Compliance Perspectives

By Adam Turteltaub Benjamin Christenson, Trial Attorney and Special Assistant to the Director for Criminal Enforcement at the US Department of Justice Antitrust Division, joins us for this podcast in which he sheds light on the their document, Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (ECCP). First issued in 2019, the ECCP was updated in 2024 to reflect changes in business, the law and technology, as well as what the Antitrust Division had learned over the last five years. He shares that there are three significant areas of focus in the ECCP worth particular study: AI and Emerging Technology. As companies deploy AI, it’s essential that compliance teams have visibility into what is being done, understand it and monitor antitrust issues such as using the technology to fix prices. NDAs and Whistleblowers. Like others in enforcement, the DOJ is concerned when a non-disclosure agreement may have a chilling effect on potential whistleblowers who are considering reportin

By Adam Turteltaub Want to improve your code of conduct? Don’t miss the session: Cornering the Code: A Multi-Disciplinary Approach Toward a Better Code of Ethics at the 2025 SCCE European Compliance &  Ethics Institute. In this podcast Matej Drascek, Head of Internal Audit at LON d.d. and Ursula Schmidt of Schmidt Advisory recommend starting with the right language. Research has shown, they explain, that people react more strongly to words like “we” and “our”, which can convey a stronger sense of shared responsibility  than words like “you”, “I” or “it”. Also, words like “must” or “have to” carry more weight than “may” or “should”. Of course, just using “we” and “must” won’t do it all. The code, they tell us, should have a service character that gives guidance to people and gives employees a sense of purpose. It should also be dynamic and work as a bit of a safety valve. It should provide reassurance that it protects them from making mistakes and helps them feel safer when addressing issues. For the code

By Adam Turteltaub I want to write enough about this podcast to get you to listen to it, but not too much because then you might decide that reading this was enough. I’m conflicted, and conflicts of interest are the topic of this podcast with Kasturi Venkatesh, who spoke on the topic “Ethics in Action: A Fun Guide to Tackling Personal Conflicts of Interest” at the 2024 SCCE Compliance & Ethics Institute. When it comes to managing the issue, she explains, the primary goal for compliance teams is to help the workforce identify and bring forward potential conflicts. The challenge is that they often hesitate to bring these issues to management or the compliance team out of fear and a lack of understanding. Training is helpful, but it can’t demonstrate all the potential issues, nor can it always overcome the anxiety. That takes a personal touch of reassurance. In this podcast, Kasturi makes the case for a gentle hand a nuanced eye. The compliance team needs to be aware of the sensitivities of workers and also

By Adam Turteltaub On November 6, 2024, the U.K.'s Home Office issued Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud (the Guidance). It comes out of the  Economic Crime and Corporate Transparency Act (ECCTA), which establishes that a corporation can be held criminally liable for failing to prevent fraud committed by any “associated person” for the benefit of the company. This “associated person” can be an employee or even a third party. There is a defense, explains James Tillen, member at Miller & Chevalier, for organizations that had reasonable prevention procedures at the time of the offence. What constitutes reasonable? There are six principles: Top level commitment A risk assessment Proportionate risk-based prevention procedures Due diligence Communication and training Monitoring and review Sound familiar? It is, since it builds off the guidance for the UK Bribery Act and is very similar to the US approach. It’s not

By Adam Turteltaub Auditing and monitoring of the compliance program is pretty standard these days.  Entain’s Karen Nightingale, Group Director of Ethics & Compliance and Jonathan Fox, Group Head of Ethics & Compliance Programmes, make the case in this podcast for going to the next level and actively testing your program. The two will also be addressing the topic at the 2025 SCCE European Compliance & Ethics Institute, which will take place in Lisbon, 10-12 March. Doing so, they suggest, can turn a reactive compliance program into a proactive one by actively searching for points of weakness, identifying red flags in advance and addressing them early. In practice, testing is more like an audit. It should be done periodically and provide an in-depth look at whether processes and controls are working as intended. By going deeper, it can uncover where there may be a weakness in what may appear to be a strong process as a whole. To determine what controls to test, there are several factors. First is recognizin

By Adam Turteltaub Note:  This podcast was recorded on December 17, 2024.  Any changes made after this date will be addressed at the Compliance Institute. At the 2025 HCCA Compliance Institute in Las Vegas, Adam Greene (LinkedIn), partner at Davis Wright Tremaine LLP will be leading the session “New Developments in Health information Privacy.” In this podcast he provides an overview of what he sees as notable privacy compliance challenges and what compliance teams need to be doing. Starting with the HIPAA Privacy Rule, reproductive information is the top of the list. There was a December 23, 2024 deadline for covered entities and business associates to have implemented a prohibition of using any personal health information (PHI) for the purposes of imposing liability or investigating reproductive health care that is lawful under state or federal law. That information, per the rule, should not even be provided to law enforcement or courts that seek to punish an individual for providing or facilitating tha

By Adam Turteltaub Well, it turns out that you can be in two places at once, if you are a surgeon. Even better, you can bill the government under the Medicare program for being at both of them. It’s not quite as strange as it sounds, explains Sara Brinkmann, Partner, and Lauren Gennett, Counsel, of King & Spalding, and, of course, there are rules. Overlapping surgeries occur when one attending surgeon is responsible for procedures that overlap in time. The attending may perform the critical part of the procedure in both, assuming they are not supposed to happen at the exact same time. Non-critical portions of the procedure, such as closing the patient, are left to a resident. There must also be a backup surgeon in case something goes awry. Payment for both surgeries is possible so long as there are the requisite safeguards in place and the various other CMS rules are followed. There may also be state requirements to be mindful of as well. If those rules aren’t followed, there is substantial risk. As they

By Adam Turteltaub On November 22, 2024, Principal Deputy Assistant Attorney General Nicole Argentieri recapped the changes made during the Biden Administration in enforcement policies and announced a few new ones. To better understand what this all means, we spoke with Daniel Kahn (LinkedIn) , partner at Davis Polk, and himself a veteran of the DOJ. There were a number of meaningful changes during the last few years, he noted. Most notably the voluntary disclosure program was significantly expanded, with companies with aggravating circumstances now able to still have the possibility of a declination. There is a catch, though, the bar for cooperation has been raised. The organization must have disclosed promptly, engaged in extraordinary cooperation and remediation and have had an effective compliance program at the time of the incident. A new change, just announced, is the addition of what we referred to in the podcast as “clawforwards” in addition to clawbacks.  Organizations are expected to not pay bonu

By Adam Turteltaub Once again it is time to sit down with Matt Kelly (LinkedIn), Editor and CEO at Radical Compliance and discuss what happened last year and where the compliance profession is going in the new one. In this podcast we looked back at 2024 and explored five key topics. Changes from the DOJ The DOJ recently issued a recap of its key activities over the last year or so, and Matt notes that a key change has been an increased willingness to give credit to companies that work with the Department of Justice.  In the past, the DOJ had only given full credit to companies that had self-disclosed, but now there is greater leniency for organizations who have demonstrated that they are willing to cooperate with the government and make serious remediation efforts. Lessons from Recent Dispositions Matt pointed to the TD Bank case and noted that, as he saw it, the company laid the seeds for its scandal by having a zero expense growth strategy  across its business.  That led to compliance spending shrinking

By Adam Turteltaub Retaliation is the bane of every compliance program, with the potential of destroying employee confidence in reporting systems, not to mention embarrassing and expensive lawsuits. It is also complex and can be subtle, explains Keith Read, a former chief ethics and compliance officer and author of the book The Unconventional Compliance Officer: Doing Things Differently. There is overt retaliation, such as firing an employee for blowing the whistle. But there is also softer, more subtle retaliation, such as not including the whistleblower in meetings or on projects. He advises compliance teams to be sensitive to all of the many forms of retaliation and to treat it  as a risk area. That means look at where and how retaliation can occur, and then take the time to determine if is occurring. Track how the careers of whistleblowers go and see if the trajectory has changed for the worse. Also, look to patterns in management.  He found that retaliation followed certain managers around the organiz

By Adam Turteltaub How do you know your compliance program is working, both for your peace of mind or if the government comes knocking? It’s a tough question, and many wonder either how to start measuring or if they’re measuring the right thing. Andrew McBride, Founder & Chief Executive Officer at Integrity Bridge, has a great deal of experience in this area from his time serving as Chief Compliance Officer at Albemarle. In the wake of an FCPA scandal, the company had to be able to demonstrate the strength and effectiveness of its efforts. In this podcast he advises you remember three key questions from the US Department of Justice’s compliance program evaluation criteria: Is the program well designed? Is it applied earnestly and in good faith? Is it working? At the same time, though, he cautions not to just seek simple metrics alone. It’s important to also track why you are measuring what you are measuring. Compliance teams need to take the time to build out the supporting narratives that explain why and

By Adam Turteltaub Oh, come on, we all know it: sometimes the business people get tired of all those compliance requirements. That’s okay and to be expected.  But, how do you know when it has progressed beyond the usual (and maybe healthy) resistance to full-blown exhaustion? Cecilia Fellouse, General Manager of Compliance for Good, warns that, ironically, when the business team stops pushing back, it can be a sign of compliance fatigue. They may just be going behind your back to get what they want. Another troubling sign to watch out for is systematic escalation. Instead of addressing issues to you, they’re taking the issue straight to higher-level management. So, what can cause compliance fatigue and these bad behaviors? She cites several factors and ways to avoid them. Saying “no” too often and being perceived as operating from an ivory tower. Constantly denying requests without providing constructive feedback can make the compliance team seem out of touch. Lack of engagement with frontline teams.

By Adam Turteltaub Do you ever ask yourself, “What kind of compliance officer am I?” Netherlands-based  Susan du Becker, Director, Risk & Compliance at Microsoft, thinks we all should. To her experience, there are two answers to that question. One is a regulatory compliance officer: someone who is focused on the requirements of regulators, potential fines and legal consequence. The other is a business compliance officer, who is focused on what the business needs and how to ensure it achieves its goals while staying within the multitude of white lines the laws and regulations have painted. She envisions herself as the latter, balancing business and regulatory requirements. She recognizes that the business unit will test the limits, and that she is there to make sure there are always two feet solidly on the ground. To keep the business team focused on their legal and regulatory obligations, she advocates for making it clear what lines absolutely may not be crossed, taking the time to meet with them regularl

By Adam Turteltaub Rob Tull (LinkedIn), Managing Director at Effective Compliance LLC wants every compliance officer to be both competent and able to demonstrate it. He advocates for the development of four sequential, underlying skills: Communication The ability to be aware of risks Adaptability, and Decision-making/judgement Underlying all of them is knowledge, and together they form a framework for effective compliance programs. The single most important competency area, he argues, is communication. The ability to translate complex laws and regulations into simple language that helps the business make good decisions is paramount. So, too, is the ability to tailor your message to the audience:  management and the board likely need to hear something different than line managers. Listen in to learn more about what makes for competency for compliance professionals. Listen now

By Adam Turteltaub Who are you talking to? When you think about all the employees in your organization, who do you see in your mind? You probably, and should, think of several people: the person in the plant, the R&D people, the sales team. They all have different needs, maybe even different cultures. Adam Balfour, Carsten Tams and Karen Moore (LinkedIn), each of whom is a veteran compliance professional, explain in this podcast why it’s so important to truly know who the people are in your organization and the risks they interact with. They explain that you have to take the time to get in their heads to understand what their needs are and how best to communicate with them. One technique they advocate for is developing personas: Create fictional, yet realistic descriptions of the types of people in your organization. That will help you better flesh out who they are, their goals and their skills. This process also helps you stand in their shoes and understand not what you want to say but how they are likely

By Adam Turteltaub It’s a complex world, we all know, and we all try to simplify it and our lives, at least from time to time. Nitish Upadhyaya, Director-Behavioral Insights at Ropes & Gray’s R&G Insights Lab and podcaster, wants compliance teams to appreciate complexity and, if not embrace it, at least understand how to work with it. For him this journey started many years ago with the recognition that disincentives don’t always work. He wanted to understand why. This led him to an understanding of complexity, which explores the connections between people and systems and how nonlinear and unpredictable things can be. Appreciating that knot of connections is important for compliance teams, he argues, since the nature of the job involves affecting individual behavior and culture. He outlines several principles that compliance teams should follow: Move away from the idea that you can map everything. Context matters. Understand the human dynamics and stories. The only real rule in a complex system is

By Adam Turteltaub The Health Care Compliance Association just published the 4th edition of the Research Compliance Professional’s Handbook, and to see what’s new in it we sat down with the editor, Kelly Willenberg (LinkedIn) of Kelly Willenberg & Associates. The Handbook, she explains is there to help both those who attend the HCCA Healthcare Research Compliance Academy and anyone looking for a desktop reference that addresses the fundamentals of research compliance. It addresses topics such as safety, privacy, monitoring, and biosecurity. For this edition each chapter was reviewed thoroughly with any and all necessary updates made, including to the chapter on FDA regulations. In addition, a new chapter was written to address AI. It defines what AI is and why compliance teams need to look at it from a risk management perspective. The chapter also addresses the integration of AI and how therapies are changing. One admonition that she provides for compliance teams is to watch Europe. As with privacy, Euro

By Adam Turteltaub It’s one thing if a company wants to protect its trade secrets. But, what if it wants to keep its dirty little secrets from getting out? Then, the SEC may want to step in. Stephen Cohen (LinkedIn), partner at Sidley Austin, and a former senior leader in the Enforcement Division at the SEC, explain in this podcast that, to understand the issue, we need to look back to the Dodd-Frank Act. The law led to the SEC whistleblower program and included anti-retaliation authority. The SEC believed it had implicit authority to punish efforts that impeded direct communication by whistleblowers with the Commission and its staff. Both the SEC and CFTC have created similar rules prohibiting organization and individuals from taking any action that inhibits someone communicating directly with the SEC about a possible securities law violation. The SEC has interpreted that to mean that language in non-disclosure and severance agreements, codes of conduct, policies and elsewhere that either require employe

By Adam Turteltaub Greg Walters is an attorney in the Cyber Risk and Governance Branch at the SEC. But in this podcast he’s not speaking as an enforcer but as someone who has seen a lot of compliance training during his career as a government attorney across numerous agencies. He warns that while an organization may boast of 100% completion rates for their training, that doesn’t mean 100% of the employees got the message. That’s especially true of online training, where, unlike live training, it’s hard to tell if people are truly following along and then adjust the learning. The goal, he argues, is not to just give knowledge but to affect behavior. So, to see what impact the training has had, look to changes in the number of types and questions you receive, as well as incidents that do or don’t occur. Also, take the time to understand your audience and make sure that the training is relevant to them and reflects the culture of the organization. Listen in to learn more tips for improving the effectiveness

By Adam Turteltaub There is an expectation in many, if not most people, that at some point they will, or should be, promoted. But how do you know if you are ready? And, once you are promoted, what does it take to succeed in your new role? To find the answers we spoke with compliance veteran, Debbie Hennelly, Founder & President of Resiliti. The first piece of advice she shares is that not everyone needs or wants to be a manager. For many it’s okay to say that they love being a subject matter expert and advisor, and they aren’t ready, or maybe never will be ready, to be something else. If you are looking to move up, how do you know you are ready? She reports that you don’t until you are actually in the job. That’s especially true for compliance people, since we who often don’t benefit from the leadership and management training that is given to other parts of the organization. Once in the role, let the team know that you value them. If there was someone else on it that you beat out for the role, acknowled