Originally published in NAVEX Global's Top 10 Risk & Compliance Trends for 2020 eBook.
The compliance officer woke up in a cold sweat. In his nightmare, once again the regulator had spoken. Only this time, it was a marauding horde of regulators spouting guidance, regulations and legislation. The acronyms came thick and fast – OFAC, ABAC, UKBA, FCPA, DOJ, SEC, MSA… As he tried to calm himself, he realized this wasn’t just a dream. It was real.
Welcome to 2020. There was a time when compliance officers clamored for more specific regulations and guidance. During the past several years, however, what used to be a dearth of specific enumerated expectations has become a sea of guidance that can be hard to track, much less interpret and implement into your program.
Recently, we’ve seen OFAC publish its Framework for OFAC Compliance Commitments, the DOJ’s new Evaluation of Antitrust Compliance Programs guidance, and regulations and amendments to the California Consumer Privacy Act. We’ve also seen numerous publications of guidance from the European Data Protection Board interpreting pieces of the General Data Protection Regulation, and of course, the DOJ’s Evaluation of Corporate Compliance Programs guidance. And this only scratches the surface.
With all of the major pronouncements in 2019 by U.S. authorities, 2020 may be a slow year for national guidance. Stateside, the CCPA isn’t finished yet, so expect more guidance on this law. Be aware of the potential for new laws that may come into force with the next national election in November. The 2018 national election brought in a slate of new laws relating to sexual harassment training and policies, and we may see that trend expand on a state-by-state basis by the end of 2020.
On the international front, prosecutions under the GDPR will likely produce significant guidance by the Article 29 Working Party, European Data Protection Board, and individual countries’ Data Protection Authorities. Guidance for newer anti-bribery laws like the Brazilian Clean Companies Act and France’s Sapin II may very likely come out in 2020. And the UK’s Ministry of Justice may issue additional guidance on the UK Bribery Act based on the recent deferred prosecution agreements (especially when it comes to what an adequate procedures defense looks like). Lastly, if Brexit is accomplished, expect tremendous amounts of guidance on how businesses are to deal with the new legal landscape between the EU and Britain.
What’s a compliance officer to do? Try out the following to find your sea legs.
Steps for Organizations to Take
Perform the Two-Step Application Review
The noise can make it difficult to figure out what actually needs your attention. There are two different analyses to complete to find out if the guidance really applies to you. First, determine what is in your remit. Compliance’s areas of expertise need to be enumerated specifically so you know what you need to track. If compliance’s remit is antitrust, bribery, data privacy, and trade sanctions, then it isn’t your responsibility to track what is happening with the UK Modern Slavery Act. Make sure you know what is in your remit so you can become an expert in those areas, while ignoring the rest.
The second analysis is which regulations and guidance apply to your company. Look carefully at the business. If privacy is in your remit, do you serve California residents and meet the other criteria such that you’re caught by the California Consumer Privacy Act (CCPA)? Is your business solely outside the U.S., so the DOJ’s guidance has little bearing on your day-to-day work? Prioritize the guidance that directly applies to the compliance department and to your company. Once you’ve done that…
Open Up Your Risk Assessment
Prosecutors have (slowly) recognized that boiling the ocean is not a realistic expectation for companies. The near-universal endorsement of using a risk-based approach should make the compliance world smile. The DOJ’s recent Evaluation of Corporate Compliance Programs was explicit about this point. It said that a risk-based approach to the program is expected, “even if [the program] fails to prevent an infraction in a low-risk area.”
One can’t apply a risk-based approach unless one has reviewed the risks. Assuming you have a written risk assessment, pull it out and review the various risks facing your company. Use the risk assessment to inform where you focus your energy. It can be overwhelming to look at all of the guidance at once. Instead of spending time glancing through every piece of advice, save yourself the stomachache by performing a deeper dive into one piece of guidance. Review your risks, compare them to the guidance, and create a plan to update your program appropriately.
Let Someone Else Do the Work for You
You don’t have to read every piece of legislation or guidance. Law firms and consultants are happy to do that for you, and to provide you with updates, checklists, and webinars highlighting the important elements of the new guidance or legislation. You may even be able to get a free session or continuing education course at your company if you ask nicely. Instead of putting the burden on yourself to learn everything new, use the synopses and tools provided by the legal and consulting world to help you discern what matters.
Find the Synergies
When it comes down to it, the world’s regulators have more or less agreed on what makes a good compliance program. Whether considering an adequate procedures defense under the UK Bribery Act, or the seven elements of an effective compliance program under the U.S. Federal Sentencing Guidelines, there are only so many variations of what is considered important. These common elements include a code of conduct, policies, procedures, training, risk assessment, monitoring and auditing, good governance, due diligence, investigations, whistleblowing, and promoting an ethical culture.
When looking at the guidance and regulations that apply to your program, look for synergies across the various guidance. For instance, completing a risk assessment is an expectation/requirement under the Federal Sentencing Guidelines, DOJ Antitrust Guidance, OFAC Guidance, ISO 19600 standard, and ISO 37001 standard. Training on critical policies for those affected by risk is required for every area of your program. This includes trade sanctions, import/export, bribery, anti-money laundering, privacy, competition/antitrust, etc. Looking at the guidance holistically can help in planning your next moves.
Find the Low-Hanging Fruit
Within every piece of guidance or new regulation, there is probably low-hanging fruit for your program. For instance, if CCPA applies, call your eLearning company and find out if they have a CCPA course that you can use instead of developing your own PowerPoint training. Review and update your current trade sanctions policy rather than build a new one for the OFAC guidance. Think about updating your current metrics to show effectiveness rather than researching all possible metrics you could implement to meet the DOJ’s program evaluation standards.
By using these strategies, you can face the onslaught of guidance with a plan. You can focus on what matters and drown out the white noise. And that will have you sleeping like a baby.