Enforcement Goes Into Hyperdrive: In today’s stormy risk environment, a strong culture is the safest harbor


In their new book, “The New Era of Regulatory Enforcement: A Comprehensive Guide for Raising the Bar to Manage Risk,” KPMG’s Richard H. Girgenti and Timothy P. Hedley paint a harrowing picture of the unprecedented risks facing companies today. Below, they discuss the enforcement landscape and their prescription for navigating it. Their remarks have been edited for length and style.

MCC: Since your first book, “Managing the Risk of Fraud and Misconduct,” came out five years ago, you say we’ve witnessed a seismic shift in enforcement, resulting in unprecedented risk for companies. What’s happened that warrants such strong words?

Girgenti: We completed our first book around 2010. The U.S. Congress had just passed, and the president had signed, two pieces of historic legislation: the Patient Protection and Affordable Care Act (PPACA) and the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank). PPACA provided new tools and resources to fight government fraud, waste and abuse in the healthcare industry and made it easier for citizens to bring false claims actions against healthcare providers. Dodd-Frank, the most sweeping financial regulatory reform since the Great Depression, greatly increased the enforcement powers of the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC). It also created a whole new enforcement agency, the Consumer Financial Protection Bureau, as a watchdog to write rules for consumer protection that governed all companies offering consumer financial services or products.

When these were first introduced, we were just finishing our book and didn’t have a chance to assess their impact on the enforcement landscape. During the same period of time, we’ve seen the bar go up in terms of fines and penalties. Whereas 10 years ago, $10 million, $20 million, $100 million or $200 million would’ve been considered extraordinarily large, we’ve since seen a number of major financial institutions paying fines as high as $17 billion for some of the mortgage activities traced back to the early days of the financial crisis. We’ve also seen multibillion dollar fines for U.S. sanctions violations, aiding tax fraud, money laundering and manipulation of interest rates in the Libor scandal. In two heavily regulated sectors, life sciences and energy, we saw a large penalty for unlawful promotion of drugs and failure to report safety data, and almost $19 billion to settle all federal and state claims over a massive oil spill.

Hedley: In addition to the enormous enforcement implications of these major pieces of legislation, it’s interesting to consider what companies are being asked to do in light of all these things. Fundamentally, it comes down to ensuring that organizations have done their best to guide the behaviors of the organization, its employees and its agents. In just the last few months, there have been some very interesting developments. For example, the Department of Justice (DOJ), through the Yates memo, seeks accountability from individuals who promote wrongdoing. DOJ has also hired a full-time compliance expert to advise on matters relevant to the prosecution of business entities, including the existence and effectiveness of compliance programs, and it has a new Foreign Corrupt Practices Act (FCPA) enforcement pilot program to promote greater accountability for individuals and companies that engage in corporate crime.

MCC: You describe your first book as a broad-based primer on managing fraud and misconduct risks. What’s the focus of your new book?

Girgenti: It focuses more on the specific areas that have generated a great deal of enforcement activity. We didn’t try to chronicle all conceivable risks that resulted from new regulations and intensified enforcement from legislation prior to the last book. We saw a rise in anti-bribery and corruption investigations and prosecutions. At the same time, we saw an increased focus and enforcement activity in the areas of economic and trade sanctions, anti-money laundering, and offshore tax evasion, as well as increased enforcement in the healthcare and life sciences industries. We tried to focus on those. We wanted to help readers understand the public policies driving this increased enforcement activity, some of the government’s expectations for organizational compliance and integrity, the tools and techniques that were being deployed by the government to identify, investigate and ensure organizational compliance, and then help the reader understand the steps that prudent organizations must take to prevent, detect and, as necessary, respond to regulatory enforcement risk.

Hedley: Growing out of that focus, we have developed a fundamental framework that organizations can follow to put appropriate and effective compliance programs and policies in place to manage risk effectively and to foster and support a culture of compliance.

MCC: What areas of risk do you think threaten the broadest range of companies?

Girgenti: Let me start off from the perspective of companies doing business globally. The risk of bribery and corruption is the single biggest enforcement issue that they face. In 2015, we saw slight declines in the U.S. in enforcement metrics. The total number of FCPA enforcement actions brought by the U.S. declined slightly. We also saw a decline in corporate fines. However, it has been reported that there were 126 pending investigations as of December 31, 2015, which seems to be very high. In March of last year, the FBI, in conjunction with the DOJ, established three dedicated international corruption squads, which increased the number of agents assigned to foreign bribery investigations from 10 to 30. In November, the DOJ announced plans to double the size of its FCPA unit by adding 10 more prosecutors. Additionally, the DOJ hired a new compliance counsel to advise on matters relevant to the prosecution of business entities and the effectiveness of compliance programs and, as Tim mentioned earlier, the fraud section is conducting an FCPA enforcement pilot program. On the global level, we’re seeing more countries engaged in anti-corruption activity and greater cooperation among the various authorities. We’ve seen heavy anti-bribery and corruption enforcement activity in Brazil and China, and Mexico and South Korea have adopted new anti-corruption laws and regulations. Add it all up and we see no letup in sight.

Hedley: I want to add one more risk area that is common across all listed companies: fraudulent financial reporting. We believe the SEC will pursue more accounting-related enforcement actions. The trends indicate it, and the SEC is devoting more resources to the effort, including the creation of a fraud reporting and audit task force.

MCC: Why do you single out two industries, healthcare and life sciences? What special challenges do organizations in these sectors face?

Girgenti: In addition to covering risks that primarily impact the financial services sector, such as money laundering and offshore tax evasion, we wanted to examine risks in other heavily regulated sectors. In the healthcare area, the PPACA certainly had a significant impact on the industry, including raising the level of regulatory scrutiny on healthcare providers. With the cost of healthcare escalating and the government one of the biggest spenders, there is heightened enforcement scrutiny on expenditures. We’ve seen more settlements with extensive monitoring requirements, and it’s easier for private citizens to be whistleblowers under the False Claims Act, which allows citizens with knowledge of fraud to bring lawsuits in the name of the government and be eligible for up to 30 percent of the amounts recovered. As a result, in 2015 the government recovered $3.5 billion of reimbursable expenses – the fourth consecutive year the number hit or exceeded that level.

The life sciences industry has also come under intense government scrutiny for the misuse of taxpayer dollars, particularly in the pricing of products subject to government reimbursement. Other public policy interests, such as the health and safety of patients and transparency and accountability for drugs and medical devices sold to the public, have been drivers of enforcement efforts, spawning settlement agreements with the government that have fundamentally reshaped business practices and compliance programs in the industry, including unprecedented restrictions on the promotional activities of drug companies.

MCC: You talk about the new tools that government enforcers have at their disposal. How has the state of enforcement changed, and what tools are proving to be especially effective?

Girgenti: I’ve already alluded to the whistleblower laws. They provide strong incentives to encourage people to report potential violations of federal securities laws or the Commodity Exchange Act. Since the whistleblower program came into effect in August 2011, the SEC has received over 14,000 tips, and this past year, eight whistleblowers received more than $37 million. It’s become a game changer.

We’ve also seen the use of data analytics and market surveillance. In the same way that the private sector has learned to harness big data to develop business insights and manage risks, so has the government used the same tools and techniques to assist in its identification of potential wrongdoing. An agency such as the SEC is using very sophisticated techniques to investigate such activities as market manipulation and insider trading. The SEC’s Division of Economic and Risk Analysis developed a computer model to analyze companies’ financial data and uncover indicators of financial reporting abuses. The CFTC also performs broad types of surveillance. Other agencies are right behind them.

There has also been an increase in the use of civil fraud complaints in administrative courts. The SEC has used administrative proceedings to bring many actions that, in the past, might have been brought in federal court. Similarly, the DOJ has relied upon civil fraud proceedings where it once might have considered a criminal action, which creates an advantage for the government because civil fraud cases require a lower burden of proof. And there’s been a heightened focus on the prosecution of individuals and gatekeepers. The SEC has talked about going after compliance officers, general counsel and auditors to examine whether they lived up to their responsibilities.

Hedley: The increased importance of effective compliance programs, including investigative cooperation, seems to be moving to the forefront. Government enforcement agencies now make it a practice to evaluate not only the existence but the effectiveness of an organization’s compliance program. The government will pay particular attention to whether or not there is a strong organizational culture of integrity and whether or not internal controls were properly designed and implemented to ensure that the risk of misconduct in the organization has been addressed.

The challenge for many organizations is there’s not a universally accepted definition of an effective compliance program. We believe that our new book will help organizations think about what it means to have an effective compliance program.

MCC: In the book, you lay out a compliance framework for managing the heightened risks arising from the new enforcement environment. What are the key elements of your “common fundamental framework”?

Hedley: It is our belief that organizations must design, implement and evaluate policies, programs and controls to prevent, detect and respond to integrity risks. For example, some of the prevention controls would include codes of conduct, which are key to a high-quality compliance program. Also important is the notion of due diligence for both your employees and your agents. For detection, some of these controls would include misconduct reporting mechanisms, such as hotlines. Auditing and monitoring compliance program effectiveness is increasingly important. For response, these would include investigative protocols, reporting and disclosure protocols, and remediation protocols. All of this is supported by what is known as the three lines of defense: management, which is responsible for control ownership; the compliance function, which supports management in that effort; and internal audit, which provides a level of assurance that your program is indeed operating as designed.

MCC: What is the most important thing for companies to do in this new
enforcement environment?

Girgenti: If you are going to do one thing, you should work very hard to create and foster a culture of integrity and ethics within your organization. That is the trump card for effective compliance. Organizations that have the right culture are going to be able to deal with the inevitable problems more quickly. If you have the right culture, your organization is going to have a sense of purpose behind it that will make it a stronger and better organization.

Hedley: I completely agree. The right organizational culture will help ensure that your employees and agents apply the appropriate ethical values for decision-making. It is hugely important to understand the points of decision at which integrity breakdowns occur.

MCC: Culture is a slippery concept. How do you measure effectiveness?

Girgenti: There are no clear metrics for organizational culture, but as more and more emphasis is placed on it, we’re seeing organizations get better at evaluating their own cultures. A lot of it is done through surveys and focus groups where you create benchmarks for things that are indices of a good corporate culture. One of the leading indicators is the willingness of individual employees to raise their hands, along with their level of comfort in speaking up. You can begin to test and measure for that, and it has a direct correlation to whether you have an organizational culture that is strong.

There is also the sense of organizational justice. Does the organization take it seriously enough? Are people, no matter where they are within the organization, appropriately disciplined if they engage in misconduct? Leadership, tone at the top, the openness of communication, the climate, clarity of expectations – these are the kinds of things that organizations are beginning to benchmark against other leading organizations and against results in prior years to see whether they’re making improvements.

Hedley: I’ll add one thing to that. A litmus test of a strong culture is the extent to which people understand their affirmative obligation to report wrongdoing and that they act on that obligation.

MCC: Other than federal regulatory enforcement agencies, are there other levels of government involved in the new enforcement landscape?

Girgenti: It seems like everybody is getting into the game. Perhaps the most significant players today are global regulators and enforcers. Some of the biggest matters recently have resulted from several countries not only cooperating with one another but bringing actions together. Nearly all of the significant anti-bribery and corruption actions that have been brought in the U.S. have an international component. The enforcement landscape is very crowded. We are also seeing state attorneys general, local district attorneys and state regulatory agencies playing a larger role in regulatory enforcement actions. It adds to the complexity of what it takes for a company to see its way through an enforcement action.

MCC: You call the 21st century a “new era of regulatory enforcement.” Looking ahead, what will the next era of regulatory enforcement look like?

Girgenti: I think we can say with a high degree of certainty that most of the events that occurred in the past – whether it was 9/11, the financial reporting crisis that followed 9/11, the financial recession in 2008 – were, for the most part, unforeseen. What companies have to do today is prepare for that which may not be foreseen, which means having all of the ingredients of effective compliance and a culture of integrity in place.

One of the things to really keep an eye on right now are the developments coming out of the Panama Papers. Every country has anti-bribery laws, and every country has anti- money laundering laws. Most countries have laws dealing with tax evasion. It seems that despite all of this, there may have been activity in offshore holdings involving politicians and public officials on a massive scale. Like some of the events in the past, organizations, banks in particular, are going to have to look at what they’ve been doing to see if they missed something. The regulators and the enforcement authorities are also going to be looking at their laws and regulations to determine whether there were loopholes. It wouldn’t surprise me, even though I’m not making a prediction here, to see more activity in this area.

Hedley: The closest I would get to a prediction is that staying ahead of organizational and individual compliance expectations is not going to get any easier.

Richard H. Girgenti

National and Americas leader for KPMG’s forensic advisory services, with more than 40 years of experience conducting investigations and providing compliance and fraud risk management advisory services.  He can be reached at rgirgenti@kpmg.com.

Timothy P. Hedley

KPMG’s global lead for fraud risk management services, with extensive experience helping companies prevent, detect and respond to fraud and misconduct allegations.  He can be reached at thedley@kpmg.com.