Writing Sample #2
Trends in Corporate Compliance
1. Governance
The predominant trends in the realm of corporate compliance governance are the move
toward greater horizontal consolidation under chief compliance officers (CCO) and
compliance committees and the steady increase in the size of compliance department
budgets.
a. Chief compliance officers
The duties of the CCO include defining and disseminating internal compliance policies (handbooks and best practices), training, risk and effectiveness measurement (metrics and scorecards), and overseeing internal investigations and audits. According to a 2014 worldwide survey conducted by Deloitte and Compliance Week, the number of companies with a CCO had increased from 37 percent to 50 percent since the previous year.1 Another study by PricewaterhouseCoopers of US and UK companies found that number to be 80 percent.2 The degree of independence and scope of responsibility conferred upon the CCO varies, although the trend is toward greater levels of both. Larger companies, for example, are more likely to employ a standalone CCO.3 When the CCO is not a standalone position, its duties are most often held by the general counsel.4 CCOs are increasingly answering directly to CEOs and are less and less likely to be answering to boards or incorporated within legal departments and answering to the general counsel.5, 6
b. Compliance committees
In addition to CCOs, companies are increasingly consolidating various compliance functions into cross-functional compliance committees to oversee operations throughout the company.7 In the US and UK, 60 percent have in place a specially designated compliance committee—although this is essentially unchanged from 2012—and more regulated sectors are more likely to have separate compliance committees.8 These committees can range in size from a handful of individuals to multiple committees operating under a governing board.9 Forty-five percent of worldwide respondents report having a compliance staff of under five people, 41 percent report a staff of six to 50, and 12 percent say more than 50.10
While most organizations with standalone compliance departments head these departments with CCOs, compliance committees seldom have very much decision-making authority pertaining to the allocation of company resources.11
1 http://www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/governance-regulatory-risk-strategies/center-regulatory/511fb48847af5410VgnVCM3000003456f70aRCRD.htm#.U-POyFTNgdU
2 www.pwc.com/us/en/risk-management/assets/soc-survey-2013-final.pdf
3 69 percent of companies with at least $50 billion (USD) in revenue, 57 percent of companies with between $10 and $50 billion, and 39 percent of companies with under $1 billion. Deloitte
4 http://www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/governance-regulatory-risk-strategies/center-regulatory/511fb48847af5410VgnVCM3000003456f70aRCRD.htm#.U-POyFTNgdU
5 www.pwc.com/us/en/risk-management/assets/soc-survey-2013-final.pdf
6 Although between 2013 and 2014, the number of CCOs globally reporting to the CEO or the board actually declined from 50 percent to 44 percent, due partially to statistical noise. http://www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/governance-regulatory-risk-strategies/center-regulatory/511fb48847af5410VgnVCM3000003456f70aRCRD.htm#.U-POyFTNgdU
7 http://discover.byallaccounts.com/15-Compliance-Trends-2014-WP-Gen-REG.html
8 www.pwc.com/us/en/risk-management/assets/soc-survey-2013-final.pdf
c. Compliance budgets
The portion of company resources allocated to compliance has been steadily rising, although recent indicators suggest that the size of compliance budgets still lags behind the rising demand for compliance services.12 Forty percent of compliance budgets, including salaries, in the US and UK are under $1 million (USD).13 The number of companies whose budgets are expected to increase next year and those whose budgets are expected to stay the same are nearly evenly split; the number who expect to spend less on compliance is negligible.14
2. Accountability
Other areas of foreseen evolution are in risk management and effectiveness
measurement, where the tide is likely to turn more toward the use of external systems of
accountability.
a. Third party risk management
According to CCOs worldwide, third party risk is the greatest area of concern going forward, with 85 percent saying that they are currently in a process of reassessment regarding the management of their relationships with third parties.15 While this will, to a small extent, lead to the resorption of certain outsourced corporate functions (so say 5 percent of respondents), the more likely progression is toward stricter oversight of third party relationships. Currently, there is an overreliance on passive methods like simply distributing codes of conduct to third parties or incorporating anticorruption language in contracts as the sole means of risk management, with only 17 percent of companies reporting that they conduct background checks regularly and only 16 percent regularly conducting compliance training for third parties.16 This portends a turn toward greater monitoring of third-party risk in the future, which will be a component of the turn toward more effective risk monitoring and measurement of compliance program effectiveness generally.
9 Id.
10 http://www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/governance-regulatory-risk-strategies/center-regulatory/511fb48847af5410VgnVCM3000003456f70aRCRD.htm#.U-POyFTNgdU
11 www.pwc.com/us/en/risk-management/assets/soc-survey-2013-final.pdf
12 http://www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/governance-regulatory-risk-strategies/center-regulatory/511fb48847af5410VgnVCM3000003456f70aRCRD.htm#.U-POyFTNgdU
13 Id.
14 Id.
15 Id.
16 Id.
b. Effectiveness measurement
There are two trends that will redefine the way companies measure the effectiveness of their programs: a turn toward greater use of risk-based auditing and a turn toward external metrics.
i. Risk-based auditing
Presently among American and British companies, there has been a tendency to rely on internal measures like training, hotline calls, and surveys that fail to assess specific risks, including corruption and data security, and that instead are designed to assess overall compliance.17 Increasingly, however, the move has been toward greater use of internal compliance audits, which, while not the most timely mechanism for measuring effectiveness, are geared toward measuring these specific risks.18 The next step, then, will be to design metrics to gauge the effectiveness of these compliance audits at managing specific risks.19
ii. External metrics
The use of metrics generally has been on the upswing, as only 23 percent of companies globally report failing to use any metrics at all, down from 38 percent four years ago.20 Most companies currently rely on internal metrics—namely by analyzing data from the aforementioned internal accountability systems—as the primary apparatus for measuring the effectiveness of their compliance programs, but this will likely change in the future as greater emphasis is placed on external metrics such as independent evaluations, benchmarking studies, regulatory review analyses, etc.21, 22
17 www.pwc.com/us/en/risk-management/assets/soc-survey-2013-final.pdf
18 Id.
19 Id.
20 http://www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/governance-regulatory-risk-strategies/center-regulatory/511fb48847af5410VgnVCM3000003456f70aRCRD.htm#.U-POyFTNgdU
21 Currently, over 70 percent of respondents report using internal metrics, with under 45 percent reporting that they use external ones. Id.
22 Id.
3. Technology
Changes in technology and social media are dramatically reshaping the face of corporate compliance, both in terms of the sophistication of the oversight tools available to compliance departments and regulators and in terms of the compliance challenges posed by the increasing potential for pitfalls in digital privacy and data security.
a. Oversight tools
Increasingly, regulators are expecting compliance departments to harness the tools of social media and technology to enhance their risk management and internal compliance operations.23 This is due in part to regulators and auditors themselves becoming more reliant on emerging technologies.24 However, as yet, the use of technology and social media for compliance purposes lags behind its potential for exploitation. In the US and UK, new technologies are used just as often for such traditional functions as document management (51 percent), training (71 percent), and employee surveys (53 percent) as for measuring the effectiveness of compliance functions like compliance audits (71 percent), training data (65 percent), and risk assessment results (65 percent).25
b. Social media
In the UK, social media is used primarily for communicating with the public about compliance and ethics developments, as opposed to being used as a tool to monitor risk (although the US embraces this latter function to a greater degree than the UK).26 The extension of the use of social media beyond public relations toward monitoring risky behavior and attitudes is likely to accelerate in the near future.27 The mechanisms for employing social media—and “big data” analytics generally—to this end will include filtering through data (including online social media conversations), detecting risk patterns, and using these patterns to forecast future risk.28, 29 “Big data” will also be important for enhancing external metrics for measuring compliance program effectiveness.30
c. “Bring your own devices”
Part of the compliance challenge posed by technology manifests itself in the proliferation of “bring your own devices” (BYOD) like smartphones and tablets, making it imperative for compliance and IT departments to widen the scope of their efforts beyond traditional company network devices. These devices are democratizing by nature and render it more difficult for companies to maintain control over their data, inevitably raising difficult questions about employee privacy and employer liability. These questions include, specifically, whether it is appropriate to extend the traditional monitoring, restriction, and security mechanisms of company computers to BYODs, including whether it is appropriate to wipe an employee’s stolen device clean in order to protect company data.31
23 http://discover.byallaccounts.com/15-Compliance-Trends-2014-WP-Gen-REG.html
24 Id.
25 www.pwc.com/us/en/risk-management/assets/soc-survey-2013-final.pdf
26 Id.
27 http://www.xconomy.com/san-francisco/2013/12/26/4-tech-trends-will-impact-risk-compliance-efforts-2014/
28 In the IT field, this will take the form of aggregating data from vulnerability scanners, fraud detectors, identity access management systems, and threat advisory feeds to calculate and forecast risk and head off threats. Id.
29 Id.
30 http://www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/governance-regulatory-risk-strategies/center-regulatory/511fb48847af5410VgnVCM3000003456f70aRCRD.htm#.U-POyFTNgdU
d. Digital privacy and data security in the US
However, some of this use of new technology for monitoring risk is prompted by the new technologies themselves. Although few surveyed in the US and UK anticipated significant compliance hurdles from social media, this likely reflects their unfamiliarity with the medium and therefore underscores the scale of the challenge.32 Yet in the US, regulators are ahead of the game: the private self-regulatory Financial Industry Regulatory Authority (FINRA), the Federal Financial Institutions Examination Council (FFIEC), and the Federal Trade Commission (FTC) have all responded to the hazards to data integrity and security posed by social media (as evinced by recent incidents involving popular social media platforms like Twitter and Snapchat) and have accordingly issued their own social media guidelines.33 Companies too will have to respond to the heightened risk by ramping up their cybersecurity operations, including by increasing monitoring of internet and social media activity and investing in strengthening their security resources and protocols.34 Various legislative proposals have been put forward to address privacy concerns and data breaches, but few formal regulations. These proposals include a Consumer Privacy Bill of Rights, whose principles include transparency, respect for context, security, access, and accountability, and a data breach notification law.35 As datasets become increasingly comprehensive—and therefore valuable—they become increasingly vulnerable to hacking. Legislative remedies to this problem vary, but one way forward is through stringent notification requirements for companies to inform victims of data breaches. These requirements can be very burdensome, so it is in companies’ best interests to invest in adequate data security measures and data insurance protection to prevent the need for such notifications.36
e. Digital privacy and data security in the EU
In the European Union, on the other hand, recent activity has changed the compliance landscape for data security. The case Google Spain v. Costeja established the “right to be forgotten” for data processing companies in member states, including search engines, citing the 1995 Data Protection Directive. Recently, a proposal passed the European Parliament (now awaiting passage by the European Council) to update the 1995 law and consolidate the 28 national supervisors into one supranational supervisor, codify the right to be forgotten and the right to transfer one’s personal data between service providers, and require consent for data processing, data protection safeguards, and data breach notification.37
31 Id.
32 www.pwc.com/us/en/risk-management/assets/soc-survey-2013-final.pdf
33 http://www.xconomy.com/san-francisco/2013/12/26/4-tech-trends-will-impact-risk-compliance-efforts-2014/?single_page=true
34 Id.
35 https://ipp.mit.edu/sites/default/files/documents/MITBigDataPrivacyComments.pdf
36 http://www.feinstein.senate.gov/public/index.cfm/2014/1/senators-introduce-data-security-bill-to-protect-against-data-breaches
4. Regulatory environment
The enhanced regulatory consciousness of social media at FINRA, the FFIEC, and the FTC marks only one way in which the changing regulatory environment in the US and beyond has begun to pose new challenges for compliance departments worldwide. In the US, for example, there has notably been significant new federal regulatory activity in a number of different sectors, including healthcare and the environment, but in both Europe and the US in the wake of the 2008 financial crash, there has been significant transformation in one sector in particular: financial services.
a. Financial services
i. The Securities and Exchange Commission
In the United States, recent changes at the Securities and Exchange Commission (SEC) are a harbinger of the need for companies to recalibrate their approach to compliance. The SEC is likely to pursue stricter enforcement in coming years due to both political pressure and the professed agenda of Chairwoman Mary Jo White, who supports imposing treble damages, greater targeting of individuals, seeking the inclusion of admissions of responsibility in settlements, and broadening coverage to include the whole market, including investment advisors to hedge funds, private equity funds and mutual funds.38 The SEC is also committing to a crackdown on recidivism and pursuing enforcement actions against failures to address deficiencies, even when clients are not directly harmed by the deficiencies.39 It is also placing greater emphasis on ensuring that firms dually registered as investment advisors and broker-dealers have in place sufficient safeguards against conflicts of interest.40 Additionally, the continued implementation of the Dodd-Frank Wall Street Reform and Consumer Protection Act’s whistleblower compensation provision for the SEC shall continue to spur greater and greater enforcement action.41
ii. The European Banking Authority
The European Banking Authority, established in 2010, centralizes financial regulatory oversight and harmonizes banking rules under a “single rulebook” at the EU level. Regulatory harmonization reduces compliance costs by reducing duplications and inconsistencies. The US is seeing more regulatory harmonization too, but less in the form of consolidation of regulators than in consolidation of regulations (and less in the form of supranational regulation). Cooperation among national regulators for achieving harmonization is not as effective as consolidation under a supranational regulator. Supranational regulators are also less susceptible to political capture than national regulators.42
37 http://www.telegraph.co.uk/technology/internet-security/10692265/Europe-backs-stronger-data-protection-rules.html
38 http://discover.byallaccounts.com/15-Compliance-Trends-2014-WP-Gen-REG.html
39 Id.
40 Id.
41 http://www.marketwired.com/press-release/Compliance-Week-Announces-Top-5-Global-Compliance-Trends-to-Watch-in-2013-1744480.htm
42 Luca Martino Levi, The European Banking Authority: Legal Framework, Operations and Challenges Ahead, 28 Tul. Eur. & Civ. L.F. 51, 55 (2013)