Conflict of Interest Blog

Is Wall Street a bad ethical neighborhood?

For many years I taught ethics in the executive MBA program of a New York area business school. Because of the school’s location, the “day job” for many of the students was in the financial services field, and on average they seemed less ethics-focused than did the others.  I did not find this surprising – since for many years my “day job” was as a white collar criminal defense lawyer, and a disproportionate number of my clients were from that same industry.

Wall Street is not, of course, run by wolves.   And there have been other industries that could be seen as “bad ethical neighborhoods,” at least for a time.  (Indeed, it was from defending several members of a very different, and even more troubled, industry – the specialty pipe business – in the 1980s that I began to be interested in the possibility of what was then seen as preventive corporate criminal law and has now become corporate compliance and ethics.)

But the financial services field has always been different because – by definition – the day-to-day work there is dominated by dealings with money itself.  As described in this earlier post, research published in 2013 showed that “mere exposure to money can trigger unethical intentions…” – and presumably the greater the exposure the greater the ethical peril.

Now, and more directly relevant to the issue of financial services and culture, is the publication this week in Nature of “Business culture and dishonesty in the banking industry” - by Alain Cohn, Ernst Fehr and Michel André Maréchal,   their summary of which is: “Contemporary commentators have attributed scandals [in the financial services sector] to its…business culture … but no scientific evidence supports this claim. Here we show that employees of a large, international bank behave, on average, honestly in a control condition. However, when their professional identity as bank employees is rendered salient, a significant proportion of them become dishonest. This effect is specific to bank employees because control experiments with employees from other industries and with students show that they do not become more dishonest when their professional identity or bank-related items are rendered salient. Our results thus suggest that the prevailing business culture in the banking industry weakens and undermines the honesty norm, implying that measures to re-establish an honest culture are very important.”

So, an important knowledge gap has been filled, even if it is primarily a matter of proving with experimental data what has long been known from observation of real life.

But  identifying a neighborhood as unsafe is  not the same thing as reducing the peril.  In one of our exchanges on the ECOA web site, Steve Priest recommends these five areas to focus on in ethical culture building:  a true “commitment to doing the right thing; clear standards; organizational values put into action (by leaders and employees); accountability, and open communications up, across and down the organization,” to which I add promoting long-term thinking; moderating any undue pressure to perform; and  nurturing employee identification with the company, its customers or its products/services.  Finally, because so much of the ethical trouble in the financial services field has  seemingly sprung less from purposeful lying than from carelessness about the truth, the “culture of care” approach discussed here might be useful for reestablishing an honest culture in this rough neck of the woods.


Conflicts of interest, corruption and fraud: what are the connections?

Whether one is drafting a code of conduct or other C&E policy documents, developing training, designing audit protocols,  conducting a risk or program assessment or creating C&E metrics, it may be useful to bear in mind the relationships between COIs, corruption and fraud – particularly given the extent of overlap among these areas.  The following is offered as an overview of these connections, but note that these are intended only as general principles under US law; aspects of the analysis may differ under various other countries’ legal regimes, and even  some aspects of US law itself.

Corruption  generally involves a breach of a duty of loyalty – either the duty an employee owes her employer or that owed by an agent to her principal. Corruption – at least viewed this way – always involves COIs.

Outbound corruption involves causing such a breach by others – e.g., paying a bribe to an employee of another organization to cause her to breach her duty of loyalty to such entity.  Inbound corruption involves breaching one’s own duty to employer/principal – e.g., by receiving a bribe to betray the employer.

While all corruption involves COIs not all COIs involve corruption.  Typically (but perhaps not always), the added dimension of concealment is required for an act to be considered truly corrupt.  (So, for instance, supervising a family member at work would generally not be viewed as a criminally corrupt act if it were disclosed, although it typically would still be seen as a COI.)

Fraud involves a misrepresentation for the purposes of cheating another.   In some circumstances, particularly where a duty of loyalty exists, a material omission/failure to disclose – even in the absence of an overt falsehood –  is enough for fraud liability.

Outbound fraud can involve cheating shareholders/lenders (through, e.g., misstatements about financial condition/performance); customers (e.g., though deception about the product/service in question);  or regulators (e.g., lying about one’s product/service or general business matters, such as tax). Insider trading is seen as a form of fraud, although in some circumstances the fraud analysis is a stretch.

Inbound fraud involves the organization itself being cheated either by employees (e.g., submission of phony expense reports) or third parties (e.g., suppliers lying about conditions in which a product is manufactured). In such cases the failure to disclose/material omission will often be sufficient for liability, given the nature of the relationships involved.

It is possible to see all forms of corruption as involving a fraud element, in that corrupt schemes presumably always implicate an overt deception or material omission.  And, the nature of deception/omission tends to involve COIs.

However, clearly not all acts of fraud have an element of corruption. For instance, deceiving a customer about the quality of a product would not entail corruption, unless an employee of the customer was “in on it.”

Some closing points:

First, while I think it is important to keep these different categories in mind for different aspects of C&E work (such as those noted in the first paragraph of this post), they – and indeed many other forms of wrongdoing – should be seen as connected to each other, in the sense of how they can affect an organization’s culture.  That is, an employee seeing even small-scale COIs or cheating on expense forms at her company is, I think, more likely to become more vulnerable (through desensitization) to other types of offenses.  Included here would be those involving outbound corruption which, of all the participants in the above-described “parade of horribles,” is often treated most harshly by the legal system in the US and elsewhere. Put otherwise, COIs and small scale frauds can be seen as “gateway offenses.”

Second, even where conceptually distinct, fraud and corruption often have the same controls-related issues.  For instance, weakness in the vendor selection/management process can be an occasion for an inbound fraud (supplier cheats company), an inbound corrupt act (supplier bribes company procurement personnel) or an outbound corrupt act (extra money given to supplier used as a slush fund to pay off company’s customers or regulators).  Or, all three could be happening at once.

Finally, a brief repeat of the opening cautionary note that my framework is not intended to be universal. Indeed, as recently as yesterday we saw an executive jailed for “breach of trust” in Germany under circumstances that might not (at least as I read the story) be considered criminal under US law.

For additional reading:

A post on “slippery slopes.”

Mapping a territory of ethical impairment.

Major laws in the US designed to promote ethical conduct by businesses (from the Ethical Systems web site).

Gifts and entertainment as “soft-core” corruption.

Other people’s conflicts of interest.





Risk assessment: law, economics, morality science…and liquor

Many years ago a client who was in the compliance department of a pharma company told me his strategy for conducting risk assessments.  He would schedule the interviews of sales people – a key, but typically difficult, constituency for nearly any risk assessment – to begin late in the work day, and after a while suggest that the discussion continue in a nearby bar.  As the drinks began to flow, so apparently did the information about risks.

Risk assessment is the foundation of an effective C&E program – certainly as a matter of common managerial sense, and increasingly as a matter of law.  In  connection with the latter, we recently passed the ten-year anniversary of the revised Sentencing Guidelines, which established risk assessment as an official C&E program expectation of the U.S. government; and on virtually the same day, the Italian government published important new competition law compliance  guidelines, discussed in this publication from the Baker & McKenzie law firm, which include a risk assessment component.

Still, meeting such expectations – by getting business people people to talk openly about the uncomfortable topic of risk – is as challenging as is anything in the C&E field.  So, what can you use to make these conversations succeed if, like most C&E professionals, your toolkit doesn’t include a liquor cabinet?

Part of the way for dealing with this challenge is to provide that the assessment is conducted under the company’s attorney-client privilege  and, beyond this, that no attribution to the sources of information will be included in the assessment report.  These are the tools of law, and deploying them can be essential to success in a risk assessment.

But offering confidentiality alone may not be enough because while it is typically in the clear interest of a company to have a thorough risk assessment, individuals’ interests often seem (and sometimes are) out of alignment with those of the organization. This is the realm of the economics-based concept of moral hazard, discussed in various prior posts of this blog that are collected here.

There is no panacea for dealing with this impediment – but hopefully one can make a persuasive appeal to an interviewee’s being a “C&E leader,” a formulation which seeks to blend considerations of personal and organizational benefit, to get the interviewee  to be truly helpful for the  risk assessment. Of course, for an approach such as this to work, it cannot be limited to the risk assessment process. Senior executives, and even the board of directors, need make clear through various intangible and occasionally tangible ways that such leadership is duly appreciated.

Finally, there is also a psychological dimension to the challenge of risk assessment.  As discussed in this recent article in Science  - “Morality beyond the lab” by Jesse Graham (which I learned of from the Ethics Unwrapped web site ),  various  “laboratory  studies have shown a ‘holier-than-thou’  effect, in which people over-optimistically predict their own future moral behavior but accurately predict the not-so-moral future behavior of others” – a view which has now been supported by the results of an important recent field study (by W. Hofmann, D. C. Wisneski, M. J. Brandt, L. J. Skitka, which is published in the same issue of Science). As summarized by Graham: “[T]he study suggests that moral life can largely be characterized by two kinds of events: noting one’s own good deeds and gossiping about the bad deeds of others.”

For those conducting risk assessments, the path suggested by this research is clear:  to the maximum degree possible, one should structure the inquiry so that it is not seen as asking about the interviewee’s own risks but those of others.  And, in providing information about others, at least in the aggregate, employees of an organization will likely be helping you analyze risks that in fact involve themselves.

One other point about the above-discussed research, which is that while I have highlighted its use for risk assessment there are other ways in which this aspect of  what Graham calls “morality science” can enhance the efficacy of a C&E program.  Mostly notably, it can be used in training and other communications to underscore the overarching behavioral ethics notion that “we are not  as ethical as we think,” which should help reinforce an appreciation for the help that C&E staff and other resources can provide to employees when  confronted with legal risks or ethical dilemmas.

For further reading on risk assessment, here’s a link to a complimentary e-book comprised mostly of my risk assessment columns in Corporate Compliance Insights.

For an index of posts on “behavioral ethics and compliance” please click here. 

Internal auditors as compliance program helpers: opportunities and independence challenges

Internal auditors often have the skill set and opportunities to lend an important hand to their respective companies’ C&E programs beyond the program-related audits that they conduct.  But such assistance can raise independence issues where the activity in question itself  should be audited.  This post considers what some of these opportunities are and which are problematic from an independence point of view.

First, in some companies auditors answer the help line.  This seems problematic to me, as a company’s responding to help line inquiries is sufficiently important – particularly under the Caremark case – and challenging that it should be audited, at least in companies with a relatively high degree of compliance risk.

On the other hand, in many companies auditors do receive in-person compliance-related inquiries from employees on an ad hoc basis – particularly during site visits.  Given the relatively infrequent and unplanned nature of this sort of activity, it generally need not be audited – and so I think that no significant independence issues are raised by auditors helping C&E programs in this way.

Related to responding to help line inquiries is, of course, conducting investigations into suspected violations of  C&E policies – which internal auditors often do, particularly on financial-misconduct related matters.  I believe that an internal investigations functions should be audited periodically (either as part of the help line audits or on a stand-alone basis) but for many companies – particularly medium and small sized ones – there is no practical alternative to having auditors conducting investigations.  While not ideal from an independence perspective, I think this is a compromise many companies can live with (although for some having an external assessment for this activity may be warranted).

A somewhat less obvious, but often useful, C&E program role for internal auditors concerns training/other communications.  The line I would draw here is, on the one hand, between an auditor designing training and/or determining who should receive it – which one might want to audit, at least in high-risk companies, as they involve the exercise of a significant amount of judgment; and, on the other hand, acting in a more ministerial/facilitating capacity  – e.g., delivering training that others have developed, particularly on site visits – where there is generally less of a need to audit.

Finally, and perhaps most significantly, internal auditors sometimes assist in designing C&E-related policies, monitoring measures and process controls. Here, too, the appropriate line to draw is between the auditor acting in a facilitating role – which, in my view, is generally acceptable independence wise, versus her having principal responsibility for such activity – which should be avoided, if possible.   But, as with auditors conducting investigations, in some companies independence perfection is not possible with these sorts of efforts, and where that’s the case companies need to do whatever’s reasonably possible to maximize independence possibilities for such situations – including in some cases using external resources for the audit/assessment.

A final point:  I hope I don’t seem overly willing to accept compromises in this area, but in analyzing the involvement of internal auditors in C&E programs I’m mindful of the fact that so long as their pay (and that  of the boards that serve as their protectors) comes from the companies where they are employed total independence is not attainable.  (In this sense, independence issues and conflicts of interest in companies are indeed different – because one can have a zero tolerance approach to COIs, but not to independence challenges.)  So, the task here is striking the right balance and not seeking to attain complete purity.

For additional reading:

- A post regarding internal audit and reporting relationships on the web site of the Institute for Internal Auditors by Mike Jacka – Internal Audit is the Midst of a Great War.

- An important real-world experiment involving conflicts of interest and auditors.

The modern era of compliance and ethics at ten years old

This week will see the tenth anniversary of the advent of the revised Federal Sentencing Guidelines for Organizations – the most influential set of official C&E-program-related expectations ever issued. More than any other legal development,  these revisions – which went into effect on November 1, 2004 – made possible the work that C&E professionals do.

In the latest issue of the SCCE’s Compliance and Ethics Professional magazine (see page 2 of this PDF) I try to sum up in a mere 400 words what the legacy to date of the Guidelines is. (My emphasis in this piece –  being a “compliance guy” – is on the empty part of the glass, but perhaps this is unfair. Indeed, by any measure, the revised Guidelines have had more of an impact in their first decade than did the Sherman Act – which can be viewed as the federal government’s first compliance law – in its first ten years of existence.)

For those with more of an appetite (and budget) for this topic, you might check out the just-published 2014 edition of this 1400-page treatise on the Guidelines which I edited with Joe Murphy, who is the one true founder of our profession (and my one true mentor).

I look forward to watching C&E program law continue to develop – particularly outside the U.S. – and hopefully live up to the full promise of the standards issued a decade ago.


Episode 100

For the 100th episode of his FCPA Compliance and Ethics Report, the amazingly prolific, extremely knowledgeable  and always thoughtful Tom Fox interviews yours truly.

You can hear the interview – which covers  a number of topics, ranging from the early days of the compliance field to the latest views of the Justice Department on what makes a program effective – here.

I hope you find it interesting – and thanks again to Tom, not only for inviting me to be part of the Report but for his many contributions to the field.


Effective C&E Programs: The Justice Department Speaks

Last week, together with David Wilkins of SNC-Lavalin, I chaired the Practising Law Institute’s Advanced Compliance & Ethics Workshop.  Marshall Miller, the number 2 in the Justice Department’s Criminal Division, gave the keynote address, which was subsequently posted on the Department’s web site.  Among the important points he made were the following.

First, Miller said that a principal hallmark of an effective C&E program “is high-level commitment.  When employees truly understand that a company’s leadership is committed to compliance – even when it runs up against profits – only then does a company truly have a successful compliance program.”

A side note on this: I’ve found over the years that one of the most meaningful gauges of the seriousness of a C&E program is whether a company can provide specific examples of where it has in fact sacrificed  potential profits to maintain its C&E-related standards. A company’s having done this often makes a profound impression on employees (and potentially third parties) – and can be seen as more significant than mere words in a code of conduct.

Second, Miller said: “The quickest way to check on that commitment is to take a look at corporate structure.  If you see compliance executives sitting in true positions of authority at a corporation, reporting directly to independent monitoring bodies, like internal audit committees or boards of directors, you likely are looking at a strong compliance program.   Compliance programs also need to be resourced; they need to have teeth and respect.”

A side note on this:  It was clear from Miller’s talk that Justice was not saying that all companies needed to have the C&E officer report administratively – as opposed to informationally  - to the board.  Very few companies take the former approach; indeed, based on a show of hands, none of the conference attendees do this.

Third, Miller said: “Another key hallmark is whether the program grows with the company.  Any good compliance program needs to be periodically evaluated, using risk assessment models aimed at the individual circumstances of the company.  As companies change over time, so must compliance policies.”  Key here is the phrase “risk assessment models aimed at the individual circumstances of the company,” because too many companies assess risk using a one-size-fits-all approach.

Fourth, he noted: “A strong compliance program must also involve enforcement and discipline.  It is human nature to pay more attention to what people do than to what they say.  Compliance must be incentivized; violations disciplined.  And the response must be even-handed.  Too often we see low-level employees who implemented bad conduct fired, but bosses, who did nothing to stop the conduct – and may even have directed it – left in place without sanction.”  To my mind, this has always been a weakness of many C&E programs, as discussed in this earlier post.

Fifth,  Miller said that “expanding corporations must extend their compliance programs to all of their subsidiaries – even, or perhaps especially, those that were recently acquired – and must ensure that compliance policies are understood and implemented by all employees, no matter what country they work in.”  This seems an especially important point, given the history of C&E failures involving subsidiaries, joint ventures and other members of corporations’ “families” – as discussed in this eight-part series from the FCPA Blog.

Finally, there was lots more to the conference than Miller’s fine speech – but I don’t have permission to post all of  it, as it is for PLI members and other conference attendees.  I can, however, post this legal update I gave with Joe Murphy with lots of information about how law promotes – and sometimes impedes – companies developing strong C&E programs.

Risk assessment: frequently asked questions

In addition to the COI Blog, I write a column on risk assessment for Corporate Compliance Insights. My most recent posting there is on various risk assessment FAQ’s that – both in conducting assessments and advising clients on how they can do so themselves – I’ve dealt with over the years.

The column can be accessed here. I hope you find it interesting.

C&E officer reporting relationships: a tale of two recent surveys

More than a decade ago, Iowa senator Charles Grassley famously said of a company’s general counsel also serving as its compliance officer: “It doesn’t take a pig farmer from Iowa to smell the stench of conflict in that arrangement,…” And since then, there has been a lively (albeit not always as colorfully expressed) debate involving C&E practitioners, lawyers and others concerning the issue of to whom should the C&E officer report.

Earlier this month a survey conducted by NYSE Governance Services and the SCCE  captured considerable attention in the C&E field with its finding that 38% of  persons “with overall responsibility for the compliance program” in their companies reported to the CEO, 19% reported to the board of directors and only 18% did so to the general counsel. This led the Wall Street Journal to proclaim: “Legal [is] losing its grip over risk and compliance.”

However, two caveats should be borne in mind here. First, the specific question in question – “To whom does the person with overall responsibility for the compliance program report?” – could be read to include merely informational reporting (i.e., the C&E officer meets periodically with the CEO) as opposed to the more significant administrative kind (i.e., the CEO is the supervisor of the C&E officer). Having heard  many C&E officers speak over the years about their reporting relationships in a way that uses the two types interchangeably I would be surprised if this ambiguity didn’t account for a slice (and perhaps a large one) of the CEO and BOD numbers.  Second, nearly a third of the survey respondents were from the “health care and social assistance fields” – which is much higher than the percentage of such organizations in the economy generally; this is significant because, for regulatory reasons, reporting to the BOD and CEO are more common than in these types of entities than in most others.

A less noticed but no less notable contribution to this debate was the report of a survey published only a few weeks earlier by Mitratech (a provider of  enterprise legal management solutions for legal departments).  While not posing the same question that the NYSE Governance Services one did, this report noted (among other things) that “[t]he legal department owns the enterprise compliance function in 40% of respondents’ organizations and owns a portion of compliance functions in another 24% of organizations” and also that “[t]he role of the legal department in enterprise compliance is increasing as the responsibilities of the Chief Compliance Officer (CCO) and General Counsel become more tightly intertwined.”  These results feel closer to the actual practices I’ve seen in business organizations than do those in the other survey.

Granted, I have never been a pig farmer from Iowa, but I have been around this issue for a long time (my first experience with it dating back to the mid-1990’s when I was asked by a client whether the C&E officer should report to the GC or its Chief Operating Officer). Based on my experience since then, I can say with some confidence that there is no one-size-fits-all approach to the question of to whom the C&E officer should report.

Certainly, in a company where the GC herself is likely to be a source of risk then the case for independent reporting is clear enough. (This is not about the GC being honest as an individual but, rather,  giving advice regarding or otherwise playing a role in company activities that are relatively likely to be scrutinized in an enforcement context.)   Also, in industries where the government has expressed a preference for not including the GC in the C&E officer’s line of administrative reporting, then that is entitled to a fair bit weight. And, where employees are likely to see the GC as an aggressive defender of the company’s interests – which is sometimes the case where the company is the subject of high-profile litigation – then having the C&E officer subordinate to the GC could inhibit employees reporting suspected wrongdoing.

But there are many other situations where not reporting to the GC would effectively make the C&E officer an organizational “orphan,” because the CEO or BOD – who have a  vast array of responsibilities – would in fact do less for her (and the program) than would a GC whose duties and skill set naturally lend themselves to promoting C&E.   Indeed, I recall one case where the C&E officer did in fact report administratively to the audit committee;  it was a well-intended approach, but the committee gave him little day-to-day guidance, which sadly seemed to contribute to his losing his job. More generally, as C&E program requirements increasingly become part of the sinews of US business law (a trend that seems inevitable), then the case for administrative reporting to the GC may actually be enhanced.

Finally, even if a company does opt for this latter approach, care must be taken to protect the C&E officer’s independence – both actual and apparent – through other means.  One of these is having her reporting periodically to the relevant BOD committee in executive session.  Another is to provide that the C&E officer’s duties and compensation cannot be adversely affected without prior approval of such committee.  Finally, a GC to whom a C&E officer reports should take steps to ensure program independence by other members of the law department – such as through training them on their “reporting up” obligations under S-Ox section 307.

(For additional reading on BOD oversight of C&E programs please see this post by my partner Rebecca Walker and me on the Harvard Law School corporate governance blog.)

Come to the Advanced C&E Workshop

On October 7-8, together with David Wilkins of SNC-Lavalin, I’ll be chairing the annual PLI Advanced Compliance & Ethics workshop in NY, which will also be available by web cast.  My partner Rebecca Walker will be chairing the workshop in SF on November 17-18.

We have assembled an all-star team of C&E officers and law firm practitioners for the conference. We hope to see you there.