Chief compliance officers (CCO), the architects of their company’s compliance strategy, structure and processes, are growing in numbers, especially in large corporations. These professionals must understand complex regulations and laws and simplify them down to required behaviors in a policy document. CCO responsibilities include education, monitoring and detection programs. The CCO serves as the primary contact to the regulators, and works closely with the GC during investigations and audits.
Speaking of investigations and audits, most CCOs in large enterprises find themselves in an unrelenting flurry of digital investigations. CCOs are fast becoming contenders for the gold medal in running digital investigations for regulatory and policy compliance. Yet a 2015 Compliance Week survey revealed that “59% of CCOs are only somewhat confident, or not confident at all, that the IT systems the compliance department uses can fulfill the CCO’s reporting and responsibilities.” How is this key C-Suite role evolving, and what do they need to succeed as digital investigators?
The government increasingly sees the CCO as a “watchdog.” Evangelizing a culture of accountability and compliance is also central to the role. Whistleblowers must feel safe to come forward to report any unethical or other misconduct.
After a record-setting corporate integrity agreement and $2.3 billion settlement with a pharmaceutical giant, federal authorities commented that “[t]he lawyers tell you whether you can do something, and compliance tells you whether you should. We think upper management should hear both arguments.”
In recent months, a drug company raised the price of a toxoplasmosis drug by 5000 percent,
with major reputation hits quickly following. Another pharma company increased a cardiac drug price by 525 percent after acquiring it. Both were within the
letter of the law, with moves no doubt designed to increase shareholder value. Yet they both sparked huge ethical debates, with the cardiac drug company
experiencing a 91 percent drop in share price in the last year. How strong was the CCO’s voice in these companies?
The rising importance of the ethical and culture-building role is evident in the growing use of the chief compliance and ethics officer (CECO) title, putting more emphasis on the ethical bullhorn of the role.
Who do CCOs Report to?
CCOs or CECOs reporting structures vary greatly. In some companies the compliance responsibilities reside in a General Counsel-Chief Compliance Officer dual role, reporting to the CEO. PWC reports that 62 percent of pharmaceutical companies have a separate compliance role, frequently reporting to the CEO. In some organizations the CCO reports to the Board, CFO or legal. In 2016 Bloomberg reported that a major U.S. bank shifted its compliance group from legal to risk management under pressure from regulators. The concern was the legal group was trying to minimize rules application. Other major banks similarly took the CCO role out from under the direction of the GC following government settlements.
Why CCO Gold in Digital Investigations Matters
Regardless of who the CCO reports to or how much they evolve to be the ethics voice inside corporations, there is no doubt that this role will need to be champions in using technology to monitor digital data for misbehavior and regulatory compliance. When you think about it, compliance officers are one of the biggest digital investigators going with the increasingly demanding regulatory environment. CCOs must quickly gather highly accurate, forensically sound information on possible violations, assess what happened, who is responsible and determine what disclosure and remediation actions are needed.
Though human resources (HR) and legal may rival them for the “gold medal” in digital data hunts, CCOs and their internal partners find themselves in continual 1500-meter races to scan massive amounts of information and activity across today’s mobile enterprises.
Financial Industry Regulatory Authority (FINRA) has stepped up focus on a culture of compliance in recent years. “The challenge of how you deal with good people making bad decisions … is more and more important than it’s ever been before,” commented FINRA’s CEO in May 2016. He added that there is a direct line “between culture and the probability or severity of an enforcement action.” In the last few years, CCOs have been held personally liable for compliance violations , making them even more motivated to excel at digital investigations to root out bad behavior. In June 2016, the SEC fined a CCO of a financial advisory firm $25,000 and the company $150,000 for failing to implement polices to prevent misappropriation of client assets, failing to conduct an annual review and filing misstatements.
Chief compliance officers may lead audits to identify all protected health information (PHI) across the organization, and collaborate with IT and governance to secure it and limit access to a “need to know basis” to comply with the Health Information Portability & Accountability Act (HIPAA). The government has been much more aggressive in enforcing HIPAA regulations in 2016, fining one healthcare provider $5M for lapses. As HIPAA initiates phase 2 audits, CCOs at health insurance, provider and their service partners are bolstering their digital investigative capabilities to monitor PHI safeguards and employee activities to avoid hefty fines.
Global company CCOs must ensure their enterprise is ready to comply with the EU General Data Protection Regulations (GDPR) by 2018. Security measures and protocols must be in place to protect European citizens’ data stored on U.S. servers. The regulation applies to data gathered online on customers, users and even to the companies’ EU HR data. With non-compliance fines up to 4 percent of annual revenues, CCOs will want to be confident in the technology they have to monitor and audit GDPR compliance.
An Equal Employment Opportunity Commission (EEOC) action settlement can involve a full-scale audit of all management activity related to hiring practices, and updates to policies. Fraud investigations require finding and analyzing the content of tens of thousands of emails.
Foreign Corrupt Practices Act regulator actions are increasing. Monitoring and collecting data from mobile laptops, phones, tablets and other devices used by global employees conducting business around the world is becoming table stakes. Not having forensic mobile technology in your arsenal could mean missing out on favorable outcomes under the new Department of Justice pilot disclosure program.
Train and Execute with the Best
Evolving chief compliance officers looking for speed and Olympic-quality digital investigations will want to learn about a blended suite of forensic and e-discovery technology that is changing how compliance monitors and analyzes misconduct in large companies. When you are competing against bad actors or simply sloppy employee practices somewhere in your organization, you want to train and execute with the very best to take the gold medal in sound digital investigations.