Across every industry and every region of the world, corporate compliance programs have increasingly become an integral part of a company's operations and procedures—and the trend shows no signs of slowing. In the first in a series of Jones Day Talks programs addressing topics related to corporate compliance programs, Jones Day lawyers Henry Klehm, Toni Citera, and Paloma Valor discuss the history of corporate compliance programs, the changing role of the compliance officer, challenges for multinational companies, the importance of technology, and how the compliance function can effectively partner with other parts of the organization to help mitigate risk and achieve business objectives.

Read the full transcript below:

Dave Dalton:

You're about to hear a first in a series program focusing on corporate compliance programs, with an emphasis on proactivity in risk mitigation. Jones Day partner Henry Klehm, who heads the firm's securities litigation and SEC enforcement practice, will lead this discussion. You'll enjoy this conversation, and we know you'll want to join us for the upcoming podcast we're planning and recording on corporate compliance. I'm Dave Dalton. You're listening to "JONES DAY TALKS®."

Henry Klehm:

Welcome to a special series of "JONES DAY TALKS®." My name is Henry Klehm. This is the first podcast in a series that we're presenting on corporate compliance programs. The future episodes of this will be much more substantively oriented to different topics within compliance and the law. Today's discussion, though, is on a much more generalized basis, and I'm pleased to have with me today Paloma Valor and Toni-Ann Citera. Paloma, why don't you start off by introducing yourself?

Paloma Valor:

Thank you, Henry, and hello to everybody. I joined the firm a bit over a year ago. I spent my entire career in IBM, most of the time as a business lawyer, to lead the legal department in Europe. I served over six years, in my last tenure in IBM, as Chief Trust and Compliance officer of IBM Corporation, at the time where the company was modernizing and transforming an already robust compliance program.

Henry Klehm:

Toni, why don't you say hello?

Toni-Ann Citera:

Hi Henry. Hello everyone, and thank you. My name is Toni Citera, and I have spent a lot of my career at Jones Day, as a partner in our litigation practice. I was at some point asked to join Celgene, a pharmaceutical company that focused on oncology and hematology products, and was asked to join them as their chief compliance and risk officer. I returned to the firm in 2020, and focus on litigation, investigations and compliance counseling.

Henry Klehm:

Again, I'm Henry Klehm. I've been with Jones Day now for about 14 years. I lead the securities litigation and SEC enforcement practice. Before I came here though, from 2002 until about late 2007, I was the global head of compliance for Deutsche Bank, a multinational bank doing business in more than 39 countries around the world, and ran the compliance program there for about five and a half years. Even before that, when I was a deputy general counsel at Prudential Financial, I was responsible for providing legal support to all of the compliance functions within the company, including the compliance department, internal audit and risk management.

We thought we'd start off today with a little bit of a very brief history of corporate compliance programs, beginning back in the 1950s and going up to the 2000s. I think it can be summed up pretty quickly, so we're not going to take 40 or 50 years to do that. Compliance really began with the settlement of what was known as the electronics manufacturer cases in the 1950s, which was a large series of antitrust cases brought against electronics manufacturers. There were way too many of them at the time. There was an antitrust conspiracy that had been formed, and in the wake of the enforcement actions following that, one of the remedies that was brought about resulted in the advent of the first set of compliance programs, which is really around undertakings not to violate antitrust or competition laws, and to require employees and officers of those companies to sign up for codes of conduct, saying that they wouldn't engage in conduct that would violate the law by combining with others in the electronic space to fix prices or allot markets.

Over time, in the sixties and seventies, it spread to the securities industry, pharmaceutical industry, environmental protection and the like. In the late 1980s, in the Michael Milken years, there was an explosion within the securities industry of the need for improved compliance, and it began to go from just codes of conduct to other types of controls, including eventually electronic surveillance of trading that went on. By the time we get to 2000, Enron/WorldCom era, in the wake of the dotcom bubble burst, programs had spread far beyond just the securities industry and highly regulated industries, into many other companies. Certainly, the advent of 9/11 created a substantial need for the expansion of anti-money laundering programs, which really brought technology to the fore in the compliance space.

One of the things we wanted to talk about today, though, was since that time, what have we, as three former chief compliance officers, seen as the biggest changes in the compliance space? What are those changes over the last 20 years that have really taken place? Maybe I'll start by asking Paloma that question. Paloma, you and I are a little older than Toni maybe, and I wonder what you've seen in the last 20 years that is really notable, from your perspective?

Paloma Valor:

You have described the history, and the basis comes from the United States, but I think that as more and more countries have been developed, the regulation in all the different fronts that you have described also have gotten more sophisticated in the enforcement. Compliance programs are becoming more and more international, cross jurisdictions, and in many cases, even global, was the case in my former company. I also believe that many of these systems are targeting individuals under the understanding that if you target the individuals, you deter wrongdoing better. I think the compliance programs are also becoming more personal.

There is an evolution on the complexity of the risk mapping, it's getting extremely complex, and extremely multifaceted and multi-dimensional. The last thing that for me is very critical is that compliance has become part of the strategy of the companies. I think it has to do with your value proposition. If you are a global player, integrity, transparency, and compliance has to be part of your value proposition. At the same time, you need to operationalize it in every part of the chain of value of the company. That balance between a very high level of strategic thinking and a very nuanced, operations-driven compliance program is one of the biggest challenges I think the last few years have developed.

Henry Klehm:

Toni, maybe you can build on that. Tell us a little bit about your time at Celgene, as the chief compliance officer there.

Toni-Ann Citera:

Companies in the beginning focused on operationalizing compliance, as Paloma was talking about, but there was that shift, at least while I was a compliance officer, how can we be more strategic? How can we be a strategic advantage to the business, as opposed to purely an operational function? Can we leverage the work we're doing to get in front of issues? Does it allow us as a company to be more nimble, to establish trust with our customers and our partners more quickly? That was the focus while I was in compliance. The operational is important, but you also have to think about yourself as a strategy partner, and the business will embrace that.

The other thing that I've seen is companies moving to more principles-based policies. Not every company is doing that, but the idea is empowering your employees to make the right ethical decisions, as opposed to having those traditional detail-prescriptive policies, which continually need to be updated as the law changes.

Henry Klehm:

From my own part, I would say that the pendulum swings back and forth, Toni, to your last comments about more strategic principles based and the like. I think that's true, and I think if I look back on securities compliance programs, that was very true in the 1980s. In the wake of the financial crisis, and even before that, in the wake of 9/11, the regulated industries became much more prescriptive as to what was required for a compliance program to be considered effective. One of the biggest changes I think I've seen in the last 20 years really comes from that, which is that now, even if we look at the Department of Justice guidelines on effective compliance programs, or those things that are developing in the EU on compliance programs, they're becoming more and more prescriptive, while there's always this tension about, you want employees to be making decisions based on sound principles. You can't be so prescriptive as to protect the company in every situation, people have got to use their heads.

At the same time, the governments and regulators in particular have looked at compliance programs more as a way for expediting their investigations, requiring the maintenance of more and more data, the capturing of more and more data. Whether you take the securities industry here, that now requires every text message to be captured, every text message with a customer, all the way through to you look at financial transactions, and the potential for money laundering, even within corporate entities doing international business, the records requirements have grown just tremendously in that respect. To move on just a little bit of that, the role of the compliance officer in all of this, what have you seen Toni in the change in the role of the compliance officer? I know you just touched on that a little bit, but maybe you can expand?

Toni-Ann Citera:

The compliance officer sets the tone in terms of building a culture of compliance, but they have to have buy-in from the business, and of course, the leaders of the company. Compliance, after all, is a shared responsibility, and everyone needs to understand that. If you think about it in terms of branding, what's your brand as compliance officer? That may vary in terms of who you are, in terms of your company, what stage your company is at. There's no one size fits all in terms of your messaging, but for me, as appropriate, I want to be at the table from the beginning, as programs or strategies are being built, rather than having to be the person who has to say "No," or, "That doesn't work" at the end.

Working to make sure my messaging, and my practices are aligning with that idea of a partnership is critical. Also, making sure you're visible to the business. Are you meeting with your business leaders regularly? Do they view you as that trusted advisor, or partner? Are you offering solutions rather than just roadblocks? Then of course, having discussions about risk and risk ownership, so that the business does understand that in many instances, they own the risk, and again, that compliance is that shared responsibility.

Henry Klehm:

Paloma, what do you think about the role of compliance and the compliance department and the compliance officer in compensation decisions?

Paloma Valor:

That's an interesting question, and more in light of the new Department of Justice guidance, I think that it's very difficult to incentivize, particularly in those companies where compliance is a condition of employment. However, I also believe that good behavior should be properly recognized and properly incentivized, and it should be one of the parameters of at least the bonuses, at the variable part of the compensation. Since compliance and integrity is part of the value proposition, it's part of the equation, it's part of the financial equation. I think it should be one of the parameters to be taken into account for appraisals, and the compensation of the employees of the relevant company.

Henry Klehm:

It's interesting that you reflect on the new DOJ guidelines. It's fascinating to me, because of course 25 years ago, the department would've taken the position, "We have nothing to say about compensation decisions within companies." Now, they're saying, "Maybe we should weigh into that."

Paloma Valor:

Which, in a way, is connected with this point of, it's becoming more personal, so you need to target what, in some cases, move the individuals. Toni also said earlier that you need to invest in culture, and you need to get the buy-in of the business. This is also part of it, how you use all the tools of the company in the strategy of the business to achieve the business results, but with the standard of integrity of the values and principles of the company.

Henry Klehm:

Right. Well, let's move on for a second, and talk about the optimal structure for the compliance department. We've already made the point that there is no one size fits all ever, but what are the driving considerations that you think should be there, that underlie how the compliance program is structured? Maybe Paloma, you want to take a shot at that one?

Paloma Valor:

We have already said that it should be, in my opinion, owned by the business. It should be owned by the board, the CEO and all the layers of the organization. Still, there are minimum common denominators that need to come and be cascaded down from the jurisdiction of the relevant company, the parent company. It's very important to adjust to the risk of the company, meaning geographic footprint, industries, sectors, reputational risk of the company, and then structure it depending on all of that.

Henry Klehm:

How does that play out in a large organization, where there are going to be entities or locations that are at the end of the pier, if you will? In my former life, I always thought about the poor compliance officer that was sitting in an office of 40 people in a remote country. That poor individual is sitting down there on their own, and then also, there's the issue of subsidiaries. If you have a structure where the company is really run through different subsidiaries, and you have a subsidiary that's not 100% owned by the parent company, how do you handle those structuring decisions? That's a hard one, so we'll go to Toni for that.

Toni-Ann Citera:

I'll take the first part, and I think I'll let Paloma take the second part. The challenges, as you say, in the countries where there may not be a lot of employees in a particular country, can't support a full-time compliance professional, and so maybe you have somebody who's wearing multiple hats, and that person may not report into compliance. They may report into the general manager of the country, or the business. That person of course has to have some line to the compliance organization, and so that's important, making sure that there is at least that dotted line to compliance, but also making sure that person is supported, and also is insulated from certain tasks that a different compliance professional in a different country, with lots of resources may be able to do.

You don't want your compliance professional who's wearing multiple hats investigating your business, because they may also be part of that business. Taking things like that and maybe moving them up to somebody outside of the country to handle those types of tasks is important, and making sure at least there's that open line of communication for those people who are wearing multiple hats, and aren't necessarily in your organization but are supporting compliance.

Henry Klehm:

Paloma, I know IBM had a lot of joint ventures around the world. How did you navigate that tumultuous sea?

Paloma Valor:

On subsidiaries, as I've said earlier, fully owned subsidiaries should be relatively easy, and again, it should be the minimum common denominator of the parent company. There are other countries that are more demanding. In the case of IBM, it was the United States, and many Western European countries have commercial bribery, so you need to add on top of the already demanding minimum common denominator. On non-fully owned joint venture subsidiaries, it's a much harder question. As businesses evolve, the values remain, but the compliance principles, the regulations evolve. The difficulties, the legacy, partially owned entities, whatever they are, how you renegotiate that? I still believe that the momentum in the area is such that you can renegotiate in the past. For the future, I also believe in, again, values, and it's part of the relevant business you are discussing to really align the values, and the consequent compliance matters to those values when you do business around the world.

Henry Klehm:

From my own experience, I would say that there are, however, some functions within a broad compliance program that might need to be centralized, just for reasons of control and consistency. Allowing a compliance officer in a remote location, or remote partially owned subsidiary to make certain decisions, it can lead to a lot of inconsistency. In the financial institution world, that's been pointed out time and time again, in the AML and sanctions compliance space. The need to have those types of vast surveillance programs ultimately, where certain risk decisions have to be made centrally just to get the consistency where you don't want, for example, the compliance officer in Bahrain making a decision about approving a transaction that might need to have been done at a headquarters level, because that individual just is not in a position to know all of the issues that may be associated with a transaction that turns out to be with Iran, or a partially owned subsidiary of a customer that happens to have some ownership with someone that's on a sanctions list.

There are also sometimes places where there can be conflicting laws, particularly in the sanction space, or the AML space, the customer approval space, where it just is very difficult to navigate that. I know from my own experience, we had situations where, in certain countries you could do certain types of trades, but you couldn't do them in the other countries. People sitting in Singapore might approve a trade that was prohibited in Korea, and even though it was done through a different legal entity, it ultimately was a prohibited transaction within Korea. Sometimes you have to find those things that need to be centralized, and those risks that have to be run by a smaller, tighter group of people that can bring consistency to those decisions. I'm sure these issues never came up, Paloma, at IBM.

Paloma Valor:

It's a company that, at my time, was more than 400,000 employees in more than 170 countries. I agree with all of what you have said, and that was the approach. My point on minimum common denominator, and that was in the case of IBM, the U.S. principles, and then adding on top, the alternative sometimes is not doing business. You were talking about sanctions. You have seen how many companies, European Union and American companies, have withdrawn from countries for sanctions. I agree with all of what you have said, and that's how it was done in IBM.

Henry Klehm:

Before we get too tight on time, I wanted to turn to the issue of other corporate resources, and the compliance department's relationship with other control functions, and how those things function where you were, Toni, at Celgene.

Toni-Ann Citera:

It goes back to partnerships, and whether you're partnering with business, or in this instance, the corporate functions, that's important, and knowing who to work with to ensure success. If you're a compliance officer sitting within the legal department, you're obviously partnering with legal, but even if you're not sitting in legal, and you have your own organization, they're going to be one of your key partners. They're going to help you keep abreast of changes in the law, new guidance policies, and of course, assist as appropriate with investigations.

The other department that is critical is human resources. I'm a big proponent of looping HR in early and often. At the end of the day, in compliance, you're dealing with people, so making sure that they're part of the training, and they're part of the investigations process, and they may have a better understanding of when you're developing your policies and procedures, what's going to work, what's not going to work, HR is going to be important there. The other two corporate functions that are important, of course, are IT, particularly as companies become more sophisticated in doing risk assessments and investigations, IT is going to be critical, and internal audit. Internal audit may flag issues that aren't necessarily on your radar, so you need to make sure you have an open dialogue with them. You may also see an issue that you think requires an audit. Having a good relationship with that function is also, I think, going to be important to your success.

Henry Klehm:

I think the role of internal audit with compliance is not always the easiest, because certainly in the regulated entities, the auditors are supposed to audit the execution of the compliance program and the like. You used the key phrase, which is partner. I found, at least in my time, that the best thing to do was get them involved way earlier than they thought they should be involved, so they could be brought along as whatever it is developed. Whether it's the implementation of a new IT system or something like that, having them alongside, even if they don't necessarily sometimes want to be there, is a helpful thing. Any thoughts Paloma on that, from your side?

Paloma Valor:

Again, I completely back what you both have said. I think that the partnership is critical. I also believe that we have complementary points of view, meaning in general, compliance is normally more lawyering, and the partnership with finance, with HR, with internal audit is critical. You have different points of view, and the combination is what makes it quite a powerful tool.

I would like to spend a word, Henry, on technology. If you look to the modern compliance program, the partnership with technology is critical. In my time in IBM, in the anti-corruption arena, there is so much you can achieve with technology, building a database from a structure, and structure on government owned entities, for instance. Tracking a pricing of operations, suppliers and distributors, checking on the different controls on business amenities. Again, that also helps when you are expanded all over the world, or in many jurisdictions, because you can reach with technology, many things that you may not be able to have resources. It's a critical feature, and the partnership in my case, with the chief analytics officer and the CIO of the company, was critical to really reinforce the compliance program through technology. Now, as we move into the ESG space, a lot of the companies, the way they are really driving the controls and compliance of the three magic letters is through technology.

Henry Klehm:

Maybe that gets us around to probably the final question. Looking at your crystal ball, in the future, what do you think are going to be the biggest changes in the next 10 years, for compliance programs? I'll let Paloma think about that for a second, but I'll put it onto Toni first.

Toni-Ann Citera:

First of all, I think we're seeing a shift, particularly in the industry that I focus on, in life sciences and pharmaceutical, in terms of regulatory guidance, and making sure that the company can adjust to those changes is going to be important. As you talked about, the compensation, for example, is a new one. Of course, as technology becomes more sophisticated, the company, or the compliance programs are going to have to adapt to that, whether it be dealing with AI, or using AI. The other thing is social media, and that was something that we've already had to deal with. It's only going to get harder to address. What are your policies around social media, and how are you monitoring that, and are you monitoring that, in some instances, for your employees? Those are the things that I'm thinking about, I'll let Paloma add to it.

Paloma Valor:

I believe that there are a lot of growth pains in the international approach of compliance. Many countries are developing, in some ways copying, in others adding to the most mature, that is the U.S. and the UK, and now many European countries catching up. I hope that it will go in the way of more collaboration among countries, minimize contradictions, minimize duplications, understand that it's more important to have a truly professional, sophisticated function for investigations, for receiving whistleblower complaints, that is really professional and specialized, than is local. As Toni was saying earlier, sometimes being local is more a problem than a positive. I think it's going to be tough for a while, in terms of really getting all the jurisdictions, but I hope that we can all influence this debate, to really make compliance a more global play without contradictions, and without these growth pains that we're facing at the moment.

Toni-Ann Citera:

One of the things that we were doing was launching an enterprise risk management program, and Henry, I know it's something we've talked about before. Looking at risk across the company, and oftentimes now, compliance officers are asked to lead that function, perhaps in cooperation with finance. Being able to understand not just what compliance risks you're facing as a company, but also what other risks, whether it be cyber, or depending on your organization, what specific risks you're facing, being able to look at those risks across the company, and having those conversations and mitigation programs to address those risks, I see that moving more into the compliance function as well.

Henry Klehm:

Yeah, I agree with everything you've both said. I would sum it up, I think that the governmental tendency to become more prescriptive will only continue to accelerate for compliance programs. At the same time, as we hear these broader societal notions around ESG, the idea that a lot of that is going to get pushed into compliance in one way, shape, or form is a building tidal wave that is going to break on the shores of the compliance departments. The idea that compliance needs to make sure that the company's carbon footprint is appropriate, or all of these other societal things, that stuff has to go somewhere.

The easy tendency sometimes, whether it's at the governmental level or the business level within the company, is to say, "Those people in compliance, they're pretty good at getting stuff done, and counting noses, and making sure things are running. We're going to make it, at least initially, a compliance function." That tension will do nothing but accelerate in the next five years plus.

I think we have to leave it there. I think we're just about out of time. I want to thank Toni and Paloma for joining me today, and thank you all for listening.

Paloma Valor:

Thank you.

Dave Dalton:

Thank you, Henry. We look forward to additional programs in this series on corporate compliance. For complete bios and contact information for Henry, Paloma or Toni-Ann, please visit jonesday.com. While you're there, check out our insights page, where you'll find timely content, including videos, podcasts, publications, newsletters and blogs. Subscribe to "JONES DAY TALKS®" at Apple Podcast, and wherever else you find your podcast programming. "JONES DAY TALKS®" is produced by Tom Kondilas. As always, we thank you for listening. I'm Dave Dalton, we'll talk to you next time.

Speaker 5:

Thank you for listening to "JONES DAY TALKS®." Comments heard on "JONES DAY TALKS®" should not be construed as legal advice regarding any specific facts or circumstances. The opinions expressed on "JONES DAY TALKS®" are those of lawyers appearing on the program, and do not necessarily reflect those of the firm. For more information, please visit jonesday.com.
