Now May Be Best of Times, Worst of Times for Compliance


By Yin Wilczek

Jan. 27 — While the burgeoning of regulatory actions worldwide may be a nightmare for compliance professionals, it also may make it easier now to justify why compliance programs should receive more funding and attention, Gibson Dunn & Crutcher LLP attorneys said Jan. 27.

In a compliance webcast, the attorneys noted that U.S. regulators—including the Securities and Exchange Commission, the Justice Department and the Commodity Futures Trading Commission—imposed $17.3 billion in sanctions and remedies in 2014.

Compliance officers should bring the fines to the attention of their senior managers and boards and say, “here's why we need” more money, more training and more drills, said F. Joseph Warin, a partner in Gibson Dunn's Washington office. “Here's why we need to have everybody sipping from the compliance cup, because otherwise we're going to find ourselves with these Herculean sanctions after us.”

To get employees' attention, compliance officers also should point to how the DOJ is targeting individuals, said Scott Hammond, also a partner in the firm's Washington office. Hammond noted, for example, that 29 Japanese nationals are serving time in U.S. prisons as a result of ongoing investigations of auto parts suppliers.

Hammond also noted that 2014 marks the first extradition of a foreign national for an antitrust violation. In April, Italian businessman Romano Pisciotti was extradited to the U.S. where he currently is serving a two-year sentence for participating in a bid-rigging conspiracy in the sale of marine hoses. 

“So you should not have trouble getting the attention” of not just your U.S. employees, but also those abroad, given the “long arm of the Justice Department,” Hammond said.

Many Areas 

The significant regulatory activity and ballooning sanctions are occurring in many areas, including antitrust, the Foreign Corrupt Practices Act, U.S. trade sanctions, the False Claims Act, anti-money laundering and the Financial Institutions Reform, Recovery and Enforcement Act. Among other notable events in 2014:

• Alstom SA agreed to pay a record $772 million to settle DOJ bribery charges, the highest ever paid to the department under the FCPA.

• Bank of America Corp. agreed to pay a record $16.65 billion—the largest civil settlement involving a single firm—to resolve federal and state actions alleging misrepresentations in the sale of residential mortgage-backed securities. As part of the resolution, the bank also agreed to pay a record $5 billion penalty under FIRREA, which is the largest penalty under the statute to date.

• The DOJ recovered $5.69 billion from FCA settlements and judgments in fiscal year 2014, which is a new record under the statute.

• The SEC awarded more than $30 million to a foreign whistle-blower, the largest reward to date under its bounty program.

• The DOJ's Antitrust Division collected $1.861 billion in penalties in FY 2014, which is one of the largest annual collections for the division.


In the antitrust arena, Hammond observed that the amounts collected by the DOJ make up only a small fraction—about 10 to 20 percent—of what companies caught up in cartel investigations will pay around the world.

“It’s quite often going to be the case that whatever fine you pay to the Justice Department for cartel activity, you’re going to be writing a bigger check to the private plaintiffs,” whether through follow-on class actions, or damage actions from direct or indirect purchasers, he said. Moreover, in investigations such as those involving auto parts suppliers, there are “at least a dozen different jurisdictions around the world that are investigating the same conduct and have every intention to impose sanctions involving essentially the same conduct,” he said.

In cartel cases, European Union fines are even higher than the DOJ's, Hammond continued. He added that if he were a chief compliance officer, what would keep him awake at night is “knowing that there are all these jurisdictions around the world that are developing new laws with greater sanctions” that they will impose “with great vigor.”

What is even worse is that “in many of those jurisdictions, the local business culture is not keeping pace with the changes in the laws,” he said. Accordingly, U.S. companies with subsidiaries and branches around the world not only have to develop a global code of conduct, but also must ensure that worldwide employees are complying with their local laws.

Cyber Threats 

In other discussions, the Gibson Dunn attorneys noted that cybersecurity has become a pressing reality for companies.

“It's not a question of if you're going to be attacked, it's a question of when you're going to be attacked and how significant the attack is going to be,” said Lori Zyskowski, a partner in Gibson Dunn's New York office. “It's really probably the most important risk oversight priority these days, and it's also a regulatory priority.”

The key to being prepared for a cyber incident is that boards and senior management must focus on the corporation's “mission-critical crown jewel” cyber assets, Zyskowski said. They need to be “aware of what those assets are” and how the company will protect them.

Among other recommendations, Zyskowski said it is important to ensure cyber risk oversight is the function of the full board rather than a committee. The board also must understand the framework for how the company will deal with cyber risks.

Moreover, the company should think about “establishing a threshold at which any cyber incident would be immediately reported to the board committee responsible for oversight,” she said.

The Gibson Dunn attorneys also spoke about emerging issues. These include bitcoin and the SEC's increasing use of its administrative forum.

Warin noted that companies should be thinking about bitcoin. Although bitcoin is new, developments involving it are “moving very, very quickly,” he noted. At the same time, regulators—including the SEC and the Federal Reserve Board—are paying attention to the virtual currency. Warin predicted that in the next 12 months, corporations will ask their compliance professionals whether there are protections around the use of the currency.

Richard Grime, a partner in Gibson Dunn's Washington office, also warned that corporations must be prepared for the SEC bringing more and more contested enforcement actions in its administrative venue. There are procedural differences between how SEC actions are handled by federal courts and in its administrative forum, such as the availability and scope of discovery, he said. “You want to be thinking about that during the course of your investigations, about how you are essentially going to defend yourself” in a forum with limited discovery.

Warin also noted that in terms of emerging areas, the International Organization for Standardization is developing a new voluntary standard for anti-bribery management: ISO 37001.

The template likely will be available in 2016 and may take hold so that companies will want their suppliers and third-party agents to have it. Yet to be answered is who will be the certifying body, he said. In any case, compliance officers should “be aware of it and track” the new standard's development.

What About Compliance Programs?

Meanwhile, what should compliance programs look like? One point to note is that regulators don't just expect companies to have a program—they now want assurance that companies are assessing their programs and ensuring they are effective, the attorneys said.

A constant theme from regulators is that they want to know how companies are measuring their programs and ensuring they are “cascading down into the workforce,” and that employees are living the “values articulated” in the programs, Warin said.

Grime also noted that what metrics the company uses to measure its program's effectiveness is not as important as why it used the metrics in the first place. “My sense is that the government is not really that focused on who you used or what you used, it's why you used it,” he said. Companies probably will use many metrics and “it's going to be an organic process of figuring out which ones” work for the organization, he said.

Zyskowski also urged companies to make sure employees get the message. While the tone at the top is important, “the key is really to make compliance easy to understand and yet hard to ignore,” she said. “It's essential to create a culture of compliance so that every employee sees himself or herself as the steward of the company's reputation.”

Companies also must make the message consistent and make the concepts easy to understand, Zyskowski said. “The simpler the concepts are the more likely people are going to understand it and remember it so that when they’re in a difficult situation, they’re going to be able to make the right decision.”

To contact the reporter on this story: Yin Wilczek in Washington at

To contact the editor responsible for this story: Ryan Tuck at

