Compliance Chief 360 (https://compliancechief360.com/): The independent knowledge source for Compliance Officers. Feed last updated Fri, 13 Dec 2024 19:43:42 +0000.

SEC Sets Record Year in Enforcement with $8.2 Billion in Fines
https://compliancechief360.com/sec-sets-record-year-in-enforcement-with-8-2-billion-in-fines/
Fri, 13 Dec 2024 19:41:46 +0000

The Securities and Exchange Commission announced that it filed 583 total enforcement actions in fiscal year 2024, while obtaining orders for $8.2 billion in financial remedies, the highest amount in SEC history.

That record amount consisted of $6.1 billion in disgorgement and prejudgment interest, also the highest amount on record, and $2.1 billion in civil penalties, the second-highest amount on record. Approximately 56 percent of the $8.2 billion financial remedies ordered is attributable to a monetary judgment obtained following the SEC’s jury trial win against Terraform Labs and Do Kwon, who were charged with one of the largest securities frauds in U.S. history.

The 583 enforcement actions represent a 26 percent decline in total enforcement actions compared to fiscal year 2023. Of those cases, the Commission filed 431 “stand-alone” actions, 93 “follow-on” administrative proceedings, and 59 actions against issuers who were allegedly delinquent in making required filings with the SEC.

“The Division of Enforcement is a steadfast cop on the beat, following the facts and the law wherever they lead to hold wrongdoers accountable,” said outgoing SEC Chair Gary Gensler. “As demonstrated by this year’s results, the Division helps promote the integrity of our capital markets to benefit investors and issuers alike.”

Last month Gensler announced that he would step down as chair of the SEC. President-elect Donald Trump has announced that he intends to nominate former SEC Commissioner Paul Atkins, a longtime advocate of deregulation, as the next chairman of the Commission. Market watchers have said that they expect the SEC under Atkins to be far less enforcement-minded.

“He has been a strong supporter of the asset management industry and sympathizes with the challenges faced by the industry trying to comply with often-ambiguous SEC rules,” said Brad Bondi, global co-chair of the investigations and white-collar defense practice at Paul Hastings, who served as counsel to Atkins during his time at the SEC.

Protecting Investors

“In fiscal year 2024, the Division continued to vigorously enforce the federal securities laws by recommending to the Commission high-impact enforcement actions addressing noncompliance throughout the securities industry and resulting in robust financial remedies,” said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement. “What our numbers do not reflect, however, are countless investigations that may not have resulted in an enforcement action for evidentiary or other reasons, or where we declined to pursue an enforcement action, but that shined a spotlight on potentially problematic conduct. All of this adds up to protecting innumerable investors and promoting trust in our capital markets.”

In addition, in fiscal year 2024, the SEC obtained orders barring 124 individuals from serving as officers and directors of public companies, the second-highest number of such bars obtained in a decade.

In fiscal year 2024, the SEC distributed $345 million to harmed investors, marking more than $2.7 billion returned to investors since the start of fiscal year 2021. The SEC also received 45,130 tips, complaints, and referrals in fiscal year 2024, the most ever received in one year, including more than 24,000 whistleblower tips. The SEC issued whistleblower awards totaling $255 million.

Securing Credit for Self Reporting and Cooperation

In fiscal year 2024, public companies, investment advisers, and broker-dealers self-reported or remediated securities law violations or otherwise cooperated meaningfully with the Division’s investigations, answering the Division’s call to practice a culture of proactive compliance. In response, the Division recommended, and the Commission approved, resolutions imposing reduced civil penalties or even no civil penalties, including in cases involving very large firms.

To help promote investor trust in the securities market, the Division continued and commenced a number of proactive initiatives to address issues of widespread noncompliance, including the following:

Off-Channel Communications

The Division continued its initiative to ensure that regulated entities, including broker-dealers, investment advisers, and credit ratings agencies, comply with the recordkeeping requirements of the federal securities laws. Compliance with those requirements is essential to investor protection and well-functioning markets. In fiscal year 2024, the Commission brought recordkeeping cases resulting in more than $600 million in civil penalties against more than 70 firms, including the Commission’s first cases charging recordkeeping violations against municipal advisors. Since December 2021, the initiative has resulted in charges against more than 100 firms and more than $2 billion in penalties.

Marketing Rule

The Enforcement Division’s ongoing initiative investigating non-compliance with the Marketing Rule resulted in settled charges against more than a dozen investment advisers. The firms were charged for advertising hypothetical performance to the general public without adopting and implementing policies and procedures reasonably designed to ensure that the hypothetical performance was relevant to the likely financial situation and investment objectives of the advertisement’s intended audience; using untrue or unsubstantiated statements of material fact and/or testimonials, endorsements, or third-party ratings that lacked required disclosures; and advertising misleading performance that was not fair and balanced.

Whistleblower Protection Cases

In fiscal year 2024, the Division recommended, and the Commission authorized, a series of settled enforcement actions to address violations of the Dodd-Frank whistleblower protection rule, which prohibits market participants from taking any action to impede would-be whistleblowers from contacting the SEC, including where firms purported to limit customers’ ability to voluntarily contact the SEC or required employees to waive the right to a possible whistleblower monetary award. The actions included an $18 million civil penalty against J.P. Morgan, the largest penalty on record for a standalone violation of the whistleblower protection rule.

Disclosures of Holdings and Transactions by Insiders and Investment Managers

The federal securities laws require certain insiders and market participants to disclose their securities holdings and transactions. Compliance with those laws is essential for investors to make informed investment decisions.

In fiscal year 2024, the SEC announced settled charges against more than two dozen entities and individuals for failures to timely report information about their holdings and transactions in public company stock or for contributing to filing failures by their officers and directors. The SEC also settled charges against 11 institutional investment managers for failing to disclose certain securities holdings in reports they were required to file because they have discretion over more than $100 million in certain securities.

Robust Financial Remedies

In fiscal year 2024, the Division’s investigations led to orders imposing robust financial remedies in litigated and settled matters.

For example, after a jury verdict finding Terraform Labs and founder Do Kwon liable for fraud, defendants agreed to a final judgment ordering them to pay more than $4.5 billion in disgorgement, prejudgment interest, and civil penalties, the highest remedies ever obtained by the SEC following a trial.

In addition, the Commission filed settled charges with strong financial remedies against:

  • Morgan Stanley for a multi-year fraud involving the disclosure of confidential information about the sale of large quantities of stock known as “block trades.” The firm agreed to pay approximately $166 million in disgorgement and prejudgment interest and an $83 million civil penalty to resolve the SEC’s charges;
  • FirstEnergy Corp. for a multi-year political corruption scheme in which FirstEnergy and affiliates made payments to an entity controlled by a state legislator in exchange for official action benefitting FirstEnergy. FirstEnergy agreed to pay a $100 million civil penalty to resolve the SEC’s charges;
  • SAP for violations of the Foreign Corrupt Practices Act arising out of bribery schemes in South Africa, Malawi, Kenya, Tanzania, Ghana, Indonesia, and Azerbaijan. The company agreed to pay disgorgement and prejudgment interest of more than $98 million to resolve the SEC’s charges. Up to $59 million will be offset by payments from SAP to the South African government in connection with its parallel investigations into the same conduct; and
  • Advisory firm Macquarie for overvaluing approximately 4,900 largely illiquid collateralized mortgage obligations held in 20 advisory accounts and for executing hundreds of cross trades between advisory clients that favored certain clients over others. The firm agreed to pay disgorgement and prejudgment interest of $9.8 million and a $70 million civil penalty to resolve the SEC’s charges.

Major Fraud

In fiscal year 2024, the Division continued to focus on holding individuals and entities accountable for preying on investors.

  • The Division’s investigations led to charges alleging frauds ranging from Ponzi schemes targeting specific communities to billion-dollar frauds with thousands of victims;
  • The SEC charged Xue Lee (aka Sam Lee) and Brenda Chunga (aka Bitcoin Beautee) for their involvement in an allegedly fraudulent crypto asset pyramid scheme known as HyperFund that raised more than $1.7 billion from investors worldwide;
  • The SEC charged Cynthia and Eddy Petion and their company, NovaTech Ltd., for allegedly operating a fraudulent scheme that raised more than $650 million in crypto assets from more than 200,000 investors worldwide;
  • The SEC charged five unregistered brokers and their companies in connection with an alleged pre-IPO fraud scheme that raised at least $528 million from more than 4,000 investors around the world; and
  • The SEC charged Abraham Shafi, the founder and former CEO of Get Together Inc., a privately held social media startup known as “IRL,” for raising approximately $170 million from investors by allegedly fraudulently portraying IRL as a viral social media platform that organically attracted the vast majority of its purported 12 million users.

Emerging Technologies and Emerging Risks

Fiscal year 2024 saw heightened investor risk from emerging technologies and cybersecurity incidents and from market participants using social media to exploit elevated investor interest in emerging investment products and strategies. The Division kept pace, investigating noncompliance and false or misleading disclosures involving artificial intelligence, social media, cybersecurity, crypto, and more.

Artificial Intelligence

  • The SEC charged QZ Asset Management for allegedly falsely claiming that it would use its proprietary AI-based technology to help generate extraordinary weekly returns while promising “100%” protection for client funds; and
  • The SEC settled charges against investment advisers Delphia and Global Predictions for making false and misleading statements about their purported use of AI in their investment process.

Relationship Investment Scams

  • The SEC charged multiple entities and individuals in connection with two relationship investment scams involving fake crypto asset trading platforms NanoBit and CoinW6. The SEC’s two complaints allege that the defendants solicited investors via social media apps, lied to them to gain their trust and confidence, and then stole their money. These charges are the SEC’s first enforcement actions alleging these types of scams.

Cybersecurity

  • The SEC settled charges against The Intercontinental Exchange, Inc. and nine wholly owned subsidiaries, including the New York Stock Exchange, for failing to timely inform the SEC of a cyber intrusion as required by Regulation Systems Compliance and Integrity;
  • The SEC settled charges against transfer agent Equiniti Trust Company LLC, formerly known as American Stock Transfer & Trust Company LLC, for failures to ensure that client securities and funds were protected against theft or misuse, which led to losses of millions of dollars in client funds; and
  • The SEC settled charges against R.R. Donnelley & Sons for disclosure and internal control failures relating to cybersecurity incidents.

Crypto

  • The SEC settled charges against Silvergate Capital for false and misleading disclosures to investors about the strength of the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program and the monitoring of crypto customers, including FTX, by its wholly owned subsidiary, Silvergate Bank; and
  • The SEC settled charges against Barnbridge DAO, a purportedly decentralized autonomous organization, for failing to register its offer and sale of structured crypto assets offered and sold as securities.

Individual Accountability

Charging individuals for securities law violations, where appropriate, is essential for accountability and deterrence and for enhancing public trust in the markets. Fiscal year 2024 enforcement actions against individuals included the following:

  • Following a jury verdict finding Terraform Labs and founder Do Kwon liable for fraud, Do Kwon agreed to a final judgment ordering him to pay financial remedies of more than $200 million and imposing an officer and director bar.
  • The former CEO and former Chief Risk Officer of Silvergate Capital settled charges for misleading investors about the strength of the compliance program and the monitoring of crypto customers by Silvergate’s wholly owned subsidiary. The individuals agreed to five-year officer-and-director bars and civil penalties of $1 million and $250,000 respectively, as part of the resolution. In addition, the SEC charged the former CFO with misleading investors about the company’s losses from expected securities sales.
  • The CEO of formerly registered investment adviser Mass Ave settled charges arising out of false and misleading statements about Mass Ave’s flagship fund. To settle the SEC’s charges, the CEO, who is also the chief investment officer and portfolio manager at MassAve, agreed to pay a $250,000 civil penalty and was suspended for 12 months from industry-related work.
  • The former head of Morgan Stanley’s equity syndicate desk settled charges connected to a multi-year fraud involving the disclosure of confidential information about the sale of large quantities of stock known as “block trades.” As part of the resolution, the former head agreed to an order requiring him to pay a $250,000 civil penalty and imposing associational, penny stock, and supervisory bars.
  • The SEC permanently suspended Benjamin Borgers, the managing partner of audit firm BF Borgers, from appearing and practicing as an accountant before the Commission as part of a resolution of an alleged fraud affecting hundreds of SEC filings. Borgers also agreed to pay a $2 million civil penalty as part of the resolution.
  • The former CEO and former Senior Vice President of Cassava Sciences agreed to be subject to officer-and-director bars of three and five years, respectively, to settle charges related to misleading statements about the results of a clinical trial for the company’s purported therapeutic for the treatment of Alzheimer’s disease. They also agreed to pay civil penalties of $175,000 and $85,000, respectively.
  • The SEC charged now-defunct digital pharmacy startup Medly Health’s former CEO, former CFO, and former head of RX Operations with fraudulently overstating Medly’s revenue in connection with capital raising efforts that netted the company more than $170 million.

Public Company Misstatements

It is foundational to the proper operation of the securities markets that public companies provide materially accurate information to investors. In fiscal year 2024, the Division investigated misstatements by public companies leading to a number of enforcement actions, including:

  • Settled charges against Cassava Sciences for misleading statements about the results of a Phase 2 clinical trial for its purported therapeutic for the treatment of Alzheimer’s disease;
  • Settled charges against Ideanomics for misleading statements about the company’s financial performance; and
  • Charges against former executives of Kubient for their alleged roles in a scheme in which the company allegedly overstated and misrepresented its revenue in connection with public stock offerings.

Safeguarding Material Nonpublic Information

The Division investigated market abuse and potential abuse of material nonpublic information (MNPI) in fiscal year 2024, including by using advanced data analytics and technology. The Division’s investigations resulted in enforcement actions addressing a range of violations, including:

The SEC’s 2024 fiscal year includes the period from October 1, 2023 to September 30, 2024.


Joseph McCafferty is editor & publisher of Compliance Chief 360°

Managing Compliance in a Remote Work Environment
https://compliancechief360.com/managing-compliance-in-a-remote-work-environment/
Thu, 12 Dec 2024 22:50:13 +0000

We all know about the great migration to “work from home” that occurred during the COVID-19 pandemic, starting in 2020 and lasting into 2021 and 2022. While many organizations have moved employees back to the office for some or part of the work week, the remote work movement has remained a far more prevalent aspect of working life.

According to a 2023 Pew Research Center study, around 22 million employed adults in the U.S. work from home all the time, equal to roughly 14 percent of all employed adults, while 41 percent are at least part-time remote on a hybrid setup. By 2025, that same survey finds 32.6 million Americans will be working remotely.

While the flexibility creates favorable conditions for the acquisition and retention of top talent, it also contributes to some new challenges. Managing a compliance team in a remote work environment can be difficult. This is especially true for highly regulated sectors, such as finance, health care, defense, and others, but it could impact a business operating in any field.

Identifying the challenges of remote work and coming up with a solid compliance plan will allow employers and workers to fully utilize remote or hybrid work models without worries about security risks, audits, or subsequent fines. Whether or not you utilize a third-party risk monitoring solution, it’s critical to understand the risks associated with remote work.

Compliance Challenges of a Remote Work Environment

The EY 2023 Mobility Re-imagined Survey suggests that while 92 percent of participants believe workplace mobility is important, 71 percent lack confidence in their organization’s ability to handle compliance and other risks stemming from a remote work environment.

Some of the most common compliance challenges that work from home creates for organizations include:

  • Determining which labor laws and regulations apply to employees on the basis of their home office location
  • Employee monitoring and oversight
  • Ensuring workplace safety
  • Data security and privacy
  • Safety of communication carried out in a remote work environment
  • Employment verification processes

Having a solid compliance plan in place and adapting to the hybrid work model realities are both essential to mitigate those risks.

Onboarding and Ongoing Training

The first rule of onboarding compliance is understanding applicable rules regarding employment, data privacy, and security. Onboarding processes have to address all those concerns and adhere to regulatory frameworks within the respective jurisdiction.

If your company hires international employees who work from their own location, you’ll have to go through a few important considerations during onboarding. Find out whether:

  • The person has the right to work
  • They are entitled to receive home office equipment
  • You will have to provide any kind of training during the onboarding process

The agreements and contracts you sign as a part of onboarding should also account for national or regional regulatory specifics. A well-crafted employment contract should have stipulations on job responsibilities, performance expectations, communication protocols, confidentiality clauses, data protection, dispute resolution, and performance reviews.

The next step would be to train remote workers on anything that may lead to compliance issues. Data privacy and security training is non-negotiable. Authentication and access control training can also reduce the risk of violations or security threats stemming from the remote work environment.

The Importance of a Foolproof Remote Work Policy

A remote work policy is a document that outlines expectations and guidelines for all employees to follow. It’s a comprehensive how-to guide that focuses on procedures, safety protocols, workplace specifics, and technologies employed to do one’s job while following a regulatory framework.

As hybrid work is becoming the norm, standard workplace policies have to account for the new reality and the way it’s changing professional interactions.

Well-crafted remote work policies should contain:

  • Rules on eligibility for remote work
  • Guidelines on mandatory work hours, equipment, and tools made available to each employee
  • Provisions on designing and equipping a remote workplace
  • Cybersecurity stipulations and protocols
  • Guidelines on communication between coworkers
  • Guidelines on employee well-being

Good workflow management is also dependent on effective performance tracking, building trust and transparency through daily communication, having clearly defined roles within teams, and offering the right incentives (like career growth opportunities).

Maximizing Cybersecurity in Remote Environments

Cybersecurity is crucial for all organizations, especially those operating in highly regulated sectors.

Remote work has created numerous challenges that concern executives and make IT security managers sweat. In 2023, 72 percent of respondents in a survey responded they are very concerned or at least somewhat concerned about the online risks related to employees working from home. The number of respondents not at all concerned was only 6 percent.

Without concrete policies, and without employees being part of a shared on-site work environment, common cyber threats like ransomware are more likely to evade defense mechanisms, Pritish Purohit, group head of cyber governance at FWD Insurance in Singapore, told Forbes.

Overcoming these new challenges depends on:

  • Educating employees on recognizing cybersecurity threats
  • Strengthening the corporate network through good password policies, multi-factor authentication, the selection of the right antivirus applications, frequent updates, and backups
  • Securing remote connections by leveraging VPNs and setting device usage boundaries
  • Implementing company-wide cybersecurity policies that apply to both in-office and remote workers
  • Carrying out regular security assessments and vulnerability audits
  • Adhering to data protection laws like GDPR and HIPAA
  • Using an extra layer of protection to safeguard the most sensitive information (for example, only having certain individuals accessing such files and maintaining detailed access logs)

A Focus on Employee Well-being Is Crucial

Finally, don’t forget to maintain the focus on employee well-being, regardless of the workplace model your organization has embraced.

To improve the mental and physical well-being of employees, consider the following:

  • Maintain regular communication, preferably using video conferencing tools to make everyone feel connected
  • If possible, schedule in-person meetings at least a few times per month
  • Discourage overwork and promote better work-life balance (by selecting the right compensation models that will keep workers from spending too much time as the lines between personal and professional get blurred)
  • Offer personalized health benefits (89 percent of remote workers value having some kind of health benefit as a part of their employment package)
  • Make sure everyone is aware of the available paid time off within the organization
  • Provide mental health and well-being resources
  • Allow work-hour flexibility

Working from home creates legal considerations that some organizations aren’t prepared to face, while others have been attempting to address those ineffectively.

To reduce the risk of compliance issues, come up with a robust remote work policy. Ensure employees are properly trained and stick to those rules to reduce risks. All other challenges can be addressed via regular performance reviews and audits. Identifying challenges and threats quickly is essential to determine viable remedies and implement those before the issue turns into a major compliance problem.


Giovanni Gallo is the Co-CEO of Ethico, where his team strives to make the world a better workplace with ethics hotline services, sanction screening and license monitoring, and workforce eLearning software and services.

McKinsey Unit to Pay $122 Million to Settle Bribery Charges
https://compliancechief360.com/mckinsey-unit-to-pay-122-million-to-settle-bribery-charges/
Fri, 06 Dec 2024 20:04:10 +0000

McKinsey and Company Africa, which operates in South Africa as a subsidiary of international consulting firm McKinsey & Co., will pay over $122 million to resolve an investigation by the Justice Department into a scheme to pay bribes to government officials in South Africa between 2012 and 2016. A former McKinsey senior partner who participated in the bribery scheme has also pleaded guilty in the case.

McKinsey Africa also entered into a three-year deferred prosecution agreement (DPA) with the department in connection with criminal information filed in the Southern District of New York charging the company with one count of conspiracy to violate the anti-bribery provisions of the Foreign Corrupt Practices Act (FCPA). Vikas Sagar, a former senior partner of McKinsey who worked in McKinsey Africa’s South Africa office, previously pleaded guilty to one count of conspiracy to violate the FCPA.

According to court documents and admissions, McKinsey Africa, acting through a senior partner, agreed to pay bribes to then-officials at Transnet, South Africa’s state-owned custodian of ports, rails, and pipelines, and at Eskom, South Africa’s state-owned energy company. Between at least 2012 and 2016, McKinsey Africa obtained sensitive confidential and non-public information from Transnet and Eskom regarding the award of lucrative consulting contracts and submitted proposals for multimillion-dollar consulting engagements, while knowing that South African consulting firms with which McKinsey Africa had partnered would pay a portion of their fees as bribes to officials at Transnet and Eskom. As a result of the bribery scheme, McKinsey and McKinsey Africa earned profits of approximately $85,000,000.

“McKinsey Africa bribed South African officials in order to obtain lucrative consulting business that generated tens of millions of dollars in profits,” said Principal Deputy Assistant Attorney General Nicole M. Argentieri, in a statement. “The resolution announced today — the department’s third coordinated resolution with South African authorities in only two years — is evidence that our International Corporate Anti-Bribery (ICAB) initiative, which we announced in November 2023, is bearing fruit.”

“This settlement underscores our unwavering commitment to holding companies accountable that willfully engage in corrupt activities around the world,” said Assistant Director Chad Yarbrough of the FBI Criminal Investigative Division. “This misconduct is a blatant violation of law and a breach of public trust. No matter what country the crime occurs in, the FBI will always work closely with our international partners to root out corruption.”

Details of McKinsey Africa’s Credit for Cooperation

The Justice Department has agreed to credit up to one-half of the criminal penalty against amounts McKinsey pays to authorities in South Africa in related proceedings. In addition, both McKinsey and McKinsey Africa have agreed to, among other things, continue cooperating with the Criminal Division’s Fraud Section and the U.S. Attorney’s Office for the Southern District of New York in any ongoing or future criminal investigation arising during the term of the DPA. McKinsey and McKinsey Africa have also agreed to enhance their compliance program where necessary and appropriate and to report to the government regarding remediation and implementation of their enhanced compliance program.

The Justice Department reached this resolution with McKinsey Africa based on a number of factors, including, among others, the nature and seriousness of the offense. McKinsey Africa received credit for its cooperation with the department’s investigation, which included:

  • Immediately and proactively cooperating from the inception of the department’s investigation.
  • Making numerous factual presentations to the department over the course of its investigation, derived from information obtained through the company’s internal investigation.
  • Collecting, reviewing, and producing voluminous records, including those located abroad, in response to requests from the department.
  • Promptly reporting the discovery of document-deletion efforts by the McKinsey partner involved in the conduct found during its internal investigation, taking additional investigative steps to uncover information and evidence regarding those efforts, and producing such information and evidence to the department.
  • Reporting, in real time, newly discovered information and documents that allowed the department to preserve and obtain evidence as part of its independent investigation.
  • Tracing complex internal accounting money flows and currency exchange information in response to requests from the department.
  • Preserving, collecting, and producing to the department documents located abroad, and engaging a third-party forensics consultant to analyze key electronic devices and providing to the department the results of that analysis.

McKinsey and McKinsey Africa also engaged in timely remedial measures, including:

  • Putting the McKinsey partner involved in the criminal scheme on leave when it learned of the partner’s role in the scheme, subsequently separating that partner from McKinsey after discovering his deletion activity, and requiring that partner’s continued cooperation post-separation.
  • Conducting additional anti-corruption training for employees in South Africa and elsewhere in Africa, and ceasing work with all state-owned enterprises (SOEs) for a period of time while it conducted its internal investigation.
  • Enhancing due diligence processes for third-party partners, including instituting controls to ensure that due diligence is completed before work begins on an engagement and imposing a more rigorous risk-review for public sector clients.
  • Carrying out an enhanced review process for all sole-source work that requires advance approval before the engagement can begin.
  • Voluntarily repaying, in 2018 and 2021, all revenues that McKinsey and McKinsey Africa received from potentially tainted contracts to the SOEs in South Africa from which they received contracts as a result of the criminal scheme.

In light of these considerations as well as McKinsey’s prior history, the criminal penalty calculated under the U.S. Sentencing Guidelines reflects a 35 percent reduction off the fifth percentile of the otherwise applicable guidelines fine range.

The Complete Guide to Vendor Risk Assessment
Wed, 20 Nov 2024 21:52:14 +0000 | https://compliancechief360.com/guide-to-vendor-risk-assessment/

Vendor risk assessment and vendor risk management are crucial aspects of any business, especially in today’s interconnected world.

As companies increasingly rely on third-party vendors for various services and products, it becomes essential to assess and manage the risks associated with these relationships. A robust vendor risk assessment program can help organizations identify potential risks, mitigate them, and ensure the security and compliance of their vendor network. In this comprehensive guide, we will dive deep into the world of vendor risk assessment, covering everything from the basics of vendor risk management to best practices for third-party vendor risk assessments and steps to take in case of a vendor breach.

Are You Ready for Compliance with EU’s DORA?
Fri, 15 Nov 2024 21:22:12 +0000 | https://compliancechief360.com/are-you-ready-for-compliance-with-eus-dora/
It has been said that if a butterfly flaps its wings in the Serengeti, it can change the climate half a world away. Similarly, if an EU regulator enacts regulation in the EU Commission, it can have a major impact as far away as the United States.

We saw this through the ubiquity of website cookie notices and recent state-level laws like the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), which, if nothing else, took some inspiration from the EU’s General Data Protection Regulation (GDPR).

Get ready for another EU regulation that, while not directly applicable in the United States, will nonetheless have a major impact on compliance at U.S. organizations. The Digital Operational Resilience Act (DORA) will be similarly impactful once it comes into force on January 17, 2025—especially for those in the financial services industry.

Nominally, DORA is a cyber-resilience regulation aimed at protecting the operational stability of the European financial services industry. It is the first-ever EU regulation of its kind to target resilience at a sectoral level and, practically speaking, is an extensive suite of requirements for financial institutions and the businesses that provide services to them, covering how information and communication technology (ICT) contracts should be written, risks assessed, incidents reported, and security systems tested, among other things.

Like any good EU regulation, DORA will come with large potential fines (one percent of global turnover) for violators.

DORA Is Not Just an EU Regulation

The key thing auditors need to understand about DORA, especially as they are being asked to take on more risk-based responsibilities, is that DORA is very broad. It creates significant regulatory risk for potentially tens of thousands of entities in and outside the EU.

According to a recent McKinsey survey, most EU financial entities have started their journey towards DORA compliance, but only a third expect they will be ready on time for January 17. Globally, the state of DORA readiness is likely far lower.

This is important because, like the GDPR, DORA does not just apply to the 22,000 or so financial entities based in the EU. Instead, it is enforced based on where an organization’s customers are based. This means that if a financial institution in the United States, the United Kingdom, or any other location outside the EU deals with EU customers, there is a strong chance that DORA applies to them.

The best starting point for a compliance officer or internal auditor to see whether their organization falls under DORA is to look at the list of financial entities that are not in DORA’s scope.

Organizations excluded from DORA include non-financial entities, (some) alternative investment fund managers, very small insurance and reinsurance firms, financial entities outside the EU that do not serve the EU financial sector, and some others like post office GIRO institutions and small occupational pension funds.

As a rule, if a financial institution trades actively and is large enough to have EU-based customers, it will need to comply with DORA’s rule sets. Fintechs, crypto brokers, hedge funds, asset managers, and more traditional banks and financial institutions will all be impacted.

What Types of Companies Does DORA Cover?

Some organizations will have more stringent DORA requirements than others. A large multinational bank, for example, with complicated ICT systems and a lot of interdependent relationships will have relatively tough requirements.

To comply with DORA, an entity like this will likely have to conduct threat-led penetration testing (a form of offensive cybersecurity exercise in which you test IT systems against realistic cyber-attack scenarios and threats) at least every three years and other security testing on an annual basis.

Such an entity will also need to be able to report ICT incidents, such as data breaches, within 24 hours for significant events, and to conduct detailed third-party risk assessments for all critical ICT service providers. Ideally, the entity in question will already be ahead of this task, and the compliance officer’s or internal auditor’s job will not change to a great degree because of DORA.

A smaller organization, such as an investment firm with a more basic ICT infrastructure that is less critical to the overall financial services industry, will have different requirements: a longer window for incident reporting (72 hours) and simpler third-party risk requirements. Testing will still be required, but on a less stringent basis.

Although many smaller organizations may have slightly less to do to become DORA compliant, they may find that many of DORA’s requirements, like threat-led penetration testing, are completely new to them.

Microenterprises (“very small entities,” defined as having annual revenue of less than €2 million ($2.11 million) and fewer than 10 employees) with simple IT environments will have much lighter compliance requirements.

Critical Third Parties Covered by DORA

Another quirk of DORA is that it’s not just applicable to financial institutions but will also impact businesses that serve them, such as companies that provide services that are essential to the EU financial services industry, but are not financial institutions themselves. Some of these businesses will be designated as Critical ICT Third-Party Service Providers (CTPP) and have especially strict requirements.

An essential requirement for ICT third-party service providers to be considered critical by DORA is that they must provide ICT services that support critical or important functions to at least 10 percent of the financial entities for any given category, as defined in DORA. “Critical or important functions” refer to functions whose discontinued, defective, or failed performance would materially impair the financial entity.

In a broad sense, a CTPP is a service that, if it fails, would cause serious damage to a significant portion of the EU financial services industry. A company is designated as such either by voluntarily declaring itself to be a CTPP or by being appointed as such by a European Supervisory Authority, such as the European Banking Authority. Major cloud service providers like Google Cloud, for example, will likely become CTPPs and have been taking steps to comply with DORA for quite some time.

Compliance Matters

Sectoral in scope, global in reach, and brought into force by the European Commission in less than six months, DORA will become a mainstay of boardroom conversation in 2025.

Hopefully, this article will help compliance officers and internal auditors better understand who is and isn’t covered by DORA. In practice, DORA compliance is a significant top-down effort. The average major financial services industry organization will dedicate significant resources to DORA compliance.


Nikos Vassakis is the Head of Consulting Services at SECFORCE, an IT security and cybersecurity firm based in London, U.K.

Report: Compliance Functions Could Double Tech Spend by 2027
Wed, 13 Nov 2024 23:18:12 +0000 | https://compliancechief360.com/report-compliance-functions-could-double-tech-spend-by-2027/
A new report predicts that compliance and assurance functions could double the amount they spend on new technology by 2027. According to the research, issued by Gartner Inc., generative AI, machine learning, and large language models will fuel a surge in spending by compliance, risk management, and assurance functions.

The news isn’t all good. The report also predicts a wave of disillusionment with advanced technologies as expectations are exceeding capabilities in many cases. Accordingly, Gartner experts have placed AI at the “peak of inflated expectations” in the 2024 “Hype Cycle” for legal, risk, compliance and audit technologies.

“Some assurance leaders are prematurely expecting AI technology to greatly enhance productivity,” said Weston Wicks, senior director analyst in the Gartner Legal & Compliance Practice. “While these technologies show promise, in the near-term Gartner recommends assurance leaders identify where they can pilot and experiment with them while maintaining healthy skepticism as they are implemented.”

Gartner experts believe that GenAI will have a foreseeable impact on adjacent innovations in the analytics space. Certain innovations, such as data and analytics governance, audit analytics, legal analytics, and advanced contract analytics, have therefore moved further toward the trough as the time to plateau for these innovations becomes nearer-term (two to five years).

[Figure: Gartner's "Hype Cycle"]

“Certain notable movements on the 2024 Hype Cycle are driven by assurance leaders convinced that incorporating new technology and generative AI (GenAI) tools is necessary to manage the growing burden of new rules and regulations imposed on executives and enterprises globally,” said Wicks. “Select emerging innovations, such as compliance monitoring solutions, have been directly impacted by GenAI and have seen substantial movement along the Hype Cycle as a result.”

Proceed with Caution

While there are some expectations that the advancements in GenAI will be transformative in assurance, Gartner experts caution that early adopters must acknowledge the risks of these new advancements and their impact on teams’ ability to manage them.

“Early lessons learned by assurance leaders include understanding the importance of information management and data governance, and the importance of intentionally including humans in the loop to mitigate bias and other risks,” said Wicks. “For these reasons, Gartner estimates the innovations will achieve high benefit ratings across the next five years.”

SEC Fines Invesco Advisers $17.5M for Misleading ESG Statements
Mon, 11 Nov 2024 22:41:21 +0000 | https://compliancechief360.com/sec-fines-invesco-advisers-17-5m-for-misleading-esg-statements/
Invesco Advisers is paying the price for misleading clients and investors about how much of its assets were truly aligned with environmental, social, and governance principles. The Atlanta-based investment firm has agreed to pay a $17.5 million civil penalty to settle the Securities and Exchange Commission’s charges that it issued misleading statements on ESG.

According to the SEC’s order, from 2020 to 2022, Invesco told clients and stated in marketing materials that between 70 and 94 percent of its parent company’s assets under management were “ESG integrated.” However, in reality, these percentages included a substantial amount of assets that were held in passive ETFs that did not consider ESG factors in investment decisions. Furthermore, the SEC’s order found that Invesco lacked any written policy defining ESG integration.

“As stated in the order, Invesco saw commercial value in claiming that a high percentage of company-wide assets were ESG integrated. But saying it doesn’t make it so,” said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, in a statement. “Companies should be straightforward with their clients and investors rather than seeking to capitalize on investing trends and buzzwords.”

The order charges Invesco with willfully violating the Investment Advisers Act of 1940. Without admitting or denying the order’s findings, Invesco agreed to cease and desist from violations of the charged provisions, be censured, and pay the aforementioned $17.5 million civil penalty.

New Report Identifies Fastest Growing Risks for Companies
Thu, 31 Oct 2024 19:42:20 +0000 | https://compliancechief360.com/new-report-identifies-fastest-growing-risks-for-companies/
Digital disruption and climate change have emerged as the two fastest-growing risk areas for organizations across industries, according to a new report.

Based on feedback from more than 3,500 internal audit leaders around the world, global risk levels for digital disruption and climate change are projected to increase 20 percent and 16 percent, respectively, over the next three years, outpacing other risk areas. The research was conducted by the Institute of Internal Auditors’ Internal Audit Foundation for its latest Risk in Focus report.

Despite the growing intensity of these risks, most audit plans do not currently prioritize them, the study found. In fact, neither digital disruption nor climate change were named among the top five areas where internal audit functions allocate the most time and effort, with both ranked in the lower half of audit priorities. Globally, internal audit functions focus predominantly on cybersecurity, governance and corporate reporting, and business continuity, indicating a gap between evolving threats and current areas of attention.

“Our latest research tells us cybersecurity, business continuity, and human capital continue to hold the top three spots in risk ratings. However, respondents anticipate significant changes as risks related to climate change and digital disruption accelerate in the coming years,” said Anthony Pugliese, president and CEO of the IIA. “To ensure both short-term success and long-term sustainability, organizations and their internal audit functions must adapt risk management practices to keep pace with the changing risk landscape.”

Risk in Focus offers a comprehensive view of the current global risk landscape and how it is expected to evolve in the coming years. Because threats are expected to rise steeply for technological advancements and climate change, the 2025 reports focus on leading practices for mitigation of these risks.

Keeping Pace with Digital Disruption

Approximately 39 percent of survey respondents worldwide ranked digital disruption as a top five risk, with that number expected to jump to 59 percent in three years. For North America, these figures are even higher at 48 percent and 70 percent, respectively. Furthermore, respondents worldwide expect digital disruption to rise from the fourth to the second highest ranked risk area in three years.

Artificial intelligence (AI) has introduced new risks to track, especially related to cybersecurity, according to 75 percent of respondents. AI has also impacted many other risk areas, including human capital, fraud, communications, reputation, and more.

AI is a particular focus for internal audit leaders concerning technology-related risks. Specifically, challenges include upskilling and adopting new tools, as well as global disparities in access to and knowledge of emerging technology.

Climate Regulations Driving New Risks

Climate-related risks are currently ranked relatively low, but they are expected to rise substantially soon. About one in four (23 percent) of global respondents view climate change as a top five risk today. However, nearly 40 percent of respondents anticipate it will reach the top five in the next three years, climbing from 13th place to 5th.

Globally, roundtable participants agree that sustainability reporting and compliance requirements are the primary drivers for boards, management, and internal audit functions to allocate resources to climate change. The report revealed significant regional differences in climate-related risk perceptions. For instance, 33 percent of European audit leaders and 30 percent of Canadian audit leaders rate climate change as a top five risk, compared to 9 percent for U.S. audit leaders. Despite the U.S. position, North American respondents expect ratings for climate change as a top five risk to double from 13 percent to 27 percent in three years.

“While climate change has long been recognized as a growing risk for organizations, these findings reveal the extent to which climate-related risks are expected to surge in the near term,” said Pugliese. “It is imperative for organizations, stakeholders, and internal audit leaders to objectively assess the short-term and longer-term risks to their organizations beyond basic compliance with regulations.”

Extreme weather can cause supply chain disruptions, higher operational costs, flooding, famine, and more. Some consumers and investors are calling on organizations to implement more sustainability initiatives. These sustainability initiatives, however, must be reported accurately to avoid greenwashing and reputational damage.

Regional Risk Differences

The study also explored regional differences in the risk landscape through roundtables and separate Risk in Focus reports for Africa, Asia Pacific, Europe, Latin America, the Middle East, and North America. These regional reports outline proactive steps that organizations and audit leaders across industries can take today to mitigate threats and embrace opportunities.

Embracing artificial intelligence and emerging technologies will be critical, as well as prioritizing upskilling, technology-oriented training, and recruitment to manage these risks effectively.

“The IIA has strongly advocated for internal audit functions to take a more strategic advisory role to better serve organizations and stakeholders,” said Pugliese. “The Risk in Focus findings underscore the importance of agile collaboration and partnership among internal audit functions, boards, and management to stay ahead of emerging threats and improve understanding of potential risk exposures.”

Compliance Lessons from Wells Fargo: Four Questions to Ask Your Payment Solution Provider
Thu, 31 Oct 2024 16:12:43 +0000 | https://compliancechief360.com/compliance-lessons-from-wells-fargo-four-questions-to-ask-your-payment-solution-provider/
Wells Fargo’s recent disclosure of regulatory investigations related to its anti-money laundering (AML) and sanctions programs and agreement to “work with U.S. bank regulators to shore up its financial crimes risk management” serves as a timely reminder of the ongoing importance of robust compliance measures in the financial sector.

These events underscore the need for vigilance at all levels of the industry, from major institutions to smaller financial companies, and further highlight the critical role of due diligence in selecting and monitoring payment solution providers for compliance officers, risk practitioners, and internal audit executives.

To that end, here are four essential questions to ask when evaluating potential partners, informed by the latest industry developments:

1. How comprehensive is the BSA/AML compliance program?

A robust Bank Secrecy Act and Anti-Money Laundering (BSA/AML) compliance program is vital to any financial institution’s risk management strategy. When evaluating a provider’s program, look for well-defined internal policies and controls. These should include a documented BSA/AML policy that outlines the organization’s approach to identifying, assessing, and managing money laundering and terrorist financing risks.

The policy should encompass clear customer identification procedures, risk-based customer due diligence processes, and transaction monitoring systems. Additionally, it should detail suspicious activity reporting procedures and record-keeping practices that meet or exceed regulatory requirements. Equally important is a defined process for staying current with regulatory changes and implementing updates promptly.

A dedicated compliance officer should oversee these efforts. This individual should possess relevant experience in BSA/AML compliance, appropriate certifications, and have direct access to senior management and the board of directors. They should be empowered to implement necessary changes across the organization.

Another crucial element is ongoing, comprehensive training. Look for providers that offer role-specific training tailored to different departments, annual refresher courses for all staff, and ad-hoc training to address new regulations or emerging risks. The training program should include testing to ensure comprehension and retention of key concepts, with all activities documented for audit purposes.

Finally, the provider should conduct rigorous auditing and monitoring. This includes regular internal audits of all BSA/AML processes, periodic independent third-party audits, and continuous monitoring of transactions and customer activity. There should be a straightforward process for addressing and remediating audit findings, with regular reporting to senior management and the board on audit results and program effectiveness.

2. Who comprises the compliance team?

The expertise of the compliance team is crucial in navigating complex regulatory landscapes. Look for a diverse team with a mix of legal, financial, and technological expertise.

A well-rounded team might include a chief legal & compliance officer, corporate counsel, senior compliance analysts, a finance settlement manager, information security leaders, and an operations director. This diversity helps ensure a comprehensive approach to compliance and security, reducing the risk of oversight that could lead to regulatory issues.

3. How does the organization embed compliance responsibilities across all departments?

Compliance should not be confined to a single department but should be integrated throughout the organization. A company-wide commitment to compliance should be evident through clear statements from leadership emphasizing its importance, inclusion of compliance objectives in departmental and individual performance metrics, and regular compliance updates in company-wide communications.

Training should extend beyond the compliance department. Look for providers that offer role-specific training illustrating how compliance impacts different job functions. Scenario-based learning can help employees identify and respond to potential compliance issues. The use of multiple training formats can cater to different learning styles, ensuring comprehensive understanding across the organization.

Clear communication channels for reporting potential issues are essential. This includes an anonymous whistleblowing hotline or reporting system, a defined escalation process for compliance concerns, and protection for employees who report potential violations. Regular reminders about these reporting channels reinforce the importance of speaking up.

A culture of compliance is characterized by the incorporation of compliance considerations into all business decisions and processes. This might include recognition for employees who demonstrate strong compliance behavior, zero tolerance for willful non-compliance regardless of an employee’s position, and regular compliance “town halls” or Q&A sessions to foster open dialogue about compliance matters.

4. What is the approach to regular internal audits and regulatory examinations?

In light of increased regulatory scrutiny, regular, independent audits are crucial. Inquire about the frequency and scope of their audits, including how often internal audits are conducted, what areas they cover, and how findings are categorized and addressed.

The provider’s relationship with regulatory bodies and sponsor banks is also important. Ask about their interaction with regulators outside of formal examinations, participation in regulatory outreach events or industry working groups, and their track record with past regulatory examinations.

A strong provider will have a formal process for reviewing and acting on audit and examination findings. This should include tracking and validating corrective actions, measuring the effectiveness of implemented changes, and sharing learnings across the organization.

Staying updated on regulatory changes and industry best practices is crucial. Look for providers that subscribe to regulatory update services, have relationships with outside counsel or consultants for complex regulatory matters, and participate in industry associations or forums.

Finally, inquire about their approach to continuous improvement. This might include using data analytics to enhance compliance programs, conducting regular risk assessments to identify potential gaps or emerging risks, and benchmarking their practices against industry peers.

Proactive Compliance in a Complex Regulatory Environment

The recent Wells Fargo disclosure reminds us that compliance is an ongoing process requiring constant attention and proactive measures. For compliance officers, risk practitioners, and internal audit executives, this underscores the importance of thorough due diligence when selecting and monitoring payment solution providers.

By asking these four key questions and critically evaluating the responses, you can significantly mitigate risks and ensure a more secure financial ecosystem for your organization. Remember, in today’s regulatory environment, compliance isn’t just about meeting minimum requirements—it’s about fostering a culture of integrity and security that permeates every aspect of your operations.

As you evaluate potential payment solution providers, look for partners who share this philosophy and demonstrate a commitment to excellence in compliance and security. In doing so, you’ll not only meet regulatory requirements but also build a foundation of trust with your customers, stakeholders, and regulators—a crucial asset in navigating today’s financial landscape.


Anna Fron is Chief Legal and Compliance Officer at Dash Solutions, a platform that provides digital payments and engagement program management to thousands of customers.

The post Compliance Lessons from Wells Fargo: Four Questions to Ask Your Payment Solution Provider appeared first on Compliance Chief 360.

7 Steps to Incorporate Continuous Monitoring in Your Compliance Program

Compliance Chief 360, Mon, 28 Oct 2024. https://compliancechief360.com/steps-to-incorporate-continuous-monitoring-in-compliance/

With risks constantly changing and driving new compliance requirements, compliance programs must be able to respond to changes with agility. This highlights the importance of incorporating a continuous monitoring approach.

NIST defines continuous monitoring as: “Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” This enables an organization to quickly pivot and respond strategically as new compliance requirements come into scope. Compliance programs are often developed with short-term goals in mind; for example, complying with an industry standard. However, compliance is not stagnant. No matter how well-conceived your program is, without scalable policies and procedures in place, decentralization will ultimately hinder its growth and scalability over time.

A strong continuous monitoring foundation can help enable an organization to pivot as new requirements come into scope. Learn seven steps to incorporate continuous monitoring into your compliance program at any stage, including a checklist of key metrics to track.
