Guest Speakers: Tom Fox, Charmian Simmons
2020 Guide to ESG compliance and CCPA overview
Episode 12 | Duration: 24 minutes
What’s changing in the space of business compliance, and what’s the role of the ESG component? Learn from Tom Fox, the Compliance Evangelist and the founder of the Compliance Podcast Network, as he lists the best practices for avoiding reputational risk and newly introduced fines. What’s coming in the near future, what are the best tools for compliance officers, and which are the 3 key items to set the game in 2020?
Keesa Schreane: Welcome to the Refinitiv Sustainability Perspectives podcast, where we share examples of leadership and innovation. Small entrepreneurial businesses, large megacorporations and all types of enterprises in between are seeing a global shift in perspectives around the role of business and society. From ESG investing to sustainable finance to social impact in our communities, we're on a journey to leverage data and intelligence to make the best business decisions possible. Enjoy the podcast.
Hello everyone, and welcome to the podcast. Today, we're going to discuss best practices to avoid reputational risk and fines, upcoming regulations, as well as top tools for compliance managers in 2020. And three key trends compliance and ESG professionals need to know this year.
Our guests are Tom Fox and Charmian Simmons. Tom hosts 30 podcasts on his Compliance Podcast Network, and a few of those podcasts include This Week in FCPA, Life with GDPR and other shows that are focused on the latest compliance and regulatory news. He's also served as general counsel at Drilling Controls, oilfield manufacturing, and practiced law for 34 years. Charmian Simmons is the performance director at Refinitiv, where she has expertise in risk strategy. Prior to her role at Refinitiv, she was the head of North America at Lloyds Banking Group and a V.P. at Morgan Stanley.
Welcome to you both. Tom, what are the major shifts that are taking place related to the ESG component in business compliance?
Tom Fox: We're seeing movements from financial institutions and those that provide money and those who provide access to capital. So just recently, major banks announced that they would be looking at companies’ ESG efforts going forward and sustainability efforts. When the banks start grading you on ESG efforts, that is a clear sign to the management of every public company that they need to have these processes in place and they need to be able to demonstrate and document that they are ongoing and functioning.
So when you have a variety of stakeholders all suggesting this is important and of course, the social media amplification of customers and other stakeholders who want to do business with companies that have a wide variety of compliance within their organization, they want to do business with ethical companies. You have a wide variety of stakeholders both up and down the chain who are now saying this is important and businesses are listening.
Schreane: But when you think about that, Tom and Charmian, there is no real standard around ESG right now. So in terms of customers wanting to do business with firms that are compliant that meet some ESG requirements, there is no one size fits all in terms of a standard. I mean, the same way that we have standards around other things and industries. So how can a firm get an understanding of what a company is focused on, what they are compliant around and what they're not doing in terms of compliance to really make that decision around ESG and working with the company?
Fox: Well, if we take each component of ESG, environmental, social and governance, there are certain well-known best practices in each one of those. Good governance practices: corporations would have split their CEO and chairman of the board. Do they have reporting mechanisms from their senior managers up directly to the board of directors? Within environmental, it doesn't mean your company has to be green, but it certainly has to be climate aware. If you're in a business where you are at risk from flooding or major storms or fires, that is something that you need to manage, that risk, and be able to document that you manage that risk. And what about your sustainability? Are you working to reduce your carbon footprint within your organization, within your travel policies and procedures? Are you utilizing some of the modern techniques of simply having an over-the-air meeting or an online meeting, which literally not only saves money, but reduces a carbon footprint? So each one of those has its best practices and standards. And I think if companies will focus on the different components of each, they can bring that forward and demonstrate to a banker, demonstrate to a private equity company or even demonstrate to a regulator if they come knocking.
Simmons: Right. And I think the question around, is there a standard for this? And, you know, being with Refinitiv, one of the best parts of what we offer is data. And right now, there is a lot of data that's out there and available around ESG. It's been there for quite a while. It's just how do we harvest that information? How do we bring it together so that organizations can use it?
Schreane: So you raise a great point, even though there is not an overarching sort of standard. There are best practices and governance. There's governance around each of the components. Clearly, not all firms are going to abide by those best practices. Not all firms are going to be compliant. And that kind of puts some firms in a challenging situation, to say the least, in 2019 in terms of fines. You talked about their reputation. Reputational risk is a huge piece of it, but fines are equally as important. Do we think that 2020, with 2019 being I think one of the years we've seen the largest number of fines, do we expect 2020 to deal the same cards or do we expect a bit of a pullback? Have people learned their lesson, so to speak, or do you think that we will continue to see those increases in fines?
Fox: So certainly in the Foreign Corrupt Practices Act, anti-corruption world, 2019 was a banner year: $2.9 billion in fines. Thirty-four individuals convicted or indicted for FCPA violations. But frankly, that's going to grow in 2020. The reason that's going to grow is Goldman Sachs has reserved $2 billion -- that's with a B -- plus for a proposed FCPA settlement. When a company reserves money, they generally know that the fine will be in that range. That's going to be the start. That fine comes out in Q1. That only means $900 million more to beat 2019. So 2020 in terms of dollar amount could be the number one.
But equally importantly, we had a criminal indictment released of two individuals, a COO and the CEO from Unaoil. Within that indictment there were listed 25 identifiable companies in the energy space who had used Unaoil to pay bribes in different countries across the globe. Every one of those companies could have an FCPA violation. The individuals who authorized those bribes within those companies could also be subject to indictment and criminal prosecution. So we could well have individually the largest year ever as well. So the interesting thing, though, is, think about the tone of administrations. This is carried forward from the Obama administration to the Trump administration. So it's been a consistent growth and a consistent pattern within very diverse political philosophies, yet still staying the course and increasing FCPA fines and penalties.
Schreane: Right. So in looking at the direction things look to be headed in, there certainly have to be tools, compliance tools that can be used, technologies that can be used to help reduce those numbers to really help pull that back. Charmian, can you describe some tools that maybe compliance officers are using now that can assist in helping them meet their goals?
Simmons: Absolutely. I think in the last, I'd say perhaps two years, I think I've seen, and I think, Tom, you've seen that as well, a change in who the compliance officer necessarily is. We're seeing a lot of general counsel moving across into compliance roles, particularly in the corporate space. And while their skill set is very well understood in sort of the legal area, as they move into compliance there are a lot of other things to think about that aren't always top of mind, of how do they bring things together. So I think the convergence and having a tool that can bring a lot of that together for them. So whether that's external data that they're bringing in-house, whether it's around how they're doing their KYC [know your customer], their onboarding process, whether it's for an individual or for a vendor, whether it's something to do with the ESG data components, whether it's something to do with how they are taking the other aspects of risk in their business, take a bank, anything to do around credit risk, market risk, how do they take some of their internal risk and control self-assessment and bring those in-house for what an audit department might be doing? How do they get that holistic view in order to package it in a nice way so that they can actually understand and assess their risk and bring it out to speak confidently to regulators, to all the particular parties when they're in different forums about how they are doing that. And what we are seeing is that that ecosystem of systems and technologies is really starting to take off.
Fox: So if I can perhaps pick up on Charmian’s point and really hit directly that companies like Refinitiv have a role in the fight against bribery and corruption on a global scale. And I say that because as a technology company, as a service provider, Refinitiv can bring access to data, access to Refinitiv’s own information, but equally important, access to data that sits within a company's own data, number one. Number two is helping people like me. You're absolutely right, lawyers interpret data. We're not trained to interpret data. Most of us can’t interpret data. And so we need a trained professional to help us understand what does that data mean. And then there's a third part, which is partner with the compliance discipline, the compliance function, to train us, to look at the data, to understand what the data means, to understand when we need to see more data, because it's raised a red flag or anomaly that means that we need further investigation. And so it's not simply the chief compliance officer. It's not simply the regulators. It is the service providers. It's the tech providers. It is the consultants. Everyone is involved in this fight. Everyone has a role. And she said it beautifully. It's the entire holistic approach. Everyone has a role. Everyone has a place. And everyone can build upon and raise each other up.
Schreane: So I hear strong tones around professional development too. Maybe compliance officers, attorneys in the past, may not have used data as much as they do now, and so how can we ensure that they have the tools and that they know how to use the tools, they know how to use data. So that's coming down.
Simmons: And I think that's also around, if you think about a maturity curve of what a compliance program necessarily looks like. You can probably move through the different phases of something that's very basic to something that's coming into a bit more competence, something that’s advanced, something that's really taking on things like artificial intelligence and those type of things, predictive analytics, in order to help them with that process. And that maturity curve is very, very important in terms of how well that ecosystem plays together.
Schreane: And I'm assuming if I'm the head of a compliance department, I would love for my managers and officers to come to me and say, hey, I really need to level up. I really need to understand what's going on out there now. I really need to get professional development. So it sounds like that's a really good starting place.
I think another good starting place would be just to understand the top three issues, whether you're focused in the Americas, whether you're focused on another region: the top three issues that a compliance officer would need to know in order to really lay the foundation. And I know we talked about multiple regulations in several regions across several industries. So I guess I'm asking something that's almost impossible. But if we could name a list of top three things that a compliance officer should really start off with, foundational items to really help them get an understanding of the best way to move forward in 2020, what would those be?
Fox: So from my perspective, it would be data, data, data, data. First of all, access to the data. Do you have access? Two, do you understand what the data means, or do you have access to a resource that can help you understand what the data means? The second is another thing we've been talking about -- compliance convergence. What potential risks in your company exist? Is it a climate risk? Is it a business risk? Is it a corruption risk? Is it a money laundering risk? Is it a trade sanction risk? Is it a human rights, human trafficking risk, whatever that risk might be? Do you, one, know what that risk is? Two, do you have a risk management or risk remediation strategy in place? And then are you monitoring that on an ongoing basis? And then perhaps less foundational and a little bit more aspirational would be number three: can you move compliance from a cost center to a profit center for your business? If you have data, then you can study a problem and then you can improve your business process. And I am a firm advocate and believe that more effective compliance equates to more efficient business processes, which equates to greater profitability. So I see compliance really as a next step moving into 2020 and perhaps even beyond, as moving, understanding data more so that it can move to become a profit center for a corporation.
Schreane: Data and helping compliance officers move their discipline to a profit center, that certainly is a great aspirational goal. So in terms of your big idea, what do the two of you see coming to bear in 2020 that will really take us by surprise, that will take not only compliance officers, but those who partner with compliance officers, by surprise? Something that is a big idea that we didn't see coming.
Simmons: I think the really interesting thing that's the big idea that people aren't seeing is how fast the regulators are starting to move. If we just take the FCPA fines that we were talking about before, with that $2.9 billion, regulators are getting a lot smarter. They're employing data scientists. They're bringing in AI to help them manage things. They're asking companies to provide them with data. So now they have their own intelligence. So they're becoming a lot more clued up, a lot more data savvy in terms of how they're going to be looking at things and managing things. Anyone from the DOJ, the SEC, the OCC, take BMAS in Singapore. Look at what the FCA is doing out in the UK.
I think people are going to be surprised about where they're going to start making a jump in what they're looking at and how quickly they're going to be able to do some of that. Some of the FCPA investigations we see now can take years to go through because they're trying to collect and backdate a lot of the data and where they can actually bring forward the right types of corruption, misconduct, those type of things. So I think that's probably the one that people aren't anticipating, what's going to happen by the end of this year around what regulators are having the capability to look into.
Fox: And I think it's going to be perhaps not something we hadn't seen, but really an amplification and speeding up of some of the content we've talked about, which is that compliance, when I started in this field, was lawyer driven: very rules-based policies and procedures. That has evolved certainly, and now we’re to the point where we see compliance as a business process. As a business process, that's why data is so important, because it can be studied and improved. And it also requires a completely, not completely, but largely different set of skills than lawyers are traditionally taught in law school.
You're going to need a data scientist. You're going to need an economist. You're going to need a behavioral psychologist. And compliance officers who are lawyer trained will partner with service providers and tech companies like Refinitiv. I'm a legacy Refinitiv customer as far back as World Check. The World Check product 10 years ago is very different than what Refinitiv provides now. And companies are going to be utilizing a far more nimble, quick and agile service provider such as Refinitiv to help them not only access data but interpret and then use it going forward.
Schreane: Great. So two big ideas. Regulators are moving a lot more quickly now. And the evolution of compliance moving to one that really demands lots of stakeholders to really give clarity.
Now, Charmian will provide us with greater insight on CCPA. If you could take us through exactly what CCPA is and then some of the implications that we think it will have.
Simmons: The CCPA, or the California Consumer Privacy Act, is a bill that's meant to really enhance privacy rights of consumers and protections for residents in California. It was a bill that was amended a couple of times and passed in September of 2018. And its goal was really to extend consumer privacy rights for the Internet. And that's really off the back of the Cambridge Analytica and Facebook incident that happened. And it really, you know, as most will, took a little bit of time to come into effect. So this one came into effect on the 1st of January of 2020. And right now, it is probably the most stringent of the data privacy laws that we have in the U.S.
I think the key view of CCPA is really from the consumer side of it, but then also from the business side of it. And if we take the consumer side of it, residents have the right to know what personal information is being collected about them, and the right to be able to request information to be deleted. So that really means that they need to know what details somebody has of them, what it's being used for, how the data’s being sold, who it's being shared with. And they could even request for some of that data to not be sold and shared with third parties. So if we flip that to the business side of it and what's the impact there for businesses, companies, et cetera, the CCPA law completely changed how companies now treat consumer data. The primary requirement for the business side of it is really a duty to respond to a data subject access request, so a DSAR, and that can come from a consumer or an employee or anybody else.
And really what the crux of all of that means is that they need to be able to verify the data subject's identity, then pretty much triangulate three pieces of data to help identify who that person really, truly is. They need to have access to and search sort of a comprehensive and accurate data inventory. It might be data they hold, it might be pieces of information that sit across their company rather than in one department. They need to be able to collect all that resulting data. They then have to review it. They might have to redact any confidential information that's on there about other subjects that might be in that pool of data that they've got. And then they need to either action it or delete it. And they need to do all of that within a 45-day period from when the consumer actually logs that particular request.
So today actually happens to be International Data Privacy Day. So one of those ones in January that everyone doesn't necessarily think of. But I think with CCPA, it's one of those ones that we should be mindful of. And in the month of January, a lot of people have already seen a lot of things coming through about updates of data, policies and things like that from different websites there and whatever else. So we're already in some of that act right now.
Schreane: In terms of where this will have an impact, this is in California. Do we see this spreading or has there been talk of this type of regulation spreading to other U.S. states?
Simmons: So that's a really good question. So, yes, this is very particular to California residents. But if you take a little bit of a step back and sort of say, well, who else has privacy regulations in the U.S., it's not that the U.S. doesn't have any. It actually has pockets of it. And if we look at what's happened with the Cambridge Analytica and the CCPA, it's a new wave of data privacy acts. And the best way I can sort of categorize a lot of that is really coming off the back also of GDPR that happened in May of 2018, with the General Data Protection Regulation Act. You know, it's the first time that companies really had to recognize the new rights of consumers and personal sensitive data, that type of information. And unlike GDPR, which is very broad, it's not really federal in a sense that it's for a country, it's for the European Union. The U.S. doesn't have that federal side of it.
So if we think about it from a state perspective, that new sort of generation of consumer oriented privacy laws and things, there's a couple that are already there. So obviously we've got CCPA. New York's got a proposed bill at the moment. I think Massachusetts has a proposed bill out at the moment as well. We've got Maryland that already has something in place. Hawaii already has something in place. North Dakota already has something in place.
So the three things that each one of them really wants to pick up on are: do they have a right to delete any information? Do they have a right to access that information and find out what people are storing on them? And do they have a right to correct any of it? And right now, if I was to associate which one of those is the closest to GDPR, which, you know, is probably the better standard that we're seeing from a very broad, multi-country perspective and what affects global organizations, the New York proposed law is probably going to be the one that's the closest to that. And the reasoning for that is it has the right to delete, the right to access, but it's the only one right now that has the right to correct.
Schreane: Great, wonderful background and insight here. And I'm sure the first of what's to come. We'll see a lot more of this. OK, so Charmian, what are the future ramifications of this?
Simmons: Good question. I think ramifications and concerns are a worry for anyone these days. And if you look at the digital economy that we're operating in right now, things change really quickly around us. Data is all around us. You know, whether it's at home, at work, on your phone, how you shop, how you buy birthday presents, how you send flowers to people. A lot of this stuff is done digitally, online. So there's a lot of concerns that people need to be aware of.
So I think for the near term future, some of those concerns are probably threefold. Let's think about, do customers truly know what their right is under CCPA? You know, will they act on it, on anything they see coming forward, if they're not even a resident of California, but they happen to be a company that's there, that has an association with it. Do they know about it? Are they savvy enough about any of the sort of Internet ads or anything they click on that might have an association with a company that resides in California that has to follow this particular act? That's one part of it.
Second part of it is how prepared are businesses right now with their systems, their processes, their controls, everything else, even to deal with those things we talked about before, the DSARs, those data requests that come through, you know, they have to fulfill those within 45 days. You know, are they able to inform the parties if they request for them to stop selling their data to third parties? You know, they've got about a 90-day timeframe to be able to do that. If a customer opts out of something, how long will that take? What happens if it goes through a third party process? What happens if a company or an organization implements a new system and their data inventory changes, or they go through a merger and acquisition? They have to sort of recalibrate their risk assessment and their processes around their data inventory of what they hold about an individual. So if one of these DSARs comes through, they actually can answer it from a holistic perspective. So that's the second part. The third part that I think is a near term sort of future thing that we should be considering right now is what's the cost of failure right now? So I think the fines around CCPA are about $2,500 per violation, and it increases up to about sort of $7,500-$8,000 for a violation if it's deemed to be international in its course.
So if we just look at how many data breaches there’ve been in the last two years, post the Cambridge Analytica Facebook incident, those fines are probably going to increase, and there is going to be a lot more attention about how people are collecting our data, how people are using our data, how much control we have over what our data does and what a company does with them. But that's just short term. I'm sure that on a longer term basis, in legislation, more states will probably start picking up on pieces of it. It's going to be interesting to see whether at a federal level, or under our current administration, they decide that we need something more federal in nature. But, you know, there's a lot of things to be concerned about.
Schreane: Great. CCPA, the background of GDPR, definitely very resonant there. And some of the important applications to come, customers’ understanding of this, if businesses are prepared for this and then the cost of failure. Tom and Charmian, thank you so much for joining us.