As SEC broadens international enforcement focus, compliance efforts must adapt

In an age of multinational trade and commerce, the world can be both “flat” and crooked.

Technological advances, trade dependencies, and international supply chains mean that even the smallest of companies may be connected to vendors and customers around the globe. That lattice of connectivity—a boon in a multitude of ways for businesses—also means an expanded risk landscape. There is an intersection of money laundering and terrorist activity. Corruption and bribery more easily crosses borders. The digitally connected world fosters cyber-criminals and creates privacy and data protection concerns. And cultural norms incubate ethical confusion.

Globalization has pushed the Securities and Exchange Commission—as well as its colleagues in the Commodity Futures Trading Commission and Department of Justice—to refocus its regulatory and enforcement regime with an international focus.

Doing so is crucial as the world’s capital markets are undeniably global and interconnected—growing more so by the day. As of 2015, U.S. investors held nearly $9.6 trillion in foreign securities and foreign holdings of U.S. securities were over $17.1 trillion. Advisers registered with the SEC with principal offices outside the U.S. account for $8.7 trillion of assets under management, an amount that has quadrupled since 2003. The Commission must supervise these registrants, wherever in the world they maintain operations, personnel, and records.

In the United States, the financial crisis of 2008 gave rise to a flood of new regulations under the Dodd-Frank Act. Financial accounting improprieties, years earlier, brought the Sarbanes-Oxley Act onto the regulatory landscape. The systemic problems underlying those monumental acts of legislation were not unique to the United States. As regulators tackle emerging risk areas around the world, companies with cross-border interests face unprecedented compliance challenges and conundrums.

“As the U.S. and other countries seek to regulate the same individuals, entities, and conduct, in increasingly similar ways, parallel international investigations and enforcement have been on the rise,” notes the law firm BakerHostetler in its annual Year-End Cross-Border Government Investigations and Regulatory Enforcement Review. “Our increasingly global regulatory and enforcement environment presents unique challenges to companies that operate trans-nationally. Companies with global reach now face a web of overlapping domestic and foreign regulatory requirements. [They] must now also frequently defend against investigations and proceedings commenced by multiple regulators across multiple jurisdictions.”

“This environment also presents unique difficulties for defending against cross-border investigations and enforcement, as applicable laws concerning data privacy, labor and employment, and the attorney-client privilege, among other areas, vary by jurisdiction and need to be reconciled,” the report adds.

In their recently published book, “The New Era of Regulatory Enforcement: “A Comprehensive Guide for Raising the Bar to Manage Risk” (McGraw-Hill Education, 2016), Timothy Hedley, KPMG’s global lead for fraud risk management services, and Richard Girgenti, national and Americas leader for KPMG’s forensic advisory service, provide an overview of the challenges companies face in conducting business in this new, oftentimes perplexing environment.

Over the past decade, growing awareness of the harm of corruption on the legitimacy of governments and international commerce “has prompted efforts to curb the practice of bribery, particularly in the passage and enforcement of anti-bribery and corruption laws around the globe,” they wrote. “For more than two-and-a-half decades since the passage of the Foreign Corrupt Practices Act in 1977, the U.S. stood virtually alone in criminalizing the bribery of foreign government officials, and there seemed to be little appetite in the U.S., and virtually none outside [it], to prosecute this activity. But, in 2004-2005, all this changed. The Department of Justice and SEC dusted off the FCPA and, with unprecedented vigor, started prosecuting companies and individuals who violated its provisions.”

“You have greater coordination between law enforcement agencies around the world, but you also get this incredibly complicated chess game that you have to play. This government here wants this information, but this other government, where I gathered the information, doesn’t want me to give it up.”

Michael Shepard, Partner, Hogan Lovells

At the same time, dozens of foreign countries passed similar anti-corruption laws and stepped up their enforcement efforts. Enforcement activities ramped up as never before in Brazil, China, and the European Union.

“For many, many years, American businesses were lobbying to get other countries into the anti-corruption business because they thought the FCPA unfairly hampered them,” says Michael Shepard, a partner at law firm Hogan Lovells, a former federal prosecutor and Interim U.S. Attorney in Chicago. “I understand why they did that, but there is a downside in that you now have all these other countries that are potentially looking at them.”

“You have greater coordination between law enforcement agencies around the world, but you also get this incredibly complicated chess game that you have to play,” he adds. “This government here wants this information, but this other government, where I gathered the information, doesn’t want me to give it up.”

While ever-expanding data repositories give regulators added investigative tools, the information can also be leveraged to improve compliance efforts and guard against FCPA violations. Improved accounting systems, for example, can take advantage of larger data sets and better control where every dollar goes within an organization, and how it needs to be tallied before returning to the outside world. Shepard says. “Who is it going to? How much due diligence did you do before it went here?” Shepard says. “Now you can, at least with some systems, keep a tighter lid on it than ever before.”

If evidence is needed of the SEC’s international focus, it is telling that Chairman Mary Jo White addressed it in both of her very first speeches after joining the Commission, and in one of her very last ones.

In May, 2013, White spoke to the Investment Company Institute on Day 18 of her tenure. “Already, I find myself emphasizing to some outside the agency that the international aspect of the SEC’s role is not a distraction from our important core domestic duties,” she said. “Rather, that role must be understood in order to fully appreciate the agency’s whole mission.”

“A defining fact of life at the SEC today is that we are not alone in the global regulatory space,” she added. “We must find common ground with our counterparts abroad, collaborate on everyday matters like enforcement and accounting, and knit together a regulatory network that offers protection, consistency, and stability to market participants—especially in the United States, but abroad as well.”

Ways the SEC is integrating itself into the global financial system, White said, include one-on-one negotiations, membership in global organizations, participation in bilateral and multilateral discussions, and domestic regulatory recognition of foreign reporting and accounting practices. Over the years, the SEC has played an active role in international bodies like the International Organization of Securities Commissions and the Financial Stability Board. This has “helped to ensure coordination among financial regulators who share common regulatory objectives.”

Negotiations with foreign regimes, by both the SEC and CFTC (they share oversight of the derivative marketplace) include a focus on “substituted compliance. It allows foreign market participants, whose transactions would otherwise be subject to Dodd-Frank Act requirements, to comply instead with their home country’s requirements so long as regulatory outcomes are comparable with those under U.S. law.

INTERNATIONAL PARTNERSHIPS

The following is from a Sept. 21 speech, delivered by Securities and Exchange Commission Chair Mary Jo White before the International Bar Association.
Today, all securities regulators need to be very cognizant of our global, as well as domestic, responsibilities, whether we are implementing standards for the global over-the-counter derivatives markets; detecting and protecting against new systemic risks in our financial systems; helping each other enforce our respective laws by gathering evidence from across the globe; examining our registrants, wherever they may be located, to ensure that they are abiding by the rules; or raising the bar on world-wide enforcement efforts to combat corrupt corporate payments, through our Foreign Corrupt Practices Act (FCPA) or similar regimes in other jurisdictions.
All securities regulators, around the world, share the overarching obligation to protect investors – the end-users of the products and services that we regulate. Fulfilling this all-important function is not possible if we stop our work at country borders or fail in our efforts to achieve robust international cooperation. Neither the SEC, nor other regulators, can go it alone, and we have many avenues to facilitate working together.
The SEC communicates frequently with market regulators, central banks, finance ministries and law enforcement authorities in other jurisdictions, directly and through our participation in international organizations – most notably, the International Organization of Securities Commissions (IOSCO) and the Financial Stability Board (FSB). The SEC also works bilaterally and multi-laterally with foreign authorities, both on policy issues with a cross-border dimension and on supervisory and enforcement issues.  Indeed, the SEC has over seventy-five formal cooperative arrangements with foreign regulators and law enforcement agencies and is a signatory to the IOSCO Multilateral Memorandum of Understanding (MMOU) on enforcement cooperation, to which there are now over 100 signatories.  All of these arrangements facilitate sharing critical enforcement and supervisory information.  And the SEC and other countries make extensive use of them.
While international cooperation and coordination have increased significantly in recent years, we still face significant challenges from laws and practices that can impede strong regulation, supervision, and enforcement.  And it is incumbent upon the SEC and our international counterparts to work through these issues in a way that provides maximum cooperation and coordination and avoids regulatory arbitrage.  We must do this while recognizing that we do not operate in a one-size-fits-all world and that there are, for good reason, significant differences in our domestic markets, as well as our regulatory regimes. 
Source: SEC

“This approach recognizes that we live neither in a ‘my way or the highway’ world nor a world of whole-cloth acceptance of another jurisdiction’s regulatory regime,” White said. Also, the Enforcement Division formed the Cross-Border Working Group, an inter-divisional team to address risks associated with U.S. issuers whose primary operations are located overseas.

“Regulatory globalization is now a continuous and ongoing process, and one that has gotten much more intensive and complex,” White said. “We often find ourselves sailing in previously uncharted waters.”

The waters were less uncertain but still a bit choppy when White revisited the topic in September 2016, as she prepared to depart the agency at the conclusion of the Obama Administration.

Although most foreign-based issuers are engaged in legitimate business operations, others may take advantage of the remoteness of their operations to engage in fraud or other securities law violation, she said during a keynote address before the International Bar Association. This has resulted, for example, in numerous cases against China-based issuers involving market manipulation, accounting and disclosure violations, and auditor misconduct among other charges.

The SEC currently has more than 75 formal cooperative arrangements with foreign regulators and law enforcement agencies. It is a signatory to the IOSCO Multilateral Memorandum of Understanding (MMOU) on enforcement cooperation, to which there are now over 100 signatories. These arrangements facilitate sharing critical enforcement and supervisory information. In 2015, the SEC made 165 requests for enforcement cooperation and received 243 requests for enforcement cooperation under the IOSCO MMOU.

An “internationally important topic” affecting the SEC is foreign privacy and other data protective laws that complicate cross-border data transfers for supervisory purposes. Various countries’ laws, including blocking statutes, privacy, bank secrecy, and state secrecy laws, are designed to achieve important national objectives. “They also frequently create obstacles to cross-border flows of information between regulators and foreign-domiciled registrants, thus complicating, and in some instances impeding, the regulators’ ability to carry out their supervisory responsibilities,” White said. Some of these laws “can prevent foreign-domiciled registrants in certain jurisdictions from responding directly to SEC requests for information without authorization by the foreign government.” Others can prevent the Commission from being able to conduct any type of examinations of registrants, either onsite or by correspondence.

“More than ever before, it is critical that jurisdictions break down their information-sharing walls,” White said. “As regulators, we cannot afford to have a blind or even cloudy spot.”

As for FCPA enforcement, the SEC has received assistance from an expanding list of countries in FCPA cases filed in 2015 and 2016. A global settlement with a telecommunications provider based in the Netherlands, where the company agreed to pay $795 million to resolve its violations of the FCPA in Uzbekistan, included “significant cooperation” from civil and criminal authorities in 14 countries and territories.

As for the Justice Department, which often works alongside the SEC on FCPA enforcement, it is also stepping up international cooperation efforts. It recently announced a new initiative that devotes an attorney to enhancing cooperation with the United Kingdom’s Financial Conduct Authority and the Serious Fraud Office.

“This new position builds on years of parallel investigations and significant cooperation,” a statement announcing the effort says. As an example of existing cooperation, it cites the multinational investigation into the manipulation of LIBOR, a key benchmark interest rate. “Our combined efforts prosecuting LIBOR manipulation have expanded into several other cross-border investigations, and we see this new attorney position as a natural outgrowth of what will continue to be a close relationship for years to come,” the agency said.

“You will see, more and more often, that both the SEC and Justice Department are working with overseas counterparts. LIBOR is a good example of that,” says John O’Donnell, a partner at law firm Herbert Smith Freehills, a former U.S. federal prosecutor for the Southern District of New York, and a former SEC enforcement attorney. “When you see an SEC or DoJ settlement, there will usually be some acknowledgement in the press release that thanks the U.K.’s SFO, the public prosecutor of the Netherlands, the Hong Kong Monetary Authority, or whatever foreign counterpart they worked with on an investigation. You see that regularly now.”

There will likely be a continued increase in international coordination regarding charging decisions. “It makes negotiations to resolve a matter that much more intricate,” O’Donnell says. “You need to be thinking of multiple regulators who want a seat at the table and who are going to have their own interests they want vindicated in the resolution of the action … If you have another regulator who is not going to take a reasonable approach [of allowing one regulator primacy] and is going to insist on their own slice of the settlement, that’s a factor that has to be dealt with in the overall resolution.”

The SEC, DoJ, and CFTC “are constantly pushing the jurisdictional envelope and I think you are starting to see some of the international firms push back,” says Brett Ingerman, chair of law firm DLA Piper’s global governance and compliance practice. “There have been some recent court opinions and challenges to the jurisdictional reach of U.S. regulators. We are starting to get some definition, through the courts, of what the extent of that global reach is.” That said, his advice to multinational companies is “to assume a global regime and act accordingly.”

“In the old days, the U.S. government was kind of the Lone Ranger out there trying to enforce FCPA and other actions,” he adds. “They were not getting a whole lot of cooperation from foreign regulatory or enforcement authorities and they would need to issue MLATS (mutual legal assistance treaties) in order to get information. That was a cumbersome, time- and resource-consuming, and expensive process. Companies knew that and were not very concerned about the DoJ or SEC being able to get information from foreign subsidiaries or foreign countries abroad unless it was a really major investigation. That has changed dramatically and there is now tremendous cooperation with foreign regulatory enforcement authorities.”

From a policy perspective, “it is probably a good thing,” he says. “If there is a global coordination to root out corruption, price fixing, and other violations of the law, that’s a good thing. [Global companies] need to be mindful of the new environment and make sure they have a robust compliance program that addresses not only U.S. or their local foreign regulatory enforcement risk, but one that really addresses global risk. It is critical.”

Controls and policies, he says, must prioritize enforcement concerns through risk assessments. “Savvy and sophisticated companies do that on a risk basis,” Ingerman says. “If they are in a business where money laundering and corruption is their greatest risk, they are going to focus more resources on a compliance program that deals with those issues, as opposed to a company that’s greatest risk might be data privacy or corruption. You are not trying to address every risk in every jurisdiction for every business sector. That is unrealistic, and you will end up with a program that collapses under its own weight.”

Third-party due diligence programs should similarly be risk-based. “You don’t need to spend nearly as much time vetting UPS, Home Depot, or Apple as you do the guy who is dealing with the customs folks in China,” Ingerman says. “Companies are intimidated by third-party due diligence because they view it as this behemoth of a project. They look in their accounts payable system, see that they have 25,000 vendors, and ask how they can ever have a comprehensive third-party due diligence program. The reality is that a great majority of those vendors don’t need any significant vetting if you manage things on a risk basis. You look at industry risk, look at business risk and geographic risk, and you can put together a program that captures, probably, 98 percent of your third-party risk.”

One recent, unique result of the changing climate: an increase in international companies with little or no connection to the United States, nevertheless developing U.S.-centric compliance programs. “They view that as a market differentiator for them, even if they don’t do business in the United States,” Ingerman says. “When they go to a correspondent bank or a counterparty in another jurisdiction, they can sit at the table and say: ‘By the way, in addition to all of the business advantages we bring to this deal, we also have this U.S.-based compliance program. We really do have strong policies and procedures in place We are doing transaction testing, and we are making sure that we are not going to get caught up in some web of corruption somewhere.’ That becomes a market advantage.”