Third-Party Risks and Sanctions Compliance

Dottie Schindlinger is Executive Director of Diligent Institute, the global corporate governance research arm of Diligent - the largest SaaS software company in the Governance, Risk, Compliance (GRC), and ESG space. She co-authored the book Governance in the Digital Age: A Guide for the Modern Corporate Board Director, co-hosts “The Corporate Director Podcast,” and co-created Diligent Institute’s Certification programs for directors and executives, including AI Ethics & Board Oversight. Dottie was a founding team member of the tech start-up BoardEffect, acquired by Diligent in 2016. She graduated from the University of Pennsylvania and is a Fellow of the Salzburg Global Seminar Corporate Governance Forum. Diligent and Bitsight recently issued an important report on corporate board oversight of cybersecurity risks. Dottie Schindlinger, Executive Director of Diligent Institute, joins Michael Volkov to discuss the important findings of Diligent's report.You'll hear Dottie and Michael discuss:Companies with advanced security ratings create nearly four times the amount of value for shareholders as companies with basic security ratings. On average, the Total Shareholders’ Return (TSR) over three and five years for companies in the advanced security performance range is approximately 372% and 91% higher, respectively, than their peers in the basic security performance range.Companies with a specialized risk or audit committee had higher security performance ratings on average. Companies falling within these two categories have an average security rating of 710, whereas companies lacking both committees have an average security rating of 650.The findings also suggest that the distribution of security ratings among companies with specialized risk and audit committees tends to skew towards the advanced security performance range, whereas companies lacking either of these committees tend to skew toward the basic security performance range.Having a cybersecurity expert on the board is not enough. Integrating a cybersecurity expert into the board committee tasked with cybersecurity risk oversight makes a significant difference in an organization’s performance.Merely having a cybersecurity expert on the board does not correlate to having a higher security performance rating. Highly regulated industries tend to outperform other industries in terms of cybersecurity performance. Of the companies with advanced-level security performance ratings, a full third (33%) came from the financial services sector – with an average rating of 720. The sector with the highest average rating overall was healthcare at 730. Nearly a quarter (24%) of companies with basic security performance ratings came from the industrial sector. ResourcesDottie Schindlinger on LinkedInDiligent Institute | Diligent | Board EffectThe Report can be downloaded at: Cybersecurity, Audit and the Board ReportMichael Volkov on LinkedIn | TwitterThe Volkov Law Group

A new compliance cottage industry surrounds artificial intelligence. We are at such an early stage of AI development, and companies are still figuring out how they can employ the technology. However, some industries, such as financial institutions, have been using AI for fraud detection and other issues. These early adopters will likely set the tone for AI compliance practices. There is no question that AI holds terrific promise. The hype surrounding AI is just that -- hype. Until there is more certainty surrounding AI technology, we will witness a lot of bloviating. But this aside, corporate boards, senior executives, and business developers need to pay attention until the dust settles. The AI industry is moving so fast that the sooner we start to focus, the nimbler our response will be.Luckily, ethics and compliance principles are easily adaptable to AI risks. In this episode of Corruption, Crime, and Compliance, Michael Volkov discusses how the compliance profession is more than capable of building effective compliance programs around AI operations.Financial institutions have been using AI for fraud detection and other issues. They are at the forefront of developing compliance practices around AI.Companies need to embrace AI's promise and not get overwhelmed by all the hype. Corporate boards, senior executives, and business developers must pay attention until the dust settles.The AI industry is moving fast, and companies need to focus on what’s happening. Compliance has to be nimble and quick, just like the technology.Like every aspect of a business, any new technology presents risks, and AI certainly presents risks that need to be mitigated. This, in turn, leads to the necessary question: How should a company structure its AI risk and compliance program?AI can be a very productive tool. It can easily end up reducing costs and increasing efficiency. More efficient companies can help the economy expand and create new opportunities for growth.Financial institutions, tech companies, pharmaceutical, medical device and transportation logistics industries are likely to be significant users of AI technology.Generative AI use may increase the risk of fraud and will need to incorporate risk mitigation costs and capabilities.Compliance professionals have the intelligence, professional capabilities, and integrity to rise to the challenge of AI technology and onboard a third party.ResourcesMichael Volkov on LinkedIn | TwitterThe Volkov Law Group

With the beginning of the “New FCPA” era coined by DOJ’s Deputy Attorney General Lisa Monaco, we now need to focus on third-party risk and sanctions enforcement. The law, the practice, and the risks are important and not just the same as FCPA legal requirements. As we embark on a new criminal enforcement era surrounding sanctions violations, companies have to address this issue and do it correctly. In this episode, Michael Volkov takes a comprehensive look at third-party risks from the distribution and supply sides and outlines appropriate strategies to manage these risks.Epsilon Electronics serves as a stark reminder of the financial consequences of non-compliance. The company faced an OFAC enforcement action due to a shipment to Iran, resulting in a staggering penalty of over $4 million.Apollo Aviation Group settled with OFAC for $210,600 for leasing aircraft engines which ultimately ended up being placed in to aircraft of a prohibited entity, Sudan Airways, violating sanctions regulations.ELF Cosmetics settled with OFAC for $996,000 for importing false eyelash kits containing materials sourced from North Korea, highlighting supply chain due diligence failures.The ELF Cosmetics case underscores the crucial role of supply chain due diligence in preventing sanctions violations. Instead of sticking their heads in the sand, companies must undertake basic supply chain due diligence when sourcing products from regions close to high-risk countries or regions.“Reason to know” is now the key phrase guiding the New FCPA era. OFAC does not need to prove goods ultimately end up in a sanctioned country. When you see red flags, you must resolve them or they could be considered a “reason to know” in OFAC’s eyes.Seven essential elements to boost your compliance program and effectively mitigate third-party sanctions risks include risk assessment, varying levels of due diligence, end-user documentation, monitoring, training, and red flag identification.ResourcesMichael Volkov on LinkedIn | TwitterThe Volkov Law Group

Carlos Villagrán is the Director of Compliance at CMPC, a 100-year-old Chilean-based holding company, one of the worldwide leading pulp, paper, packaging, personal care, and other forest products manufacturers. With more than 20,000 employees, CMPC has industrial operations in 9 countries (LatAm and the US) and commercial offices in the US, Europe, and China, selling and distributing its products to more than 45 countries around the world. Carlos joined CMPC to remediate and rebuild CMPC's culture and compliance program after a devastating scandal -- CMPC was prosecuted for its involvement in a decade-long conspiracy to fix prices in Peru and Chile for consumer paper products. Carlos discusses the challenges he faced in rebuilding CMPA's culture and commitment to compliance. His story is an inspiration to all legal and compliance professionals and provides important instructive lessons to corporate leaders and compliance professionals.You'll hear Michael and Carlos discuss:The importance of rebuilding and rediscovering the values and purpose of CMPC after a major corporate crisis.The effects on market share quotas and sales prices when CMPC faced an investigation and found to be the leader of a cartel in Chile and Peru.How the crisis significantly impacted CMPC's reputation, leading to public protests and consumer backlash in Chile and Peru.CMPC’s compliance team addressed the company’s complex nature because of its diverse workforce, including data analytics experts, IT professionals, and engineers.How the compliance program at CMPC shifted from a traditional approach to a more cultural and system-thinking perspective, aligning with the company's values and operations.Success for the compliance program at CMPC is defined by the number of critical tables the team is seated on, indicating their value and integration within the business operations.ResourcesCarlos Villagran on the Web | LinkedInEmail: [email protected] or [email protected] Volkov on LinkedIn | TwitterThe Volkov Law Group

Over the last ten years, we have seen a marked shift from the Delaware Chancery Court chipping away at corporate board member liability claims. In a number of seminal cases involving Boeing airplane crashes (In re the Boeing Co. Derivative Litig., No. 2019-0907 (Del. Ch. Sept 7, 2021)), and deadly listeria outbreaks from tainted ice cream (Marchand v. Barnhill, 212 A.3d 805 (Del. 2019)), Delaware Courts have upheld plaintiffs' cases against claims of failing to adequately plead violations of the standards set forth in Caremark, 698 A.2d 959 (Del. Ch. 1996), (establishing basic pleading requirements to withstand motions to dismiss). In this episode, Mike Volkov provides a comprehensive update on the recent Caremark decisions issued by the Delaware Chancery Court, underscoring their importance for accountability and governance in the corporate world.Caremark oversight duties stem from the well-established duty of loyalty and its subsidiary duty of good faith. To plead a Caremark claim, a plaintiff is required to put forth adequate facts from which a factfinder can make a reasonable inference that the fiduciary acted in bad faith. Under Caremark, bad faith can be established when a fiduciary: “(1) utterly fail[s] to implement any reporting or information system or controls," or (2) having implemented such a system or controls, consciously fail to monitor or oversee its operations, which results in a failure to act or attend to a risk or problem requiring their attention or response. Last year, the Chancery Court made a groundbreaking decision, extending the so-called Caremark oversight obligations and governance requirements to senior management in the McDonald's case. In re McDonald’s Corp. S’holder Derivative Litig., 289 A.3d 343 (Del. Ch. 2023). This ruling is one of the most significant developments in recent years, advocating for increased accountability for oversight and governance failures.Recent cases, such as the Boeing 737 MAX crashes and the Listeria outbreak from tainted Blue Bell ice cream, have highlighted failures in proper board governance and oversight responsibilities.In a case involving Segway, the Chancery Court dismissed a motion against an officer for failing to detect financial discrepancies, emphasizing the need to demonstrate a lack of good faith in monitoring central compliance risks.The trend in Delaware Chancery Court decisions is moving towards holding directors and officers accountable for failures to act in response to indications of potential illegal conduct, with a focus on bad faith actions.The Boeing case exemplifies the consequences of board members ignoring safety concerns and focusing solely on the bottom line, leading to tragic outcomes that could have been prevented with proper oversight and accountability.ResourcesMichael Volkov on LinkedIn | TwitterThe Volkov Law Group

Directive 2019/1937 of the European Parliament and Council dated 23 October 2019 on the “protection of persons who report breaches of Union law” (the “Directive”) is currently being implemented by EU Member States. The directive has broad applicability to organizations operating in the EU internal market and applies to both public and private sector organizations alike. Whistleblowers are guaranteed legal protection to the extent: (1) they have reasonable grounds to believe that the information reported was true at the time of the report; and (2) the whistleblower reported either internally to the organization, externally to a competent authority, or publicly. Private sector organizations with 50 or more workers are legally required to establish channels and procedures for internal reporting of EU law breaches and conduct appropriate follow-up. In this episode, Mike Volkov is joined by Daniela Melendez and Alex Cotoia from the Volkov Law Group, who bring their expertise to the table as they delve into the EU Directive and its implementation by several member states. Listen to this discussion to understand and navigate the complexities of the EU Whistleblowing Directive.The EU Whistleblower Directive shifts the burden of proof on retaliatory actions to the person taking the detrimental action, requiring them to demonstrate it was not linked to reporting concerns.Global companies are taking a proactive stance by increasingly focusing on robust ethics and compliance programs. This strategic move is aimed at mitigating risks and promoting positive corporate citizenship in today's economy, where adherence to legal and ethical standards is paramount.France signed the EU Directive into law on March 21, 2022, outlining protocols for gathering and handling whistleblower reports, including a two-month deadline for imposing disciplinary sanctions.Germany enacted the EU Directive on May 12, 2023, allowing anonymous reports and setting a three-month investigation deadline after receiving the report.Spain addressed the EU Directive on February 2023 by covering additional topics like occupational health and safety breaches. The directive established a three-month deadline for investigations and allowed anonymous reports.Italy transposed the EU Directive on August 4, 2022, including administrative, financial, civil, and criminal offenses not covered by the Directive, with a 30-day deadline to conduct investigations upon receipt of reports.Companies are advised to make resources available to conduct investigations quickly due to the short timeframes set by various countries' whistleblower protection laws.ResourcesMichael Volkov on LinkedIn | TwitterThe Volkov Law GroupAlex Cotoia on LinkedIn Email: [email protected] Melendez on LinkedInEmail: [email protected]

NAVEX continues to produce high-quality compliance reports, many of which are a must-read in the compliance industry. Its annual Whistleblower Report is of particular note -- NAVEX is the leading provider of hotline services in the world, and its data is invaluable as a source of trends in this industry. This year --2024 -- is no exception. NAVEX combed through the data from 3784 organizations for 2023. Its headline conclusion -- 2023 was a busy year, with a record level of use and the substantiation rate reaching an eleven-year high. More reports came in, and more were found to be true. Listen in as Michael discusses the findings of these reports and why the increase is a good sign, not a bad sign. It means that employees trust their respective hotline reporting systems to produce results.NAVX's 2024 Whistleblower Report revealed a record level of use and an 11-year high substantiation rate, indicating increased trust in employee reporting systems.Accounting-related reports, comprising approximately 4.3% of all reports in 2023, had a significant impact. With a median substantiation rate of 50%, these reports often led to employment separation events, underscoring the seriousness of the issues raised.Third-party reports were more likely to focus on business integrity and financial misconduct issues, accounting for 50% of reports compared to employees' 17%.Reports of imminent threats had a high substantiation rate in 2023, with nearly 9 out of 10 reports proven to be substantiated, highlighting the seriousness of such issues.Workplace civility complaints increased to 18% of reported cases, reflecting a growing concern within organizations about maintaining a respectful work environment and culture.HR issues, a significant portion of all reports in 2023, accounted for 55% of the total. This underscores the importance of addressing internal workplace issues, such as workplace discord, discrimination, harassment, and retaliation, to maintain a healthy and productive work environment.Clear Channel's extensive cooperation with the investigation, prompt sharing of facts, document production, and employee interviews demonstrated a commitment to transparency and accountability in addressing compliance issues.ResourcesMichael Volkov on LinkedIn | TwitterThe Volkov Law Group

OFAC is capable of extending a long arm of enforcement, reaching sometimes non-U.S. companies that may "cause" another company to violate U.S. Sanctions laws. If you need to find an example of this long reach, look no further than OFAC's recent settlement with SCG Plastics ("SCG"). In this settlement, SCG, a Thai company that sells plastic resins, agreed to pay $20 million for violations of the Iran Sanctions Program.In this episode, Michael Volkov explores the series of actions that led to that $20 million dollar settlement, and the consequences.In a recent enforcement action, SCG Plastics paid OFAC $20 million to resolve violations of the Iran sanctions program, showcasing OFAC's far-reaching jurisdiction.SCG Plastics caused U.S. financial institutions to process $291 million in wire transfer sales of High-Density Polyethylene Resin (HDPE) of Iranian origin from 2017 to 2018, which violated the Iran sanctions program.SCG Plastics voluntarily disclosed 10 violations but did not disclose 457, which led to OFAC determining all 467 violations as egregious.The size of the settlement was due to multiple aggravating factors: SCG Plastics willingly engaged in a multi-year pattern of conduct designed to circumvent the Iran sanctions program, causing significant harm to OFAC sanction policy objectives while earning substantial revenues.Importantly, commercial activity that may fall outside the jurisdiction of OFAC sanctions can still result in a violation when the financial transactions related to the activity are processed through or involve U.S. financial institutions.OFAC emphasized the risks for non-U.S. companies engaging in conduct that causes U.S. persons to violate sanctions, in this case processing the transactions, which would not have been done with adequate disclosure, highlighting the importance of compliance with U.S. sanctions and export control laws.ResourcesMichael Volkov on LinkedIn | TwitterThe Volkov Law Group

LRN continues to set the standard for ethics and compliance program research. Volkov Law is  a supporter of, and advocate for, LRN’s research because it has consistently confirmed what we all know and believe - ethical companies perform better in the marketplace over the long run. It is an intuitive fact that employees respond better to values-based leadership than a rules-based environment and culture. Volkov Law is committed to that mission with our clients, colleagues, partners, and thought leadership. In this Episode Michael Volkov discusses LRN's latest PEI Report, a copy of which can be obtained at https://lrn.com/resources/ethics-compliance-program-effectiveness-reportLRN's 2024 Program Effectiveness Report highlights the importance of corporate values, culture, and accountability in mitigating risks and maximizing financial performance.The report is based on a survey of over 1,400 ethics and compliance professionals from 19 countries and 26 industries.60% of organizations now incorporate ethical behavior into performance management, hiring decisions, promotions, and bonuses to elevate ethical conduct incentives.Top priorities for 2024 include training content, measuring ethical culture, improving web-based compliance resources, internal controls, and audit and compliance monitoring plans.Companies are adapting compliance programs to include remote and hybrid employees post-COVID-19, reflecting changing workplace needs.Senior management engagement in risk mitigation controls and company values is crucial, with 52% of respondents confirming actions over words in fulfilling ethics and compliance responsibilities.Nearly two-thirds of respondents stated their boards actively address misconduct by senior executives or excellent performers, relying on values to ensure ethical behavior.ResourcesMichael Volkov on LinkedIn | TwitterThe Volkov Law Group

On the heels of the Gunvor FCPA settlement for $661 million, DOJ announced its settlement with Trafigura, the latest commodities trading company to fall under DOJ's FCPA Sweep against the industry. Trafigura joined the list of international commodity trading companies to suffer FCPA enforcement actions like Vitol, Sargeant Marine, Glencore, Freepoint, and Gunvor.DOJ's corporate resolutions are connected to individual prosecutions and guilty pleas of 19 individuals, including six government officials, eight corrupt intermediaries, and five trading companies.Trafigura Beheer B.V. ("Trafigura"), based in Switzerland, plead guilty and agreed to pay $126 million as part of a plea agreement to resolve FCPA violations in Brazil. Trafigura pleaded guilty to conspiracy to violate the anti-bribery provisions of the FCPA and agreed to pay a fine of over $80 million and forfeiture of $46 million. DOJ agreed to credit up to $26 million of the fine against the amounts Trafigura pays to resolve an ongoing Brazil investigation.Trafigura, a global commodity trading company, pled guilty and agreed to pay $126 million to resolve FCPA violations in Brazil, involving a corrupt scheme to pay bribes to Brazilian officials to secure business with Petrobras.DOJ cited Trafigura's cooperation and acceptance of responsibility, including providing timely updates, facilitating employee interviews, and producing relevant documents, but criticized their failure to preserve and produce certain evidence in a timely manner.Trafigura's bribery scheme involved paying bribes to Petrobras officials from 2003 to 2014 to obtain and retain business, with payments ranging from 5 to 20 cents per barrel for oil transactions.The bribery payments were facilitated through offshore bank accounts, U.S. banks, and coded language in emails, with Trafigura entities earning approximately $51 million in profits from the scheme.DOJ's successful sweep of the commodities trading industry resulted in six corporate resolutions and 20 individual convictions, totaling over $1.7 billion in penalties, emphasizing the importance of robust compliance and surveillance strategies.Trafigura's lack of compliance oversight and failure to maintain proper third-party due diligence or risk management programs allowed the bribery scheme to operate with impunity, highlighting the need for enhanced controls and monitoring in high-risk industries.Despite the challenges faced during the investigation, Trafigura's guilty plea and cooperation with DOJ demonstrate a commitment to addressing corruption and compliance issues in the global commodity trading sector.ResourcesMichael Volkov on LinkedIn | TwitterThe Volkov Law Group