My friend the Corporate Secretary called me the other day. He works at a consumer products company, and we chat every now and then about various compliance and governance issues. On his mind this time: the new whistleblower reward program established by the Dodd-Frank Act, and how it might ruin any incentive employees have to report fraud via company hotlines.

The Secretary is not alone in his concern, and that worry is legitimate. Section 922 of the law allows whistleblowers to collect as much as 30 percent of any fraud settlement the Securities and Exchange Commission might reach based on the whistleblower’s information. In settlements over insider trading or the Foreign Corrupt Practices Act, that 30 percent could easily be $10 million or more. If you were an employee sitting on knowledge of misconduct, would you pass up that opportunity in favor of calling the company hotline? Neither would I.

This basic truth has unsettled quite a few compliance types, who fear that the SEC, Justice Department and other regulators will now take that lack of hotline usage as a sign that the company’s compliance program isn’t effective. In reality, the compliance program just isn’t as effective as offering a multi-million dollar reward.

Anyway, the Secretary asked me if Compliance Week had heard of anyone out there trying to formulate a more coherent response to this problem—not outright opposition, but perhaps a working group of some kind that might reach out to the SEC as it begins making rules to implement Section 922. The Secretary’s theory is that the SEC might not be thrilled with Section 922 either, since Congress has essentially told the agency how it should be doing its job. What’s more, Congress is undercutting one of the SEC’s core messages about compliance programs—that hotlines and voluntary self-disclosure are important—by creating a financial incentive to ignore that practice. That’s got to be annoying if you’re an SEC commissioner.

To answer the Secretary’s specific question: I don’t know of any coordinated effort to express concerns about this forthcoming rule to the SEC. Anybody else out there hear anything yet?

The SEC is accepting comments on Section 922, even before any formal rule is proposed or adopted. Already about 10 comments are posted there, mostly supporting the expanded whistleblower incentives and protections. None seem to be from corporate compliance executives wondering how the bounty program might undo all the effort to support voluntary self-disclosure.

Speak up, folks. The Dodd-Frank Act requires the SEC to implement any rules for Section 922 with 270 days of the law’s passage. That was July 21, 2010, which means a final rule should go into effect no later than late April 2011.

Last Friday afternoon I had the opportunity to meet a newly minted chief compliance officer. She had been in the job only one month, was passing through town, and wanted to talk about the current events in compliance over lunch. We settled into a restaurant near my office and began chatting.

“So are you a lawyer?” I asked.

“No, I spent 12 years in the HR department,” she told me. “I’m also a licensed private investigator, and I assume that will help too.”

I thought about that for a moment. “Actually,” I said, “compliance departments want lawyers in the role mostly so they can exercise attorney-client privilege when that legal protection might be necessary. But really, on a daily basis, most of the work is finding the facts behind dumb things employees do. So your background is great, because no matter how clear the rules are, employees do some pretty dumb things.”

Four hours later, Hewlett-Packard announced that Mark Hurd was stepping down as CEO amid a sexual harassment probe.

Of course, in the week since then, we’ve seen all manner of speculation that Hurd’s supposed sins were not nearly as egregious as HP’s board first portrayed them to be. As time passed and more details dribbled out, a counter-story emerged that perhaps HP’s board overreacted—that perhaps directors rushed to fire Hurd because they were more worried about bad publicity than bad conduct, or were looking for an excuse to fire him and impulsively seized on a harassment complaint that wasn’t as strong as they expected. Or maybe Hurd really was the ethical scofflaw the board alleged him to be, billing various travel and personal expenses to HP.

I won’t venture any speculation myself about Hurd’s relationship with the woman in question, Jodie Fisher. (I suspect Mrs. Hurd will conduct an extensive internal investigation of her own.) In fact, even the question of whether Hurd deliberately falsified expense reports or his staff simply goofed on names and dates doesn’t interest me all that much. Those are serious questions for HP’s own compliance department to investigate, but they don’t relate to the broader point I want to raise here.

My point being? Go back to the newly minted compliance officer I met for lunch. Her expertise is in finding the real facts behind alleged misconduct, and determining what punishment may (or may not) be warranted. As HP and Hurd so colorfully demonstrated, even the largest companies, with extensive compliance programs and a genuine awareness that good conduct is important, can still stumble over the basics: What happened? Did misconduct happen? What punishment is appropriate? How do we deliver that punishment in a way that demonstrates our commitment to ethical conduct?

Those questions, and the skills you need to answer them, transcend any particular educational background you might have. Corporate compliance is an endless, often exhausting cycle of repeating the same procedures over and over again. And why do we keep repeating that cycle? Why do even the most successful and high-profile executives (and boards) put themselves in awkward, if not downright stupid, situations?

Well, I can’t help but think of our cover story this week, a Compliance Week editorial roundtable exploring the overlap between legal and compliance functions. We had a fantastic discussion (read the article!), but one point raised at the end stuck with me: that for all our focus on compliance, corporations should worry foremost about ethics—because, in the end, misconduct happens when an employee deliberately decides to break the rules. For all our other talk about exercising privilege during an investigation, or sophisticated monitoring tools, or thorough documentation and reporting, ethics is still the best way to prevent misconduct. Everything else just remedies misconduct after it happens.

And somehow, I think the newly minted compliance officer I met will do just fine.

The reporter in me is fascinated by the ongoing story of Wiki-leaks, and its decision to post online 76,000 classified or otherwise secret documents about the U.S. war in Afghanistan—mostly because I no idea that our messy situation in Afghanistan was, you know, news. Nevertheless, Wiki-leaks made a gigantic splash by sharing those documents with the New York Times, the Guardian and Der Spiegel, which on July 25 jointly broke the supposed story that our military mission in Afghanistan has been going poorly pretty much since U.S. troops arrived there in 2001.

I won’t comment on the ethics of leaking such information. We in the compliance community can be plenty alarmed just by talking about the mechanics of leaking it.

More than anything else, the Afghanistan Document Dump underscores just how quickly and easily people can now move huge volumes of information. Consider this: 91,000 pages is equivalent to more than 342 copies of The Big Short by Michael Lewis, or a pile of Stieg Larsson’s The Girl Who Kicked the Hornet’s Nest stacked more than 26 feet high. That’s a lot of information by anyone’s measure. And Wiki-leaks shared it with the media in less than a day.

Now compare that to Robert Hanssen, the FBI agent turned spy for the Soviet Union and Russia in the 1980s and 1990s. At the time of his arrest in 2001, most people described his espionage as one of the worst intelligence failures in U.S. history. He leaked only several hundred documents—that is, less than one Stieg Larsson novel—over the course of 22 years.

Welcome to the information insecurity age, folks. Anyone can now steal huge volumes of information, perhaps even all your company’s information, with a portable hard drive available at an office supply store for less than $100. That thief can walk out the door with that flash-drive in his pocket, get a drink at the local coffee shop, and then share all that information with anyone in the world almost instantly.

And just to feed your paranoia a bit more: The person believed to have provided the documents to Wiki-leaks is Bradley Manning, a 22-year-old from Oklahoma who joined the U.S. Army in 2007. He had been working as an intelligence analyst, and has the rank of private first class.

As always, your biggest security risks are your employees.

Attention compliance and financial reporting executives in the Pacific Northwest: Compliance Week will be hosting its next editorial roundtable in Seattle in early September, to talk about how companies are handling new requirements for proxy disclosure—risk management, climate change, executive compensation details, and everything in between. Joining us to co-host the discussion will be Colleen Cunningham, global managing director of Resources Global Professionals and a columnist right here at Compliance Week.

If you’d like to participate in the discussion and be featured in a subsequent article about the event, please contact me at mkelly@complianceweek.com. Participants must be in-house executives at publicly traded corporations, but beyond that, we welcome anyone who plays a role in proxy disclosure at his or her company, whether you’re in the legal, accounting, risk management or internal audit department.

These are excellent opportunities to meet and talk with your compliance peers about the struggles you all have, so I do recommend them to anyone in the field. But be warned: we only have room for 16 seats at the table, and these events fill up. Interested parties should let me know soon.

Compliance Week took to the road again last week, this time hosting an editorial roundtable in Chicago with Thomson Reuters to talk about the overlap of corporate legal and compliance functions. Apparently we hit upon a popular subject; normally our roundtables attract about 12 to 14 compliance executives, but this one had 20 attendees. Conversation was lively, and we’ll have complete coverage of the discussion in our Aug. 3 newsletter. For now, however, let me give a few initial observations.

The general counsel is still the boss. Yes, I know, the revised U.S. Sentencing Guidelines say companies should have an independent compliance function, with a chief compliance officer who answers to the CEO or (ideally) the board. Well, that’s not happening yet. Fourteen of our 20 attendees said they report into the legal function; only two reported directly to the audit committee. Some attendees said their company was in the midst of creating an independent compliance function, but by far and away, corporate compliance was still subordinate to the legal department.

At firs that surprised me, since every best practice in the universe says an independent CCO is vital for compliance. But another theme from the roundtable was that these companies and their leaders do want a strong compliance function; they just don’t know what steps they should take to get there. They are terrified of adopting some organizational structure that can’t be changed easily, should the need arise (say, in a restructuring). They are terrified of leaving ethics and compliance in the hands of someone who isn’t a company lawyer, should an investigation be necessary and the company wants to protect itself with legal privilege. Everyone wants to take incremental steps to achieve strong compliance, but they all start from the general counsel’s office.

Coming soon to a compliance function near you: charters. Two attendees said their companies have charters specifically for the compliance function. This intrigued everyone else, and one of the two said his company adopted a charter to adhere to the U.S. Sentencing Guidelines. Another person quickly shot back: “Wait a minute—we need a charter to be in compliance with the guidelines?”

“Not yet,” the first attendee replied, “but that’s where this is going.”

There’s a lot of wisdom in that response, as cynical as it may be. Charters probably are the way of the future, especially if you’re in a highly regulated industry and want to appear nice and clean to your regulators. At the very least, a charter can’t hurt. It sends a message of seriousness, and if tone at the top really does matter to regulators, then a charter would fit the bill.

So where do charters come from? Apparently one emerging habit (I won’t call it a best practice, but it seems sensible to me) is to crib the language of your internal audit department’s charter, or the language of your audit committee’s charter if you don’t have an internal audit function per se. You’ll want the compliance charter to specify what information about ethics and compliance will be reported to the audit committee. You’ll also want it to specify who gives that information to the committee—which forces the board to address that question of whether compliance is an independent function, or reports into the legal department. There’s a deft piece of office politics for you.

Ethics matters. One attendee approached me just before the roundtable started to ask why Compliance Week doesn’t devote more attention to problems of ethics. I answered honestly: because we’re so busy following all the minutiae of regulatory compliance that we just don’t have time for ethics, and most of our readers are in the same boat. So as much as I enjoy discussing ethics—which I do—why bother? I can’t say I like that answer, but it’s the truth.

Well, as the roundtable closed, this same attendee gave an excellent reason why we should bother. At the end of the day, for all our regulations and policies and procedures and monitoring, misconduct comes down to one employee deciding whether or not to behave in some improper way. We can either monitor that employee (and all the others) constantly, or we can trust him to do the right thing—if he has a good sense of ethics. Or, as this attendee put it, “That’s what I worry about. An ethics problem will trump a compliance problem any time.”

You know, he’s right.

I don’t often recommend articles from a rival publication, since (of course) Compliance Week delivers every bit of information our readers could possibly want. But an essay from the Wall Street Journal’s latest weekend edition merits an exception.

The July 23 article, “Lost in Translation” by Lera Boroditsky, explores how differences in language shape peoples’ thinking. That is, the very way a person speaks and understands his native language can cause his brain to develop differently than the speaker of another language. Ultimately, two people who speak different languages might even have different natural abilities to, say, sense which direction they’re facing, or to recall events they’ve seen—all because the act of speaking their native tongue forces their brains to develop differently.

Somehow, I suspect that concept resonates with chief compliance officers whose employees are scattered all over the world.

Boroditsky, a psychology professor at Stanford University who studies linguistics, gives a great example from Spanish and Japanese. In both languages, a native speaker would see a vase accidentally knocked over and describe it as: “The vase broke itself.” In English, however, we instinctively assign responsibility to someone: “John broke the vase.”

But here’s where it gets interesting: Native Japanese and Spanish speakers, when viewing an accident, are less able to remember who did it. Their years of speaking a language with that blameless syntax hard-wires their brains to put less focus on responsibility when watching an accident. Likewise, Boroditsky gives the example of an aboriginal tribe in Australia that describes spatial orientation in terms of “east” and “west” rather than “left” and “right.” Its tribesmen have a better sense of direction the rest of us. Russians use more words to describe shades of blue, and have a sharper visual ability to distinguish shades of blue than someone who speaks English. You get the idea.

So often when I talk with compliance officers, the conversation turns to the challenge of convincing non-US cultures to obey our laws, rules and customs. Under the best circumstances, we face uphill battles winning over employees in Europe, who already have a natural inclination to the same values and habits we consider normal in the United States. When we talk about cultures even more alien from ours—Africa, the Middle East, and above all China—the battle seems hopeless. One friend of mine, the former CCO of an electronics distributor with an extensive presence in China, expressed frustrations that I’m sure sound familiar: “How do we reach people who seem to have fundamentally different values from ours? I mean, to their mind, of course you give the contract to your friend or brother-in-law—what sort of person would not do that? They just see things differently than us, and I don’t know how to cross that gap.”

I don’t know how to cross that gap either. Boroditsky goes one step further, raising the idea that perhaps we can’t cross it at all. That’s little solace to compliance officers doing business globally, I know—but it’s certainly food for thought. Read the article if you can.

Hooray, Congress passed the Dodd-Frank regulatory reform bill into law last week! Now we can all start speculating about how ineffective, irrelevant and incomplete it is! Right? Um … right?

Here’s the unvarnished truth, folks: Nobody talking about the Dodd-Frank Act today has any idea whether it will really achieve its intended aim of creating a stronger financial system. Not the lawmakers who passed it, nor the special interests who drafted it; not the chattering classes who gabbed about it on CNN and CNBC all weekend long, nor your outside counsel who will keep gabbing about it while billing you $500 an hour. Nobody really knows what the consequences of this law will be—not even me, much to my dismay.

We can, however, describe what the success or failure of all this reform will look like. After all, we know what the Dodd-Frank Act is supposed to do, at least according to the vague sense of public sentiment out there. So I’ve been pondering what we collectively—Corporate America, Congress, and the investing public—will all want to know about the Dodd-Frank Act at some (still undetermined) point in the future. Seven questions came to mind:

• Will it improve how we handle systemic risk?
• Does it embolden enforcement?
• Does it improve corporate governance?
• Will it reduce liquidity risk?
• Does it hold reckless parties accountable for their behavior?
• Will it reduce taxpayer bailouts?
• Will it prevent another financial crisis?

Sometimes landmark court cases turn out to be little more than bumps in the road. Today’s Supreme Court ruling against the Public Company Accounting Oversight Board is one of those times.

We will, of course, hear all manner of headlines and hyperbole about the case, Free Enterprise Fund v. PCAOB, and how it is a victory for conservative activists who had been trying to undermine the whole governance regime spawned by the Sarbanes-Oxley Act. And that’s accurate; the parties pushing this case finally won their argument that the way PCAOB board members are appointed is unconstitutional. That argument has merit, too. The PCAOB is an unusual constitutional creature—an appointed board overseen by an appointed board—and the court reached a reasonable decision that such a beast is too far removed from presidential authority. Its solution: to give the Securities and Exchange Commission power to remove PCAOB members at will.

But that’s pretty much where the victory ends. For compliance and financial reporting officers, life continues, and you might as well get back to your usual routines for testing internal controls over financial reporting. There’s not much else to see here.

The court specifically said that this particular provision of SOX can be “severed” from the rest of the law, meaning the rest of SOX remains intact. It also said the PCAOB can continue to function, and that Congress and the SEC don’t necessarily need to take any action to fix any legal defect here. If the PCAOB continues to exist, and all the rest of Sarbanes-Oxley continues to be in force—well, I’m hard-pressed to see how this will have substantial consequence for those of us toiling in the fields of corporate compliance.

The plain truth is that the conservative activists who filed this suit several years ago had dreams that the whole of Sarbanes-Oxley would be overturned, but the Supreme Court’s conservative majority didn’t take the bait. Clearly those five conservative justices could have made a much more dramatic ruling had they chosen; previous decisions this term such as Citizens United demonstrate that they have no qualms about engaging in good old judicial activism when the mood strikes them. For example, the court could have diluted enough of the PCAOB’s authority that board members no longer qualified as officers of the U.S. government, or neutered the board’s enforcement powers so that they were recommendations only. It did not.

Instead, the justices blinked in the face of political and legislative reality: SOX may be a law noble in its intention and messy in its execution, but it’s something nobody in Washington wants to revisit. So the justices ruled narrowly on one specific provision of SOX, and left the rest of the law alone. They gave Congress and the SEC as small of a headache as possible.

Your headaches, in contrast, will continue as usual.

Like most human beings, I somewhat wish derivatives had never been invented—not because they aren’t useful (they are), but because discussion of how to regulate the derivatives trade makes my head hurt. I’m sure I am not alone on this.

Nevertheless, how derivatives are created, traded, and disclosed to the public is indeed an important discussion to have. Congress is in the final stages of hashing out its regulatory reform bill—which at last count has hit more than 1,900 pages—and apparently derivatives have become a late-stage battleground before the final legislation passes and becomes law.

To many executives, this may seem like an obscure fight that only matters to the corporate treasurer or maybe the risk-management office if your company works in financial services. It isn’t. The more you dig into exactly what the derivatives business might look like after reform, the more queasy accounting, financial reporting, and compliance officers should feel. Let me give you a simple, hypothetical example.

Acme Airlines is an international airline that has to worry about fluctuations in the price of oil. It wants to purchase derivative instruments that will off-load those risks to another party more willing to shoulder them. Those derivatives will cost Acme some money, yes, but that’s a small price to pay for stability in a very uncertain part of Acme’s business.

Right now, Acme can buy those derivatives by calling around to various investment bankers, hedge funds, or anyone else willing to enter into the deal. XYZ Bank steps forward and says it is happy to provide oil for $72 per barrel for the next 12 months, in a deal worth a total of $100 million. Of course, XYZ wants some protection in case Acme goes bankrupt during that time, so Acme posts one of its jets as collateral. The deal is done.

Now let’s consider that deal in a post-reform world.

At the core of Washington’s reforms is the idea of a clearinghouse to manage derivatives trading. Instead of Acme shopping around for derivatives and buying them from XYZ, it approaches the New York Derivatives Exchange and buys its derivatives directly from the exchange. The Derivatives Exchange, in turn, then sells that derivative exposure to another party—perhaps XYZ Bank, but perhaps some other party or even several parties, each getting a piece of the $100 million in exposure.

What’s happened here? The risk of the derivative instruments has shifted from the counter-party (XYZ Bank) to the clearinghouse. That prevents Acme from getting screwed should XYZ ever fail to deliver its end of the contract—but it also means that our clearinghouse, New York Derivatives Exchange, carries a lot of risk. And that, in turn, means the exchange will need sky-high capital reserves.

You, Acme Airlines, will be paying for those higher reserves.

Exactly how much more this new clearinghouse model will drive up costs is still anyone’s guess. Lawmakers hope that multiple clearinghouses will emerge, competing against each other for business and keeping price increases minimal. I see the Econ 101 logic in that, but I’ll believe it only when I see it.

We have two other headaches in our clearinghouse world. First, remember that jet Acme posted as collateral to XYZ? That option flies away. The clearinghouse will want cash as collateral. After all, if Acme does default on its end of the contract, what good is it for the clearinghouse to take possession of a plane? Second, the amount of cash the clearinghouse will want as collateral will fluctuate as well, every day, to offset the clearinghouse’s own risks and capital reserve requirements.

Again, nobody yet knows exactly how much cash this new model will cost, although I suspect the Wall Street quants are already working on that. But it will cost something.

Foremost, accounting and financial reporting executives should feel the most unease here. They’ll be the ones calculating all these shifting derivative prices, and they’ll be part of that finance team ensuring that the company has enough cash on hand to meet the clearinghouse’s demands every day. None of that will be easy.

Compliance and risk officers won’t get off the hook either. Risk officers will need to pay more attention to whether the company should take out derivatives contracts in the first place, given the higher cost of purchasing them. They’ll need to ensure that the company stays within any financial restraints (say, a debt covenant or some key leverage ratio) that might trigger higher collateral requirements from the clearinghouse. Compliance officers will need to ensure all reporting is done accurately, promptly, and properly. And of course, all that cash going to collateral payments has to come from somewhere—like, say, that anti-bribery training program you wanted to launch in 2011.

All this is not to say that reforming derivatives is a bad idea; on the contrary, this is one part of the financial world that desperately needs more oversight. But Congress is down to brass tacks now, and no matter how boring or complicated derivatives oversight may seem, it’s worth paying attention. Occasionally those folks in Washington do stuff that actually matters.