
How Do You Evaluate a Risk Assessment?

FCPA Compliance & Ethics -

Yesterday we considered how to perform a risk assessment. Today we consider how to evaluate the information you have developed. After you complete your risk assessment, you must then translate it into a risk profile, as Rick Messick has noted, to estimate where bribery is likely to occur, so prevention efforts will be properly targeted. Ben Locwin explained, [...]

The post How Do You Evaluate a Risk Assessment? appeared first on Compliance Report.

“The Big Chill”: Personal Liability and the Targeting of Financial Sector Compliance Officers

Program on Compliance and Enforcement, New York University School of Law -

by Court E. Golumbic


Prominent law enforcement and regulatory officials have referred to financial sector compliance officers as “essential partners”[1] in ensuring compliance with relevant laws and regulations, whose “difficult job[s]” merit “appreciat[ion] and respect.”[2] Officials have noted the critical role these professionals play in shaping the culture of financial institutions, as well as the industry more generally.[3] However, a series of recent enforcement actions in which financial sector compliance officers have been personally sanctioned[4] has strained this partnership, fueling concerns among financial sector compliance officers that they are being unfairly targeted.[5]

Law enforcement and regulatory officials have responded to these concerns with assurances that both the ethos of a partnership and their even-handed enforcement approach remain intact.[6] Officials have stressed that in the rare instances in which financial sector compliance officers have been held personally accountable, the majority had engaged in affirmative misconduct.[7] Rarer still, they contend, are cases where compliance officers were found to have exhibited “wholesale” or “broad-based” failures in carrying out responsibilities assigned to them.[8] In these particular cases, officials have stressed that the enforcement actions proceed only when, after carefully weighing the evidence, the facts indicate that the compliance officers “crossed a clear line.”[9]

The Perception of Compliance Officer Targeting

Efforts to allay compliance officers’ fears and justify regulators’ charging practices appear to have been ineffective, however, for the perception of targeting endures. Indeed, the perception has coincided with increased attrition within the ranks of senior compliance officers in the industry.[10] In February 2016, The Wall Street Journal reported that the number of senior bank compliance executives who had left their jobs in 2015 was three times greater than in 2014.[11] Evidence also suggests that the specter of personal liability is causing potential leaders in financial sector compliance to reconsider their career paths.[12] In a recent survey of Chief Compliance Officers (“CCOs”) of public companies, sixty percent said they would think more carefully about future roles they might consider given the risk of personal liability.[13]

Regulators are thus confronted with a fundamental policy question: whether the benefits of current charging practices, such as the potential for increased vigilance, justify the continued exodus of senior compliance professionals from the industry.

There is little reason to question the validity of law enforcement and regulatory officials’ expressions of support for the financial sector compliance function. Nor is there reason to doubt their representations that enforcement actions against individual compliance officers are the product of careful consideration, and are undertaken only when supported by evidence indicating that a clear line was crossed. Given that efforts to quell the sense of anxiety among compliance officers appear to have had little effect, however, we must consider other possible causes of the perception of compliance officer targeting.

Possible Explanations for the Enduring Perception

  1. The Aggregate Impact of Recent Enforcement Actions

One explanation is the aggregate impact of recent enforcement actions. Senior SEC officials have proffered compelling statistics to demonstrate that the number of cases brought by the Commission against compliance officers, in the absence of allegations of willful misconduct or obstruction, is an extremely small fraction of the whole.[14] This also appears to be the case with FinCEN and FINRA, the other agencies that have brought recent cases against financial sector compliance officers personally.[15]

Perhaps it is the totality of these actions that catches the attention of the average compliance officer, rather than the merits of any individual case. This seems especially plausible given that the recent enforcement actions have been brought by multiple agencies in a relatively close time frame. The fact that it has been historically rare for these agencies to bring personal charges against financial sector compliance officers may therefore offer scarce comfort when they appear to be doing so presently, and in relatively close proximity to one another.

  2. The “Isolation Factor”

The second possible explanation for the perception of targeting can be termed the “isolation factor.” One common feature linking recent enforcement actions against financial sector compliance officers (Brown Brothers, Haider, Raymond James, Aegis, BlackRock, SFX, etc.) is the fact that, in each case, the compliance officer was the only individual charged. Indeed, a substantial number of the enforcement cases brought against individual compliance officers in the past several years have not included charges against other senior business or control-side personnel.[16]

The success of a financial institution’s compliance program depends on the efforts of multiple stakeholders. While compliance figures prominently in this equation, so too do legal, operations and the business. Indeed, regulators view the business as the “first line of defense” with primary responsibility for implementing internal controls.[17] Compliance and other control functions are considered the “second line,” responsible for unearthing issues that are not captured by the first line.[18]

Imposing personal liability on compliance officers for the frailties of their firms’ compliance programs only addresses one part of the equation. Each line of defense should operate in a robust and effective fashion toward the shared goal of strengthening a financial firm’s overall control environment. Enforcement actions that fail to reflect this sense of shared responsibility, and instead focus exclusively on the role of the compliance officer, may not be ensuring the appropriate level of engagement by all senior managers with the ability to influence a firm’s compliance culture. In addition, these actions risk being viewed by the compliance community as unfairly placing the totality of responsibility for the effectiveness of a firm’s program on the compliance officers’ shoulders.[19]

  3. Recent Trends in Law Enforcement and Regulatory Policy

Finally, the perception among financial sector compliance officers that they are being targeted may also be attributed to recent trends in law enforcement and regulatory policy. At the same time that they have witnessed an uptick in noteworthy enforcement actions against their peers, compliance officers have also observed an increased focus on individuals in cases of corporate misconduct.[20] Former Deputy Attorney General Yates’ issuance of new DOJ guidance in September 2015, which compels federal prosecutors to examine individual culpability as a condition of resolving cases against corporations, is the most significant illustration of this shift.[21] Another is the tonal shift among prominent law enforcement and regulatory officials emphasizing individual accountability.[22] Accompanying this enhanced focus on individuals is a greater emphasis on the role of compliance more generally, as evidenced by the appointment in 2016 of the first-ever Compliance Counsel to the DOJ and the corresponding compliance guidelines.[23]

While these initiatives have signaled a new era of individual scrutiny, a proposed regulation introduced by the New York State Department of Financial Services (“DFS”) in December 2015 threatened to take this notion to a potentially troubling extreme.[24] The proposed rule required CCOs or their functional equivalents to certify annually that their financial institutions’ AML and sanctions screening controls complied with applicable regulations, and exposed them to potential criminal penalties for false or incorrect certifications.

The criminal sanctions were ultimately dropped from the final version of the DFS rule. However, when viewed in the context of the new DOJ guidance, the appointment of Compliance Counsel and other policy developments, the inclusion of criminal penalties in the earlier iteration may have been sufficient to heighten the anxiety of financial sector compliance officers and fuel the impression that they are receiving a disproportionate amount of attention.[25]

The “Big Chill” and its Attendant Consequences

Regardless of the cause, the potential “chilling effect” of the recent enforcement actions against financial sector compliance officers is deeply concerning. If the “demoralizing belief” persists among compliance officers that the system is potentially undermining them, and that “even exercising their best judgment will not protect them from the risk of a career-ending enforcement action,” many more will leave, or forego the profession entirely, rather than endure the risks.[26] The level of ensuing “brain drain” could diminish significantly the efficacy of financial sector compliance programs, and the integrity of the industry more generally.[27]

One proposal for countering the perception of compliance officer targeting is the adoption in the U.S. of an accountability regime similar to the Senior Manager Regime (“SMR”) in the U.K., which compels financial institutions to allocate certain conduct rules and other responsibilities to designated “Senior Management Functions.”[28] Because these Senior Management Functions include not only senior compliance functions, but a range of other senior business and control-side roles,[29] this shared responsibility would provide greater assurance to compliance officers that their conduct will be assessed not in isolation, but within the context of a broader managerial effort.

Whether by adopting a U.S. analogue to the SMR or through some other measure, the perception of compliance officer targeting must be reversed before the “big chill” sets in, and the industry finds that this critical function has been robbed of its best and brightest.

[1] Id.

[2] See, e.g., Andrew Ceresney, Dir., Div. of Enf’t, U.S. Sec. & Exch. Comm’n, Keynote Address at the 2015 National Society of Compliance Professionals, National Conference (Nov. 4, 2015),

[3] See, e.g., Preet Bharara, U.S. Attorney for S. Dist. of N.Y., SIFMA’s Compliance and Legal Society Annual Seminar Prepared Remarks of U.S. Attorney Preet Bharara (Mar. 31, 2014), sdny/speech/sifma-s-compliance-and-legal-society-annual-seminar-prepared-remarks-us-attorney.

[4] See Letter from Raymond James & Assoc., Inc., et al., to Dep’t of Enf’t, Fin. Indus. Regulatory Auth., Financial Industry Regulatory Authority Letter of Acceptance, Waiver & Consent No. 2014043592001 (May 18, 2016); see also U.S. Dep’t of the Treasury v. Haider, No. 15-1518 (D. Minn. Jan. 8, 2016) (order denying motion to dismiss); Dep’t of Enf’t v. Aegis Capital Corp., No. 2011026386001 (Aug. 3, 2015) (order accepting order of settlement); In the Matter of SFX Fin. Advisory Mgmt. Enterprises, Inc., SEC; Investment Advisers Act Release No. 4116, Administrative Proceeding No. 3-16591 (June 15, 2015); In the Matter of Blackrock Advisors, LLC, SEC; Investment Advisers Act Release No. 4065, Investment Company Act Release No. 31558, Administrative Proceeding No. 3-16501 (Apr. 20, 2015); Brown Bros. Harriman & Co., Letter of Acceptance, Waiver and Consent No. 2013035821401 (Feb. 4, 2014).

[5] See, e.g., Emily Glazer, The Most Thankless Job on Wall Street Gets a New Worry, Wall St. J. (Feb. 11, 2016, 4:39 PM), compliance-officers-1454495400; Dawn Causey, Who Should Have Personal Liability for Compliance Failures?, A.B.A. Banking J. (Aug. 17, 2015), who-should-have-personal-liability-for-compliance-failures/.

[6] See, e.g., Ceresney, supra note 1 (“I am hopeful that, after you hear my remarks, you will understand that [recent SEC actions against compliance officers] . . . are consistent with the partnership we have developed to foster compliance with the laws.”); see also Mary Jo White, Chair, Sec. & Exch. Comm’n, Opening Remarks at the Compliance Outreach Program for Broker-Dealers (July 15, 2015) (“To be clear, it is not our intention to use our enforcement program to target compliance professionals.”).

[7] See Ceresney, supra note 1 (explaining that in the vast majority of cases the SEC brings against CCOs the compliance officers “are affirmatively involved in misconduct that is unrelated to their compliance function” or have engaged “in efforts to obstruct or mislead.”).

[8] See id. (“The third category of cases where we have charged CCOs are where the CCO has exhibited a wholesale failure to carry out his or her responsibilities. . . . This category is considerably smaller . . . but has drawn significantly more attention.”).

[9] See id. (“[W]e in Enforcement and the Commission take the question of whether to charge a CCO very seriously and consider it carefully. We think very hard about when to bring these cases. When we do, it is because the facts demonstrate that the CCO’s conduct crossed a clear line.”); see also Jennifer Shasky Calvery, Dir., Fin. Crimes Enf’t Network, Securities Industry and Financial Markets Association Anti-Money Laundering and Financial Crimes Conference (Jan. 30, 2014), crimes-enforcement-network-8 (“I think if you look at our past enforcement actions, and review the facts, you can see clearly why FinCEN took action in these cases.”).

[10] See Glazer, supra note 5; DLA Piper, DLA Piper’s 2016 Compliance And Risk Report: CCO’s Under Scrutiny 3 (2016),

[11] See Glazer, supra note 5.

[12] See DLA Piper, supra note 10.

[13] See id. at 9.

[14] See supra notes 7–9.

[15] See FinCEN Seeks Civil Money Penalty and Injunction Against Former Chief Compliance Officer of MoneyGram, SIDLEY (Jan. 2, 2015), 2015-01-02_banking_and_financial_services_update (“The Complaint [against Thomas Haider] is significant because it is highly uncommon, and possibly unprecedented, for FinCEN to hold a compliance officer personally responsible for the AML failures of an employer.”).

[16] See supra note 4.

[17] Geoffrey P. Miller, The Law of Governance, Risk Management, And Compliance 4 (2d ed. 2017).

[18] Id.

[19] See Glazer, supra note 5 (quoting one compliance officer who had worked for large U.S. and foreign banks as saying, “It’s easier for firms to give up their compliance officer, because what are they going to do, give up the CEO?”); Chris Kentouris, Compliance Officers: Taking the Regulatory Heat, Personally, FinOps Rep. (Apr. 1, 2014), compliance-officers-taking-the-regulatory-heat-personally/ (“We’re caught between a rock and a hard place,” one compliance officer at a New York brokerage tells FinOps. “We can provide the best advice possible, but if it falls on deaf ears, we’re the ones paying the price.”).

[20] See Jeremiah Buckley, The Compliance Officer Bill of Rights, Am. Banker (Feb. 22, 2016), (“Regulators and prosecutors are under increasing pressure to bring charges not only against companies, but also against individual corporate officers.”).

[21] Memorandum from Sally Quillian Yates, Dep. Att’y Gen., Individual Accountability for Corporate Wrongdoing, U.S. Dep’t of Justice (Sept. 9, 2015).

[22] See, e.g., J. Bradley Bennett, Exec. Vice President & Dir. of Enf’t, Fin. Indus. Regulatory Auth., Remarks from the SIFMA Anti-Money Laundering and Financial Crimes Conference (Apr. 5, 2016), financial-crimes-conference (“When we look at cases and charging decisions, we look at potential liability for individuals in every case.”); Sally Quillian Yates, Dep. Attorney Gen., Remarks at New York University School of Law Announcing New Policy on Individual Liability in Matters of Corporate Wrongdoing (Sept. 10, 2015), general-sally-quillian-yates-delivers-remarks-new-york-university-school (“[N]othing discourages corporate criminal activity like the prospect of people going to prison.”); Benjamin M. Lawsky, Superintendent, N.Y. State Dep’t of Fin. Serv., Remarks on Financial Institution Regulation in New York City at Columbia Law School (Feb. 25, 2015), news/new-york-state-department-of-financial-services-superintendent-benjamin-m-lawsk/ (“In my opinion, if in any particular instance [of corporate wrongdoing] we cannot find someone, some person, to hold accountable, that just means we have stopped looking. Moreover, even if there are certain circumstances where misconduct does not rise to the level of criminal fraud, civil financial regulators can also play a role in imposing individual accountability.”); Andrew Ceresney, Dir., U.S. Sec. & Exch. Comm’n Div. of Enf’t, American Conference Institute’s 32nd FCPA Conference Keynote Address (Nov. 17, 2015), (“Holding individuals accountable for their wrongdoing is critical to effective deterrence and, therefore, the [Enforcement] Division considers individual liability in every case.”).

[23] New Compliance Counsel Expert Retained by the DOJ Fraud Section, U.S. Dep’t of Justice (Nov. 3, 2015),; Evaluation of Corporate Compliance Programs, U.S. Dep’t of Justice (Feb. 8, 2017),

[24] Regulating Transaction Monitoring and Filtering Systems Maintained by Banks, Check Cashers and Money Transmitters, 37 N.Y. Reg. 9, 11 (proposed Dec. 16, 2015).

[25] See DLA Piper, supra note 10 (“Coupled with the appointment of Hui Chen as the Justice Department’s first-ever compliance counsel and accompanied by a steady drumbeat of guidance from Andrew Ceresney, Securities and Exchange Commission director of enforcement, the [Yates] memo seemed to signal a new era of scrutiny and personal liability for senior executives and compliance officers.”); see also Personal Liability or Talent Drain?, ACAMSToday (May 9, 2016), (“Ultimately, regulators were put under severe criticism for not having been able to hold responsible key executives for all failings of the financial crisis. The lack of meaningful enforcement actions against senior individuals shifted the nature of supervisory responsibilities to personal liability. That said, compliance officers gradually became the target of ‘witch hunts,’ in which some ended up being ‘burned alive’ at the stake for all noncompliant obligations and wrongdoings.”).

[26] See Letter from Lisa D. Crossley, Exec. Dir., Nat’l Soc’y of Compliance Prof’ls to Andrew Ceresney, Dir., U.S. Sec. & Exch. Comm’n Div. of Enf’t (Aug. 18, 2015) (suggesting that enforcement actions against compliance officers will engender “a demoralizing belief that even exercising their best judgment will not protect them from the risk of a career ending enforcement action, with the result that many of the best compliance officers will choose to leave the profession rather than face the risks.”).

[27] See e.g., Luis Aguilar, Comm’r, U.S. Sec. & Exch. Comm’n, Public Statement, The Role of Chief Compliance Officers Must Be Supported (June 29, 2015), (“[I] am concerned that the recent public dialogue may have unnecessarily created an environment of unwarranted fear in the CCO community. Such an environment is unhelpful, sends the wrong message, and can discourage honest and competent CCOs from doing their work.”).

[28] Senior Managers and Certification Regime, Fin. Conduct Authority (Sept. 9, 2016), The SMR, which was conceived in response to the financial crisis of 2007–2008 and LIBOR rate-fixing scandals, is designed to “embed personal accountability into the culture” of the UK financial services industry. FCA Publishes Final Rules to Make Those in the Banking Sector More Accountable, Financial Conduct Authority (July 7, 2015), rules-make-those-banking-sector-more-accountable (quoting Martin Wheatley, Chief Exec., Fin. Conduct Auth.). The SMR contemplates enforcement actions against individuals serving in Senior Management Functions who have “contravened the statements of principle that apply to them,” or if the manager is “knowingly concerned in a breach of regulatory requirements by the firm.” Id.

[29] Senior Managers and Certification Regime, supra note 28.

This blog post is based on an article of the same name, to be published in the Hastings Law Journal, Volume 69, Issue 1.

Court E. Golumbic is a Partner and the global head of Financial Crime Compliance for the Goldman Sachs Group, Inc. (“Goldman Sachs”). He is also a former Assistant United States Attorney with the United States Attorney’s Office for the Southern District of New York, and a former Senior Adviser to the Under Secretary for Enforcement at the United States Treasury Department. He is currently an adjunct professor at the New York University School of Law and has formerly been an adjunct professor at the University of Pennsylvania School of Law. The author would like to thank Jason Driscoll for his assistance in writing this post.

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.

Calif. Mudslides Leave 15 Dead

Risk Management Monitor -

Heavy rains in southern California have caused mudslides in some areas, killing at least 15 people and trapping hundreds. The deluge of mud now covering homes, businesses and freeways is the result of heavy rains washing away ground laid bare by the Thomas Fire, the state’s largest wildfire to date, which burned more than 280,000 acres in December.
Many of those who had returned home after the wildfires have been evacuated for mudslides. The New York Times wrote:

As the mud rushed into lower-lying neighborhoods in Montecito, a wealthy hillside community where many celebrities have homes, the power went out and gas lines were severed, said Thomas Tighe, a resident. Officials said Tuesday night that it could be several days before gas service would be restored. They also said power failures were affecting more than 6,000 homes and businesses in the area, adding that many parts of Montecito were without drinkable water.

Driving rain started at about 3:00 a.m. on Jan. 9. By Tuesday, more than 5.5 inches of rain had fallen in parts of Ventura County, the National Weather Service said. A mandatory evacuation order for about 7,000 residents was issued by Santa Barbara County officials, but many would not leave. As a result, people were trapped in homes and cars and on rooftops by fast-moving rivers of thick mud carrying trees and debris.
CNN reported that dozens of people have been rescued in Santa Barbara County, including a 14-year-old girl trapped beneath a house, and that parts of US 101 in Santa Barbara and Montecito have been closed.

Mudslides are not uncommon in the area, especially following wildfires, and they can be deadly. In January 2005, a landslide struck La Conchita in Ventura County, killing 10 people.

Compliance: Maintain the Status Quo or Question Everything?

Compliance Experts - Compliance Audit & Management Blog -

At face value, compliance can easily be interpreted as maintaining the status quo, following the rules, and conforming to predetermined and universally accepted norms. And if you choose to believe and adhere to that definition and understanding of the term and the practice, that's exactly what it will be. But you do have a choice. It's just like a paraphrase of the old saying: whether you believe that you can or you can't do something, you're right.

Calculated Risk Management for a Successful Startup

Ezine Articles - Business Risk Management -

Risk taking is an art and can only be perfected by practice. There is a saying: the biggest risk in life is not taking any risk. It's better to take a chance right now than to regret it in the future. But in the world of startups you just can't take a risk casually. There has to be an appropriate step-by-step strategy. This is where Risk Management comes into the picture.

The Basics: Part 1

The Compliance & Ethics Blog -

By Jan Schramke, Compliance Administrator, EMEA Region. Sometimes the basics are all we need to help us predict outcomes in advance. Perhaps that is why the basics are always a relevant topic. I would love to hear your opinion and learn from you. Perhaps you made different observations or have valuable insights you would like […]

Webinar: 2018 Ethics and Compliance Program Trends and Expectations

Corruption, Crime & Compliance Blog -

Webinar: 2018 Ethics and Compliance Trends and Expectations

Tuesday, January 16, 2018, 12 noon EST

The compliance profession continues to increase its influence in the corporate governance landscape. The Justice Department’s aggressive prosecution of global companies for anti-corruption violations, as well as international enforcement and compliance developments, has created a comprehensive set of compliance trends and government expectations as to compliance functions.

Join Michael Volkov, CEO of The Volkov Law Group, as he reviews 2018 ethics and compliance trends and expectations.

The post Webinar: 2018 Ethics and Compliance Program Trends and Expectations appeared first on Corruption, Crime & Compliance.

Breaking News in the Industry: January 10, 2018

Loss Prevention Media -

K9 Gunnar tracks down theft suspect who fought, bit, threatened store employees

Saturday night several Spokane, Washington, deputies responded to a theft call where the suspect took off after she fought, bit, and threatened store employees. Ladarion M. Roberts was eventually tracked down and charged with three felonies. It happened just before 8 p.m. Spokane Valley deputies responded to the ShopKo, located at 13414 E. Sprague, for a reported theft. Loss prevention associates said a woman, later identified as Roberts, entered the store and picked up several items, including a prepaid cell phone and several makeup items, as she walked around. Roberts went into a dressing room with all the items, but when she came out, she didn’t have the phone or makeup. The employee checked the dressing room for the items, but didn’t find them. She attempted to pay for other items, but her credit card was declined and she left the store. The LP associates followed Roberts outside, identified themselves, and attempted to take her back to the loss prevention office in the store. Deputies say Roberts refused and became combative, pushing, hitting, kicking and even biting one of the employees. She also threatened to mace them and yelled that she had a gun during the encounter, then she ran off on foot. After viewing store security video, Deputy Wang recognized Roberts and confirmed her identity by matching the video with a previous booking photo.

The deputy provided Roberts’ description via radio to patrol cars in the area. A short time later, Deputy Wilson spotted a purse hanging on a fence which matched the description of the one Roberts was carrying when she ran from the store. Deputy Hunt and K9 Gunnar arrived and began tracking Roberts in the area where the purse was found. Fresh footprints in the snow were observed as Gunnar led the deputies to an unsecured back door of a house on McCabe, just north of Sprague. K9 warnings were given with a response. As deputies worked to obtain a search warrant, a resident of the home was contacted. The resident said he did not know Roberts, and he did not give her permission to enter his house, but gave deputies permission to enter and search for her. K9 Gunnar was deployed on a lead in the house. He located a black coat and new makeup lying on the floor before leading deputies to a closet. Additional K9 warnings were given and went unanswered. The closet door was opened and K9 Gunnar went in. He made contact with Roberts who was hiding under a pile of blankets and other items. Roberts initially failed to comply with deputies’ demands, but soon surrendered and was taken into custody without further incident. Roberts was provided medical attention before being transported and booked into the Spokane County Jail for Robbery 1st Degree, Burglary 1st Degree and Resisting Arrest.  An additional charge of Possession of a Controlled Substance-Methamphetamine was added after a white crystalline substance was located inside Roberts’ purse, which tested and showed a presumptive positive result for methamphetamine. [Source: KHQ Q6 News]

Google “free bikes” stolen by the hundreds each week

Stroll through Mountain Valley, Calif., and you’ll probably notice some funky-looking bikes out and about. Red baskets, yellow frames, and green-and-blue wheels are telltale signs you’re looking at a “GBike.” And if you do see one, there’s a good chance it’s stolen. That’s according to a Wall Street Journal report claiming the complimentary campus bikes for Google employees go missing at a rate of up to 250 per week. According to the report, Google has generally written off the pedal-pilferers. But the uptick in theft has the Silicon Valley behemoth adding GPS trackers, hiring a bike recovery team, and – for the first time – considering locks. Google’s enormous Mountain View campus plays home to about 1,100 of the multi-colored GBikes. That’s because the company’s sprawling left-coast headquarters comprises more than 3.5 million square feet of office space alone. Needless to say, the bikes are tantamount to a necessity for the 20,000 employees stationed there.

But the brand has so far resisted security, opting instead for convenience and a “Don’t Be Evil” culture (after its famous former motto). Despite posted instructions explaining how and where the bikes should be used, the colorful cruisers continually wander off campus. Employees report bringing them home for the night, while locals say it’s not uncommon to find the bikes left in their yard. In fact, two of the Gbikes found their way atop the roof of a local pub. In light of the ongoing malfeasance, Google hired a retrieval team that scours the streets around Mountain View and picks up wayward sets of wheels. Plus, Google last year began installing GPS trackers in its bikes. Since then, the company has discovered missing Gbikes that traveled as far away as Fairbanks, Alaska, and on down to Mexico. In all, Google estimates it successfully recovers about two-thirds of the bikes. While it doesn’t put a dollar estimate on replacing lost bikes, similar cruisers retail between $100–400. Hopefully, Google can update its bike security as well as its browser security. [Source: GearJunkie]

Ohio man stealing items swings knife at LP associate

Columbus police are looking for a man they say pulled a knife on a loss prevention associate at The Mall at Tuttle Crossing. Police said the loss prevention associate stopped 30-year-old Shain Barrett around 9 p.m. as he left the Macy’s store with a $100 jean jacket and three watches. As the officer tried to handcuff him, Barrett fought back and grabbed a knife from his pocket, according to police. Police said Barrett swung the knife at the officer and ran away. Police said Barrett has been known to be homeless in Columbus and his last known address was West Main Street in Plain City. Police ask anyone with information on where Barrett may be to call the Columbus Division of Police robbery unit at 614-645-4665. [Source: 10TV WebNews]

Hundreds of counterfeit Air Jordans seized

In what could be called the case of the seven parcels, federal customs seized what they said were 400 pairs of counterfeit sneakers. Various models of Nike Air Jordan sneakers arrived in separate air cargo shipments and were seized “near Dulles International Airport,” U.S. Customs and Border Protection said. They said the parcels were to go to an address in Northern Virginia. According to the customs agency, the sneaker shipments began in December. The final seizure was made Jan. 2, customs said. According to the federal agency, the suggested retail price for authentic sneakers like those seized was $54,715. Customs officers examine imports as a matter of routine, and suspected that the items in question were not genuine, authorities said. They said they checked with the trademark holder to determine that the sneakers were counterfeits. [Source: The Washington Post]

Toy firm fined $650,000 over data breach

Electronic toymaker VTech will pay $650,000 to settle charges that it failed to protect the privacy of children using its gadgets. The US Federal Trade Commission (FTC) levelled the charges at VTech following a data breach in 2015. While investigating the breach, the FTC found the firm had broken US laws governing the way data about children is gathered. The FTC said VTech also “failed to take reasonable steps” to secure that data. VTech gathered a lot of data about children via its Kid Connect app, which was bundled with many of the electronic toys it makes. Almost 650,000 children downloaded the app and used it in conjunction with VTech’s educational toys. The app collected personal information but did so without seeking consent from parents or telling children what data was being collected and the uses to which it would be put, said the FTC. VTech’s poor data security practices meant a security researcher could get at the firm’s network and take personal information which included customers’ names as well as email addresses, it added in its complaint. The hacker was also able to get at an internal database that held copies of encryption keys that, if used, would have let an attacker view photos and audio files uploaded by children and parents.

VTech was unaware that its network had been penetrated and data taken until it was contacted by a journalist. “As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” said Maureen Ohlhausen, acting FTC chairwoman, in a statement. “Unfortunately,” she added, “VTech fell short in both of these areas.” As well as paying the financial penalty, VTech has pledged to uphold US child data protection laws in future. It has also agreed to improve its security practices and will be subjected to regular independent data and privacy audits for the next 20 years. In a statement, VTech said parents were left in no doubt about the type of information being collected about children and were able to decide who they talked to via the app. It said it collected data only to help users of its products to communicate with each other, not for marketing purposes. Marc Rotenberg, president of the Electronic Privacy Information Center which campaigns on privacy issues, welcomed the FTC’s action but said the penalty could have been levied more swiftly. “This is good news that the FTC finally took action but we feel like they are moving too slow and clearly following and not leading,” Mr. Rotenberg told the New York Times.  [Source: BBC News]

Apple’s flagship Chicago retail store wasn’t designed to handle snow

Apple’s new flagship retail store in Chicago, the one with a MacBook-shaped rooftop, is nothing short of an architectural marvel. At least, that’s how some news reports put it when the store opened back in October. Beyond standing out among the less inspired buildings of the downtown Chicago area, the new Apple Store also happens to be very poorly thought through, considering its thin roof now has dangerous icicles hanging perilously over public walkways. The deadly ice daggers have forced the closure of those spaces, as pointed out by local blogger Matt Maldre and reblogged by Daring Fireball’s John Gruber. As Maldre explains, the fancy building design, while seemingly in service of Apple’s new “town square” ideal for its retail stores, doesn’t seem to have been designed for the actual city it’s located in. “Maybe next time Apple will consider the actual community where their stores are built,” Maldre writes. “Y’know, basic things like in Chicago, the weather gets cold. It snows. The snow falls off the roof. Don’t design a sloping roof where the snow can’t be caught or guttered off somewhere.” [Source: The Verge]

The post Breaking News in the Industry: January 10, 2018 appeared first on LPM.

When Employees Leave, Keep a Close Eye on Your Data

Loss Prevention Media -

Many years ago, when Conan O’Brien was battling NBC over his role in late-night programming, he announced his intentions while waiting for a resolution. “I will continue to put on as good a show each night as I can,” Conan told his audience. “While stealing as many office supplies as humanly possible.” The line got a good laugh, but it’s no joke to employers who struggle against insiders who are willing to use termination—or just a smaller than expected raise or a lack of promotion—as justification to steal. Theft of physical assets is a substantial concern when employees leave, but case studies suggest that the theft of business information or purposeful data destruction can be more costly.


In one case, included in a compilation by Carnegie Mellon University of insider threat cases, an e-commerce software developer was angered when his benefits were cut in conjunction with his moving to a different state. His relationship with the company subsequently soured, and it eventually told him that his employment would be terminated in a month’s time.

After a week and a half, the insider logged in remotely from home, deleted the software he was developing as well as other software under development, modified system logs to conceal his actions, and then changed the root password. He then announced his immediate resignation. His actions cost the company over $25,000, 230 staff hours, and associated costs.

Forbes recounted a story from the “Once Upon a Vine” wine shop in Richmond, VA, in which the shop’s email newsletter was altered in order to bad mouth the retailer to its customers. The culprit turned out to be an ex-employee who had logged in to the company’s cloud newsletter service.

“Organizations are still finding it difficult to completely disable access for terminated employees,” notes the CERT Division of the Software Engineering Institute at Carnegie Mellon. “Commonly accepted best practices are still not being followed.”

“Some aspects of the termination process are quite obvious, such as disabling the terminated employee’s computer account,” notes CERT—and this is where the wine shop reportedly failed. The retail store had terminated the employee but not her passwords.

Ex-employees—or those about to leave—can cause any number of headaches for a retailer, such as exporting contact lists to a rival, or causing havoc to a shop’s inventory or their payroll service. The FBI has tried to alert business owners to the threat. “The exploitation of business networks and servers by disgruntled and/or former employees has resulted in several significant FBI investigations in which individuals used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts, and gain a competitive edge at a new company,” the agency said in an alert.

Although terminating an employee’s computer account seems like a straightforward best practice, real-world examples show that incomplete account-management procedures make this simple-sounding task difficult. The result is dangerous vulnerability. “Many employees have access to multiple accounts; all account creations should be tracked and periodically reviewed to ensure that all access can be quickly disabled when an employee is terminated,” notes CERT.

Diligently following strict account-management practices is critical for retailers when employees leave, suggest CERT case studies. If a retailer fails on this front, it may be too late to perform an account audit for the terminated employee. A backdoor account could have been created months before, notes CERT.

Retail organizations should develop formal, explicit termination policies and procedures. When not in place, case studies show that the termination process “tends to be ad hoc, posing significant risk that one or more access points will be overlooked.” Furthermore, studies of insider incidents prove that “insiders can be quite resourceful in exploiting obscure access mechanisms neglected in the termination process.” Real-world cases illustrate the importance of terminating access completely for former employees, careful monitoring for post-termination access, and paying particular attention to terminated technical employees.

Part of a termination process must include disabling remote access or virtual private network accounts, as well as firewall access. “Remote access is frequently exploited by former insiders,” notes the CERT study.

When an employee is fired, all relevant employees need to be notified of the worker’s termination, suggest case studies. Multiple insider attacks examined by CERT were facilitated when fired workers gained physical access to their old workplace. “For example, at least one terminated insider lied to the night-shift security guard—who had not been told of the termination—about forgetting his badge.” Access to facilities should be tracked via an automated logging mechanism, the report recommends.

Under favorable termination circumstances, some organizations choose to permit continued access by former employees for some time period. But “it is important that organizations have a formal policy in place for these circumstances and carefully consider the potential consequences,” CERT recommends.

Even with voluntary departures, companies should consider security measures such as monitoring exiting employees’ network usage. According to an LPM/SDR survey, this is a common but not universal precaution taken by retail industry companies. In the study, 58.3 percent of responding retail companies said that they monitor or review departing employees’ access/use of computer systems to ensure sensitive or confidential data are not downloaded or sent to personal e-mail accounts. This is slightly less than the figure for all employers (67.9 percent).

If an employee is terminated under adverse circumstances, the CERT study recommends that organizations consider reviewing the employee’s desktop computer and system logs to ensure no software or applications have been installed that may permit the employee back into the organization’s systems. “In one case, a terminated employee left software on his desktop that allowed him to access it, control it remotely, and use it to attack.” A few insiders who stole intellectual property immediately before leaving an organization were caught when their desktop computer activity logs were analyzed, according to the study.
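The termination controls described above (track every account so access can be disabled quickly, watch for accounts an insider may have planted months earlier, and review logs for post-termination access) reduce to a reconciliation problem: compare the HR termination roster against account inventories and authentication logs. The following script is an added illustration of that reconciliation, not code from LPM or from the CERT study; the system names, record fields and log format are assumptions, and all roster, account and log data are constructed for the example.

```python
"""Offboarding reconciliation: compare an HR termination roster against
account inventories and authentication logs to find access that outlived
the termination. All data and field names below are constructed for
illustration (assumptions, not taken from any real product or incident)."""
from datetime import datetime

# Constructed HR roster: username -> effective termination date.
TERMINATIONS = {
    "jdoe": datetime(2018, 1, 3),
    "asmith": datetime(2017, 11, 20),
}

# Every username HR knows about (current and former staff). Accounts outside
# this set have no owner and deserve scrutiny.
EMPLOYEES = {"jdoe", "asmith", "mlee", "itadmin"}

# Constructed account inventory, one row per (system, account). 'created_by'
# records which administrator provisioned the account.
ACCOUNTS = [
    {"system": "directory", "user": "jdoe", "enabled": False, "created_by": "itadmin"},
    {"system": "vpn", "user": "jdoe", "enabled": True, "created_by": "itadmin"},
    {"system": "directory", "user": "asmith", "enabled": False, "created_by": "itadmin"},
    {"system": "newsletter_saas", "user": "asmith", "enabled": True, "created_by": "asmith"},
    {"system": "directory", "user": "svc_backup2", "enabled": True, "created_by": "jdoe"},
    {"system": "directory", "user": "mlee", "enabled": True, "created_by": "itadmin"},
]

# Constructed authentication log: "<ISO timestamp> key=value key=value ...".
AUTH_LOG = """\
2018-01-02T09:10:00 system=vpn user=jdoe result=success
2018-01-05T22:13:00 system=vpn user=jdoe result=success
2017-12-15T18:40:00 system=newsletter_saas user=asmith result=success
2018-01-04T08:00:00 system=directory user=mlee result=success
2018-01-06T01:02:00 system=badge user=asmith result=denied
this line is malformed and must be skipped
"""


def lingering_accounts(terminations, accounts):
    """Accounts that are still enabled for a terminated user: the termination
    was applied to some systems (e.g. the directory) but not to all of them."""
    return sorted((a["system"], a["user"]) for a in accounts
                  if a["user"] in terminations and a["enabled"])


def accounts_created_by_terminated(terminations, accounts, employees):
    """Enabled accounts provisioned by a terminated user that map to no known
    employee: the profile of a pre-planted backdoor account."""
    return sorted((a["system"], a["user"], a["created_by"]) for a in accounts
                  if a["enabled"]
                  and a["created_by"] in terminations
                  and a["user"] not in employees)


def parse_log_line(line):
    """Parse one 'timestamp k=v k=v' line; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2 or "=" in parts[0]:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return ts, fields


def post_termination_access(terminations, log_text):
    """Authentication events by terminated users on or after their termination
    date. Denied attempts are kept too: they show someone is still trying."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        user = f.get("user")
        if user in terminations and ts >= terminations[user]:
            hits.append((ts.isoformat(), f.get("system", "?"), user, f.get("result", "?")))
    return sorted(hits)


def offboarding_report(terminations=TERMINATIONS, accounts=ACCOUNTS,
                       employees=EMPLOYEES, log_text=AUTH_LOG):
    """Bundle the three checks so they can be run as one review step."""
    return {
        "lingering_accounts": lingering_accounts(terminations, accounts),
        "suspect_accounts": accounts_created_by_terminated(terminations, accounts, employees),
        "post_termination_access": post_termination_access(terminations, log_text),
    }


if __name__ == "__main__":
    for name, findings in offboarding_report().items():
        print(name)
        for item in findings:
            print("  ", item)
```

In this constructed data the directory accounts were disabled but the VPN and the cloud newsletter account were missed, mirroring the wine-shop case in the text; the service account provisioned by jdoe has no owner in HR's roster; and both former employees authenticated after their termination dates, one of them successfully. The same three checks apply to any inventory that can be exported as rows with a username, an enabled flag and a creator.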

Finally, CERT warns all organizations to be cognizant of social relationships that could provide a disgruntled worker an avenue to commit harm. The report cites an example: Almost two months after his termination, an ex-employee got a system administrator account password from a female employee with whom he’d had a relationship. “Using this password, the insider was able to hide a project folder on the server that was needed the next day for an important customer demonstration.” In this case, even though the company took all recommended security precautions for handling the employee’s termination, the ex-worker still managed to sabotage its computer system.

The post When Employees Leave, Keep a Close Eye on Your Data appeared first on LPM.

Police Search for Suspect Accused of Putting Gun to LP Associate’s Head

Loss Prevention Media -

Tulsa, Oklahoma, police are looking for a suspected thief who they say put a gun to a loss prevention associate’s head. A loss prevention associate at the Kohl’s near 71st and Garnett stopped a man when they saw him trying to steal a speaker Monday afternoon, according to police. The loss prevention associate reportedly took the suspect to the LP office, where police say the suspect pulled out a handgun and pointed it at the employee. Police say the suspect then ran out of the office and out the door, where they say he got into a car and drove away. Police say the associate was injured trying to get out of the office, but other than that he was OK. Officers are still searching for the suspect. Police say the suspect will face charges of grand larceny and pointing a deadly weapon. Kohl’s corporate office has provided a brief e-mail response: “Thank you for contacting Kohl’s. A police investigation is under way into this matter. We are cooperating with the authorities leading the investigation and are referring all media inquiries to police.” [Source: Fox23 News]

The post Police Search for Suspect Accused of Putting Gun to LP Associate’s Head appeared first on LPM.

Day 10 of 31 Days to a More Effective Compliance Program-The Use of Social Media in Compliance

FCPA Compliance & Ethics -

What is the message of compliance inside a corporation, and how is it distributed? In a compliance program, the largest portion of your consumers/customers are your employees. Social media presents some excellent mechanisms to communicate the message of compliance going forward. Many of the applications that we use in our personal communication are free [...]

The post Day 10 of 31 Days to a More Effective Compliance Program-The Use of Social Media in Compliance appeared first on Compliance Report.

Activist Investing in Europe—2017 Edition

The Harvard Law School Forum on Corporate Governance and Financial Regulation -

Posted by Armand Grumberg, Scott Hopkins, and Lorenzo Corte, Skadden, Arps, Slate, Meagher and Flom LLP, on Wednesday, January 10, 2018. Editor's Note: Armand W. Grumberg, Scott C. Hopkins, and Lorenzo Corte are partners at Skadden, Arps, Slate, Meagher and Flom LLP. This post is based on a Skadden publication by Mr. Grumberg, Mr. Hopkins, Mr. Corte, Matthias Horbach, Francois Barrière, and Holger Hofmeister. Related research from the Program on Corporate Governance includes The Long-Term Effects of Hedge Fund Activism by Lucian Bebchuk, Alon Brav, and Wei Jiang (discussed on the Forum here); and Dancing with Activists by Lucian Bebchuk, Alon Brav, Wei Jiang, and Thomas Keusch (discussed on the Forum here).

By the end of September, 2017 had seen more than 100 European-based companies publicly subjected to shareholder demands. Reached slightly later this year than last, and much earlier than in 2015, that milestone signals that if activism in Europe has lost its capacity to shock, its future also looks secure.

Activity is still a long way behind the U.S., where the annual number of companies publicly targeted has ranged from more than 300 to nearly 500 over the last four years. And at least part of the increase in European activism in recent years has been due to a higher incidence of foreign activists looking for opportunities as the U.S. market has become increasingly picked-over. Often the most high-profile of situations, campaigns by U.S. activists at European companies this year have included Third Point Partners at Nestlé, Elliott Management at AkzoNobel, and Corvex Management at Clariant.


CEO Gender and Corporate Board Structures

The Harvard Law School Forum on Corporate Governance and Financial Regulation -

Posted by Melissa B. Frye (University of Central Florida) and Duong T. Pham (Georgia Southern University), on Wednesday, January 10, 2018. Editor's Note: Melissa B. Frye is an Associate Professor of Finance at the University of Central Florida and Duong T. Pham is an Assistant Professor of Finance at Georgia Southern University. This post is based on a recent article by Professor Frye and Professor Pham, forthcoming in the Quarterly Review of Economics and Finance.

In our article, CEO Gender and Corporate Board Structure (forthcoming in the Quarterly Review of Economics and Finance), we investigate the relationship between the gender of the CEO and corporate board structures. In recent years, women have made strides in cracking the glass ceiling in leadership positions in corporate America. Female CEOs have been appointed not only in female-friendly industries such as healthcare and consumer products but also in fields that are traditionally dominated by their male counterparts such as energy, utilities or automotive. The number of female CEOs leading S&P 500 companies reached a record high in 2016 with 27 women at the helm of these firms. However, women CEOs only make up 5.4% of the total S&P 500 CEO positions.


Pay-for-Performance Mechanics

The Harvard Law School Forum on Corporate Governance and Financial Regulation -

Posted by Subodh Mishra, Institutional Shareholder Services, Inc., on Wednesday, January 10, 2018. Editor's Note: Subodh Mishra is Executive Director at Institutional Shareholder Services, Inc. This post is based on an ISS publication by Mr. Mishra.

Following the implementation of mandated advisory shareholder votes on executive compensation under the Dodd-Frank Act of 2010, investors have regular opportunities to opine on executive pay programs. Investor feedback on the issue of pay-for-performance has indicated a preference for a focus on long-term alignment, board decision-making, and pay relative both to market peers and company performance. As a result, ISS’ approach to evaluating pay-for-performance comprises an initial quantitative assessment and, as appropriate, an in-depth qualitative review to determine either the likely cause of a perceived long-term disconnect between pay and performance, or factors that mitigate the initial assessment.

The initial quantitative screens are designed to identify outlier companies that have demonstrated significant misalignment between CEO pay and company performance over time. The screens measure alignment on both a relative and absolute basis, and over multiple time horizons. The screening process applies to constituents of the Russell 3000E Index, a collection of the largest 3,500 (approximate) equity securities traded on U.S. stock exchanges. Beginning with annual meetings on or after Feb. 1, 2018, the quantitative screen includes a new financial performance assessment that measures on a long-term basis the relative alignment between CEO pay and key financial metrics. Before this 2018 model change, the financial performance assessment was limited to ISS’ qualitative evaluation.


The Numbers Problem

Loss Prevention Media -

For decades, demographers and workforce planners have been anticipating a transformation in the workforce, a trend that the team at Rainmaker Thinking calls The Great Generational Shift. For more than 20 years, Rainmaker Thinking has been tracking this process as it reshapes what it means to have a job and go to work. This is the final stage of a historic period of profound global change, and there is a corresponding transformation in the very fundamentals of the employer-employee relationship. The Great Generational Shift presents a whole new set of challenges for employers, employees, and managers at all levels.


I began conducting in-depth interviews with young people, Generation X, in the workplace back in 1993, when I was myself a young person in the workplace. Since then, we’ve been tracking the ever-emerging, ever-“newer” new young workforce. By the late 1990s, we started tracking the “First Wave” of the great Millennial cohort, born 1978-1989, and by the early 2000s, we began tracking the “Second Wave”, born 1990-2000, when they first entered the workforce as teenagers in part-time jobs.

Since then, we’ve kept our finger on the pulse of how these generational shifts are affecting the workforce as a whole, maintaining a comprehensive picture of where each generation is coming from and where they are going in the changing workplace.

Based on our model, there are six different generations still working side by side in 2018, but just barely:

NOTE: Demographers differ about the exact parameters of each generation. The definitions are always somewhat in flux. Because both the Baby Boomers and the Millennials are such large generations, our model splits them both into “First Wave” and “Second Wave” cohorts.

In just the last year alone, millions of First Wave Boomers and pre-Boomers have left the North American workforce, while millions of Second Wave Millennials have joined:

The long-dominant Boomers are on the wane, while the Second Wave Millennials are on the rise. The oldest of the First Wave Boomers are now in their 70s and every single day, in North America alone, another ten thousand First Wave Boomers turn 70. The trends (percentage-wise) are very similar throughout Europe and in Japan.

By 2020, First Wave Boomers will be well under 6 percent of the workforce, and those who do remain in the workforce will continue trending heavily toward reinventing retirement and late-career-pre-retirement: working less than full time, often partially telecommuting, and often working non-exclusively for more than one employer.

At the same time, and for the foreseeable future, the Second Wave Millennials (and soon post-Millennials) will be the fastest growing segment of the workforce. By 2020, those born 1990 and later will be greater than 28 percent of the workforce altogether (including post-Millennials).

While the shift in numbers is swift and steady even in “older” North America, Europe, and Japan, the youth bubble is much, much larger in Africa, Latin America, and much of Asia. By 2020, in these “younger” parts of the world, those born 1990 and later will be more than 60 percent of the workforce.

These numbers represent the essence of what we call the “numbers problem” for employers—as older workers leave the workforce, they take with them the skill, knowledge, wisdom, and institutional memory gained throughout their career. At the same time, organizations that rely disproportionately upon young workers will be facing challenges that require dedicating substantial resources to staffing strategy, attraction, selection, on-boarding, training, performance management, accountability, differential rewards, and retention.

For more information about age bubbles and the numbers problem, check out The Numbers Problem – Workforce 2020 on YouTube.

For more information about the Great Generational Shift, check out the 2018 Update to Rainmaker Thinking’s annual Great Generational Shift white paper.

The post The Numbers Problem appeared first on LPM.

Compliance into the Weeds-Episode 65-The Trouble with Non-GAAP Metrics

FCPA Compliance & Ethics -

In this episode Matt Kelly and I take a deep dive into the issue of non-GAAP metrics and its implications. We were inspired by an article in this quarter’s MIT Sloan Management Review entitled “The Pitfalls of Non-GAAP Metrics” by H. David Sherman and S. David Young. It is a fascinating review of this topic, which as the [...]

The post Compliance into the Weeds-Episode 65-The Trouble with Non-GAAP Metrics appeared first on Compliance Report.

Post-conference report: Reporting and Communications Summit 2017

Ethical Corporation Feeds -

2017's Reporting and Communications Summit focused on portraying total impact in reports, bringing the most innovative companies together, from Dell, Microsoft, and Vodafone to GSK, Kellogg's, and Virgin Media. This post-conference analysis covers:

  • Total impact reporting: Understand how companies are conveying sustainability data and showcasing their impacts on the environment, society and the business

