COMPLIANCE CONVERGENCE: THE NEW NORMAL

LOUIS SAPIRMAN, CCO DUN & BRADSTREET

TOM FOX, THE COMPLIANCE EVANGELIST

SCCE 2017 Compliance and Ethics Institute, October 16, 2017, Las Vegas, NV

PUBLICATIONS-PARTIAL LIST

© 2015 Thomas R. Fox / Advanced Compliance Solutions All Rights Reserved


THE COMPLIANCE PODCAST NETWORK

© Thomas R. Fox / tomfoxlaw.com PC

LEGAL DISCLAIMER

• The views stated herein are solely those of the presenters and not their employer.

• Everything in this presentation is a generalization and is subject to numerous exceptions.


THE BASICS For the Lawyers

| | Who or what is regulated? | Basis for regulation | What is prohibited? |
|---|---|---|---|
| Foreign Corrupt Practices Act | people, books & records | Listing of company’s securities on U.S. stock exchange, nationality (“domestic concern”) | bribes, inaccurate books and records |
| Export and Reexport controls | goods, software and technology | national origin of content | certain end uses, end users or end destinations |
| Money Laundering | people | nationality (such as citizenship, residency, physical presence, or employing or parent company) | transactions involving certain persons, countries or activities |


WHAT’S AT STAKE

WARREN BUFFETT

“It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.”


Compliance as an Essential Element of an Organization’s Culture

COMPLIANCE PROGRAMS MUST LIVE WHEREVER YOUR COMPANY OPERATES

[Map of office locations (legend: Owned Offices, Partner Offices): Marlow, UK; Miami, FL; Short Hills, NJ (HQ); Malibu, CA; Mexico City, MEX; Lima, PER; Buenos Aires, ARG; Sao Paulo, BRA; Dublin, IRL; Rotterdam, NLD; Brussels, BEL; Beijing, CHN; Shanghai, CHN; Taipei, TWN; Hong Kong, CHN; Mumbai, IND; Ho Chi Minh City, VNM; Mississauga, CAN; Tokyo, JPN; Kuala Lumpur, MYS; Singapore, MYS; Melbourne, AUS; Milan, ITA]

In 2013-2015, approximately:
- 10,000 hours on the ground
- 2 million miles traveled

HOW DO WE VIEW THE EFFECTIVENESS OF OUR PROGRAMS?

• No one-size-fits-all program - each program must be tailored to your business

• Companies need to consider a myriad of factors when making their own determination of what is appropriate for their business needs

• Your program cannot just be policies and programs on paper. Compliance programs that employ a “check-the-box” approach may be inefficient and ineffectual

• One of the best discussions of measuring the effectiveness of a compliance program comes from the FCPA Resource Guide to the U.S. Foreign Corrupt Practices Act

• Dun & Bradstreet measures each element of its programs through the 10 “Hallmarks of Effective Compliance Programs”


Dun & Bradstreet’s Building Blocks of an Effective Compliance Program (**this chart for illustrative purposes only)

1. Commitment of Senior Management
2. Code of Conduct and Policies
3. Authority, Autonomy & Resources
4. Risk Assessment
5. Training and Advice
6. Disciplinary Measures
7. Third Party Due Diligence
8. Confidential Reporting and Investigation
9. Continuous Improvement
10. Acquisition Due Diligence and Integration

Dun & Bradstreet’s Compliance Program

Social Media / Communications

Compliance & Risk Programs

Compliance & Privacy Reviews

Training Library

Independent Program Reviews

Third Party Compliance

Compliance Hotline

Compliance Fact-Finding

WHO AND WHAT TO KNOW


• Know Your Customer
• Know Your Vendor
• Know Your 3rd Party
• Know Your (JV) Partner
• Know Your Target

EXPORT AND RE-EXPORT CONTROLS

• Many countries have export and re-export controls
• Export and reexport controls are generally licensing programs.
  - The relevant government may require that a company obtain a license for:
    • Actual exports and re-exports
    • Deemed exports and re-exports


EXPORT CONTROLS

• Cuba
  - U.S. and non-U.S. persons must not engage in or facilitate transactions in Cuba or with its government, companies, residents or citizens
• Targeted Programs
  - U.S. persons must not engage in or facilitate transactions involving specific activities, persons or governments, including:
    • parties on the Specially Designated Nationals List or
    • transactions that could support terrorism or the proliferation of weapons of mass destruction
• Imports
  - All imports into the United States of goods, software or technology of Cuban, Iranian or North Korean origin

MONEY LAUNDERING

• General Principle
  - U.S. economic sanctions forbid:
    • Directly engaging in or
    • Facilitating others engaging in
    • Prohibited dealings with sanctioned countries, governments, persons or activities
  - Facilitation is
    • An expansive and indefinable legal term that has a meaning similar to “enable”.


WHAT / WHO ARE U.S. PERSONS?

Companies
• Entities legally organized in the United States (Examples: Delaware corporations, Texas LLP)

Non-U.S. branches of U.S. banks
• Almost always U.S. persons

Individuals
• U.S. citizens and U.S. legal residents
• Persons physically present in the U.S.
• Employees or other representatives of other U.S. persons

ANTI-TRUST-SECTION 1 VIOLATIONS

• Collusion among competitors
• Price-fixing
• Territory Allocations
• Bid-Rigging
• Customer Allocations


ANTI-TRUST HIGH RISK

• Sales-agents and employees. Trade meetings, industrial associations and interactions.
• JVs with competitors.
• Concentrated market - cartel activity risk increases.


Foreign Corrupt Practices Act


10 HALLMARKS

1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption
2. Code of Conduct, Written Policies and Procedures
3. Oversight, Autonomy, and Resources
4. Risk Assessment
5. CCO Autonomy, Resources & Oversight
6. Training and Continuous Advice
7. 3rd Party DD and Payments
8. Confidential Reporting and Internal Investigation
9. Continuous Improvement
10. Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration

EXPORT CONTROL COMPLIANCE PROGRAM

1. Top and Middle Management Committee.
2. Continuous Risk Assessment.
3. A written policy backed up by a procedures manual.
4. Ongoing training of employees.
5. Ongoing screening of employees, contractors, customers, products and transactions.
6. Record Keeping.
7. Periodic Audits.
8. An internal program for the reporting of violations and appropriate mechanism for escalation of any export violations.
9. Appropriate corrective actions to hold employees accountable under a progressive disciplinary program and voluntary self-disclosure.


AML PROGRAM

1. Communications and Training – specific communications and training for the high-risk market should be designed and implemented with a country-specific approach which identifies the risks and the compliance response to the risk.
2. Enhanced Controls and Review – additional controls for each policy should be implemented with greater scrutiny of auditing of expenditures.
3. Due Diligence – the hiring of third parties should be subject to even greater scrutiny than typical in the high-risk country. A conservative compliance response to any red flags is imperative.
4. Monitoring and Auditing – the monitoring of activities in a high-risk country is a key aspect of any high-risk program. Auditing of every aspect of the operation should be conducted on a regular basis.


ANTI-TRUST COMPLIANCE

• Who are my competitors?
• Where are they located?
• What is their respective market share?
• Are there any significant potential entrants to the market?
• Involved in JV(s) with competitors?


CYBERSECURITY PER DFS

• Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization;
• Risk-based minimum standards for technology systems including access controls, data protection including encryption, and penetration testing;
• Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events; and
• Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance.


COMMON RED FLAGS

• Named as a Designated Party, SDN or on any similar list.
• Connections to countries identified as non-cooperative with international efforts against money laundering.
• Providing false or misleading information.
• Refusal to disclose the nature and source of assets.
• Refusal to identify a beneficial owner.
• Acting as the agent for an undisclosed principal.
• Company address is not a physical site but a PO box.
• Use of a shell company.
• Lack of concern regarding risks or transaction costs.
• Structuring transactions to avoid reporting requirements.
• Offering to engage in transaction with no or little business justification.
• A request that funds be transferred to an undisclosed third party or in another jurisdiction.
• Any transaction designed to evade taxes.


THIRD PARTY RELATIONSHIP CHECK UP

• Do you have a list or database of all your third parties and their information?
• Have you done a risk assessment of your third parties and prioritized them by level of risk?
• Do you have a due diligence process for the selection of third parties, based on the risk assessment?
• Once the risk categories have been determined, create a written due diligence process.
• Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations?
• Is there someone in your organization who is responsible for the management of each of your third parties?
• What are “red flags” regarding a third party?


HALLIBURTON SEC FCPA SETTLEMENT


INTERSECTION OF COMPLIANCE AND SUPPLY CHAIN

1. Third Party Agent or Local Content Provider?

2. Commercial agent or vendor in the Supply Chain?

3. High-risk location requires greater scrutiny?

4. Friend of government minister or former Hal employee as key indicia?

SEXUAL HARASSMENT IS NOW A COMPLIANCE ISSUE


STRATEGIC AND TACTICAL

1. Did ‘everyone’ know?

2. Who is responsible for raising their hand?

3. I am responsible?

4. Did reporting just change forever?


QUESTIONS?