Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

Round-up on emerging compliance disciplines in diverse industries

Compliance programs of the last 20 years have taken the firmest roots in industries that are by definition highly regulated or in those which have the most potential for widespread damage from wrongdoing. These range from pharmaceutical companies in the former group to financial services firms in the latter group. Current trends indicate, however, that many other industries’ practices are being assertively investigated by the media, concerned citizens, and filmmakers. These investigations bring to light processes and practices that are governed by insufficient controls and often unethical cultures.

  • Doping in professional sport is under increased public scrutiny in the aftermath of scandals such as state-sponsored cheating by Russian athletes in the Olympics and the dramatic fall from grace of Lance Armstrong, who cheated without detection for years; as society deals with the fallout of these discoveries, far-reaching change in anti-doping programs is necessary:  Icarus: A Doping House of Cards Tumbles Down
  • Evolving tech company organizational culture is under fire again, this time at Google, with an employee-authored document questioning diversity initiatives going viral and suggesting that gender inequality and treatment of people of color remain systemic problems in Silicon Valley that current corporate governance systems are insufficient to address.  The employee in question was dismissed immediately, and Google leadership immediately started disclaiming the statements and apologizing, but it remains to be seen what substantive steps might be taken to actually address the root causes of this conduct and openly analyze the culture of compliance at Google.  Hopefully a self-appraising, progressive conversation can take place in Silicon Valley rather than denial of the systemic issues that lead to these events time after time: Google Employee’s Anti-Diversity Manifesto Goes ‘Internally Viral’ 
  • Cybersecurity grows all the time as a risk factor to businesses, with hackers constantly outpacing efforts to prevent their intrusions; now moving beyond breaking into office e-mail servers or ransoming files from zombie computers, these cyber-thieves are exploiting differences in national laws and vulnerable devices to rig slot machines in casinos around the world:  Meet Alex, the Russian Casino Hacker Who Makes Millions Targeting Slot  
  • Campaign finance laws are a perennial hot issue in US politics; these laws are often intended to avoid corruption and increase transparency, but with the number of committees, groups, and shell companies participating in election fundraising constantly growing, following the money is becoming harder, complicating along with it efforts to establish accountability:  Soft Money Is Back — And Both Parties Are Cashing In
  • Fascinating intersection of business and politics, with all the risks inherent in both, as consumer technology giant Samsung struggles against an increasingly complicated government relationship, intense corporate work culture, legal dramas, and public protests, despite an impressive commercial rebound:  Summer of Samsung: A Corruption Scandal, a Political Firestorm—and a Record Profit

All the foregoing represents many growth areas for the welcome expertise of compliance practitioners and a possibility to drive change toward a society that places a higher value on accountability and integrity.


Tinder and the role of compliance in fostering professionalism in start-ups

Tinder is a well-known dating app which matches users based on location and social media profile compatibility. It is infamous for its “swipe” interface where users register their reaction to potential matches by swiping right on the screen to register an interest in connecting or swiping left to dismiss.

Tinder was founded by a group of childhood and university friends, most prominent among them Sean Rad. The spirit during the early days of Tinder is presented as rowdy, social, creative, and disruptive – a start-up with a millennial energy where the fun and approachability embodied in its product was inspired by its corporate identity.

Eventually, however, friendships began to sour, the novelty started to wear off, and controversy began to take seed. One of the co-founders, Whitney Wolfe, fell out with Rad and another co-founder, Justin Mateen, and filed a lawsuit alleging discrimination, sexual harassment, and retaliation. Wolfe has gone on to found a competitor dating app, Bumble, in which only women can initiate communication with their male matches. Gender imbalance, public health, personal security, and data privacy are all major concerns which have been raised against Tinder’s operating model.

In all cases, Tinder has only been able to react to these issues, not to address them preventively. This comes down directly to the fact that Tinder has no native culture of compliance. Tinder has a start-up culture as described above – entrepreneurial, excitable, informal, and innovation-focused. In these dynamic cultures there is a tendency to eschew traditional foundations as staid, too likely to impose restrictions or rules that will stunt growth and prevent transformative achievements. All the focus goes on being fast-moving.

Indeed, the image of the plucky entrepreneur starting a business by maxing out personal credit cards and taking customer calls from the garage at home is an endearing and enduring one. However, when this start-up gets some cash and energy and scales up, often the investment is concentrated on people who will bring the product to market – engineers, designers, marketing and sales staff. The below-the-line functions – HR, operations, finance, and indeed compliance – often stay with the principals or outside vendors for as long as possible, to the detriment of the development of compliance values at the core of the organization. This may be practical to achieve profit objectives, but it’s not professional.

A forced culture of compliance will never be a natural one. In the complex business and regulatory environment today, it would be wise to include among the early employees someone who can set the stage for a genuine culture of compliance from the beginning. A company that grows up aware of compliance and ethics obligations and has an authentic, competent champion for employee integrity will not have to try to develop this later on when it may be too late for it to take genuine hold.

For a deeper look into Tinder’s roots and Rad’s growing pains, check out this story by Nellie Bowles for The California Sunday Magazine.


Compliance 101: A quick guide

As this blog intends to demonstrate, compliance is both a subject for practitioners as well as a topic of general interest that shows up in business and the news all the time. Current and historical events, popular culture, and all types of jobs touch upon compliance subjects on a daily basis. Just as the law is everywhere in life, so are regulations and questions of ethics and integrity.

However, for such a ubiquitous subject, typical awareness of compliance matters is often very low. People may be very used to asking themselves whether events they read about in the news match with their own general norms. There is often a challenge between existing rules and what may be morally acceptable. This perceived discrepancy is nuanced and can prove hard to navigate without frustration.

As a prelude, ask yourself: have you ever heard of any current events regarding compliance? Or, perhaps, have you ever encountered any problematic dilemmas in your own life, which provoked curiosity about ethical choices and integrity? These could be perhaps news stories, personal experiences, or commercial situations you have observed in work or at school. These can include moral dilemmas and “catch 22” situations where commercial interests and personal obligations collide, as well as stories of crises and scandals. What have you heard, if anything, about the meaning and function of compliance?

Generally speaking, the main definitions of compliance as a discipline include:

  • Conforming to relevant laws, regulations, principles, rules, standards, and codes of conduct applicable to an organization’s activities, in letter and in spirit, or the process of doing so. This may concern gray areas, with no strict answer or universal judgment.
  • The aspiration that informs organizations in their efforts to ensure that they are aware of, and take steps to comply with, all relevant laws and regulations. This can be both prescriptive, referring to such laws and regulations that already exist, or predictive, referring to attempts to anticipate future laws and regulations.
  • Also describes efforts to ensure that organizations are abiding by both industry regulations and government legislation. This practice area is often called regulatory compliance.
  • Finally, emphasizes acting with integrity and therefore draws heavily from the study of ethics and morality, even extending to philosophy and psychology. A modern goal of an effective compliance program is to design governance and control structures that encourage employee and organizational integrity and create disincentives against and penalties for dishonest or unethical behavior.

Typical tasks and responsibilities of a compliance professional include:

  • Advising business partners in identifying and assessing compliance risks (of legal or regulatory sanctions, material financial loss, or reputational damage) and effectively managing and mitigating these risks
  • Modeling good conduct and prescribed values of integrity and ethical behavior
  • Training employees and management on compliance matters
  • Monitoring business implementation of key compliance policies and procedures, and reporting accordingly to management on efficacy and accuracy of same
  • Coordinating regulatory stakeholder management

Now, check your impressions about what compliance means, and consider this in concrete terms and from your own perspective. Hopefully you now have a more meaningful insight into what compliance is and means in the context of both current and historical events.


Tips for e-mail handling of confidential information

To most people it’s impossible to imagine the modern office without e-mail as the primary mode of communication. With the widespread popularity of tablets and smartphones moving our e-mail accounts from our desktops to our cell phone screens and everywhere in between, the risks attendant to this ubiquitous use of e-mail are always at the forefront of compliance concerns surrounding the handling of confidential information. To handle this, ongoing controls are advisable to ensure that the flow of information is protected and restricted to sharing on a need-to-know basis only.

  • Determine recipients carefully: Recipients should be determined case-by-case by the purpose of the e-mail. Senders should also consider whether the information is intended to be used internally (for information purposes only) or also at a later stage externally (such as for promotional purposes). In general, recipients should be as limited as possible. Include broader stakeholders more remote to the work that the confidential information concerns only insofar as they are known to be interested (for example Compliance, Legal, or other functions serving the business line). Seek to avoid administrative burden on the sender to update standing lists to tailor them to a particular message, as this is where human error can lead to inadvertent dissemination.
  • Consider most appropriate method of distribution: Use individual addresses, not group mailboxes, to control the recipients, as group mailboxes can be under collective and changing ownership. Posting messages on shared, secure intranet or internet sites may be an attractive alternative to e-mails. This can help to prevent accidentally incorporating unintended recipients, but the community or site needs to be closed and carefully administered.
  • Remember strict criteria for sharing confidential information: Generally, confidential information should only be shared on a need-to-know basis, not like-to-know. Possessing confidential information should be seen as a responsibility, not a privilege, and seeking access to this information or inclusion in communications that share confidential information should be discouraged unless there is a work necessity. As a broad rule, e-mails sent to individuals or groups without first informing them of their responsibilities with handling confidential information should contain public information only.
  • Seek review/approval before dissemination: Think of clicking “send” on an e-mail as publishing the information contained within it. Are your messages up to publication standards? It would be wise to have those which contain confidential information reviewed first by business management before circulation. Management should also be comfortable seeking advice from Compliance on whether sharing the information is appropriate in terms of content or recipients if necessary.
  • Include disclaimer language regarding forwarding/use of information therein: Even with the above points considered, it still could be wise to add disclaimer language to the e-mail to discourage erroneous distribution or misuse. E-mails can easily be printed, forwarded, or copied and pasted. Standard disclosure language could be, for example: “Information in this transmission is intended only for the person(s) to whom it is directed. Any disclosure, copying, forwarding, re-publishing, or other dissemination of the information is unauthorized. No liability is accepted for any unauthorized use of the information contained herein.”

Using e-mail has become second nature to most people, but communicating confidential information always merits extra caution. Considering the above control framework can help to use e-mail more carefully and wisely to ensure that confidential information is not mishandled or inadvertently disseminated.


This week on Compliance Culture

Be sure to visit Compliance Culture this week for posts on these topics.

  • Monday: E-mails and confidential information
  • Tuesday: Compliance 101
  • Wednesday: Tinder as an example of compliance culture at start-ups
  • Thursday: Emerging compliance disciplines in diverse industries
  • Friday: Documentaries on the 2008 global financial crisis

Don’t miss it!


Margin Call and unethical crisis management in the financial services industry

The 2011 movie Margin Call focuses on the conduct of the employees of an investment bank in disaster mode. The movie takes place in the prelude to the 2008 global financial crisis. During a reduction in workforce, an analyst reveals that the firm’s predictive models are showing that its portfolio of mortgage-backed securities will soon experience losses which will exceed the highly-leveraged value of the firm and lead to its bankruptcy.

The rest of the movie centers on the behavior of the firm’s employees and senior management and the choices they make in handling this discovery. Unsurprisingly, many of them model unethical decision-making and provide cautionary examples from which governance and compliance structures can take advice for what to prevent.

  • Key man dependency and lack of transparency – The entire movie revolves around the too-late discovery of the projected losses by an analyst. His boss was working on a project to try to figure out what was wrong with the firm’s models, but he was laid off before he finished his analysis. This scenario suggests the conclusion that if the boss had not been working alone or had been sharing his work in progress sufficiently, then the problems could have been discovered earlier and the entire dilemma could have been avoided or at least mitigated. An insecure overdependence on the work of one vulnerable man and a lack of honest disclosure led to this firm’s undoing from the very start.

  • Corporate code of ethics and culture drivers – A firm’s compliance program sets a tone and provides a rules-based structure for employees. Ultimately each individual still has the freedom to make unethical or inappropriate decisions for him- or herself, but the choice architecture provided by a firm’s governance controls matters for setting expectations. Corporate enablement of immoral or unethical behavior starts at its simplest practices, such as reimbursement of expenses, especially in a business where the financial upside for compensation is immense. In a firm where an anything-goes culture reigns, the downside of this culture is also immense.

  • Tone at the top and unethical executive decision-making – In a series of overnight meetings, the firm’s senior management decides to hold a “fire sale” and dump their toxic assets to limit their own exposure by dispersing the risk through the markets and ripping off their counterparty broker-dealers. They also know that their customers will quickly realize what they are doing and be disenchanted by the deceptive sale of only their troubled mortgage-backed securities holdings. Senior management justifies and solidifies their choice to destabilize the entire market and subject counterparties and clients to losses to avoid their own bankruptcy.

  • Lack of business sustainability due to dishonest practices – By selling the toxic mortgage-backed securities to the counterparty firms which should be their trusted partners, the traders end their careers, as no one will do business with them again in the future. They are compensated handsomely with promised bonus pay-outs, but there is another large reduction in workforce once their dirty work is done. The principals of the firm plan to profit from the coming financial crisis, but their business as it was, as an investment bank, is over.

  • “It’s just money” – moral relativism as justification of unethical behavior – The CEO and chairman of the board takes an apparent long view on the actions of his firm, seeing their choice to deceptively unload toxic assets on the market in order to stem their own losses by kicking off systemic disorder, as a mere reaction. “It’s just money” is a wilful disconnection from the human and integrity costs; believing that the entire economic system is a historic construct makes wrongdoing within it blameless. However, this is not reality; financial crises have real impacts and victims, and money is not just “pieces of paper with pictures on it.”

At every turn, Margin Call exemplifies bad corporate conduct, insufficient compliance and governance controls, and unethical decision-making. This movie provides a primer as to the devolving organizational accountability that set the stage for the 2008 financial crisis.


Round-up on developments in client due diligence in the financial services industry

Client due diligence and related processes in financial services – client acceptance, know your customer, anti-money laundering, sanctions monitoring – are central to modernizing and improving compliance programs. Current trends indicate that cultural differences, technological advances, and cooperation of enforcement authorities are all driving investigation and improvement.

In the increasingly complicated global marketplace, client due diligence as a practice will continue to evolve, taking into account local practices, changes in technology, and shifting regulatory priorities.


Zappos and the ethics of change management

Zappos is a leading online retailer and presents an interesting ethics case as it copes with the challenges of remaining competitive. A remaining pioneer of the dot-com boom and now a subsidiary of Amazon, Zappos has thrived and innovated under the leadership of Tony Hsieh, and is known not only for the selection of products it offers, but also for its customer service standards and social media engagement.

Like all enduring enterprises, Zappos faces the challenge of reinventing itself to strive for longevity and sustainability. Paradoxically, one way leaders try to retain relevance and stay appealing to both customers and employees is to embrace change. The thinking often goes that fixing things before they are broken is better than turning up one day and realizing suddenly nothing works. This self-inflicted evolution can lead to positive growth and a more forward-facing structure that is built for the future, but it can also be destructive to a corporate culture that people rely on for consistency and security. In these times of change, ethical considerations taking a backseat to a lean business model is not a sustainable approach.

The 2008 financial crisis has seemingly convinced an entire generation of leaders that business has entered new, uncharted territory and leaders must continually attempt novel structural disruptions to their organizations as a response. Established companies seek to retain their footing or get a leg up on their competitors, both for customers and for employees, by reimagining management in unusual and often highly-conceptualized ways. This took shape at Zappos in 2015 via a new management structure called Holacracy. This abstract system eliminates managers and much of the corporate hierarchy in favour of esoteric, philosophical concepts and flat, self-directed leadership.

These modern visions of management seek to enfranchise the individual. However, if not carefully implemented, they can have the opposite effect. Instead, they create a leadership vacuum and a change process where no one is in charge because everyone is, at least in theory, empowered. The efforts of Zappos to reinvent itself as a flatter, evolved organization with far-out corporate-speak structures, ambitious manifestos, and abstract solutions to common sources of modern employee dissatisfaction are interesting to study but challenging to implement. At their worst, they can lead to employee disengagement and a company that proceeds rudderless, having been stripped of its long-tenured employees via voluntary leave packages and its conventions through generic, buzzword-driven processes that have no intrinsic meaning or applicability to the specific needs of that business.

Change management is a delicate process which must be grounded in a sensitivity for the humans experiencing the change and concretely connected to real considerations like individual development, pay, and productivity. Making choices about the direction of a business which affect people’s livelihoods directly cannot be done ethically if it is done experimentally. Prepared, careful communication and incremental change with absolute transparency and clarity, especially toward the way people will work and be trained and paid, is imperative to maintain integrity.

For a comprehensive look at the radical corporate reorganization efforts at Zappos and their effects on employees, Roger D. Hodge’s 2015 story for New Republic is a great read.


Enron and the mood in the middle

The Enron scandal is one of the most famous examples of modern corporate fraud and corruption. The publicity of the fraud, subsequent bankruptcy of the firm, trial of principals Kenneth Lay and Jeffrey Skilling, and the cascading negative impact on employees and shareholders form a notorious history of corporate malfeasance and misleading investors.

Enron was an energy company that dominated its market in the 1980s and 1990s. Originally involved in the distribution of electricity and natural gas and creation of the related infrastructure, through a series of mergers and acquisitions and expansions of corporate strategy, Enron extended its business into commodities trading, retail energy, water distribution, and data management. Enron was well-known for its commercial success, immense corporate wealth, and aggressive marketing and promotion strategies. Enron was also a fraud, with many of its purported assets overestimated in value or non-existent, and its immense liabilities and losses hidden in other entities so that its financial statements appeared much more positive than they ever actually were.

More has been written about the pervasively fraudulent practices that led to the Enron scandal, and the individuals and motivations behind them, than probably any other corporate bankruptcy in history. Many of the principles of, and the unfortunate justifications for, a robust compliance and ethics program can be illustrated by this case. One of the more interesting points of analysis involves the conduct of employees during the fraud and their reaction to signs they may have noticed but not reported, followed by the eventual widespread discovery of the scandal.

Professional skepticism is undervalued in many corporate cultures. Enron employees were so enchanted by the aspirational allure that the company offered that they too often became blind to risks and unethical behavior, and missed or refused the opportunity to get out or to report the fraud. Discussions over corporate governance and compliance programs often focus on “tone at the top” (senior management and supervisory boards) or the impact corporate collapses have on shareholders and the public – but a more important question is what about these employees who were there during the fraud, may have noticed signs, did not or could not do anything, and after are left with nothing but a sense of betrayal? The question of how to encourage these employees to mitigate risks or report wrongdoing, even in the face of personal loss or certain reprisals, challenges and inspires compliance professionals to strive for positive change.

This tale of corporate non-governance, as it was, demonstrates that putting compliance and ethics on the back burner in favor of commercial and competitive pursuits can have a far-reaching disastrous impact. The intersection of business and compliance will always be a tense spot, underscored by commercial pressures, cultural differences, and never-ending change. However, a closer, more understanding relationship between the two disciplines is the best path to modelling the employee conduct that is necessary for longevity and sustainability of success.

For compelling anecdotes from a personnel perspective of the Enron scandal, this 2002 article by Charles Fishman is a good read.