Why ‘Michael Cohen Risk’ Still Matters

Over the weekend an ethics and compliance leader emailed me. This person has long, substantive experience in the field, and speaks about corporate compliance often; you would recognize the name immediately. The person had a question. Other than Radical Compliance, is anyone else talking about Corporate America’s suspicious payments to Michael Cohen, personal lawyer to President Trump; and the anti-bribery implications of them?

This person thought those payments were a grave example of corporate misconduct and poor ethics, but hadn’t seen much discussion of Cohen anywhere else. What was my observation?

I have to admit, to the best of my knowledge, I don’t see much of that discussion. That’s a shame, because Cohen and the suspicious payments that AT&T, Novartis, other companies gave to him are a prime example of modern internal control failures and anti-bribery risk.

So let’s walk through this again, and exactly what peril payments like this mean for the companies and executives that pay them.

If you ask corporate executives in their private, unguarded moments, “Would you really worry all that much about an enforcement action for criminal corporate misconduct?” — I suspect most of them would say no.

An enforcement action is never anyone’s idea of a good time, of course; but the company will pay penalties, perhaps accept a monitor, invest more in compliance department resources, and move on with life. Two years later, you’re on the conference circuit talking about lessons learned.

On the other hand, if you ask corporate executives, “Would you worry all that much about getting fired as a result of social media outcry over suspicious corporate conduct, with those allegations tagged next to your name in Google searches forever more?” — well, good lord, they’d be terrified at that prospect.

That’s why Cohen and the payments to him should be a serious concern for corporations and the executives who lead them. I don’t know that we’ll ever see any enforcement actions arising from the scandal, although the payments do raise legitimate questions about accounting controls required by federal securities law. But we have seen executives get sacked for it.

AT&T pushed out its top Washington lobbyist, Bob Quinn. Novartis did the same to its general counsel, Felix Ehrat. Those men paid the price demanded by an outraged public, the outrage magnified by social media. The price was their jobs and their reputations.

On those grounds alone, corporate compliance officers should be telling their boards and C-suites that l’affaire de Cohen is worth their attention. It’s one set of circumstances — suspicious payments to a politically connected person, allowed by poor internal control and oversight — that could manifest as several different types of risk.

That’s what is important here. Even if the enforcement risk is small, the reputation risk is high. And reputation risk demands a price paid in resignations and ruin, rather than penalties that aren’t even material to a company’s balance sheet.

Cohen Risk Isn’t Done Yet

It’s worth remembering how all this came to light. Cohen’s bank, First Republic, filed three suspicious activity reports to the Treasury Department. So far only one of those three reports has been leaked: to Michael Avenatti, lawyer for Stormy Daniels. He promptly posted the details of that SAR online. Those details are what got AT&T, Novartis, and others into so much trouble.

So what about the other two SARs? If we’re to believe published news reports, they were removed from the database at FinCEN that houses these documents. Their disappearance apparently even motivated someone in law enforcement to leak the first SAR, fearing that all three would vanish from scrutiny forever.

Read between the lines of multiple reports, and it seems that those two SARS were not destroyed to hide misconduct. Rather, they were removed because their contents are so sensitive, even most law enforcement can’t be trusted to keep those details secret.

In other words, it’s entirely possible that special counsel Robert Mueller already has these SARs. And Mueller doesn’t leak.


Therefore, compliance officers are left with only this: There are two more time bombs out there. We don’t know where they are, when they might detonate, and what companies might be hit by the shrapnel. But they’re out there. And Cohen is only one grifter in Donald Trump’s orbit. We don’t know how many other grifters were running the same number on Corporate America either.

If I were a large company with business before the Trump Administration in the last 18 months, I’d be worried about Michael Cohen risk all the time, until we had ironclad evidence we had not done anything as dumb as AT&T or Novartis.

If you disagree, ask Quinn from AT&T or Ehrat from Novartis. They have plenty of time on their hands these days.

Ethics and Internal Control

As I’ve said previously: If these payments were made to the personal lawyer of a president in any other country, all the companies involved would be panicked about possible violations of the Foreign Corrupt Practices Act. Thanks to ridiculously weak anti-bribery laws within the United States, however, criminal liability is negligible. So, as my emailing friend noted, the corporate community has moved on.

I also can’t help but notice the mechanics of the Cohen payments. In each instance, one high-ranking executive decided to pay inflated prices for Cohen’s “insights,” apparently without any documentation that Cohen could provide the services promised (he couldn’t), and no independent review to challenge whether these payments would raise any red flags.

L’affaire de Cohen is one set of circumstances — suspicious payments to a politically connected person, allowed by poor internal control and oversight — that could manifest as several different types of risk.

That sounds an awful lot like the same stunt Panasonic Avionics pulled in Asia in the 2000s, which led to its FCPA enforcement settlement in April — complete with $280 million fine and a compliance monitor.

Those improper payments and poor internal controls happened 10 years ago. How many millions has Corporate America spent on FCPA compliance and improving internal control since then? And we still have loopholes allowing this Michael Cohen nonsense now?

That says a lot about what really matters in the C-suite: compliance, more than ethics. Companies worry about suspicious payments that might violate the FCPA. They don’t address suspicious payments that don’t violate the FCPA.

Yet when you look at the Cohen mess, the outcome is what senior executives fear most: careers now in the ditch. And should the Democrats retake the House in November (which I believe they’ll do) — an investigation into this mess will be a top priority come January. Good luck when that happens.

A risk doesn’t care whether it’s regulated or not. The risk only cares whether you have the good judgment to discern right from wrong and then do something about it. That’s the issue with payments to people like Michael Cohen.

So keep talking about it, because those time bombs are still ticking out there somewhere.

Leave a Comment

You must be logged in to post a comment.