Whistleblower Protection Blog : Whistleblower Lawyer & Attorney : National Whistleblower Legal Defense and Education Fund : Whistleblower Protection, Fraud Claims : Washington DC

3. PwC Survey Shows Increased CCO Independence

According to the 2012 PricewaterhouseCoopers State of Compliance study, the number of CCOs reporting to GCs fell by 6 percent—to 35 percent from 41 percent—in the prior year. CCOs reporting to CEOs held steady at 32 percent. This is momentum in the right direction and is consistent with the 2010 amendments to the Federal Sentencing Guidelines, which favor “direct reporting obligations” to the board or its independent committee. According to Keith Darcy, the ECOA’s executive director, “A clear, unfiltered CCO voice in the C-suite is key to a robust program. Without independence, a CCO is mere window-dressing and false security for the board."

4. Madoff’s Brother and CCO Pleads Guilty to Fraud, Gets 10-Year Sentence

Did you know that Ponzi scheme king Bernie Madoff’s brother Peter was also the firm’s chief compliance officer? Oh yeah, I’m not making that up. He’s in jail now, serving a 10-year sentence. Lack of independence is rarely this obvious, but it is incumbent on boards and management to recognize empowerment and independence issues in all their nuanced appearances. Note to the Securities and Exchange Commission: Please add “the CCO is the CEO’s brother” to your list of red flags. And add “independence” to the list of CCO requirements. Thank you.

5. Joint DOJ/SEC FCPA Resource Guide on Adequate Autonomy for CCO (and Incentives)

The widely anticipated Foreign Corrupt Practices Act Resource Guide, issued jointly by the DOJ and SEC, may not have broken new ground—but for CCOs it validated many best practices already in place in the field (ahem, use of incentives in programs- ahem) and also expressly tracked the language of the 2010 OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance, which noted that the CCO must have “adequate autonomy from management” in order to do the job. The Justice Department has been using this language in individual FCPA settlement agreements since 2010, going beyond the letter of the current Federal Sentencing Guidelines for Organizations.

6. Big Milestones for the C&E Profession

In 2012, the Ethics and Compliance Officer Association, the first industry association for C&E professionals, marked its 20th anniversary—a significant milestone for the profession. Also this year, the Society of Corporate Compliance and Ethics, an industry association that traces its founding to 2002, earned its 3,000th member, making it the largest cross-industry compliance and ethics organization, and its annual meeting attracted over 1,000 attendees for the first time. In addition, the SCCE’s sister organization, the Health Care Compliance Association, passed the 8,000-member mark. These important milestones signal the vitality, increased profile, and continued growth of the rapidly evolving profession.

7. HSBC Settlement Agreement Elevates and Empowers CCO

I would make the DOJ settlement agreement with HSBC (for widespread anti money-laundering violations and failure to maintain any semblance of a compliance program) required 2013 reading for boards, if I had that power. The case is notable for many reasons, but CCOs will recognize all manner of glaring missteps in how the firm positioned and structured its compliance function. HSBC has now “elevated” its CCO by separating compliance from the legal function, adding resources, fixing the line-of-sight, and creating levels of independence. And one more thing I’ve never seen before: the CCO was expressly raised to the level of the top 50 employees of the firm. Now that’s what I call a seat at the table. As SCCE CEO Roy Snell said “The real question is, will industry give independence to the compliance officer before the government mandates independence through regulatory action as they have with auditors.” Time will tell.

8. Enforcers Tally a Record $9 Billion in Corporate Settlement Agreements, Warn Boards and Management

As Joe Warin of Gibson Dunn puts it, the “B word”—corporate settlements levied by federal enforcers with totals in the billions—are almost the “new norm.” The 2012 total of $9 billion dwarfs the previous 2006 high of $3 billion. With 35 NPAs and DPAs in 2012, across a broad spectrum of industries, CCOs have significant new input to add to the existing guidance for compliance programs, many of which include positioning, structure, and resources of the compliance function. As Gibson Dunn advised its clients: “Make no mistake: while not formally labeled as such, DOJ and other regulators appear to be promulgating compliance guidance for various industries through the remedial requirements included in the DPAs and NPAs used to resolve real-world cases.” In 2012, officials made a number of public statements and speeches urging boards and management to “elevate the role of compliance” by supporting their CCOs with “adequate resources, independence, standing, and authority” to be effective. Boards and management should take heed.

9. Greg Smith’s Very Public Goldman Sachs Resignation, General Services Adminstration, et al—It’s the Culture, Stupid

In 2012, organizational culture hit the headlines. Greg Smith wrote about it in his spectacular “take-this-job-and-shove-it” New York Times op-ed (key word: “muppets”). And social media was abuzz over photos of Jeff Neely, the former head of the General Services Administration, in a taxpayer-funded hot tub with two glasses of wine at the ready. And don’t get me started on those wild and crazy Secret Service parties in South America. The 2012 RAND Symposium report also zeroed in on this “missing link” in its examination of compliance programs at a crossroads. Of course this is all preaching to the CCO choir.

10. The Year of the Corporate Whistleblower

By the end of 2012, it was clearly the year of the corporate whistleblower on a number of fronts. False Claims Act recoveries totaled over $9 billion, more than double the previous year, including the largest health care fraud settlement in history—a $3 billion settlement paid by British drug maker GlaxoSmithKline. After a slow start to its 2007 whistleblower program, the Internal Revenue Service also paid out at least two eye-popping bounties, including $104 million to former UBS banker Bradley Birkenfeld. Companies continue to scramble to respond to the new Dodd-Frank whistleblower program, which provides a direct line to the SEC for allegations of fraud, and a potential bounty of 10 to 30 percent for penalties collected over $1 million. With 3,001 whistleblower tips in its first year and its first bounty paid in 2012 (and reportedly many more in the pipeline), the new Dodd-Frank whistleblower program is now officially alive and kicking. With so much at stake, companies that fail to empower their CCOs could pay a steep price.

And there you have it. After the chief compliance officer was named 2011 Person of the Year by former federal prosecutor Michael Volkov, who recognized the CCO as the “unsung hero” of the corporate workplace, CCOs made strides in 2012. And that’s a good thing, with 2013 promising to be no less fraught with peril for the overseer of the company compliance and ethics program. As Machiavelli wrote, “There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things."

Donna Boehme is an internationally recognized authority and practitioner in the field of organizational compliance and ethics, designing and managing compliance and ethics solutions within the U.S. and worldwide. As principal of Compliance Strategists LLC, Boehme is the former group compliance and ethics officer for two leading multinationals and currently advises a wide spectrum of private, public, governmental, academic, and nonprofit entities through her NJ-based consulting firm.

UNDENIABLE TRUTH NO. 2

Whistleblower bounty programs help create a level playing field. Without these programs, the deck is always stacked against the mere mortal employee or regulator slaving away in the trenches trying to unravel the facts. The large, well-resourced financial institution holds all the cards (and the data). But the introduction of large financial rewards creates incentives for others, such as plaintiffs law firms (or in some cases, hedge funds investing in a whistleblower case for a percentage of the bounty), to support a whistleblower and thus even the score. Harry Markopolos is, no doubt, well versed in Undeniable Truth No. 2 [PDF].

UNDENIABLE TRUTH NO. 3

Sometimes it takes a thief to catch a thief. Who better to unravel the mysteries of complex business misconduct than a whistleblower steeped in the nuances, tricks, and practices of the fraudulent scheme? Wal-Mart’s alleged massive Mexican bribery scheme, which was splashed across the headlines earlier this year, wasn’t uncovered by a regulator or a compliance officer, but by the ex-Wal-Mart executive who for years was allegedly at the center of the bribery-palooza. See Undeniable Truth No. 1.

Ultimately, all whistleblower bounty cases, whether under the False Claims Act, Dodd-Frank, or IRS programs, are a form of “whistleblower arbitrage.” If companies do not seriously root out misconduct through their internal compliance programs, then someone else probably will. However unpalatable the whistleblower, and however ridiculously large and undeserved the bounty may appear, misconduct left on the table will likely be disclosed for profit. Sometimes a very, very big profit. Time will tell whether that becomes Undeniable Truth No. 4.

Reprinted with permission from the September 20, 2012 edition of Corporate Counsel© 2012 ALM media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 or reprints@alm.com or visit www.almreprints.com .

• All internal reporting systems are not created equal.

Why would a widespread bribery scheme, reportedly well-known to Wal-Mart employees and managers in Mexico, fail to be detected and raised to the highest governing authority through existing reporting mechanisms?    We now know that the whistleblower first notified the legal department through email.  But what about all the other employees “in the know” in Mexico and elsewhere in Wal-Mart? Did none of them trust the internal mechanisms enough to raise the alarm? Or if they did, what happened?  And where was the chief compliance officer?  So far it is alleged that the 2005 complaint was “hushed up” by the General Counsel and senior execs, and never made it to the boardroom. That’s alarming indeed, but not surprising.

Creating and maintaining an internal reporting system requires a lot more than hiring a third party vendor, turning on the phone lines and hanging posters.  Yet I continue to be amazed by the number of Boards and senior management teams who live with a false sense of security simply because they have a hotline or other employee reporting mechanism in place.  (See my open letter to boards on this point.)  Beyond the initial set-up, companies that are serious about compliance establish and enforce strict protocols for managing internal reports from initial intake to final consequences, whether discipline or process improvement.  And this is where the rubber meets the road, as powerful company forces often resist the very processes required for an objective, independent investigation.  As I have written elsewhere, Wal-Mart is Exhibit A, B and C for an independent chief compliance officer (i.e. not beholden to the General Counsel or any other corporate officer) who can oversee, among other things, the integrity of the investigation and the overall internal reporting system.  See “The Real ‘Happy Marriage’ Between the GC and the Compliance Officer.”  An independent CCO with a seat at the table would have been a cautionary voice in the exec decision-making process, and would have had direct, unfiltered access to report the matter to the board. If I were asked to advise a friend or a family member on how to raise a concern, I would recommend that they look carefully at the independence and rigor of a compliance program and internal reporting mechanism before ever pulling the trigger internally.
 

• How a company reacts to internal whistleblowers is a good barometer of corporate culture.

That the Wal-Mart whistleblower tip may have been “whitewashed” in an allegedly sham investigation, underscores one of the prime reasons employees consistently give for not reporting perceived misconduct:  the belief that nothing will be done. 

Forget codes of conduct, training, CEO speeches and awards for “most ethical company in the universe.”  If you really want a good barometer of a company’s culture, and the priority it places on accountability, transparency and ethical leadership, look no further than how internal whistleblower reports are treated.  This is tough business for organizations because the natural human reaction to whistleblowers is usually “seek and destroy.”  As in:“I’m all for openness and transparency and for blowing the whistle on wrongdoing.  Except if the guy is on my team, and then he’s a no good traitor.”   The enormous challenge for companies is how to turn this human knee-jerk response into a safe, transparent environment where internal reporting is valued (and not merely tolerated) and tips are expeditiously, confidentially and professionally investigated.  Potential whistleblowers are nothing if not observant.  Just as they notice misconduct, they also see what happens to those around them who raise their hands.  According to the New York Times, after finding the company’s initial interest in his complaint fade away, the Wal-Mart whistleblower said “I thought nobody cares about this.  So I left it behind.”  How companies react when whistleblowers come forward drives the organizational culture in a direct and lasting way.
 

• Wal-Mart, Dodd Frank aftermath and the Grimm Act:  Another bite at the apple?

How Wal-Mart botched the internal whistleblower’s claim is an ironic postscript to the 2011 Dodd Frank whistleblower debate.  

Not too long ago, a long list of veritable who’s who in Corporate America, led by the Chamber of Commerce (of which Wal-Mart is a prominent member), lobbied hard against the then-pending Dodd Frank whistleblower rules,  in particular against the provision that permitted employees to go directly to the SEC without reporting internally first.  The main objection was that the potentially enormous rewards (10-30% of penalties over $1M) would incentivize employees to bypass internal reporting systems,  undermine company compliance programs and otherwise cause the sky to fall.  See “The Sky Has Not Yet Fallen.”  In a smart balancing act,  the SEC rejected those objections, but created incentives to encourage internal reporting.  Now one year later,  that same corporate lobby is attempting another bite at the apple through Grimm Act (House Bill 2483), which would amend the Dodd-Frank whistleblower rules in a second attempt to require internal reporting as a condition to access to the law’s protections and financial rewards. 

The Wal-Mart headlines should give legislators considering the Grimm Act serious pause.  One of the disconnects in this debate has always been the divergent views on the effectiveness of internal reporting systems.  As noted in a 2011 RAND Symposium report on the topic, the corporate lobbyists based their arguments on the premise that these reporting mechanisms were working just fine, thank you very much,  and that Dodd-Frank was going to ruin years, even decades, of all that good work. In stark contrast, whistleblower advocates argued that many internal reporting programs might look good on paper, but in reality are so flawed that they fail in their mission.  Judging by reports so far, Wal-Mart could well be the poster child for the latter view. 

It will be worth revisiting this list of takeaways as more details reach the public domain.  At a minimum, the impact of the Wal-Mart spectacle on current efforts to curtail both the Dodd-Frank whistleblower rules and the Foreign Corrupt Practices Act will be interesting to follow. But for now,  it’s safe to say that companies may have a lot more work to do on their internal reporting systems,  and the controls surrounding investigations and reporting up the chain, before crying “the sky is falling”  about the Dodd Frank whistleblower program.