In 2011, Tim Hedley and I, with the help of many highly experienced forensic professionals at KPMG, completed a book titled Managing the Risk of Fraud and Misconduct: Meeting the Challenges of a Global, Regulated, and Digital Environment.1 The book was intended to serve as a practical primer on a variety of forms of corporate fraud and misconduct, providing a framework for an effective compliance program and a model for managing the risk of fraud and misconduct. It was written for a wide audience that included board members, C-level executives, managers, auditors, compliance professionals and others responsible for, and interested in, maintaining the integrity of an organization.
As we were completing the book, the U.S. Congress passed, and the president signed, two historic pieces of legislation, the Patient Protection and Affordable Care Act (PPACA, popularly known as Obamacare) and the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank). At the same time, a wave of reforms swept through a number of industries, especially financial services, marking the dawn of a new era of aggressive government enforcement. With the ink barely dry, the implications of these new laws and reforms were yet to be determined.
We noted at the time that much had happened in the first decade of the twenty-first century before these new laws and reforms were put in place. There was the passage, in 2001, of the USA Patriot Act, which, among other things, changed the way the government attempted to address terrorist financing and money laundering. The Sarbanes-Oxley Act of 2002 established necessary reforms in the wake of a financial reporting crisis. There was a renewed focus on global corruption, with the stronger enforcement of the U.S. Foreign Corrupt Practices Act (FCPA, passed in 1977) and the adoption of anti-bribery legislation around the world. Enhancements were made in 2004 and 2010 to the Federal Organizational Sentencing Guidelines. These placed the responsibility on corporate executives and boards to ensure that organizations have a culture of integrity and that compliance programs are designed and operated effectively.
Despite these measures, it quickly became apparent that the first decade of this century would not end with a dance to celebrate the success of corporate reform. As we noted in 2011, much of the progress that was made in the area of corporate governance and integrity was soon overshadowed by the worst economic downturn in 75 years. After the financial meltdown, fresh debates emerged over what had caused this crisis and how it had gone unnoticed or unmanaged, or perhaps both. This debate led to new legislation and more aggressive enforcement efforts, creating a new era of regulation and enforcement that goes far beyond the financial sector.
In the past few years, government enforcement has reached unprecedented levels. We have witnessed the demise of such storied institutions as Bear Stearns and Lehman Brothers, the takeover by the government of AIG, and record fines and penalties for nearly every major financial institution, from Citigroup, JPMorgan Chase, BNP Paribas, and HSBC, to pharmaceutical giants, such as Pfizer and GSK, and to global energy companies, such as BP, and many others. The list includes many of the most respected companies in the United States and abroad. Of the top 100 companies worldwide by revenue, 20 of them paid fines totaling $72 billion in the 45-month period ending September 2015.2
In this book we have, once again, called upon a number of experienced subject matter professionals at KPMG to help the reader understand the new regulatory and enforcement landscape and how it has evolved since the publication of Managing the Risk of Fraud and Misconduct. What we have witnessed since our last book is nothing less than a seismic shift in the role of enforcement, with more aggressive government enforcement efforts and tactics. At the same time, a wide range of local, state, federal, and global agencies have established enforcement jurisdiction, often bringing parallel proceedings on the same set of transactions and incidents, resulting in record fines and penalties.
Combined with the speed and volume of regulatory change over the past 15 years, there has been a proliferation of digital data, the evolution of new tools and techniques to manage and analyze data, reliance upon the Internet and social media to conduct business, and the availability of a range of new technologies. It therefore comes as little surprise that the risks now faced by organizations are unprecedented. The bar by which the integrity of an organization is judged has never been higher.
Our objective in the following pages is to help the reader deal with this heightened level of risk by answering some important questions:
To accomplish these objectives, we have not attempted to identify all conceivable risks that companies face, but rather, we have selected nine areas that, in our view, have dominated the enforcement landscape. Each of these nine risk areas is the subject of an individual chapter.
In Chapters 1 and 2, Tim Hedley and I attempt to develop a common understanding of the new regulatory enforcement landscape and a compliance framework for managing regulatory risk, resulting from the changed enforcement environment.
In Chapter 3 on bribery and corruption, Pam Parizek discusses the evolution of enforcement, both in the United States and globally, in the area of anti-bribery and corruption. Specifically, she analyzes the laws and approaches being taken in four jurisdictions, the United States, the United Kingdom, Brazil, and China. The aim is to identify a global approach to compliance that may be simpler and more effective than a country-by-country approach.
Chapter 4 is devoted to money laundering. Since the terrorist attacks of 9/11, the subject of terrorist financing has been shaped by the war on terror. Here, Terry Pesce and John Caruso discuss the continuing evolution of enforcement activity surrounding a company’s anti-money laundering (AML) program and the severity of regulatory responses when programmatic weaknesses are identified. Of particular note is the expansion of AML scrutiny beyond traditional financial institutions into new areas such as the alternative investment industry, investment advisors, money service businesses, cyber currency companies, innovative payment technologies, and retail companies offering financing. The chapter also discusses the four pillars of an effective AML compliance program.
Chapter 5 covers the subject of economic and trade sanctions, which is closely related to AML regulations. In light of events in North Korea, Iran, Cuba, the Ukraine, and Russia, there can be no question that the subject of economic and trade sanctions is an arm of foreign policy. In this chapter, Charlie Steele discusses sanctions implementation and enforcement in the United States by providing a history, as well as a forward-looking perspective, of sanctions in the United States. He then moves to a discussion of the unique efforts a company must make to prevent, detect, and effectively respond to violations.
In Chapter 6, the subject of market manipulation and insider trading is covered by Richard Bergin, Nathan Ploener, and Tim Hedley. This includes a broad discussion of the topics of market abuse that have dominated the headlines in the wake of the recent financial crisis. Perhaps no area has garnered more attention since the passage of Dodd-Frank than the government’s efforts to curb insider trading and the manipulation of markets, most notably in the vigorous prosecution of banks and individuals responsible for the fraudulent manipulation of LIBOR (London Interbank Offered Rate) and forex (foreign exchange).
The chapter discusses how these enforcement efforts may intensify as government agencies expand their investigations into other areas of commodity trading. The chapter also provides recommendations regarding the ways in which companies may develop an effective compliance program to prevent, detect, and respond to the risks of market abuse and insider trading.
Chapter 7 focuses on the topic of financial reporting fraud. More than a decade has passed since the financial reporting scandals of the early 2000s. While the instances of enforcement activity in the area of financial reporting fraud declined steadily since just prior to the financial crisis, the U.S. Securities and Exchange Commission (SEC) in 2014–15, in a number of pronouncements, has expressed its intention to refocus on this area. As a result, there were increases in 2014 in accounting- and disclosure-related enforcement actions for the first time since 2011. And there have been continuing increases in 2015. In this chapter, Howard Scheck and Tim Hedley take a fresh look at the issue of financial reporting fraud. Using a current perspective, they identify the ways in which companies may be at risk as a result of the new enforcement focus and how they can shape their compliance efforts to manage the risk.
The topic of consumer financial fraud is covered in Chapter 8. The financial crisis unearthed a large number of abusive and unethical business practices in the area of consumer financing, from fraud in the origination and servicing of mortgages to the issuing and financing of student loans. Many of these abusive practices are cited as factors contributing to the financial crisis. Dodd-Frank attempted, among other things, to address these abusive practices by creating a new agency, the Consumer Financial Protection Bureau (CFPB), and providing it with sweeping new enforcement powers. In this chapter, Amy Matsuo looks at the history of government activity in protecting consumers from unfair, deceptive, and abusive practices. She discusses the authority, implications, and activities of the CFPB since its inception in 2010, as well as the role of other government agencies. As with the earlier chapters, Chapter 8 covers in detail the sort of compliance activities that are required to manage the risk of consumer fraud.
Curbing offshore tax evasion has become a government priority over the past few years, and Chapter 9, authored by Laurence Birnbaum-Sarcy, is devoted to understanding the regulatory focus in this area. Tax evasion is not a new area of government enforcement. However, the vigor of recent enforcement activity with regard to offshore tax evasion has made it abundantly clear that this is a high priority for the government, with implications for individuals and financial institutions. The level of risk has grown exponentially with the passage in 2010 of the Foreign Account Tax Compliance Act (FATCA). This imposes a new tax reporting and withholding regime that ultimately affects bank secrecy laws in the United States and elsewhere. The chapter discusses the compliance challenges faced by financial institutions and offers a course of action that these institutions should take to mitigate the risk of offshore tax evasion.
In Chapters 10 and 11, we take a slightly different approach from the one adopted in Chapters 3 through 9. We examine two industries, healthcare and life sciences, and some of the most important risks that these heavily regulated sectors face from government enforcement activity. We discuss a variety of risks in these industries rather than looking at a specific risk area.
In Chapter 10, Glen Moyers explains that the PPACA raised the level of regulatory scrutiny in the healthcare industry, but that the attempt to curtail fraudulent payments in the industry is not a new phenomenon. This chapter focuses on the risks and challenges faced by healthcare providers as pressure increases to deliver higher-quality care at lower costs in a changing regulatory environment. The chapter then provides insights into how healthcare providers can prevent, detect, and respond to the risk of noncompliance in an environment of significant enforcement activity.
The life sciences industry has been the subject of much of the enforcement focus over the past few years. In Chapter 11, Mark Scallon, Regina Cavaliere, and Rick Zimmerer discuss the different practices in life sciences that have been the subject of enforcement activity. These enforcement actions and the subsequent settlement agreements have fundamentally reshaped the business practices and compliance programs in the industry. This chapter will discuss how the industry’s practices have been reshaped and the ways in which the industry is working to avoid these and other risks in the future.
The challenges facing companies today in the new era of regulatory enforcement have never been greater. While we do not have a crystal ball that will enable us to predict the next new crisis or event and what it will bring, we can say with a high degree of certainty that companies can be better prepared than they have been in the past. This book is intended for a range of people, from members of corporate boards and C-suite executives to others within an organization who are responsible for compliance and risk. It is also intended for those who are tasked with providing assurance on the effectiveness of a company’s internal controls, whether as part of the external or internal audit function. And, of course, it should provide a useful guide for others who may want to know more about the risks organizations face in this new era of regulatory enforcement. We hope that this book will improve our readers’ understanding of these risks and provide them with the insights and approaches necessary to respond to these risks. The simple imperative is that getting it right will not only preserve the hard-earned value of the company but also help improve its chances for sustainable business success, for the benefit of all of its stakeholders, whether they are employees, shareholders, customers, or the public at large.
Richard H. Girgenti