www.riskandcompliancemagazine.com

APR-JUN 2019

Risk & Compliance

Inside this issue:

FEATURE

IT disaster recovery planning

EXPERT FORUM

Risk, culture and ethics assessments to stress test compliance programmes

HOT TOPIC

Impact of CFIUS reforms for PE houses


CONTENTS

FOREWORD

FEATURE: IT disaster recovery planning

FEATURE: Analysing and improving internal investigations

EDITORIAL PARTNERS

EXPERT FORUM: Risk, culture and ethics assessments to stress test compliance programmes (The Ethics & Compliance Initiative; A.P. Moeller-Maersk; Novartis International AG; Zinser, Esponda y Gomez Mont, Abogados)

PERSPECTIVES: Crisis and the protective power of trust (Edelman Intelligence)

MINI-ROUNDTABLE: Advanced technology for compliance (FTI Consulting)

ONE-ON-ONE INTERVIEW: Compliance risks and considerations for family offices (Acuris Risk Intelligence)

MINI-ROUNDTABLE: Managing trade compliance screening (Nasdaq)

PERSPECTIVES: Data privacy and the IS auditor (ISACA Pune Chapter)

ONE-ON-ONE INTERVIEW: Building a sustainable programme around data privacy (SAI Global)

MINI-ROUNDTABLE: Asset-liability management (ALM) in the concept of stress testing (SAS)

MINI-ROUNDTABLE: Insurers – preparing for IFRS 17 (KPMG; SAS)

MINI-ROUNDTABLE: Segmentation and AI in AML alerts (Navigant)

PERSPECTIVES: Ensuring the future of audit (ICSA: The Governance Institute)

MINI-ROUNDTABLE: Audit committee disclosures (Crowe Global)

PERSPECTIVES: General counsel has quickly become the vigilant sentinel of reputation risk and the corporate conscience (Edelman)

ONE-ON-ONE INTERVIEW: CCOs: managing responsibilities and liability risks (Zinser, Esponda y Gomez Mont, Abogados)

PERSPECTIVES: You may never be free of liability from old conduct, if the SEC has its way (Jenner & Block LLP)

PERSPECTIVES: Role of risk culture in effective implementation of risk governance (Indian School of Business (ISB))

MINI-ROUNDTABLE: Automated third-party risk assessment (KPMG)

PERSPECTIVES: Protecting the crown jewels: a guide to safeguarding trade secrets and confidential business information (Fisher Phillips)

PERSPECTIVES: Compliance with the evolving US sanctions and export control laws (Venable LLP)

PERSPECTIVES: A wave of export regulation to hit US technologies (Sheppard, Mullin, Richter & Hampton)

PERSPECTIVES: Artificial intelligence and competition (Clifford Chance)

ONE-ON-ONE INTERVIEW: Compliance considerations for marijuana businesses (Acuris Risk Intelligence)

PERSPECTIVES: The shortage of fuels in Mexico – managing crisis and compliance (ScottHulse PC)

HOT TOPIC: Impact of CFIUS reforms for PE houses (Dechert LLP; Mayer Brown LLP; Skadden, Arps, Slate, Meagher & Flom LLP)

Editor: Mark Williams
Associate Editor: Fraser Tennant
Associate Editor: Richard Summerfield
Publisher: Peter Livingstone
Publisher: James Spavin
Production: Mark Truman
Design: Karen Watkins

Risk & Compliance is published by Financier Worldwide Ltd, 23rd Floor, Alpha Tower, Suffolk Street, Queensway, Birmingham B1 1TT, United Kingdom. Tel: +44 (0)845 345 0456. Email: riskandcompliance@financierworldwide.com. Web: www.riskandcompliancemagazine.com

ISSN: 2056-8975 © 2019 FINANCIER WORLDWIDE LTD. All rights reserved. No part of this publication may be copied, reproduced, transmitted or held in a retrievable system without the written permission of the publishers. Whilst every effort is made to ensure the accuracy of all material published in Financier Worldwide, the publishers accept no responsibility for any errors or omissions, nor for any claims made as a result of such errors or omissions. Views expressed by contributors are not necessarily those of the publishers. Any statements expressed by professionals in this publication are understood to be general opinions and should not be relied upon as legal or financial advice. Opinions expressed herein do not necessarily represent the views of the author’s firms or clients. Financier Worldwide reserves full rights of international use of all published materials and all material is protected by copyright. Financier Worldwide retains the right to reprint any or all editorial material for promotional or nonprofit use, with credit given.

FOREWORD

Welcome to the twenty-sixth issue of Risk & Compliance, an e-magazine dedicated to the latest developments in corporate risk management and regulatory compliance. Published quarterly by Financier Worldwide, Risk & Compliance draws on the experience and expertise of leading experts in the field to deliver insight on the myriad risks facing global companies, the insurance solutions available to mitigate them, and the in-house processes and controls companies must adopt to manage them.

In this issue we present features on IT disaster recovery planning and on improving internal investigations. We also look at: stress testing compliance programmes; advanced technology for compliance; compliance risks for family offices; trade compliance screening; sustainable programmes for data privacy; asset-liability management (ALM); preparing for IFRS 17; segmentation and AI in AML alerts; audit committee disclosures; responsibilities and liability risks for CCOs; automated third-party risk assessment; compliance considerations for marijuana businesses; the impact of CFIUS reforms on PE houses; and more.

Thanks go to our esteemed editorial partners for their valued contribution: Acuris Risk Intelligence; Crowe; Edelman; FTI Consulting; KPMG; Nasdaq; Navigant Consulting; SAI Global; SAS; Zinser, Esponda and Gómez Mont; ICSA: The Governance Institute; and ISACA.

– Editor

FEATURE

IT DISASTER RECOVERY PLANNING

BY RICHARD SUMMERFIELD

When a company suffers an outage that takes down essential systems, including IT, the importance of disaster recovery planning becomes immediately apparent. Disaster recovery can help companies get vital systems back up and running and reduce the financial and reputational cost of any downtime experienced. A successful plan will have realistic and attainable objectives based on the business’s needs. This requires meticulous preparation, from undergoing a business impact analysis, to understanding and quantifying the company’s risks, to classifying and prioritising data for recoverability.

Although, according to the Allianz ‘Risk Barometer: Top Business Risks for 2018’ survey, 42 percent of companies of all sizes named business interruption as the most important risk they faced, a large number are insufficiently prepared for an outage and thus may suffer the consequences.

However, as IT becomes more integral to protecting business value, attitudes will need to change. Retaining and attracting customers following a poorly-handled outage can be very difficult, especially if trust has been lost.

Planning for the future, learning from the past

While it is impossible for companies to prepare for every potential threat, they can put adequate response mechanisms in place. IT disaster recovery plans must be drawn up within overall business continuity plans, and companies must understand their priorities and recovery times. These objectives should be set out during the business impact analysis. Strategies should be developed to restore the hardware, applications and data necessary to achieve business recovery.

IT disaster recovery planning has quickly ascended the corporate agenda. This is partly due to the increasing sophistication of cyber criminals and the frequency of their attacks. According to SonicWall, the number of cyber attacks across the world rose by 18 percent year on year in 2017. In addition, natural disasters appear to be more common. According to the Centre for Research on the Epidemiology of Disasters, the number of flood and storm catastrophes has risen by 7.4 percent annually in recent decades. Other risk factors, such as human error or terrorist attacks, are further cause for concern. Companies must consider the complete spectrum of ‘potential interrupters’ when recovery planning.

The financial case is compelling. According to Gartner, the average cost of IT downtime is $5600 per minute, or more than $300,000 per hour. For large organisations, that hourly cost can exceed $500,000. Furthermore, according to AppDynamics, in 2017 organisations were losing an average of $100,000 for every hour of downtime on their websites. When one considers the impact of some disasters – Hurricane Rita in 2005 caused 384 hours of outages and Hurricane Sandy in 2012 caused 337 hours of outages, for example – companies cannot afford to neglect recovery plans.

Companies must prepare their employees for the worst, as well as members of their supply chain. “Contingency planning and training should be part of the day-to-day priorities of a business,” says Mark Adair, a partner at Mason Hayes & Curran. “From a legal perspective, it is important that the disaster recovery and business continuity roles and obligations on the customer and supplier are described with clarity in the services contract. Some of the most important initial considerations are how the contract defines what constitutes a ‘disaster’ and what functional areas of the organisation the disaster recovery or business continuity plan is stated as applying to. Good planning should apply to everything from a disaster that wipes out an entire data centre, right down to the unavailability of a single server.”

Part of drawing up a sound disaster recovery plan is learning from failures. Mistakes can compromise the recovery process and cost millions. Lengthy and embarrassing IT outages can offer important lessons. “A good take away point from major system failures, such as the one that crippled British Airways in 2017, is that having recovery systems which are purely a tick-box capability, rather than ensuring that recovery systems have been thoroughly tested, is very much a false economy,” says Chris Bates, a partner at Ashurst. “That being said, much time and expense can be saved where disaster recovery is automated, thereby ensuring that the disaster recovery procedures activate automatically in the event of a failure, minimising impact,” he explains.

Asset prioritisation and recovery

Prior to an outage, companies must consider how they are going to protect and recover vital assets. If they do not have a detailed inventory of IT assets – both tangible and intangible – creating one is the first step.

The next is to back up data. Disaster Recovery as a Service (DRaaS) solutions provide access to virtual backups and infrastructure in the cloud in the event of a disaster. Many companies are also utilising hybrid cloud strategies to provide additional security measures. Rather than storing all key data on-premises or with a cloud provider only, a hybrid strategy can be a simple and affordable alternative.

The efficiencies and scale of cloud infrastructure have changed disaster recovery. “Many enterprises now have the cloud, and cloud providers, at the heart of their disaster recovery plans,” explains Matthew Bennett, a partner at CMS. “More interestingly, as more production systems are being hosted in the cloud, disaster recovery is becoming baked into enterprise IT architecture rather than being a component on the side.”

Asset management and the approach companies take to it can determine the success of a disaster recovery process. “Assets to be prioritised in disaster recovery planning will depend largely on the nature of the business and what assets are critical to the functioning of that business,” says Mr Bates. “A risk-based approach to prioritisation on a case-by-case basis is clearly the most sensible way to assess this, however, generally speaking, the key assets will be those with direct customer interaction or those which are core to the execution of a service offering.”

Importance of insurance solutions

As part of their disaster recovery preparations, many companies are arranging business interruption insurance. “This can be a helpful way to help mitigate the damage an incident causes and may fill certain gaps,” says Mr Adair. Insurance can act as a financial catalyst to help get organisations back up and running. The policy should consider the different types of disaster which may befall a company, and provide coverage for each. Regular reviews of the asset inventory are needed to ensure those assets get the right protection.

“Business interruption insurance covers a business’ net income and the normal expenses in the restoration period following a disaster,” explains Mr Bates. “IT is critical to the operations of most businesses today and therefore any IT failures that affect the functioning of the business will need to be covered by insurance. However, such insurance will not typically cover customer liability issues, so ensuring the priority of systems required for service continuity is key. Due to the increasing risk of cyber attack, business interruption insurance as a subset of a portfolio of cyber insurances has evolved significantly over recent years. Businesses now must clearly identify and understand high impact cyber business interruption scenarios in order to secure the appropriate cover for these situations.”

However, insurance is just one element of disaster recovery and does not replace risk assessment, planning and training.

Regulatory developments

Regulatory developments are also influencing disaster recovery planning. The European Union’s (EU’s) General Data Protection Regulation (GDPR) is having a profound impact. Given the financial penalties companies may face under GDPR, recovery plans must be compliant. Companies need to demonstrate that the security, availability, recovery and testing of their IT systems are of an adequate standard to ensure timely and effective recovery without risk to the confidentiality and integrity of a consumer’s personal information. Failure to do so could have serious financial and reputational consequences.

“The GDPR applies to both primary systems and recovery and backup systems,” notes Mr Adair. “Companies must look at the type of data they are backing up. If dealing with any personal data, which is broadly defined, special care must be taken. Under the GDPR, organisations have to ensure the ongoing integrity, availability and resilience of systems and be able to restore the availability and access to personal data in the event of a physical or technical incident. For EU organisations, if a vendor is storing backups containing personal data on a server located outside the European Economic Area, the parties may fall foul of regulators in the absence of completing the necessary GDPR paperwork.”

Disaster recovery planners should also consider the impact of the new EU Network and Information Systems Directive (NIS Directive), which requires operators of essential services, such as critical infrastructure, and digital service providers to take appropriate measures to prevent and minimise the impact of incidents so as to ensure continuity of their operations.

These regulatory changes are indicative of the future of IT disaster recovery. Technological advances will also reshape the process in the coming years, much as managed services and cloud-based recovery products have already improved resilience and response processes.

Test, test, test

Going forward, companies will make mistakes with disaster recovery. Whether it is making the wrong decision at the wrong time, failing to test recovery processes or ignoring disaster recovery solutions entirely, companies will be susceptible to costly and embarrassing outages. The design of a disaster recovery plan can mitigate such failures, but only if it has been put through its paces. “Testing needs to encompass technical systems and enterprise rehearsal,” says Mr Bates. “The involvement of employees is crucial and this needs to be from all parts of the enterprise, not just IT. Rehearsals should try to emulate previously untested threats, as well as the more obvious scenarios. There could always be unexpected events and it will be how the people in an organisation react and work together in the face of that which will determine success,” he adds.

Members of the C-suite must also embrace the need to change with the times. This will require sufficient, managed investment in disaster recovery planning and preparation to overcome disasters, both natural and man-made.

FEATURE

ANALYSING AND IMPROVING INTERNAL INVESTIGATIONS

BY FRASER TENNANT

An investigation should never be initiated on a whim. But in a scenario where an allegation of wrongdoing has been made, a company needs to launch an investigation as swiftly as possible, with an internal inquiry often the first port of call.

Once an internal investigation is underway – perhaps as a result of allegations of bribery, sabotage, embezzlement, tax fraud, insider trading, antitrust collusion, workplace assault, environmental crimes, audit and accounting fraud or conflicts of interest – how it is conducted is of paramount importance, given there is always the potential for it to become an expensive and time-consuming endeavour.

To help ensure careful and discreet handling, appropriate investigatory models are required to coordinate those involved in an investigation, such as employees, internal counsel and forensic accountants, so that a speedy and satisfactory conclusion can be reached. Moreover, depending on the gravity of the allegation, the stakes may be high, so an investigation needs to be streamlined in order to reduce disruption to operations.

“Companies launch internal investigations for a number of reasons, but rarely is it due to a single event, unless identified as being so serious as to suggest a systemic failing that would be uncovered by an investigation,” explains Craig Weston, a senior associate barrister at Irwin Mitchell LLP. “Investigations are launched into subject matter across the breadth of a business, from regulatory breaches to employment matters to payment and invoicing anomalies and allegations of criminal conduct.

“A common trigger for an internal investigation is a confidential report to a whistleblowing hotline, the use of which is often written into company policies such as modern slavery, bribery, harassment at work, and health and safety policies,” he continues. “Companies usually investigate to ascertain and mitigate their own liability. In recent years, we have seen an increase in three particular areas of investigation: sexual harassment, in no small part due to the #MeToo movement, bribery and corruption, and financial regulatory.”

In the view of Franziska Janorschke, global head of the SpeakUp Office at Novartis, the primary purpose of an internal investigation is to gather facts so that a company can determine the pervasiveness of the situation, the root cause of the issue and what steps the company can take to prevent similar cases in future. “A proper and successful internal investigation also allows a company to assess its systems and controls, and to develop an appropriate approach to measure and address any deficiencies,” she says. “Thoughtful and diligent fact-finding during the early steps of an investigation may show that those suspected of misconduct are not involved in any wrongdoing. This can save you time and valuable resources and at the same time protect an employee’s reputation.”

Models and priorities

An appropriate investigatory model needs to be selected between the decision to investigate and the investigation physically getting underway. That choice is driven by a number of factors, including the availability and capacity of suitably trained investigators, the precise nature of the issue, ease of evidence retrieval, jurisdictional legal requirements, and whether the allegation involves senior management, such as board members. Also a significant influence on the choice of model is the extent to which a speedy resolution is required.

In the experience of Melissa S. Geller, a partner at Duane Morris LLP, it is the investigation priorities which control the investigation model. “An investigation prompted by a subpoena may prioritise document collection and review, whereas one raised internally may prioritise secrecy,” she says. “Too often, priorities are unspoken or glossed over, resulting in miscommunication and misalignment. An early discussion that sets the company’s priorities ensures a solid foundation for good communication and an orderly investigation. It also creates a semi-formal understanding that encourages further conversation should priorities shift as an investigation evolves.”

According to Mr Weston, jurisdiction is another key factor in how an investigation is conducted. “Jurisdictional law, which is likely to cover the conduct, bears heavily on how to investigate,” he explains. “For example, if it is an employment matter, a company may want to conduct interviews with employees in a way that an employment tribunal can relate or would expect. If it is a bribery and corruption investigation, an investigation is likely to be conducted in a much more robust way.

“If the conduct occurred in a foreign jurisdiction, a company will want to ensure that the way in which the investigation is conducted is legal in that jurisdiction, and that the way evidence is gathered would be admissible in any litigious proceedings in that jurisdiction,” he continues. “A particular issue in recent years has been the difference in approach to privilege between the US and the UK. As such, many multinational companies have to decide where to run the investigation from and whether to include US lawyers, for example, to ensure protection over privileged material from a US perspective.”

Pitfalls

Avoiding the pitfalls that accompany an internal investigation – such as inadequate investigation planning, a lack of documenting and preserving of evidence, unrealistic timelines, insufficient understanding of evidence collection limits, and an over-reliance on information provided by an alleger and witnesses – is essential, especially when airing a company’s dirty laundry, even internally, can have a severe impact on its reputation and standing.

“One pitfall of internal investigations is ‘mission creep’,” says Ms Geller. “In today’s market, almost every investigation involves large amounts of documents, along with witness interviews, experts where necessary and, in some cases, government involvement. It can therefore be easy to lose sight of the central objective. A company launching an investigation should have clear goals and objectives developed in consultation with the company’s lawyers at the beginning of the investigation. If an investigation expands into another area, it should be done deliberately, after a full and complete analysis and in a controlled manner.”

In Mr Weston’s experience, companies often investigate without proper scoping and planning. “A good investigation should start with a considered and well-thought-out plan, which includes setting up a small investigation team and empowering them to seek and receive legal advice by way of a board resolution,” he explains. “A company should give the investigation a project name, define the scope of the investigation, create an email group for the project team, consider the instruction of external legal advisers, and communicate to all team members that the matter under investigation is to remain confidential and not be discussed outside the project team. Also, it is important to preserve evidence and ensure that no key documents are destroyed.”

Another pitfall that investigators must avoid is a failure to maintain an audit trail during an investigation, i.e., the decisions taken, the reasons for those decisions, and the documents and evidence upon which decisions were based. “A robust audit trail helps investigators engage meaningfully with regulators,” affirms Mr Weston. “Also, regulators and prosecutors have come to expect such audit trails and may criticise an investigation or treat it as a separate failing if such a trail is not present.”

Coordinating parties

With multiple parties potentially involved in an investigation – including the alleger, the accused, witnesses, senior management, external advisers, regulators, as well as the investigation team itself – coordinating their contributions is a major challenge, which requires a systematic approach.

David Herring, head of global security at Novartis, believes such an approach should be coordinated by an experienced investigative lead, with dedicated support from a team of multi-skilled and diverse investigators. “Having an internal investigative team or capability to conduct internal investigations enables company management and directors to diligently fulfil their duties and responsibilities and satisfy regulatory expectations,” he asserts.

Similarly convinced as to the merits of a small, dedicated team of investigators is Mr Weston. “A company should use a small project team to coordinate all of the various parties, from their instruction to receiving the advice and work product, and its wider dissemination, if appropriate,” he suggests. “A project diary should also be kept with access restricted to those identified as project team members. If external lawyers are being used, I would recommend that they coordinate external experts, as it may help a claim of privilege over the work product and communication and, similarly, when conducting interviews with witnesses.

“We would also encourage thinking carefully about the timeline and order of the witnesses and experts you engage with,” he continues. “For example, does your expert need material from witnesses that you have not interviewed yet, or would you like to put information material to one witness that you can only get from another? Alternatively, do you want to interview more junior people first and then more senior people later?”

Ultimate successSo, when the dust settles, how should a company

measure the merits of its investigatory efforts?

Ultimately, what factors determine whether an

internal investigation has been successful?

“A successful internal investigation reaches an

answer, without alienating or panicking employees

or causing some other harm to a company,” believes

Ms Geller. “Internal investigations are usually

highly confidential and the timing of disclosure

to witnesses carefully controlled. But, people

increasingly communicate outside of email, using

text messages, social media and other platforms.

Often, the employee, not the company, controls

access to this data. Access to employee-held data

and employee privacy are key areas where the field

will evolve and continue to change over the next few

years. Therefore, all companies should have policies

about use of technology for company business that

addresses employee privacy.”

For his part, Mr Weston believes the coming years

will likely see an increase in the number of internal

investigations. “Companies will attempt to use an

internal investigation as a way of demonstrating they

are taking positive action, to placate employees or

to demonstrate cooperation and engagement with

a regulatory or criminal process. They also provide

an opportunity to companies to understand their

potential liabilities before they reach the point of

having to self-report or being outed by journalists,”

he adds.

In virtually any sphere, success can be a difficult

metric to measure. As far as an internal investigation

is concerned, the definition of success for one

company is different to another and very much

depends on the nature of the conduct being

investigated. That said, a successful internal

investigation is generally one that robustly identifies

unethical, illegal or unwanted conduct and prevents

it from ever happening again. RC&



EXPERT FORUM


RISK, CULTURE AND ETHICS ASSESSMENTS TO STRESS TEST COMPLIANCE PROGRAMMES


PANEL EXPERTS

Patricia J. Harned is chief executive officer of the Ethics & Compliance Initiative (ECI), America’s oldest non-profit in the ethics & compliance industry. ECI empowers organisations to build and sustain high-quality ethics & compliance programmes (HQPs). ECI is a research and membership organisation comprised by institutions across every sector, and each member organisation is dedicated to promoting the highest levels of integrity in their operations.

Alexander Ghazvinian is the chief compliance officer at A.P. Moeller-Maersk. He is experienced in designing and implementing ethics and compliance programmes and he specialises in anti-bribery compliance, competition law, export compliance and data protection. He has implemented compliance programmes in several companies and jurisdictions. He has led major multinational investigations and interacted with several regulators. He has special experience and knowledge of US Foreign Corrupt Practices Act (FCPA) and UK Bribery Act compliance related topics.

Klaus Moosmayer is chief ethics, risk and compliance officer and a member of the executive committee at Novartis. Mr Moosmayer previously was chief compliance officer of Siemens AG. He is chair of the Anti-Corruption Committee of the Business and Industry Advisory Committee at the Organization for Economic Co-operation and Development (OECD), co-founder and chair of the European Chief Compliance and Integrity Officers’ Forum, former co-chair of the B20 Integrity & Compliance Task Force under the G20 presidency of Argentina and former chair of the task force under the G20 presidency of Germany.

Alejandro Hernández Oseguera is a partner at Zinser, Esponda y Gomez Mont, Abogados. Having begun his career as an intern at Zinser in 2003, he is now a specialist in criminal proceedings, in local and federal matters, related to fiscal offences, financial crimes, crimes in the securities market, crimes in corporate matters and environmental offences, among others. He has also given his advice on various financial restructuring matters.

Alberto Zinser Cieslik specialises in complex white-collar crime investigations and criminal proceedings in both local and federal jurisdictions, and has had extensive experience in highly complex local and cross-border litigation. He has participated in multiple international extradition and mutual legal assistance treaty (MLAT) proceedings between Mexico and the US, Switzerland, France and Australia, among others. He has a Masters degree in Corporate Law, and has been a lecturer on Masters degree programmes and post graduate legal studies since 1998.

Patricia Harned, Chief Executive Officer, The Ethics & Compliance Initiative. T: +1 (571) 480 4426. E: [email protected]

Alexander Ghazvinian, Chief Compliance Officer, A.P. Moeller-Maersk. T: +45 33 63 33 63. E: [email protected]

Dr Klaus Moosmayer, Chief Ethics, Risk and Compliance Officer, Novartis International AG. T: +41 61 32 42247. E: [email protected]

Alejandro Hernández Oseguera, Partner, Zinser, Esponda y Gomez Mont, Abogados. T: +52 55 5202 8610. E: [email protected]

Alberto Zinser Cieslik, Founding Partner, Zinser, Esponda y Gómez Mont, Abogados. T: +52 55 5202 8610. E: [email protected]


R&C: In today’s regulatory environment, why is it important for companies to stress test their compliance programmes? How often should they do this?

Harned: It is important for compliance professionals to ensure that their company has met regulatory expectation, so as to avoid the negative consequences that come from non-compliance. Regulators around the world are becoming more sophisticated in their evaluation of compliance programme effectiveness, so their standards remain a critical area of focus for a programme. That said, today’s regulatory environment is just one of several reasons why companies should stress test their compliance programme. We live in a world of fast-paced sharing of public opinion. A single misstep by a company can become global news in a short period of time. Additionally, as millennials rapidly grow as a population in the workforce, communicating organisational standards and also meeting their expectations of transparency and trust will be equally important. Every programme should be assessed and measured. Measurement toward a standard allows an organisation to evaluate its efforts, review its budget allocations and make judgments about its programme. The frequency depends on the pace of change the organisation faces. As a rule of thumb, a programme should be assessed every two years. But an organisation with recent M&A history, multinational operations, history of misconduct, and so on, should do its assessment more frequently.

Moosmayer: To achieve sustainable and ongoing verification of a compliance programme’s adequacy and effectiveness, there should be a clear internal audit plan in place based on solid risk assessments. Digitalisation, in today’s corporate world, provides a platform for much better monitoring of compliance and control activities. External validation or certification of a compliance programme would also qualify as a ‘stress test’, but this should be in addition to internal efforts. From a timing perspective, a modern and digital monitoring system should allow for an ongoing check for red flags, audit plans should annually focus on deep dives, and comprehensive external assessments realistically could be conducted only every three years at maximum.

Hernández: By their very nature, compliance programmes must be able to adapt to reality. For a company to implement a compliance programme tailored to suit its needs, its activities and the social context in which it operates, it must establish a mechanism, within its own programme, that will allow it to constantly stress test the effectiveness of its policies. The very dynamics of the compliance programme must include constant reviewing of the programme by a ‘good practices’ committee. One of the contributions of German doctrine to compliance programmes is the concept of ‘duty of vigilance’, understood not only as a benchmark for monitoring actions that are carried out in the context of business, but also as a duty to stress test compliance programmes by constantly reviewing the measures taken to prevent and eradicate corrupt practices. This is especially relevant in legislative contexts such as the Mexican one, in which, stemming from the gaps which still exist in compliance regulations, due to their recent incorporation, not only must companies comply with the requirement to implement a compliance programme, but the compliance programmes that are implemented must be sufficiently solid and effective to pass a final review by the judicial authorities. It is the duty of the judicial authorities to eventually determine whether the compliance programme is adequate enough to prevent its employees or officers from committing criminal acts on the company’s behalf, for the company’s benefit or for their own personal advantage. For this reason, companies adopting compliance programmes must establish a committee charged with constantly stress testing and improving their programmes, at all times considering the company’s needs, its activities and the context in which the programmes are developed.

Zinser: If companies assume proper control of their compliance programmes and continually check their effectiveness, their risk of incurring criminal liability is significantly reduced. This is because they have put an ongoing prevention system in place, ensuring that they have all the necessary anti-money laundering (AML) controls in place, in accordance with the Mexican Federal Law for the Prevention and Identification of Operations with Resources of Illegal Origin, and all the requisite crime prevention systems, in accordance with the National Code for Criminal Procedures and the Prevention of Acts of Corruption, which form part of the new national anti-corruption system, consisting of several complementary laws that govern citizens, companies, organisations and public servants. The frequency with which companies should stress test their compliance programmes very much depends on how many employees they have and their corporate purposes, and on knowing when to carry out periodic reviews of the proper functioning of prevention controls. Nevertheless, they should be reviewed and tested every year, with this revision being carried out ahead of time if the company is changing its structure, corporate purposes or anything else that requires special oversight.

Ghazvinian: Stress testing compliance programmes is not a new requirement. For most regulators, it is known as testing of the adequacy and effectiveness of the compliance programme. As a compliance officer, you should ask yourself every day if your programme is ‘working’, or if something you have designed and implemented really works in a way you want it to. Re-evaluation is perhaps the most important part of any compliance programme and it must be done on an ongoing basis and based on a plan, but at different levels of intensity. If companies implement a new element in their compliance programme, it should be ‘stress tested’ frequently and intensively until the company is confident that it works as intended.

R&C: What measures and metrics might companies use to assess their risk, culture and ethics profile as it relates to compliance? What are the essential elements of a stress testing programme in this regard?

Moosmayer: Measures and metrics should derive from different sources to give a holistic view. Results from ongoing digital monitoring and control activities should be combined with the results of on-site monitoring visits, investigations and audits. Employee surveys and pulse checks have become well-established methods to measure the culture of a company. And last but not least, it is important to screen external sources in order to detect risks which may not yet be visible within the company. Having all this data is very important to assess the results against each other using modern dashboards instead of Excel files.

Hernández: The elements of a compliance programme entirely depend on the company’s main activities. From the point of view of corporate criminal responsibility, the essential components of a compliance programme and its evaluation are aimed at avoiding corporate criminal liability. In Mexico, as in other countries, the main purpose of compliance programmes is to avoid corporate criminal liability. Hence, each company must take decisive normative steps so that, in the event that its compliance programme comes to be tested before a judge, the latter is satisfied with the measures adopted.

Zinser: Companies must have an adequate organisational structure which can identify risks and mitigate them in accordance with the laws governing corporate criminal liability. In addition, depending on the company’s line of business, it can evaluate the effectiveness of different technologies for recording information provided to both the company and its staff. Companies must keep records of all complaints made on their complaint lines and must follow up on them until they are resolved. In other words, once periodic risk assessments have been carried out in sensitive operational areas, a risk assessment of the pertinent policy must be made to ensure that the oversight process does not expose the company. Also, it is essential that companies have a corporate compliance management system that enables them to prevent any crime from being committed on foreign soil, and thus allows them to avoid criminal liability due to lack of due organisational control, as well as reducing the risk of theft, fraud and other crimes.

Ghazvinian: If a company’s risk is related to corruption, competition, data protection or foreign trade controls, it will utilise a very different set of measures than it would for ethics and culture. Companies can assess many of their corruption risks with quantitative measures. Risk assessments should focus on quantitative measures such as revenue in a certain country or revenue with state-owned entities. In addition, introducing a qualitative component allows companies to get a status of the maturity of their risk assessment and assurance on certain elements. For ethics and culture, companies can utilise the employee survey and other tools, as it is much more subjective. Identifying risk factors and mitigating measures will outline the essential elements that require stress testing. If an interaction with a third party is a significant risk, it is obvious that effectiveness testing will be implemented. This could be a spot check, a periodic review of contracts and an in-depth review of those relationships, and assurance that all required measures are being implemented and are effective. This can be done by a company’s compliance team, but also by an external party.

Harned: There are several dimensions that an organisation should consider in assessing its profile from an ethics and compliance (E&C) perspective. One dimension pertains to the design and implementation of the programme. Have we identified objectives for the programme that are in alignment with the key compliance risks we face? How well are we accomplishing those objectives, and are we – in fact – actually reducing those risks? The second dimension of measurement pertains to the impact of the programme. Do our stated values and standards, and the resources we provide, actually impact employee conduct? Are we effectively holding people accountable if they overstep our standards? Our research found five principles that are common to high-quality E&C programmes (HQPs), which serve as worthy objectives and metrics for an E&C programme. First, ethics and compliance is central to business strategy. Second, ethics and compliance risks are identified, owned, managed and mitigated. Third, leaders at all levels across the organisation build and sustain a culture of integrity. Fourth, the organisation encourages, protects and values the reporting of concerns and suspected wrongdoing. Finally, the organisation takes action and holds itself accountable when wrongdoing occurs.

R&C: To what extent is technology being used to enhance the process of assessing risk, culture and ethics for compliance purposes?

Hernández: Mexico’s ongoing struggle against corruption has opened up the possibility of implementing blockchain technology for public tenders. Blockchain will make it possible for bureaucratic processes to be digital, transparent and permanently documented, thus strengthening anti-corruption mechanisms and facilitating their implementation. The same technology can also be used to regulate internal corporate processes. By deploying these mechanisms in order to achieve more effective internal controls, companies, particularly in the public sector, will become more competitive.

Zinser: The recent guidelines issued by the financial intelligence unit of the Mexican Ministry of Finance and Public Credit state that all individuals and companies are obliged to review their business processes in order to verify the obligations related to the correct identification of clients and users, the identification of the vulnerable activities listed in article 17 of the AML Law and the presentation of reports or notifications via the prevention of money laundering portal of the Mexican tax authority, which sets forth the provisions of the pertinent Mexican laws. Also, it is recommended that ethics codes and compliance information be disseminated to all employees, and this is usually done electronically. Furthermore, companies must keep records of all information relating to compliance, usually storing such data electronically.

Harned: The actual technological processes for capturing and analysing data are very mature. However, it has only been within the last three years that enterprise risk management (ERM) systems have included culture, workplace integrity and ethics. E&C lags even farther behind. For example, in a recent poll of our members, we found that 52 percent of E&C professionals believe that they are keeping pace with the technical solutions that are being developed to improve their programmes and bring efficiencies. Where technology is being used, E&C professionals say that it is primarily utilised for training and helpline support – 93 percent and 91 percent of practitioners respectively. Surprisingly, technology is being utilised for risk assessment by only 47 percent of respondents. Where companies are not able to leverage the solutions that are available today, the primary reason is budgetary constraints.

Ghazvinian: Technology will be the main driver of ‘Compliance 3.0’. For the moment, however, technology is merely useful, nothing more. Neither IT systems nor data itself are of sufficient quality today that you could use technology in a consistent manner.

Moosmayer: Companies possess an immense amount of data which needs to be utilised for a proper risk assessment. Although technical hurdles are still high – especially for companies with a diverse IT landscape – and there is always a budget challenge, data mining, data analytics and visualisation of the results are essential for a modern, holistic assessment. Behavioural science has also significantly developed and allows insights into ethical and cultural dilemma situations, but here companies still have a long way to go – and to respect, of course, the data privacy laws of their employees.

R&C: In your experience, what are some of the typical red flags that might signal lapses and shortcomings in relation to risk, culture and ethics?

Zinser: There are a number of red flags which might indicate that the company has shortcomings. For example, the company might not have identified the ‘vulnerable activities’, listed in Article 17 of the AML Law. The company might not have presented any report or notification about a ‘vulnerable activity’. It might have failed to appoint a compliance officer or instigate an ethics code. Equally, the company may have an ethics code, but might have failed to adequately inform its employees or third parties about it. A lack of commitment from company leadership can be extremely damaging. There must be an adequate ‘tone at the top’. If the company’s senior management is not totally committed, it will be impossible for the company to achieve a good organisational structure at all levels.

Ghazvinian: There are two different signals that a compliance officer can use to identify lapses and shortcomings in relation to risk, culture and ethics. The first signals can be identified by reviewing the results of the risk and ethics assessment. These risks are easy to mitigate. Focusing on them is important, but neglecting the second group will expose the organisation over time. The more important group of red flags are those companies identify by analysing the data and identifying correlations. Companies can have a set of risks that are low exposure if they are reviewed in isolation. But if those risks occur together in a particular combination, they might signal the lapses and shortcomings of the company’s ethical standards. The challenge is to identify the correlations. This requires a deep understanding of the organisation, good data and a strong mindset.

Moosmayer: In order to be able to draw adequate conclusions, a ‘risk radar’ needs several sources. Singular cases of misconduct may not necessarily qualify as evidence of systemic problems. But if you see in the same entity declining quality controls and the absence of a ‘speak up’ culture, those cases that do come to light may only be the tip of the iceberg. Also ‘white spots’ may turn into red flags if, in a risky environment, you have steadily increasing sales volume but no reports of potential problems at all, for example. So, it is always a combination of different indicators which should trigger the alert button.


Harned: Our research has shown that there are three primary metrics that serve as red flags of trouble ahead. The first is employee expression that they feel pressure to compromise organisational standards or the law, in order to do their jobs. The vast majority of individuals who feel pressure – 85 percent – also say that they have observed misconduct taking place around them. The second metric is employee reporting of suspected misconduct. We know that misconduct happens in every organisation; what matters is whether or not employees make management aware that problems are taking place. The third metric is the extent to which employees perceive that they will experience retaliation if they report suspected wrongdoing. When people believe that there will be ramifications for reporting, there is a silencing effect in the organisation. That leads to a significant and detrimental erosion of the organisational culture.

Hernández: A company that fails to appoint a chief compliance officer (CCO) will not be able to establish an orderly and documented procedure for carrying out its transactions. Moreover, if the CCO does not have the required autonomy and independence to effectively implement these procedures, the compliance will fail.

R&C: Following an assessment, how important is it for a company’s senior leaders to fully understand the results and respond accordingly?

Moosmayer: For senior leaders, it is much more than just understanding the process. Management is the true risk owner. It is therefore key to involve them fully in the stress test exercises and any follow-up remedial activities.

Harned: It is mission critical for senior leaders to understand the results of an assessment. Even more importantly, it is essential for them to communicate to employees what they learned and what they will do differently in order to address any areas of shortcoming. Failure to do so risks losing employee confidence in leadership. It also signals that assessments do not really make any difference to leadership. The bottom line is that it would be better for an organisation to not undertake an assessment at all than for a company to assess itself and then to do nothing about it. Response to the findings must be transparent and honest. Executives also have to ‘own their role’ in the E&C process. When executives and managers recognise their responsibility for shaping the conduct of the organisation, E&C becomes a part of the culture.


Hernández: Currently, all managers must be properly trained in, and updated on, good compliance-related practices, regardless of the area they operate in. Failing this, the compliance programme will be ineffective and, therefore, will not fulfil its purpose of preventing corruption, and the company adopting it should not expect to have a rosy future, particularly in public-sector markets, which will become increasingly demanding in this regard going forward.

Ghazvinian: It is crucial that a company’s senior management understands the results of any assessment. Management should understand those results as well as they understand all the other numbers. They do not need to understand all of the details per se, but they must understand the results, which are often based on the risk appetite defined by senior management, and therefore it has consequences for the daily business and the mid-term strategy, but also whether the company can pursue a certain type of business or not. On the other hand, it will help senior management to channel resources and focus their attention. In addition, and related to culture, it will help senior management to identify the right measures to start a change management process.

Zinser: It is very important for the company’s senior management to know how to identify and evaluate risks. Only in this way can the company mitigate those risks and implement or modify the controls or protocols that are necessary for due corporate control and the avoidance of criminal liability. The size of the company, its corporate purpose, the size of its workforce, its risks and its operation must be taken into account in order to implement suitable strategies. Senior management must ensure that lower level managers understand that they must have an adequate compliance programme in place, and that they must comply with all the legal requirements regarding crime prevention, money laundering and corruption.

R&C: What steps should firms take to ensure that strong governance and controls are in place for an effective compliance framework that functions as intended?

Ghazvinian: There are two steps firms should take to ensure that strong governance and controls are in place. First, they should have an open and honest discussion about the target of the compliance framework. What kind of governance and controls does the company want and what does the company want the framework to achieve? This relates to the identified risks, the culture and the business model of the company. Second, the company needs to have an open review, particularly if the framework has been implemented and how far it is in its process. This cannot be achieved overnight, but companies need to have a plan and an honest review.

Hernández: Corporate governance is very similar to the governance of a country. Risks must be constantly analysed, an internal control or compliance department must be set up, internal disciplinary controls must be implemented, as must internal and external audit procedures. Companies must also find effective ways and tools to communicate their values.

Harned: There are a number of industry control standards that outline effective compliance and governance – COSO, COBIT, ISO37000 and ISO27001, to name a few. The key to making these standards successful is understanding your organisational risk, applying the standards based on this risk profile, measuring performance using benchmarked key performance indicators, and creating a speak-up culture.

Zinser: It is essential, in the event of a compliance incident, to verify the error, to check whether a given standard is effective and to verify that risk assessments have been carried out and whether they are reflected in the compliance programmes. Also, it is necessary to ascertain how the programmes were transmitted within the organisation. This implies employee training aimed at making employees understand the importance of statistically analysing incidents and, above all, using the results of such analysis. The company must identify the controls which it has already put in place and have a compliance officer who can identify defects in these controls, along with the needs, effectiveness and functionality of the controls that have already been established. The business processes of the company, its organisational structure, its areas and the size of its workforce must also be identified in order to have a complete understanding of the organisation and the risks that it faces.


Moosmayer: The future of good governance and compliance in corporations is an integrated risk management system which combines the different risk workstreams in a company – including compliance – and also takes into account ethical considerations and risks. Compliance should lead this development, given its significant experience of how to create risk-based organisational models and processes across the three columns of ‘prevent, detect, respond’.

R&C: Looking ahead, do you expect more companies to actively stress test their compliance programmes? Are any innovations likely to enhance this process and produce even more insightful results?

Hernández: The Mexican press recently revealed that HSBC was involved in a criminal investigation, making it the first bank to face possible criminal charges in Mexico, and thus it is one of the first companies to have the validity and effective implementation of its compliance programme put to the test. Undoubtedly, the market is placing greater demands on companies to have an effective compliance programme, particularly in the public sector. Therefore, a company that wishes to survive in the long term and remain competitive must keep itself continually updated about innovations and mechanisms that will improve its compliance programme. It is no longer enough to simply have a compliance programme in place. In order to be effective, a company’s compliance programme must be constantly updated, and this can only be achieved through regular stress testing.

Harned: Businesses today are becoming more and more data driven, so it is reasonable to expect that stress testing of the compliance programme will increase. Even further, pressure will increase for E&C to demonstrate the return on investment of its efforts. Professionals should assume that collecting and truly understanding the data behind compliance programmes will be the only way for compliance programmes to be successful moving forward.

Zinser: The challenge for Mexico is to make companies aware that, once best practices and organisational tools have been implemented to eradicate corrupt practices and to identify irregularities, justice can be slow, tedious and often costly, but is worth all the effort in the end. On a national level, we are still learning, and more companies are seeing that it is possible to improve their controls and are drafting internal organisational manuals that comply with best international practice. Those companies that have the most effective risk standards relating to bribery, anti-corruption and money laundering are the ones with an international presence. Many large Mexican companies directly cooperate with US companies or are subsidiaries of them.


Moosmayer: Stress testing compliance is a trend which, more and more, will evolve into a standard expected by investors, analysts and society. The art will be to create an integrated enterprise risk management system which is not perceived as a bureaucratic burden. It is therefore key to emphasise management responsibility and accountability in the whole process.

Ghazvinian: Companies must actively stress test their compliance programmes. If a company intends to prove that it has an adequate and effective compliance programme, there is no other way it can be done. This is ‘Compliance 3.0’. While companies should focus on design, implementation and selective effectiveness testing, stress testing compliance programmes will become standard. Blockchain will be an interesting option, although no one really knows how this will work out. The next three to five years will be decisive for blockchain’s growth.

PERSPECTIVES

CRISIS AND THE PROTECTIVE POWER OF TRUST

BY KARI BUTCHER

EDELMAN INTELLIGENCE

In today’s tumultuous media environment, rising callout culture and tense sociopolitical landscape, issues develop into crises quickly, often wielding significant and long lasting fiscal and reputational impact in a matter of minutes. This reality has underscored the value of trust as the data clearly shows trusted companies are far more resilient in the face of crisis, experiencing shorter and less damaging crisis lifecycles.

Trust matters

The benefits of trust extend beyond crisis management as well. Trusted companies, for example, financially outperform their respective sectors, are better able to retain and recruit key talent and are generally more resilient in the face of risk, operational and competitive threats. People are six times more likely to recommend their friends, family members or colleagues seek a job at trusted businesses, and 58 percent say they would defend a trusted company if they heard someone criticising it. Further, trust lowers demand for regulatory scrutiny; only one in five say they would lobby for more regulations for companies they trust versus two in five for distrusted businesses. As technology, financial services, health and transportation sectors experience unprecedented levels of consumer and regulatory scrutiny, trust becomes both a distinct competitive advantage and key indicator of a business’ resilience and ability to maintain fiscal health.

Simply stated, trust capital is perhaps a business’ best insurance policy against crises, risk and disruption today – and further, is also its best investment toward driving positive business impact tomorrow.

Central to this truth is that trust, unlike reputation, is a forward-looking metric. Trust looks beyond the current state of play, inherently offering a projection of the relationship dynamics and behaviour exchange between an individual and a business or organisation. In this way, trust serves as a predictor for how stakeholders will engage with and act on behalf of the business or organisation in the future, removing much of the guesswork from risk management and giving the business and its leaders the confidence to pursue bold ideas and innovations without the fear of business-ending failure or inability to rebound quickly from strategic missteps or true crises events.

In short, trust capital is highly precious and valuable.

Measuring and managing trust

It comes as no surprise that cashing in trust capital is much easier than accruing it. Establishing and managing trust is a highly nuanced exercise requiring careful planning, continuous measurement and investment of resources specific to the business’ needs and abilities. An additional challenge is that many of the traditional mediums for reaching stakeholders to build trust are now fraught with their own trust deficits.

Media, previously among the most authoritative and trusted sources of information, for example, plummeted to the least trusted institution in 2018. As fear of fake news surged – with individuals worried about their ability to discern objective facts from misinformation and nearly seven in 10 fearing false information could be used as a weapon – trust in and engagement with news fell.

In a striking reversal of that trend, this year’s Trust Barometer tracked a 22 point jump in news engagement over 2018. On its face, this data point might suggest that trust in media has rebounded, but a closer review reveals that fears of misinformation and perceived roadblocks to acquiring facts remain and that the fabric of trust in media, and in all institutions in 2019, is largely fragmented and fragile.

Polarities in trust in 2019 are perhaps most evident upon exploration of trust in media and political party affiliation. In the US, for example, people who voted in the 2018 midterm elections identifying as Democrats were significantly more trusting of the media than their Republican counterparts – apparent in the seismic 36 point trust gap between the two political groups.

Further, as people seek answers in a world marked by deep sociocultural and political divides, channels like social media are met with more scepticism than ever. Concerns about fake news and data privacy continue to cloud the media ecosystem, especially in Europe, Canada and the US, where the gap between trust between mainstream media and social media is as high as 40 points in some markets.

This data begs the question: in a world where establishing trust is so important, and the traditional channels for building and communicating it are compromised, how can it be done?

Employers lead in trust

Sustained and emerging trends in valued and trusted voices provide promise and direction. Owned platforms – blogs, websites, non-paid media – are now true table stakes for corporate communications in a low trust media environment. They must be used more heavily to supplement earned and paid strategies.


Also of note is the evolved expectation society has for C-suite leaders to drive positive societal change within the environments they operate. As people seek reliable information, they are also looking for leadership. While trust in government lags business, CEOs are tasked with speaking up and out on issues that extend beyond delivering on the bottom line, including on matters like equal pay, discrimination, sustainability and job training.

Further, today, people hold more trust in their employer than in any single institution, with trust levels at 75 percent globally, 19 points more than business in general and 27 points more than government. Importantly, employees’ expectation that their employers join them in taking action on societal issues (67 percent) is nearly as high as their expectations of personal empowerment (74 percent) and job opportunity (80 percent). In this context, employees should be both critically and carefully considered as a key audience, and potential distributor of messages.

In summary, an investment in employees, addressing their fears and expectations, establishing a platform for the C-suite that allows them to clearly articulate where business strategy and values intersect, and careful selection of owned and select earned channels that authentically deliver those messages, are the stepping stones to building trust and achieving the many benefits trust capital yields.

Kari Butcher

Managing Director

Edelman Intelligence Eastern Region

(New York and Washington DC)

T: +1 (202) 551 9840

E: [email protected]

MINI-ROUNDTABLE

ADVANCED TECHNOLOGY FOR COMPLIANCE

Andrew Pimlott is a senior managing director in FTI Consulting’s data & analytics practice. He brings sophisticated analytics and regulatory expertise to large-scale financial services investigations, particularly in the area of financial crime, including anti-money laundering (AML), terrorist financing, economic sanctions and anti-bribery and corruption. He has led his clients, which are among the largest financial institutions, through exceptionally complex and impactful regulatory and legal matters, and has on numerous occasions represented them before the US Treasury/OFAC, DOJ and FBI as well as EMEA regulators.

Andrew Pimlott

Senior Managing Director, Financial Crime

and Investigative Analytics, EMEA

FTI Consulting

T: +44 (0)20 3727 1285

E: [email protected]

PANEL EXPERTS

Jamilia Parry is a managing director in FTI Consulting’s financial services practice. She is a senior regulation professional with significant experience in dealing with the EU, US and UK regulators, including conducting AML, sanctions, conduct and governance investigations and delivering remediation programmes to fix the root causes of the identified issues. She has practical experience of leading and implementing regulatory changes and remediation programmes, having held senior executive positions in large financial services firms as head of change and head of group compliance.

Jamilia Parry

Managing Director, Financial Crime,

Governance and Conduct, EMEA

FTI Consulting

T: +44 (0)20 3727 1417

E: [email protected]


R&C: To what extent is the international regulatory landscape becoming more complex and challenging? How would you describe the compliance burden that companies now face?

Pimlott: The international regulatory landscape is particularly complex and challenging at present because new sanctions on entities and individuals are used to apply political pressure, placing a greater burden on companies already under heavy regulatory scrutiny. In the past few years, we have seen banks agree to pay settlements in the billions to US prosecutors over allegations of sanctions violations – penalties that regulators intend to be a clear warning signal. A regulatory breach does not just impact a business financially, but also causes severe reputational damage. Compliance teams are expected to detect and prevent regulatory violations taking place, yet money launderers are becoming increasingly savvy with their technical applications, navigating almost with ease through any barriers applied. The constant increase of data, new technological developments, FinTech, Cloud innovations, GDPR, Brexit – to name just a few – are all adding to the pressure and escalating expectations on the compliance department.

R&C: In what ways are advanced technologies helping companies to meet their regulatory compliance obligations?

Parry: Fortunately, advanced technologies can help companies to meet regulatory obligations. Today’s technology is capable of bringing together and analysing disparate data to find out what someone has attempted to conceal. It is now possible to link together not just structured data like core banking transactions, SWIFT messages and Know Your Customer (KYC) data, but also unstructured data such as emails and even audio. Once you can integrate all these different types of data into one environment, you can really get at the truth of what has been going on, answering essential questions such as who, what, when and how much. Data visualisation tools can help explore the resultant information, for example by displaying data graphically and showing transactional movements in a particular geographical area that is subject to sanctions. Sentiment analysis technology is enabling compliance functions and management to monitor culture and emerging misconduct issues, thus providing an opportunity to intervene before major issues occur. Machine learning (ML) is further empowering the compliance function, giving teams the necessary tools to focus and drill down on those transactions that raise high risk red flags.

R&C: Drilling down, could you explain the benefits of utilising software that can bring together and analyse disparate data for compliance purposes?

Pimlott: As a first step, analysts teach the machine what ‘normal’ data behaviour looks like, or what typical data relating to a compliance breach would look like. This knowledge is converted into algorithms that can be applied automatically to masses of historical data. The application then refines the algorithms in light of known outcomes associated with that data. The identification of future anomalous behaviours can then be automated, with the application raising red flags on unusual patterns to be further explored by human investigators. The investigators in turn provide the application with feedback about which patterns have proved to be associated with crime. In this way, a feedback mechanism continually trains the application and optimises its performance. The crucial difference between new ML tools and legacy approaches is that ML allows the application to continuously improve its capabilities, which means that when criminals apply technically advanced methods, the application can quickly adapt.
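The detect-review-retrain loop Pimlott describes, as an added worked example written for this page (not FTI Consulting's tooling or anything from the roundtable): a baseline is fitted to analyst-labelled 'normal' transactions, new transactions are scored against it, and investigator dispositions retune the feature weights and remember a cleared counterparty pattern. The transactions, feature set, weights and threshold are all constructed for illustration.

```python
"""Transaction screening with an analyst feedback loop (constructed, illustrative data)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Transaction:
    tx_id: str
    amount: float
    country: str   # counterparty country code (constructed)
    hour: int      # booking hour, 0-23


@dataclass
class ScreeningModel:
    threshold: float = 2.5          # alert when the weighted score reaches this value
    learning_rate: float = 0.25     # size of each feedback nudge to the weights
    weights: dict = field(default_factory=lambda: {
        "amount_z": 1.0, "new_country": 2.0, "off_hours": 1.0})
    mu: float = 0.0
    sigma: float = 1.0
    known_countries: set = field(default_factory=set)
    open_alerts: dict = field(default_factory=dict)

    def fit(self, history):
        """Learn what 'normal' looks like from analyst-labelled history."""
        amounts = [t.amount for t in history]
        self.mu = mean(amounts)
        self.sigma = pstdev(amounts) or 1.0          # guard against a flat history
        self.known_countries = {t.country for t in history}

    def features(self, tx):
        """Risk features; the amount z-score is capped so one outlier cannot dominate."""
        return {
            "amount_z": min(abs(tx.amount - self.mu) / self.sigma, 4.0),
            "new_country": 0.0 if tx.country in self.known_countries else 1.0,
            "off_hours": 1.0 if tx.hour < 7 or tx.hour > 20 else 0.0,
        }

    def score(self, tx):
        return sum(self.weights[k] * v for k, v in self.features(tx).items())

    def screen(self, txs):
        """Raise alerts for transactions at or above threshold; return flagged ids in order."""
        flagged = []
        for tx in txs:
            if self.score(tx) >= self.threshold:
                self.open_alerts[tx.tx_id] = tx
                flagged.append(tx.tx_id)
        return flagged

    def feedback(self, tx_id, confirmed):
        """Investigator disposition: reinforce the features of a confirmed hit, damp those of a cleared one.

        A cleared counterparty's country is also remembered as known, so the same
        legitimate pattern does not keep generating alerts.
        """
        tx = self.open_alerts.pop(tx_id)
        sign = 1.0 if confirmed else -1.0
        for k, v in self.features(tx).items():
            self.weights[k] = max(0.0, self.weights[k] + sign * self.learning_rate * v)
        if not confirmed:
            self.known_countries.add(tx.country)


# Constructed 'normal' history: GB counterparties, business hours, modest amounts
HISTORY = [Transaction(f"H{i}", a, "GB", h) for i, (a, h) in enumerate(
    [(120.0, 10), (95.0, 11), (210.0, 14), (150.0, 9), (80.0, 16),
     (175.0, 13), (130.0, 12), (160.0, 15), (110.0, 10), (140.0, 11)])]

# Constructed new batch: T2 is a large off-hours payment, T3 a legitimate Irish supplier paid late
BATCH = [Transaction("T1", 145.0, "GB", 12), Transaction("T2", 9800.0, "GB", 3),
         Transaction("T3", 130.0, "IE", 22)]


def run_cycle():
    """One detect-review-retrain cycle; returns the model and the alerts before and after feedback."""
    model = ScreeningModel()
    model.fit(HISTORY)
    first_pass = model.screen(BATCH)                  # ['T2', 'T3']
    model.feedback("T2", confirmed=True)              # investigator confirms T2
    model.feedback("T3", confirmed=False)             # T3 cleared: known supplier
    followup = [Transaction("T4", 140.0, "IE", 22),   # same supplier, normal amount
                Transaction("T5", 9800.0, "IE", 14)]  # same supplier, abnormal amount
    second_pass = model.screen(followup)              # ['T5']
    return model, first_pass, second_pass


if __name__ == "__main__":
    m, before, after = run_cycle()
    print("first pass:", before, "after feedback:", after, "weights:", m.weights)
```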

R&C: What recent innovations have you seen in artificial intelligence (AI) and intelligent tagging that are having an impact in this space? How are these systems getting better at analysing data and identifying trends, patterns and outliers?

Parry: ML and predictive technology can, to a great extent, automate the process of looking for signs of fraud or misconduct. Predictive technology enables rapid processing of large amounts of data while highlighting potential concerns to be scrutinised by compliance experts. ML capability means the application learns continuously through the process of internal reviews of alerts, progressively improving the accuracy and relevance of alerts and the prioritisation of key documents for review. Other sophisticated tools include sentiment analysis, which can be used to provide predictive assessment of cultural risk and changes in behaviour. These predictions enable firms to investigate potential compliance- and conduct-related matters early, and intervene before they become a problem. This technology can also help firms build a heat map of the organisation’s culture risks, and identify emerging patterns of fear, pressure, deceit or disregard for internal rules, all of which are known to be associated with significant misconduct events such as foreign exchange manipulation, payment protection insurance mis-selling, and many others. All this can be done by combining and applying these technologies to data in day-to-day communications such as emails, voice and chat data. The resultant information about cultural risks can be used in conjunction with other alerts, for example relating to sales, trading activities or expenses, to see if further investigation is needed.

R&C: How is compliance-related technology being extended to assist with screening customers and third parties? Why is this so important in today’s regulatory environment?

Pimlott: Financial institutions have been reluctant to collaborate on these issues because of their desire to keep valuable KYC information to themselves. However, they will need to overcome this obstacle. FinTech companies are showing what is possible, with their willingness to pool information with one another. Technologists may make this approach more acceptable to traditional financial institutions by providing platforms that share information selectively. Already, there are several pools of shared KYC information available. Being able to check a new customer against a shared master database might be a better governance model than the current one, and might help overcome any political barriers to collaboration.

R&C: What considerations should compliance professionals take into account when assessing which technology solutions are right for their organisation?

Parry: It is important to have an open mind, and a broad familiarity with the options available. Modern analytic techniques do not call for ditching traditional approaches, but rather complement existing methods. They are partly a response to the ever-increasing volume and complexity of data, which would be impossible to handle otherwise. Looking at the full range of techniques available, including the latest, widens the options for compliance teams, and means situations that in the past could not have been dealt with efficiently can now be brought to a successful resolution. If partnering with an external organisation, it is advisable to look at firms that field an integrated team of data scientists, traditional analysts and deep subject matter experts. These multidisciplinary teams can work with compliance departments seamlessly to apply all this knowledge and help them stay compliant.

R&C: Based on your experience, what advice would you offer to companies on integrating compliance technology into their existing systems and processes, to ensure the roll-out is as smooth as possible, with minimal disruption to the business?

Pimlott: A step-by-step approach is essential, as is the ability to stay agile in order to take advantage of fast-moving developments in technology. To start the process, existing systems in the enterprise need to be mapped out, including how they connect and communicate with each other. Once a clear understanding is gained of what system and process sits where, the team can analyse the requirements for the specific enterprise environment, and how best to apply and integrate compliance technology – either as a completely new system integration, or as an add-on to existing technology. In our experience, for the roll-out to be smooth, with minimal disruption to the business, it is absolutely essential to work alongside the relevant teams within the business and get buy-in from the top-down, offering workshops and training sessions for all staff throughout the process. That way, the business understands why a new system has been installed and how it impacts the future wellbeing of the company.

R&C: What are your predictions for compliance technology over the coming months and years? What innovations are we likely to see in this area?

Parry: Advanced analytics will accelerate, and methods available will become more and more sophisticated, addressing ever more savvy financial crime methods, including politically driven cyber attacks on institutional enterprises. Compliance technology will enable compliance teams to manage the volumes of data and cut through the noise to focus on high-risk red flags. We believe global collaboration platforms that share those red flags plus KYC information, can help to prevent illicit money from flowing through jurisdictions with no means of control. The need for compliance teams to understand advanced analytics technology will only grow, as it will become more of an extension to their capabilities, allowing them to deliver on regulatory demands and protect the business from financial crime and ultimately reputational damage.


ONE-ON-ONE INTERVIEW

COMPLIANCE RISKS AND CONSIDERATIONS FOR FAMILY OFFICES

Nick Parfitt

Head of Market Planning

Acuris Risk Intelligence

T: +44 (0)20 3741 1200

E: [email protected]

Nick Parfitt is responsible for determining Acuris Risk Intelligence’s approach to the market and building subject-matter expertise. He has 18 years’ experience in project and programme management, business process change and in implementing technology and business solutions at financial services, telecoms and public sector organisations. His experience in the financial crime sector spans seven years, helping tier one financial institutions assess and improve AML, KYC and sanctions operations. Mr Parfitt has worked for several tier one banks in the UK and holds an MBA (Distinction) from Cardiff University, and a BA (Hons) in Biochemistry from Imperial College.

R&C: What, in your opinion, are the most significant compliance issues currently facing family offices?

Parfitt: We see parallels with traditional small to medium and even large organisations, where it is a challenge to keep abreast of regulatory and compliance obligations – and one that is often exacerbated by the jurisdictional reach and nature of the operation. When single or multi-family offices are subject to anti-money laundering (AML) regulations, compliance is a key challenge due to the depth of knowledge and experience needed around the subject and the implications for the office in question. Beyond specific compliance requirements, family offices also should consider reputational risk exposure. They need to look at what this means for business relationships – either direct relationships with partners and organisations or throughout the vendor supply chain – and how they are identifying and managing this risk.

R&C: What do you consider to be the most notable legal and regulatory developments presently impacting the way family offices approach risk, compliance and reporting processes?

Parfitt: In the UK, a family office can operate in various ways: from being run by trusted family members or individuals to being managed by a professional service provider. UK law requires that investment advice can only be given by a stockbroker or financial adviser, who must be registered with the Financial Conduct Authority (FCA), or in the case of certain larger institutions, the Prudential Regulatory Authority (PRA). Another key aspect of risk for family offices is around limitation of liability and how different legal structures can be used to limit liability if required. The three primary entities used to achieve this in the UK are limited liability companies (Ltd), limited partnerships (LPs) and limited liability partnerships (LLPs), all of which protect the owner, in general, from financial penalties according to the level of equity invested in the family office entity.


R&C: How important is it for family offices to cultivate a robust compliance and risk management culture across the organisation? What strategies can be deployed to take this process well beyond a box-ticking exercise?

Parfitt: If we look at good practices for AML and countering of terrorist financing (CTF) over the last decade, the adoption of a shared culture throughout the organisation has been central to success. More importantly, it is good business sense to have well-articulated, documented and implemented risk processes and procedures, particularly if the family office has a low appetite for reputational risk exposure, as nearly all of them do. Regularly refreshed training that is tailored to the family office’s unique business operations, scope of jurisdiction and articulated risk appetite is a successful way of embedding good practices. From a governance perspective, a suitable risk and compliance governance operating model, including appropriate committees for risk escalation and decision making, provides a key control point for implementing and managing risk policies and procedures.

R&C: Are you seeing more family offices apply data analytics to help them meet their risk management and compliance obligations? What benefits can technological innovations offer?

Parfitt: Data analytics is an exciting and fast-developing area with the potential for significant business impact. It is becoming possible to track and report on key risk indicators (KRIs) automatically and in real time, supporting faster and more informed business decisions. This topic is still front-of-mind for global financial services providers, because the degree to which data within the organisation is actionable depends on its quality and scope. Technology should be at the heart of accelerating processes, providing greater insight into critical business relationships and alerting personnel to trends or breaches that may materially impact operations or crucial decisions. As an example, we see risk-averse organisations making extensive use of enhanced due diligence (EDD) reports to inform and manage business relationships, whether at the start of a new venture or at periodic intervals during the relationship to monitor any material changes in risk. Speed of delivery is critical here and new technology, data and automation is an enabler. But we also recognise the importance of human interpretation in faster decision making.

R&C: To what extent can technology enhance collaboration between the different functions within a family office?

Parfitt: Technology is fundamental for providing efficiencies and improving the quality of decision making but must be balanced with the scope and needs of the family office. The security of the information and the sensitivity of what is being collaborated on should also be risk assessed and ideally have an associated information security policy. This ensures that standards and regulatory compliance, for example with the EU General Data Protection Regulation (GDPR), are ‘baked in’. It is encouraging that there are many relatively inexpensive IT solutions on the market that offer great collaboration, security and usability across multiple platforms, providing rich functionality at a relatively low cost. However, it is very important to have corresponding IT security policies and procedures to support IT usage and adoption.

R&C: What essential advice would you offer to family offices on adjusting their internal frameworks and processes to achieve higher levels of risk management and governance?

Parfitt: Perform an enterprise-wide risk assessment that looks at your office’s operations, product and service offerings, jurisdictional exposure and the policies, systems and governance across the organisation. Then, overlay regulatory requirements – and importantly, make this an annual event so that you can identify changes in risk. If your office does require adherence to AML/CTF rules, then you need to make sure your risk rating of business relationships is accurate and that you can adjust risk controls accordingly. Governance and control are at the heart of risk management. This approach will enable a risk framework to be overlaid with actual processes and controls to indicate where there are gaps or areas for improvement. It may also indicate where your office is being overcautious.

R&C: Looking ahead, how do you expect the risks and compliance challenges for family offices to unfold and evolve over the coming years? What factors will separate those family offices that can successfully meet their obligations from those that fall short?

Parfitt: The global macro trends of the last 10 to 15 years point to a continued increase in regulatory and compliance rules and requirements that will only ensure a more complex operating environment, and this is unlikely to slow down anytime soon. The opportunity, though, is to be more proactive and use compliance as a competitive advantage. It can demonstrate to the wider business community that you know your risks and can manage them accordingly, and even allow you to take on higher risk as long as it can be identified and mitigated at a cost that does not break the business. Take a three- to five-year view of where the office is now and where it needs to be, factoring in expansion plans. Not taking this approach will only store up issues, putting the office on the ‘back foot’, which is draining for all involved and will ultimately limit business growth and profitability.


MINI-ROUNDTABLE

MANAGING TRADE COMPLIANCE SCREENING

Taras Chaban is the global head of buy-side solutions for market technology at Nasdaq. Previously, he was co-founder and CEO of the London-based behavioural analytics expert, Sybenetix. He was also responsible for pioneering the development of organisational behavioural analytics and leading a team of world-class experts in technology, behavioural science and finance, working with financial institutions to manage the strategic impact of behaviour on operations and culture.

Taras Chaban
Vice President, Global Head of Buy Side Solutions
Nasdaq
E: [email protected]

PANEL EXPERTS

Paul Young is head of buy-side product management for market technology at Nasdaq. With over 20 years of experience working in financial technology, Mr Young’s career has focused on investment management and the research and development of systematic strategies. His career has involved managing funds as a portfolio manager at some of the world’s largest hedge funds, such as Man AHL and GLG, co-founding hedge fund Harnett & Partners, and leading research and development teams within data science focused FinTech startups.

Paul Young
Associate Vice President, Head of Product Management, Buy Side
Nasdaq
E: [email protected]


R&C: Could you explain why it has become so important for financial institutions (FIs) to actively detect red flags in trade transactions? To what extent have the associated risks increased?

Young: Detecting trade risks is very much about reputation. Financial institutions (FIs) are increasingly conscious about their public profile, particularly as it affects larger institutions which allocate capital, such as pension funds and sovereign wealth funds. Many of these allocators are public bodies that cannot afford to have any aspersions cast on their trustworthiness. When trusting someone with a billion dollars of capital, there can be absolutely no question about their behaviour. From an FI’s point of view, it is very important to stay within regulations and avoid fines. But what hurts most is when they hit the headlines for the wrong reasons. In such circumstances, institutional investors may perceive any bad publicity as a red flag, rethink their allocations and move money away from the FI. Some institutions have lost hundreds of millions, sometimes billions, in the space of a few days as the result of a scandal. Although they may actually be squeaky clean, mud sticks and investors will not come back immediately. Reputation is paramount to FIs, and once it is damaged, it is nearly impossible to regain the trust of investors.

Chaban: In terms of the process of detecting red flags, trading and portfolio management is likely to become more data intensive and automated, so the complexities are increasing. It is becoming harder for compliance officers to monitor all the extant regulations, and manage, prioritise and identify the tiniest signals among all of the noise. The vast majority of trading involves individuals going about their regular jobs, and it is very difficult to find that one bad apple who is doing their best to hide.


R&C: How have regulations in this space evolved in recent years? What kinds of obligations do they place on FIs, and what penalties can they expect to face if they are deemed to have facilitated criminal activity, knowingly or otherwise?

Young: Regulations such as the revised Markets in Financial Instruments Directive (MiFID II) and the UK Senior Managers and Certification Regime (SM&CR) are quite specialised and specific, and have had a particular impact on surveillance. For example, the SM&CR states that senior managers have a duty or responsibility to ensure they are aware of what goes on in the firm, and are doing everything possible to detect when abuse or inappropriate behaviour occurs. They need to be able to demonstrate to the regulator that all necessary steps have been taken and that the firm’s senior managers are on top of things.

Chaban: In terms of penalties, there are two sides to consider. Penalties can be applied directly by governments, regulators or a form of legal action that either regulators or investors may take. And these do occur. In a recent case, the UK’s Financial Conduct Authority (FCA) investigated fund managers that colluded on initial public offering (IPO) trading, where they tried to set prices for IPOs. The FCA does pick specific scenarios, such as IPO trading collusion and front running of customers, which fall under the market abuse regulation. But, apart from the penalties, it is reputational damage that is most dangerous for FIs, with investors potentially withdrawing their assets – an action that may be far more devastating to an FI than a financial penalty.

R&C: What benefits can technology bring to trade compliance screening? How effective has it proven in terms of detecting and analysing trade data?

Young: For modern, high-tech organisations, trade flow can be immense, so the amount of data involved in trade compliance screening is correspondingly enormous. Large organisations with diverse trade strategies and investment processes typically have complex trade data analysis procedures and multiple management systems. Certainly, all this is a headache for compliance. So, how do organisations come up with a systemic, unbiased way of looking at all trade activity and then matching that with regulation in different regions? In a global trading context, it becomes a mammoth task. What it requires is identifying rare bad behaviour among an immense amount of trading volume. Even with well-designed testing, with a very low false positive rate, you are still going to be overwhelmed with numerous alerts that are benign, just by the fiscal nature of what you are trying to achieve.

Chaban: FIs are concerned about regulators’ capabilities, and how they analyse the data they receive. The FCA, for example, has increased its spending on data analytics and hired a substantial number of data scientists. Across Europe, MiFID II collects data in vast volumes which is being stored in the Cloud. In the US, the Securities and Exchange Commission (SEC) has the national exam analytics tool (NEAT) which, since late 2014, has increased its analytical capabilities. Asset management firms in the US say that NEAT has shortened the time it takes to analyse data. Typically, the SEC will visit a firm and take a set or subset of data, including orders and transactions, then go away and analyse that data before returning with questions in perhaps one to three days. Prior to this, the process would take weeks. So, analytical capabilities have increased substantially on the regulatory side, meaning FIs’ in-house analytics need to respond to keep ahead of the game.

R&C: For trade compliance screening to be effective, it needs to highlight potential violations while allowing legitimate trades to continue seamlessly. What advances are you seeing on this front?

Chaban: In terms of post-trade analysis, conducted once a trade has been executed, the system picks up what has been collected and highlights what it believes to be positive. Behavioural analytics and a risk-based approach allow alerts that are specific to individuals and are adaptive to changes in market and fund conditions. Suspicious alerts that merit investigations from compliance are not false positives because compliance must demonstrate that they reviewed these alerts – even if no abuse was carried out.

Young: FIs need to have complete confidence that, were a regulator to ask an FI six months later what it was doing on a particular day in the past, the FI has already investigated and logged everything that was done. This data can be captured using the right kind of system. To avoid being blindsided by a request from a regulator, FIs need to provide deeper context and greater understanding to their normal business operations, to build a better quality case. Thinking in terms of trade alerts helps to identify what has happened and capture the investigation. Positioning within portfolios, for example, allows us to identify whether a particular trade is suspicious or not, or if a portfolio manager has ever traded in a particular sector before. This can provide an insight into the trade. All this information is used to improve the approach.

R&C: In your opinion, what are the essential elements of a workable trade compliance screening framework?


Chaban: According to regulators, frameworks need to be fit for purpose. Julia Hoggett, director of market oversight at the Financial Conduct Authority (FCA), in her recent speech at the AFME event, spoke about the importance of a dynamic response to a changing risk profile. This means FIs need to think about the risks they are likely to be exposed to and how their surveillance programmes and technologies are addressing those risks. It is not a one size fits all world today. A good trade compliance framework needs to take these factors into account. It also needs to be adaptable and specific to the context of the company and individuals – whether an investment is turning a profit, for example, will be one of the factors affecting their behaviour. The alternative of having ‘one system that fits all’ is frankly too simplistic, as it would create too many false positives and make the approach ineffective.

Young: FIs need to demonstrate that they are using compliance screening tools appropriate for their organisation. This is one weakness of a rules-based approach, which has strict parameters. It puts FIs at great risk of appearing, from a regulator’s point of view, to be reducing workloads by adjusting these parameters. That said, regulators may also be concerned that FIs have been setting their parameters incorrectly. This leads to ‘near misses’ and regulators will want to know about trades that were not investigated because they fell just below certain thresholds. A rules-based approach means setting up even more alerts and doing even more work to demonstrate ‘near misses’. In contrast, a risk-based approach allows FIs to go back and reflect on lower risk cases and ask whether they can see a pattern emerge – a cluster of transactions which may appear to be low risk at first, but together may add up to something which demands more attention.

R&C: What are your expectations for trade compliance screening in the months and years to come? Is it set to remain a key risk area that demands adequate attention and resources?

Young: We are likely to see greater competition among FIs, as well as more demand to reduce costs and increase efficiencies. We are also seeing a relentless continuation of technology trends. Finance has always used cutting edge technologies to gain an edge in terms of performance and cost reduction. That will only continue. We should expect finance, as a whole, to become more complex and data intensive, with more machines making decisions. This, in turn, will create greater data flow and make it harder for compliance officers to manage. Regulation will continue to increase because there are big incentives for individuals willing to circumvent the rules. Regulators will always be looking to close loopholes, so we expect the regulatory load to increase. We do not expect the pressure to ease off compliance any time soon.


Chaban: We have had several years of increasing compliance budgets, but this will end. In time, instead of throwing money at the problem, FIs will attempt to extract more value from the investment they have already made – and optimise it. This will be the next stage where technology helps FIs get more from their compliance spend. In terms of actual technology capabilities, if we look forward a few years, we will see more data sources appearing in systems, since data is getting progressively cheaper to collect and store. We have also made great strides in how we analyse data, which will continue. Along with more sources of data, there will be interesting dynamics around what companies are allowed to do with personal data, and there may be further regulatory developments in this regard. The systems being built are data hungry – they want to learn from our personal data. How this space evolves will be interesting because there are two highly conflicting aims: data privacy and protection, and market surveillance.

PERSPECTIVES

DATA PRIVACY AND THE IS AUDITOR

BY SANDEEP GODBOLE

ISACA

Information systems (IS) auditors continue to play an important role in providing assurance related to governance and control of information systems. The IS audit profession has grown over the last few decades in line with the ubiquitous growth of information systems.

Increased automation, greater efficiencies and the advantage resulting from innovative solutions have been achieved by deploying information systems. The systems have been diverse in terms of the technology, size as well as the specific benefits. The principles that guide the systems have, however, been relatively uniform irrespective of the nature of the systems. Delivery of reliable, efficient and effective solutions, ensuring an appropriate level of security and supporting compliance requirements, have been a common set of expectations across diverse systems. Many of the performance and security requirements related to information systems can be supported by deploying appropriate technology. Ensuring that systems comply with regulatory and legal requirements needs knowledge of the requirements that may be technology-neutral and expertise to translate them to the appropriate technology. For example, if the requirement expects the stored data to be protected, it is necessary to interpret the requirement so that the expectation can be translated to specific technology including encryption, digital rights management or any other approach that satisfies the data protection requirement.

As systems have grown in number and pervasiveness, a large volume of sensitive, personal or confidential data is being processed and maintained. Increasing awareness and sensitivity of individuals related to protection of their personal details and information have resulted in the adoption of laws and regulations that aim to protect data privacy. These laws and regulations set the expectations and boundaries that impact the implementation and usage of information systems. The last few years have seen a heightened level of expectations related to data privacy, and it seems that the trend will continue and possibly accelerate, at least in the immediate future. The penalties specified for non-compliance are extremely severe and impact the finances, image and trust of the organisations. Most organisations therefore choose to be sensitive and consciously comply with data privacy requirements.

The complexities and technical aspects associated with regulations require the services of experts who can guide organisations. Many organisations therefore have created a Data Privacy Officer (DPO) role. Data privacy is increasingly recognised as a discipline with a distinct body of knowledge. The DPO role is therefore emerging as one of the assurance and compliance functions within an organisation. Given that data privacy has emerged recently as a specific function, the roles, responsibilities and associated activities are still in a relatively nascent stage compared to other traditional compliance functions. Other assurance and compliance functions therefore have a responsibility to support the activities of the data privacy function.

The IS auditor role came into prominence over three decades ago, with the increased adoption and implementation of information systems across organisations. Over time, the IS audit role has developed its body of knowledge and has been successfully established within many organisations. IS auditor expertise has helped to manage risk and deliver value in information systems. Multiple aspects, including technology, efficiency, processes as well as compliance requirements relevant to information systems, are routinely reviewed and enhanced by IS auditors’ relevant inputs. While the IS audit role is not specific or limited to data privacy aspects alone, an IS auditor can play a complementary and supporting role in data privacy within the organisation. Considering that most information in a modern organisation is maintained and processed by information systems, the contribution of the IS auditor can significantly support the DPO function and contribute to data privacy compliance.

Including data privacy requirements, controls and processes as part of the IS auditor’s scope of work can ensure that data privacy is adequately addressed. The IS auditor needs to consciously weave data privacy into the IS audit scope wherever feasible. Experienced IS auditors are capable of reviewing and interpreting compliance and regulatory requirements. In addition, IS auditors also have a good understanding of the technology inherent to information systems. The ability to address both aspects – regulatory compliance as well as technology – equips the IS auditor with the skills to review data privacy compliance. IS auditors who keep themselves up to date on data privacy principles and requirements are therefore well equipped to review data privacy as part of information systems. Some areas where an IS auditor can contribute include evaluating: (i) whether data privacy requirements are understood, defined and addressed in the system; (ii) whether personal data is protected and data privacy is enabled as part of the system design; (iii) technology and process controls around the information systems that protect data privacy; (iv) data management practices including data collection, processing, archival and destruction; and (v) the awareness of data privacy among system developers as well as users.

The above examples are representative and not a comprehensive list of IS auditor involvement with data privacy initiatives within an organisation. Activities similar to the above can support the DPO organisation in ensuring data privacy compliance. Organisational structures evolve based on business imperatives. Considering that the DPO function is relatively new among other assurance functions, it is important to integrate activities across other assurance functions in a manner that supports data privacy requirements. The compliance and assurance functions need to identify elements within their scope of work that touch data privacy and contribute effectively.

The IS auditor role has evolved, along with changing expectations and newer technologies. In the same manner, it is important that IS auditors modify their techniques and processes to address data privacy across the lifecycle of information systems. Upgrading knowledge related to data privacy regulations and enhancing work methods to include data privacy aspects can greatly enhance IS auditors’ contributions. The skills, knowledge and abilities possessed by IS auditors enable them to contribute significantly to implementing and maintaining strong data privacy.

Sandeep Godbole

Past President

ISACA Pune Chapter

ONE-ON-ONE INTERVIEW

BUILDING A SUSTAINABLE PROGRAMME AROUND DATA PRIVACY

Rebecca Turco

Vice President of Learning

SAI Global

Rebecca Turco is the vice president of Learning at SAI Global, a recognised leader of integrated risk management. She leads SAI’s global compliance and ethics solutions for product portfolio. She has helped transform the way companies think about their compliance programme and how they can reach and impact learners. She is passionate about helping organisations change their cultures and helping employees feel empowered and educated to do the right thing.


R&C: Could you provide an insight into how evolving data privacy regulations present challenges to companies? What have been the most notable developments in recent years?

Turco: It is not news that data privacy regulations are changing rapidly. Many jurisdictions are passing new regulations and sometimes those regulations conflict. For multinational organisations, a mix of national data privacy and US state regulations creates a patchwork regulatory landscape that is difficult to manage. The most prominent development of late has clearly been the EU General Data Protection Regulation (GDPR), which effectively set the bar for personal data privacy. GDPR puts strict barriers around the use of personal data, which are only beginning to be tested in the courts. It is important to recognise the shift happening among the general population as a result of GDPR. The proliferating nature of high-profile data breaches among well known corporations, along with a string of revelations about use of personal data provided to social media platforms, has raised the importance of data privacy among the general public and has seen a groundswell of a new consumer activism. Amid this growing consumer discomfort about exchanging personal data with industry, consumers now feel, and are, empowered. The effects of this are significant and far-reaching, including your company’s brand and reputation being damaged, erosion of consumer and business partner confidence – all of which will significantly affect your bottom line.

R&C: Against this backdrop, could you explain the importance of building a sustainable data privacy programme that protects customers’ personal data?

Turco: The overall objectives at the core of data privacy regulations like GDPR, the Singapore Personal Information Protection and Electronics Document Act (PIPEDA) and the California Consumer Privacy Act (CCPA) are protecting customer privacy, strengthening customer trust and supporting the expansion of sustainable digital services. These are becoming essential to businesses as they expand their digital offerings. By strategically implementing a sustainable data privacy programme, a company can move beyond avoiding regulatory penalties, and have a real opportunity to improve its trustworthiness among customers and differentiate its position on a topic of increasing importance to end consumers. By utilising the right tools, creating tighter controls, and implementing modern approaches to learning and employee communication, you can build a data privacy strategy that incorporates customer rights and the ethical use of data that adheres to legal and compliance obligations, ultimately strengthening your company’s brand and resilience.


R&C: How should companies go about identifying gaps and vulnerabilities in their existing data privacy framework? What are some of the common red flags?

Turco: To find gaps in a data privacy framework, the first step is to begin with the appropriate privacy framework. The regions an organisation operates in and the standards bodies it chooses to follow play a part in making that determination. Once a framework is chosen and in place, it is important to undertake a control audit to determine which required controls are already in place, which ones are in place but are not effective, and which ones need to be implemented. The work must be performed in order to determine process and control gaps. Red flags to consider are signs of transparency and visibility. Is there the ability to see vulnerabilities and gaps across the organisation to ensure resources are being deployed to address the most critical? Are enough resources available to address the vulnerability landscape? Is the risk team able to communicate current risks in business terms that stakeholders will understand in order to secure enough resources?

R&C: In your opinion, what are the essential aspects of an effective subject rights management system?

Turco: Subject rights represent the rights of an individual – for example, a consumer, web visitor or employee – to make decisions and take actions on the data about themselves. These include portability and access rights, the right to correction and the right to erasure. An effective subject rights management system should be flexible to capture, catalogue and respond to requests from individuals. Workflows must be in place to ensure these requests are handled in the appropriate amount of time as mandated by the regulations. The perception of effectiveness of a data privacy programme is driven primarily by the responsiveness of an organisation to these requests. A single instance of a slow response can be amplified via social media to diminish the perception of a brand. The system has to be in place in order to respond and act quickly.

R&C: How is technology helping companies with breach management, including obligations to notify affected subjects and relevant regulatory authorities under certain laws?

Turco: While some companies are deploying breach detection technology, others leave that in the hands of their security teams. In some cases, technology has been deployed to help with the organisational and human elements of breach management – the tasks that must be performed once a breach has occurred. Effective software can provide value to expedite and choreograph the workflow that must take place when a breach occurs. This allows companies to understand whether a breach has occurred, what action they can take to respond to a breach, and how to investigate gaps in their process to mitigate further penetration or future breaches. Regulations in many jurisdictions require that a response takes place within a short amount of time – GDPR, for instance, has a 72-hour window. Within that time frame, a company must take action on the breach to determine the impact, notify regulatory bodies, begin remediation actions internally, craft a message to those affected, and deliver it. This requires a number of people acting quickly and in parallel. If a tool is not already in place that can enforce the exact steps, sequences and dependencies, an organisation is very unlikely to respond in time.

R&C: How important are people to a sustainable data privacy programme? Can such a programme only operate effectively if employees are educated and trained on data privacy best practices?

Turco: Many organisations have focused on investing in solutions to manage the risks associated with data privacy. They look to put in tools, process and people to make sure they understand their risks and what to do if something happens. Tools and systems are one component of a successful programme, but the other component is the culture and knowledge of your employees. The culture that you have within your business will drive the risk your employees will take. After all, employees making the right decisions is one of the most important risk mitigation strategies. Employees must be trained to understand what the risks are, they must know what to do when faced with this risk, and they must understand what the right decision is. Building effective training programmes will help employees make the right decisions when it comes to protecting your infrastructure, identifying a breach, and following the right process when something happens.


R&C: Once a robust system is in place, do you believe companies should proactively communicate their efforts to internal stakeholders and regulators? What are the benefits of doing so?

Turco: Employees are one of the biggest assets and risks to an organisation. They are also one of the hardest risks to manage because most of the risks that employees face are ones that organisations cannot see. With the change in technology and the way people consume content and use social media, engaging employees is even more critical than ever. The relationship between culture and risk has strengthened over the past few years. Employees are more engaged, productive and likely to follow the company’s security guidelines if they feel like they are driven by the organisation’s leadership and are applied consistently. We recommend internal communications plans are implemented not only to teach process, but to provide reassurance that the organisation does the right thing.

R&C: How do you expect data privacy challenges to evolve in the coming years? In your opinion, do companies need to do more to address this issue?

Turco: We expect to see recent trends amplified. Consumers are continuing to pay more attention to how their data is used. Over the next few years, this awareness and continued understanding of the rights and mechanisms that regulations like the GDPR have made available will strengthen their ability to manage and protect their data. And as the drumbeat of data breaches continues, we predict the public at large will continue to demand more effective legislation in many jurisdictions – and will call for more enforcement and transparency.

MINI-ROUNDTABLE

ASSET-LIABILITY MANAGEMENT (ALM) IN THE CONCEPT OF STRESS TESTING

PANEL EXPERTS

Wei Chen

Director, Global Risk Consulting

SAS

T: +1 (919) 531 0390

E: [email protected]

Wei Chen has led several initiatives including enterprise stress testing and IFRS 9/CECL in recent years. He has worked closely with major financial institutions around the world on business process and requirements, methodology, solution design and implementation. He has more than 15 years of banking and insurance experience in the areas of credit risk, market risk, asset and liability management and liquidity risk from both regulatory and internal management perspectives.

Xavier Vandermosten

Principal Business Solutions Manager

SAS

T: +32 (473) 33 20 17

E: [email protected]

Xavier Vandermosten is a risk domain expert who advises financial institutions on how best to improve their operational, market, ALM and liquidity risks measurements and regulatory compliance. Before joining SAS in 2011, he worked in the financial sector for 20 years, spending around half of his career leading a team in charge of measuring operational, credit, market and business risks, and the other half in IT, leading application development projects. He is a certified financial risk manager of the Global Association of Risk Professionals.

Prashant Dinodia

Solution Lead, ALM

SAS

T: +1 (919) 531 5144

E: [email protected]

Prashant Dinodia is a subject matter expert with over 14 years of experience in several areas of risk management, particularly ALM. He has spent considerable time across several geographical regions globally, as a banker and consultant. Currently, he is the solution lead for ALM solutions at SAS, where he helps financial institutions derive maximum value from their balance sheet management initiatives.


R&C: Could you outline some of the main asset and liability management (ALM) challenges financial institutions (FIs) face? How have the risks and exposures evolved in recent years?

Chen: Given the increasing sophistication of the banking business and the development of funding and risk management instruments, asset-liability management (ALM) requires modernisation. The interactions of the inherent risks underlying banking business call for a comprehensive approach to risk management. The original idea of ALM at banks was to centralise interest risk management, freeing the bank’s business units to handle other risks, including credit risk. The global financial crisis demonstrated how increasing interest rates can drive up credit risk which, in turn, quickly leads to funding liquidity issues, which can further damage a bank’s equity and start a vicious cycle in the entire financial system. Interest rates, credit risk, liquidity risk, reputation risk and so on, cannot be managed in isolation. One challenge to the traditional ALM function is the incorporation of the behavioural and contingent cash flows from both banking and trading activities that are dynamic to the underlying macroeconomic environment. The importance of a coherent view of the underlying cash flows to a bank’s net interest income, funds transfer pricing, credit provisioning, liquidity risk and equity risk becomes more obvious to both bank management and regulators. The enterprise stress testing pioneered by US regulators has led the industry to think about total balance sheet management and optimisation.

Dinodia: ALM has always been a tricky area in the sense of determining which business function should be responsible for it. Depending upon the organisation, we have seen it being housed in risk management, treasury or finance. While operationally it may be owned by a particular department, it is something which needs to be enterprise-wide as it has implications across these areas. There is hardly any other area of risk management which is as pervasive as ALM. Recently, this has become even more challenging as the scope of ALM has widened and the need for some of these stakeholders to be operationally involved with ALM has deepened. This has meant that ALM is no longer a reporting or analytical exercise but is something which is a shared infrastructure. However, most organisations have not been able to reorganise their ALM function, including people, processes and technology, with this enterprise-wide orientation. The other aspect, in terms of the evolution of ALM, has been around what an ALM function is now expected to achieve. While reporting and compliance around interest rate risk and liquidity continues to be important, most institutions expect their ALM processes to deliver in areas far beyond traditional ALM – not only the scope, but also in terms of their interaction. FIs no longer need a data cruncher which produces an asset-liability committee (ALCO) pack, but an interactive and intelligent analytical engine which provides answers and insights around balance sheet management.

Vandermosten: Over the last decade, the financial services business has become more competitive, with very small, even sometimes negative, interest rates, and with rising costs caused by higher capital requirements and higher quality liquidity reserve requirements. All of this has increased pressures on profit margins. In that context, the scenario-based approach to anticipate liquidity and interest rate risk mismatches, and to anticipate margin profitability, might not be enough anymore to be competitive. Having performance analytical tools identifying the optimum balance sheet composition which provides maximum profitability while respecting all the regulatory and internal policy constraints, is required. Performing such an optimisation of the balance sheet considering not only ALM, but all the risk areas, is one of the biggest challenges in the years to come for financial institutions (FIs).

R&C: What steps can FIs take to measure and manage various risks related to ALM?

Chen: A fundamental change to ALM is to recognise the inherent risks to an FI’s business. The industry has taken a few important steps in recent years. First, there has been the introduction of macroeconomic scenario-based risk management and financial planning. This is a good approach toward enhancing coherence. This step brings risk quantification in the industry to a new level. A lot of banks have found challenges in data scarcity and quality, as well as qualified modelling skills. Several risk management and accounting reporting initiatives, such as BCBS 239, regulatory stress testing, interest rate risk in the banking book (IRRBB), liquidity coverage ratio (LCR)/net stable funding ratio (NSFR) and IFRS 9, and current expected credit losses (CECL) in the US, are pushing banks to address these challenges. More specifically to ALM, this change requires scenario and model-based cash flow and economic value projection. The next step is applying the same scenarios and underlying cash flows and values across net interest income (NII), economic value of equity (EVE), funds transfer pricing (FTP), and credit and liquidity risk management for a coherent view by management. Integrating this view into financial and capital planning is a step forward which will allow a dynamic view and proactive management of the fundamental business. For an FI with certain maturity, scenario-based risk and finance integration balance sheet management and optimisation can be achieved for financial stability and competitive strength. Of course, these steps do not have to be strictly sequential. A phased approach is often seen in practice.

Dinodia: We have seen many institutions struggle because their approach to ALM is tactical and narrowly defined. The ALM framework is often scoped out to perform things which are required by current regulation or immediate needs. This leads to a situation where, when any new regulation or business situations arise, ALM is not able to help or add adequate value. So, to manage ALM risks proactively, the underlying ALM framework should be defined in conjunction with the overall risk management framework and with a target-state roadmap in mind. What may be best practice today could be lagging practice in a few years. Banks need to continuously benchmark themselves and make sure that ALM evolves over time. In many cases, we have seen organisations fall into the trap of not touching things for fear of breaking something. ALM is a dynamic area of risk where the various aspects are evolving. Data processes, models, reports and ALM strategies should mimic the underlying nature of ALM risks.

Vandermosten: In the journey from Excel-based solutions to an ALM solution that allows for ALM to be managed in an integrated way and complies with the liquidity and IRRBB regulatory requirements, to a solution that allows for managing the balance sheet considering not only ALM, but all the risk domains, to a solution that allows for optimising the balance sheet, all those steps while adapting to the constantly evolving models, best practices and regulations, it is important and cheaper overall to make the right strategic choices from the beginning. Banks need to choose a flexible and scalable solution, for which the solution provider shares the bank’s vision.

R&C: What benefits can customisable modelling systems bring to an effective ALM framework?

Chen: Risk and financial modelling is crucial to building an effective ALM framework because the challenges in data, methodology and skills modelling are evolving quickly. This evolution requires modelling systems to be more agile than ever before. This is why artificial intelligence (AI) and machine learning (ML) techniques are getting a lot of attention. Generally speaking, the modelling evolution itself will drive up the number of models and the number of model versions. Proper model life cycle management and governance, as well as performance monitoring, is becoming more important than ever. FIs can no longer rely on spreadsheet-based, semi-manual, labour-intensive and error-prone approaches. Powerful data management and integration tools are certainly critical in this Big Data era. But equally critical are powerful data exploration, visualisation and analysis tools that can provide more insights to the modelling teams. Efficient model implementation and execution is another key to the success of a good modelling framework. Banks cannot sustain a long implementation and validation cycle in the information age. A componentised, highly configurable, self-service model implementation platform would help significantly. Given the sophistication of the models and the large volume of data, a good modelling system should be able to take advantage of the scalability that the new technology offers. An efficient model execution can give management valuable time to react.

Dinodia: ALM managers would often say that ALM is more an art than a science. This is because if you compare ALM to other financial risks, such as market risk or credit risk, you will find that the risk factors, such as the deposit behaviour of a customer, customer loyalty, market-wide liquidity availability, reputational events and the pricing strategies of peer banks, are quasi-quantitative. Deterministic models and traditional analysis will not capture the risks and outcomes which are most probably the areas where ALM can add value. This is where customisable and integrated modelling concepts can help. In the ALM world, models need to talk to each other and need to cater for risk factors and situations which are multidimensional. This does not mean ALM models and frameworks need to become black boxes; rather, they should support common business scenarios which can happen in the business environment, enabling banks to use the solution as a realistic and smart analytical tool. AI/ML models in ALM certainly have several use cases, but again, it is not the complexity of the model which will add value but whether the model allows you to simulate the risk events and factors which matter, and provide reasonably accurate results. It is much better to be roughly right than precisely wrong.

Vandermosten: The most important factor with ALM models is their forecasting accuracy and their easy integration into decision making. This is a shift from simply paying attention to a model’s technical capability or description. Model performances will be measured constantly, and if a new model performs better, it will replace the previous one. ALM solutions thus need to allow for multiple models to be tested in parallel and to be able to dynamically replace one model with another very quickly. This flexibility provides a competitive advantage.

R&C: How important is it to stress test aspects such as interest rates and liquidity risk? What insights can this process provide to FIs?

Chen: Stress testing, or more generally scenario-based analysis, of the key risks, including interest rates and liquidity risk, will provide banks with an insightful and forward-looking understanding of the risks inherent to an institution’s core business and its future growth. Many institutions have used so-called ‘what-if’ analysis for management to proactively examine potential vulnerabilities and to increase the confidence in planning. Again, this benefit can only be achieved if the institution has a good stress testing framework in place. Institutions that do not have this vision, and thus do not sufficiently invest, will certainly not see these benefits. We have seen several US institutions that have invested in stress testing, initially under pressure from the US comprehensive capital analysis review (CCAR) requirement, start to reap the benefits. The chief risk officer (CRO) of one of the world’s largest banks gave a specific example of how he was able to understand the bank’s resilience to the dangers of the Chinese housing bubble through the bank’s stress testing capability.

Dinodia: It is not uncommon for institutions to dismiss regulatory stress testing as a compliance burden with little business value. However, stress testing is extremely useful, particularly if institutions perform it as a means of gaining insight, rather than simply being a ‘check box’ process. This is particularly true for liquidity risk, because, by definition, it is something which emerges during stress events. Therefore, it is almost impossible to capture liquidity risk without some degree of stress testing. Even liquidity ratios like LCR and NSFR are frameworks based on stress testing. In general, stress testing forces institutions to model and contemplate scenarios which normally may never be modelled and analysed in day-to-day analysis, and stress testing results can be challenged as something that is very unlikely or imprecise, but the insights and risks that they uncover are real and extremely valuable.

Vandermosten: While stress testing has become increasingly important over the last decade for regulators and boards, it has been quite common in the ALM field for some time, at least for large FIs. This is probably because ALM is the most naturally forward-looking domain: FIs want to anticipate potential liquidity or profitability shortages, even in stressed but still possible conditions. We even see ‘stresses of the stress’.

R&C: To maximise the results of ALM stress testing, is it necessary to run different internal and regulatory scenarios, and compare a range of risk exposures? How can FIs achieve this level of analysis?

Chen: A scenario-based approach has many benefits, but it still largely depends on scenarios. Flexibility to define and run different scenarios is very important to a true ALM stress testing capability. If an ALM system can only accommodate certain predefined scenarios it will obviously suffer. It is important that ALM systems can manage a flexible configuration of a wide range of scenarios. A configurable and powerful system is a good way to achieve this level of analysis.

Dinodia: Scenarios need to be diverse and cover all plausible situations. Some institutions make the mistake of stopping at testing against just one or two extreme scenarios. The outcome is often that stakeholders may dismiss the scenario as unrealistic or a risk-manager’s fear-mongering. Or worse, that it fails to capture the range of outcomes by being too restricted. One of the reasons that regulatory scenarios are often made common across the industry is to allow horizontal comparisons of results across the peer group. It does not mean that the scenario adequately captures the plausible risk factor events applicable to a particular institution. Similarly, scenarios used by one institution may not be appropriate for another. Or, for that matter, a scenario used a few years ago may not be appropriate now. Institutions should employ a range of scenarios, both regulatory and internal, allowing them to unearth risks according to their businesses and environment.


Vandermosten: Stress testing is also about making assumptions on the future evolution of the balance sheet, taking into consideration stressed conditions. This requires FIs to consult almost all the divisions and business lines of an organisation, not only for the base case, but also for stress scenarios. What are the most relevant business stresses that FIs can incur? What is the potential impact on each business line, and on each market interest or FX rate of a stress scenario? These questions must be answered from a business perspective, and must then be translated into ALM calculation scenario parameters. For instance, before the referendum of 23 June 2016, Brexit could have been a relevant stress scenario for many FIs. Instead, it is now a base case scenario. Therefore, it is important to be able to analyse dynamic scenarios, where the size of the balance sheet and the market data is evolving through time, as the horizon of such analysis is typically between one and five years, and to have the capability to easily ‘translate’ business assumptions into parameters.

R&C: To what extent can ALM stress testing assist FIs to meet their regulatory requirements, particularly in terms of analysis, reconciliation and reporting?

Chen: Meeting regulatory requirements should not be the only goal of any risk and financial analysis in an institution, but it is still essential. The requirements to achieve model governance, analysis and reporting accuracy, timeliness and adaptability have significantly increased in recent years. Reconciliation between risk and finance data, analysis results and reports is an inevitable requirement today. A modern ALM system is well positioned to assist institutions to meet these requirements because of its importance to an FI’s core business and the fundamental handling of both assets and liabilities. Of course, the key to success is an ALM function that overcomes myriad challenges. With a traditional, inflexible ALM framework, it is difficult to achieve the ultimate benefits. Many banks have painful experiences to share in their CCAR and Dodd-Frank Act Stress Tests (DFAST) exercises.

Dinodia: Traditionally, there has been a tendency by some institutions to look at ALM as a pure risk management or internal reporting exercise where process robustness, governance and control, and data quality, were not given due importance. However, most institutions are starting to realise that an ALM framework is a foundation aspect which, in turn, needs to feed and support several other areas of risk and finance, often involving regulatory reporting. Also, it makes sense to get things like data and models right once, rather than having to invest time and money each time the same data element or result needs to be used for regulatory or internal reporting purposes.


Vandermosten: An ALM stress testing solution must be sufficiently flexible and scalable to incorporate changes in an FI’s balance sheet activities, portfolio composition, and any new risk that may appear. It should also allow for calculating new stress scenarios in a timely manner to address rapidly emerging risks. In a period of important stress, it might even be critical for the regulators, and the FI itself, to be able to run some scenarios allowing the right regulatory and management decisions to be taken in time.

R&C: What essential advice would you offer to FIs looking to enhance their ALM processes? Does the regulatory outlook suggest this issue will only become increasingly important in the years ahead?

Chen: It is difficult to say for sure where the regulatory requirement will go because there are multiple considerations for regulators. However, the benefit of a sound ALM process is beyond regulatory compliance. ALM has not been primarily for regulatory compliance but for an institution’s own management. An institution will likely only see the benefits that it wants to see. Learning from the past and the mistakes of others would be helpful.

Dinodia: FIs should not look at ALM as merely a regulatory or reporting exercise. Rather, they should design a framework which helps the institution to gain business insight and strategically manage its balance sheet. FIs should also automate their business and spend more time on analysing results, improving assumptions and scenarios and performing business-relevant ad hoc analysis. Finally, FIs should concentrate on building capabilities and a strong ALM foundation.

Vandermosten: The new final European Central Bank (ECB) guidelines for Internal Capacity Adequacy Assessment Process (ICAAP) and Internal Liquidity Adequacy Assessment Process (ILAAP) are clearly underlining the need to integrate ICAAP and ILAAP into banks’ global risk management and business decision-making processes. They also both confirm the need for adequate stress testing. ALM must become better governed, actually be used in decision-making processes by all relevant stakeholders, such as finance, treasury, risk, business lines and management, and become part of global risk management and stress testing. To reach those goals, the automation, integrability, flexibility and scalability of an ALM system are key.

MINI-ROUNDTABLE

INSURERS – PREPARING FOR IFRS 17

PANEL EXPERTS

David Anderson

Director, Risk Consulting

KPMG

T: +1 (919) 664 7100

E: [email protected]

David Anderson is a director in KPMG’s risk consulting practice and has extensive experience developing customised solutions to solve the largest and most complex operational, regulatory and accounting-driven changes in the banking, insurance and asset management industries. He has proven leadership experience driving finance transformation projects throughout the financial services sector, including the rollout of risk and credit-based frameworks for CECL and IFRS 9. Additionally, Mr Anderson leads global IFRS 17 adoption projects, overseeing workstreams including technical accounting and actuarial change, data management, solution development and implementation, and regulatory and audit management.

Agustin Terrile

Business Manager

SAS

T: +54 (11) 4878 4539

E: [email protected]

Agustin Terrile has over 10 years of experience in financial services industries, with a focus on actuarial modelling, economic capital, IFRS17 and IFRS9. Prior to joining SAS, he was an actuarial manager at Deloitte.

Jim Zhang

Senior Industry Consultant

SAS

T: +1 (416) 307 5056

E: [email protected]

Jim Zhang is a senior consultant for the insurance solutions at SAS. He has more than seven years of experience in the insurance space. Mr Zhang specialises in measurement techniques, treatments and reporting for IFRS 17. Prior to joining SAS, he was an actuary at Manulife.


R&C: Could you outline the main reasons behind the introduction of IFRS 17? What impact do you believe it will have on companies?

Anderson: IFRS 17 was introduced by the International Accounting Standards Board (IASB) to bring consistency and increased transparency to insurance accounting. Under IFRS 4, insurers were permitted to use a broad variety of practices which commonly amounted to local generally accepted accounting principles (GAAP) and accounting for similar contracts under different accounting policies, depending on the jurisdiction. Under IFRS 17, which represents the first international accounting model specifically for insurance contracts, insurers are required to apply consistent accounting policies for all insurance contracts which will make it easier to compare results across products, geographies and companies that apply the standard.

Zhang: The reasons behind IFRS 17 are to improve transparency and comparability in the measurement of insurance contracts, ensure consistency in the recognition, as well as in the timing, of profits earned, ensure revenue from insurance servicing and investment income is clearly segregated, and standardise the presentation of financial statements and disclosures. In addition, the IASB has also tried to ensure insurers use updated assumptions and discount rates in the valuation of insurance liabilities – thus continuing to move towards a market-consistent valuation approach. We also see similar themes in the Financial Accounting Standards Board’s (FASB’s) targeted improvements to the accounting for long-duration contracts – that standard is also pushing for updated assumptions, fair value treatments for market risk benefits and more transparency around judgements embedded in financial statements. As regards impact, both standards will have a dramatic impact on accounting policy, financial disclosure, data requirements and exposures held – but, most importantly, the new accounting approach will shed more light on the risks and performance of insurance contracts held.

Terrile: The standard in ‘Reasons for issuing the Standard’ states that IFRS 4 allowed the use of a wide variety of accounting practices “making it difficult for investors and analysts to understand and compare insurers’ results”. To overcome this situation, the IASB is proposing a “unique framework” on how to recognise, measure, present and disclose insurance contracts. The introduction of IFRS 17 will affect the entire information system, but the main impact will be related to how earnings are measured and recognised, based on patterns.

R&C: What challenges does IFRS 17 present? What steps should affected companies take to prepare for its introduction, scheduled for 1 January 2021?

Zhang: IFRS 17 is a radical change to the way insurers measure and report on their liability. There are challenges in the interpretation of the standard, challenges in the implementation and there will likely be challenges post adoption – so it will be some time before the dust settles. First, interpretation of the standard has been difficult and there are several decisions to make – for example, deciding the right grouping criteria to use, the discount rate approach to use and the right pattern to use for contractual service margin (CSM) release. There are still several open items that industry and the Transition Resource Group (TRG) are debating, such as treatment of reinsurance contracts. So, several accounting and actuarial challenges remain. Implementation is equally challenging – from change in accounting policy, actuarial models, business assumptions, data requirements, technology requirements, and audit and governance requirements. The widespread impact has also created organisational challenges, accelerating the need for greater alignment across functions, to ensure there is a common set of assumptions and interpretations of the standard. One insurer joked that IFRS 17 has led to the creation of a new ‘accountuary’ role and has helped break some internal silos. Last but not least, resourcing is a critical challenge for the industry at large.

Terrile: There are several challenges when implementing IFRS 17 related to data preparation, measurements, reporting, process orchestration and auditability. A gap analysis for each individual task, as well as together, is key to being well-prepared when the standard comes into effect. Examples include understanding the variety of sources and the availability of information. Data quality rules are also important to ensure that all relevant information is used. In addition, companies should ensure they have the capability to measure all possible scenarios, including onerosity and its reversion – a key aspect in validating the correctness of the valuation. Otherwise, remedy action should be put in place, including analysis of its materiality.

Anderson: IFRS 17 introduces more granular estimates, assumptions and data requirements that are not part of insurance accounting today. The primary concern for many insurers is the availability and sourcing of quality, controlled data required to derive the estimates and complete the calculations used in the preparation of the financial statements. If they have not already, companies should conduct an impact assessment to evaluate how the change will affect their accounting, operations, data, actuarial modelling and, ultimately, their financial statements. Companies should plan for a year of parallel runs prior to the effective date to understand and master the full impact on their business and operations, working their implementation plans backward from there.

R&C: What governance and oversight considerations do companies need to make, to manage the risks associated with IFRS 17 implementation?

Anderson: There are multiple layers of governance and oversight for such a broad-reaching standard. Companies need to appoint a steering committee with appropriate executive leadership and oversight to ensure consistent messaging and to drive progress across the company. Risks include implementation risk, audit risk and timing risk. Due to the complexity of CSM calculations, more technical skills are also needed to produce and interpret results, which will require tight interactions between, and oversight of, cross-functional accounting, actuarial and technology teams.

Terrile: IFRS 17 is an accounting process and, as such, certain requisites are required to guarantee the reasonability of each accounting statement. Validating the integrity, existence, measurement and exposure are key elements in ensuring the correctness of each statement. A robust process also needs to ensure data traceability and generate auditable evidence of the work done by each employee so that they can be accountable for their actions. The highest risk associated with an IFRS 17 implementation is to end up with a process that cannot provide values with a certain ‘degree’ of accuracy. In this sense, the implementation process is as important as the accounting process itself, and as such, top executive involvement is key to guaranteeing suitable governance. Clear plans with defined responsible parties, expected outcomes and cross-controllers by task are essential in order to achieve this.

Zhang: The broader impact of IFRS 17 requires governance across the entire programme. First, governance around the accounting policy and decisions on materiality, as well as implications around the methodology applicable for these portfolios, for instance portfolios that may qualify for the premium allocation approach (PAA). Second, governance around the models, scenarios and cashflow assumptions used for different products. Third, governance around ensuring that insurers’ interpretation of the standard is properly relayed and implemented by their data, IT and vendors. Finally, it is important to ensure the software implementation of the standard is built with the right controls and transparency to ensure governance and auditability of all the pieces that go into the financial reporting and disclosures.

R&C: What benefits and opportunities might conversion to IFRS 17 present to proactive, forward-thinking companies?


Terrile: The inclusion of a risk adjustment (RA) in the reserving process could help entities in the decision-making process, by showing the performance of each business unit under a risk-return basis as opposed to only return. An onerous contract could be profitable in absolute terms, but not in terms of the risk it is generating. The RA reflects the compensation that the entity requires for bearing non-financial risk, being the best representation of the cost of capital method. In this context, the CSM could be considered as excessive profit in relation to the risk the entity is exposed to, and could provide a good view of those businesses that are adding or destroying value from a risk perspective. The use of CSM for business planning, strategic decisions or risk premiums definition could be the first step in using risk as a decision driver.

Zhang: It is still a bit early to know the broader impacts of IFRS 17. That said, what is clear is that IFRS 17 is driving institutions to rethink a number of their internal processes, business drivers, product strategy, pricing, data landscape and implementation approaches. We see two broad trends: institutions that view IFRS 17 as a minimal compliance exercise and institutions that view IFRS 17 as an opportunity to modernise their processes and systems. Some institutions see IFRS 17 as purely a compliance exercise, necessary but with no long-term benefits. That said, these institutions do plan to leverage the IFRS exercise to achieve greater operational efficiency through improved data, processes and automation capabilities and look to reuse these for other parts of the business. Other institutions view IFRS 17 as an opportunity to modernise. In addition to operational efficiencies, these institutions seek to integrate the IFRS 17 measures and approaches in the financial planning process. This means aligning pricing and business decisions based on their IFRS reporting structures and hierarchies. These institutions will also look to drive business decisions using the data as well as analytics developed as part of the IFRS 17 exercise – from product redesign to internal cost transfers and asset-liability management (ALM).

Agustin Terrile, SAS: “The implementation process is as important as the accounting process itself, and as such, top executive involvement is key to guaranteeing suitable governance.”


Anderson: Companies are encouraged to move beyond a minimal compliance model that adds few incremental benefits to the organisation and look instead toward tangible, value-added approaches which improve management ability to monitor and operate the business. The incremental data and processes required by IFRS 17 provide a significant opportunity to maximise value and look at the business from a fresh perspective. Industry analytical tools can provide a vehicle to assess trends and forecasts for products, and link forward-looking predictive results to underwriting, accounting policy and reinsurance decisions. IFRS 17 offers a once-in-a-generation opportunity to modernise data sourcing and analysis tools, while leveraging the non-negotiable investments required to achieve compliance. Carriers that make this strategic incremental investment today will realise lower operating costs and more closely aligned financial and operational business decisions tomorrow.

R&C: With some of the most significant accounting changes in the history of the insurance industry all going into effect at the same time – for example, IFRS 17, IFRS 9, CECL, LDTI, and so on – what are companies doing to streamline accounting and reporting processes across the organisation based on the breadth and scale of these new standards?

Zhang: Global multinational insurers reporting under GAAP and IFRS have a rough road ahead, with several new standards emerging, from IFRS 17/long duration targeted improvements (LDTI) to current expected credit losses (CECL) and IFRS 9. In terms of IFRS, there has not been adequate debate or consensus on the interactions between IFRS 17 and IFRS 9. It is quite common to see these standards being addressed and solved separately. However, some leading institutions are starting to look at things more holistically to ensure there are no accounting mismatches between the assumptions and allocations between the asset and liability side. For example, is there any impact of electing to flow interest rate changes on the IFRS 17 side via other comprehensive income (OCI)? What is the interaction, if any, of similar elections on IFRS 9 for Fair Value through OCI (FVOCI)? If we now layer on CECL and LDTI, there is additional complexity for consistency in measurement across the standards, reporting across different accounting regimes, consolidation and, more importantly, profit and loss (P&L) impacts. What is clear is that it is important to get the foundational design structures right from the start. It will be important to make longer term design and platform decisions that allow insurers to analyse impacts across the standards.

David Anderson, KPMG: “The incremental data and processes required by IFRS 17 provide a significant opportunity to maximise value and look at the business from a fresh perspective.”

Anderson: One of the greatest and most immediate opportunities to maximise efficiency and value is to leverage concurrent workstreams for accounting-driven change – IFRS 17, IFRS 9, CECL and LDTI – rather than completing each in a silo. Software solutions in the industry provide the opportunity for a centralised approach which can handle data sourcing through the requisite calculations and financial reporting, all within a common platform. Entities will be able to configure separate workflows within a centralised solution to encompass the specific requirements of each standard, but the usage of a common interface across the organisation leads to synergies from a reduction in redundant training and technology or IT support to streamlined process and controls.

Terrile: Entities have different strategies to comply with busy timelines generated by the new standards. Nonetheless, there are two things worth mentioning. First, entities that have existing platforms to cover one of the standards are trying to extend functionality by adding new content, such as IFRS 9 and IFRS 17, so that they can leverage existing knowledge. Second, entities are trying to cover more than one standard with one platform, so that the learning curve is done only once. These strategies are based on the idea that most standards compliance processes – data management, engine provision and reserving, accounting and process orchestration and most of the time rely on the same persona and manager – are similar.

R&C: What is the current state of implementation with IFRS 17? What is the impact of the one-year delay on implementation plans?

Terrile: The two main drivers that affected the state of the IFRS 17 implementations were the size of the entity and jurisdiction. Tier 1 entities were most concerned about the complexity of implementation and started the process of selecting software earlier. The delay partially affected implementation plans, because IFRS 17 teams were already in place and they decided to continue with the process. Mid-size entities, on the other hand, were just starting the selection process when regulation was delayed and, in general, decisions were delayed for around six months. Regarding jurisdiction, those with high expectation of adoption by local regulation, like Canada and Europe, started the process earlier, unlike Latin America and the US. The delay gave them time to re-evaluate their plans, but also to review controversial topics such as mirroring, allocation, risk mitigation and analysis of change.

Anderson: The IASB delayed implementation by a year due to reopening the standard, and insurers should capitalise on this time to optimise their implementation efforts. Many insurers were significantly behind in their assessments and implementation planning. This delay provides issuers with the opportunity to get back on track and optimise their implementation plans. There is a significant risk that certain insurers will try to de-prioritise IFRS 17 and will end up in the exact same situation the following year. Carriers that wait face higher implementation risk, and may find that ‘A-team’ talent has been committed to projects that stayed the course. Optimising implementations will allow companies to add value to their organisations through more productive enterprise finance transformation activities rather than relying on minimal effort now, which will often lead to higher expenditure in the long run.

Zhang: Some insurers started implementation early last year while others are only now performing their impact analysis. The early adopters have completed their impact analysis, established an initial view on accounting policy, and identified products for which the applicability of IFRS 17 is clear. For other products, such as reinsurance or products that may or may not qualify for PAA, there are ongoing policy and methodological discussions on the best way to classify and measure liabilities. These insurers have also completed their IFRS 17 solution selections and are in the process of installing and testing their initial set of use cases and portfolios using their platform of choice. The emerging best practice is to use a sandbox-type environment to test out multiple use cases end-to-end; that is, take a single product and go from grouping to measurement to postings. This allows insurers to not only effectively test their technology solutions, but also gives them a better understanding of all flows and control points that will need to be implemented in their final business as usual (BAU) process. The end-to-end run also gives insurers a better understanding of the desired level of information needed to support various reporting and analytical requirements.

R&C: What are the big implementation challenges that you see with IFRS 17? How are insurers approaching reporting and analytics needed for IFRS 17?


Anderson: Producing more granular source data will strain many carriers, as will the need to link accounts receivable to specific policies for asset-liability presentation. The standard’s requirement to more tightly link financial reporting, reserving and underwriting views in the portfolio-grouping decisions also represents a new interconnectivity requirement. Efficiently flowing this underwriting information into the financial close and controls frameworks is needed to maintain operating costs and close calendars. On the plus side, these requirements will allow underwriters and local managers to access more relevant financial information that is composed ‘bottom up’ from their policy portfolios, compared to current processes which rely on more ‘top down’ allocations.

Zhang: There are several implementation challenges with IFRS 17 – from interpretation of guidance to actuarial models, systems, data, processes and resources. First, fixing data gaps will be time consuming. This ranges from availability of data – historical data as well as going forward – granularity of data, the number of source systems and the structure of the data. For example, many companies may have expenses at a different aggregation level and this needs to be reallocated to their IFRS 17 grouping hierarchies. Second, depending on the methodology selected, actuaries will have to update their models to reflect new scenarios, assumptions and outputs required for measurement. Third, decisions need to be made about the measurement components – from the approach to calculate discount rate to the valuation of the time value of the guarantee (TVOG) and embedded guarantees for the variable fee approach (VFA). Fourth, converting actuarial output into accounting events and postings that roll into the IFRS 17-specific chart of accounts will require reengineering. Fifth, a configurable framework for reporting will be critical. The standard is still evolving, and hence flexibility to change drivers and orderings for reporting on movements or analysis of change (AoC) will be important. Finally, automating all the processes in a governed and automated fashion will require the right technology solutions.

Jim Zhang, SAS: “The standard is still evolving, and hence flexibility to change drivers and orderings for reporting on movements or analysis of change (AoC) will be important.”


Terrile: One of the main challenges during the implementation phase is the definition of the groups of contracts (GoC), because it affects the entire process: input data, the number of extract, transform and load (ETL) processes, methodology, the allocation of RA and reporting. If the GoC is calculated at a low level, the number of ETL processes that are required to feed the engine could be problematic. Also, the time required to process the information could increase exponentially if the software cannot scale horizontally. From a methodological point of view, allocation could be a big challenge, such as expense risk adjustment. On the other hand, when GoC is selected at a high level, other challenges could come up, such as detailed information and analysis of change of CSM. Low granularity may be required for internal reports, such as by channel and region. In these cases, a reporting problem is transformed into a post-measurement allocation problem, and approximation methodology is required.

MINI-ROUNDTABLE

SEGMENTATION AND AI IN AML ALERTS

PANEL EXPERTS

Alma Angotti is a managing director and co-head of the Global Investigations & Compliance practice at Navigant. With over 25 years of regulatory practice, Ms Angotti has held senior enforcement positions at the SEC, Treasury’s Financial Crimes Enforcement Network (FinCEN) and FINRA (Financial Industry Regulatory Authority). In these positions, she was responsible for conducting investigations involving securities fraud, insider trading, financial fraud, anti-money laundering (AML) and counter terrorist financing, market manipulation, investor and market protection, and other regulatory violations.

Alma Angotti, Managing Director, Navigant
T: +44 (0)738 702 730
E: [email protected]

Salvatore LaScala is a managing director and co-head of Navigant’s Global Investigations and Compliance Practice in New York, NY. Possessing a broad range of subject matter knowledge and expertise, Mr LaScala applies his 20-plus years of hands-on experience to conduct investigations and compliance reviews on behalf of financial institution clients responding to regulatory or law enforcement matters concerning anti-money laundering, the Bank Secrecy Act, the USA PATRIOT Act and the Office of Foreign Assets Control.

Salvatore LaScala, Managing Director, Navigant
T: +1 (212) 554 2611
E: [email protected]


R&C: Could you provide an overview of how technology is transforming financial institutions’ (FIs’) anti-money laundering (AML) processes?

Angotti: Technology enhancements in financial institutions (FIs) are becoming indispensable to managing financial crime risk. Regulators expect FIs to make use of the enormous amount of data they have about their customers and their customers’ transactions. The only way to effectively identify risk from all of this data is through technology. The United Nations Office on Drugs and Crime estimates that money laundered globally is about 2-5 percent of world GDP annually, about $3 trillion. In addition, the number of noncash transactions will increase as mobile technology – mobile wallets and mobile money transfers – are introduced into the global market and emerging markets. For the past few years, FIs have wrestled with methods to minimise loss, remain efficient and maintain proper regulatory compliance. Technology is transforming FIs’ anti-money laundering (AML) processes by efficiently sorting through large amounts of data, developing more useful predictive modelling and using client segmentation and behavioural patterning. Technology has the potential to better identify risk, by eliminating some of the ‘noise’ in the data and by enabling compliance personnel to concentrate on actual risk.

LaScala: Over the past few years, FIs have begun to embrace robotic process automation to expedite their more tedious work. This is achieved by either business process automation or by using ‘bots’ designed to perform automated and repetitive tasks. As such, AML analysts and investigators derive increased efficiencies and get to focus on the AML typologies, rather than gathering and exhibiting investigative artefacts. This shift in focus results in increased quality, productivity and employee satisfaction. At the same time, tremendous strides in artificial intelligence (AI) and machine learning (ML) are working to increase the quality of AML alerts while decreasing the volume. Access to this broader collection of cognitive tools, which have evolved significantly in recent years to include ML, deep learning and advanced cognitive analytics, will, no doubt, yield remarkable benefits relating to the effectiveness and efficiency of AML transaction-monitoring systems.

R&C: With AML departments sifting through many alerts to pinpoint suspicious activity, can you outline specifically how artificial intelligence (AI) and segmentation help FIs to avoid wasting time and effort on too many low value alerts?

LaScala: FIs typically interrogate activity of one large business without segmenting that business into the different kinds of customers. For example, in retail banking, there might be ‘premium banking’, which covers students, recent graduates and middle-class to upper-middle-class-income customers, with a split only at the ‘private banking’ level. This can result in applying only one set of rules with one set of parameters to all the ‘premium banking’ customers. Applying AI to the ‘premium banking’ segment can result in the identification of four or five separate subgroups of customers that behave similarly and, as a result, now have their own segments. Customising the parameters of the detection scenarios to each of those additional segments, in our experience, has resulted in significant efficiencies by reducing the false positives caused by applying one set of detection scenario parameters to very diverse groups. Segmenting and customising the scenarios has been shown to identify previously undetected suspicious transactional activity with many fewer false positives. This combination of more effective and more efficient monitoring is our goal.
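The per-segment parameter tuning described in the answer above, as an added illustration that is not part of the roundtable and not Navigant's tooling. It assumes a single detection scenario on monthly cash-deposit totals, a constructed set of 'premium banking' customers, and subgroup labels that have already been assigned (the clustering that would produce them is out of scope, so the labels are given as input). One book-wide threshold is compared with a threshold derived from each subgroup's own behaviour.

```python
"""Per-segment tuning of an AML detection-scenario threshold.

Added illustration, not code from the roundtable or from Navigant.
Every customer record, subgroup label and amount below is constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: one month of cash-deposit totals for customers who all
# sit in the bank's single 'premium banking' book. The subgroup label stands
# in for the behavioural clusters the answer says AI can surface; producing
# those clusters is out of scope here, so they are given as input.
CUSTOMERS = [
    # (customer_id, behavioural subgroup, monthly cash deposits)
    ("C01", "student", 300),
    ("C02", "student", 450),
    ("C03", "student", 380),
    ("C04", "student", 9000),        # constructed outlier for a student
    ("C05", "graduate", 1500),
    ("C06", "graduate", 1800),
    ("C07", "graduate", 1650),
    ("C08", "graduate", 1700),
    ("C09", "upper-middle", 7500),
    ("C10", "upper-middle", 8200),
    ("C11", "upper-middle", 7900),
    ("C12", "upper-middle", 8100),
    ("C13", "upper-middle", 40000),  # constructed outlier for this subgroup
]

# One parameter for the whole book: the 'one set of rules, one set of
# parameters' situation the answer describes. The value is an assumption.
GLOBAL_THRESHOLD = 5000


def alerts_global(customers, threshold=GLOBAL_THRESHOLD):
    """Alert every customer whose deposits exceed the book-wide threshold."""
    return sorted(cid for cid, _seg, amt in customers if amt > threshold)


def segment_thresholds(customers, k=5.0, mad_floor=50.0):
    """Derive one threshold per subgroup: median + k * MAD.

    MAD (median absolute deviation) is used instead of mean/standard
    deviation so that a genuine outlier inside a small subgroup does not
    inflate that subgroup's own threshold and hide itself. mad_floor stops
    a near-constant subgroup from getting a threshold equal to its median.
    k and mad_floor are tuning assumptions, not values from the page.
    """
    by_segment = defaultdict(list)
    for _cid, seg, amt in customers:
        by_segment[seg].append(amt)
    thresholds = {}
    for seg, amounts in by_segment.items():
        med = median(amounts)
        mad = median(abs(a - med) for a in amounts)
        thresholds[seg] = med + k * max(mad, mad_floor)
    return thresholds


def alerts_segmented(customers, k=5.0):
    """Alert each customer against its own subgroup's threshold."""
    thresholds = segment_thresholds(customers, k)
    return sorted(cid for cid, seg, amt in customers if amt > thresholds[seg])


def compare(customers):
    """Which global alerts the segmented scenario drops and which it keeps."""
    global_alerts = alerts_global(customers)
    segmented_alerts = alerts_segmented(customers)
    return {
        "global": global_alerts,
        "segmented": segmented_alerts,
        "dropped_as_normal_for_segment": sorted(
            set(global_alerts) - set(segmented_alerts)
        ),
    }


if __name__ == "__main__":
    for seg, th in segment_thresholds(CUSTOMERS).items():
        print(f"{seg:13s} threshold {th:,.0f}")
    print(compare(CUSTOMERS))
```

On the constructed data the book-wide rule alerts the four ordinary upper-middle customers simply because their normal deposits exceed 5,000, while the per-segment rule keeps only the two constructed outliers (C04 and C13). In a real programme each subgroup threshold would be validated with below-the-line testing and documented, which is the transparency regulators expect later in this roundtable.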

R&C: What should be the key strategic considerations for FIs when using AI as part of the AML alert process? How would you characterise the importance of AML alert analysis along the suspicious activity decision chain?

Angotti: The AI process requires a strategic approach. Regulators need to see a clear objective; therefore, it is important that an FI start small. The FI should target specific areas with proper testing and controls. Second, be transparent. Regulators and auditors need the opportunity to access and understand the solutions that have been provided. Third, be effective. The AI must efficiently and effectively address the risks and concerns of the FI and provide apparent improvements. Next, the institution should document a clear justification for the results of the AI. Subject matter experts (SMEs) must support, review and test the results. The FI must utilise technology with an industry-proven and vetted track record. Lastly, the AI should not be considered a replacement for investigators, analysts and quality assurance professionals, but rather AI should support them. This strategic AML analysis plays a very important role along the suspicious activity decision chain. The data captured through the AML process is used to justify and develop the potential suspicious activity report (SAR). Therefore, it is important that the AML process employ a strategic approach when analysing suspicious activity.

Alma Angotti, Navigant: “The AI process requires a strategic approach. Regulators need to see a clear objective; therefore, it is important that an FI start small.”

R&C: What transaction data is typically utilised in the AML alert analysis process? What key data needs to be made available to the recipient of an analysis, such as an auditor or regulator?

LaScala: The transaction-monitoring systems consume many data points to generate alerts. In some respects, it is better to define which information not to include, which might consist of automatic, accounting or administrative financial events. Nearly everything customer-activated is in scope. Deposits, withdrawals – by cash, check, monetary instrument, wire or automated clearing house – are just a few. Transaction codes, product codes and any predetermined risk codes or industry designations are also frequently consumed. In addition to the transactional data and the transaction codes, customer reference data is key. This can include account name, number, opening date, closing date, occupation, politically exposed person status, and more. Additionally, the list of products the customer uses, such as custody, trading, online banking, remote deposit capture and international wires impact transaction monitoring. All the data above will be used by an astute investigator or analyst to disposition an alert. In fact, typically all detection scenario alerts are reviewed to ensure that the data points that compose them were appropriately identified. If any of the data points were not appropriately identified, the alert could be a false positive. When the investigator dispositions the alert, he or she should be working from a defined investigative protocol specific enough to be tested. Moreover, the documentation included to support the alert should consist of enough exhibits for a third party to repeat the work and come to the same conclusion as the investigator. As such, other stakeholders such as internal audit or examiners should receive the entire investigative file and the exhibits prepared by the investigator.

Salvatore LaScala, Navigant: “Segmenting and customising the scenarios has been shown to identify previously undetected suspicious transactional activity with many fewer false positives.”

R&C: In what format should alerts and resolutions be presented to an auditor or regulator in order to reduce the number of analysis failures? To what extent are alert analysis failures a root cause of AML problems?

Angotti: AI can help make the alerts more productive, but alert analysis will continue to be heavily dependent on SMEs evaluating the output – that is, identifying suspicious activity. Transaction monitoring is a combination of people, processes and systems. Alert analysis failures sometimes do contribute to the failure to identify risk. If the FI is not properly trained and lacks robust documented processes, protocols or decision matrices, then the analysts may not properly identify the risk of the alerted transactions. In addition, the FI must institute a good quality control programme, to make sure the analysts are following the procedures, and a good quality assurance programme to make sure the procedures are fit for purpose. Institutions need to focus on those aspects of the programme to show regulators that the current Bank Secrecy Act (BSA) or AML programme can effectively identify transactions or accounts that may be suspicious and reportable.

LaScala: Alerts and resolutions or dispositions should be given to an auditor or regulator with the investigative protocols that the investigator used for the case. Additionally, the investigative memo and any exhibits should be provided in one physical or electronic folder. If stored electronically, the exhibits should have standard naming conventions to facilitate review. In essence, provide the reviewers everything they need in a very organised fashion so that they can focus on the analysis rather than being distracted by trying to figure out the process.

R&C: What steps should FIs take to develop an action plan that allows them to research and resolve AML alerts and maximise the effectiveness of their AML protocols?

Angotti: AI requires human tuning and input and human analysis of the output. Data scientists and SMEs must work with AI to test and tune it appropriately so that it works as intended. The FI should prioritise two things: first, analysing the high-quality alerts, and second, creating a symbiotic relationship between the SMEs and the domain experts. The FI should prioritise the most productive alerts produced by AI because AI and intelligent segmentation are able to identify behavioural patterns that traditional transaction monitoring is not. The domain experts alongside the SMEs should play a leading role in assessing the relevancy of the data used by the AI. If the integrity of the data input into the AI is inadequate, the AI output will be inadequate and create low-quality alerts. The priority should be on building a team of data scientists and SMEs who work in conjunction to create an efficient and effective BSA or AML AI programme. The overall process needs to be connected throughout.

R&C: Going forward, do you anticipate segmentation and AI will continue to improve AML processes? What innovations are in the pipeline?

Angotti: Intelligent segmentation and AI will improve as they become more mainstream. Eventually, intelligent segmentation and AI will become more widely recognised and they will not only become a requirement in the financial services industry, but regulators will begin to expect intelligent AI as a best practice in compliance. Segmentation will also become smarter as technology focuses more on behavioural and transactional patterns instead of traditional static coarse segments. Data scientists and SMEs will continue to improve supervised and unsupervised ML through tuning and evaluation. For example, the initial review of alerts may be completed by AI with little to no human interaction. Human analysts can then review the alerts most likely to identify true risk.

LaScala: We have only just begun to exploit the

insights to be gained by AI in the AML process. It is

important to proceed with highly documented and

transparent protocols to help ensure the continued

support of regulators and law enforcement. Cloud-

based software can potentially answer millions of

questions by scanning financial information, as well

as drug approvals, economic reports, monetary

policy changes and political events. The possibilities

are endless. RC&

SEGMENTATION AND AI IN AML ALERTS

RISK & COMPLIANCE Apr-Jun 2019102 www.riskandcompliancemagazine.com

PERSPECTIVES

ENSURING THE FUTURE OF AUDIT

BY PETER SWABEY

> ICSA: THE GOVERNANCE INSTITUTE

The audit profession has been under pressure in recent years, with much publicised scandals at Tesco, Patisserie Valerie, BHS and Carillion propelling the usually quiet world of audit to the forefront of public consciousness for all the wrong reasons. Presumably with cries of ‘where were the auditors?’ resounding in her ears, Rachel Reeves, the chair of the Business, Energy and Industrial Strategy Select Committee, commented in November 2018, when launching an inquiry into the future of auditing, that “Misleading audits have been at the heart of corporate failures over recent decades. Recent accounting scandals at BHS, Carillion, and at Patisserie Valerie have shown accounts bearing closer resemblance to works of fiction than an accurate reflection of the true financial performance of the business. Repeated accounting failures have contributed to the collapse of major businesses and undermined public and investor confidence. The audit market is broken.”

Consequently, the profession has come under enormous scrutiny, with the Competition and Markets Authority (CMA) undertaking a study ‘to see if the market is working as well as it should’ and Sir John Kingman carrying out an independent review for the government on the role and performance of the regulator, the Financial Reporting Council (FRC). With the dominance of the ‘Big Four’ audit firms – KPMG, PwC, EY and Deloitte – being called into question, and even the performance of individual audit partners coming under challenge, there are some serious governance concerns that also need to be addressed.

The expectation gap

Firstly, there is a marked difference between what an auditor would say audit is supposed to achieve and what the press and public believe this to be. As the CMA consultation showed, there is a definite ‘expectation gap’: “Stakeholders’ expectations of statutory audit may differ from what it is required to provide by law. Sources of this gap may include expectations some stakeholders have of auditors in providing assurance on the business’s future viability.”

There needs to be a much better understanding of who the stakeholders of a statutory audit are and what purpose it serves. As we noted in our response to Sir John Kingman’s review, “There is an important education issue here – the political, press and public expectation of the role of audit is very different from what an auditor would perceive it to be. Whether this education should be undertaken by the FRC, perhaps through the Auditing Practices Board and funded by an increased levy on audit firms, which we believe to be the better solution, or by the accountancy profession itself is a matter for them. Equally, whether the law or regulation should be changed to bring those two views into line is a matter for the government and/or the FRC.”

Separating fact from opinion

A number of the ‘accounting scandals’ that we have seen in recent years have questions of judgement at their heart. We believe that a particular value being regarded as crystallised in the accounts should be a question of fact rather than opinion – either it is yours or it is not. It should not be possible for one accountant to draw up the books for a period and have them audited against current accounting standards and come up with ‘X’, and for another to perform the same exercise, for the same period, have it audited by a different auditor and find a difference of millions. Such restatements are not to the benefit of shareholders, and a detailed examination of the appropriateness of the use of fair value accounting would be an extremely useful first step in improving the quality of the audit.

A question of choice

Appointing, replacing and ensuring the independence of the auditor are key areas of responsibility for the audit committee. While there is a perception of a cosy club of unchallenged members in some quarters, in our experience the audit committees of most larger corporates consist of independent non-executive directors who have been appointed by shareholders to address this ‘principal-agent problem’.

Competition in the audit market between the ‘Big Four’ and other firms is a much debated topic. The CMA study refers to “the unwillingness of larger corporates to appoint the mid-tier auditors” and goes on to state that “the majority of audit committee chairs for FTSE 350 companies would not consider a mid-tier firm to be a credible auditor for the scale and complexity of their businesses. In particular, for FTSE 350, or other large companies with significant international operations, there is a perception that only the Big Four have sufficiently developed international networks to service such accounts.”

Such an analysis places responsibility on larger corporates alone, which is unfair. The chief weakness of the audit market is the lack of confidence, not just on the part of companies, but also on the part of investors and some regulators, in the ability of auditors outside the Big Four to provide an audit of an adequate standard for large, multinational companies. While this perception may be unfounded in some cases, in others there is some evidence to suggest that only the very largest audit firms have sufficient range to carry out an audit of an appropriate standard for more complex international companies.

The accuracy of this perception should be tested by an independent body to prove if mid-tier firms are indeed capable of auditing the very largest companies. That said, even if these firms were willing to make the necessary investment to encourage greater confidence in their auditing ability, there is no certainty that larger corporates would take them up on their offer.

According to Grant Thornton, larger corporates have been more willing to consider a mid-tier firm as part of the audit tender process following the intervention of the Competition Commission, but are no more willing to actually move to one. The attitudes of their shareholders and regulators inevitably play a part in this reluctance. This is probably one of the most important issues affecting the competitiveness of the audit market.

How to improve the quality of audit

There have been various suggestions as to how to improve the quality of audit, ranging from breaking down the dominance of the ‘Big Four’ to replacing the FRC with a new body, the Audit, Reporting and Governance Authority.

Ending the dominance of the ‘Big Four’ is not a panacea and it is unlikely that such action will prevent accounting failures in the future. Refining the quality of the work done by the appointed auditor is where the real focus should lie: improving training to foster a greater spirit of professional scepticism among auditors. Revisiting accounting standards to give greater clarity on where judgement has been applied by both the preparer and auditor would also help.

Separating the audit function from the non-audit practices of audit firms is unlikely to be a magic bullet either. In many cases, non-audit services are more remunerative than audit services. If the ‘brightest and best’ move toward the better remunerated consultancy roles and leave the basic audit work to others, this is unlikely to improve the standards of auditing. Furthermore, there is anecdotal evidence that partners in other areas of practice within the Big Four firms are becoming increasingly irked by the need to defend audit scandals when they are pitching for business. Internal pressures of this kind provide a commercial imperative for audit firms to improve their own quality and this will be lost if the businesses are separated.

Similarly, there is no independent evidence that joint audit is effective and there are legitimate concerns that it will increase costs for companies, both financially and in terms of management time, as well as create confusion if the joint auditors disagree about a particular treatment.

One of the key challenges for the FRC has been the fact that its role has changed incrementally over time, but its powers have failed to keep pace with its changed responsibilities and the expectations that politicians, the media and public have of its role. As Sir John Kingman so succinctly put it, “some of the biggest and most important economic actors in the UK are still regulated not by an independent body but, in effect, by their trade association”, one which has limited or non-existent powers.

The fact that the suggested new regulator would have statutory powers and clear terms of reference from the government is more important than the fact that it is a new regulator or that it has a new name. More proactive enforcement by the regulator in the event that audits are found to be substandard, and the increased focus on the responsibility of the audit committee for ensuring the quality of the audit received, are the best chance of improving auditing. RC&

Peter Swabey

Policy and Research Director

ICSA: The Governance Institute

T: +44 (0)20 7612 7014

E: [email protected]

MINI-ROUNDTABLE

AUDIT COMMITTEE DISCLOSURES

David Chitty is responsible for the global leadership of accounting and auditing services at Crowe Global. He supports the development of the network’s global audit methodology and audit technology, leads the global quality assurance programme, presents seminars and supports business development initiatives. He is also a member of the Institute of Chartered Accountants in England and Wales’ (ICAEW) Independent Regulatory Board, is a former member of ICAEW’s governing Council and ICAEW’s Audit Committee.

David Chitty

International Accounting & Audit Director

Crowe Global

T: +1 (212) 808 2027

E: [email protected]

Steve Gale is head of audit at Crowe in the UK. He has nearly 30 years’ experience within the audit field and has a particular specialism in dealing with professional services firms and listed companies. He has recently been appointed to the Auditors’ Advisory Group for the Brydon Review into the quality and effectiveness of audit, commissioned by the UK Department of Business, Energy and Industrial Strategy. He is a member of Crowe Global’s International Audit and Accounting Committee.

Steve Gale

Partner

Crowe U.K. LLP

T: +44 (0)20 7842 7262

E: [email protected]

Jennifer Knecht is the Securities and Exchange Commission (SEC) practice leader for Crowe LLP. She has over 22 years of experience conducting audits and providing other financial assurance services. She also has experience with SEC reporting requirements, including initial public offerings (IPOs) and reverse merger transactions. These projects include working directly with clients and other stakeholders on registration statements, SEC comment letters and comfort letters.

Jennifer Knecht

Partner

Crowe LLP

T: +1 (317) 706 2697

E: [email protected]

Diana Huang’s practice is focused on public company auditing, including mining and oil and gas companies, as well as the high-tech industry, and she is able to bring a vast amount of knowledge and expertise to industry-specific issues. She routinely assists lawyers and clients with IPOs, reverse takeovers, spinout transactions, prospectus offerings and filings statements. She takes great pleasure in identifying complicated issues and in providing sound, technical solutions.

Diana Huang

Incorporated Partner

Crowe MacKay LLP

T: +1 (604) 697 5274

E: [email protected]

Michael Jetter is an audit partner responsible for providing audit and accounting services to international, listed and non-listed, companies in Germany. His clients are drawn from sectors including manufacturing, automotive and consumer goods. In addition to his audit work, he provides International Financial Reporting Standards (IFRS) conversion services, as well as financial accounting advisory work for German subsidiaries of foreign owned business in US-generally accepted accounting principles (GAAP) and IFRS reporting matters.

Michael Jetter

Partner

RWT Crowe GmbH

T: +49 7121 489 544

E: [email protected]

PANEL EXPERTS


R&C: Could you provide an overview of the main trends and developments affecting audit committees in recent times? How has their role evolved and have you seen a general improvement in quality and oversight?

Chitty: Audit committee disclosures provide important information for stakeholders about the audit committee’s activities and exercise of its responsibilities. The audit committee has a vital role in corporate governance, including providing oversight to the financial reporting process led on a day-to-day basis by the chief financial officer (CFO), appointing and maintaining close contact with the external auditor, and receiving reports from and providing guidance and support to the internal auditor. The role of many committees has evolved into overseeing risk management as well as financial and ‘traditional’ audit affairs. Legislation and regulation, as well as codes of practice, may specify the minimum disclosures expected of an audit committee, whether in the annual report or other media issued by the company. However, in the interests of transparency and good investor and stakeholder relations, the disclosures may go beyond this minimum. The 2014 European Union (EU) Audit Directive extended the list of functions assigned to the audit committee, as follows. First, inform the administrative or supervisory body of the audited entity of the outcome of the statutory audit and explain its contribution to the integrity of the financial statements. Second, monitor the financial reporting process and submit recommendations. Third, monitor the effectiveness of the internal quality control and risk management system. Fourth, monitor the process of the audit of statutory or consolidated financial statements, mainly the findings and conclusions. Fifth, review and monitor the independence of the statutory auditor. Finally, be responsible for the procedure for the selection of the statutory auditor or audit firm. The Directive has been transposed in law in the Member States of the EU and it ought to influence disclosures by audit committees, as the committee has more responsibilities to comment upon. In practice, disclosures will be influenced by national requirements, as well as convention, in the Member State. Studies are beginning to show how committees are reporting on their extended responsibilities.

Gale: The UK Financial Reporting Council (FRC) conducted research under the auspices of the Audit and Assurance Lab, which resulted in a report, ‘Audit Committee Reporting’, being published at the end of 2017. Key themes that were addressed in that publication were the interaction between the audit committee and the auditors, how the audit committee reports on significant matters impacting the financial statements, and internal control matters including risk management and internal audit. With increased focus on mandatory retendering and rotation – in light of the adoption of the EU 2014 Audit Directive and Regulation, implemented in 2016 – there has been encouragement for audit committees to describe in their reports the steps they have taken when undertaking tender processes, including the key criteria they are using to assess the firms taking part in the tender, as well as how they are assessing the effectiveness of the auditor and the audit process.

Knecht: US Securities and Exchange Commission (SEC) regulations require certain minimum disclosures by audit committees. Some of the disclosures required by SEC regulations include whether the audit committee has reviewed and discussed the audited financial statements with management, discussed with the independent auditors the matters required to be discussed by Public Company Accounting Oversight Board (PCAOB) Rule 3200T, received from and discussed with the auditors disclosures regarding the auditors’ independence, and whether the audit committee members are independent as defined in the applicable listing standards. While these disclosures provide some transparency to audit committee oversight, they do not cover the full range of an audit committee’s activities. Audit committees play a key role in the oversight of management and the independent auditor. Effective oversight of the financial reporting process is absolutely critical to upholding the integrity of the capital markets. As more emphasis continues to be placed on disclosure effectiveness, a natural evolution is for audit committees to provide more transparency to the full range of their activities – which go well beyond the required disclosures. There have not been significant regulatory or legislative developments around required audit committee disclosures in the US for some time. However, in public statements, the SEC continues to emphasise the importance of effective audit committee disclosure. For example, in a 2017 speech, Wes Bricker, chief accountant of the SEC, encouraged audit committees to “consider whether providing additional insight into how the audit committee executes its responsibilities would make the disclosures more effective in communicating with investors”. Mr Bricker also referenced the SEC’s 2015 concept release on possible revisions to audit committee disclosures as a potential tool to assist audit committees in considering disclosure enhancements. Our experience in practice is that US public companies of all sizes have continued to expand voluntary disclosures within their proxy statements on oversight responsibilities, for the benefit of their stakeholders. This push for additional transparency is understandable given the rapid pace of change seen in the economy. Going forward, calls for increased transparency into audit committee duties, including oversight of the independent auditor, are expected to grow. Audit committees can respond by providing more meaningful disclosures that increase awareness of their responsibilities and how individual committees carry them out.

Huang: In Canada, larger companies are disclosing more on the background of audit committee members. There is more focus on providing investors with information regarding the experience and expertise that members bring to the company, and also more transparency with respect to diversity – such as female representation on the board. Another trend we have noted is audit committee members of larger companies starting to formalise the process of evaluating their external auditors and providing transparency regarding the process. Overall, for smaller public companies, in our view the majority of audit committee disclosures continue to inadequately address, or completely disregard, how the committee oversees the external auditor and assesses the auditor’s qualifications and work quality. We feel that there have been improvements in the number of disclosures in recent years; however, this movement has not been universally or consistently adopted, especially with junior issuers. The content and adequacy of disclosures continues to evolve, but largely remains a work in progress.

Jetter: In Germany, the audit profession recently adopted the revised ISA 260 ‘Communication With Those Charged With Governance’, requiring more intense and more frequent communication between the auditor and the audit committee compared to what we have seen previously. This should further improve oversight quality and may influence external disclosures by the committee. The main trends and developments that we are seeing are independence of the auditor and the provision of non-audit services by the auditor, as well as tendering. Tendering is spurred by the need for public interest entities (PIEs) to change their auditor as a result of EU-imposed restrictions on the maximum term an auditor can serve a PIE.

R&C: What factors are influencing and shaping the content of audit committee proxy disclosures issued by small to large public companies?

Gale: The principal factors that would appear to impact the content of audit committee reports are the sophistication of the corporate governance framework adopted by the company, as well as the nature of the external shareholders. In the UK, not all listed companies are required to prepare audit committee reports, for example those listed on AIM. Where companies do prepare a report, then those companies with less sophisticated arrangements are more likely to have reports that are less granular and detailed than those from larger companies.

Huang: Financial reporting has become more complex as a result of new standards, disclosure requirements, cyber security risks, technology risks and challenges, and additional focus by regulators, thereby adding more pressure on audit committees to have appropriate expertise and engagement in providing oversight and challenge to management, and in providing additional disclosures to build confidence among investors in their roles of oversight.

Jetter: In Germany, the supervisory board is required by law to issue and publish a separate report to the shareholders on their work during the preceding year. This supervisory report includes sections on how the audit committee fulfilled its legal and statutory obligation to ‘audit’ the company’s annual and consolidated financial statements using the auditor’s work – for example whether the audit committee concurs with the results of the audit’s work. This statutory obligation is also relevant for non-PIEs, which means for all entities in the legal form of a stock corporation, known as Aktiengesellschaft, or a large limited liability company, known as a GmbH.

Knecht: The growing pressure for increased disclosures is a reflection of the increasing importance investors and stakeholders are placing on corporate governance and audit quality. An increasingly complex business environment has propelled stakeholder interest in more detailed audit committee disclosures. Investors are keenly focused on audit committee oversight as companies innovate, expand into new markets, and implement emerging technologies. One topic where stakeholders are seeing increased audit committee voluntary disclosure is cyber security. We are seeing a positive trend with respect to enhanced voluntary disclosures by audit committees. Some audit committees are now providing robust disclosures in areas such as considerations in the appointment of the audit firm, criteria used in evaluating the audit firm, and involvement in lead partner selection. In the US, the Center for Audit Quality (CAQ) has, for the last five years, published an annual ‘Audit Committee Transparency Barometer’ which, among other objectives, summarises trends in audit committee voluntary disclosures. The 2018 report indicates positive trends in a number of key metrics the CAQ uses to assess voluntary audit committee disclosures.

R&C: How would you characterise the general effectiveness of audit committee disclosures? Do you believe increased transparency is required in certain areas?

Gale: With the current focus in the UK on corporate governance and the role of audit, there is increased scrutiny of how audit committees are considering audit quality. As the rules from the EU Audit Directive and Regulation take full effect, one might expect greater scrutiny of the degree to which the audit firm provides non-audit services and how the audit committee assesses whether or not this might impact the independence of the audit firm. In terms of financial reporting, investors are keen to understand the role that the audit committee has taken in understanding, reviewing and challenging the key estimates and judgements made by management in preparing the financial statements. In addition, audit committees are being expected to challenge management further in their use of alternative performance measures (APMs), which are measures not immediately apparent from the financial statements but which management consider are most appropriate for assessing the performance of the business. The challenge and transparency should include assessing whether the APMs used are most appropriate for the business as well as the adequacy of how those APMs reconcile with the measures evident from the financial statements.

Huang: For larger companies in Canada, there are general disclosures regarding the presence of an audit committee charter and limited descriptions around their general responsibilities. For smaller companies we feel this is an area that is lacking and would benefit from additional disclosure. Disclosure of the topics discussed, their risk assessments and the work performed by the audit committee are lacking. Many disclose their overall responsibilities, yet fail to provide transparency around their actual processes, assessments and conclusions.

Jetter: We still see a lot of ‘boilerplate’ language in supervisory board reports. As the legal requirements for stock corporation laws are rather ‘vague’, there is a need to further clarify, customise and individualise supervisory board or audit committee reporting requirements, in order to improve communication quality with shareholders. One example is the introduction of reporting key audit matters (KAMs) in audit reports.

Knecht: One area to look at is the area of disclosure of fees paid to the auditor. SEC regulations require companies to disclose fees paid to the principal auditor in four categories: audit, audit-related, tax, and all other, for the two most recent years. Beyond the required disclosures, audit committees are not yet providing significant voluntary disclosures in the area of audit firm compensation. Audit committees may want to consider explaining their role in the fee negotiation process. For example, audit committees might consider enhanced disclosure about how the committee determines and evaluates auditor compensation, as well as significant changes in fees paid to the audit firm.

Chitty: It is interesting to consider the perspective of internal auditors about how audit committees disclose their relationship with internal audit. Internal auditors see the benefit of the audit committee being to enhance the status of the internal audit function. An effective audit committee can strengthen the position of the internal auditors by acting as an independent forum for internal auditors to raise matters affecting management. The chief audit executive (CAE) should report functionally to the audit committee, which is critical to good corporate governance. The effectiveness of the relationship between internal audit and the audit committee should have an impact on committee disclosures. Regular meetings between the audit committee and internal audit make it more likely that the audit committee remains informed and knowledgeable about relevant accounting and auditing issues. Maximum benefit from this interaction can be expected, however, if members of the audit committee have the technical expertise to understand the work of the internal audit function, together with the independence to enhance the status of the internal audit. In the absence of this, the audit committee is a rather theoretical and obligatory concept without much decisive influence. Instead of considering the internal auditor as a valuable and independent information provider, the audit committee chair may prefer to rely almost exclusively on the external auditor. Consequently, the reciprocal relationship between the audit committee and the internal auditor is underdeveloped, which can be considered a missed opportunity for both parties. Therefore, disclosure by the audit committee internally to the board and externally to stakeholders is less than effective. Due to this mismatch of interests, there will be cases where there is an under-emphasis on the internal audit oversight role by the audit committee. In order to reduce this mismatch, both parties should broaden their interests in a converging way, in conjunction with clear communication about the mission and roles of internal audit. Internal auditors value audit committee support and seek to be proactive in achieving it, often by means of educating audit committee members. An effective relationship between internal audit and the audit committee ought to be disclosed and will be positive for stakeholders to be informed about.

R&C: What are the benefits of increasing transparency in audit committee disclosures?

Huang: Increased transparency provides investors with information to evaluate audit committee performance and helps with understanding the audit committee process and rationale for doing certain things, for example when appointing auditors. It also helps with increasing investor confidence.

Knecht: It is important for audit committees to engage with regulators, auditors and stakeholders. Proactively engaging in communication with others on these topics can have a meaningful impact on the development of future standards. In addition, it can provide valuable insight to audit committees about the types of disclosures that are important to stakeholders. For example, the PCAOB is currently conducting research on how auditors and audit committees interact with respect to PCAOB Rule 3526, ‘Communication with Audit Committees Concerning Independence’.

Gale: For investors, there is the benefit of reassurance that the audit committee is providing an appropriate challenge to management and is focused on ensuring there is high quality corporate reporting – not only in terms of the reported results, but also that the auditors will be conducting an audit of the appropriate quality.

Chitty: Enhancing the transparency of disclosure could make the financial information more credible to investors and increase investors’ confidence. This should have a very positive result in the company’s development in the long term.

Jetter: Generally, increased trust in the audit committee strengthens the shareholders’ interests. In the two-tier board system in Germany, the auditor explicitly serves and supports the work of the supervisory board. So, increasing transparency also means better information about the key aspects of an audit and how the supervisory board deals with these issues.

R&C: How might enhanced transparency around corporate governance help underscore audit committee improvements?

Gale: It is not a matter only of transparency but also of the quality of the corporate governance framework adopted by the company and, as part of that, the quality of the individuals involved. There is also the element that might be summed up in the phrase ‘corporate culture’. If the culture that is nourished within the company is based on quality, openness, integrity and transparency, then that should permeate through all the company’s financial reporting obligations, including reporting by the audit committee.

Huang: Increased transparency should lead to greater accountability and improved oversight. If audit committees were required to disclose specific processes, information considered and conclusions reached, as opposed to a general mandate, stakeholders would have the ability to monitor, measure and assess the operational effectiveness of the audit committee and the degree of their oversight.

R&C: Have there been any notable legal and regulatory developments in this area? If so, what has been the impact?

Gale: The UK adopted the EU Audit Directive and Regulation in 2016, which introduced mandatory audit tendering and rotation. As a result, there has been an increase in the frequency of audit tenders. In February 2017, the FRC also published a ‘best practice’ note for audit committees surrounding the process for conducting an audit tender. We might expect to see an increase in the quality of disclosures around the appointment process for auditors, including identifying the principal factors that the audit committee is using in assessing the firms participating in the tender process. The FRC publication ‘Audit committee reporting’, published in December 2017, provides examples of good practice in various elements of audit committee reports, which the FRC hopes will stimulate further improvements in audit committee reports.

Huang: External audit effectiveness has been subject to increased regulatory focus, by bodies such as the Canadian Public Accountability Board (CPAB) and the US PCAOB. Evaluation of external audit effectiveness is also becoming an important part of the audit committee role. The Securities Commission in Canada has also been allocated additional resources to review public disclosures – including other than financial statements – and to challenge management on their disclosures. This requires deep expertise from audit committees in the areas of financial and non-financial reporting. We have noted regulators working with companies to establish and monitor key performance indicators (KPIs). This is a tool that helps to engage audit committees, establishes an approach to measure and improves performance, including audit quality. The Canadian regulator had launched an exploratory audit quality indicators (AQIs) project with certain Canadian audit committees to get feedback on the usefulness of AQIs and to support broader national and international discussions. The result of the project was that AQIs provide a better understanding among management, the audit committee and external auditors of roles and responsibilities related to audit quality, and their expectations of others. They also result in more efficient and effective interactions between the audit committee and the auditors. There are now discussions around whether audit committees should disclose AQIs in their annual filings, which some see as evidence of robust audit committee oversight of the external auditor. Canadian companies that have disclosed their AQIs publicly include Magna, Royal Bank of Canada, Telus, Intact Financial and Sun Life Financial.

Chitty: There have been developments in China as the China Securities Regulatory Commission (CSRC) issued the ‘Code of Corporate Governance of Listed Companies’ in 2001, for the purpose of standardising the operation of listed companies and protecting the legitimate rights and interests of investors. The code was recently revised and implemented with effect from 30 September 2018. The revised guidelines require listed companies to strengthen the audit committee function and establish the basic framework for environmental, social and governance (ESG) information disclosure. In general, Chinese listed companies are used to disclosing information pursuant to mandatory provisions, and the revised guidelines encourage listed companies to voluntarily disclose relevant information which may have an impact on decision making, in order to provide more comprehensive information to shareholders and other stakeholders.

Jetter: Except for the introduction of the new IDW PS 470 – equivalent to the revised ISA 260 – there have been no significant developments in Germany. As the standard increases an auditor’s obligation only in respect of communications between the audit committee and the auditor, the effect on shareholders and other stakeholders is probably not that significant.

Steve Gale, Crowe U.K. LLP

“If the culture that is nourished within the company is based on quality, openness, integrity and transparency, then that should permeate through all the company’s financial reporting obligations.”

R&C: What advice would you offer to companies on drafting voluntary disclosures within their proxy statements that provide stakeholders with greater insight into oversight responsibilities?

Knecht: Invest some time engaging with stakeholders to gain an understanding of the voluntary disclosures they believe are most important. Evaluate the cost-benefit of voluntary disclosures and seek ways to enhance disclosures so they will provide the most benefit.

Huang: Provide more than the basic minimum requirements. This will help with holding the committee accountable and also builds investor confidence in the various governance roles. In addition to ‘what’ you do, also explain ‘how’ you do it. In other words, explain the committee’s process.

Gale: If audit committees want to make sure they are providing valuable insight to readers, an important element is to really understand what it is that readers want to know. Engaging with stakeholders and key shareholder groups will be an important part of this.

Chitty: In the Chinese market, listed companies are advised to pay attention to the quality of voluntarily disclosed information (VDI), which may result in misunderstanding by the market. Care has to be taken with such voluntary disclosures in case they have price-sensitive implications. Turning to audit committee interaction with internal audit, good practice disclosures could: monitor whether the internal audit function has adequate resources; follow up on the internal audit department’s scope, the results of its operations and recommendations, and on management’s responses thereto; and challenge management on critical findings reported by internal audit, and report internal audit’s perspective to the board.

Michael Jetter, RWT Crowe GmbH

“I doubt that in the near term we will see a great expansion of voluntary disclosures in Germany, although stakeholder expectations on this front may change.”

R&C: How do you expect voluntary audit committee disclosures to evolve in the years ahead? Is there an inevitable trend toward even greater transparency and accountability?

Huang: We see trends towards additional transparency and more focus around processes and controls being described in proxy statements. We expect that regulations will continue to evolve to require more transparency.

Chitty: In the past few years in China, audit committees have continued to enhance transparency and accountability regarding VDI as required by relevant authorities in China. The revised Code will have an effect in this area. It is expected that audit committees could make improvements to the effectiveness of VDI. Turning to the EU, we can anticipate that the expansion of audit committee responsibilities resulting from the 2014 Audit Directive will result in more disclosures by the committee, because stakeholders will expect to hear about how these responsibilities are being discharged.

Jetter: I doubt that in the near term we will see a great expansion of voluntary disclosures in Germany, although stakeholder expectations on this front may change.

Knecht: In the near term, it is possible that changes to external audit standards may help facilitate enhanced disclosures by audit committees – specifically, through auditors’ required disclosures of critical audit matters (CAMs) under PCAOB Auditing Standard 3101, ‘The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion’. Auditor disclosure of CAMs later this year will provide audit committees with a great opportunity to communicate through enhanced disclosure their oversight activities with respect to the critical areas identified within the audit. CAMs are similar to KAMs that are required in other countries, where the reporting of KAMs has had an impact on disclosures.

PERSPECTIVES

GENERAL COUNSEL HAS QUICKLY BECOME THE VIGILANT SENTINEL OF REPUTATION RISK AND THE CORPORATE CONSCIENCE

BY HARLAN LOEB

> EDELMAN

In September 2018, Danske Bank’s CEO resigned amid the swirl of whistleblower allegations of Russian interference in European economies and allegations of massive money laundering. In their account of that crisis in Raconteur Opinions, Veta Richardson and Leisbeth De Ridder contend the case was largely avoidable based on the findings of an internal review.

The authors concluded that the board of directors lacked an essential ally – the general counsel (GC). Sometime before the allegations surfaced, the GC ceased reporting to the CEO and began reporting to the chief financial officer. In 2014, in-house counsel sought to further investigate the whistleblower allegations, but two executives overruled him. A modern legal department, the authors contend, might have averted one of Europe’s biggest scandals.

A recent global study by the Association of Corporate Counsel (ACC) delivers a timely and fascinating footnote to the Danske event. The ACC concluded that GCs who report directly to the CEO provide a leading indicator of their influence on critical corporate events and crises, while also illuminating a new mandate to create a culture that reinforces ethics and integrity driven by behaviour. Indeed, the GC is becoming the most important C-suite executive on reputation, crisis and non-market risk, among other critical issues that have sparked a ‘constant crisis’ environment at many corporations with unprecedented operational uncertainty.

As damaging issues increasingly erupt, from internal espionage and privacy invasions to consumer outrage and executive misconduct, the GC has become the crisis management quarterback with discernibly impressive impact, influence and positive results.

GCs are leading from the front on a variety of diverse crisis, reputation and cultural matters. They include: (i) rules-based compliance systems that frequently mortgage common sense and good judgment; (ii) inadequate measurement and alignment on top tier corporate risks; (iii) behavioural risk and potentially toxic performance incentives; (iv) inadequate information sharing processes and networks; (v) top-down management structures that commoditise promising young talent and future leaders; and (vi) corporate values that are merely words on a website.

Like no other corporate officer, the GC is positioned uniquely to advise business decision makers proactively on both destabilising market and non-market risks. In fact, many GCs suggest their biggest challenges do not involve legal risk.

Consider how the GC of pharmaceutical giant Sanofi effectively crafted the perfect response to shut down Roseanne Barr’s attempt to blame Sanofi’s Ambien for her abhorrent rant that led to her TV show’s cancellation. Barr contended Ambien explained her late-night tweet attack against former Obama presidential adviser Valerie Jarrett. The Sanofi GC approved the perfect response: “People of all races, religions and nationalities work at Sanofi every day to improve lives of people around the world. While all pharmaceutical treatments have side effects, racism is not a known side effect of any Sanofi medication.”

Above the Law noted that in vetting the tweet, the GC asked three basic questions before unilaterally hitting the ‘go button’: Is it truthful and not misleading? Is it consistent with our values? Is it legal?

Still, against today’s backdrop of continual fear of a reputational crisis, it is not surprising GCs feel quite vulnerable. Eighty-five percent of GCs surveyed recently by Morrison & Foerster ALM Intelligence (ALM) ranked reputation and brand crises as their number one concern, followed distantly by corporate risk at 58 percent. One GC recently said that the reputation risks that keep her up at night include consumer activism, rising operating uncertainties, immediate digital and iPhone ‘reporting’, and the klieg lights that shine on workplace and corporate misconduct.

ALM also asked GCs who experienced a significant corporate crisis in the previous 12 months to rate their company’s level of preparedness for it. Few gave themselves high grades, although two-thirds felt they had been well prepared. That is a significant improvement over an earlier survey in which only 29 percent of companies experiencing a crisis felt that they were adequately prepared.

Most GCs noted that a solid crisis response plan must at least contain fundamental information tested through simulation scenarios. Swift and decisive action – especially within the first few hours – ranks among the most effective ways to diminish the negative impacts of a crisis. Yet, as emphasised by many including ALM, only senior leaders – the CEO and the GC, in particular – are authorised to make decisions.

Companies must put clear and vigorously tested escalation procedures in place, and each senior leader should tap a deputy as a stand-in, if necessary. Many small issues burst into full-blown crises because information winds its way too slowly through the corporate hierarchy before an executive leader is found with the authority to make a final decision. ALM maintains that this is a clear and costly vulnerability for over one-third of companies that do not include necessary escalation procedures in their crisis management plans.

Unlike any other professional discipline, lawyers are trained rigorously to be issue spotters, experts in multivariable risk and fluent on both sides of every issue that arises. And, perhaps distinctly, fully committed to the ‘sanctity of facts’. Thus, they are equipped to make decisions with imperfect information and to take calculated risks to manage and avoid potential franchise crises.

Multifaceted problem-solving skills, multidirectional thinking and training to vet all contingencies are the province of outstanding lawyers. Against this backdrop, the GC’s broadening mandate leads to better outcomes on challenges including crisis management, corporate culture, values-based leadership and organisational resilience. GCs are increasingly the ‘challenger in chief’ on the most vexing risks, issues and crises organisations confront.

Ms Richardson, the ACC’s president and chief executive, notes that as chief advocates and initiators for developing a collaborative relationship with the board, GCs increasingly set and oversee a corporation’s cultural, ethical and performance values. In-house counsel are essential actors in their company’s ability to achieve its long-term strategies.

As the ‘defender and challenger in chief’ in promoting and protecting dynamic corporate values and performance cultures, GCs prove to be the stewards of principles-based compliance anchored in an operating mindset that includes integrity as well as ethical and cultural values. Because the GC is accountable to corporate directors and shareholders, they must educate and direct them on new operating realities, particularly those rooted in corporate culture that present reputational threats. Additionally, the multifaceted thinking skills of the GC have become imperative in stress-testing the business, cultural and social repercussions of corporate decisions and enable durable and proactive risk management.

Today’s GC has become an essential participant in setting the tone at the top and driving a corporate culture that creates long-term and enduring reputational value by being more responsive to all stakeholders.

Harlan Loeb

Global Practice Chair, Crisis & Reputation

Risk Advisory

Edelman

T: +1 (312) 240 2624

E: [email protected]

ONE-ON-ONE INTERVIEW

CCOS: MANAGING RESPONSIBILITIES AND LIABILITY RISKS

José Antonio López Alonso

Partner

Zinser, Esponda y Gomez Mont, Abogados

T: +52 55 5202 8610

E: [email protected]

José Antonio López Alonso has been involved in criminal law practice since 1994. He has participated in multiple international extradition proceedings between Mexico and countries such as the US, Argentina, Switzerland and Australia. For more than 20 years, his practice has been oriented toward economic, banking, tax, environmental, copyright, intellectual property, election and corruption offences, as well as criminal liabilities related to public service.

R&C: To what extent has the role of chief compliance officer (CCO) gained greater importance in recent years? How would you characterise its evolution, and where it should rank within the corporate hierarchy today?

López Alonso: Although foreign companies with US Foreign Corrupt Practices Act (FCPA) and other compliance regulations are used to having a chief compliance officer (CCO), this is something new for Mexican companies. Mexico is only just starting to develop a compliance culture, having passed its first compliance laws just a few years ago. Given that, compliance is only just beginning to form an integral part of Mexican corporate governance. As this process advances, in some Mexican companies the CCO function is frequently assumed – often temporarily, and sometimes permanently – by the legal department, whose opinions are seriously taken into consideration by the board, or at least should be. Other companies are only just starting to appoint a CCO as part of their corporate governance system. In our view, the CCO should be at the top of the corporate hierarchy in order to ensure that her recommendations are not disregarded for operational reasons. She should have direct communication with the board and the shareholders’ meeting, and we believe that she should work hand-in-hand with other executives in order to implement precautionary measures in a way that does not prejudice the company’s functionality, since any measure that prevents a company from running normally will not be heeded by the employees.

R&C: How has increasing regulatory scrutiny impacted organisations which do not have a CCO?

López Alonso: Since compliance laws have only recently been passed in Mexico, companies are only just starting to adjust to this new culture and take precautionary steps, given that they may now be deemed criminally liable under the country’s laws. Furthermore, in order to attenuate such corporate criminal liability, Mexican judges are obliged to examine their controls and policies in order to prevent unlawful actions that would benefit a company. Some companies have been indicted for offences committed by their employees, due to their lack of control, and it is almost impossible to guarantee that a firm is doing everything it can to put an end to unlawful practices if it has no executive who is exclusively devoted to implementing compliance measures and updating them as she sees fit. Given that compliance systems should be tailor-made for each company, it is a full-time job to implement and update such systems. Companies that do not have a CCO among their executives will have a hard time showing that they are really committed to compliance, and hence run a greater risk of being held criminally liable, with serious consequences that may even include dissolution.

R&C: What challenges face today’s CCOs in terms of managing a range of responsibilities and liability risks?

López Alonso: Today, CCOs in Mexico are facing a huge cultural challenge, given that the concept of compliance is new here and corporate leaders and boards do not understand why there is a need to implement compliance programmes and policies as part of their governance practices. Mexican companies are used to running their business a certain way, being resistant to change and doubtful as to whether it is needed and will benefit them. CCOs face the challenge of changing the mindsets of everyone in the company, from board members and other leaders to directors and employees, helping them to understand why such changes are important. Before making these changes, corporate leaders and employees should be educated on the importance of compliance and the risks that the company is seeking to minimise, so that they will help to implement compliance policies and observe them once they are in place.

R&C: Do you believe many organisations, from top to bottom, fail to understand the mechanics and importance of the CCO role?

López Alonso: In Mexico, organisations have been doing things their own way for many years and saw no need to implement new ideas, programmes or policies in their day-to-day practice. Every day, more organisations are willing to change their modus operandi as long as they remain successful, but a lot of companies still consider compliance systems to be useless. A huge cultural change is needed in Mexico in order for all companies to understand and implement compliance policies. Even though their organisations are subject to criminal charges, many corporate leaders will only implement systems in order to comply with the law, being unwilling to make a genuine commitment to compliance. Perhaps such firms will only understand the role and importance of the CCO if they are charged with criminal offences and fail to prove, in the judge’s opinion, that they have implemented sufficient controls to prevent unlawful actions from being committed for their benefit.

R&C: Are you seeing more CCOs work alongside chief risk officers (CROs) to jointly achieve their company’s compliance objectives?

López Alonso: It is extremely important for CCOs to work alongside chief risk officers (CROs). A successful compliance programme should be tailor-made considering the risks that the company faces and its structure, areas of risk, directors and staff. Compliance programmes should be adapted to the company’s specific needs. A programme designed for one company will not serve to prevent problems from arising in another. CCOs and CROs should work together to educate the company’s board, leaders and employees, and to change their mindset about the need to implement a compliance programme, and the convenience of doing so.

R&C: In terms of compliance breaches, how would you characterise the extent to which a CCO should be held responsible? How frequently are CCOs essentially used as scapegoats in the event of non-compliance?

López Alonso: A CCO should be considered successful to the extent that she ensures commitment to company policies and procedures, reports to the board and directors, and oversees the steps taken by her company in response to specific incidents. Given that most CCOs have to deal with blindness and indifference on the part of their colleagues, before assessing their effectiveness, one should analyse the company environment, determining whether they are supported by their bosses and colleagues, or whether the latter use them as scapegoats. The success of a CCO can be measured in terms of the number of complaints filed by employees and measures taken in response to them. It is impossible for a company to have no compliance issues, but it should not be held responsible if one of its directors or employees commits a criminal act, if it has successfully implemented a compliance programme and taken serious steps to prevent the criminal act.

José Antonio López Alonso, Zinser, Esponda y Gomez Mont, Abogados

“A huge cultural change is needed in Mexico in order for all companies to understand and implement compliance policies.”

R&C: What broad advice would you offer to CCOs on effectively overseeing company policies, procedures, products and services to ensure they are compliant with regulatory requirements? How important is company-wide compliance training in this regard?

López Alonso: It is very important for a CCO to have adequate training and to implement programmes and measures in conjunction with the CRO and other executives that improve the company’s functionality and ensure employees maintain compliance. A compliance programme that makes a company less successful or less competitive is useless. However, the most important advice is to record everything, from incidents, communications and recommendations to the board, and the steps taken in response to these communications and recommendations. Even if they face apathy or indifference on the part of leadership and directors, CCOs should record all their efforts to implement compliance policies, and all their recommendations on these matters.

R&C: How do you see the role of the CCO evolving in the years ahead? With regulatory compliance perhaps more complex than ever, to what extent can we say that a CCO is an essential appointment?

López Alonso: Given that compliance legislation is new to Mexico, in the coming years we will only see it being taken on board by corporate hierarchies. Since leaders and directors are facing a cultural change, they are finding it hard to understand the importance of including a CCO within the corporate hierarchy. The evolution of the CCO role in Mexico, and the importance assigned to it, depend on companies’ commitment to compliance. Eventually, companies will be classified into two groups – those that are really committed to compliance, where the CCO plays a crucial role, and those that superficially implement compliance policies and programmes just to minimally comply with their obligations, where the CCO is only appointed in order to ‘save face’ and make the company appear as if it is committed to compliance.

PERSPECTIVES

YOU MAY NEVER BE FREE OF LIABILITY FROM OLD CONDUCT, IF THE SEC HAS ITS WAY

BY GABRIEL K. GILLETT, HOWARD S. SUSKIN AND ADAM G. UNIKOWSKY

> JENNER & BLOCK LLP

An important component of evaluating risk is determining when the risk abates. In the context of enforcement actions brought by the US Securities and Exchange Commission (SEC), the risk abates when the SEC runs out of time to seek relief in court. So, when does that time run out? For years, the SEC’s position has been never – that it may seek certain relief at any time, regardless of how long ago the allegedly improper conduct took place.

Over the past decade, however, the US Supreme Court has steadily reined in the SEC by enforcing the five-year statute of limitations in 28 U.S.C. § 2462, which applies to government actions seeking “any civil fine, penalty, or forfeiture”. The Court first applied § 2462 to SEC claims for money penalties. Then the Court applied § 2462 to SEC claims for disgorgement. Now, some wonder whether § 2462 applies to SEC claims for an injunction on being employed in the securities industry or serving as an officer or director. Although courts have not yet squarely addressed that question, there are good reasons to think the answer is yes.

Some brief history may help understand where we may be going. In the watershed case of Gabelli v. SEC, the Supreme Court unanimously held that the SEC must bring claims for money penalties within five years of when the underlying alleged misconduct occurred. 568 U.S. 442 (2011). It did not matter that the SEC had not uncovered the misconduct until later, or that the SEC was acting in the public interest, the Court explained; “even wrongdoers are entitled to assume that their sins may be forgotten”. And five years was viewed as plenty of time for the SEC, with its powerful tools to root out fraud, to discover any untoward activity. As a result, targets of SEC investigations had a complete defence if the allegedly improper acts occurred more than five years before the SEC initiated an enforcement action.

In 2017, the unanimous Court again constrained the SEC’s authority to bring claims based on conduct that had occurred more than five years before the SEC filed suit. In Kokesh v. SEC, the Court held that “SEC disgorgement constitutes a penalty within the meaning of §2462” for three main reasons. 137 S. Ct. 1635 (2017). First, “[t]he violation for which the remedy is sought is committed against the United States rather than an aggrieved individual”. Second, “disgorgement is imposed for punitive purposes” – often to “‘label defendants wrongdoers’ as a consequence of violating public laws” and to deter future violations – and “[s]anctions imposed for the purpose of deterring infractions of public laws are inherently punitive”. Third, “in many cases, SEC disgorgement is not compensatory” because the disgorged funds are frequently not returned to victims. The Court then concluded that because disgorgement “bears all the hallmarks of a penalty” under this framework, the “5-year statute of limitations in § 2462 therefore applies when the SEC seeks disgorgement”.

Neither Kokesh nor Gabelli had occasion to address whether § 2462 also applies to SEC claims for an injunction that bars an individual from being employed in the securities industry or serving as an officer or director. Yet the logic of those unanimous decisions suggests that a bar operates as a penalty, and so the SEC is limited in when it may seek that form of relief. As of the time of this writing, no appellate court post-Kokesh has yet held that § 2462 applies to an employment or officer/director bar. But the road to that conclusion has arguably been paved, should a litigant in the right case persuade a court to take it.

Before Kokesh, some courts of appeals had held that in some situations § 2462 applies to injunctions on employment or serving as an officer or director. The US Court of Appeals for the DC Circuit, most notably in Johnson v. SEC, held that if the injunction was directed to remedying bad acts and not to deterring future misconduct, then it must be based on conduct within the prior five years. 87 F.3d 484 (D.C. Cir. 1996); but see McCurdy v. SEC, 396 F.3d 1258 (D.C. Cir. 2005) (finding a one-year suspension “was not to punish... but rather to protect the public”). The US Court of Appeals for the Fifth Circuit built on that precedent, in SEC v. Bartek, and found that lifetime officer/director bars are punitive if they “have a stigmatizing effect and long-lasting repercussions”, but neither address “past harm allegedly caused by the Defendants” nor “the prevention of future harm in light of the minimal likelihood of similar conduct in the future”. 484 F. App’x 949 (5th Cir. 2012). That court also suggested that a lifetime bar may be punitive in every case, based on its “severity and permanent nature”. The US Court of Appeals for the Eleventh Circuit reached a contrary conclusion – in SEC v. Graham, which was decided shortly before Kokesh – by holding that injunctions are never penalties because they look forward, whereas punishments look backward. 823 F.3d 1357 (11th Cir. 2016).

As of this writing, appellate courts have not yet waded into this pre-Kokesh disagreement. The US Court of Appeals for the Eighth Circuit rejected the SEC’s argument that § 2462 categorically does not apply to injunctions in SEC v. Collyard, but the case involved an “obey the law” injunction, not an employment or officer/director bar. 861 F.3d 760 (8th Cir. 2017). And an appeal pending in the US Court of Appeals for the Third Circuit, SEC v. Gentile, raises the question whether § 2462 applies to a “penny stock bar” that enjoined a defendant from participating in penny stock offerings. The District Court said yes, finding that the bar was punitive based on the reasoning in Kokesh. No. 16-1619 (D.N.J. Dec. 13, 2017). During oral argument in the appeal, Circuit Judge Thomas Hardiman strongly suggested that he agreed, openly wondering “how could barring [Gentile] from an industry not be punitive”. But whether the appellate panel reaches that issue, what the panel concludes and how far the panel goes – including whether it discusses employment or officer/director bars, or just penny stock bars – will not be clear until its decision issues.

In the meantime, the DC Circuit’s decision in Saad v. SEC, and particularly a concurring opinion by then-Judge Brett Kavanaugh before his elevation to the US Supreme Court, may shed the most light on how employment and officer/director bars will fare after Kokesh. In Saad, an employee misappropriated his employer’s funds and repeatedly attempted to cover up his wrongdoing. His efforts failed, and FINRA “imposed a bar that permanently forbade Saad from associating with any FINRA member firm in any capacity”. The SEC eventually “affirmed the permanent bar finding it to be ‘remedial, not punitive’”. The DC Circuit vacated that decision in part and remanded “for the Commission to determine in the first instance whether [Kokesh], has any bearing on Saad’s case”. 873 F.3d 297 (D.C. Cir. 2017).

Then-Judge Kavanaugh concurred, writing separately to explain why he viewed the employment bar as a penalty after Kokesh. Noting that Kokesh “was not limited to the specific statute at issue there”, he reasoned that the employment bar – which the court had earlier called the “securities industry equivalent of capital punishment” – deters but does “not provide a remedy to the victim”. Therefore, following Kokesh’s logic, the employment bar was “a penalty, not a remedy”.

Applying then-Judge Kavanaugh’s reasoning, if the SEC sought an employment or officer/director bar more than five years after the alleged misconduct occurred, then § 2462 would provide a complete defence. But no court has yet reached that conclusion or faced a case presenting that situation. So it remains to be seen whether courts will extend Kokesh, adopt then-Judge Kavanaugh’s view, or take a contrary position.

The history of Kokesh, and prior cases interpreting the reach of § 2462, suggest that the SEC will ardently maintain its narrow view of the five-year limitations period until the Supreme Court forces the agency to change positions. Indeed, the SEC has continued to insist post-Kokesh that it may seek injunctions, including employment and officer/director bars, based on alleged misconduct regardless of how long ago it occurred. So those in the financial industry – including officers and directors of public companies – and targets of SEC enforcement actions should be sure to argue that employment and officer/director bars are punitive, and that the five-year limitations period therefore applies to SEC claims seeking those bars. Targets would also be wise to preserve and press those arguments in court and on appeal, both to encourage a court to apply § 2462 to an employment or officer/director bar, and to take full advantage should another court apply the statute in a different case.

Gabriel Gillett

Litigation Associate

Jenner & Block LLP

T: +1 (312) 840 7220

E: [email protected]

Howard Suskin

Partner

Jenner & Block LLP

T: +1 (312) 923 2604

E: [email protected]

Adam Unikowsky

Partner

Jenner & Block LLP

T: +1 (202) 639 6041

E: [email protected]

PERSPECTIVES

ROLE OF RISK CULTURE IN EFFECTIVE IMPLEMENTATION OF RISK GOVERNANCE

BY RUCHI AGARWAL AND SANJAY KALLAPUR

> ISB

Poor risk culture is a major reason for many financial institutions’ failure. It often manifests in top management not walking the talk – the vision and mission statements are on paper only and do not hold in practice. The recent incident at Wells Fargo provides several insights into the financial industry’s risk culture and its association with poor leadership, improper incentives, weak controls and unethical employee behaviour.

While the importance of culture is well recognised, boards have a tendency to take it as a given rather than something they can create and influence. Risk culture is all about behaviours by organisational actors that translate into organisational norms, values and practices. The UK Financial Conduct Authority (FCA) has highlighted that culture is not optional; it exists everywhere, whether we like it or not. Companies and their boards need to think about what the right culture is, and how to achieve it.

Risk culture in financial organisations has received the attention of financial regulators and professional bodies worldwide. The International Institute of Finance (IIF), the Financial Stability Board (FSB), the Institute of Risk Management (IRM) and very recently the Australian Prudential Regulation Authority (APRA) have emphasised that organisations are responsible for their risk culture. The split of the UK regulator, the Financial Services Authority (FSA), into the Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA) in 2013 was a stepping stone in this direction. The FCA’s primary role was to develop and inculcate good risk culture in UK financial institutions. Companies have repeatedly found that merely establishing structures and policies for risk governance is insufficient until these are aligned with culture and good practices.

This raises a question for practitioners: how to develop a good risk culture? To understand this, we studied several organisations in India and the UK and found three types of risk culture, described below.

Compliance-based risk culture – do what you are being told

Financial institutions operate in a strict regulatory environment. Following the 2007-08 crisis, regulations became more stringent worldwide. In some companies, regulation rules risk governance and sets the bar. Their primary interest is in meeting the regulatory standards in form rather than substance. This leads to a compliance-based risk culture, with a tick-box approach. These companies often find that by the time they make changes in the system to accommodate changed regulations, newer regulations are introduced.

Defensive risk culture – do what pleases the management and protects you if something backfires

In many organisations, truthfulness in risk reporting is not encouraged, and senior executives have been fired for revealing problems in the system. Employees wonder why they should put in the effort to manage risk effectively when they are asked only to report it at the end of the year. The actual quality of risk management does not matter; rather, top management wants to hear good news in the short term by prioritising profits over professional ethics. Defensive attitudes and behaviours are inculcated: “If something goes wrong, somebody else made the decision, not me.” Fear of action and litigation has led to defensive behaviour being ingrained in a defensive risk culture. Over-reporting of risk is one such behaviour: the reporting employee is protected because he or she reported it, never mind that the higher-ups to whom it is reported do not have the time or the understanding to process everything that has been reported. But higher-ups are also protected because decisions are made by committees, so either nobody is responsible or everybody is responsible for any mishap.

Cognitive risk culture – understand your risks, roles and responsibility and report adequate risk to management

In contrast to compliance-based risk culture and defensive risk culture, a few companies worked on understanding the root cause of poor risk culture. The board of a British insurance company began with the three lines of defence model of risk governance (frontline employees being the first line, the CRO’s office the second line and internal audit the third). The company found that the root cause lies in poor risk reporting: the control self assessment (CSA) method fails to engage employees and promotes a defensive attitude. Another challenge it identified was that risk reporting was considered to be a year-end activity rather than a regular activity. The company understood that it is not possible to improve risk culture until everyone in the organisation understands the risks, and their roles and responsibilities in the three lines of defence model of risk governance. The company created new rules and introduced several tools to improve risk culture. Some frontline employees were trained to become risk champions who bridged the gap between the first line and the second line. Risk apps were developed to update senior executives and the board regularly, while roles and responsibilities of every employee were mapped using a management awareness of risk (MAR) index.

Conclusion

Cognitive risk culture in the organisation supports good practices in risk governance and thereby promotes the sustainability of the organisation in the long term. It must be encouraged, and organisations must approach risk management efforts by understanding them holistically from a system perspective. Tick-box or quick-fix approaches backfire and limit the usefulness of risk management efforts.

Ruchi Agarwal

Senior Researcher

Indian School of Business (ISB)

T: +91 981 098 6496

E: [email protected]

Sanjay Kallapur

Professor of Accounting and Deputy Dean

Indian School of Business (ISB)

T: +91 40 2318 7138

E: [email protected]

MINI-ROUNDTABLE

AUTOMATED THIRD-PARTY RISK ASSESSMENT

PANEL EXPERTS

Greg Matthews

Partner, Advisory, Operations & Compliance Risk

KPMG

T: +1 (212) 954 7784

E: [email protected]

Greg Matthews has significant experience helping his clients to transform their risk management operations based on regulatory and business drivers. Mr Matthews has worked with clients as they seek to manage disruption in their industry, meet regulatory expectations and use technology to drive both effective and efficient risk management practices. He brings his global experience to his clients to provide perspectives on how to implement changes in culture and balance risk and performance drivers. Mr Matthews leads third-party risk management for KPMG.

Lisa D. Rawls

Principal, Advisory, Governance, Risk and Compliance

KPMG

T: +1 (703) 286 8591

E: [email protected]

Lisa D. Rawls is a principal in KPMG’s Advisory Services practice and is the Americas leader for the Governance, Risk and Compliance (GRC) Technology service network. Ms Rawls has over 15 years of experience assisting organisations in navigating complex risk transformation initiatives by leveraging her analytical and design-focused thinking, technology and process-engineering skills.

Jon Dowie

Partner, Financial Services Consulting

KPMG

T: +44 (0)20 7311 5295

E: [email protected]

Jon Dowie has over 20 years’ experience of delivering and leading third-party risk management projects within the financial services market. With a specialism in third parties, technology and data security, his work often involves working with clients to help improve their maturity and comply with regulatory expectations and best practice. Mr Dowie regularly works with the UK regulators on these topics and has assisted clients with compliance and in improving governance, risk, process and control across the end-to-end vendor lifecycle.

Jorge Blanco

Principal, Advisory

KPMG

T: +1 (212) 872 2173

E: [email protected]

Jorge Blanco is a principal in KPMG Advisory and leads the Spectrum organisation, which helps clients solve complex ongoing business challenges (e.g., third-party risk management, lease accounting) through insights-driven, outcome-based solutions which leverage a managed services delivery model. He has extensive leadership experience in strategic marketing and product management for companies in the communications, collaboration application, advanced analytics and business consulting industries. Mr Blanco joined KPMG in October 2015 as head of Products and Solutions, responsible for driving the growth of KPMG Spectrum’s global solution portfolio.


R&C: How would you characterise the level of risk that can arise from third-party relationships in today’s business world? To what extent are potential liabilities increasing in this area?

Matthews: Outsourcing is where a service you traditionally performed is handed over to a third party to deliver. Outsourcing exposes an organisation to the risk that the third party will not manage risk in a manner consistent with the outsourcer’s policies and expectations. For example, if confidential data is shared with a third party, and that data is lost because the third party did not safeguard the data in line with the outsourcer’s policies, the outsourcer’s reputation is negatively impacted, and the cost of remediation efforts can severely impact the bottom line.

Dowie: Outsourcing continues to increase, driven by the need to manage costs and to meet customer demands. This trend is likely to continue as the ecosystems of product/service support and client experiences become ever more complex.

Blanco: The ultimate responsibility for managing risk and negative consequence remains with the outsourcer. Therefore, third-party risk management (TPRM) programmes have been evolving to ensure that each of the responsible risk oversight functions – such as compliance, information security and business continuity, among others – and the business unit itself are deeply involved in assessing how the third party is managing risk on behalf of the outsourcer, both pre- and post-contracting. The business unit which engaged the third party has the responsibility to ensure that the service is delivered in line with expectations and that the requisite controls deemed essential by the oversight functions are in place and operating as expected.

R&C: What are some of the common failures and shortcomings you see among companies trying to manage third-party risk?

Matthews: One common failure is the lack of involvement by the risk oversight functions in the decision to use a third party to perform activities previously conducted in-house. These risk oversight functions are made aware after a contract is signed and the third party has commenced delivery of its services. At this point, it is very difficult to demand the third party improve the control environment to enhance risk management.

Rawls: Another common failure is lack of clarity on roles and responsibilities between the various functions within the organisation – meaning, who is doing what and when. Coordinating among the various stakeholders – in some organisations there can be up to 20 functions – to assess the third party’s ability to deliver the service in line with the outsourcer’s expectations is time consuming and complex. The need for clearly defined roles and responsibilities is the key to successful coordination of both pre- and post-contracting activities.

Dowie: Ongoing monitoring by multiple stakeholders over the life of the contract is required to confirm that the services delivered remain in line with expectations, given the constantly changing environment in which organisations operate. For example, as data privacy rules change, is there a change management process in place to ensure existing contracts and services are amended to maintain compliance?

R&C: What advice can you offer to companies on carrying out an effective third-party risk assessment? How important is technology as a means to help detect potential red flags?

Dowie: The starting point is involving the right set of stakeholders that have a deep understanding of the service being outsourced and the potential risks associated with that service. For example, if the third party requires access to your system, knowing which system and what data they have access to helps with identifying the appropriate individual from the information security function who needs to be involved, and the control evaluation questions the outsourcer will need responses to in order to assess the third party’s ability to manage information and network security.

Blanco: Advances in technology have greatly assisted with both pre-contract risk assessment as well as post-contract risk monitoring of services delivered. Pre-contracting, given the service delivery has not yet commenced, the assessment performed on the third party centres on review of the applicable control environment. Here, technology can be leveraged to assist with the identification of anomalies in responses, for example a service category being ‘cloud storage’ and ‘no data is shared’. Additionally, gathering intelligence on the third party, such as negative news, pending lawsuits, regular change in senior management and so on, is important to assess potential reputational risk.

Rawls: Post-contracting, now that the service is being delivered, the outsourcer has access to a greater amount of data to be used to assess the third party’s compliance with contract terms. Here, technology can be utilised to assess compliance with the various service-level agreements (SLAs) that have been established within the contract, and assist the outsourcer with managing the complex terms of a contract.

Matthews: For critical service contracts, the need to understand when non-conformance has occurred is far greater as the potential impact – in terms of fines or restitutions – is also exponentially greater. An example of technology use is call centre monitoring, where calls are converted to text and compared to the approved scripts that the agent should have followed, then deviations are identified, promptly remediated and the call centre operators are retrained. This allows for monitoring compliance with consumer protection requirements.

R&C: Could you outline how automation can be introduced into the third-party risk assessment process? What are some of the advantages and disadvantages associated with automation?

Rawls: Technology automation plays a major role in the enablement of a programme, helping with assigning owners to tasks to minimise manual handoff via email system and storage of individual files on share folders, establishing workflow based on third-party risk levels, enabling sharing of assessment results across third parties which may provide multiple products or services to the organisation, and providing the third-party oversight function with the ability to generate management reporting on a timely basis.

Matthews: Using the example of leveraging technology automation to continuously monitor the performance of a critical contract and the established SLAs within, the required SLAs should be defined along with acceptable operating tolerances. These operating tolerances drive the metrics required to be provided by the third party and measured for conformance. Upon periodic provision of service conformance data, technology can be configured to monitor the data against predefined tolerances. Upon breach of a predefined risk or performance tolerance, the various stakeholders, including risk oversight functions and leadership structures, can be informed. Remediation can then be put in place to bring the service back to acceptable tolerance levels.
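The SLA tolerance monitoring Matthews describes, as an added example that is not part of the roundtable or of any KPMG tool: each SLA is defined with a target, an acceptable operating tolerance and the oversight functions to inform on breach, a period's conformance data from the third party is checked against those tolerances, and breaches are routed to stakeholders. All SLA names, targets, stakeholder names and the quarterly reports are constructed for illustration.

```python
"""Added example: SLA tolerance monitoring for a critical third-party contract.

SLAs, tolerances, stakeholder names and reports are constructed; they are not
taken from the roundtable or from any real programme.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Sla:
    name: str
    target: float
    tolerance: float            # acceptable deviation from target, in the metric's own units
    higher_is_better: bool      # availability goes up; response times go down
    owners: tuple[str, ...]     # oversight functions informed when this SLA is breached

    def limit(self) -> float:
        """The operating boundary derived from target and tolerance."""
        return self.target - self.tolerance if self.higher_is_better else self.target + self.tolerance

    def breached(self, observed: float) -> bool:
        return observed < self.limit() if self.higher_is_better else observed > self.limit()


@dataclass(frozen=True)
class Breach:
    period: str
    sla: str
    observed: float
    limit: float
    notify: tuple[str, ...]


# Constructed SLA set for one hypothetical critical contract.
SLAS: tuple[Sla, ...] = (
    Sla("availability_pct", 99.9, 0.1, True, ("Business Unit", "Business Continuity")),
    Sla("incident_response_hours", 4.0, 1.0, False, ("Information Security",)),
    # Zero tolerance: a late breach notification is always a finding.
    Sla("data_breach_notification_hours", 24.0, 0.0, False, ("Information Security", "Compliance")),
)


def evaluate_period(period: str, metrics: dict[str, float],
                    slas: tuple[Sla, ...] = SLAS) -> tuple[list[Breach], list[str]]:
    """Check one period's conformance data against the predefined tolerances.

    Returns (breaches, missing): a metric the third party did not report at all
    is itself a finding, since the monitor cannot confirm conformance for it.
    """
    breaches: list[Breach] = []
    missing: list[str] = []
    for sla in slas:
        if sla.name not in metrics:
            missing.append(sla.name)
            continue
        observed = metrics[sla.name]
        if sla.breached(observed):
            breaches.append(Breach(period, sla.name, observed, sla.limit(), sla.owners))
    return breaches, missing


def route(breaches: list[Breach]) -> dict[str, list[Breach]]:
    """Group breaches by stakeholder so each oversight function receives one notice."""
    by_owner: dict[str, list[Breach]] = {}
    for breach in breaches:
        for owner in breach.notify:
            by_owner.setdefault(owner, []).append(breach)
    return by_owner


# Constructed quarterly conformance reports from the (hypothetical) third party.
CONSTRUCTED_REPORTS: dict[str, dict[str, float]] = {
    "2019-Q1": {"availability_pct": 99.85, "incident_response_hours": 3.5,
                "data_breach_notification_hours": 20.0},
    # Q2: availability and response time drift outside tolerance, and one metric is not reported.
    "2019-Q2": {"availability_pct": 99.6, "incident_response_hours": 6.0},
}


if __name__ == "__main__":
    for period, metrics in CONSTRUCTED_REPORTS.items():
        breaches, missing = evaluate_period(period, metrics)
        print(f"{period}: {len(breaches)} breach(es), unreported metrics: {missing or 'none'}")
        for owner, items in route(breaches).items():
            print(f"  notify {owner}: " + ", ".join(f"{b.sla}={b.observed} (limit {b.limit})" for b in items))
```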

Dowie: Automation has a role to play at many stages in the TPRM lifecycle. Where automation can have a transformative effect is in helping to manage workflow across stakeholder groups. At some organisations, this can involve 15-20 groups. Automation can centralise the production and storage of due diligence and monitoring questionnaires, plus the associated results, and maintain an audit trail of evidence.

Blanco: The upside of leveraging advanced technology for oversight of critical and large complex contracts is having the ability to monitor the delivery of a service near real-time, in a cost-effective and risk-based approach. The downside of current technology is that it can be time consuming and expensive to configure, as some types of monitoring can take upwards of six months, and the configuration may not easily lend itself to monitoring other critical contracts.

R&C: What types of automated solutions are available? What considerations should companies make when evaluating their options?

Matthews: When looking to automate key aspects of a TPRM programme, there are a number of available technology options to consider. It is important to distinguish between the procurement technology architecture and the risk architecture.

Rawls: Organisations with a large inventory of third-party services require automation of the workflow to assess the third party’s ability to manage risk, collect evidence of review and facilitate the ongoing monitoring of that contract. These types of workflow solutions can be purchased off-the-shelf, or built internally. Both approaches have pros and cons and the decision is largely determined by an organisation’s preference.

Dowie: Certain risk assessments, such as negative news, geopolitical risk, cyber risk and financial viability risk, have become more cost effective due to automation, with many service providers in the market providing services of this nature. Further, the emergence of industry utilities that facilitate the collection of responses to third-party risk assessment questionnaires and execution of onsite review are also saving effort in the risk assessment process.

Blanco: Managing the ongoing performance of third-party services relative to contract terms and conditions is an area that is well-suited to automation, as there are often many components that need to be assessed as part of the delivery of a complex service. Additionally, advances in cognitive contracting solutions further improve the onerous analysis necessary in the event that changes to terms and conditions are required across a large set of contracts.

R&C: To what extent should the assessment process be customised or tailor-made for different types of third parties a company interacts with? How can automation assist on this front?

Dowie: Our view is that organisations would benefit greatly from being ‘intelligence-led’ in their risk assessment process, in order to customise the focus and question set. A standardised, blanket approach may work for low risk third parties, but we would advocate customisation and risk are the focus for the remaining population.

Matthews: The more complex the service delivered by the third party, the more detailed the risk assessment is generally. Each organisation has a different risk appetite and organisational structure, and therefore a slightly different risk assessment process is required for similar services. This risk-based approach to tailoring third-party risk assessment is foundational in establishing a successful TPRM programme that is fit for purpose for an organisation.

R&C: What innovations are set to improve automated third-party risk assessments? How do you see the process evolving in the coming months and years?

Matthews: One of the more onerous aspects of the TPRM process is collecting responses to the risk assessment questionnaires posed to the third party. In a number of industries and locations globally, industry utilities or consortiums are being established to collect responses to a standard set of questions asked of a third party and the validation of the responses. While this is not technology automation per se, it does save time and money in the gathering and evaluation of information connected to the provision of third-party process. While at the moment these industry utilities may not cover the full inventory of third parties used by a large global organisation, this concept of cost sharing is gathering a lot of focus.

Rawls: New TPRM workflow solutions continue to be introduced every year. They provide a high degree of flexibility in configuration and customisation that is desirable given the different needs of the ultimate end-users. Certain providers of workflow solutions are newer entrants to the market, while others are established risk management solution and IT providers moving into having an integrated module for TPRM. Organisations should conduct a thorough review of potential solutions to ensure their choice is aligned to their specific needs.

Dowie: We are seeing organisations re-evaluate the risk assessment process, challenge the segmentation approach to ensure it remains fit for purpose, re-examine their ownership and operating model, and create a Centre of Excellence. These efforts are to better understand where the bottlenecks are and whether the internal stakeholders are evaluating potential risk and the mitigating controls in line with their role and responsibilities. Removing these bottlenecks is helping organisations to gain greater efficiencies in the process, which further augment the efficiencies provided through use of advanced technologies.

Blanco: It is not enough to expect technology to

solve all the problems of a TPRM programme, but

rather to use technology to automate and facilitate a

well-designed process. RC&

AUTOMATED THIRD-PARTY RISK ASSESSMENT


PERSPECTIVES

PROTECTING THE CROWN JEWELS: A GUIDE TO SAFEGUARDING TRADE SECRETS AND CONFIDENTIAL BUSINESS INFORMATION

BY ROBERT YONOWITZ

> FISHER PHILLIPS

Companies constantly search for new advantages over their competition. They dedicate significant financial and human capital resources to research and development of new or improved products and services, marketing and pricing strategies, and strategic business plans. However, these same companies often do not implement appropriate procedures to ensure that their employees do not take this valuable information with them when they leave to join a competitor or start their own competitive enterprise.

It is essential that businesses understand that, in order to enjoy judicial protection over confidential or trade secret information, they must be able to demonstrate that they took reasonable measures to ensure the secrecy of the information. The purpose of this article is to provide a practical approach for companies to take to protect this valuable information asset and to demonstrate that the business has taken reasonable steps to protect the company’s crown jewels.

Identify the ‘crown jewels’

The first step in protecting the crown jewels in your organisation is to identify to employees what the jewels are. You should effectively communicate a sufficient description and identification of the types of information that you want treated as confidential. Each employee should sign a nondisclosure/confidentiality agreement. These are valid in every US state – even in those that do not permit covenants not to compete (which are beyond the scope of this article).

A nondisclosure/confidentiality agreement accomplishes a variety of goals, the most important of which is that it confirms that the employee has been or will be exposed to certain company trade secrets and other confidential and proprietary information. Even in states that do not permit non-compete agreements, most will enforce a nondisclosure/confidentiality agreement that contains a non-solicitation provision. These provisions prohibit a departing employee from soliciting, directly or indirectly, your customers or clients through the use of confidential or trade secret information, regardless of where they are located, to do business with them.

While the existence of a nondisclosure/confidentiality agreement is one measure that demonstrates that your company has taken reasonable measures to protect your confidential/trade secret information, you still need to treat the paper/electronic information like the diamond you want to protect. Therefore, you must also implement physical and cyber security measures to control access to company confidential/trade secret information.

Setting up security measures

In terms of physical security, you should restrict access to servers, routers and other network technology to those whose job responsibilities require access. You should keep wire closets, server rooms, phone closets and other locations containing sensitive equipment locked at all times and should lock file cabinets and offices that store sensitive information. You should utilise sign-in and sign-out sheets for physical files to establish a traceable chain of custody that shows who had the files last before any alleged misappropriation. Finally, you should implement procedures to watermark or stamp all documents containing trade secrets or confidential information as “confidential information of X company”.

In terms of computer and cyber security measures, you should start with the basics. Not only should access to computers and computer networks be password-protected, but you should also require a separate level of password protection on sensitive databases and documents along with the encryption of key files and documents. Employees should not be permitted to select their own passwords but should instead utilise software programs that use an algorithm to randomly assign passwords that are a series of random letters and numbers. Passwords should be changed at regular intervals (e.g., every 10 to 30 days) or, for better protection, can be changed daily by using access medallions or similar technology. Have a policy that prohibits sharing of passwords among employees. Company policy should require the immediate deletion of an employee’s password and all of that employee’s network access rights on an employee’s termination or resignation from the company.

You must also have a policy in your handbook that permits your company to monitor and inspect all employee usage of company computers, internet, networks, external electronic storage devices, company-owned smart phones and other similar devices. The policy should clearly indicate that the employee should have no expectation of privacy in their use or access of any of these devices, networks or company internet. The policy should provide for employee consent to the company’s inspection of an employee’s home or other personal computer and electronic storage devices to recover the company’s confidential and trade secret information if necessary. An increasing number of companies are utilising keystroke surveillance software to monitor, record and audit employee usage of company computers and information to detect in real time any improper access, copying, downloading, cloud access or misappropriation of company confidential/trade secret information.

Regardless of whether you are using a cloud-based email server or an onsite physical email server, you should utilise an enterprise vault that automatically retains a copy of every sent and received email. This will prevent employees from being able to steal the crown jewels by sending emails containing this information to their personal email addresses and then deleting those emails to avoid detection. It is also an excellent way to preserve emails that may be useful in the event of litigation over the theft of such data.

Training

Training employees not to discuss or disclose your company’s trade secrets or confidential information to third parties is also an essential tool in demonstrating the reasonable measures that you take to protect your confidential/trade secret information. This should occur during the onboarding process for all new employees.

Exit procedures

None of the measures discussed so far will be sufficient if your company does not have an established exit interview procedure to make sure that, before an employee separates from the company, they have returned all of the crown jewels in their possession, custody or control.

The importance of a comprehensive exit interview cannot be overstated. An employer who does not take reasonable steps to retrieve any and all confidential and trade secret information that was in the possession, custody or control of the soon-to-be-departing employee will not be afforded protection of that information by a court. It is not sufficient to require the employee to sign a confidentiality agreement during the term of their employment. You must be able to demonstrate that you exercised reasonable measures to: (i) prevent the employee from taking confidential or trade secret information to a competitor; and (ii) recover the information from the departing employee, regardless of whether the information is in paper or electronic form.


The establishment of exit interview protocols as a pattern and practice creates positive evidence of the required reasonable measures, even if the departing employee misappropriates confidential or trade secret information. The exit interview protocol should start with having the departing employee inform you of and deliver to you all records, files, electronic data, documents, plans, reports, books, notebooks, notes, memoranda, correspondence, contracts and the like, whether in paper or electronic form, that are in their possession, custody or control that pertain in any way to the business of the company, including those that the employee prepared, used or came in contact with while employed by the company. During the exit interview, which should be attended by two members of management, your managers should remind the departing employee of their continuing duty not to disclose, use or misuse your company’s confidential and trade secret information. The managers should also remind the departing employee of all other critical obligations the employee has under the signed confidentiality agreement, including but not limited to any non-solicitation of customers through the use of confidential/trade secret information provisions. In that regard, the managers should try to obtain information about the departing employee’s new employer (which could help determine the potential risk of misuse of the company’s confidential or trade secret information).

Particularly in the age of increased telecommuting, exit interviewers should also request that the departing employee allow the company’s representative to inspect the employee’s personal (including home-based) desktop computers, laptop computers and removable storage media (such as CD-ROM discs, thumb drives and zip drives). This will help determine whether any of your company’s confidential/trade secret information resides on these computers or removable storage media and to remove any such information. You should be mindful of an employee’s right of privacy; but this is why good confidentiality agreements should require the employee to consent to a company search of such personal devices if used to access company confidential/trade secret information. It is also a better practice to only permit employees to access company confidential/trade secret information on company-issued devices. You should then have all accounts, network and remote access privileges and passwords of the departing employee immediately disabled.

Secure hardware and media

Because of departing employees’ access to confidential/trade secret information while employed with the company, all work desktop computers, laptop computers, hard drives, and removable storage media (such as CD-ROM discs, thumb drives and zip drives) used by the departing employee should be set aside and secured and not reissued to new employees. This allows these memory storage devices to be copied so that the copies can be examined for any evidence of misuse of confidential or trade secret information. It is important to put the original storage devices in a secure place to maintain chain of custody. The inspection should be done only on copies of the information in the storage devices. Once forensic examination is completed, the original devices can be wiped clean if there are no issues and then reinstalled or reused. If issues of potential misappropriation arise, retain the originals in safe custody for further use and examination in litigation.
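The preservation discipline just described (hash the original, examine only a verified copy, keep the original sealed under a chain-of-custody record) as an added Python example; this is not code from the article or its author, and the file names, the JSON-lines log format and the custodian field are assumptions made for the example.

```python
"""Preserve a departing employee's device image before any examination.

Added example, not from the article. Models the rule 'work on a verified
copy, seal the original, log custody': hash the original image, make a
copy, prove the copy is bit-identical, make the original read-only and
record each step in an append-only log. Names and formats are assumptions.
"""
import hashlib
import json
import shutil
import stat
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Return the hex SHA-256 of a file, streamed so large images fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def append_custody_record(log_path: Path, event: str, custodian: str, **details) -> dict:
    """Append one JSON-lines record to the chain-of-custody log and return it."""
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "custodian": custodian,
        **details,
    }
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def preserve_device_image(original: Path, evidence_dir: Path, custodian: str) -> dict:
    """Hash the original, make a verified working copy, and seal the original.

    Returns the hashes and paths so the caller can confirm the copy matches
    the original bit for bit before examination begins.
    """
    evidence_dir.mkdir(parents=True, exist_ok=True)
    log_path = evidence_dir / "custody.jsonl"  # assumed log name

    original_hash = sha256_file(original)
    append_custody_record(log_path, "original_hashed", custodian,
                          path=str(original), sha256=original_hash)

    working_copy = evidence_dir / f"{original.name}.working"
    shutil.copyfile(original, working_copy)
    copy_hash = sha256_file(working_copy)
    if copy_hash != original_hash:
        # A mismatched copy is worthless as evidence; refuse to proceed.
        working_copy.unlink()
        raise RuntimeError("working copy does not match original image")
    append_custody_record(log_path, "working_copy_verified", custodian,
                          path=str(working_copy), sha256=copy_hash)

    # The original becomes read-only so the examiner works on the copy only.
    original.chmod(stat.S_IRUSR | stat.S_IRGRP)
    append_custody_record(log_path, "original_sealed", custodian, path=str(original))

    return {"original": str(original), "original_sha256": original_hash,
            "working_copy": str(working_copy), "copy_sha256": copy_hash,
            "log": str(log_path)}


def verify_image(path: Path, expected_sha256: str) -> bool:
    """Re-hash an image (e.g. before litigation) and compare to the recorded value."""
    return sha256_file(path) == expected_sha256


def read_custody_log(log_path: Path) -> list:
    """Return the custody log as a list of records in the order written."""
    with log_path.open(encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a small fake disk image standing in for a real one.
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "laptop-1234.img"  # constructed name
        image.write_bytes(b"MBR\x00" * 4096 + b"CONFIDENTIAL pricing model v3")
        result = preserve_device_image(image, Path(tmp) / "evidence", "HR-rep-A")
        print(json.dumps(result, indent=2))
        for rec in read_custody_log(Path(result["log"])):
            print(rec["time"], rec["event"])
```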

Email

Next, you should have the employee’s entire email mailbox for their last 60 to 90 days of employment – including inbox, outbox, sent items and deleted items – immediately copied from your email backup medium or enterprise vault and preserved for possible examination for evidence of misuse of the company’s confidential or trade secret information. A copy of the employee’s email mailbox may also be made from the live email server.

Termination certificate

Finally, you should request that the departing employee sign a termination certificate that certifies they have returned all confidential/trade secret information. If a departing employee refuses to sign the termination certificate, that refusal can be used as circumstantial evidence of at least a threat of misappropriation of confidential or trade secret information.

By deploying these procedures, you can not only detect and prevent theft before it happens, but can demonstrate that you are entitled to the protection of your crown jewels. RC&


Robert Yonowitz

Partner

Fisher Phillips

T: +1 (949) 798 2113

E: [email protected]


PERSPECTIVES

COMPLIANCE WITH THE EVOLVING US SANCTIONS AND EXPORT CONTROL LAWS

BY LINDSAY B. MEYER AND DEVIN SEFTON

> VENABLE LLP

In the world of sanctions and export controls, the only constant is that they are constantly changing. US sanctions and export controls most readily reflect the president’s prerogative and can easily change based on a given president’s agenda and the evolving geopolitical environment. Furthermore, US sanctions and export controls can present extraterritorial risks for non-US businesses, which, in certain cases, could be exposed to US sanctions or export controls for transactions that have no nexus to the US.

Monitoring and processing changes in this area can present significant compliance challenges, particularly under the current administration. Here, we discuss significant developments regarding US sanctions and export controls that have occurred over the past year and present guidelines for anticipating and adapting to such changes.

Key changes to US sanctions and export controls in 2018

On 8 May 2018, president Trump announced that the US would withdraw from the Joint Comprehensive Plan of Action (JCPOA) and re-impose sanctions previously lifted under the deal. As of 5 November 2018, all sanctions that had been removed became effective again. Importantly, non-US persons can now be subject to sanctions for engaging in transactions involving certain industries in Iran, including Iran’s energy, shipping and automotive sectors. Furthermore, US-owned or controlled non-US businesses are broadly prohibited from engaging in any transactions involving Iran.

The US’s withdrawal from the JCPOA created a peculiar situation, with European Union (EU) and United Nations (UN) sanctions on Iran largely lifted while the US maintains comprehensive sanctions on Iran. To complicate matters further, on 7 August 2018, the EU imposed measures to prohibit EU-based companies from complying with US sanctions on Iran. This has put EU businesses ‘between a rock and a hard place’, forcing them to choose between violating EU law or US law.

Although many suspected that the Trump administration would ease sanctions on Russia, US sanctions on Russia have continued largely unabated. This is due, in part, to the Countering America’s Adversaries Through Sanctions Act (CAATSA), which Congress passed on 27 July 2017, and which codified certain sanctions imposed through executive orders issued by president Obama. CAATSA further authorised the president to impose sanctions on non-US persons who help persons listed on the Office of Foreign Assets Control’s (OFAC’s) Specially Designated Nationals (SDNs) list or Sectoral Sanctions Identifications (SSI) list to ‘evade’ US sanctions.

Since CAATSA’s enactment on 2 August 2018, the administration has designated numerous Russian entities and individuals, including a number of high-profile oligarchs and senior government officials. Furthermore, on 27 August 2018, the US State Department imposed new sanctions on Russia under the Chemical and Biological Weapons Control and Warfare Elimination Act of 1991 (CBW Act) in response to Russia’s involvement in poisoning two UK citizens. On 6 November 2018, the State Department notified Congress that it would impose a second round of potentially severe sanctions on Russia; however, the State Department has not stated when or exactly what sanctions will be imposed.

The administration has aggressively enforced export controls, with a clear focus on China. On 15 April 2018, the Bureau of Industry and Security (BIS) issued a Denial Order on ZTE, sending shockwaves through the international business community. The Denial Order, which prohibited any person from supplying US-origin goods to ZTE, sent the company’s supplier base scrambling to determine whether they were supplying ZTE with any US-origin goods or technology. However, on 13 July 2018, BIS reversed course and lifted the Denial Order after ZTE paid a $1bn fine and replaced its executive team, among other measures.

Just months later, Huawei’s chief financial officer, Meng Wanzhou, was arrested in Canada at the request of the US, because of allegations that Ms Wanzhou defrauded a number of banks regarding Huawei’s ties to Iran. The arrest has raised ongoing concerns among Huawei’s business partners that Huawei could suffer the same fate as ZTE, or worse.

On 13 August 2018, the Export Control Reform Act of 2018 (ECRA) and Foreign Investment Risk Review Modernisation Act (FIRRMA) were signed into law, introducing reforms to US export controls and the Committee on Foreign Investment in the US (CFIUS), which reviews and approves foreign investment in the US for national security concerns. The ECRA requires, among other things, that BIS identify “emerging and foundational technologies” that are “essential to the national security of the United States” and that are not currently controlled under the Export Administration Regulations (EAR). Once identified by BIS, these items will, at a minimum, require licences for export to countries subject to US arms embargoes, such as China.

Meanwhile, FIRRMA requires foreign investors in certain US businesses involving “critical technologies” to obtain approval from CFIUS. FIRRMA defines “critical technologies” to include items controlled under the EAR or International Traffic in Arms Regulations (ITAR), as well as “emerging and foundational technologies”. FIRRMA also expanded CFIUS’s jurisdiction to cover certain investments where a non-US person does not gain control over the target US business, including in cases where the non-US person will have access to “material non-public technical information” possessed by the US business. Starting 10 November 2018, certain foreign investors must submit a notification to CFIUS for “covered transactions” under CFIUS’s pilot programme.

On 25 January 2019, the Trump administration issued an Executive Order expanding sanctions on Venezuela, and shortly thereafter added Venezuela’s state-owned oil company, Petroleos de Venezuela, S.A. (PDVSA) to the SDN List. As a result, PDVSA’s US subsidiary, CITGO Holding, Inc., is now blocked. However, the administration issued certain general licences, which, among other things, allow US persons to wind down transactions with PDVSA and CITGO.

On 16 January 2019, the Trump administration announced that it was considering allowing US nationals to file lawsuits against certain persons, including non-US persons, that do business with Cuba. Namely, Title III of the Helms-Burton Act, enacted on 12 March 1996, provides a private right of action to US nationals to sue persons that ‘traffic’ in property confiscated by the government of Cuba on or after 1 January 1959. Since enactment, no claims could be filed under Title III because every administration has used its authority under the statute to suspend the right to file claims. However, on 1 February 2019, the Trump administration issued a shortened suspension of 45 days, instead of the full six months authorised under Title III. On 4 March 2019, the State Department issued a notice that it was suspending claims for an additional 30 days through 17 April 2019, except for claims against Cuban entities or sub-entities identified by name on the State Department’s list of restricted entities and sub-entities associated with Cuba (Cuba Restricted List). Thus, starting on 18 April 2019, US nationals can sue persons, including non-US persons, that ‘traffic’ in confiscated property, unless the administration issues another suspension.

Title III could be a major source of liability for both US and non-US businesses alike that do business with Cuba, as the statute defines ‘traffic’ broadly to include virtually any use or benefit from confiscated property, with exceptions for travel-related transactions, among other things. Currently, there are more than 5900 claims certified with the US Foreign Claims Settlement Commission (FCSC) relating to the government of Cuba’s confiscation of property owned by US nationals. These claims are valued at approximately $8.5bn, indicating the substantial liability arising from Title III for persons that do business with Cuba.

In addition to allowing Title III claims, there is reason to believe that the administration may implement further restrictions on travel to Cuba under the Cuban Assets Control Regulations (CACR). Namely, the CACR authorises US persons to engage in certain forms of travel that could potentially create liability under Title III, resulting in a somewhat inconsistent sanctions regime. Therefore, there is a good chance that the administration will revise the CACR to align with Title III, by imposing additional restrictions, including restrictions on travel and travel service providers.

Best practices for adapting to change

The whirlwind of changes in 2018 has presented unique challenges to both US and non-US businesses alike. Nonetheless, among the practices that businesses can use to anticipate and adapt to changes in US sanctions and export controls are: (i) monitoring legal and regulatory developments on a continual basis and revising policies as needed; (ii) including clauses within all agreements that ensure such agreements automatically terminate if, for whatever reason, the agreement violates US sanctions or export controls; and (iii) engaging in periodic due diligence of vendors, customers and other business partners.

To properly monitor for legal and regulatory developments, businesses should ensure that someone is explicitly tasked with this responsibility and provided with sufficient resources for the task. Furthermore, among the language that should be explicitly stated in termination clauses is a statement that the agreement will automatically terminate if the counterparty is designated as an SDN or as a restricted party, or becomes blocked by virtue of the counterparty’s ownership by an SDN or restricted party.

Finally, in addition to having a risk-based screening programme for screening new vendors, customers and other business partners, it is important to conduct periodic screening of existing business partners, given the almost daily changes that are made to the SDN List and other restricted party lists. Furthermore, as noted, because of the ‘50 percent rule’, companies that are not listed on a restricted parties list can become blocked parties by virtue of being owned or controlled 50 percent or more by an SDN or SSI. Therefore, periodic screening should include conducting due diligence on each business partner’s ownership in addition to confirming whether the company is on the SDN List. RC&

Lindsay B. Meyer

Partner and Co-Chair International Trade

Venable LLP

T: +1 (202) 344 4829

E: [email protected]

Devin A. Sefton

Associate

Venable LLP

T: +1 (202) 344 4161

E: [email protected]


PERSPECTIVES

A WAVE OF EXPORT REGULATION TO HIT US TECHNOLOGIES

BY REID WHITTEN AND LISA MAYS

> SHEPPARD, MULLIN, RICHTER & HAMPTON

A wave is coming. An enormous wave of regulation will soon crash on Silicon Valley, Boston and other tech centres around the United States, and very few people have their surfboards ready.

From biomedicines to virtual reality goggles to robotics, technologies in exciting emerging fields will soon be subject to strict export controls that will limit who can receive them, use them and even research them. A swell of US export controls is building and will break across a sweeping expanse of leading-edge technology that Americans have come to think of as the new normal.

Forthcoming export controls will disrupt logistics planning, information sharing, R&D and acquisition strategies for companies in the US and all around the world.

A swell on the horizon – the coming controls

In the past, export controls and other regulations have lagged a step or two behind the times. That trend has accelerated with the pace of technological advancement. As a result, for many years, commercial technical innovations in fields like data analytics, microprocessors and navigation could be freely exported without significant restrictions because they had simply gone beyond what regulators could think to name in their regulations. As long as the items were not designed for military application, and no significant encryption technology was involved, new ideas developed in the US were simply unaccounted for by the export controls in the US Export Administration Regulations (EAR).

However, the US Department of Commerce, Bureau of Industry and Security (BIS) is about to make up a lot of ground in a single, large leap. The tsunami it will unleash in its regulatory overhaul will splash down on sectors like biotech, computing, artificial intelligence, positioning and navigation, data analytics, additive manufacturing, robotics, brain-machine interface, advanced materials, and surveillance.

Controlling the break – commenting on the rules before they take effect

BIS is in the process of writing the regulations. Since the regulations are not yet set in stone, you may formulate and submit the arguments to BIS that may limit the impact of these regulations on your business.

On 19 November 2018, BIS published essentially an open invitation to comment on the criteria for establishing new export controls on what it calls “emerging and foundational technologies”. The new controls are authorised under the Export Control Reform Act of 2018 and the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA).

The list of technology fields targeted for review is as follows: (i) biotechnology; (ii) artificial intelligence (AI) and machine learning technology; (iii) position, navigation and timing (PNT) technology; (iv) microprocessor technology; (v) advanced computing technology; (vi) data analytics technology; (vii) quantum information and sensing technology; (viii) logistics technology; (ix) additive manufacturing; (x) robotics; (xi) brain-computer interfaces; (xii) hypersonics; (xiii) advanced materials; and (xiv) advanced surveillance technologies.

Interested parties submitted public comments on the proposed rule before the 10 January 2019 deadline. This rule was an Advance Notice of Proposed Rulemaking (ANPRM), so before finalising the regulations, BIS will likely publish a Notice of Proposed Rulemaking, again inviting interested parties to comment on the proposed regulations. In addition, BIS will issue a separate ANPRM regarding identification of foundational technologies that may be important to US national security.

These rulemakings represent your opportunities to be heard. There is no guarantee that public comment will alter the course of the new restrictions, but it may be worth a try to argue for changes that may help preserve your options for the future.

Feeling the curl – understanding the coming controls

The controls are not yet in final form so we cannot predict in detail the implications of those controls. However, we have seen and ridden waves before. Based upon our experience and the information BIS provided in its request for comments and industry chatter, we can provide the following information.

General implications. If your company creates technology or products in an emerging technology sector, new export restrictions will not only limit who can receive your exports, but will also restrict the disclosure of technology to foreign nationals even within the US. If the controls follow the pattern of most EAR controls, the export of products and the disclosure of related technology and know-how will require licences, depending on the destination, end-user and end-use of the product or information. Where technologies are already widely available outside of the US, BIS may not be able to restrict that technology.

Implications for collaboration. Depending on the criteria BIS develops for these controls, persons who are not US citizens or green-card holders may need licences to participate in researching and developing some of these emerging technologies.

Implications for exports. As the new regulations are developed, exports of your products, parts and components in these sectors may require export controls. This may be true for final shipments as well as for movements throughout your manufacturing supply chain. For example, if your logistics chain includes fabrication in Mexico, or assembly, testing and packaging (ATP) in China, you may need to plan for the potential impacts on your manufacturing process.


Implications for mergers, acquisitions and investments. The emerging technology sector continues to see historic volumes of investment and M&A activity in a vibrant US economy. The new regulations will also affect US national security review of foreign investments in these sectors. Specifically, when the list of technologies is finalised, many types of foreign investments in these sectors (including not only outright acquisitions of US companies, but also certain minority investments) will be subject to review by the Committee on Foreign Investment in the United States (CFIUS). CFIUS has the power to halt or unwind a deal, and the power to impose restrictions on a foreign acquirer’s access to technology. This development has the potential to radically alter the structuring, timing and valuation of foreign investments in these sectors.

Getting ready to ride – planning for the controls

Recently, we have seen companies caught off guard by the rapid pace of regulatory change in the Trump administration. This has been the case even when the president and the administration have clearly signalled policy changes in advance (as in the case of the immigration ban, tariffs on China and changes to NAFTA).

BIS’s announcement of these forthcoming rules signals a real and substantive movement toward limiting foreign access to leading-edge technologies. Companies in the affected sectors could gain an advantage over their competition if they act early. They can paddle a bit ahead and ride this coming wave, rather than tumbling in its wash.

Your company may wish to consider adjustments to your research, manufacturing, export and investment strategies to handle the forthcoming changes. In our view, this wave of regulation will have a big impact on US advanced technology sectors. Companies should continue to monitor and consider submitting comments and implementing internal controls to account for the upcoming changes.


Reid Whitten

Managing Partner, London Office

Sheppard, Mullin, Richter & Hampton

T: +44 (0)20 3178 7831

E: [email protected]

Lisa Mays

Associate

Sheppard, Mullin, Richter & Hampton

T: +1 (202) 747 2307

E: [email protected]

PERSPECTIVES

ARTIFICIAL INTELLIGENCE AND COMPETITION

BY KATRIN SCHALLENBERG, AMELIE LAVENIR AND FILIP SALAMITOV

> CLIFFORD CHANCE

Antitrust enforcement in the digital space is one of the hot topics of the moment and is likely to remain one during the years to come. The internet economy does indeed attract increased scrutiny from competition authorities across the globe. The European Commission’s (EC) record fines against Google and the recent Facebook decision by the German Bundeskartellamt (BKA) are just two prominent examples of this development.

An area that has attracted a lot of media attention and public debate is how artificial intelligence (AI) can facilitate anti-competitive behaviour. We have seen headlines claiming that algorithms will outsmart consumers by allowing companies to coordinate and fix higher prices without the need for any human contact. But is that actually true?

So far the verdict seems to be: no. No (artificial) smoke without (human) fire; collusion between competitors animated by technology can always be linked back to human conspiracy, and no matter how fancy the algorithm, at the end of the day the machine executes what competitors A and B agreed.

But it would be too simplistic to stop here, as AI can play a role in increasing a company’s antitrust risk exposure in various situations: for example, companies or consultants using similar algorithms to maximise profits, resulting in aligned pricing strategies, or the financial industry’s use of algorithms to obtain and exchange information among banks for the trading floor. AI can help companies with market intelligence and thus increase market transparency. Another area where AI can play a powerful role is in helping companies with market power to strengthen their dominance. One illustration of this is the EC’s Google shopping case, where Google algorithms favoured search results for Google’s own shopping sites over competing sites.

This article aims to address these various situations and the way AI can expose companies to an antitrust risk.

Collusion through algorithms

As stated from the outset, AI has not (yet) replaced humans when it comes to cheating the system. But what AI can very efficiently do is to help humans implement their nefarious plans.

For instance, in 2018 the EC sanctioned Asus, Denon & Marantz, Philips and Pioneer a total of over €111m for imposing online resale prices on their distributors, in cases where internal software tools were used to effectively monitor the distributors’ compliance with instructions, and especially with the set resale price.

In 2016, the UK Competition and Markets Authority (CMA) sanctioned two companies that had agreed not to undercut each other’s prices on Amazon Marketplace, and had used automated re-pricing software to implement their agreement. In addition to a fine, the CMA also sought, for the first time, the disqualification of the managing director of one of the undertakings, who undertook not to act as a director of any UK company for five years.

These examples illustrate that current competition rules accommodate traditional forms of explicit collusion implemented through algorithms.

That said, competition authorities will take account of all relevant factors when assessing the functioning and effect of an algorithm. For instance, the Competition Authority of Luxembourg recently found that although the pricing algorithm implemented within a taxi booking platform essentially constituted a horizontal price fixing agreement, as it allowed companies using the platform to adopt the same pricing strategy, it also enabled customers to benefit from improved service and consistent offers that outweighed the potentially unlawful character of the algorithm.

The situation is less clear when it comes to AI that helps companies gather market intelligence to adapt their pricing strategy. In principle, competition law does not prohibit market parallelism resulting from companies monitoring the commercial strategy of their competitors and adjusting their own strategy accordingly. In other words, tacit collusion is not in itself illegal, at least in most competition regimes.

Where this can potentially raise concerns, though, is where markets are concentrated, and where such increased transparency leads to higher prices and ultimately consumer harm. Such concerns might arise in outright agreements between competitors, but also in ‘hub & spoke’ agreements, e.g., cases where competitors use the same third-party software to help them determine their respective strategies, and that third-party software feeds the confidential data provided by each company into an algorithm to maximise pricing for the industry. For example, petrol stations in the Netherlands and Denmark allegedly already use the same third-party software that allows pricing optimisation based on dynamic profiles of customers and competitors.

This situation might be regarded as problematic, as it essentially enables the indirect exchange of business-sensitive information. There are currently no decisions sanctioning such behaviour, but as Maureen Ohlhausen, former Commissioner of the US Federal Trade Commission, said in a speech: “[i]s it ok for a guy named Bob to collect confidential price strategy information from all the participants in a market, and then tell everybody how they should price? If it isn’t ok for a guy named Bob to do it, then it probably isn’t ok for an algorithm to do it either” (FTC, 2017, p.10).

Personalised pricing: pro- or anti-competitive?

Competition authorities are also turning their attention to unilateral conduct, which the use of data and algorithms may allow, and in particular personalised pricing, i.e., situations where companies charge different prices to consumers for the same good or service.

In such cases, prices are set, for each customer, taking into account a number of additional factors which can be market-related, notably the prices of other competitors, but also customer-related, especially the price sensitivity of each customer.

Dynamic pricing can therefore be pro-competitive because it makes prices flexible, hindering collusion between market players.

However, personalised pricing can also amount to abusive practice when implemented by a dominant undertaking, if it leads to discriminatory or excessive pricing. The CMA launched research into this area in the autumn of 2018 to assess how widespread this is in practice, how it is applied and whether it may indeed prevent customers from getting the best deals.

Some competition authorities initiated investigations in situations involving dynamic pricing, but cases were concluded without finding an infringement of competition rules.

The French Competition Authority (FCA) looked into software used by car manufacturers for the pricing of spare parts whose prices allegedly increased significantly. Although there were allegations of excessive prices, the FCA did not initiate a full investigation.

In Germany, the significant increase in prices charged by Lufthansa (and set through an algorithm) on certain routes after the insolvency of Air Berlin caught the eye of the BKA. The case was, however, closed as the BKA considered the price increase did not justify proceedings for an abuse of dominance, emphasising that “the question whether the price increases were the result of a price algorithm or human intervention was of no significance” (BKA Lufthansa case, Press Release 2018).

Companies should nevertheless be aware that the approach taken to excessive pricing varies across jurisdictions. Moreover, authorities dealing with consumer protection might find appropriate legal basis for further action – in this regard, it is worth noting that in the UK, the Financial Conduct Authority is also investigating personalised pricing (in relation to car and home insurance).

‘Compliance by design’

Some features of the incurred liability remain uncertain – and the development of artificial neural networks, and algorithms that move away from implementing pre-designed functions to ‘autonomous’ reasoning, will no doubt raise additional issues in this regard.

Companies cannot invoke the involvement of algorithms to escape liability: in the same way that a company is liable if one of its employees takes part in a cartel, even when that individual is acting alone, the company can also be liable for any anticompetitive action undertaken through or even by an algorithm it uses. Companies must respect the rules, and may not use algorithms to implement strategies in blatant violation of antitrust rules, such as agreements not to undercut a competitor’s prices.

To be on the safe side, before using any AI tool, companies should always ask the right question: “Would I do this in the absence of the technology?”

Further, competition authorities consider that companies have a responsibility to ensure any AI tool they might use does not enable any violation of competition law rules. Margrethe Vestager, EU Commissioner for Competition, thus recommends a ‘compliance by design’ approach, i.e., that pricing algorithms be designed in a way which prevents their collusion (EC, 2017, p.5). For instance, the actions of algorithms can be restricted in light of competition rules and show a warning sign in case of potential infringement. The CMA also presented helpful red flags for companies, by identifying three main risk factors where algorithms may lead to some form of anticompetitive coordination: first, the time horizon of the designed decision-making process (short-term objective functions reducing the chances of collusion); second, the number of actors using the same algorithm in the market; and third, the type of data input into the algorithm (i.e., whether data from many competitors is being used) (CMA, 2018, pp.48-49).

While traditional antitrust rules seem to sufficiently capture collusive behaviour facilitated or implemented by AI, the risk may be more difficult to manage where companies have strong market positions and use AI to optimise their market behaviour. Discrimination is the obvious area where companies, through technology, discriminate against competitors (the Google shopping example) or among customers (through personalised pricing). However, it is at least questionable whether the ability to discriminate comes from the technology or the access to data allowing such discrimination. In this regard, Peter Norvig, Google’s Chief Scientist, when asked about the secret to Google’s success, contended: “We don’t have better algorithms than anyone else; we just have more data”.


Katrin Schallenberg

Partner

Clifford Chance

T: +33 1 4405 2457

E: [email protected]

Amelie Lavenir

Associate

Clifford Chance

T: +33 1 4405 5917

E: [email protected]

Filip Salamitov

Trainee Lawyer

Clifford Chance

T: +33 1 4405 2497

E: [email protected]

ONE-ON-ONE INTERVIEW

COMPLIANCE CONSIDERATIONS FOR MARIJUANA BUSINESSES

Nick Parfitt

Head of Market Planning

Acuris Risk Intelligence

T: +44 (0)20 3741 1200

E: [email protected]

Nick Parfitt is responsible for determining Acuris Risk Intelligence’s approach to the market and building subject-matter expertise. He has 18 years’ experience in project and programme management, business process change and in implementing technology and business solutions at financial services, telecoms and public sector organisations. His experience in the financial crime sector spans seven years, helping tier one financial institutions assess and improve AML, KYC and sanctions operations. Mr Parfitt has worked for several tier one banks in the UK and holds an MBA (Distinction) from Cardiff University, and a BA (Hons) in Biochemistry from Imperial College.


R&C: How would you describe the regulatory and compliance challenges currently facing businesses in the regulated cannabis industry?

Parfitt: Regulatory and compliance challenges in this industry are very much dependent on the jurisdiction. There is a lot of variation around the world, and just because cannabis is legalised in one country does not necessarily mean that it is legal to do business from another country with entities that are involved in the industry. As it stands today, three countries have legalised the recreational use of marijuana: Canada, Uruguay and Portugal. The US poses a specific challenge: while most states have either legalised or decriminalised marijuana use, at a federal level it remains illegal. Consider the international dimension too, and the legality of doing business with legal marijuana-related businesses (MRBs). In Canada, for example, Deloitte estimates the value of the legal cannabis industry at approximately $4.34bn in 2019. Could UK businesses participate? The UK’s Proceeds of Crime Act (POCA) only considers whether the predicate activity – ‘criminal conduct’ – is legal in the UK, and not the legal status where it was undertaken. So, any revenue derived by a UK company from a Canadian MRB would constitute the proceeds of crime.

R&C: What legal and regulatory hurdles do marijuana businesses need to overcome when operating in this market? To what extent are dispensaries, growers and infused products companies struggling to meet these demands?

Parfitt: From a US perspective, the challenge remains in the banking sector and in anti-money laundering (AML) regulations, which make banks reluctant to do business with legitimate MRBs. While the federal government has been clear that banks can work with MRBs, they must file suspicious activity reports (SARs) regardless of whether or not the related state has legalised marijuana. This is further complicated by legal requirements to report on anyone depositing funds ‘derived from illegal activity’. In theory, this even means a bank should file a report on a state government that derives taxes from legal MRBs. So if a dispensary cannot obtain banking and financial services, it will find it almost impossible to operate – banking cash, paying wages, and so on, just becomes too difficult. And, given this activity is still illegal at the federal level in the US, then businesses and individuals can still become a focus for federal law enforcement that can result in investigation and civil asset forfeiture for non-compliance. It is therefore imperative that MRBs understand their regulatory requirements and adhere to them so that financial institutions can successfully comply with the Financial Crimes Enforcement Network’s (FinCEN’s) 2014 guidance and formula for assessing risk.

R&C: Have you seen an uptick in regulatory enforcement activity and scrutiny of compliance transgressions? What kinds of penalties might marijuana businesses expect to face if they are found to be in breach?

Parfitt: Just considering the US, to date reports suggest there has been no instance where federal law enforcement has cracked down on a legal cannabis operation, and there is little evidence either of increasing compliance transgression enforcement. The whole MRB industry is really in its infancy, but will change as marijuana licensing authorities know that the long-term survival of the industry requires enforcement of rules and regulations. The main challenge for MRBs operating legally is that they do not become the subject of traditional federal AML violations or non-compliance of regulations or state law, which could invite official federal investigation. Federal prosecution for money laundering remains a top concern for MRBs and the financial institutions with whom they have relationships. A recent example is the owner of a Maine company that is licensed to grow medical marijuana but has a business association with an individual who is currently facing illegal firearm possession and marijuana trafficking charges in the federal district court in Maine. This association left the business owner open to allegations of non-compliance with both Maine’s medical marijuana laws and federal money laundering rules, as well as drug trafficking. The result is that some of the business owner’s properties are subject to civil federal forfeiture, the business is undergoing federal investigation and a deal to acquire the company for $8.3m allegedly fell through.

R&C: What essential advice can you offer to marijuana businesses looking to maintain compliance in the regulated cannabis industry? Do you believe they need to do more to meet compliance requirements?

Parfitt: Be ‘squeaky clean’, know your compliance obligations and treat them very seriously, and expect your compliance spend to be significant. A good place to start is to understand FinCEN’s guidance to financial organisations for customer due diligence compliance, and ensure that you are compliant. Furthermore, MRBs need to understand that they are still high-risk businesses and the relevant AML obligations should be ‘baked’ into everything they do, along with policies, procedures and controls to mitigate risks. Many companies that need to comply with AML regulations fall short in some way or another. Given the nature of this industry and its newness, we suspect there will be many gaps and, more importantly, a lack of real understanding from businesses as to what their regulatory obligations are.

R&C: What processes and tools should marijuana businesses consider as they work to remain compliant with regulatory requirements, and create a programme in which they can proactively manage associated risks?

Parfitt: The challenge currently for US MRBs is that compliance generally refers to state licensing compliance requirements throughout the whole ‘seed-to-sale’ supply chain. There do not appear to be AML regulations on the MRBs themselves, but rather on the financial institutions that provide financial services to them. This supply chain is long and includes growers, processors, manufacturers, wholesalers and retailers who sell cannabis products to the end consumer. All parts of the chain must be compliant and ensure each is duly licensed. So, to be in a good place when it comes to demonstrating compliance with state licensing, businesses have a long list of obligations. This list includes performing due diligence, having a system to record each party within the supply chain, knowing who the beneficial owners are, identifying whether there is any reputational risk exposure hidden within any of the entities, and proactively monitoring these relationships. While MRBs are some way from being required to implement formal AML policies, there are lessons to be learned which will benefit their business practices and help meet future regulatory requirements. As with the Maine example, knowing your business relationships is very important, so enhanced due diligence should be applied where necessary.

R&C: To what extent are marijuana businesses struggling to keep pace with the operational costs of compliance? How can technology help to enhance or upgrade existing systems?


Parfitt: The issue for financial institutions is whether they have a business risk appetite to provide services to this sector given the current legal situation. Although revenues can be significant, so too can the cost of compliance. The opportunity is highly material. BDS Analytics forecasts legal cannabis spending in North America to reach $47.3bn by 2027, with significant innovations predicted. Financial institutions need to look for supporting data and information to support their due diligence procedures in a more streamlined approach similar to due diligence performed on entities today under AML requirements. Who are the beneficial owners? What licences do they hold and under which state? Is there a reputational risk exposure? Current systems should be looked at to support this niche, but rapidly expanding, business segment so that appropriate controls can be implemented to achieve compliance.

R&C: What is the outlook for the regulated cannabis industry? Are compliance challenges set to increase over the months and years ahead?

Parfitt: Directionally, this industry is only going to go from strength to strength, albeit at different paces depending on the jurisdiction. In Canada, initial public offering (IPO) activity for 2019 is likely to slow, according to Jason Wilson, a partner at ETFMG Alternative Harvest ETF, who states that this is likely due to the existing MRB companies that did achieve IPO in 2018 and now must deliver to their investors. In the US, while the legal stance is still precarious, the likelihood of federal investigations into businesses that can demonstrate that they are acting legally in their own states is waning. This follows the dismissal of attorney general Jeff Sessions, who was seen to be very biased against the legalisation of cannabis, the apparent endorsement by FinCEN, and the hope that a bill proposed in June 2018 by Charles Schumer gains traction. This bill would remove marijuana from its difficult place on the Controlled Substances Act list, effectively decriminalising it at a federal level. From a global perspective, there are some 26 countries where cannabis is in effect legal or decriminalised, and this trend is likely to increase over time. In terms of compliance challenges, as with any AML programme, as a business becomes more complex and multijurisdictional, and as revenues increase, it will become more complex and expensive to ensure effective controls and to comply with each jurisdiction’s nuances.

PERSPECTIVES

THE SHORTAGE OF FUELS IN MEXICO – MANAGING CRISIS AND COMPLIANCE

BY JAVIER LOPEZ DE OBESO

> SCOTTHULSE PC

On 1 December 2018, Andres Manuel Lopez Obrador (popularly known as ‘AMLO’) took office as president of Mexico after being defeated in two previous presidential campaigns. One of AMLO’s principal campaign promises was that he would end the cancerous corruption in Mexico generated by the previous governments.

For several years, criminal gangs popularly known as ‘Huachicoleros’ (with the stolen product known as ‘Huachicol’) have targeted the pipelines that run through Mexico transporting refined products from refineries to distribution points. The Huachicoleros tap into a pipeline, siphon off gasoline and diesel and resell it, all under the blind eye of allegedly corrupt officials of Pemex, the state-run energy company, local authorities and security agencies.

The Huachicoleros apparently receive sensitive information from Pemex’s officials that helps them tap the pipeline, and allegedly corrupt officials omit to report any technical sign of an illegal tap, such as a decrease of pressure in the pipeline or differences between the product sent into the pipeline and the product received at the distribution centre. Local authorities and the security agencies allegedly provide protection to the Huachicoleros.

This network of allegedly corrupt officials and Huachicoleros has generated an illegal market in fuels that authorities estimate costs Pemex, and thus Mexico, more than US$3bn every year. To fight these criminal gangs, in the final days of December 2018, AMLO ordered a shutdown of Pemex’s pipelines that feed the country with refined fuels. This shutdown caused a shortage of fuels in several areas of Mexico for as long as three weeks. Even today, the situation has not been resolved in certain areas.

AMLO’s decision to shut down the pipelines, causing widespread shortages in several areas of the country, was generally welcomed by the population, who saw it as necessary to stop the theft of fuels. However, the government’s overall strategy to reduce fuel theft has raised several red flags of corruption, such as those outlined below.

Lack of law enforcement. The government has not announced the commencement of legal proceedings against all of the Pemex officials who for years have allegedly allowed the theft of fuels. Government efforts have been focused on finding and destroying the illegal taps, but have not advanced to enforcement of criminal and administrative sanctions against the corrupt officials who allowed these crimes over the years, including Pemex officials, local law enforcement and other authorities that decided to ignore the problem.

Enforcement against the Pemex union has also been lacking. The union has more than 200,000 members and has been controlled by Carlos Romero Deschamps since 1996. This leader was mentioned by Forbes Magazine as one of the most corrupt Mexicans of the year 2013. Romero has been implicated in various scandals while head of the union, including the so-called Pemexgate case, in which the union was found to have diverted 500m pesos to the 2000 presidential campaign of PRI candidate Francisco Labastida. He has also been criticised for his ostentatious lifestyle, including giving a limited-edition Ferrari to his son and picking up the tab for his daughter’s lavish wedding.

The lack of supervision and control over the product transported by the pipelines, allowing the Huachicoleros to make numerous illegal taps, is difficult to imagine without the possible participation of the Pemex union, which may have provided the technical knowledge to tap the pipeline or insider information, such as possible security operations, or looked the other way instead of reporting lost product.

Soon after AMLO launched his crusade against the Huachicoleros, and the possible participation of the Pemex union in the theft of gasoline was raised, Romero obtained a court order (‘Amparo’, akin to habeas corpus) that prevents the authorities from arresting Romero to face charges related to the alleged cooperation of the Pemex union with the Huachicoleros.

There cannot be a real strategy against corruption without exemplary sanctions brought against offenders, and preventive actions taken to avoid similar situations arising in the future.

Shady purchase of tanker trucks. In order to avoid shortages in several regions of the country, Pemex should first have guaranteed supply in the areas affected by the pipeline closure by means of distribution with tanker trucks, and only then closed the pipelines, rather than the reverse: closing the pipelines and then trying to normalise supply with tanker trucks. Since the need for tanker trucks arose, the federal government has spent approximately US$92m to purchase 571 new tanker trucks that will deliver fuel to states where supplies have been scarce since the pipeline was shut down.

As a general rule, all governmental purchases must be made through a public and open bidding process. Without any explanation or comment, simply citing the urgent need to address fuel shortages, the government bypassed the usual public bidding process and purchased the tanker trucks by direct award from unknown suppliers.

In addition to the absence of public bidding, the tanker trucks did not comply with the technical and safety regulations required for the transportation of petroleum products on Mexico’s roads. Once the press revealed this situation, the Ministry of Transport changed the safety standard to adapt it to the tanker trucks purchased, allowing the trucks to roam freely on Mexican roads.

Following the direct purchases, the Mexican Association of Ethics and Compliance Professionals (Asociación Mexicana de Profesionales de Ética y Cumplimiento, or ‘AMPEC’), among other professional organisations, issued a press release advising the federal government to be extremely cautious during the execution of these ‘panic’ purchases, as they were not necessarily transparent government spending.

The decision to skip a bidding process and expedite a change to transport safety standards sends the wrong message about an apparent lack of commitment to transparency and to obtaining the best prices available to the government in the market.

Alejandro Hope, a security consultant in Mexico City, recalls the war on drugs launched by President Felipe Calderon after he took office in 2006. It was popular at first, but then the bodies started piling up – and Mexicans started to wonder if their government knew what it was doing. AMLO has opted for “an epic crusade instead of a permanent, systematic effort to end gasoline theft,” said Hope, as reported by Bloomberg. “They’ve focused their strategy on closing supply and stopping the commercial network, but not on taking apart the groups that control theft.”

Fuel distribution presents several compliance challenges, such as those described here. The most relevant insight from this shortage of fuels is that it was created by action to fight corruption inside Pemex and in various state and municipal governments; but such actions to fight corruption should be executed without affecting citizens.

In recent days, the Mexican government has announced its investigation into several companies involved in the resale of Huachicol, and the dismissal of some Pemex officials involved in the support given to the Huachicoleros. Many actions are pending, but in the end, all actions taken in order to fight corruption must be welcomed, revised and improved.

It is still too early to tell whether this new government will apply the best international practices to fight corruption – practices tested and proven in private industry or in other countries. One thing is certain: AMLO’s government is going in a different direction than the previous government regarding its strategy to fight corruption, with a strong and direct tone-at-the-top from AMLO.


Javier Lopez de Obeso

Attorney At Law

ScottHulse PC

T: +1 (210) 202 2316

E: [email protected]

HOT TOPIC

IMPACT OF CFIUS REFORMS FOR PE HOUSES

Jeremy B. Zucker, co-chair of the firm’s International Trade and Government Regulation practice, advises clients on international trade regulatory compliance matters, including in relation to anti-bribery (the US Foreign Corrupt Practices Act (FCPA)), export controls (the Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR)), economic sanctions programmes administered by the Office of Foreign Assets Control (OFAC) and the anti-money laundering (AML) provisions of the USA Patriot Act. Mr Zucker is a member of the Sanctions Subcommittee of the US Department of State Advisory Committee on International Economic Policy.

Jeremy B. Zucker

Partner

Dechert LLP

T: +1 (202) 261 3322

E: [email protected]

Tim Keeler, an attorney in the Government Relations & Public Law and International Trade practices, joined Mayer Brown in 2009, and brings an in-depth knowledge of international trade law and economic policy matters, and a history of working in the Executive Branch and Congress on major economic, legislative and regulatory issues.

Timothy J. Keeler

Partner

Mayer Brown LLP

T: +1 (202) 263 3774

E: [email protected]

Michael Leiter is a partner in the National Security practice of Skadden, Arps, Slate, Meagher & Flom, LLP. Mr Leiter represents clients in matters involving US national security and cyber security, cross-border transactions and government investigations. Mr Leiter has served in a number of senior national security positions in the federal government, including as the director of the National Counterterrorism Center from 2007 until 2011 for both Presidents Bush and Obama. Mr Leiter has also served in senior positions within the private sector including at Leidos and Palantir.

Michael E. Leiter

Partner

Skadden, Arps, Slate, Meagher & Flom LLP

T: +1 (202) 371 7540

E: [email protected]

PANEL EXPERTS


R&C: Could you provide an overview of the expanded scope of transactions subject to review by the US Committee on Foreign Investment in the United States (CFIUS), following the Foreign Investment Risk Review Modernization Act (FIRRMA) signed into law in August 2018?

Zucker: FIRRMA is the first overhaul of CFIUS in the past decade; it is the result of longstanding debates about how best to balance protecting national security while promoting inbound investment in the United States. Historically, CFIUS reviewed ‘covered transactions’, which included mergers, acquisitions and takeovers that could result in non-US control of a US business. FIRRMA significantly expanded this authority to include: review of inbound real estate investments that are co-located near US defence installations or other US national security facilities; investments or changes in rights involving a US business working in critical infrastructure or critical technology or possessing sensitive personal data regarding US citizens; and investments intended to evade CFIUS review. Though CFIUS has always been empowered to initiate reviews on its own, prior to FIRRMA, the Committee review process generally involved voluntary notifications by transaction parties. FIRRMA added a mandatory filing requirement for certain investments, ‘whether or not controlling’, in critical US businesses.

Leiter: Before FIRRMA, CFIUS’ jurisdiction was limited to transactions resulting in foreign control of a US business. FIRRMA expanded CFIUS’ jurisdiction in a few key respects. First, CFIUS may now review some non-controlling investments that concern critical technology, critical infrastructure or sensitive personal data of US citizens. CFIUS will consider how these transactions give foreign investors access to non-public information and provide authority to make decisions to develop and use that information. In October, CFIUS began a ‘Pilot Program’ to implement this expanded jurisdiction for critical technology transactions, including FIRRMA’s requirement for filing mandatory declarations about these transactions before closing. Second, FIRRMA expanded CFIUS’ jurisdiction over real estate transactions, including to properties that are undeveloped, or that will be leased. Third, certain changes in rights are now covered transactions, even if not tied to new investment. Extending jurisdiction to these transactions and creating mandatory filing requirements are paradigm-shifting changes.

Keeler: FIRRMA amended the definition of what constitutes a ‘covered transaction’. As a result, CFIUS now has the authority to review non-controlling investments in certain categories of US businesses – and under CFIUS rules and practice, ‘control’ is already a low threshold, for example 15 percent and one board seat in one publicly known transaction. FIRRMA defines these categories as US businesses that own, operate, manufacture, supply or service critical infrastructure, that produce, design, test, fabricate or develop ‘critical technologies’, or that maintain or collect the personal identifying information (PII) of US citizens that could be used in a manner that threatens national security. FIRRMA has defined such non-controlling investments as any investment by a foreign person in any of these three categories of US businesses that provides the foreign person with access to material non-public technical information in the possession of such US businesses, provides membership or observer rights on the board of directors, or provides involvement in substantive decision making regarding the sensitive PII of US citizens, critical technologies and critical infrastructure. FIRRMA also authorises CFIUS to review transactions that involve the purchase or lease by, or concession to, a foreign person of private or public real estate that is located in the US and is in close proximity to a US military installation or other sensitive US government facility or property or that is located within, or will function as part of, an air or maritime port.

R&C: How might the greater scope of CFIUS impact private equity (PE) deals specifically, and the wider asset class more generally?

Leiter: By expanding CFIUS’ jurisdiction over non-controlling investments, more PE deals are likely to come under review. But FIRRMA also provides some relief for PE by clarifying that US investment funds and their foreign limited partners will be considered passive investors whose investments are not subject to CFIUS’ jurisdiction when certain conditions are met. These conditions include the fact that the fund is being managed by a US general partner or equivalent, that the fund places limitations on the ability of the foreign limited partner to impact investment decisions, and that the limited partner is foreclosed from making decisions about hiring or firing the fund manager. CFIUS is expected to issue rulemaking further clarifying the exemption’s application, but the exemption was included in CFIUS’ ‘Pilot Program’ for critical technology transactions. The fund exemption is already creating an incentive for foreign investors to strengthen or develop relationships with US-led PE firms.

Keeler: As a general matter, CFIUS’s expanded jurisdiction now has the potential to capture a wider range of deals. PE firms therefore have to be more vigilant, as both buyer and seller, to ensure that investments that previously were not captured under CFIUS’s jurisdiction undergo proper diligence for potential CFIUS concerns. It is worth noting that there is an exception to CFIUS’s expanded jurisdiction that impacts PE funds. FIRRMA exempts a foreign person’s investment from its expanded jurisdiction if that foreign person’s investment is indirect through an investment fund, where the foreign person is a limited partner or a member of an advisory board or a committee of the fund, provided that, firstly, the fund is exclusively managed by a US general partner, secondly, the advisory board or committee does not have the ability to control investment decisions of the fund or decisions made by the general partner, thirdly, the foreign person does not otherwise have the ability to control the fund, and finally, the foreign person does not have the ability to access material non-public information as a result of its participation on the advisory board or committee.

Zucker: While FIRRMA may make regulatory compliance more complicated for certain transactions, there also may be market opportunities associated with these changes. For example, investors from countries that enjoy good relations with the US may have a relatively easier time securing CFIUS clearance, while investors from countries of relatively greater concern might find that, while investments in critical US businesses might become even more challenging, opportunities remain with respect to targets operating in less sensitive sectors of the US economy. Significantly, FIRRMA also includes an investment fund exception that clarifies circumstances where investments are not within CFIUS’ jurisdiction. An indirect investment through an investment fund that affords a non-US investor membership as a limited partner is not a covered transaction as long as certain requirements are met, including that, first, the fund is managed by a US general partner or equivalent, second, the fund board or committee on which the non-US limited partner sits does not have control over the US fund’s management or investment decisions and, third, the non-US limited partner does not have access to material non-public technical information of the target company, among other potential requirements. There may be significant opportunities for PE funds availing themselves of this exception.

R&C: What types of investment by PE funds could fall under the expanded jurisdiction of CFIUS? Under what circumstances is a CFIUS review triggered under the new regime?

Zucker: FIRRMA places particular focus on US technologies and industries where the competitive advantage of the US is perceived to be under threat from other countries. To that end, FIRRMA authorises the Committee to review investments that relate to a critical US business, even when such an investment does not result in control by a non-US person. FIRRMA also gives CFIUS jurisdiction over any action that results in any change in the rights of a non-US person that could result in either foreign control of the US business or in an investment in a company involved in a critical US business. If a non-US investor will acquire certain rights – such as access to material non-public technical information other than financial information, membership or observer rights on a board, or certain other decision-making authority – investments in these types of entities are subject to review. This new authority allows the Committee to assert jurisdiction based solely on a change in rights, even when no formal merger, acquisition or other investment transaction has occurred.

Keeler: It was widely known that China was at the forefront of Congress’ mind during the drafting of FIRRMA, particularly with respect to Chinese investment involving technology, infrastructure, Big Data and real estate transactions that present potential espionage concerns. Given this intent, investments involving any of these areas raise the spectre that a CFIUS review may be necessary, or even mandatory. To be sure, even investments that do not involve Chinese buyers must consider whether a CFIUS review is necessary when investing in these areas. However, deals in these areas that involve China are certain to draw heightened scrutiny from CFIUS. It is worth noting that critical technologies will be an expanding area that investors will need to pay attention to. FIRRMA was drafted in conjunction with the Export Control Reform Act, which mandates a process to identify ‘emerging and foundational’ technologies – which will be controlled for export and trigger mandatory CFIUS filings. This area is certain to evolve with advancements in technology. Investments in pure real estate transactions are also no longer perfunctory. Given CFIUS’s expanded jurisdiction to cover non-controlling investments, the circumstances under which a review is triggered have broadened beyond the traditional ‘control’ analysis under the old regime.

Leiter: FIRRMA granted CFIUS jurisdiction over certain non-controlling investments implicating critical technology, critical infrastructure and personal information of US citizens. Specifically, these investments will be subject to CFIUS review when they convey board rights, access to material non-public information or the ability to be involved in certain substantive decision making. And, in the case of critical technology, CFIUS review will be mandatory, as spelled out in CFIUS’ recently implemented ‘Pilot Program’. In addition, FIRRMA also provides that a change in rights affording new board representation, access to information or involvement in substantive decision making is also a covered transaction, even if not associated with new investment. Accordingly, when PE funds with foreign limited partners make new investments or exercise options for existing investments, particularly in the technology sector, they should consider whether that will trigger a mandatory notice requirement and whether they qualify for FIRRMA’s exemption for certain investment funds.

R&C: To what extent should a PE fund’s non-US limited partners expect additional CFIUS scrutiny during reviews and investigations?

Keeler: The scrutiny will vary depending on the level of involvement by the non-US limited partner in the fund and the organisation of the fund. FIRRMA exempts certain foreign investors from its expanded jurisdiction based on set criteria. If all such criteria are met, non-US limited partners could avoid any scrutiny from CFIUS in the context of its expanded jurisdiction. Outside of this exemption, non-US limited partners will likely undergo varying degrees of scrutiny. Certain investors – such as Chinese investors – are likely to undergo heightened scrutiny, which could be amplified if the investment involves certain industries, such as critical technologies, critical infrastructure, Big Data, and so on.

Leiter: Even before FIRRMA, PE funds with foreign limited partners were coming under increased scrutiny by CFIUS. FIRRMA adds to this scrutiny, for example by making more PE investments subject to CFIUS’ jurisdiction. But FIRRMA also provides some relief by codifying the circumstances under which investment involving foreign limited partners will be considered passive and, thus, not subject to review. This provision is subject to additional rulemaking, which could narrow its application – CFIUS is unlikely to exempt captive funds, for example. For non-exempt funds, their foreign limited partners will receive the greatest scrutiny if they are controlled by a foreign government. FIRRMA requires mandatory declarations for transactions that will result in a foreign government acquiring a ‘substantial interest’ in certain companies. But FIRRMA grants CFIUS the authority to waive this requirement for a foreign person if CFIUS determines that a foreign government is not directing the foreign person’s investments.

Zucker: Non-US limited partners might avoid scrutiny altogether if, pursuant to FIRRMA’s investment fund exception, the fund making the investment is considered a US person notwithstanding the participation in the fund of non-US limited partners. Non-US limited partners in a fund that does not qualify for the investment fund exception – either because of the rights afforded to the limited partners, or because the general partner also is a non-US entity – should expect to be subjected to CFIUS scrutiny. The level of attention, and the details required to be provided, then may vary depending on the limited partner’s level of participation in the fund or the rights and authorities enjoyed by the limited partner. FIRRMA also provides parties to a transaction the opportunity to file voluntarily a ‘declaration’ – an abbreviated notification that should not exceed five pages in length – instead of a formal written notice of a covered transaction. CFIUS is required to conclude its review of a declaration within 30 days, offering a relatively quick means for transaction parties to receive confirmation whether CFIUS believes it has jurisdiction to review a transaction – or if, by contrast, it believes the investment fund exception applies.

R&C: In light of these developments, what key considerations do fund managers need to make?

Leiter: Fund managers should look closely at their funds, their investors and their investments. For funds, fund managers must consider whether they are poised to meet the requirements for exemption including whether they qualify as US-led and whether their fund agreements reflect the limitations required for foreign limited partners. Fund managers may begin updating agreements and side letters now to reflect the intent to qualify for an exemption, and consider the impact of exemption requirements on everything from existing advisory board composition to most favoured nations clauses. Second, fund managers should evaluate who their current foreign limited partners are, what level of state ownership or control they are subject to, and any other CFIUS risk factors they present – for example, ties to China through joint ventures. Third, fund managers should evaluate whether they have current investments in critical technology areas because certain changes to existing investments may trigger mandatory reviews.

Zucker: Even if non-US investors show a continued willingness to invest in the United States, US fund managers may be less willing to accept investments from non-US investors – or at least some non-US investors – because of the uncertainty and delay posed by a CFIUS review. In addition, US funds might be less willing to accept capital from non-US investors due to concerns that the funds’ investments might be subject to greater scrutiny depending on their non-US sources of capital – though FIRRMA does provide exceptions for investment funds, subject to certain requirements. Investment agreements defining the rights of limited partners will merit careful consideration in this regard. Funds should consider the types of information and other rights they grant foreign LPs in any fund side letters they may execute with the foreign LPs. Investors from countries like China, which CFIUS has scrutinised closely in recent years, may continue to face difficulty securing clearance for investments in a critical US business.

Keeler: Proper diligence has always been critical in any deal and this has not changed in light of FIRRMA. However, diligence efforts may need to be more robust and, in the context of certain deals, they may need to be tailored to account for FIRRMA’s expanded jurisdiction. For example, in deals that involve real estate or technology, fund managers should tailor diligence efforts to account for proximity concerns or emerging and foundational technologies. These efforts can present challenges, as the US government’s proximity concerns may not be immediately obvious – for example, top secret activities at a US military or government facility are not known to the public. Similarly, if a deal involves brand new technology, it may not be immediately clear whether it constitutes emerging or foundational technology, once defined by the Commerce Department. Fund managers also need to consider the timing of such diligence efforts. It is often critical that parties to a deal start thinking about potential CFIUS issues early on at the outset of a deal.

R&C: In your opinion, what does the introduction of the new law mean for the capacity of the US to protect strategic industries while remaining open to investment? How might it affect inbound PE investment in this respect?

Keeler: FIRRMA certainly enhances CFIUS’s capacity to deal with national security concerns by allowing it to tackle the changes in technology that have occurred since the legal framework was last amended over 10 years ago. Given FIRRMA’s early stages of implementation, it is not entirely clear how CFIUS will balance its new authorities while maintaining an open foreign investment environment in the US. To be sure, Chinese investment in the US has already taken a marked dive in the last two years. While US policy, vis-à-vis CFIUS, is partly the reason for this change, the Chinese government’s efforts to rein in foreign investment have also played a large role. It is worth noting that FIRRMA’s ‘findings’ emphasise the benefits of foreign investment in the US and note that the new law is intended to preserve an open investment environment. Notably, FIRRMA directs CFIUS to “continue to review transactions for the purpose of protecting national security and should not consider issues of national interest absent a national security nexus”.

Zucker: FIRRMA expands government jurisdiction and makes regulatory compliance more complicated for certain transactions, especially those touching on strategic industries involving critical technologies or critical infrastructure. US companies may be less willing to accept investments from non-US investors – especially from certain countries, such as China – because of the uncertainty and delay posed by a CFIUS review. In addition, US funds might be less willing to accept capital from non-US investors due to concerns about greater scrutiny depending on their non-US sources of capital. At the same time, these changes may also provide market opportunities. For example, investors from countries under relatively less scrutiny may have a relatively easier time securing CFIUS clearance. Similarly, investors from countries of relatively greater concern might move toward opportunities involving US industries that are less associated with critical technologies or critical infrastructure.

Leiter: FIRRMA itself states that the US maintains an open investment policy, and CFIUS has continued to reiterate this since FIRRMA’s enactment. In reality, it is difficult to draw a line that will allow a non-passive foreign investor to maximise returns on an investment in a US business without allowing any sensitive information or critical technology to flow from that business to the investor. FIRRMA, along with the Export Control Reform Act of 2018, has given CFIUS greater leeway to review transactions and to identify which technologies and industries are most critical to US national security. FIRRMA makes passive investment a more attractive option for many foreign parties looking to invest within sensitive sectors with lower regulatory risk. PE firms with foreign limited partners are likely to take steps to qualify for FIRRMA’s fund exemption rather than try to keep pace with CFIUS’ evolving application of its national security concerns.

R&C: Looking ahead, what are your predictions for PE activity under expanded CFIUS review, over the short and long term?

Zucker: Over the short-run, the new law may affect both investment and fundraising strategies of PE funds. For example, PE funds with non-US limited partners that invest in critical US businesses will have incentives to utilise the investment fund exception, shaping the size and nature of participation by non-US limited partners. Over the long term, much will depend on how CFIUS’ regulations develop in response to FIRRMA. There is uncertainty regarding some of the details, such as how CFIUS will use country-specific considerations to differentiate the levels of scrutiny and to which critical US businesses the new requirements will apply.

Leiter: In the short term, we expect PE firms to carefully review new investments in technology areas, and to be mindful of expanding existing investments in sensitive areas. Many PE firms are also already looking at their fund agreements and seeking to revise them to comply with anticipated exemption requirements. In the longer term, once CFIUS has completed its full rulemaking under FIRRMA, PE funds with investments from sovereign wealth funds or other foreign government-controlled investors are especially likely to change their structure to benefit from the US fund exemption or at least not to be subject to mandatory declarations. For those PE firms that ultimately qualify for exemption, we expect to see a greater number of foreign limited partners investing through their structures. PE firms that engage experts and do the legwork to understand FIRRMA and address CFIUS’ concerns are most likely to benefit from continuing foreign investment.

Keeler: In the short term, there is likely to be more uncertainty as CFIUS rolls out new regulations under FIRRMA. This could result in more reluctance on the part of investors to pursue deals in an uncertain regulatory environment. At the same time, investors may also view this interim period as an opportunity to close deals before CFIUS fully implements its expanded authorities under FIRRMA. In the long term, PE activity will likely normalise as investors acclimate to the new regulatory landscape. It is possible that PE funds will adjust to take advantage of the new exemption, which could lead to a normal level of PE activity.

EDITORIAL PARTNERS

EDITORIAL PARTNER

Acuris Risk Intelligence

www.acuris.com

Acuris Risk Intelligence helps organisations to build safer business relationships. The firm combines human expertise with a world-class compliance dataset, and makes this intelligence available to subscribers in a way that suits how they operate. Using Acuris services, subscribers can manage risk and compliance in real time, with minimal effort. A trusted and independent provider of data intelligence for anti-money laundering (AML), anti-corruption and cyber security professionals, the firm provides a powerful overview and enhanced risk management service, as well as a unique database exceeding all expectations.

KEY CONTACT

Nick Parfitt

Head of Market Planning

London, UK

T: +44 (0)20 3741 1200

E: [email protected]


EDITORIAL PARTNER

Crowe

www.crowe.com

For almost 100 years, Crowe has been making smart decisions for multinational clients working across borders. Crowe’s leaders work with governments, regulatory bodies and industry groups to shape the future of the profession worldwide. Their exceptional knowledge of business, local laws and customs provides lasting value to clients undertaking international projects. Crowe provides global reach on a personal scale. Firms are focused on the future and the client experience, working with clients to build something valuable, substantial, and enduring. At Crowe, our professionals all share one commitment: to deliver excellence.

KEY CONTACTS

David Chitty

International Accounting & Audit Director

New York, NY, US

T: +1 (212) 808 2027

E: [email protected]

Steve Gale

Partner, Head of Partner

London, UK

T: +44 (0)20 7842 7262

E: [email protected]

Jennifer Knecht

Partner

Indianapolis, IN, US

T: +1 (317) 706 2697

E: [email protected]


EDITORIAL PARTNER

Edelman
www.edelman.com

At Edelman, critical issues, reputation risk and crisis management is not a resource that lies dormant until called into battle reactively by a situation or event. Instead, we implement an ongoing process of creating a strong foundation to protect reputational asset value. Using data and analytics, we build a strategic framework based on your brand’s positive, day-to-day public associations, strengthening your reputation to survive and flourish in the ‘age of constant crisis.’ Our connected global network of experts is available to supply insights and counsel at any time and provide personal service and custom solutions.

KEY CONTACT

Harlan Loeb
Global Practice Chair, Crisis & Reputation Risk Advisory
Chicago, IL, US
T: +1 (312) 240 2624
E: [email protected]


EDITORIAL PARTNER

FTI Consulting
www.fticonsulting.com

FTI Consulting’s Financial Services (FS) practice works with clients ranging from high street banks, investment banks and insurance companies, to the newer challenger banks, online gaming firms and casinos. We help clients to navigate often complex challenges with their regulators. We also assist regulators with investigations and thematic reviews often relating to financial crime, fraud, corruption and bribery. Our team works with FS firms both ahead of and during such regulatory episodes, to help implement robust governance, policies, procedures, controls and systems. FTI Consulting’s technology expertise is key – either when back-testing transactional data or when designing solutions to onerous management information and reporting requirements.

KEY CONTACTS

Jamilia Parry
Managing Director, Financial Crime, Governance and Conduct, EMEA
London, UK
T: +44 (0)20 3727 1417
E: [email protected]

Andrew Pimlott
Senior Managing Director, Financial Crime and Investigative Analytics, EMEA
London, UK
T: +44 (0)20 3727 1285
E: [email protected]


EDITORIAL PARTNER

KPMG
www.kpmg.com

KPMG is a global network of professional services firms providing audit, tax and advisory services. We operate in 154 countries and territories and have 197,263 people working in member firms around the world. KPMG’s industry focus allows our professionals to develop a rich understanding of their clients’ businesses and the insight, skills and resources required to address industry specific issues and opportunities. A worldwide presence, KPMG continues to build on its success thanks to a clear vision, defined values and, above all, its people.

KEY CONTACTS

Greg Matthews
Partner, Advisory, Operations & Compliance Risk
New York, NY, US
T: +1 (212) 954 7784
E: [email protected]

Jorge Blanco
Principal, Advisory
New York, NY, US
T: +1 (212) 872 2173
E: [email protected]

Jon Dowie
Partner, Financial Services Consulting
London, UK
T: +44 (0)20 7311 5295
E: [email protected]


EDITORIAL PARTNER

Nasdaq
www.nasdaq.com

Nasdaq is a diversified technology provider for thousands of global firms and the leading technology and information services provider to the capital markets. Its global trading and market service business has become a significant part of our client offerings. Founded in 1971, Nasdaq focuses on synchronising and optimising market movement – an essential principle in the growth of business economies. With a high level of infrastructure, tools and strategic insight, Nasdaq is acclaimed for its top-rated data offerings and for the Nasdaq 100 – home to many of the world’s most heralded securities.

KEY CONTACTS

Taras Chaban
Vice President, Global Head of Buy Side Solutions
London, UK
E: [email protected]

Paul Young
Associate Vice President, Head of Product, Buy Side
London, UK
E: [email protected]


EDITORIAL PARTNER

Navigant Consulting
www.navigant.com

Navigant Consulting is a specialised, global professional services firm that helps clients take control of their future. Navigant’s professionals apply deep industry knowledge, substantive technical expertise, and an enterprising approach to help clients build, manage and protect their business interests. With a focus on markets and clients facing transformational change and significant regulatory or legal pressures, the firm primarily serves clients in the healthcare, energy and financial services industries. Across a range of advisory, consulting, outsourcing and technology and analytics services, Navigant’s practitioners bring sharp insight that pinpoints opportunities and delivers powerful results.

KEY CONTACTS

Salvatore LaScala
Managing Director
New York, NY, US
T: +1 (212) 554 2611
E: [email protected]

Alma Angotti
Managing Director
London, UK
T: +44 (0)738 702 730
E: [email protected]


EDITORIAL PARTNER

SAI Global
www.saiglobal.com

SAI Global helps companies take a more integrated approach to managing risk. Our world-class solutions and renowned team of experts provide advice at every step, ensuring companies have the information they need to make the decisions required to protect and grow their businesses and their reputation. We have global reach with locations across Europe, the Middle East, Africa, the Americas, Asia and the Pacific, powered by local expertise and knowhow.

KEY CONTACT

Rebecca Turco
Vice President of Learning
Boston, MA, US


EDITORIAL PARTNER

SAS
www.sas.com

SAS is the leader in analytics. Through innovative software and services, SAS empowers and inspires customers around the world to transform data into intelligence. SAS solutions are used by more than 3500 financial institutions worldwide, including 97 percent of the banks on the Fortune Global 500.

KEY CONTACT

Thomas Kimner
Director, Global Risk Marketing and Operations
Washington, DC, US
T: +1 (919) 531 1410
E: [email protected]


EDITORIAL PARTNER

Zinser, Esponda and Gómez Mont
www.zegm.mx

Zinser, Esponda and Gómez Mont is one of Mexico’s leading law firms in the area of white-collar criminal defence and prosecution. Its experience in both local and international matters has made it the firm of choice for financial institutions, international corporations with interests in Mexico, and high-profile individuals. Zinser, Esponda and Gómez Mont has a long history of representing institutions and individuals in complex criminal cases, providing advice on strategic matters and cross-border issues involving anti-corruption and criminal compliance. Its white-collar practice includes advice and representation in criminal investigations and trials involving allegations of tax, securities and bank fraud.

KEY CONTACTS

Alejandro Hernández Oseguera
Partner
Naucalpan de Juárez, Mexico
T: +52 55 5202 8610
E: [email protected]

Alberto Zinser Cieslik
Founding Partner
Naucalpan de Juárez, Mexico
T: +52 55 5202 8610
E: [email protected]


ORGANISATION

ICSA: The Governance Institute
www.icsa.org.uk

ICSA: The Governance Institute is the professional body for governance. With over 125 years’ experience working with regulators and policymakers, the organisation supports its members across all sectors of the economy, including large corporates, SMEs, the public sector, charities, sports bodies and academies. ICSA is the only organisation to confer chartered secretary status on those who are suitably qualified and experienced. Established in 1891, the knowledge and expertise of ICSA is rooted in history and continues to lead current thinking and practice. ICSA’s stated guiding values are openness, integrity and authority.

KEY CONTACT

Peter Swabey
Policy and Research Director
London, UK
T: +44 (0)20 7612 7014
E: [email protected]

ORGANISATION

ISACA
www.isaca.org

Now in its 50th anniversary year, ISACA is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by information and technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organisations. With a presence in 188 countries, including more than 220 chapters worldwide and offices in both the US and China, ISACA leverages the expertise of its 460,000 engaged professionals – including its 140,000 members – in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI Institute.

KEY CONTACT

Sandeep Godbole
Past President of ISACA Pune Chapter
Pune, India
