Feed aggregator

OFAC Sanctions Compliance Insights from Standard Chartered Bank Enforcement Action (Part III of III)

Corruption, Crime & Compliance Blog -

The Treasury Department’s Office of Foreign Asset Control (OFAC) has promised to issue guidance on effective sanctions compliance programs.  This is a long-anticipated update to prior information OFAC has released on the same subject.

OFAC has raised the stakes for sanctions enforcement, especially with respect to Iran and Venezuela sanctions programs.  So far this year, OFAC has announced a number of significant enforcement actions and is sending a strong message on the importance of compliance.  Companies that ignore these stakes are only asking for trouble (how is that for a trite phrase).

OFAC’s Settlement Agreement (here) with Standard Chartered Bank contains some important details surrounding sanctions compliance.  DOJ’s amended deferred prosecution agreement incorporates these details be reference (here).  The SCB DPA also includes some important factors credited by DOJ as part of SCB’s remedial measures.

Companies that are in the process of implementing or updating their OFAC sanctions compliance program should review these documents and should incorporate these compliance expectations and elements into their own analysis. 

As part of its settlement agreement, SCB agreed to maintain sanctions compliance measures.  The key elements include:

  • Management Commitment
  • Risk Assessment
  • Internal Controls
  • Testing & Audit
  • Training

A brief description of each element and the expectations relating to each is set forth below:

Under Management Commitment, SCB has to ensure that senior management reviews and approves SCB’s sanctions compliance program; and senior management executives and board of directors maintain commitment and support of SCB’s sanctions compliance program. 

Senior managers also are required to delegate sufficient authority and autonomy to deploy its policies and procedures to mitigate SCBS’ sanctions risks; and compliance units(s) must receive adequate resources, including in the form of human capital, expertise, information technology and other resources, as appropriate, that are relative to SCB’s breadth of operations, target and secondary markets, and other factors affecting to its overall risk profile.

Senior management has to promote a “culture of compliance” throughout the organization; and demonstrate recognition of the seriousness of apparent violations of the laws and regulations and the importance of preventing recurrence.

Under Risk Assessment, SCB has to conduct an OFAC risk assessment in a manner and with a frequency that adequately accounts for potential risks posed by its clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations; and SCB has to develop a methodology to identify, analyze, and address the particular risks it identifies.

With respect to Internal Controls, SCH has to design and implement written policies and procedures outlining its sanctions compliance program. These policies and procedures have to be relevant to the organization, captures SCB’s day-to-day operations and procedures, are easy to follow, and prevent employees from engaging in misconduct.

Further, SCB’s internal controls have to adequately address the results of its OFAC risk assessment and profile, and should enable SCB to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activity that may be prohibited by OFAC.

Interestingly, with respect to automated databases used for sanctions compliance, SCB has to ensure that it has selected and calibrated the solution in a manner that is appropriate to address SCB’s risk profile and compliance needs, and SCB routinely tests the solution to ensure effectiveness.

SCB has to enforce its policies and procedures through internal and/or external audits and has to ensure that its OFAC-related recordkeeping policies and procedures adequately account for its requirements.  SCB specifically has to ensure that, upon learning of a weakness in its internal controls pertaining to sanctions compliance, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.

SCB further has to clearly communicate the sanctions compliance program’s policies and procedures to all relevant staff, including personnel within the sanctions compliance function, as well as relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.) and to external parties performing sanctions compliance responsibilities on behalf of SCB.

In particular, SCB has to appoint personnel to integrate the sanctions compliance program’s policies and procedures into SCB’s daily operations. This process includes consultations with relevant business units and ensures that SCB employees understand the policies and procedures.

With respect to Testing and Audits, SCB has to ensure that the testing and/or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, and resources within the organization.  SCB has to employ testing or audit procedures appropriate to the level and sophistication of its sanctions compliance program and ensure that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of SCB’s OFAC-related risks and internal controls.  Further, SCB has to ensure that, upon learning of a confirmed negative testing or audit result pertaining to its sanctions compliance program, it will take immediate and effective action to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.

Finally, with respect to Training, SCB has to ensure that its OFAC-related training program provides adequate information and instruction to employees and, as appropriate, stakeholders (for example, clients, suppliers, business partners, and counterparties) in order to support SCB’s sanctions compliance efforts.  SCB’s training program has to provide OFAC-related training with a scope that is appropriate for the products and services it offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.  SCB has to conduct training for all relevant employees at least once a year.  SCBs training resources and materials have to be available to all personnel and easily accessible.  Upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its sanctions compliance program, SCB has to take immediate and effective action to provide training to relevant personnel.

The post OFAC Sanctions Compliance Insights from Standard Chartered Bank Enforcement Action (Part III of III) appeared first on Corruption, Crime & Compliance.

2019 Compliance Institute Guest Blogs: The Art of Collaboration

The Compliance & Ethics Blog -

By Chris Kuhlmann, MBA, CHC, CHPC Compliance Officer & Privacy Officer Spectrum Health Lakeland Early in my compliance career, my CEO challenged me to be collaborative and welcoming as I built our compliance program.  He was concerned that traditional views of compliance programs were more about “gotcha” and less about solving problems and providing actual […]

Are You a Board-Ready Executive? Take These 10 Steps First

Corporate Compliance Insights -

Executive coach and strategic advisor Amii Barnard-Bahn provides guidance on how executives can prepare for a board appointment: Start by following the 10 steps outlined here. The post Are You a Board-Ready Executive? Take These 10 Steps First appeared first on Corporate Compliance Insights.

(This is only a summary. Click on the headline to view the entire article at Corporate Compliance Insights and participate in the discussion.)

67% of Hotel Websites Expose Guest Data, Study Finds

Risk Management Monitor -

According to new research from cybersecurity company Symantec, 67% of hotel websites are leaking customer reservation details and other personal information. Candid Wueest, the company’s principal threat researcher, tested more than 1,500 hotels in 54 countries, including low-cost to high-cost hotels, as well as both chain and independent hotels.

When a customer uses a hotel’s website to book a room, the site usually creates and sends them a link so that the customer can directly access  and manage their reservation. According to Symantec, part of the problem is that third-party advertisers on hotels’ booking websites and web analytics companies (which track web traffic) can access customers’ bookings because they also get those links. This means that advertisers and analytic companies – including any potential malicious actors among their employees – could access and steal the information that the customer entered when booking a room, and even change or cancel the reservation.

Symantec also found that more than a quarter of the hotel websites examined do not send secure, encrypted links in their confirmation emails. Encrypted links prevent anyone trying to hijack a customer’s data from being able to see that data. If a customer received a confirmation email while using an unprotected WiFi (a public network in a café or an airport, for example), a cybercriminal could intercept that customer’s emails and use the unencrypted hotel booking link to access the customer’s booking. Some of these automatically generated links also contain details like customers’ email addresses in the web address, which makes accessing their information even easier for cybercriminals.

Additionally, many hotel websites are vulnerable to a type of cyberattack called “brute forcing,” where an attacker can use the customer’s email address and guess their booking number to gain access to the reservation and personal information. In some cases, Symantec found that hotel websites did not even require an email address to access customers’ reservation information via brute forcing. Though this method would not be useful to gain access to large amounts of customer data, attackers could use it to target individuals, like a specific CEO or conference attendee.

Wueest noted that hotels have thus far been slow to respond to these data exposure risks, and some have not responded at all. When he alerted the hotels’ data privacy officers to the problems in their sites, 75% responded, and those who did took an average of 10 days. Hotels and their information security staff should promptly assess their booking processes to ensure they are minimizing the risk of potential data leaks and breaches. By leaving these gaps in their websites’ security, they are endangering their customers and opening themselves up to risk, including potential liabilities and reputational damage.

Symantec recommends that hotels use encrypted links, and ensure that the automatic links generated do not include information like customers’ email addresses. It also recommends that customers use Virtual Private Networks (VPNs, services that protects users’ internet traffic) when booking or accessing their reservations using public WiFi to prevent any cyberattacker from intercepting any information that would provide a way in.

The report should also serve as a reminder that corporate employees’ personal devices and personal information are popular targets for cybercriminals and can be especially vulnerable to risks while traveling. Any time an employee exposes their devices to unprotected networks or, in this case, insufficiently protected websites, it leaves both the employee and their employer at risk. Even if an employee is using their own device to conduct business, it still endangers their employer because it may expose valuable business information. Cybercriminals have particularly used the hospitality industry as a hunting ground for such attacks, for example, targeting individuals using hotel WiFi, tricking them into downloading malicious software and stealing their information or spying on their internet activity.

Management can own honesty or deceit. So pick one

The FCPA Blog -

At Fresenius Medical Care, according to a recent post on the FCPA Blog, management owned the graft and senior executives directed the bribery and the global cover up. The failures were both wide and deep, where “legal, compliance, and internal audit functions failed to detect and prevent the bribery,” the company said in an SEC filing.

5 Lessons in Data Governance from Game of Thrones

Corporate Compliance Insights -

What can this epic teach us about success and failure in a data governance strategy? Turns out, quite a lot. Adlib Software’s Fahad Muhammad outlines five principles from Game of Thrones that can inform your approach. The post 5 Lessons in Data Governance from Game of Thrones appeared first on Corporate Compliance Insights.

(This is only a summary. Click on the headline to view the entire article at Corporate Compliance Insights and participate in the discussion.)

How to Bolster Your Hiring Practices as More Pay Equity Laws Come Online

Corporate Compliance Insights -

States and local communities are passing pay equity laws that ban questions about a candidate’s salary history. Is your organization in compliance? The post How to Bolster Your Hiring Practices as More Pay Equity Laws Come Online appeared first on Corporate Compliance Insights.

(This is only a summary. Click on the headline to view the entire article at Corporate Compliance Insights and participate in the discussion.)

Has the Belt and Road Initiative Become a Political Liability for China?

BRINK News -

Given the international community’s ambivalent attitude toward the so-called Belt and Road Initiative, the world will be closely watching the second BRI Forum, which is due to be held April 26-27 in Beijing. Two years after the first BRI summit, which was greeted with enthusiasm by the developing world, things have changed rather quickly.

Since President Xi Jingping announced the Belt and Road Initiative in late 2013, shortly after his arrival to power, China has invested some $300 billion in it, mainly in connectivity among neighboring countries. While the project is only five years old, President Xi Jingping’s grand plan for China’s global expansion has elicited strong reactions from the rest of the world, both from countries that will benefit from the BRI as well as other major players, such as the United States and the European Union.

A Tool of Soft Power

Over the five years since its announcement, the BRI has evolved in terms of its objectives: from its initial economic focus related to trade connectivity—and a way for China to export its excess capacity—to much more of a soft-power tool. A large number of the BRI’s infrastructure projects now appear to be strategic rather than economic in nature.

This change in tone is driving the increasingly negative view of BRI in the West with the EU expressing concerns about China’s strategic ambition at the annual EU-China summit earlier this month. Nonetheless, this has not stopped Italy from becoming the first G7 country to formally join the BRI. There has also been backlash in the developing world where recipients of BRI’s infrastructure projects are having to borrow aggressively to be able to finance them.

Worsening Sentiments

A recent analysis that we conducted confirmed that sentiment toward the Belt and Road has indeed worsened in many countries. Our report, which drew data from the Global Database of Events, Language, Tone (GDELT) that covers broadcast, online and printed news from 132 countries in over 100 languages, shows a sharp move away from an averagely positive image before 2018 to a negative one thereafter. The only exceptions are the Middle East and North Africa. The worsening image of BRI is a wake-up call for China as it seeks to increase its soft power globally.

Sentiment towards BRIToo Many Objectives

Our analysis offers some insights into the reasons for the worsening image of BRI. The first and foremost is trade. Countries appear increasingly wary of excessive dependence on Chinese imports and an imbalanced trade pattern. In addition, the difficult debt dynamics in recipient countries are an issue.

More generally, China may have been piling up too many objectives under the guise of the BRI, some of which could be inconsistent with one another as it tries to replicate its internal way of doing business in overseas markets: using China’s resources and materials with a clear flavor of state capitalism.

While keeping state-owned companies busy with BRI projects may be appealing from an economic perspective, it only exacerbates foreign concerns, weakening China’s international image. Most of the recipient countries welcome infrastructure financing from China, but also expect transparency and fair competition. The latter is at odds with China’s existing strategy.

The fact that the BRI’s image is suffering is also demonstrated by the announcement of alternative proposals from both the U.S., through its Indo-Pacific strategy with Australia, India and Japan, and the EU with its EU-Asia connectivity plan. Some argue that the BRI may have been the tipping point for the U.S. administration to move from engagement to containing China, which has contributed to the current trade war between the two.

Learning How To Handle Soft Power

While painful, this is not a complete negative for China, as it is clearly learning how difficult it is to acquire soft power, no matter a country’s economic size. In fact, such a backlash offers China an opportunity to explore a more sustainable strategy. China is realizing that a confrontation with the U.S. may not be a winning strategy, no matter the economic benefits.

Given the diminishing returns on investment at home, China needs to expand in overseas markets, but it should not do so by excluding other investors from benefiting from such projects. Against this backdrop, the next path for China’s Belt and Road needs to be a more flexible and open route to building its soft-power image.

The worsening image of the Belt and Road is definitely a wake-up call for China in its pursuit of increasing its soft power globally.

A More Flexible Approach

To that end, China has recently made a number of strategic changes regarding the BRI, which have largely remained unnoticed, given the lower-key approach.

First, China has sharply increased the number of countries signing MOUs from the original 63 to 150. The key is to make the Belt and Road less targeted, so as to limit the West’s geopolitical concerns about this project.

Secondly, China is trying to use a more multilateral framework to push the BRI, and especially the Asian Infrastructure Investment Bank. Such a multilateral framework retains Chinese characteristics, thereby allowing China to keep the ultimate control of key projects, but it also offers room for other developed countries to get involved, especially Europe and South Korea.

China may be willing to make some compromises in the way it shares the benefits of the BRI, but multilateralizing the strategy does not equate to a full retreat to the Western model.

Standard Chartered Bank’s Continuing Culture Challenges and Sanctions Compliance (Part II of III)

Corruption, Crime & Compliance Blog -

Standard Chartered Bank certainly has its troubles.  You know a company is in trouble, however, when it breathes a sigh of relief after paying nearly $1.1 billion in fines and penalties and compares itself to BNP Paribas, the global French bank, which paid over $8 billion for pervasive US sanctions violations. 

The Justice Department and OFAC have had a target-rich environment when reviewing global bank compliance with US sanctions.  It is an important enforcement priority because global banks cannot engage in US dollar transactions without compliance with US sanctions – it is as simple as that.

According to the Factual Statement (here), the Justice Department confronted SCB officials with evidence of the criminal conduct and SCB provided substantial cooperation in the government’s investigation by providing significant evidence of criminal wrongdoing by SCB employees and customers involved in the scheme.  In addition, since mid-2013, SCB has engaged in significant remediation of its US economic sanctions compliance program.

SCB’s continuing violations of the Iran Sanctions program was the result of a conspiracy conducted by two employees and a significant Iranian client at SCB’s Dubai branch during the years 2007 to 2011.  In August 2007, SCB enacted a policy to suspend Iran business.  Certain customers in SCB’s Dubai office sought to continue US dollar transactions with Iranian entities using deceptive means.

The two former SCB employees (Persons A and B) appear to be cooperating with the criminal investigation and will testify against the Iranian national, Mahmoud Reza Elyassi. 

Persons A and B helped Elyassi open commercial accounts in SCB’s Dubai office knowing that the accounts were fronts for Elyassi’s business operations in Iran.  Persons A and B helped Elyassi and other persons conduct transactions involving US dollars to benefit Elyassi and his Iranian businesses. 

Persons A and B also advised Elyassi on ways to structure financial transactions to avoid detection of any connection to Iran.  Persons A and B also provided false information in order to disguise the Iran connections of Elyassi and his companies.  In several instances other financial institutions rejected payment requests from SCB on behalf of Elyassi’s companies, Persons A and B provided false information to conceal Iranian connections to try and resolve compliance concerns.

Over half of the US dollar transactions occurred because of deficiencies in SCB’s compliance program that allowed customers to order US dollar transactions via fax and online payment instructions submitted from sanctions countries, including Iran, without confirming the location of the customer requesting the transaction.  SCB compliance employees in the UAE were aware of these risks and did not take adequate steps to identify the location of the customers. 

In the case of Elyassi, Persons A and B knew that Elyassi resided in Iran and operated business accounts at SCB’s Dubai branch.  Elyassi was listed in SCB bank records with both UAE and Iranian contact information, including a fax and phone numbers beginning with the +98 country code prefix assigned to Iran.  SCB also maintained records of Elyassi’s Iranian passport.  In a recorded phone call, Elyassi told Person B that he was in Iran and invited Person B to visit him in Iran.

Between 2008 and 2010, SCB stopped multiple payments for one of  Elyassi’s companies based on Iran-related references in the payment instructions, includi8ng the names of various cities in Iran, as well as references related to Iran shipping lines.  In June 2009 and September 2009, SCB blocked two outgoing payments from an ELyassi company to Iran banks.  In August 2010 and again in January 2011, SCB was aware that outgoing payments from one of Elyassi’s companies were rejected by other financial institutions due to Iranian connections.

Person A and B also provided false and misleading information to SCB compliance in order to disguise Elyassi’s Iran connections.  For example, Person A told SCB compliance that Elyassi did not have any branch operations outside of Dubai.

In December 2010, SCB decided to terminate its banking relationship with one of Elyassi’s companies based in part on the number of payment requests stopped by SCB and other correspondent banks because of Iran sanctions concerns.  Persons A and B helped Elyassi to create a new company account for a second Elyassi company to resume the transactions.  Elyassi named a non-Iranian person as the nominee of the new company and Persons A and B knew that Elyassi continued to control the operation of the new company.  Elyassi was authorized to sign for the new account and much of the contact information was the same as the prior, closed account.

Persons A and B instructed Elyassi on how to structure transactions going forward to avoid suspicion by SCB and other banks.  For example, in a recorded telephone call, Person A told Elyassi not to send payments to Iranian individuals directly from the new company account but to have the nominee transfer the funds from the company’s SCB commercial account to the nominee’s personal account at SCB Dubai and then send payments to the Iran individuals to avoid having the company account monitored and possibly closed.  Eventually, SCB Dubai closed this second company account in September 2011.

Persons A and B assisted other Iranian nationals with accounts at SCB Dubai to circumvent Iran sanctions to complete US Dollar transactions.

By December 2009, SCB officials knew that SCB Dubai’s SME business posed a high risk of Iran sanctions violations because of: (1) the close proximity of Dubai to Iran; (2) the large number of Iran nationals operating SMEs in Dubai; and (3) corporate clients associated with Iran nationals.  Additionally, senior SCB officials were aware of the risk that UAE-based general trading companies could be subsidiaries or branches of parent companies in Iran. 

In May 2011, high-level SCB compliance employees had compiled a list of GTC customers of SCB Dubai whose transactions were being declined based on potential Iran Sanctions violations.  SCB compliance professionals were not able to block a large number of suspect transactions.

SCB’s compliance program was not equipped to mitigate the significant risks of Iran-related transactions in SCB’s Dubai office.  It was insufficiently staffed and inadequately resources.  Although SCB was aware of the high-risk nature of many of its SCB Dubai customers, SCB failed to allocate sufficient employees to review customer due diligence and KYC documents.

The post Standard Chartered Bank’s Continuing Culture Challenges and Sanctions Compliance (Part II of III) appeared first on Corruption, Crime & Compliance.

Susan Roberts and Nadege Rochel on Creating Compliance Addicts [Podcast]

The Compliance & Ethics Blog -

By Adam Turteltaub adam.turteltaub@corporatecompliance.org One of the most provocatively titled sessions at the 2019 SCCE European Compliance and Ethics Institute was “Becoming ‘Invited In’:  Creating Compliance ‘Addicts’ Globally.” Aversion, not addiction, is more typically associated with compliance, unfortunately, and it made me want to learn more.  So, I asked the two co-presenters to sit down […]

Kellogg 2019 Proxy Vote Recommendations

Corporate Governance -

Kellogg 2019 annual meeting is April 26th. Stock price fared poorly for the last five years, so the CEO should not be paid as if he had average performance. Vote AGAINST pay. The Compensation Committee should not be reelected, since they recommended average pay for below average performance. Vote AGAINST Laschinger and Tasted. Vote AGAINST […]

The post Kellogg 2019 Proxy Vote Recommendations appeared first on Corporate Governance.

The European Union approves whistleblower protection rules, 591 to 29

Whistleblower Protection Blog -

The European Union approved EU whistleblower protection rules Tuesday.

Virginie Rozière / Wikimedia Commons

“This is a good step toward protecting whistleblowers and toward protecting European democracy,” Virginie Rozière, a member the European Parliament (MEP) said in French at a press conference following the decision.

The new law, approved by the European Parliament on Tuesday, shields whistleblowers from retaliation. It also creates “safe channels” to allow them to report breaches of EU law. It is the first time whistleblowers have been given EU-wide protection.

The rules have previously been in the hands of member states, resulting in a range of vastly different approaches.The law was approved by 591 votes, with 29 votes against and 33 abstentions.

Moments after the vote, Virginie Roziere, the French centre-left MEP who steered the file through the parliament, in a tweet claimed victory for European democracy.

“There were a lot of links in the chain for this to be passed,” she said at a press conference in Strasbourg, noting that the negotiations had taken some 13 months.

From Open Society Foundations:

Of course, the directive is not perfect. But once it is implemented, it will introduce sanctions for people attempting to retaliate against whistleblowers, and it will exempt whistleblowers from civil or criminal liability relating to the disclosure of information which is in the public interest. 

Four years after an EU commission staffer said that there was neither the legal basis nor the political will to institute an EU-wide directive on whistleblower protection, coordinated action from civil society and a groundswell of support from European citizens had led to just that. Their perseverance not only demonstrates the value and importance of civil society; it should be an inspiration to those fighting hard for the rights of whistleblowers, as well as to all those who believe that the European Union can be an agent of positive change.

Under the proposed rule, whistleblowers would be permitted to report wrongdoing to outside authorities before reporting to their company or agency internal review program. Earlier versions required internal reporting first, which the NWC believes would interfere with the right of employees to confidentially report suspected crimes.

The ability to report to outside authorities was a contentious issue during the March debate over the directive. Several member countries, led by Germany and France, wanted to require employees to report potential crimes and fraud internally before going to regulators and law enforcement. In addition to the NWC, other transparency and anti-corruption groups argued that that the approach would have made it more difficult for individuals to come forward with information about wrongdoing.

In a letter to National Whistleblower Center chair Stephen M. Kohn, Georgia Georgiadou, deputy head of the EU’s Fundamental Rights Policy program,  wrote that the rules will strengthen enforcement of EU laws and policies regulating a range of areas including food and product safety, environmental protection and corporate taxation.

Moreover … EU Member States are encouraged, when transposing the Directive, to extend the application of its rules also to other areas, so as to establish comprehensive and consistent frameworks for whistleblower protection.

The Commission believes that, once transposed, the Directive will make a real difference in the workplace culture, both in the public and the private sector, throughout the EU. More generally, it will contribute to promoting transparency, good governance, accountability and freedom of expression, which are values and rights on which the EU is based.

La conférence de presse sur la protection des #LanceursDAlerte débute, à suivre en direct : https://t.co/BTscnZJKp9 pic.twitter.com/u9Bh3fOMV7

— Virginie Rozière (@VRoziere) April 16, 2019

Teaching Compliance Part I of III

Program on Compliance and Enforcement, New York University School of Law -

by Veronica Root Martinez 

This is the first in what is a three-part series of blog posts describing my experience teaching compliance at Notre Dame Law School.

I first began teaching a compliance course in the fall of 2015.  At the time, there were not many compliance courses being taught within law schools, and I was aware of only one casebook on the subject.  I began, as many professors do, by gathering syllabi from individuals currently teaching the topic.  Most of the syllabi I was able to obtain were of courses taught by practitioners that included significant skills-based components, which, although valuable, was not where I wanted to focus.

Instead, I decided to tackle teaching the course in a manner that I hoped would allow students to think through the different roles they might play within compliance efforts, followed by a few classes dedicated to specific compliance areas in an attempt to allow students to better understand how their role might look in practice.  To do so, I draw on enforcement, compliance, behavioural ethics, and professional responsibility materials.  Each class session has one dedicated case study to help students understand the concept being presented.

In Corporate Compliance & Ethics, I begin the first module of the course by providing students a foundation in what compliance is and where it comes from.  At the same time, I introduce them to (i) behavioural ethics literature and (ii) the way the Rules of Professional Conduct do and do not apply to a practice focused in compliance.  I then turn to the importance of self-policing and internal enforcement within firms using Enron as the case study. 

In the second module, I focus on different compliance actors.  This is the meat of the course.  It allows students to understand the different ways they might interact with or participate in compliance efforts.  We begin by studying the role of regulators, prosecutors, and courts.  We then spend a class session on each of the following: gatekeepers, whistleblowers, investigators, remediators (e.g., monitors), and private enforcers.  In this part of the course, we have covered case studies that include Wells Fargo, Deflategate, the General Motors ignition switch scandal, and Penn State.  This method of teaching, which is admittedly more akin to many business school courses, allows students to apply the underlying concepts to real world examples.  In particular, it allows them to think through what they, as lawyers, would be responsible for in each situation. 

In the third module of the course, we have traditionally focused on the FCPA, antitrust, the False Claims Act, and Title IX.  In this module I try to provide them with a variety of enforcement and regulatory sources of “law,” so they get a sense of the grey areas (e.g., Dear Colleague Letters) from which compliance requirements emerge.  Additionally, they are able to take the concepts from the first two modules and then apply them to these specific compliance areas that can have quite different risk and monitoring challenges.  I have, of course, picked rather extreme examples as case studies (e.g., Siemens; Baylor), but they present students with the stark realities of what can happen when compliance programs fail and allow them to think through how they might have avoided or prevented similar compliance failures from occurring.

In the fourth module of the course, the one that has changed the most over the years, I attempt to merge theory and practice.  Most recently, we have focused on conflicts of interest and sanctions for compliance officers, but in the past I have covered the rise of global compliance programs and assigned actual compliance policies and documents.

This course has been successful and rewarding.  Students like it.  I feel as if they learn information they might not have otherwise been exposed to in law school.  And I’ve even had some students follow-up with me after the fact to express how the course helped them in various summer employment opportunities. 

Veronica Root Martinez is an Associate Professor of Law at Notre Dame Law School.  Her scholarship is available here.


The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.

Man Accused of Throwing 5-Year-Old from Mall Balcony Charged with Attempted Murder

Loss Prevention Media -

A Minnesota man accused of throwing a 5-year-old boy off a third-floor balcony at the Mall of America last week told police that he was “looking for someone to kill,” prosecutors alleged in a criminal complaint filed Monday. Emmanuel Aranda, 24, was charged Monday with first-degree attempted premeditated murder in the Friday morning incident. The […]

Pair Nabbed after LPA Stabbed during Shoplifting

Loss Prevention Media -

Durham Police in North Carolina say they have arrested and charged two women who allegedly stabbed a security worker while they were shoplifting from a Durham mall in March. Police say the stabbing and shoplifting happened at The Streets at Southpoint Mall at 4:30 p.m. on March 31. “A loss prevention officer sustained serious injuries […]


Subscribe to Hong Kong Loss Prevention Association 香港防損協會 aggregator

HKLPA (@the_hklpa) Tweets

RT @ComplianceXprts: #Drones reduce costs, increase responsiveness and reduce risks for workers providing reconnaissance work in respons… https://t.co/CFXaa4Wj7p 4 months 3 weeks ago
RT @LPmag: Making the Most of Loss Prevention Resources https://t.co/tACG4KvYvR https://t.co/KtpZfCQEgg 6 months 1 week ago
RT @leadingincontxt: #Ethical #leaders seek mutual good. https://t.co/Rz0gB8LPrm #csr #leadership #culture 6 months 1 week ago
RT @IBEUK: * New IBE Blog * IBE's researcher, Linn Byberg, asks how you interview for #ethics. It's not just a question of et… https://t.co/JBTK5D6OqI 6 months 1 week ago
RT @LPmag: The future of facial recognition technology will see increased demand and a growing market. https://t.co/aNwTugHDP0 https://t.co/ww340qjL5X 6 months 1 week ago
https://t.co/RetIuNgM90 9 months 21 hours ago
RT @leadingincontxt: How do we help young people become #ethical #leaders? https://t.co/5kSl0nJpfT #culture 10 months 1 week ago
RT @SecurityInsured: The latest Security Insured News! https://t.co/Q5ptMLOY71 #cybersecurity #edmonton 10 months 1 week ago
RT @IBEUK: Let #GDPR test your ethical temperature. Communicate the importance of the ethical usage of personal data, the atti… https://t.co/at80gWDWiD 10 months 1 week ago
RT @RSAFraud: This is what happens when fraudsters move from the Dark Web to social media. https://t.co/AS729FbPSz https://t.co/bdF6TELgYU 10 months 1 week ago