Save Money Where You Can, But Leave Compliance Alone

The full magnitude of the global implications of COVID-19 is still largely unknown, as both the humanitarian and financial costs continue to unfold. We have already seen a glimpse of the financial impact, with businesses walking back earnings projections and signaling financial strain. Amidst calls for closure of nonessential businesses across the majority of the U.S. and lower foot traffic attributable to individuals sheltering in place, businesses across industries are looking for a lifeline to remain afloat. Preserving cash has become of paramount importance, with companies around the world looking for ways to cut spending — drastically and quickly.

Compliance may be one such area where companies attempt to reduce costs. To be sure, it would be financially prudent and reasonable from a business perspective to scale back or eliminate specific compliance functions that have become unnecessary, but this would be appropriate only if the company’s risk profile has changed – due to the closing or restructuring of a division, for example. Achieving short-term savings by cutting compliance costs — when not related to changes in the company’s risk profile — poses serious risks. This risk is particularly acute for companies that benefit from the COVID-19 stimulus packages, including the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which comes with robust oversight mechanisms.

Enforcement is Not Slowing Down

As companies look for ways to reduce costs, they need to keep in mind that, COVID-19 or not, enforcement is not slowing down. Prior to the pandemic, the last few months brought some of the largest Foreign Corrupt Practices Act (FCPA) and Arms Export Control Act (AECA) settlements in history. In December 2019, telecommunications multinational Ericsson agreed to pay over $1 billion to settle FCPA charges, and in January 2020, Airbus agreed to pay $3.9 billion to settle FCPA and AECA charges. Likewise, False Claims Act (FCA) settlements grew last year to $3.05 billion after a slow 2018.

Since the beginning of the pandemic, U.S. enforcement authorities reaffirmed their commitment to investigating and prosecuting COVID-19-related fraud. On March 16, 2020, Attorney General William Barr directed every U.S. Attorney’s Office “to prioritize the detection, investigation and prosecution of all criminal conduct related to the current pandemic.” On March 22, the Department of Justice announced it brought its first civil enforcement action to combat fraud related to COVID-19. A March 23 statement by the Securities and Exchange Commission (SEC) confirmed that, notwithstanding having transitioned to remote work, it is business as usual at the SEC.

It will continue to enforce insider trading and related laws and is “committing substantial resources to ensuring that our Main Street investors are not victims of fraud or illegal practices in these unprecedented market and economic conditions.”

If Anything, Enforcement Will Intensify

Business activity related to the U.S. government’s administration of COVID-19 relief funds will be subject to additional scrutiny. The CARES Act, signed into law on March 27, establishes three oversight bodies:

1. the Office of the Special Inspector General for Pandemic Recovery within the Treasury Department;
2. the Pandemic Response Accountability Committee, consisting of the IGs for Departments of Defense, Education, Health and Human Services, Homeland Security, Justice, Labor and the Treasury, among others; and
3. the Congressional Oversight Commission.

Additionally, a select House committee to serve as another watchdog over the government’s coronavirus spending has been created. Called the House Select Committee on the Coronavirus and chaired by Representative James E. Clyburn (D-SC), this committee will be modeled after the WWII-era committee chaired by then Senator Harry Truman.

Experience with the oversight under Troubled Asset Relief Program (TARP) within the Emergency Economic Stabilization Act of 2008 (EESA) teaches that any entity that accepts government funds related to the COVID-19 pandemic will be subject to scrutiny by overseers committed to finding any improprieties, directly and even indirectly related to their receipt. To date, TARP’s Special IG’s criminal investigations have led to the conviction of 381 defendants, including 76 bankers, and many more defendants have been subjected to civil fines or other enforcement actions by the DOJ, SEC and other agencies.

A Company’s Risk Profile Remains as Relevant as Ever

With the robust oversight provisions in the CARES Act and the enforcement authorities’ commitment to investigate and prosecute fraud with as much fervor as ever before, there is no doubt the enforcement activity will not slow down, but rather will intensify in the aftermath of the pandemic. For this reason, companies need to ensure they continue to keep compliance top of mind, even as they navigate the unknowns that COVID-19 brings.

At any time, even without a global crisis unfolding before our eyes, the success of a compliance program depends, to a large degree, on whether it has been tailored based on the company’s risk assessments and updated as necessary. The results of a company’s risk assessment “are integral” in informing a company’s compliance “policies, procedures, internal controls and training in order to mitigate such risks.” For this reason, risk assessments are “the starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program,” as prosecutors “consider whether the company has analyzed and addressed the varying risks” it faces.

Risk assessments are especially critical now, when the potential for fraudulent behavior and misconduct has increased due to intensified pressures on sales and revenue generation, loosened controls and a greater risk of misappropriated assets as individuals are worried about their personal financial situations. Thus, now is the time to reassess a company’s risk profile with an eye toward tightening controls and reaffirming commitment to compliance.

Managing Compliance Through Tumult

Given how quickly and significantly the business landscape has changed under COVID-19, it is important to ensure that your organization is adequately equipped to address the compliance risks your business faces — both existing and new risks – that may arise as a result of market turbulence and a remote workforce. A company should tailor its policies and procedures to account for such areas of high risk and confirm it has an effective compliance program in place. Effective compliance departments will proactively respond to the current crisis, recognizing that nimbleness and agility are essential to this ever-changing situation.

There are serious challenges to fostering a unified, cohesive culture when companies are forced into remote work situations. Because a commitment to compliance starts from the top, senior management must communicate the organization’s values and priorities to its employees, and the compliance team must remain visible to, and in constant contact with, its scattered workforce. With 97 percent of Americans under a stay-at-home order, it is important that your organization continues to maintain a helpline that employees can reach while remote. It is also critical that your organization’s investigations department is equipped to continue investigating potential issues and that the systems and tools the investigators use can be accessed remotely if your team is unable to work on-site.

While implementing cost-cutting measures, organizations should not make changes that would reduce the overall effectiveness of the compliance program. However, there may be changes — temporary and permanent — that an organization can make without diminishing the program’s ability to fulfil its mandate. Travel spend, for example, may be an obvious target to reduce in the short-term, given that current restrictions on travel have likely already changed plans for travel planned through the second quarter of 2020 (if not further).

For companies that have restructured, closed or divested of a substantial portion of operations, it is prudent to evaluate whether the compliance function can be re-scaled to match the future needs and risk profile of the business. Companies can also consider whether postponing compliance enhancements designed to improve efficiency, such as automating a process that already has effective controls in place, would be a solution to preserve cash in the short-term. Companies should proceed cautiously, however, and avoid delaying program enhancements that would leave a risk unmitigated.

Conclusion

While the current circumstances may prove so dire that a company has no option but to reduce compliance spend, it is imperative to first perform a thorough assessment to evaluate the impact cost-cutting would have. With the market turmoil presenting the prime circumstances for potential misconduct, and the regulators signaling they are not planning to turn a blind eye, the long-term costs of noncompliance can be much greater than the current compliance spend.