Welcome to 2019, everyone! The federal government may be shut down, but corporate compliance never stops. Now that we’re done returning Christmas presents and deleting emails clogging our in-boxes, our thoughts turn to how the corporate compliance landscape might evolve in the coming year.
Without further delay, then, my annual list of compliance issues that should be worth watching in the next 12 months. In no particular order…
Whistleblower reforms from the SEC. You might remember that last June the SEC proposed a suite of reforms to its whistleblower awards program. The agency proposed giving itself more discretion to increase the size of small awards (those under $2 million), and to cap award amounts in the $100 million-plus cases at 10 percent, rather than the current 10 to 30 percent range. It also proposed new powers to expedite review of whistleblower tips and to tell would-be tipsters that nope, sorry, your particular tip isn’t news and you won’t get whistleblower protections.
The question for 2019 is how the SEC might act on those proposals. Republican commissioners forced their proposal through on a 3-2 party-line vote, and could do so again with whatever final version they might adopt. That, in turn, will almost certainly be challenged in court.
AML innovation. In December banking regulators published a joint statement urging financial firms to embrace more innovation for their AML compliance programs — so in 2019, I’m curious to see whether any banks take up the challenge, and what that innovation might look like.
The regulators suggested everything from beefing up financial intelligence units to experimenting with artificial intelligence to improve transaction monitoring. They called for pilot programs, and promised no punitive actions if those pilots failed. They even promised that if your innovation uncovers gaps in your existing AML compliance program, that won’t automatically lead to impose some sort of supervisory sanction.
The large GRC vendors catering to financial firms talk about AI and other advanced analytics all the time. Let’s see whether that, plus the regulators’ promise of a light touch, actually produces something innovative.
FCPA enforcement policy. At the end of 2017 the Justice Department announced its new FCPA Corporate Enforcement Policy, with much more leniency for companies that disclose FCPA misconduct and cooperate in resolving the problems. Throughout 2018 we saw that policy put into effect — even as recently as last week, when Polycom avoided prosecution for far-reaching abuses in its China division.
We saw other Justice Department policy moves in 2018, too: a more relaxed approach to imposing compliance monitors (announced in October), and a retreat from the Yates Memo (announced in November) and its requirement to turn over evidence of all participants in misconduct.
My questions: Will all this enforcement generosity truly prod companies to be more forthcoming about FCPA issues they have? Will we see examples of egregious misconduct that still results in a monitor or monetary penalties?
U.S. privacy law. One of the only subjects with bipartisan agreement in Washington is this: the need for new federal privacy legislation. Even the big technology companies want it, if only to give them some protection for their battered public reputations. Moreover, 2019 is the year for Congress to do something, before we all lose our minds in the 2020 election cycle.
So what will Congress actually do? Republicans will oppose anything as onerous as the EU General Data Protection Regulation or the California Consumer Privacy Act, but they’re under populist pressure to do something. Then again, the politics gets difficult because privacy pits consumers against business and states against the federal government.
For compliance officers at global organizations, already laboring under GDPR, state laws, and industry rules, this is one more level of complexity for policy, procedure, and training that may finally land on your head in 2019.
GDPR enforcement. The EU General Data Protection Regulation went into effect last May, and since then the number of complaints to data protection authorities has soared across Europe. In 2019, then, I wonder whether we’ll see the first major enforcement action under the GDPR — one large enough to send a bolt of worry to boardrooms around the world.
After all, Facebook disclosed a breach in September of 50 million user accounts, and Facebook’s reputation is already in the toilet across Europe. Then there’s the breach of 500 million consumer records disclosed by Marriott that same month, which is larger and even more far-reaching than Facebook’s mess.
I suspect privacy regulators in Europe want to impose a large fine, to telegraph to large businesses that GDPR compliance is a serious priority.
I suspect privacy regulators in Europe want to impose a large fine, to telegraph to large businesses that GDPR compliance is a serious priority. Large companies seem to be giving privacy regulators plenty of targets.
Restive employees. One telling outburst of corporate ethics in 2018 happened in May, when Google decided not to bid on a Pentagon defense contract for artificial intelligence. Why? Because Google employees didn’t want to work for the Trump Administration. They forced their ethical values onto the company, and that pressure translated into a concrete action: a decision not to bid on an otherwise lucrative government contract.
We’re going to see much more of that in 2019 and beyond. Employees — especially well-educated employees, at high-profile companies — will use social media to pressure their companies to take actions that the employees deem ethical.
The law firm DLA Piper calls this “consumer regulatory risk,” and dwells more on consumers pressuring companies. The real threat is likely to be employees shrewdly using social media to forge alliances with consumers, to magnify that pressure for ethical conduct.
The GRC vendors. We can’t forget the software that compliance officers actually use, and the vendors who call you pleading to try an online demo.
In 2018 two major compliance vendors, NAVEX Global and LRN, picked up new private equity overlords. Both firms received an infusion of fresh cash so they could expand their operations and product offerings; and they weren’t the only firms receiving more investment capital in 2018. OK — so what are all these vendors going to do with the money?
For example, they might hire more sales reps to expand internationally or into new industry sectors. They might integrate artificial intelligence into their products. They might acquire other, smaller vendors to plug holes in their product lines. Also, if recession arrives in 2019, we could see firms (potentially even large ones) consolidate with each other to weather the storm.
The new lease accounting rule. The new accounting standard for operating leasing expenses went into effect Dec. 15. That means companies will start filing financial statements under the new standard throughout 2019. The accounting requirements themselves aren’t tricky: companies need to report the cost of their operating leases as liabilities on the balance sheet, rather than bury those costs in the footnotes as they did under the old standard.
Developing a capability to find all your operating lease costs will be the tricky part. Companies might to revise policies and procedures for signing leases, implement new document management systems, or build new internal controls to prevent “off-book” leases signed by some employee who doesn’t tell anyone.
How prepared are we? A survey from EY published last month found that 85 percent of respondents expected to meet the standard’s reporting deadline, but 86 percent also expect to use “interim solutions” before a permanent fix — which suggests lots of procedural hiccups as outlined above.
Critical audit matters. The new standard for external audit reports will go into effect for audits performed on fiscal years ending after June 30, 2019. These will also be the first reports to include “critical audit matters” — any matter the audit firm communicates to the audit committee, that relates to material items in the financial statements and involves “especially challenging, subjective, or complex auditor judgment.”
CAMs are likely to be a touchy subject. Many important items in a company’s financial statements (management estimates, goodwill, allowances for doubtful accounts) could be CAMs, depending on how strong the company’s internal controls are around those items.
For example, on Dec. 31 the SEC fined Hertz Corp. $16 million for shoddy accounting that led to a financial restatement in 2015. The problems areas: allowances for doubtful accounts and management estimates. Imagine how much more tense audits like that might be, if the audit firm had to publish its concerns as CAMs.
Those are (only a few) items on my radar screen as we all gear up for 2019. Let me know what you think, or what this list is missing! Drop me a line at [email protected] any time.