Timothy P. Hedley, Ph.D., KPMG’s Global Lead for Fraud Risk Management Services, and Richard Girgenti, KPMG LLP’s National and Americas leader for Forensic Advisory Services, have recently teamed up to author The New Era of Regulatory Enforcement: A Comprehensive Guide for Raising the Bar to Manage Risk [McGraw-Hill Education]. They supplied Big4.com with some of the background to this latest venture, including how geopolitical, technological, regulatory and other events have shaped this new era.
- What are some of the events and circumstances that have given birth to the new enforcement and regulation landscape?
Girgenti: Over the past decade and a half, we have experienced a relentless flow of extraordinary events that have directly shifted the regulatory and enforcement landscape—the war on terror in the wake of 9/11; the financial reporting crisis of the early 2000s; the changing dynamics of global economies; the financial recession of 2008; healthcare reform and associated costs; and the proliferation of digital data, social media, and cyber-attacks. Companies in today’s global economy find themselves in a continuously evolving and increasingly complex, volatile, and risky regulatory environment. Let me explain more fully.
Beginning with the 9/11 terrorist attacks, we became engaged in what has become a seemingly endless war on terror. In an effort to disrupt the financing of terrorist activity, we saw the passage of the U.S. Patriot Act and the launching of a regime of anti-money laundering laws and prohibitions on individuals, companies and countries that limited with whom companies could do business. All of this came with a new regime of government enforcement activity.
Literally within weeks of the 9/11 attacks, the integrity of the capital markets was dramatically called into question when the bubble created by the confluence of earnings pressure, grey areas of accounting, and rationalizations that justified the reporting of false earnings burst, leading to the financial reporting crisis of the early 2000s. This in turn led to the passage of the U.S. Sarbanes-Oxley Act and other reforms designed to revamp fundamental principles of corporate governance, risk management, compliance and practices around financial reporting. And again, a new regime of government enforcement activity followed.
With increased globalization and the growing recognition that corruption, particularly in emerging economies, was undermining the ability of global companies to do business honestly and fairly, countries around the world began passing and enforcing anti-corruption laws.
The financial recession of 2008 sent another shock wave to the global economy, once again calling into question the integrity of the capital markets. Soon to follow were a series of new laws, most notably Dodd-Frank, new regulations and aggressive government enforcement activity. Dodd-Frank, the most sweeping financial regulatory reform since the Great Depression, greatly increased the enforcement powers of the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC). It also created a whole new enforcement agency, the Consumer Financial Protection Bureau (CFPB), as a watchdog to write rules for consumer protection that governed all companies offering consumer financial services or products.
By the end of the first decade of the 21st Century, companies found themselves in a new, ever evolving and increasingly complex, volatile, and risky regulatory environment. Together with increased enforcement activity, broader mandates and authority for enforcement agencies, as well as new strategies, tactics, and technology tools, it should be apparent why I have described the environment that companies find themselves in as the new era of regulatory enforcement.
- What are some of the significant areas of risk individuals and companies face?
Girgenti: Let me start off from the perspective of companies doing business globally. The risk of bribery and corruption is the single biggest enforcement issue that they face. Over the last two or three years, we have seen a leveling off of enforcement actions compared to what we saw between 2004 and 2011. However, this may just be the calm before the storm. It has been reported that there were 126 pending investigations as of December 31, 2015, which seems to be very high. In March of last year, the FBI, in conjunction with the Department of Justice (DOJ), established three dedicated international corruption squads, increasing the number of agents assigned to foreign bribery investigations from 10 to 30. In November, the DOJ announced plans to double the size of its Foreign Corrupt Practices Act (FCPA) unit by adding 10 more prosecutors. Additionally, the DOJ hired a new compliance counsel to advise on matters relevant to the prosecution of business entities and the effectiveness of compliance programs, and the fraud section has just launched an FCPA enforcement pilot program. On the global level, we’re seeing more countries engaged in anti-corruption activity and greater cooperation among the various authorities. We’ve seen heavy anti-bribery and corruption enforcement activity in Brazil and China, and even Mexico and South Korea have recently adopted new anti-corruption laws and regulations. Add it all up and we see no letup in sight.
Hedley: I want to add one more risk area that is common across all listed companies: fraudulent financial reporting. We believe the SEC will pursue more accounting-related enforcement actions. The trends indicate it, and the SEC is devoting more resources to the effort, including the creation of a fraud reporting and audit task force.
These areas of risk apply to both companies and the individual employees within a given organization, and there is an increased emphasis being put on the accountability of individuals. In just the last few months, there have been some very interesting developments. For example, the DOJ, through the Yates memo, seeks accountability from individuals who promote wrongdoing.
- What are some of the frameworks for managing risks outlined in “The New Era of Regulatory Enforcement?”
Hedley: It is our belief that organizations must design, implement and evaluate policies, programs and controls to prevent, detect and respond to integrity risks. For example, some of the prevention controls would include codes of conduct, which are key to a high-quality compliance program. Also important is the notion of due diligence for both your employees and agents. For detection, some of these controls would include misconduct reporting mechanisms, such as hotlines. Auditing and monitoring compliance program effectiveness is increasingly important. For response, these would include investigative protocols, reporting and disclosure protocols, and remediation protocols. All of this is supported by what is known as the three lines of defense: management, which is responsible for control ownership; the compliance function, which supports management in that effort; and internal audit, which provides a level of assurance that your program is indeed operating as designed.
Girgenti: One of the key messages in our book is that compliance and risk management can no longer be viewed as optional, isolated or occasional activities. They must become part of the fabric and DNA of a company. All parts of an organization need to be responsible and accountable for fostering a culture of integrity that sets and supports core values; understanding its risk profile and tolerance; and embedding ethics and compliance into its business strategies and operations, as well as its performance management and compensation framework.
see part two