Kroll’s Jordan Strauss, Mariellen Davies-DeMarco and Alyssa Heim discuss what they view as the most significant threats to good governance and offer suggestions on how best to mitigate these risks.
The worst pandemic in over 100 years. A frail global supply chain. The temporary reduction in global government investigations and enforcement. For most firms, the current environment poses the greatest revenue challenges in a generation. And millions of people are out of work, desperate to make ends meet. Together, these ingredients paint a grim picture for the next year of compliance.
Though temporarily restrained by the same realities the rest of us face, regulators show no signs that they will look with compassion at firms that do not address compliance challenges proactively. On March 23, 2020, the U.S. Securities and Exchange Commission’s (SEC) Division of Enforcement specifically warned the industry about the potential increase in insider trading cases. The statement noted, “corporate insiders are regularly learning new material nonpublic information that may hold an even greater value than under normal circumstances.” Certain nonpublic information may be particularly meaningful given the current environment and could have a substantial impact on the price of a security. Although insider trading has always been an area of focus, the Division of Enforcement also made it clear that they intend to prioritize insider trading amidst COVID-19. Meanwhile, grand juries are starting to resume their work across the U.S., and global enforcement agencies are learning to do their work remotely. While the temporary lull in enforcement may have created a more treacherous marketplace – particularly for firms dealing with foreign counterparts – make no mistake: Enforcement will return vigorously.
The SEC guidance – and the fervor with which the U.S. Department of Justice (DOJ) is pursuing price-gouging personal protective equipment vendors – should serve as a reminder to all that while we may be working and living in extraordinary times, the expectations the law imposes on us have not changed. As with other compliance requirements, firms must continue to review their insider trading policies and procedures, remind and train employees on the policies and monitor for both employee and firm trading activities. Working remotely may make it more challenging to supervise employees, run oversight programs and monitor corporate compliance. But regulators expect the same level of oversight and diligence with a remote working environment, and the consequences for failure will be high. Although diligence has become harder, it has never been more important. What should a compliance officer be messaging up, down and over at a time like this?
First, a good compliance program is guided not only by regulatory requirements but also a comprehensive understanding of the risks a firm may face. As these risks may have changed due to the pandemic, now is a good time to complete a comprehensive risk assessment of your operations and business. Recognize that the risks you face with a remote workforce are different than they were last year, but also that remote work may mitigate some traditional risk. Refreshing your view of risk and threats is important, because remote work will change them.
Second, revisit your training, hotline and awareness programs. A few questions you should ask:
- Have the programs changed to accommodate new risks, and should they?
- Will what you had before still work, given the realities your people are living now?
- Do you have a regulatory or other requirement to prominently display whistleblower hotline phone numbers?
- Have you thought about how to fulfill this requirement while people are at home?
- Have you scrupulously analyzed how you are keeping confidential information safe and off of non-company-registered devices?
- Have you reminded your people that they should not use their personal devices, even in an emergency, to handle this sort of information?
Supervising employees can be challenging when you are not working in the same office space. However, frequent employee communication is key for monitoring their behavior and maintaining employee morale and loyalty. Staying connected can help to identify whether an employee may go rogue and if heightened supervision should be applied. Are you conducting regular anti-phishing campaigns and instituting positive controls for treasury, wire and redemption operations? If not, you may have difficulty defending yourself in the event of a future incident.
Third, make sure you are thinking about the pandemic’s tertiary effects. For many industries, COVID-19 will have a material impact on the valuation of certain investments, like commercial real estate, airplane leases and leisure investments. By not revaluing investments on an ongoing basis or neglecting to account for certain impairments, firms may be overvaluing assets and receiving higher fees than appropriate. Additionally, some firms may be less likely to allocate expenses to the firm (or management company), but rather have the client foot the bill to assist with cash flow or preservation. As such, advisers should continue to ensure multiple layers of review for valuing assets, calculating fees and determining proper expense allocations to be consistent with the terms of the client agreement or offering documents.
Rethink Due Diligence
Fourth, think carefully about your current diligence processes. Along with training and monitoring, effective due diligence forms the backbone of a healthy compliance program. Due diligence is a particular challenge (and particularly important) in these times. Global supply chains are weak and require redundancy like never before, new vendors are being onboarded quickly to facilitate shifts in business focus and time pressures are skyrocketing. Meanwhile, although many jurisdictions maintain limited online records that can be accessed remotely, many do not. Those jurisdictions that still require in-person checks of on-site records are operating with reduced staff, if they are open. And this sort of records access may not be deemed essential during periods of flare-up.
How can you conduct effective diligence when something as simple as travel to a target company site might be impossible? Due diligence is most effective when baked into the overall investment process, but its success relies largely on the interaction and exchange of information between all involved parties. That interaction has been complicated by lack of physical access to information, dispersed remote working locations and the reliance on external communication systems. Fortunately, source interviews and other sorts of background research have been conducted virtually for many years – so deep investigation is still possible. However, compliance officers should be aware of the likelihood of delays in diligence, and the absence of certain information during the pandemic.
It is not possible to completely mitigate this risk, but careful documentation and consideration of the challenge will help reduce the risk of enforcement agency misunderstanding in the future. Compliance officers should ensure that deal teams and senior leaders understand these challenges, begin conducting diligence earlier and seek additional contractual protections to provide remedies if problematic information is discovered later. Normal operating procedures will need to be tailored to adhere to post-COVID-19 SEC standards, Foreign Corrupt Practices Act requirements and Anti-Money Laundering/Combating the Financing of Terrorism guidelines issued by the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) and other financial regulators. Any modifications to internal controls will need to be documented, as legal and regulatory bodies will need to know what new processes have been implemented to ensure a company has met its legal and compliance obligations.
Re-Examine Support Services
Finally, in addition to the obvious concerns with global supply chain networks, pay constant attention to other needed support services. The increased exposure of global supply chains and third-party risk during COVID-19 and the challenges in mitigating these risks are well-documented. Companies will face some of the same difficulties when onboarding new vendors and service providers, which must be done to build redundancies and ensure resiliency against the effects of the pandemic. There may be temptation to circumvent certain internal due diligence requirements in order to expedite the onboarding of new vendors and providers; this temptation must be resisted, especially because those same vendors may have also cut corners, in response to the same financial stresses. To ameliorate this risk, a company should independently obtain and review corporate registry and ownership information, in addition to checks of government watchlists and in-depth media research in multiple languages; all of these measures can be done remotely.
In short, the post-COVID-19 world presents us with challenges that militate against a check-the-box approach to onboarding vendors and service providers. It demands creativity, a willingness to adapt and a focus on reconfiguring practices to address an inherently riskier, less convenient compliance landscape.
Remember, in all cases, it is important not just to have effective, well-thought-out, risk-driven compliance programs, but also to be able to prove that you had them. The DOJ, for example, will evaluate the effectiveness of your compliance programs at the time they were in place, when deciding the appropriate outcome for a serious problem. Document carefully and often, and make sure that you have a process in place to continually improve.
How do you prepare now? As discussed above, watch that your internal audit and oversight functions are not caught up in the budget crossfire. Given the temporary lull in enforcement, it has never been more important to not only have strong internal controls, but to be able to demonstrate to others later that these controls exist and are effective. As the global enforcement environment continues to be in a COVID-induced lull, this is particularly true for dealings with new vendors and overseas entities. In fact, a recent Association of Certified Fraud Examiners member survey shows that 72 percent of respondents expect bribery and corruption issues to increase in the next year. Senior leadership must understand that they will encounter an unforgiving enforcement environment when this is over and that any suggestion of an alleged act of corruption (or of supporting a corrupt enterprise) will be met with skepticism.
Documenting what is being done now may help later. This includes due diligence efforts, justifications for any higher-than-usual risk transactions and any variations in the way you handle taxation, reserves and fiscal reporting.
Failure to anticipate and properly address the risks discussed here is nothing less than existential. And those who believe that the laissez-faire approach that the pandemic has forced on enforcement authorities will continue will find themselves sorely disappointed (or worse) in the near future. Compliance leads must strenuously message this reality to leadership.