Episode Transcript
Speaker 0 00:00:00 Hello everyone and welcome to the podcast. This is Kesa Shrine. Today we are going to discuss best practices to avoid a reputational risk and fines, upcoming regulations, as well as top tools for compliance managers in 2020 and three key trends compliance and E s G professionals need to know this year. And our guests today are Tom Fox and Charmaine Simmons. Tom hosts 30 podcasts on his compliance podcast network, and a few of those podcasts include this week in F C P A Life with G gdpr and other shows that are focused on the latest compliance and regulatory news. He's also served as general counsel at Drilling Controls, oil fill, manufacturing, and practice law for 34 years. Charmaine Simmons is the performance director from Re Refinitiv, where she has an expertise in risk strategy. Prior to her role at Refinitiv, she was the head of North America's Ed, Lloyd's Banking Group and VP at Morgan Stanley. Welcome to you both. Tom. What are the major shifts that are taking place related to the E S G component? In business compliance, we're
Speaker 1 00:01:13 Seeing movements from financial institutions and those that provide money and those who provide access to capital. So just recently, um, major banks, uh, announced that they would be looking at companies, uh, E s G efforts going forward in sustainability efforts. Uh, when the banks start grading you on E S G efforts, that is a clear sign to management of every public company that they need to have these processes in place and they need to, uh, be able to demonstrate and document that they are ongoing and functioning. So when you have, uh, a variety of stakeholders all suggesting this is important, uh, and of course the social media amplification of customers and other stakeholders who want to do business with companies that have, uh, a wide variety of compliance within their organization. They want to do business with ethical companies. You have a wide variety of stakeholders both up and down the chain who are now saying, this is important and businesses are listening mm-hmm. <affirmative>.
Speaker 0 00:02:10 But when you think about that, Tom and Charmaine, there is no real standard around the ESG right now. So in terms of customers wanting to do business with firms that are compliant, that meet some e ESG requirements, there's no one size fits all in terms of a standard, um, in the same way that we have standards around other things in industries. So how can a firm get an understanding of what a company is focused on, what they are compliant around, and what they're not doing in terms of compliance to really make that decision, um, around E S G and working with a company?
Speaker 1 00:02:43 Well, if we take, uh, each component of E S G environmental, social and uh, governance, there are certain, uh, well-known best practices in each one of those, uh, good governance practices. Uh, corporations would have split their, uh, CEO and chairman of the board do they have, uh, reporting mechanisms from their senior managers up directly to the board of directors. With Envi Environmental, it doesn't mean your company has to be green, but it certainly has to be climate aware. If you are in a business where you are at risk from flooding or major storms, um, or fires, uh, that is something that you need to, to manage that risk and be able to document that you've managed that risk. And what about your sustainability? Uh, are you working, uh, to reduce your carbon footprint within your organization, within your travel policies and procedures? Are you utilizing some of the modern techniques? Uh, simply, um, having a, uh, uh, over the air meeting or an online meeting, which literally not only saves money, but it reduces a carbon footprint. So each one of those, their best practices and standards with each, within each one of those. And I think if companies will focus on the different components of each, they can bring that forward and demonstrate to a banker, demonstrate to a private equity company, or even demonstrate to a regulator if they come knocking. Great.
Speaker 2 00:03:58 Great. Yeah, and I think the, it, it's a question around is there a standard for this? And, you know, being with Refinitiv, one of our best parts of what we offer is data. And right now there is a lot of data that's out there and available around esg. Um, it's been there for quite a while. It's just how do we harvest that information? How do we bring it together so that organizations can use it?
Speaker 0 00:04:18 So you raise a great point. Even though there's not an overarching sort of standard, there are best practices and governance, uh, there's governance around each of the components, which is great. Clearly not all firms are going to abide by those best practices. Not all firms are going to be compliant. And that kind of put some firms in a challenging situation to say the least in 2019. In terms of fines. Um, you talked about their reputation, reputational risk is a huge piece of it, but fines as equally as important. Do we think that 2020 and 2019 being, I think one of the years we've seen the largest number of fines, do we expect 2020 to deal the same cards or do we expect a bit of a pullback? Have people learned their lessons, so to speak? Or do you think that we will continue to see those increase in fines?
Speaker 1 00:05:04 So certainly in the Foreign Corrupt Practices Act and a corruption world, 2019 was, uh, a banner year, 2.9 billion in fines, 34 individuals, uh, convicted or indicted for F CPA A violations. Uh, but frankly, that's gonna grow in 2020. The reason that's going to grow is, uh, Goldman Sachs has reserved, uh, 2 billion, that's with a b plus for a proposed f CPA sold. When a company reserves money, they generally know that the fine will be in that range. That's gonna be the start. If that fine comes down in q1, uh, that only means 900 million more to beat 2019. So 2020 in terms of dollar amount could be, uh, the number one. But equally importantly, we had a criminal indictment released of two individuals, A C O O, and the C E O from MUN Oil. Within that indictment, there were listed 25 identifiable companies in the energy space who had used UN oil to pay bribes in different countries across the globe.
Speaker 1 00:06:06 Every one of those, uh, companies could have an ffc p a violation. The individuals who authorized those bribes within those companies could also be subject to, uh, indictment and criminal, uh, prosecution. So we could well have individually the largest year, uh, ever as well. So, uh, what the interesting thing though is think about the tone of administrations. This is carried forward from the Obama administration to the Trump administration. So it's been a consistent growth and a consistent pattern within very diverse political philosophies, yet still staying the course and increasing f CPA fines and penalties. Mm-hmm.
Speaker 0 00:06:47 <affirmative>. Great. Great. So, and looking at the direction things look to be headed in there certainly have to be tools, compliance tools that can be used, technologies that can be used to help reduce those numbers to really help pull that back. And Charmaine, can you describe some tools that maybe compliance officers are using now that can assist in helping them meet their goals?
Speaker 2 00:07:08 Absolutely. I think in the last, I'd say perhaps two years, I think I've seen, and I think Tom, you've seen it as well, a change in who the compliance officer necessarily is. We're seeing a lot of general counsel moving across into compliance roles, particularly in the corporate space. And, um, while their skillset is very well, um, understood in, in sort of the legal area as they move into compliance, there's a lot of other things to think about that aren't always top of mind of how do they bring things together. So I think the convergence and having a tool that can bring the, a lot of that together for them. So whether that's external data that they're bringing in-house, whether it's around, um, how they're doing their k yc, they're onboarding process, whether it's for an individual or for a vendor, whether it's something to do with, um, the ESG data components, whether it's something to do with how they're taking the other aspects of risk in their business.
Speaker 2 00:07:55 Let's take a bank, um, anything to do around credit risk, market risk. Um, how do they take some of the internal risk and controlled self assessments and bring those in house for what an audit department might be doing? How do they get that holistic view in order to, um, package it in a nice way so that they can actually understand and assess their risk and, and bring it out, um, to speak confidently to regulators, um, to other particular parties, um, even when they're in different forums about how they're doing that. And what we are seeing is that that ecosystem of systems and technology is really what's, um, really started to take off. So
Speaker 1 00:08:31 Can I, if I can perhaps pick up on Charmaine's point and really hit directly that companies like Refinitiv have a role in the fight against briber and corruption on a global scale. And I say that because as a technology company, as a service provider, Refinitiv can bring access, access to data, access to, for Refinitiv own information, but equally important access to data that it sits within a company's own data lake, number one. Number two is helping people like me. You're absolutely right. Lawyers interpret data. We are not trained to interpret data. Most of us can't interpret data. And so we need a trained professional to help us understand what does that data mean. And then there's a third part, which is partner with the compliance discipline, the compliance function to train us to look at the data, to understand what the data means, to understand when we need to see more data because it's raised a red flag or anomaly, that means that we need further investigation. And so it's not simply the chief compliance officer, it's not simply the regulators, it is the service providers, it's the tech providers, it is the consultants. Everyone is involved in this fight. Everyone has a role. And she said it beautifully. It's the entire holistic approach. Everyone has a role, everyone has a place, and everyone can build upon and raise each other up. Hmm.
Speaker 0 00:09:50 So I hear strong tones around professional development to maybe compliance officers, attorneys in the past there may not have, maybe there had, they didn't use data as much as they do now. And so how can we ensure that they have the tools and that they know how to use the tools, they know how to use data, right? So that's coming down. Yeah. And
Speaker 2 00:10:08 I think that's also around, if you think about like a maturity curve of what a compliance program necessarily looks like mm-hmm. <affirmative>, um, you can probably move through the different phases of, of something that's very basic to something that's coming into a bit more competent, something that's advanced and something that's really taking on things like artificial intelligence, um, those type of things, predictive analytics in order to help them with that process. And that maturity curve is very, very important in terms of how well that ecosystem plays together. Great.
Speaker 0 00:10:33 Great. And if I'm assuming if I'm the head of a compliance department, I would love for my managers and officers to come to me and say, Hey, I really need to level up. I really need to understand what's going on out there now I really need to, um, professional development. So it sounds like that's a really good starting place. I think another good starting place would be just to understand some, the top three issues, whether you are focused in the Americas, whether you're focused on another region, the top three issues that a compliance officer would need to know in order to really lay the foundation. And I know we talked about multiple, um, regulations in several regions across several industries. So I guess I'm asking something that's almost impossible, but if we could name a list of top three things that a compliance officer should really start off with foundational items to really help them get an understanding of the best way to move forward in 2020, what would those be?
Speaker 1 00:11:24 So from my perspective, it would be data, data, data, data. Uh, first of all, access to the data. Do you have access to, do you understand what the data means or do you have access to a resource that can help you understand what the data means? The second, another thing we've been talking about, compliance convergence. Um, what potential risks in your company exist? Is it a climate risk? Is it a business risk? Is corruption risk? Is it a money laundering risk? Is it trade sanction risk? Is it a human rights, human trafficking risk? Whatever that risk might be? Do you one know what that risk is? Two, do you have a risk management or risk, uh, remediation strategy and in place? And then are you monitoring that on an ongoing basis? And then perhaps less foundational and a little bit more aspirational would be number three. Can you move compliance from a cost center to a profit center for your business? If you have data, then you can study a problem and then you can improve your business process. And I am a firm advocate and believe that more effective compliance equates to more efficient business processes, which equates to greater profitability. So I see compliance really as a next step moving into 2020 and perhaps even beyond as moving, understanding data more so that it can move to become a profit center for a corporation.
Speaker 0 00:12:47 Hmm. Data and helping compliance officers move their discipline to a profit center, that certainly is a great aspirational goal. Sounds great. So in terms of your big idea, what did the two of you see coming to bear in 2020 that will really take us by surprise. That will take not only in compliance officers, but those who partner with compliance officers by surprise. Something that, um, is a big idea that we didn't see coming?
Speaker 2 00:13:17 I think that's a loaded question. <laugh>
Speaker 0 00:13:19 <laugh>. It's meant to be a loaded question. Jermaine <laugh>. I think
Speaker 2 00:13:23 The really interesting thing, that's the big idea that people aren't seeing is how fast the regulators are starting to move. Um, if we just take, you know, the F CPA fines that we were talking about before, with that 2.9 billion regulators are getting a lot smarter. They're employing data scientists, they're, um, bringing in AI to help them manage things. They're asking companies to provide them with data. So now they have their own intelligence. So they're becoming a lot more clued up. Um, a lot more data savvy in terms of how they're gonna be looking at things and managing things. Um, anyone from, you know, the doj, the scc, the OCC take, um, s in Singapore, look at what the FCAs doing, um, out in the uk. I, I think people are gonna be surprised about where they're going to start making, um, a jump in what they're looking at and how quickly they're gonna be able to do some of that. Some of the Sspa F CPA a investigations we see now can take years to go through, um, because they're trying to collect and backdate a lot of the data and where they can actually, um, bring forward the right types of corruption, um, misconduct, those type of things. So I think that's probably the one that people aren't anticipating what's gonna happen by the end of this year around what regulators, um, uh, having the capabilities to look into.
Speaker 1 00:14:37 And I think it's going to be, uh, perhaps, uh, not, uh, something we hadn't seen, but really an amplification and speeding up of some of the concept we've talked about, which is that compliance when I started in this field was a law lawyer driven very rules based policies and procedures. Uh, that has evolved certainly. And now we're to the point where we see compliance as a business process, as a business process. That's why data is so important, because it can be studied and improved. And it also requires a completely, not completely, but a largely different set of skills than lawyers are traditionally taught in law school. Uh, you're going to need a data scientist, you're gonna need an economist, you're gonna need a behavioral psychologist. And, uh, compliance officers who are lawyer trained will partner with, uh, service providers and tech companies like Refinitiv. I am a legacy Refinitiv customer. As far back as World Check, the world check product 10 years ago is very different than what Refinitiv provides now. And companies are going to be utilizing, uh, a far more nimble, quick and agile service providers such as Refinitiv to help them not only access the data, but interpret it and then use it going forward.
Speaker 0 00:15:55 Hmm. Great. So the two big ideas, regulators are moving a lot more quickly now and the evolution of compliance, moving to one that really demands, um, lots of stakeholders to really give clarity. Now, Charmaine will provide us with greater insight on C C P A. If you could take us through exactly what C C P A is and then some of the implications that we think it'll have.
Speaker 2 00:16:20 Absolutely. So the C C P A or the California Consumer Privacy Act is a bill that's meant to really enhance privacy rights of consumers and protections for residents in California. Um, it was a bill that was amended a couple of times and passed back in, um, September of 2018. And its goal was really to extend consumer privacy rights for the internet. And that's really off the back of the, um, Cambridge Analytica and Facebook incident that happened. And it really, you know, obviously as most bills take it a little bit of time to come into effect. So this one came into effect on the first of, um, January of 2020. And right now it is probably the most stringent of the data privacy, um, sort of laws that we have in the us. I think the key sort of view of CCPA is really from the consumer side of it, but then also from the business side of it.
Speaker 2 00:17:10 And if we take the consumer side of it, really residents have the right to know what personal information is being collected about them and you know, the right to be able to request information to be deleted. So that really means that they need to know what details somebody has, um, of them, what's, what's being used for, how the day's being sold, who it's being shared with. And they could even request for some of that data to not be, um, sold and shared with up third parties. So if we flip that to the business side of it, what's the impact there for, for businesses, companies, et cetera? Look, CCPA law completely changed how companies now treat consumer data. The primary requirement for the business side of it is really a duty to respond to a data subject access request. So a visa, um, and that's, they can come anywhere from a consumer or an employee or anybody else.
Speaker 2 00:17:59 And really what the crux of all of that means is that they need to be able to verify the data subject's identity. They'll get pretty much triangulate three pieces of data to be able to identify who that person really and truly is. They need to have access to and search sort of a comprehensive and accurate data inventory. It might be a data inventory they hold, it might be pieces of information that sits across their company rather than in one department. They need to be able to collect all that resulting data. They then have to review it, they might have to redact any confidential information that's on there about other subjects that might be in that pool of data that they've got. And then they need to either action it or delete it, and they need to do all of that within a 45 day period from when the consumer actually logs that particular, um, request. So today actually happens to be international data privacy day. So, uh, uh, one of those ones in January that everyone, you know, doesn't necessarily think of. But I think with ccpa, it's one of those ones that, you know, we should be mindful of. And in this month of January, a lot of people have already seen a lot of things coming through about updates of data, um, you know, policies and things like that from different websites they're at whatever else. So we're already in some of that act right now.
Speaker 0 00:19:05 Great. In terms of where this will have an impact, this is in California, do we see this spreading or has there been talk of this type of regulation spreading to other US states?
Speaker 2 00:19:19 So that's a really good question. So yes, this is very particular to California residents, but if you take a little bit of a step back and sort of say, well, who else has privacy sort of regulations in the us? It's not that the US doesn't have any, it actually has pockets of it. And if we look at what's happened with the Cambridge Analytica and the C cpa, um, it's, this is really sort of like a new wave of data privacy act. And the, the best way I can sort of categorize a lot of that is really coming off the back also of GDPR that happened in May of 2018 with the general, um, data Protection Regulation Act. Um, you know, it's the first time that companies really had to recognize sort of the new rights of consumers and sort of personal sensitive data, that type of information.
Speaker 2 00:20:00 And unlike gdpr, which is very broad, it's not really federal in in a sense that it's for a country, but it's for the European Union, the US doesn't have that federal side of it. So if we think about it from a state perspective, that new sort of generation of consumer oriented privacy laws and things, there's a couple of that are already there. So obviously we've got cpa, um, new York's got a proposed bill out at the moment. Um, I think, uh, Massachusetts has a, a proposed bill out at the moment as well. We've got Maryland that already has something in place. Hawaii already has something in place, North Dakota already has something in place. So the two that are sort of the, or the three things that each one of them really wanna pick up on is really do they have a right to delete any information?
Speaker 2 00:20:39 Do they have a right to access that information and find out what people are storing on them and do they have a right to correct any of it? And right now, if I was to associate which one of those is the closest to G D P R, which you know, is probably the, the better standard that we're seeing from a very broad, um, you know, multi-country perspective and what affects global um, organizations. The New York proposed law is probably gonna be the one that's the closest to that. And the reasoning for that is it has the right to delete, the right to access, but it's the only one right now that has the right to correct. What are the future ramifications of this? Good question. I think ramifications and concerns are a worry for anyone these days. And if you look at the digital economy that we're operating in right now, things change really quickly around us.
Speaker 2 00:21:24 Data's all around us, you know, whether it's at home, at work, on your phone, how you shop for your, how you, how you buy birthday presents, how you send flowers to people. A lot of this stuff is done digitally online. So there's a lot of concerns that people need to be aware of. So I think for the near sort of term future, some of those concerns are probably threefold. Let's think about do customers truly know what their ride is under ccpa? Um, you know, will they act on on anything they see coming forward? If, if they're not even a resident of California, but they happen to be at a company that's there that has an association with it, do they know about it? Are they savvy enough, um, about any of the, um, sort of internet ads or anything they click on that might have an association with a company that resides in California that has to follow this particular act?
Speaker 2 00:22:08 So that's one part of it. The second part of it is how prepared are businesses right now with their systems, their processes, their controls, everything else even to deal with those things. We were talking about before the, the D sars, those data requests that come through, you know, they have to fulfill those within 45 days. You know, are they able to inform the parties if they request for them to stop selling their data to third parties? You know, they've got about 90 day timeframe to be able to do that. Um, if a customer opts out of something, how long will that take? What happens if it goes through a third party process? What happens if a company or an organization has implements a new system and their data inventory changes or they go through a merger and an acquisition, they have to sort of recalibrate their risk assessment and their processes around their data inventory of what they hold about an individual so that if one of those details come through, they actually can answer it in holistic perspective.
Speaker 2 00:22:57 So that's the second part. The third part that I think is a near term sort of future thing that we should be considering right now is what's the cost of failure right now? So I think the fines around CCPA is about $2,500 per violation and it increases up to about sort of seven and a half, $8,000 for a violation if it's deemed to be international in it, in its in its course. So if we just look at how many data breaches there've been in the last two years post, you know, the Cambridge Analytica Facebook incident, those fines are probably gonna sort of increase. So there's gonna be a lot more attention about how people are collecting our data, how people are using our data, how much control we have over, and what our data does and what a company does with them. But, you know, that's just short term. I'm, I'm sure that on a longer term basis, um, you know, <laugh> it's legislation, more states will probably start picking up on pieces of it. It's gonna be interesting to see whether at a federal level and under our current administration, whether they decide that we need something more federal in, in nature. But, you know, there's a lot of things to be concerned about. Great.
Speaker 0 00:23:55 C C P A, the background of G D P D R, definitely very resonant there and some of the important implications to come. Customers understanding of this, how if businesses are prepared for this, and then the cost of failure. Tom and Charmaine, thank you so much for joining us.
Speaker 2 00:24:12 Thank you. Thank you. It's been a ton of fun.
