance challenges posed by the growing potential for pitfalls in digital privacy and data security.

a. Oversight tools

Increasingly, regulators expect compliance departments to harness social media and technology to enhance their risk management and internal compliance operations.[23] This is due in part to regulators and auditors themselves becoming more reliant on emerging technologies.[24] As yet, however, the use of technology and social media for compliance purposes lags behind its potential. In the US and UK, new technologies are used just as often for traditional functions such as document management (51 percent), training (71 percent), and employee surveys (53 percent) as for measuring the effectiveness of compliance functions such as compliance audits (71 percent), training data (65 percent), and risk assessment results (65 percent).[25]

b. Social media

In the UK, social media is used primarily for communicating with the public about compliance and ethics developments rather than as a tool to monitor risk (although the US embraces the latter function to a greater degree than the UK).[26] The extension of social media use beyond public relations toward monitoring risky behavior and attitudes is likely to accelerate in the near future.[27] The mechanisms for employing social media, and "big data" analytics generally, to this end will include filtering through data (including online social media conversations), detecting risk patterns, and using those patterns to forecast future risk.[28][29] "Big data" will also be important for enhancing the external metrics used to measure compliance program effectiveness.[30]

c. "Bring your own device"

Part of the compliance challenge posed by technology manifests itself in the proliferation of "bring your own device" (BYOD) arrangements involving smartphones and tablets, making it imperative for compliance and IT departments to widen the scope of their efforts beyond traditional company network devices. These devices are democratizing by nature and make it harder for companies to maintain control over their data, inevitably raising difficult questions about employee privacy and employer liability. These questions include, specifically, whether it is appropriate to extend the traditional monitoring, restriction, and security mechanisms of company computers to BYOD devices, including whether it is appropriate to wipe an employee's stolen device clean in order to protect company data.[31]

d. Digital privacy and data security in the US

Some of this use of new technology for monitoring risk is, however, prompted by the new technologies themselves. Although few of those surveyed in the US and UK anticipated significant compliance hurdles from social media, this likely reflects their unfamiliarity with the medium and therefore underscores the scale of the challenge.[32] In the US, regulators are ahead of the game: the private self-regulatory Financial Industry Regulatory Authority (FINRA), the Federal Financial Institutions Examination Council (FFIEC), and the Federal Trade Commission (FTC) have all responded to the hazards to data integrity and security posed by social media (as evinced by recent incidents involving popular social media platforms such as Twitter and Snapchat) and have accordingly issued their own social media guidelines.[33] Companies too will have to respond to the heightened risk by ramping up their cybersecurity operations, including by increasing monitoring of internet and social media activity and investing in stronger security resources and protocols.[34] Various legislative proposals have been put forward to address privacy concerns and data breaches, but few have become formal regulations. These proposals include a Consumer Privacy Bill of Rights, whose principles include transparency, respect for context, security, access, and accountability, and a data breach notification law.[35] As datasets become increasingly comprehensive, and therefore valuable, they become increasingly attractive targets for attackers. Legislative remedies to this problem vary, but one way forward is through stringent requirements that companies notify the victims of data breaches. These requirements can be very burdensome, so it is in companies' best interests to invest in adequate data security measures, which reduce the likelihood of a notifiable breach, and in insurance protection, which offsets the cost of one.[36]

e. Digital privacy and data security in the EU

In the European Union, by contrast, recent activity has changed the compliance landscape for data security. The case Google Spain v. Costeja, citing the 1995 Data Protection Directive, established a "right to be forgotten" binding on data processing companies in member states, including search engines. Recently, a proposal passed the European Parliament (and now awaits passage by the Council of the European Union) to update the 1995 law: it would consolidate the 28 national supervisors into one supranational supervisor, codify the right to be forgotten and the right to transfer one's personal data between service providers, and require consent for data processing, data protection safeguards, and data breach notification.[37]

4. Regulatory environment

The enhanced regulatory consciousness of social media at FINRA, the FFIEC, and the FTC marks only one way in which the changing regulatory environment in the US and beyond has begun to pose new challenges for compliance departments worldwide. In the US, for example, there has been significant new federal regulatory activity in a number of sectors, including healthcare and the environment, but in both Europe and the US, in the wake of the 2008 financial crash, one sector in particular has seen significant transformation: financial services.

a. Financial services

i. The Securities and Exchange Commission

In the United States, recent changes at the Securities and Exchange Commission (SEC) are a harbinger of the need for companies to recalibrate their approach to compliance. The SEC is likely to pursue stricter enforcement in coming years owing to both political pressure and the professed agenda of Chairwoman Mary Jo White, who supports imposing treble damages, greater targeting of individuals, seeking admissions of responsibility in settlements, and broadening coverage to the whole market, including investment advisors to hedge funds, private equity funds, and mutual funds.[38] The SEC is also committing to a crackdown on recidivism and to pursuing enforcement actions over failures to address deficiencies, even when clients are not directly harmed by those deficiencies.[39] It is also placing greater emphasis on ensuring that firms dually registered as investment advisors and broker-dealers have sufficient safeguards against conflicts of interest.[40] Additionally, continued implementation of the whistleblower compensation provision of the Dodd-Frank Wall Street Reform and Consumer Protection Act will continue to spur more SEC enforcement actions.[41]

ii. The European Banking Authority

The European Banking Authority, established in 2010, centralizes financial regulatory oversight and harmonizes banking rules under a "single rulebook" at the EU level. Regulatory harmonization reduces compliance costs by reducing duplication and inconsistency. The US is seeing more regulatory harmonization too, but less in the form of consolidation of regulators than in consolidation of regulations (and less in the form of supranational regulation). Cooperation among national regulators to achieve harmonization is not as effective as consolidation under a supranational regulator, and supranational regulators are also less susceptible to political capture than national regulators.[42]

[1] http://www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/governance-regulatory-risk-strategies/center-regulatory/511fb48847af5410VgnVCM3000003456f70aRCRD.htm#.U-POyFTNgdU
[2] www.pwc.com/us/en/risk-management/assets/soc-survey-2013-final.pdf
[3] 69 percent of companies with at least $50 billion (USD) in revenue, 57 percent of companies with between $10 and $50 billion, and 39 percent of companies with under $1 billion. Deloitte (note 1).
[4] http://www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/governance-regulatory-risk-strategies/center-regulatory/511fb48847af5410VgnVCM3000003456f70aRCRD.htm#.U-POyFTNgdU
[5] www.pwc.com/us/en/risk-management/assets/soc-survey-2013-final.pdf
[6] Although between 2013 and 2014 the share of CCOs globally reporting to the CEO or the board actually declined from 50 percent to 44 percent, due partly to statistical noise. http://www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/governance-regulatory-risk-strategies/center-regulatory/511fb48847af5410VgnVCM3000003456f70aRCRD.htm#.U-POyFTNgdU
[7] http://discover.byallaccounts.com/15-Compliance-Trends-2014-WP-Gen-REG.html
[8] www.pwc.com/us/en/risk-management/assets/soc-survey-2013-final.pdf
[9] Id.
[10] http://www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/governance-regulatory-risk-strategies/center-regulatory/511fb48847af5410VgnVCM3000003456f70aRCRD.htm#.U-POyFTNgdU
[11] www.pwc.com/us/en/risk-management/assets/soc-survey-2013-final.pdf
[12] http://www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/governance-regulatory-risk-strategies/center-regulatory/511fb48847af5410VgnVCM3000003456f70aRCRD.htm#.U-POyFTNgdU
[13] Id.
[14] Id.
[15] Id.
[16] Id.
[17] www.pwc.com/us/en/risk-management/assets/soc-survey-2013-final.pdf
[18] Id.
[19] Id.
[20] http://www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/governance-regulatory-risk-strategies/center-regulatory/511fb48847af5410VgnVCM3000003456f70aRCRD.htm#.U-POyFTNgdU
[21] Currently, over 70 percent of respondents report using internal metrics and under 45 percent report using external ones. Id.
[22] Id.
[23] http://discover.byallaccounts.com/15-Compliance-Trends-2014-WP-Gen-REG.html
[24] Id.
[25] www.pwc.com/us/en/risk-management/assets/soc-survey-2013-final.pdf
[26] Id.
[27] http://www.xconomy.com/san-francisco/2013/12/26/4-tech-trends-will-impact-risk-compliance-efforts-2014/
[28] In the IT field, this will take the form of aggregating data from vulnerability scanners, fraud detectors, identity and access management systems, and threat advisory feeds to calculate and forecast risk and head off threats. Id.
[29] Id.
[30] http://www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/governance-regulatory-risk-strategies/center-regulatory/511fb48847af5410VgnVCM3000003456f70aRCRD.htm#.U-POyFTNgdU
[31] Id.
[32] www.pwc.com/us/en/risk-management/assets/soc-survey-2013-final.pdf
[33] http://www.xconomy.com/san-francisco/2013/12/26/4-tech-trends-will-impact-risk-compliance-efforts-2014/?single_page=true
[34] Id.
[35] https://ipp.mit.edu/sites/default/files/documents/MITBigDataPrivacyComments.pdf
[36] http://www.feinstein.senate.gov/public/index.cfm/2014/1/senators-introduce-data-security-bill-to-protect-against-data-breaches
[37] http://www.telegraph.co.uk/technology/internet-security/10692265/Europe-backs-stronger-data-protection-rules.html
[38] http://discover.byallaccounts.com/15-Compliance-Trends-2014-WP-Gen-REG.html
[39] Id.
[40] Id.
[41] http://www.marketwired.com/press-release/Compliance-Week-Announces-Top-5-Global-Compliance-Trends-to-Watch-in-2013-1744480.htm
[42] Luca Martino Levi, The European Banking Authority: Legal Framework, Operations and Challenges Ahead, 28 Tul. Eur. & Civ. L.F. 51, 55 (2013).