Transcript: Julie DiMauro podcast

A regulatory expert and the newest addition to the GRIP team, Julie shared her insights on several key issues.

This is a transcript of the podcast “Julie DiMauro on the FCPA and how compliance has shifted since the pandemic” between GRIP Senior Reporter Carmen Cracknell and Julie DiMauro, GRIP’s new US Content Manager.

[INTRO]

Carmen Cracknell: Welcome to the GRIP Podcast, where we discuss the biggest topics in regulatory compliance. Our guests are experts in the law, regulation and technology. Welcome to the GRIP Podcast. I’m joined today by Julie, the newest and very welcome addition to the GRIP team. Julie, could you just briefly introduce yourself and your background?

Julie DiMauro: Sure, of course. Thank you, Carmen. Thank you for having me. So I just joined last Monday, very excited to be here. I came from Compliance Week, where I headed up their compliance training department, which was a new department for the company and a very exciting enterprise.

Before that, I worked at Thomson Reuters for a really long time, about 10 years. I was in their regulatory intelligence division, doing some speaking, a lot of writing.

Yeah, it was regulatory intelligence, like I said. Before that was Complinet. And Complinet was the small company that was acquired by Thomson Reuters, how I got to Thomson Reuters. I was at Complinet for a couple of years, writing for their regulatory intelligence platform.

Prior to that, I was a compliance officer at Fidelity Investments in Boston, where I reviewed marketing literature and sales literature for compliance with, at the time, an NASD rule, soon to become FINRA.

Carmen Cracknell: Awesome, great. Well, such a varied, interesting background. You did at some point write for the FCPA blog, I believe.

Julie DiMauro: No, I did. I did. For a short time, I was a contractor working for them, and then I worked for our regulatory tracking service. I did. And then now with the FCPA blog, they call it a contributing editor, basically kind of an advisory board of sorts.

Carmen Cracknell: And I mean, for those who are not based in the US, the FCPA stands for the Foreign Corrupt Practices Act. Could you just give a sort of lay person’s intro to what that is, to explain to listeners outside the US?

Julie DiMauro: Yes, so that foreign bribery law is the US’s version of a foreign bribery law. There are many different ones around the globe. The UK Bribery Act is one that a lot of people know about. And it has anti-bribery provisions and accounting provisions. So they want to make sure that not only are you not committing bribery in practice, but you’re also not hiding the fact that you’re making payments, inappropriate payments, to foreign officials and covering it up in your accounting.

And there are so many different types of FCPA cases. It’s interesting. It’s an ever-evolving area. We’ve seen foreign officials and their family, like payments to their family, running afoul of the law as well, because that’s just very close. It still benefits the foreign official if you’re helping their wife or children, giving them jobs is considered a thing of value, especially if you’re giving them a different type of– you’re hiring them through a different means, maybe an easier way of getting the job, an easier access to the job.

And amounts, as far as violations of the FCPA, they can even be fairly small payments. They don’t have to be huge payments to run afoul of the law.

And it’s an area where the DOJ and SEC are predominantly involved. And they share enforcement, obviously, DOJ with the criminal side, although they handle also civil actions and SEC with their civil actions. And as far as being very proactive, and definitely in the past 10 years, there’s been a lot of activity in the area. So looking at last year, I just want to give you some stats. The DOJ and SEC brought FCPA enforcement actions against eight companies and imposed financial penalties totaling $1.5 billion.

Now, that was down, actually, in terms of penalties. But one company hit the top 10 list in 2022. That was Glencore. It got the number 10 spot with a $700 million settlement in May 2022.

They had paid over $100 million in bribes overall to officials in seven different countries. So just wanted to bring up that one case because it was such a sizable one. An interesting one last year too involved Ericsson. And it’s a telecommunications company, multinational, located headquartered in Sweden. And the problem with them was that they had had a 2019 resolution with the DOJ, but they breached their deferred prosecution agreement by failing to truthfully disclose all factual information and evidence related to bribery payments that they had made in Middle East and Asia and other potential violations of the FCPA’s anti-bribery or accounting provision. So as part of the resolution that they had had with the DOJ in 2019 was to keep the DOJ informed about their internal investigations, anything that they uncovered that was still very relevant to the ongoing investigation and resolution of this case. And they didn’t do that, unfortunately. So their disclosure failures prevented the United States, the DOJ said, from bringing charges against certain individuals and taking key investigative steps following that 2019 resolution. So it impeded the investigation.

There were multiple cooperation and disclosure failures there. So it’s just a breach of its obligations of the DPA. And the DOJ wrote about it extensively, had a press release, obviously, and multiple documents talking about the case just to bring home their statements about cooperation policies and taking DPAs very seriously.

Carmen Cracknell: When a company is charged and fined, is it just a case of them paying the fine? How much sort of reputational damage does this do? Is it kind of the information is sent to the press that this what happens next?

Julie DiMauro: Yeah, there is a lot of reputational damage to the company or potentially so. You know, it is a breach of trust. It looks like you’re trying to curry favors in far flung jurisdictions instead of being more by the book in terms of your business practices.

And yeah, it also looks very apparent that you haven’t done your third party mismanagement very well, because if you’re hiring people on the ground in these far flung places that are not well versed in what type of payments you can make and how to treat foreign officials, what kind of accounting is supposed to happen and how to spend money appropriately, you know, then that looks like you’re not hiring your vendors on the ground very well.

So all around, yeah, it carries a lot of reputational risk.

Carmen Cracknell: Because everywhere has such different rules, I guess. You really need to localize and have the right people with the legal knowledge in each jurisdiction.

Julie DiMauro: Absolutely. Know what the rules are, know who foreign officials are, you know, how to distinguish, you know, the right type of payment from the wrong type of payment. And yeah, and to have a speak up culture where they can ask you if they’re very confused about any of these nuances.

Carmen Cracknell: And something you wanted to discuss was the latest, I mean, you can tell me whether it’s the latest addition to the FCPA, the corporate enforcement policy. Why has that been introduced right now?

Julie DiMauro: So the corporate enforcement policy from the DOJ has gone through a number of different changes, as you implied, since 2017, actually. So we’ve seen different iterations of it, all kind of talking about how companies can best demonstrate cooperation to get a percentage off of the U.S. sentencing guidelines. That’s kind of your goal.

And hopefully to get a declination instead of actually, you know, even a deferred prosecution agreement or another type of settlement. And DOJ has been through their documents, their speeches, all of their materials that they put out to the public and companies. They’re trying to let them know, you know, like this, but they’re trying to incentivize cooperation. That’s basically what they’re trying to do. They’re trying to incentivize cooperation. It makes it a lot easier and more effective and more streamlined for everyone involved in terms of the investigative work that needs to be conducted. All of the evidence that needs to be collected, etc. So they’re trying to tell companies, listen, here are the incentives for timely self-reporting, telling us the names of the culpable individuals, for turning over documents, translating them possibly from other jurisdictions, making people available for interviews, and showing us that you are in real time correcting the compliance program weaknesses that led to the violation in the first place. So that’s their CEP. But the interesting thing most recently is they suddenly announced at the DOJ that there was going to be, you know, even if a company had aggravating factors involved in the violation, that there was still definitely an opportunity for the company to get a declination and to use the compliance enforcement policy to get that cooperation credit. And those aggravating factors could be that they’re a recidivist, that, you know, they’ve had the same violation in the past, that they had top-level executives involved in the violation, those type of things. But they’re saying that doesn’t close the door. But in those circumstances with those aggravating factors involved, you will need to show extraordinary cooperation.

And they kind of spelled out what that means in terms of being even more prompt with your voluntary self-disclosure, et cetera, turning over documents a little more promptly and in a more fulsome manner, et cetera. But it was an interesting kind of update because, again, they’re incentivizing companies to come forward. Listen, just because you’ve gotten in trouble before, don’t feel like you need to hide this or delay in some manner because you’re afraid of coming to knock on our door. I mean, we really want you to. It’s in everybody’s best interest.

I just wanted to mention one thing. There’s an interesting case that actually brings together the FCPA and the cooperation enforcement policy together. There was a declination for Jardine Lloyd Thompson Group Holdings, or JLT. They had paid over $3 million in bribes to Ecuadorian government officials through an intermediary to win contracts in violation of the FCPA. But here’s the thing. If the company detected and voluntarily disclosed the misconduct to the department, fully cooperated with the investigation, made immediate enhancements to its compliance program to reduce the risk that the misconduct would recur, and agreed to return the ill-gotten gains from the scheme immediately. The department issued a declination letter to JLT and have been using that kind of case and resolution to just kind of describe, this is how it could work in practice. Right? This is really a good example of a company cooperating in a fulsome manner and a prompt manner. And they avoided prosecution, they avoided the DPA, the deferred prosecution agreement. They avoided having a compliance monitor embedded in their company and all the collateral consequences that come with it. So it was a good example, I thought, of FCPA plus CEP in practice.

Carmen Cracknell: Yeah. I mean, as someone who doesn’t know that much about the law, I’m interested to know, when did voluntary self-disclosure become a thing? Has it been a thing for a long time? Is it a new thing because companies have been behaving more badly in recent years? How did it become a thing?

Julie DiMauro: I mean, there’s always been some sort of regime in terms of having incentives to cooperate and try to get a little bit of a lesser penalty because of it. But in 2017, they rolled this program out for FCPA courses, cases specifically. That was its first iteration of it. In 2018, they made it applicable to all cases. So it’s not just FCPA cases now. And they just decided, listen, this should be really a well-articulated program that companies know about to incentivize prompt voluntary disclosure and cooperation during this investigation. So it really got going back in 2017, 2018. We’ve just seen, like I said, just some tweaks to it since then.

Carmen Cracknell: And does it lessen the fines that companies get?

Julie DiMauro: It does. It really does. It can be 10%, 20%, 25%, even up to 50% off the sentencing guidelines. Absolutely. It can make a big dent.

Carmen Cracknell: Okay. Interesting. I’m not sure if this fits in with the order you wanted to go in. I was going to talk about ESG next.

Julie DiMauro: Yeah, that’s perfect.

Carmen Cracknell: Okay. Yeah, I’ve seen that you’ve written quite a bit about that. I also saw on the FCPA blog, I’m not sure if this was a piece to do with you, someone described it as an alphabet soup giving compliance officers indigestion, which I thought was a good description given the criticism of the acronym. What’s your view on ESG?

Julie DiMauro: So it’s ill-defined. It’s confusing. It lacks some transparency. It needs a lot more reliable and meaningful data. Stronger standards. Companies are confused about which standards to use. They seem to be using different ones, three or four in particular. And it can be hard to develop policy around that to gain traction and a good following adherence around that when there’s so much uncertainty in the area. Plus, in the United States, we lack some clarity from the regulators in terms of what they’re looking for in terms of disclosure, in terms of metrics, what good looks like. We’re still really piecing that together. What we’ve seen from regulators in the United States mostly is cases revolving around greenwashing. So your marketing efforts and being exaggerative in your marketing efforts, your communication.

It’s tough. I regret the fact that some leaders, I feel like some corporate leaders now are afraid to even say the acronym because they’re afraid of being called out for being too woke, for being held politically captive, for engaging on one side of the political spectrum when actually a company might be just really trying to actually mitigate some risks in certain areas, environmentally speaking. Plus, think about how their workplace can be a more diverse and inclusive place to work that reflects the greater society. So there are a lot of goals there. But again, some of the problems that we just mentioned exist.

And the thing is, honestly, it does make sense to have, I think, for companies to think about ESG and the different components of ESG because how are you going to attract younger employees into your workforce? They care about it so much. Your clients and customers also very much care about it. You’re really behind the eight ball if you’re not thinking about these topics and really structuring a policy around it. So quite honestly, the longer term horizons and risk gauging that go into considerations of climate change and having a more diverse workplace, those are the type of analyses that we’re supposed to be having along with shorter term analyses of revenues and of profits, longer term and shorter term. They both belong, I think, at the board level in C-suite in terms of your thinking about risk. Some companies could be literally washed away, I mean, quite literally, or their integral business suppliers if they don’t address these looming issues as part of their business continuity plan.

Carmen Cracknell: Absolutely. It seems to be really hard for companies to strike that balance between what could be seen as greenwashing and real action to, as you say, attract employees and customers. I guess they need a long term plan.

Moving on to what should regulators, oh, sorry, chief compliance officers be looking out for in the next year. And if you have any insights on crypto regulation in particular, I’d be interested to hear those.

Julie DiMauro: Okay, I hadn’t thought about crypto. Sorry about that.

Carmen Cracknell: No worries. We can do it in a separate…another time.

Julie DiMauro: But to be honest with you, there’s so much that we could talk about, but I want to really focus on the fact that last year and beginning of this year, there has been, you know, regulators have talked repeatedly about how they expect compliance programs to be well-resourced, risk-based, and tested for effectiveness.

Interestingly, they have actually, I wanted to read this to you because it’s very, I think, Kenneth Polite at the DOJ is a former compliance officer. He’s the assistant attorney general for the Criminal Division, excuse me. And DOJ also has two former compliance executives in the fraud section.

And that’s fraud chief Glenn Leon from Hewlett-Packard and Matt Galvin, who came from Anheuser-Busch. So anyway, the reason I think that they’ve been focusing on compliance programs and how effective they are and how well-resourced they are and how CCOs need to be in positions of authority independent, but also, you know, definitely part of the C-suite and have access to the board, I think comes from, in some respects, from the fact that DOJ now has these former compliance officers in high-level positions. You’re hearing that focus on CCOs, seeing that focus and hearing about it so much, I think largely because of that. But also, you’ve been hearing a lot about, and I know that, you know, obviously, at Global Relay we deal with this front and center, but, you know, ephemeral messaging applications, use of communications on personal devices that last year and the beginning of this year, that was a big discussion, compensation clawbacks for executives and leveraging data to identify risks. So using artificial intelligence and machine learning to identify risks. I mean, the regulators themselves are using this technology and then definitely expecting that the businesses that they regulate to do so. So just to talk about messaging apps, you know, DOJ and SEC are evaluating whether companies that permit employees to use these messaging platforms are assessing and revising their policies in compliance with their legal obligations, including those related to retention. And, you know, it’s very difficult, raises a host of technical, cybersecurity and privacy issues, but Wall Street companies collectively paid more than one billion in penalties for their sloppy oversight of employee messaging habits. So there definitely is a problem.

Clawback policies, like I mentioned, Attorney General Lisa Monaco said in September that the Department of Justice wants to see companies use clawback policies to rescind compensation awarded to executives based on the misconduct. And the Assistant Attorney General also gave a speech about that, too, where saying the Department wants to develop some formula where corporate penalties will be lower for companies that claw back compensation from wrongdoing executives. And the SEC subsequently adopted a policy requiring public companies to disclose their clawback policies. So it’s obviously, you know, an area of interest for these regulators. And they sound great. They sound like, you know, definitely placing your incentives, you know, in the right spot, right, as far as your performance incentives and incentives for top level executives to behave appropriately. But more guidance is probably needed in that area in terms of what those clawbacks exactly need to look like. I put down cyber, too, because that never goes away. Cybersecurity is always an issue. It’s an area of high risk for companies because it’s so easy to be hacked, unfortunately.

Hackers are getting more and more sophisticated. Making a mistake is very easy. And, you know, there needs to be so much training in this area. A true speak up culture. So if you do make a mistake, you feel like you can absolutely report on it and not worry about the repercussions in your workplace. Develop better training, you know, understand about phishing and ransomware and how they appear, you know, in the workplace. And then, you know, make sure that everybody feels empowered and has some level of ownership over cybersecurity. It doesn’t just belong to the IT security team, but everybody collaborates in this area and feels like they have a stake in it. A zero trust security model is always the best one. So you’re always authenticating everything, authorizing and validating for every digital interaction. And, yeah, and I just can’t stress training enough in that area. And then sanctions. You see sanctions by enforcement actions coming through all the time because there’s such a high activity area. The Russian Ukraine war, human rights violations by Iranian officials amid the protests following the tragic death of Mahsa Amini, continued forced labor of the Uyghurs in China. All of these events and more have sparked a raft of new sanctions. So you just always have to keep track of those as well.

Carmen Cracknell: Yeah. People are talking so much about the transformation of the workplace since COVID. So sort of current events aside, how different do these priorities look from, say, three, four, five years ago?

Julie DiMauro: That’s a great question. I think that, you know, cybersecurity has been around for a while, and sanctions. So, you know, those are the same. I don’t remember this type of incredible analysis and concern over messaging platforms. This is that we’ve had messaging platforms for several years, you know, thinking about how much we were relying on them during the pandemic. And because of our working from different locations, including home, but different locations now to get our work done, that really made it front and center. So that is more recent. And then incentivizing our executives through such things as, you know, we’re going to claw back your bonuses from bad behavior. And that is also something that is a little more recent as well, because I think it goes along with the cooperation policy that I mentioned, incentivizing cooperation and just thinking about, you know, how the C-suite sends a message to its workforce in terms of what good behavior looks like and holding more people accountable and being more transparent about that. That’s a little more recent as well.

Carmen Cracknell: Right. So interesting how things have changed so fast, isn’t it?

Julie DiMauro: It’s true. Absolutely. And we learned so much from the pandemic, actually. It’s absolutely the case that, you know, compliance is definitely different. We’re building policies now that revolve around working outside of the office space that you write that talk about, you know, having information that, you know, that might be in different networks and on different computers and on different devices, about, you know, having people that might have access to certain information, privileged information, and whether or not they still work at the company or not and need to be, you know, whether those permissions need to be revisited. So, yeah, there’s been a lot in terms of that that has been, I think, front and center because of the pandemic.

Carmen Cracknell: Great. Well, that’s a good place to wrap up, unless you have anything else to add.

Julie DiMauro: I don’t. Thank you so much.

Carmen Cracknell: Really interesting discussion. Thank you for joining me, Julie, at such short notice as well. Look forward to chatting further.
