Compliance Planning Archives - Compliance Chief 360
https://compliancechief360.com/tag/compliance-planning/
The independent knowledge source for Compliance Officers

Fifth Circuit Halts Corporate Transparency Act Amid Constitutional Challenge
Fri, 03 Jan 2025 19:06:05 +0000

The United States Court of Appeals for the Fifth Circuit ruled that the Corporate Transparency Act (“CTA”) is once again being put on hold as the court assesses its constitutional validity. The CTA is a law intended to require businesses to disclose the identities of their beneficial owners. Under it, shell companies will be required to disclose their true ownership or face financial penalties.

The CTA was developed in 2021 as a way to restrict the use of shell companies to conceal flows of illicit money. With the Act, eligible businesses were originally required to file information on any owner who either has a major influence on the reporting company’s decisions or operations, owns at least 25% of the company’s shares, or has a similar level of control over the company’s equity.

The CTA would apply to nearly 34 million businesses and would exclude many from the requirement including those businesses with more than $5 million in gross sales and more than 20 full-time employees. Businesses and owners that didn’t comply with the reporting rules could face fines of up to $591 a day. They could also face up to $10,000 in criminal fines and up to two years in prison.

The Fifth Circuit granted the injunction to put the law on hold in the case of Texas Top Cop Shop v. Garland, where Texas Top argued that having such a rule in place would unconstitutionally invade small-business owners and associations. The court said that it has paused enforcement of the reporting requirement in order to “preserve the constitutional status quo while the merits panel considers the parties’ weighty substantive arguments.”

The Financial Crimes Enforcement Network clarified the court’s ruling by putting out the following statement: “In light of a recent federal court order, reporting companies are not currently required to file beneficial ownership information with FinCEN and are not subject to liability if they fail to do so while the order remains in force. However, reporting companies may continue to voluntarily submit beneficial ownership information reports.”

Before the Fifth Circuit’s ruling, FinCEN announced that it had extended the deadline to file to January 13th; however, due to the court’s ruling, it remains clear that such a deadline will not be enforced at that time. “While it is not known how long the injunction will remain in effect, the case is calendared for oral argument en banc on March 25, 2025, so we expect that the injunction will be effective at least through March,” Daniel Stipano, a partner at law firm Davis Polk & Wardwell, wrote in an email.

FinCEN said that it still believes that the law is constitutional and will continue to pursue an appeal. As a result, the rule may ultimately be placed into effect, which will require companies to gather information on their owners. Therefore, while business owners may be in favor of invalidating the CTA, it may make sense to continue to gather ownership information.


Jacob Horowitz is a contributing editor at Compliance Chief 360°

Managing Compliance in a Remote Work Environment
Thu, 12 Dec 2024 22:50:13 +0000

We all know about the great migration to “work from home” that occurred during the COVID-19 pandemic starting in 2020 and lasting into 2021 and 2022. While many organizations have moved employees back to the office for some or part of the work week, the remote work movement has remained a far more prevalent aspect of working life.

According to a 2023 Pew Research Center study, around 22 million employed adults in the U.S. work from home all the time, equal to roughly 14 percent of all employed adults, while 41 percent are at least part-time remote on a hybrid setup. By 2025, that same survey finds 32.6 million Americans will be working remotely.

While the flexibility creates favorable conditions for the acquisition and retention of top talent, it also contributes to some new challenges. Managing a compliance team in a remote work environment can be difficult. This is especially true for highly regulated sectors, such as finance, health care, defense, and others, but it could impact a business operating in any field.

Identifying the challenges of remote work and coming up with a solid compliance plan will allow employers and workers to fully utilize remote or hybrid work models without worries about security risks, audits, or subsequent fines. Whether or not you utilize a third-party risk monitoring solution, it’s critical to understand the risks associated with remote work.

Compliance Challenges of a Remote Work Environment

The EY 2023 Mobility Re-imagined Survey suggests that while 92 percent of participants believe workplace mobility is important, 71 percent lack confidence in their organization’s ability to handle compliance and other risks stemming from a remote work environment.

Some of the most common compliance challenges work from home creates for organizations include:

  • Determining which labor laws and regulations apply to employees on the basis of their home office location
  • Employee monitoring and oversight
  • Ensuring workplace safety
  • Data security and privacy
  • Safety of communication carried out in a remote work environment
  • Employment verification processes

Having a solid compliance plan in place and adapting to the hybrid work model realities are both essential to mitigate those risks.

Onboarding and Ongoing Training

The first rule of onboarding compliance is understanding applicable rules regarding employment, data privacy, and security. Onboarding processes have to address all those concerns and adhere to regulatory frameworks within the respective jurisdiction.

If your company hires international employees who work from their own location, you’ll have to go through a few important considerations during onboarding. Find out whether:

  • The respective person has the right to work
  • They’re entitled to receive home office equipment
  • You will have to provide any kind of training during the onboarding process

The agreements and contracts you sign as a part of onboarding should also account for national or regional regulatory specifics. A well-crafted employment contract should have stipulations on job responsibilities, performance expectations, communication protocols, confidentiality clauses, data protection, dispute resolution, and performance reviews.

The next step would be to train remote workers on anything that may lead to compliance issues. Data privacy and security training is non-negotiable. Authentication and access control training can also reduce the risk of violations or security threats stemming from the remote work environment.

The Importance of a Foolproof Remote Work Policy

A remote work policy is a document that outlines expectations and guidelines for all employees to follow. It’s a comprehensive how-to guide that focuses on procedures, safety protocols, workplace specifics, and technologies employed to do one’s job while following a regulatory framework.

As hybrid work is becoming the norm, standard workplace policies have to account for the new reality and the way it’s changing professional interactions.

Well-crafted remote work policies should contain:

  • Rules on eligibility for remote work
  • Guidelines on mandatory work hours, equipment, and tools made available to each employee
  • Provisions on designing and equipping a remote workplace
  • Cybersecurity stipulations and protocols
  • Guidelines on communication between coworkers
  • Guidelines on employee well-being

Good workflow management is also dependent on effective performance tracking, building trust and transparency through daily communication, having clearly defined roles within teams, and offering the right incentives (like career growth opportunities).

Maximizing Cybersecurity in Remote Environments

Cybersecurity is crucial for all organizations, especially those operating in highly regulated sectors.

Remote work has created numerous challenges that concern executives and make IT security managers sweat. In 2023, 72 percent of respondents in a survey said they are very concerned or at least somewhat concerned about the online risks related to employees working from home. The number of respondents not at all concerned was only 6 percent.

Without concrete policies and without being a part of a shared on-site work environment, common cyber threats like ransomware are more likely to evade defense mechanisms, Pritish Purohit, group head of cyber governance at FWD Insurance in Singapore, told Forbes.

Overcoming these new challenges depends on:

  • Educating employees on recognizing cybersecurity threats
  • Strengthening the corporate network through good password policies, multi-factor authentication, the selection of the right antivirus applications, frequent updates, and backups
  • Securing remote connections by leveraging VPNs and setting device usage boundaries
  • Implementing company-wide cybersecurity policies that apply to both in-office and remote workers
  • Carrying out regular security assessments and vulnerability audits
  • Adhering to data protection laws like GDPR and HIPAA
  • Using an extra layer of protection to safeguard the most sensitive information (for example, only having certain individuals accessing such files and maintaining detailed access logs)

A Focus on Employee Well-being Is Crucial

Finally, don’t forget to maintain the focus on employee well-being, regardless of the workplace model your organization has embraced.

To improve the mental and physical well-being of employees, consider the following:

  • Maintain regular communication, preferably using video conferencing tools to make everyone feel connected
  • If possible, schedule in-person meetings at least a few times per month
  • Discourage overwork and promote better work-life balance (by selecting the right compensation models that will keep workers from spending too much time as the lines between personal and professional get blurred)
  • Offer personalized health benefits (89 percent of remote workers value having some kind of health benefit as a part of their employment package)
  • Make sure everyone is aware of the available paid time off within the organization
  • Provide mental health and well-being resources
  • Allow work-hour flexibility

Working from home creates legal considerations that some organizations aren’t prepared to face, while others have been attempting to address those ineffectively.

To reduce the risk of compliance issues, come up with a robust remote work policy. Ensure employees are properly trained and stick to those rules to reduce risks. All other challenges can be addressed via regular performance reviews and audits. Identifying challenges and threats quickly is essential to determine viable remedies and implement those before the issue turns into a major compliance problem.


Giovanni Gallo is the Co-CEO of Ethico, where his team strives to make the world a better workplace with ethics hotline services, sanction screening and license monitoring, and workforce eLearning software and services.

How Automation Is Redefining Compliance Management
Mon, 28 Oct 2024 17:17:19 +0000

Compliance management has traditionally been marked by accessibility issues, which lead to barriers to adhering to regulations. These long-established frameworks can be so complicated that they make it hard for those who don’t have specialized knowledge to navigate them. Automated solutions, however, have marked a shift in the landscape, making regulatory compliance something that a broader audience can better understand.

So how have they done that? Automation can streamline processes and reduce associated risks so that as regulations change over time, compliance can keep up with the pace. Businesses are facing increased scrutiny from regulatory bodies, so conducting smoother audits and staying in good financial condition are important considerations.

In the United States, for example, businesses must consider state and local regulations, in addition to federal regulations, when developing strategic plans or plans for new lines of business. Whether this is through investing in compliance software or hiring specific legal experts, they need to stay on top of the rapidly developing regulatory environment. Let’s dive into the reasons why automation is redefining compliance management.

Reducing Errors and Streamlining Compliance

Compliance management has traditionally involved many manual processes that were time-consuming and prone to human error. Processes such as audits, vulnerability assessments, and remediation efforts have often required tight-knit coordination between different teams, which can cause huge gaps in communication and missed compliance risks. This is where automation can be a game-changer, by integrating compliance tasks and automating manual processes.

Automated systems, for example, can assess IT environments for vulnerabilities, compare any configurations against regulatory standards, and then let the team know if there are any discrepancies. This lessens the manual workload and the possibility of overlooked patches or misconfigured systems. This type of monitoring also means that organizations can identify issues before they escalate into regulatory violations or costly breaches.

Automation also allows businesses to handle complex compliance requirements more effectively. For example, regulations like the Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (SOX) need to be consistently analyzed, but automation in this case enables regular audits without compliance teams getting overwhelmed.

Avoiding Regulatory Penalties and Ensuring Smooth Audits

If businesses don’t comply with regulations, the costs can be severe, with hefty fines and reputational damage both possibilities. Data breaches can lead to fines of up to $500,000 per incident, alongside ongoing monthly fines. So as these regulations tighten and audits keep coming in, businesses need to be wary to avoid penalties.

Automation means that businesses can be on top of records and generate reports to reflect their compliance status. Automated compliance tools also mean that reports can be more accurate and comprehensive, and the time and effort required for audit preparation are reduced. Documentation is the other aspect that can give real-time access to compliance records and demonstrate adherence to regulators.

Systems like asset inventory and PC lifecycle management solutions can help to bridge the gap between security and operations by integrating vulnerability assessments with remediation processes. This allows for the streamlining of security handoffs and accelerates patching, which in turn, reduces the window of vulnerability and prevents non-compliance issues from accumulating.

Further Strategies for Complying with Changing Regulations

Maintaining compliance while federal, state, and even global regulations are constantly changing is obviously a massive challenge. However, businesses can follow a few additional best practices to stay on top of things. First, organizations should define the compliance states with sufficient detail. Predefined policies that we briefly touched on, such as SOX, HIPAA, or PCI DSS, can serve as templates, and businesses can customize these policies to address their specific needs.

Automation needs to work in tandem with any change management processes to ensure that compliance actions are governed in line with the business’ priorities. By documenting changes and tracking exceptions, organizations can avoid compliance drift and maintain control over their compliance efforts.

Automation is undoubtedly transforming compliance management by reducing the amount of manual work while minimizing costly errors, and finally ensuring that organizations are ready for an audit when called upon. Because processes like discovery, audit, and remediation are unified and integrated, businesses can stay compliant with the shifting regulatory landscape.


Shagun Malhotra is founder of SkyStem LLC, a provider of automated account reconciliation software.

The Top Five Boardroom Issues Compliance Officers Should Be Discussing
Thu, 11 Jul 2024 19:47:01 +0000

GUEST BLOG POST
Lately, I’ve been reflecting on my experience presenting compliance updates to boards, both during my industry days and now as a consultant. One thing that consistently frustrates me is seeing compliance officers deliver presentations that are completely reactive. The focus is always on the number of investigations closed, training completion percentages, number of policies approved, auditing and monitoring results, and similar reports. Frankly, it’s easy for board members’ eyes to glaze over with this approach.

While these elements are important for the board to understand, the actual compliance presentation at board meetings often misses the mark by failing to showcase the proactive work that a compliance team is doing. Compliance officers are often not effectively demonstrating how they are aligned with the evolving and innovative strategies of their business, industry, and environment.

Compliance officers occupy a unique vantage point in their companies. They have unparalleled visibility into almost every facet of an organization’s operations. This allows them to understand the workings and interplay between technology, ever-evolving regulations, and day-to-day business practices. In my experience, the most engaging board presentations are the ones where the compliance officer can articulate what the compliance department is proactively doing to address emerging phenomena, discussing both the risks and the mitigation strategies in place. It positions the compliance officer as a strategic partner, not one who impedes progress.

This proactive approach not only progresses the compliance agenda at the highest levels of the organization, it also directly aligns with the expectations of the U.S. Department of Health and Human Services – Office of Inspector General (HHS-OIG), Department of Justice (DOJ), Securities and Exchange Commission (SEC), and other relevant regulators.

Next, we’ll consider five key topics compliance officers should be actively discussing with their boards in 2024. We’ll explore how to move beyond reactive reporting and demonstrate your role as a strategic partner. While we’ll focus on the life sciences sector, many of the topics are relevant to all compliance functions.

1 Digital Enablement
Digital enablement continued to increase in importance during the first six months of 2024. Artificial Intelligence and Machine Learning (AI/ML) are revolutionizing drug development and clinical trials by enabling the analysis of vast amounts of data and accelerating the discovery of new treatments. AI/ML algorithms can identify patterns and predict outcomes, aiding in the selection of potential drug candidates and predicting patient response to treatments. By optimizing trial design, AI/ML can improve the efficiency of clinical trials, leading to faster and more accurate results. Outside the life sciences sector, AI is quickly inhabiting nearly every aspect of the organization, raising endless possibilities for innovation and efficiency, while also unveiling several complex risks.

Drug Discovery

  • AI/ML algorithms are being used to analyze vast amounts of data from genomics, proteomics, and other sources to identify potential drug candidates and predict their efficacy and safety.

Clinical Trial Design

  • AI/ML can be used to optimize clinical trial design, such as identifying the most appropriate patient population, optimal dosing levels, and predicting potential adverse events.

Trial Data Analysis

  • AI/ML can be used to analyze clinical trial data more efficiently and identify potential safety signals or trends, allowing for faster course correction and improved drug development outcomes.

Similarly, AI/ML is transforming the way nearly all companies approach commercial activities. Using predictive analytics, AI/ML can assist companies in identifying potential customers, creating personalized marketing strategies, and predicting future market trends.

Content Personalization

  • AI can generate personalized marketing materials, such as email content, website landing pages, and social media posts, tailored to the specific needs and interests of customers and other stakeholders.

Sales Optimization

  • AI can analyze sales data with healthcare professionals (HCPs) and Healthcare Organizations (HCOs) to prioritize them based on likelihood of Rx conversion, helping sales teams focus their efforts on the most promising opportunities.

Sentiment Analysis

  • AI can analyze patient and caregiver feedback and social media conversations to identify trends and potential issues, allowing for proactive customer service and reputation management.

Action Items: Compliance officers should be proactive in establishing robust data governance policies, collaborating with the AI/ML team to mitigate potential algorithmic bias, and working across the company to develop a comprehensive compliance framework for AI/ML use. When communicating with the board, keep them informed about how you are tracking with the company’s AI/ML initiatives, highlighting the potential benefits and associated risks. Discuss the steps your compliance team is taking to mitigate these risks, including partnering on data governance policies, bias mitigation strategies, and adherence to regulatory frameworks.

2 The Talent Shuffle
The life sciences industry in 2024 presents a tale of two realities. While a wave of innovation is fueling growth for some, established players are resorting to cost-cutting measures, leading some companies to institute major layoffs. These same forces are impacting companies in just about every industry.

Cost Cutting: Life sciences companies often face the need to reduce costs to remain competitive. We’ve seen several announcements thus far this year:

  • Pfizer – $4 billion cost-cutting by end of 2024 + $1.5 billion over next 3 years
  • Bristol Myers Squibb – 2,000 employees impacted by layoffs
  • Bayer – reduced headcount by 1,500 employees
  • Takeda – 641 workers impacted by layoffs

Talent Retention: Retaining talented employees contributes to the long-term success of the company. Companies are using a variety of mechanisms to attract and retain talent. These include: highlighting the company’s unique mission and culture; innovative compensation models; hybrid work arrangements; upskilling programs; wellbeing offerings; Diversity, Equity, and Inclusion (DEI) focus; and commitment to career development.

Depending on the stage of a company’s product lifecycle and market, different strategies may be implemented. Some life sciences companies may focus on cost-cutting, while others prioritize talent retention. In certain cases, companies may simultaneously pursue both objectives.

Action Items: Compliance officers need to be proactive as the employee landscape shifts. With new hires and role changes, a crucial focus should be on providing targeted training and education on role-specific compliance requirements. However, this isn’t the only concern. Compliance officers should also identify areas where existing controls may become inadequate or even disappear entirely due to staffing changes. The compliance officer should inform the board about these potential control gaps and propose solutions, such as increased monitoring or adjustments to existing processes and controls. More importantly, these changes may necessitate a revision of the company’s risk assessment. If key personnel with deep operational and compliance knowledge depart or controls are weakened, the overall risk profile of the company can shift significantly. The compliance officer should work with relevant departments to re-evaluate the risks, identify new vulnerabilities, and update the risk assessment accordingly.

3 Decentralized Clinical Trials
Decentralized Clinical Trials (DCTs) are a growing trend in the pharmaceutical industry. These trials leverage technology to collect data remotely, reducing the need for in-person visits. This allows for greater patient participation, especially from geographically dispersed populations or those with mobility limitations. Examples include telehealth-based trials using video conferencing, wearable devices collecting health data like heart rate and activity levels, and mobile apps for patient-reported outcomes and communication.

However, DCTs also raise compliance concerns. Data security and privacy require robust security measures, clear data governance policies, and strong encryption protocols. Patient privacy is another consideration, as remote data collection necessitates carefully adapted informed consent procedures to address potential coercion or undue influence. Finally, regulatory bodies are still developing guidelines for DCTs, creating some uncertainty for companies.

Action Items: To navigate the evolving DCT landscape, compliance officers must stay informed about changing regulations and develop clear policies for ethical conduct in DCTs. This includes adapting informed consent procedures for the remote setting, implementing robust patient data protection protocols, and establishing clear communication channels to address patient concerns. Compliance officers should be proactively informing their boards on how the compliance program is helping the company leverage the benefits of DCTs while minimizing risks and maintaining ethical practices.

4 ESG Considerations
Environmental, Social, and Governance (ESG) factors continue to remain important for investors and stakeholders. Boards are discussing how to integrate ESG principles into their corporate strategy and demonstrate their commitment to sustainability and social responsibility. Boards are facing challenges in this space.

Lack of Standardized Regulations

  • Currently, there’s no single, overarching set of ESG regulations globally. Different countries have varying regulations and reporting and disclosure requirements, making it complex for companies with international operations.
  • Action Item: Compliance officers must stay updated on these diverse regulations to ensure adherence across all markets.

Greenwashing Concerns

  • Regulatory bodies are increasingly scrutinizing ESG claims to prevent “greenwashing,” where exaggerated information is presented about a company’s sustainability efforts.
  • Action Item: Compliance officers should be working cross-functionally and sharing with the board how the company is ensuring its ESG reporting is accurate, transparent, and verifiable to avoid potential penalties and reputational damage.

Consumer Protection

  • Consumer protection regulations are evolving to address misleading environmental claims in marketing.
  • Action Item: Compliance officers must collaborate with commercial teams, corporate affairs, and their PRC committees to ensure all ESG-related messaging is accurate and substantiated.

Cybersecurity Risks

  • The increasing collection and use of ESG data introduces new cybersecurity risks.
  • Action Item: Compliance officers need to work with IT and other groups gathering data in the organization to implement policies and robust data security measures to protect sensitive ESG information from breaches or misuse.

5 Economic and Geopolitical Headwinds
The life sciences industry is continuing to face several disruptive macro forces in 2024. Beyond the ongoing challenges of scientific advancement and regulatory compliance, boards of directors are grappling with a complex economic and geopolitical landscape. This is across all industries, not just life sciences. The war in Ukraine, ongoing tensions between major powers, and escalation in the Israeli-Palestinian conflict are creating significant supply chain disruptions, potentially impacting research collaborations and access to critical resources. Coupled with a persistent inflationary environment, boards are strategizing on how to navigate these economic headwinds. This could involve cost-cutting measures (previously explored), investigating alternative sourcing options, or even raising prices to maintain profitability.

Action Items: For compliance officers, these disruptions present unique challenges. Inflationary pressures may incentivize corners being cut, potentially impacting quality control measures or adherence to Good Manufacturing Practices (GMP). Compliance officers should be informing the board about potential risks associated with cost-cutting measures, as well as the potential legal and reputational consequences of non-compliance. Additionally, compliance officers should be prepared to advise the board on navigating the complexities of a shifting geopolitical landscape. This could involve ensuring robust due diligence on new suppliers and research partners, mitigating the risk of sanctions violations, and helping the business ensure continued access to critical resources.

From Reactionary to Proactive

Compliance officers have a golden opportunity to continue to transform their role. By proactively tackling the aforementioned topics and demonstrating a strategic grasp of the industry’s evolving landscape, they can become invaluable partners to their boards. This shift transcends mere reporting. Instead of simply reacting to events, compliance officers can anticipate risks, propose solutions, and actively align with the company’s strategic goals. This proactive approach will only strengthen their compliance program.

Key Takeaways

  • Compliance officers must align with board priorities to truly become a strategic partner.
  • Compliance officers should discuss with the board how they are helping mitigate digital enablement risks, including partnering on data governance, adherence to regulatory frameworks, and bias mitigation strategies.
  • High turnover weakens controls, raising risk. When the employee landscape shifts, compliance officers need to identify gaps and refresh risk assessments.
  • Compliance officers need to ensure their programs are adapting for decentralized clinical trials (DCTs).
  • Compliance officers must continue to advise the board on responsible ESG reporting and navigating sanctions and supply chain risks.

Amy Pawloski, CCEP, CFE, PMP (amy.pawloski@strategicversatility.com) is the president of Strategic Versatility LLC, a healthcare compliance consulting practice in Phoenixville, Pennsylvania.

The post The Top Five Boardroom Issues Compliance Officers Should Be Discussing appeared first on Compliance Chief 360.

Report: Compliance Departments Facing Belt Tightening, Smaller Staffs https://compliancechief360.com/report-compliance-departments-facing-tighter-budgets-smaller-staff/ Fri, 01 Sep 2023 18:33:59 +0000

Compliance leaders are facing increased pressure to make the most of existing resources due to economic challenges and increased workload and complexity, according to a new report. The study, conducted by research and consulting firm Gartner, identifies three crucial compliance function trends playing out this year: tighter budgets, changing labor and organizational dynamics, and increased investments in technology.

“Confronted with economic volatility, a tight labor market, and rising geopolitical tensions, compliance departments are adapting their workflows to an increasingly complex landscape,” said Chris Audet, Chief of Research at Gartner’s Legal, Risk, and Compliance Leaders practice. “To successfully manage these challenges, compliance leaders should focus on optimizing their spending and staffing decisions, adjusting existing budgets, optimizing department productivity, and making technology investments where necessary.”

Tighter Compliance Budgets

High inflation rates and ongoing fears of an impending recession have put some companies under a strain in resources, and some compliance departments are being asked to do more with less. “Compliance leaders are now tasked to operate in a more cost-conscious environment,” said Gartner in a statement announcing the study. “At the same time, workloads have increased due to the effects of the pandemic and there is greater regulatory scrutiny and complexity.”

“The majority of a typical compliance budget is spent on personnel,” said Audet. “Given that budgets are flat and wage demands are increasing with inflation, retention becomes doubly important.”

Recent years have also driven an accelerating interest in technology solutions, which is now getting tailwinds from organization-wide pushes toward automation to boost business productivity during an economic downturn.

Smaller or Frozen Compliance Headcounts

Compliance departments have seen a decrease in full-time employee headcounts since 2020, says Gartner, and for 2023 most compliance departments did not forecast a change to the full-time employee headcounts.

“Increased regulatory scrutiny and rising geopolitical tensions have burdened compliance staff in recent years. Coupled with a more competitive talent market, it has been difficult for many compliance leaders to hold on to their existing staff, let alone increase the size of their departments,” said Audet.

Increased Investments in Compliance Technology

Even while compliance budgets are decreasing and compliance headcounts are remaining constant or going down, there is one place companies are willing to spend more: technology. Compliance leaders anticipate technology will be one of the areas of highest spend increases this year with systems to manage hotlines, compliance and ethics training, and risk management systems high on the list.

“This projected increase is likely a response to growing inflation rates and a highly competitive labor market,” said Audet. “Rather than rely solely on capital to execute on these increased workloads, many compliance leaders are turning to technology tools to support their work.”

Compliance Metrics that Matter https://compliancechief360.com/compliance-metrics-that-matter/ Wed, 28 Jun 2023 18:13:02 +0000

Data is one of the most important driving forces of a great compliance program. Compliance leaders often rely on data-driven metrics to find and correct any flaws within their organization’s compliance processes.

With so many possibilities, though, what metrics should you include in your compliance report? Which ones offer the most insight to you and to management? Which metrics will best help the company manage risks?

The goal of compliance is to adhere to the rules and regulations within its industry and avoid expensive fines and enforcement actions that can also damage the company’s reputation. A compliance program must follow a multitude of processes and procedures to keep the organization fully compliant. Compliance metrics are indicators that help determine the effectiveness of these processes and procedures.

Packed heavily with data, these compliance metrics provide detailed information on your compliance program’s effectiveness and efficiency. This data can then be used to extract insights that can help fix any flaws within your existing processes.

From identifying the root causes behind violations and misconduct within the workplace to tracking your team’s response time to an issue, here are the compliance metrics to consider when reporting to the management.

Total Violations

Every industry is governed by specific laws and regulations that are meant to protect customers and employees. Failing to comply with these laws and regulations can prove catastrophic for an organization.

By keeping track of this compliance metric, you ensure the management is fully aware of any instances of noncompliance with these regulations. It also helps them understand the severity of the repercussions that may follow. Finally, by helping the organization abide by compliance laws, this metric helps fix the organization’s standing within the industry.

Complaints About Misconduct

An organization can become vulnerable to serious reputational and financial damages if misconduct of any kind goes unnoticed. For this reason, it’s important to keep track of complaints of misconduct alongside understanding their nature. When measuring complaints, focus on the type of allegation. This could include fraud, harassment, discrimination, illegal activities, and so on. To gather the right data, answer questions such as:

  • How many complaints did your team receive?
  • How did you receive the complaint? Was it through direct contact with the supervisor or through an anonymous hotline?
  • What were your employees alleging?

Cost Per Incident

Your compliance budget incurs an expense for each incident your organization deals with. The cost per incident metric can help understand why certain incidents may cost more than others to resolve. As a result, you can determine solutions that would be more efficient.

For instance, if you’re spending large sums on due diligence, you might want to consider investing in automation. Or, if you’re spending a fortune on investigating workplace harassment issues, you might want to invest in quality training to prevent those issues from occurring in the first place.

Key Risk Indicators (KRIs)

Risks are a part of running just about any business. Successful organizations are often armed with the capacity to determine which risks are “worth it” and how they can shield their business should something go wrong. Your final compliance report must inform the management of any KRIs or key risk indicators that could affect their decision-making.

For instance, if your organization operates in the banking sector, it might include clients with high-risk accounts. These accounts would then be considered a major KRI. If the management is informed by financial compliance software of the risks associated with these accounts, they will most likely lower the number of similar accounts that can be opened per quarter. This, in turn, can prevent the organization from taking a risk it might not be prepared for.

Mean Time to Issue Discovery (MTTD)

As with everything in the world, time is of the essence in business. For instance, the speed of your response often determines whether a compliance issue can be fixed without any losses or whether it transforms into a full-blown corporate scandal. The mean time to issue discovery metric unveils how quickly your team can detect a compliance hiccup. It also helps you understand if you have efficient monitoring capabilities in place to spot issues. Determining MTTD includes:

  • Finding out when the incident first started
  • Finding when the team discovered it

Mean Time to Issue Resolution (MTTR)

The mean time to issue resolution (MTTR) metric reveals how swiftly your team resolves an issue they discover. But what makes this metric so important?

Simply put, MTTR indicates cracks such as a lack of technology, resource shortages, or a lack of automation that may be crippling your compliance program. Determining MTTR involves:

  • Adding the total time for all incidents to be resolved
  • Dividing this figure by the total number of incidents

Remember to track this metric for each type of incident instead of merging all incidents into a single MTTR metric.

Compliance Investigations and Audits

Any significant audits, investigations, and QA findings performed to measure your compliance process’s efficiency must be recorded and reported. Moreover, any valuable elements such as specific findings and follow-ups must also enter the record.

Once this data is placed in a single place, your compliance team and management can establish better risk management processes. Most regulators also expect companies to maintain and produce these records when necessary.

You Can’t Manage what You Don’t Measure

Carefully measured compliance metrics not only reveal where your compliance program stands but also allow your compliance team and management to strengthen your processes.

Determining and analyzing these metrics, however, is not a one-and-done process. The management can have a clearer picture of an organization’s compliance landscape only when they’re presented with detailed and insightful metrics compared over time.

To handle evolving compliance risks, stay up to date with compliance regulations, and consistently strengthen your compliance culture, it is critical to focus on these metrics periodically.


Giovanni Gallo is the Co-CEO of Ethico, where his team strives to make the world a better workplace with ethics hotline services, sanction and license monitoring, and workforce eLearning software and services.

DoJ Details Policy Changes to Corporate Law Enforcement https://compliancechief360.com/doj-policy-changes-leave-much-to-be-desired-for-compliance-profession/ Tue, 20 Sep 2022 16:12:36 +0000

During two recent speeches, U.S. Department of Justice officials outlined broad policy changes on such topics as voluntary self-disclosure, the use of personal communication devices by executives, compensation clawback policies, chief compliance officer certifications, and others.

Last week, Deputy Attorney General Lisa Monaco announced several policy changes intended to clarify how the agency prioritizes and prosecutes corporate crime. At a high level, the policy changes address four key areas: individual accountability and what information or documents companies must produce to show individual culpability; corporate recidivism; the benefits of voluntary self-disclosure and cooperation; and what considerations prosecutors will give in deciding whether a compliance monitor is required.

In follow-up remarks made at the University of Texas Law School on Sept. 16, Assistant Attorney General Kenneth Polite shared two new issues the Criminal Division is currently reconsidering in its prosecution of corporate wrongdoing, and what impact those changes are expected to have on companies moving forward. Those two issues are:

Personal devices and third-party messaging apps: The first area of enforcement focus is on the use of personal devices and third-party messaging applications by executives. Specifically, Polite said the Criminal Division will examine whether additional guidance is necessary regarding best practices for companies on the use of personal devices and third-party messaging apps, including ephemeral messaging, such as Snapchat.

“We have seen a rise in companies and individuals using these types of messaging systems, and companies must ensure that they can monitor and retain these communications as appropriate,” he warned. Until the agency issues additional guidance, however, the use of personal devices and third-party apps remains a heightened enforcement risk.

Compensation clawback policies: A second focus area for the Criminal Division, Polite said, will be to examine “whether, in some cases, we may be able to shift the burden of corporate financial penalties away from shareholders—who in many cases do not have a role in misconduct—onto those more directly responsible.” One potential option still being weighed, he said, is “how prosecutors will consider and reward corporations that develop and apply compensation clawback policies.” This is another area where more guidance may be forthcoming.

Voluntary self-disclosure
In addition to the two areas being examined by the Criminal Division, Polite provided further details about some of the major policy changes announced by Monaco, including those relating to voluntary self-disclosure. In this regard, DoJ officials have noted that even companies with a long history of prior misconduct may still benefit from voluntarily self-disclosing known misconduct.

“A history of misconduct will not necessarily mean an automatic guilty plea, unless aggravating factors—such as misconduct posing a national security threat, or deeply pervasive conduct—are present,” Polite said. How much comfort that actually brings to companies, however, remains to be seen.

Polite further shared what aggravating factors the Criminal Division will consider going forward that all companies should be aware of. These include, but are not limited to, “involvement by executive management of the company in the misconduct, significant profit to the company from the misconduct, or pervasive or egregious misconduct,” he said.

“Unless these factors are present, even a company with a history of misconduct has a powerful incentive to make a timely self-disclosure,” Polite added. “Why? Because it could make all the difference between a deferred prosecution agreement and a guilty plea resolution, assuming that the company has also cooperated, and timely and appropriately remediated the criminal conduct.”

CCO certifications
In March, Polite announced for the first time that, for all Criminal Division corporate resolutions—including guilty pleas, DPAs, and non-prosecution agreements—the agency would consider requiring both the chief executive officer and chief compliance officer (CCO) to sign a certification at the end of the term of the agreement certifying that the company’s compliance program is “reasonably designed, implemented to detect and prevent violations of the law, and is functioning effectively.”

In his Sept. 16 remarks, Polite restressed that the certifications are “designed to give compliance officers an additional tool that enables them to raise and address compliance issues within a company or directly with the Department early and clearly” and is “meant to guarantee a seat at the table that all compliance officers should have in an organization with a functioning compliance program.”

There have now been two cases in which the agency has used CCO certifications: the DoJ’s resolution with Glencore, and for the first time in a DPA reached with Brazil-based GOL Airlines related to violations of the Foreign Corrupt Practices Act.

“We did not impose a monitor in [GOL’s] case,” Polite explained, “because at the time of the resolution, the company had redesigned its entire anti-corruption compliance program, demonstrated through testing that the program was functioning effectively, and committed to continuing to enhance its compliance program and internal controls.”

The agency did, however, require that the CEO and CCO certify at the end of the DPA term that the “compliance program is reasonably designed to detect and prevent violations of the [FCPA] and other applicable anti-corruption laws throughout the company’s operations.”

“We will continue to use similar certifications in our corporate resolutions as appropriate for each case,” Polite stated.

As in his previous remarks, Polite once again tried to ease concerns within the compliance community about the certification process creating personal liability risk. “A corporate leader who ignores the emphasis we are placing on compliance does so at his or her own risk—but [compliance personnel] cannot shy away from this role,” he said. “You cannot run away from the responsibility. My call is that you embrace it, knowing full well that stronger, more empowered voices are exactly what we need.”


Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.

Banks Struggling on Compliance Hiring, Says OCC Report https://compliancechief360.com/banks-struggling-on-compliance-hiring-says-occ-report/ Fri, 24 Jun 2022 17:14:50 +0000

The banking sector is experiencing a “growing challenge” recruiting, retaining, and replacing compliance staff with the desired level of knowledge and experience, according to the Office of the Comptroller of the Currency’s “Semiannual Risk Perspective” report, released June 23.

Staffing struggles in the banking industry come at a time when compliance risk remains heightened “as banks navigate the current operational environment, regulatory changes, and policy initiatives,” the OCC stated.

“A lack of access to subject-matter expertise may result in increased compliance and operational risks, particularly if existing compliance processes, controls, testing, and training become subject to funding cutbacks or limitations, or if future compliance management program enhancements and maintenance are delayed,” the OCC stated in its report.

Compliance and operational risk may increase or evolve if banks begin using, or expand their current use of, third parties to support or fill critical compliance roles, “especially if banks do not conduct appropriate due diligence on third parties or select inexperienced or unqualified third parties,” the OCC warned. “Such risk also may increase if banks expand the use of telework either to remain competitive or retain employees; or if they hire from different geographical areas to fill openings.”

Operational risks
The OCC report also discussed elevated operational risks due to evolving cyberattacks. To mitigate cyber risk, banks should “maintain heightened threat and vulnerability monitoring processes and implement more stringent security measures, including the use of multifactor authentication, hardening of systems configurations, and timely patch management,” the OCC advised in its report. “Banks should also consider how to effectively implement, regularly test, and isolate system backups from network connections to provide operational resilience.”

Cyberattacks are also increasingly threatening global supply chains. “These attacks demonstrate the importance of banks assessing the risks emanating from their third parties, inclusive of the supply chain, and developing a comprehensive approach to operational resilience,” the OCC stated.

Climate-related risks
The OCC report also discussed climate-related financial risks facing banks. The OCC said it “views climate-related financial risks as raising significant risk management issues due to their impact on bank safety and soundness and financial stability,” and that it will “continue to monitor the development of climate-related financial risk management frameworks at large banks.”

As banks’ climate-related financial risk management practices continue to evolve, with many still being in their early stages, “bank management should continue to ensure that their public statements about their institutions’ climate risk management efforts are consistent with their institutions’ actions,” the OCC stated. “OCC supervisory activities at these large banks will focus on safety and soundness considerations and integration of climate-related financial risk into bank risk management frameworks.”


Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.
