Corporate Compliance Evolution:
Solving Operational Issues Through Integrated Strategies & Solutions
In today’s increasingly stringent business and regulatory environment, organizations and their legal departments have to keep up with an onslaught of ever-evolving corporate governance principles and complex compliance regulations. The need to constantly monitor compliance issues is straining corporate budgets, creating an ongoing demand for cost-effective, innovative strategies that address corporate compliance needs.
This white paper will examine the latest corporate governance best practices and compliance regulations and offer solutions to help organizations improve efficiency, maximize productivity, and reduce expenses related to compliance.
Why Corporate Compliance?
Put simply, corporate compliance exists because the alternative is unthinkable. At one time, the existence of a compliance department was an afterthought for many companies. Today, it is something no forward-thinking business would ever go without.
In today’s highly regulated corporate landscape, the cost of regulatory noncompliance is high, and growing ever faster. A leading survey of corporate legal officers reported that nearly one in three companies had been targeted by regulators for enforcement or investigation within the previous two years. (ACC Chief Legal Officers 2017 Survey, at 4.) In the financial services sector, upwards of $321 billion in fines and penalties have been assessed against banks and other financial institutions since the 2008 financial crisis. (Boston Consulting Group, Global Risk 2017: Staying the Course in Banking, at 16.)
And that pace shows no signs of slowing down. In 2016 alone, banks paid $42 billion in fines and penalties, a 68% increase over previous years. (Ibid.) Of course, it is not only banks that are subject to penalties for noncompliance with regulations. In 2016 the federal government recovered $4.7 billion in corporate settlements from False Claims Act cases alone, while 702 new False Claims Act suits were filed. (Practicing Law Institute, Corporate Compliance Answer Book, at 1-15, 1-21 (2018 edition).)
- 1 in 3 companies targeted: over the last 2 years by regulators for enforcement or investigation
- $321 billion in fines & penalties: against banks and other financial institutions since the 2008 financial crisis
- $42 billion in fines & penalties: against banks in 2016 – a 68% increase over previous years
And as the world gets smaller, the risk of regulatory action becomes larger. Companies increasingly have to be aware, not only of regulatory systems in the United States, but also those in Europe, Asia, and the rest of the business world. In the United Kingdom, companies have paid over £26 billion – about $35 billion – for the misselling of payment protection insurance since 2011. (Thomson Reuters, Cost of Compliance 2017, at 8.) The future is likely to bring even more exposure to fines and penalties for companies with operations in Europe. Under the General Data Protection Regulation, European regulators have the power to fine companies up to four million Euros – or four percent of the company’s total annual revenues – for failure to safeguard electronic data. (Ibid., at 7.)
Fines for noncompliance are bad enough, but for many companies that is only the beginning. Companies that violate the law can find themselves on the wrong end of civil suits from customers, shareholder lawsuits for breach of fiduciary duty, and civil enforcement actions by the SEC or the DOJ. In the extreme case, a corporation can find itself subject to criminal charges. And any one of these things can have a snowball effect, because a mounting array of fines and legal actions can lead employees and customers alike to lose confidence in businesses. The cumulative effect can drive companies out of business entirely – as companies like WorldCom, Adelphia, Tyco, Enron, Arthur Andersen, and BellSouth have all discovered in recent years. (Practicing Law Institute, Corporate Compliance Answer Book, at 1-14 (2018 edition).)
Compliance as a Strategic Function
“American corporate governance has undergone a quiet revolution. Much of its basic role—the oversight and control of internal corporate affairs—has been overtaken by compliance.” — Sean J. Griffith, Corporate Governance in an Era of Compliance, 57 William & Mary Law Review 2075 (2016).
A robust corporate compliance program is essential, but it is far from easy. Effective compliance is more than just making a list of rules and distributing them to personnel. An effective corporate compliance program is administered on a regular basis from the most senior levels of management and integrated throughout the company’s activities. It is not just another corporate function, but truly a strategic function of the company.
Under guidelines administered by the DOJ and other federal agencies, the breadth and extent of preexisting corporate compliance programs can be taken into consideration when deciding whether – and how severely – to punish corporations for the wrongdoing of their employees. These guidelines, used by the DOJ, the SEC, and sentencing judges, among others, have long been considered the “gold standard” for evaluating the effectiveness of corporate compliance programs.
Under standards elaborated by the U.S. Sentencing Commission, the severity of punishment for a company for the wrongdoing of its employees depends on the adequacy of the company’s preexisting compliance program, which “minimally require[s] the following”:
- The company “shall establish standards and procedures to prevent and detect criminal conduct.”
- Responsibility for administering the compliance program shall be given to individuals who report directly to high-level personnel and, as necessary, directly to the company’s board of directors or other governing authority.
- The company shall prevent anyone with a history of illegal or unethical conduct from administering the compliance program.
- The company shall make sure that its employees and agents, including its high-level personnel, receive periodic training on corporate compliance.
- The company shall take reasonable steps to make sure that its compliance program is assessed regularly for effectiveness and that employees and agents have a mechanism to report violations without fear of retaliation.
- The company’s compliance program shall be promoted and enforced throughout the company on a consistent basis and disciplinary measures shall be taken against those who engage in unlawful conduct.
- If unlawful conduct does occur, the compliance program shall be evaluated and any necessary modifications shall be made to ensure that the violations do not recur.
(United States Sentencing Commission, 2014 Federal Sentencing Guidelines Manual, at §8B2.1(b).)
The Department of Justice also considers the existence of a corporate compliance program in deciding whether to bring criminal charges against a company. Under the DOJ’s so-called “Filip Factors,” as published in the U.S. Attorneys’ Manual, some of the questions to be considered are:
- “Is the corporation’s compliance program well designed?”
- “Is the program being applied earnestly and in good faith?”
- “Does the corporation’s compliance program work?”
- Was the compliance program “merely a ‘paper program’” or was it designed and implemented in a truly effective manner?
- Can the corporation’s compliance efforts be audited and documented?
- Are the corporation’s employees “adequately informed about the compliance program and are convinced of the corporation’s commitment to it”?
(U.S. Attorneys’ Manual, Principles of Federal Prosecution Of Business Organizations, at 9-28.800.)
These standards are by now well-established, but they continue to evolve. In 2017, the Fraud section of the DOJ’s Criminal Division – just one of the sections of the DOJ with authority to prosecute corporate crimes – issued a circular elaborating in further detail the factors it considers in applying the Filip Factors. (US Department of Justice, Criminal Division, Fraud Section, “Evaluation of Corporate Compliance Programs,” 2017, at 1). While largely consistent with prior publications, the Guidance breaks down the issues into 11 broad categories, 46 subcategories, and 119 specific questions. As one commentator noted: “[T]he clear import of the Guidance is that companies will be asked detailed and challenging questions regarding the scope and effectiveness of their compliance programs. Accordingly, companies will need to seriously consider how their programs will withstand such scrutiny, or risk the possible consequences of loss of credit for their compliance programs, higher penalties, or even separate violations for inadequate internal controls.” (Harvard Law School Forum on Corporate Governance and Financial Regulation, DOJ’s New Guidance for Compliance Programs, March 19, 2017).
Over $25.8 billion in monetary fines, penalties, or borrower restitution was ordered for improper mortgage lending practices, Q4 ’16-Q4 ’17
In monetary fines, penalties, or borrower restitution in Q4 2017
The Rising Cost of Compliance
The need for compliance is high, but so too is the cost. With a growing number of complex regulatory requirements to adhere to, especially in the finance and mortgage lending industries, many companies are forced to maintain compliance efforts that weigh heavily on corporate budgets and sideline other important business functions of key personnel. Add to these constraints the constant pressure from shareholders to rein in operating costs, and it’s easy to see why organizations are on the hunt for alternative, budget-friendly corporate compliance solutions.
Regulatory changes are a significant factor. In the banking sector alone, the number of regulatory revisions on a worldwide basis has tripled since 2011, to more than 200 revisions per day. (Boston Consulting Group, Global Risk 2017: Staying the Course in Banking, at 4.) Not surprisingly, about one-third of companies spend more than one day a week simply tracking and analyzing changes in regulations. (Thomson Reuters, Cost of Compliance 2017, at 5.)
- Regulatory revisions tripled: in the banking sector alone since 2011
- 200 revisions per day: on a worldwide basis to regulations
- 1 day per week by 1/3 of companies: spent tracking/analyzing changes in regulations
The global pace of change is hardly slowing. Companies doing business in Europe have to contend with several major new regulations that have come or are coming into effect in 2018, including the Markets in Financial Instruments Directive II, the Insurance Distribution Directive and the General Data Protection Regulation. (Thomson Reuters, Cost of Compliance 2017, at 5, 23.) These major European reforms, along with Brexit and the regulatory revisions coming from the Trump administration, combine to create what some have called “a perfect storm” of regulatory change. (Ibid. at 23.)
And while tracking regulations is a burden, it is only the beginning. In 2017 compliance officers typically spent only 15% of the week tracking revisions to regulations. The rest of the week was consumed with reporting to boards, interacting with regulators, maintaining licenses, compliance monitoring and training, assessing lessons learned from compliance reviews, oversight of conduct risk issues, and many other activities that all have to be addressed in order to manage compliance properly. (Thomson Reuters, Cost of Compliance 2017, at 21-22.) Surveys of corporate legal officers consistently show that ethics and compliance are the top issues “keeping them up at night.” (ACC Chief Legal Officers 2016 Survey, at 5; ACC Chief Legal Officers 2017 Survey, at 4.)
Technology and Outsourcing Offer Value-Creating Compliance Solutions
The strain on in-house compliance functions continues to escalate—and the consequences for failing to meet increased demands are rapidly following suit. Because of heightened regulatory scrutiny, organizations often respond by expending extensive resources that cause overall operational costs to skyrocket. An increasingly complex regulatory framework, ongoing talent shortages, and constant pressure to rein in operating expenses leave many organizations looking for alternative strategies, from investments in compliance tracking technology to selective outsourcing solutions.
- In-House Compliance
In order to mitigate risk and stay abreast of the latest regulatory compliance developments in-house, organizations must invest in qualified, experienced compliance personnel, retain regulatory experts, and become masters of procedural and process technology and improvements.
Investing in technology to track global entity records and regulatory actions can sometimes alleviate strain on compliance personnel and, in some situations, make up for resource constraints — but unleashing the full benefits of the technology often requires a certain time commitment and level of expertise. Add to that increasingly strict privacy and data security requirements and correspondingly vague cybersecurity statutes and directives, and compliance teams are now faced with an entirely new set of challenges.
In many cases, the most effective, budget-conscious solution is to outsource compliance tasks to a third party that specializes in regulatory compliance and management.
- Legal Process Outsourcing (LPO)
As they grow and evolve, in-house compliance teams often don’t have the capacity to handle everyday compliance tasks — and this is where outside experts come in. Legal process outsourcing (LPO) has joined the ranks of long-established business process outsourcing (BPO) as an accepted practice and a viable solution to corporate operational needs. LPO firms are experts in their field and understand compliance regulations, industry standards, valuation, and data analytics, and they offer solutions based in industry expertise.
A reputable compliance outsourcing team evaluates and reports on internal and external compliance efforts. They may assist with collecting and compiling compliance information and data and with testing and monitoring business systems and processes. They manage compliance efforts across a variety of areas including:
- Compliance and regulatory document review
- Disclosure generation
- Contract analysis and review
- Forensic file review
- Risk assessment
- Due diligence (including mergers and acquisitions)
- The Hybrid Model—Selective Outsourcing
The selective outsourcing strategy allows organizations to realize the resource-saving benefits of working with an LPO on an as-needed basis. Specific operational functions are placed with a third-party outsource provider that delivers a budget-friendly strategy with a high level of responsiveness, high quality of service, and innovative technology processes. In addition to conserving resources, selective outsourcing enables compliance teams to focus on core business activities while maintaining control of specific compliance functions in-house.
The right compliance-outsourcing partner should provide the following benefits:
- Process gains in efficiency and quality
- Access to subject matter experts
- Scalability of resources up or down as necessary
- Consistent execution of end-to-end compliance processes from assessment through remediation
- Minimized strain on internal resources and infrastructure
- Reduced labor expense with respect to in-house training, hiring, and attrition
(Deloitte, Meeting Compliance Challenges, Leveraging the Value of Outsourcing, at 4.)
By freeing up financial, technological, and human resources, in-house compliance officers and their legal teams regain the bandwidth necessary to focus on value-creating core business practices and market strategies.
Finding and Vetting the Right LPO Support Team
With more respondents viewing service providers as key business enablers, service providers are becoming purveyors of innovation and enabling transformation rather than just providing a source of price arbitrage. Moreover, respondents say that innovation is a key component of the value derived from an outsourcing relationship.
– Simon Tarsh, Managing Director, Deloitte Consulting LLP, and leader of its Business Process Outsourcing Advisory Practice (Wall Street Journal, Outsourcing Accelerates, Taking on a ‘Transformational’ Role: Global Survey)
Organizations considering compliance outsourcing – whether on a full-time or hybrid basis – should develop a strategic, phased approach at the outset. Before selecting a legal outsourcing provider, create a master list of compliance processes and develop a partner strategy that considers risk assessment and cost-benefit analysis.
After the initial consultation phase:
- Select a Third-Party Provider
Develop compliance provider evaluation criteria. Consider the cost benefits of the provider and their reporting and risk management capabilities.
- Plan the Integration
Draft service level agreements (SLAs) and develop transition strategies to include shared risk philosophies. Evaluate and designate in-house and provider technologies to maximize efficiency.
- Execute the Integration
Compile data and internal/external reports, populate IT systems, and flag any potential instances of noncompliance. Establish procedures to handle regulatory changes and evolving compliance demands.
- Conduct Ongoing Testing and Internal Audits
Assess systems and processes against current compliance requirements and monitor key performance indicators. Conduct compliance provider quality/risk reviews and audits and analyze performance data.
In addition to the above strategy, assessing risks to data security—including operational strategy and intellectual property—is a critical step in choosing the right legal compliance partner. To ensure that adequate data security measures are taken, consider the following precautions:
- Clearly define data security requirements and expectations during the RFP phase
- When selecting a provider, evaluate cybersecurity protocols and disaster response plans
- Define the parameters of provider audits (frequency, ad hoc, scheduled)
Outsourcing Compliance: Facts and Figures
With the right compliance partner, outsourcing all or part of an organization’s compliance efforts can be an effective approach to mitigating risk, prioritizing value-driven business functions, and conserving valuable company resources. According to Deloitte’s 2016 Global Outsourcing Survey, 57% of organizations chose to outsource because it allowed them to focus on vital core business processes, and 59% relied on it as a cost-savings tool. 75% of respondents felt confident in their outsourced provider’s legal and regulatory capabilities.
- 57% of organizations: choose to outsource because it allows them to focus on vital core business processes
- 75% of respondents: feel confident in their outsource provider’s legal and regulatory capabilities
- 59% of organizations: rely on outsourcing as a cost-savings tool
When it comes to choosing an outsourced compliance team, evaluating its qualifications is a critical step towards a successful partnership. And it is important to note the difference in legal education and bar exam requirements in different locations when deciding between compliance service partners.
Baer Reed: Corporate Compliance as a Service Solution
When providing compliance as a service, the right compliance outsourcing partner will offer advanced industry knowledge and expertise, a tested and tailored compliance framework, cost-effective scalable processes, and global reach. Because the costs of staying abreast of the latest compliance and regulatory requirements are distributed across the client base, compliance outsource providers can address the needs of in-house compliance teams with budget-friendly, value-driven compliance strategies that free up company resources and allow compliance teams to refocus on important core business functions.
Baer Reed is a leading offshore compliance provider for law firms and corporations. Our company and its systems are built from the ground up to assist global organizations in establishing and maintaining corporate compliance in the face of an increasingly complex regulatory landscape. For more information on how Baer Reed can help your compliance team conserve valuable resources while maintaining compliance to the strictest standards, contact us for a consultation.