Compliance Insights Latest: The Future of Financial Regulation Still Unclear; Meanwhile, New Rules March On

By Steven Stachowicz, Managing Director
Risk and Compliance

The recent election results weigh heavily on the minds of financial services professionals. All manner of questions have been raised regarding potential related regulatory impacts. Currently, there is ambiguity and speculation as to what changes are in store, when they will come, and the extent to which they will occur. What is certain is that change is inevitable, at least based upon what can be gleaned from the campaign trail and the agenda of the existing Congress.

We address some of the immediate reactions to the recent elections in our November edition of Compliance Insights. We will continue to monitor developments as they unfold, and provide our perspective in future editions. In the meantime, refer to Protiviti’s recent flash report for a more detailed, cross-industry perspective on the impacts of the recent elections.

Aside from the election, the November edition of Compliance Insights examines a new rule from the Consumer Financial Protection Bureau, finalized in October, that significantly changes the regulatory environment for prepaid accounts — including general-purpose reloadable and non-reloadable cards, such as payroll cards, student financial aid disbursement cards, tax refund cards, certain federal, state and local government benefit cards, and electronic wallets that store funds. The new rule, due to be implemented at the end of 2017, requires new disclosures to be provided to consumers at the time of purchase, including fees, terms and other comparative information; periodic statements listing recent transactions; dispute resolution procedures; and new protections if the prepaid account contains credit features. The article is on page 2 of the newsletter.

Also in October, the Department of Labor released the first in a planned series of FAQ documents to provide guidance on the implementation of its Fiduciary Rule, issued in April 2016. The rule was issued as an investor protection measure to identify, eliminate and mitigate against investment adviser conflicts of interest that could result in advice not aligned with clients’ best interests. The new rule redefines how retirement investment advice is communicated to investors, how and when adviser relationships are established, and how adviser compensation for products and services is earned. See page 5 in Compliance Insights for some of the specific questions addressed.

Other recent regulatory news we cover in our November edition:

  • The Financial Crimes Enforcement Network published an advisory and FAQs to help financial institutions comply with cybersecurity reporting obligations under the Bank Secrecy Act.
  • The Office of the Comptroller of the Currency published guidance on the periodic risk re-evaluation of foreign correspondent banking applicable to all national banks with foreign correspondent banking relationships.

We discuss all of these new developments, including our take on the financial regulations’ future, in detail in the full edition of Compliance Insights. Read it here.

Strategic Use of Email in Internal Investigations: Your Questions Answered

By Scott Moritz, Managing Director
Protiviti Forensic

As part of our ongoing internal investigations series and in conjunction with Fraud Awareness Week, Protiviti, in partnership with Morrison & Foerster and Robert Half Legal, presented a webinar last week on the strategic use of email in internal investigations, discussing ways companies can undertake email investigations without letting costs get out of hand. My colleagues Robert Hennigan and Marshall Matus recapped the highlights, but I want to share here a few of the questions addressed during the live Q&A session, which I facilitated.

 Q: What are the points to consider before accessing email data — including legal rights to open email accounts, legal responsibilities to notify users, and how to avoid alerting users that someone is accessing their email?

Robert Hennigan, Protiviti: Any time you have a question specifically about legal issues, we recommend consulting with counsel to help you make those determinations prior to initiating an email investigation. Generally speaking, there is no reasonable expectation of privacy in the United States for work email — and that extends to personal devices if they are being used to send and receive business email. There is no obligation to notify users of a pending examination of email on a company exchange, although some types of information are protected under HIPAA and laws governing the cross-border transfer of personally identifiable information. Employees are not obligated to divulge passwords for personal devices, but case law has established that biometric account security is not protected.

Q: What should you do to ensure you’re following rules of evidence and maintaining a chain of custody?

James M. Koukios, Morrison & Foerster: Companies wouldn’t invest time and resources in an email investigation unless they have a reason to believe that the investigation will yield important evidence. It is therefore important to ensure that the investigation is conducted in a way that ensures the findings will be admissible in court. Specifically, it is important to freeze the account to prevent alteration or deletion of emails. This may involve taking physical custody of a laptop, device or workstation. Searches must be planned and conducted in a way that ensures the resulting analysis will present a thorough and accurate picture. By the end of the investigation, the party presenting the evidence should be able to demonstrate that the evidence is complete, authentic, and authored or received by the individual or individuals being investigated. The evidence should support what actually happened.

Q: How do you search for information embedded in PDFs and other non-searchable “picture” attachments? Is there technology available to extract text that might not otherwise show up in a standard keyword search?

Marshall Matus, Robert Half Legal: An important part of determining the scope of any email investigation is understanding the allegations, and determining how information was communicated. It is not uncommon for perpetrators to try to bypass traditional keyword search capabilities by scanning documents into PDFs or image files. In such cases, optical character recognition (OCR) software can help extract text from such files.

Q: What if someone in the IT organization is the subject of the allegation?

Marshall Matus: That is a tricky one. That said, the proper response, with few exceptions, is to go up. Most organizations of any size have a chief information officer, or chief information security officer, who can be enlisted to help. If the subject of the investigation is the CISO, CIO or CTO, investigators can reach out to the CFO, General Counsel or CEO for assistance.

Because email investigations can be resource-intensive and costly, it is important for companies to do their homework before they initiate the investigation, to make sure the work will yield maximum results and be accepted into evidence in court. Our audience was interested in many more details of an email investigation, and we cannot cover all of them here — but I do invite you to listen to the archived webinar (the Q&A session is at the end of the recording).



Strategic Use of Email in Internal Investigations

By Robert Hennigan, Associate Director
Protiviti Forensic

and Marshall Matus, Engagement Manager
Robert Half Legal

When we first started talking about putting together a webinar on the role of email in internal investigations, none of us anticipated the global impact a single email investigation could have. As it turned out, our well-attended November 15 webinar couldn’t have been more timely.

We presented the webinar during International Fraud Awareness Week together with Scott Moritz, the global leader of Protiviti Forensic, and James Koukios, a partner in Morrison & Foerster’s White Collar and Anti-Corruption practice group.

Our goal was to demystify the process of email investigations. In addition to addressing some of the popular misconceptions that might cause organizations to avoid undertaking a forensic email investigation, we wanted to offer some clear and simple strategies for managing the process, based on our years of experience, both as consulting professionals and as special agents of the FBI.

We thought the webinar was necessary because we’ve heard from a lot of people who believe, incorrectly, that:

  • Due to high volume, email investigations are cost-prohibitive and overly time-consuming.
  • Email investigations are a waste of time because no employee in their right mind would put anything incriminating in an email on a company server.
  • Privacy laws give employees the right to refuse employer access to their individual work emails.

To be sure, the email universe is vast, with more than one hundred billion work-related emails sent and received each day around the globe. We’ve read that employees spend about 28 percent of their work week sending and receiving emails at a rate of 122 emails each day.

It’s easy to see how the prospect of an email investigation of, say, 15 or 20 individuals, spanning several years, could be daunting — not only because of the volume, but also because of the need to maintain the integrity of evidence, which involves following established procedures regarding the acquisition, preservation and processing of email evidence. Managing this process effectively involves striking a balance between sufficiency and overkill.

Planning an Investigation

As with most business controls and processes, the time and cost of an email investigation can be carefully managed through planning. In that regard, it is important to start with a clear understanding of what you are looking for. What is the complaint? How many people could potentially be involved? Over what time frame did the alleged activity take place? Where does that data reside? And who were the custodians of that data?

As for the misconception that employees wouldn’t leave anything incriminating on a company server, experience has shown that it happens all the time. Also, if an employee forwards work emails to a personal mobile phone or home computer, those devices are considered to be discoverable for investigative purposes. There is ample case law to establish that work emails are work product owned by the company. Most U.S.-based organizations have electronic communication policies making it clear that users have no expectation of privacy. There are a few notable exceptions that include communications covered by attorney/client confidentiality, but for the most part, electronic communication at work is fair game for investigators.

Nor do investigations have to be confrontational. Often, investigators can obtain all the evidence they need from system backups or the company email server, without having to notify employees.

Companies also have had great success leveraging email review platforms and other forensic technologies to search for keywords indicative of potential malfeasance. Newer versions of email platform tools have significant capabilities built in.

Each of our expert panelists emphasized the criticality of communication between the various players in an investigation — the review team, forensic accountants, and outside counsel — to ensure coordination, avoid redundancies and share knowledge. A good investigation will follow project management best practices, with phases of the project including data collection, data processing, data analysis and review.

There’s an art to this process that involves knowing how to select key words; when to go broad and when to go narrow; how to leverage techniques and theories from related fields, such as information retrieval; and how to use various forensic technologies. All of this was discussed in our webinar at length, and we encourage you to listen to it.
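As an added illustration (not the authors' or Protiviti's code) of the acquisition, preservation and keyword-search steps described above, the Python below works through a constructed three-message collection: it records a SHA-256 manifest at acquisition so that later alteration of any message is detectable, runs a keyword search over subjects and bodies, and flags image and PDF attachments that a keyword search cannot see without OCR. All addresses, message contents and the keywords are invented.

```python
"""Preserve, search and triage a small e-mail collection (added example)."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage


def _build_sample_messages() -> list[bytes]:
    """Constructed sample data: three messages built in memory, not real evidence."""
    msgs = []

    m1 = EmailMessage()
    m1["Message-ID"] = "<1@example.test>"
    m1["From"] = "alice@example.test"
    m1["To"] = "bob@example.test"
    m1["Subject"] = "Q3 numbers"
    m1.set_content("Bob, please move the adjustment before the audit. Thanks.")
    msgs.append(m1.as_bytes())

    m2 = EmailMessage()
    m2["Message-ID"] = "<2@example.test>"
    m2["From"] = "bob@example.test"
    m2["To"] = "alice@example.test"
    m2["Subject"] = "Re: Q3 numbers"
    m2.set_content("See attached scan.")
    # A scanned image: whatever text it shows is invisible to keyword search without OCR.
    m2.add_attachment(b"\x89PNG fake image bytes", maintype="image",
                      subtype="png", filename="scan.png")
    msgs.append(m2.as_bytes())

    m3 = EmailMessage()
    m3["Message-ID"] = "<3@example.test>"
    m3["From"] = "carol@example.test"
    m3["To"] = "alice@example.test"
    m3["Subject"] = "Lunch"
    m3.set_content("Lunch at noon?")
    msgs.append(m3.as_bytes())
    return msgs


def preserve(raw_messages: list[bytes]) -> dict[str, str]:
    """Acquisition step: record a SHA-256 digest per message, keyed by Message-ID."""
    manifest = {}
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        manifest[msg["Message-ID"]] = hashlib.sha256(raw).hexdigest()
    return manifest


def verify(raw_messages: list[bytes], manifest: dict[str, str]) -> list[str]:
    """Return the Message-IDs whose bytes no longer match the acquisition manifest."""
    altered = []
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        mid = msg["Message-ID"]
        if manifest.get(mid) != hashlib.sha256(raw).hexdigest():
            altered.append(mid)
    return altered


# Content types a plain keyword search cannot read; these go to an OCR queue.
NEEDS_OCR = ("image/", "application/pdf")


def search(raw_messages: list[bytes], keywords: list[str]) -> list[dict]:
    """Keyword-search subject and plain-text body; flag attachments needing OCR."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = []
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        body = msg.get_body(preferencelist=("plain",))
        text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
        matched = sorted({m.group(0).lower() for m in pattern.finditer(text)})
        needs_ocr = [
            part.get_filename() or "<unnamed>"
            for part in msg.iter_attachments()
            if part.get_content_type().startswith(NEEDS_OCR)
        ]
        if matched or needs_ocr:
            hits.append({"id": msg["Message-ID"], "matched": matched,
                         "needs_ocr": needs_ocr})
    return hits
```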

Finally, we had a number of interesting questions from the audience that followed the presentation and speakers. We will summarize some of these questions in an upcoming post. Subscribe to our blog to be sure not to miss it.

How Expensive Are Cybersecurity Attacks and Data Breaches?

In this Industry Perspective series, we offer the views of Protiviti leaders on developments and news in specific industries. The perspective below focuses on Energy & Utilities.


By Danny Rudloff, Managing Director
Industry Leader for Energy and Utilities

and Cal Slemp, Managing Director
Solution Leader for IT Security and Privacy

A Journal of Cybersecurity article earlier this year concluded that public concerns regarding the increasing rates of breaches and legal actions may be excessive compared to the relatively modest financial impact to firms that suffer these events. Based on a sample of more than 12,000 cyber events that include data breaches, security incidents, privacy violations and phishing crimes, the authors found that the cost of a typical cyber incident in that sample is less than $200,000 (about the same as those firms’ annual IT security budgets), representing only 0.4 percent of their estimated annual revenues.

Our Perspective:

This study may be placing too much emphasis on “counting the trees” and not enough on understanding the value of the “forest.”

For companies in industries like energy, on which the public relies for essential goods and services, reliability and reputation are an integral part of the product or service. So measuring damage from a cyberattack by adding up the costs of breaches, bad debts and fraud risks but not the cost of service interruption or reputation damage minimizes an incident’s true impact.

Similar to the experience of other industries, significant damage from a cyber incident will be seen in the erosion of the customer’s confidence and trust that is the underpinning of future business, or in potential regulatory overreach that can unduly constrain future operations. The impact to reputation, and its implied customer loyalty, can be serious.

In addition, the study identifies the mining and oil and gas industry as suffering the highest litigation rate of all industries, with more than 30 percent of all cyber events litigated. Therefore, it is wise for the industry to stay focused on this area.

Companies should not be complacent about cybersecurity or rely on the findings of a single report. The consequences and costs of a cybersecurity breach can vary widely, based on the company’s size, customer base, regulatory oversight and other factors. Because the threats and risks related to information security change so quickly, an annual security assessment is recommended so that companies can keep an eye on these trends and evaluate their information security programs in this ever-changing context.

COSO Guide Seeks to Elevate and Evolve Fraud Risk Management Practices

By Pamela Verick, Director
Protiviti Forensic

For many organizations, fraud risk management consists of checking boxes and thinking positive thoughts:

“We hire good people.”
“We have a code of conduct.”
“We comply with Sarbanes-Oxley (SOX).”
“Our hotline does not ring (for serious things).”
“Fraud simply doesn’t happen here.”

Of course, as forensic professionals, we know that this is not enough. So does the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Recognizing the need to both elevate and evolve management thinking on the topics of fraud prevention, detection and deterrence, COSO released its Fraud Risk Management Guide (“COSO Guide”) in September 2016.

The COSO Guide provides a valuable blueprint of leading practices and user-friendly templates to help organizations not only correlate, but actively apply, the five fraud risk management principles first outlined in Managing the Business Risk of Fraud: A Practical Guide (jointly published by the AICPA, The IIA and ACFE in 2008) within the context of the 2013 COSO Framework.

These principles serve as a universal foundation for anti-fraud programs. They are:

  1. Fraud Risk Governance
  2. Fraud Risk Assessment
  3. Fraud Control Activity
  4. Fraud Investigation and Corrective Action
  5. Fraud Risk Management Monitoring Activities

Of these five principles, fraud risk assessment is perhaps the most widely recognized because the consideration of the potential for fraud was explicitly included within the 2013 COSO Framework. Since that time, the identification and assessment of fraud risk has been a focal point of inquiry for internal and external auditors. However, the scope of management’s fraud risk assessment is still often limited to fraud scenarios that would cause a material misstatement on an organization’s financial statements. In contrast, the COSO Guide encourages an elevated and evolved assessment of fraud risk in the context of the organization’s overarching fraud risk management program in order to achieve better support of, and greater consistency with, the overall 2013 COSO Framework.

The COSO Guide is both user-friendly and pragmatic in its design. Each chapter is organized to provide a clear snapshot of how individual fraud risk management principles align with the COSO 2013 Framework’s components and principles, and outlines unique characteristics for each fraud risk management principle within specific points of focus. These points of focus are structured similarly to those contained in the 2013 COSO Framework and are useful in considering the design and operating effectiveness of management’s own fraud risk management capabilities. Whether an organization is new to the topic of fraud risk management or seeking a more detailed view on the “how-to” of certain fraud risk management activities, the COSO Guide provides information that is both thorough and thoughtful, as well as applicable to a variety of audiences.

Whether an organization is in pursuit of a “best-in-class” fraud risk management program, or simply looking to enhance certain elements of its anti-fraud control activities, below are some suggestions for utilizing the information and templates included within the COSO Guide:

  • Map and analyze the fraud risk management process for improvement opportunities
  • Evaluate whether there is proper oversight and assignment of resources for fraud control activities
  • Create or update the organization’s fraud control policy
  • Conduct a fraud risk management survey
  • Expand documentation and visualization of the organization’s fraud risk and controls matrix
  • Assess the organization’s list of potential fraud exposures
  • Review the organization’s fraud response plan
  • Implement a data analytics framework
  • Enhance awareness of fraud risk through communication with various organizational constituencies

It is important to note that the COSO Guide offers insights into leading practices encompassing fraud prevention, detection and deterrence. It is not intended to create a prescriptive standard for either fraud risk management or fraud risk assessment. Furthermore, there is no “one size fits all” approach to fraud risk management and fraud risk assessment. Each process needs to be tailored to an organization’s operations, objectives, industry, people, geographies and technologies.

Finally, it is critical to recognize that fraud is a highly dynamic event. There is no guarantee that an organization will be free from its occurrence or effect simply because it has implemented leading practices. The ability to prevent and detect fraud can — and should — evolve with the organization’s internal control framework, and the COSO Guide provides a clear roadmap that can help drive organizations toward excellence in fraud risk management.

New Evaluation Tool Enables Boards to Assess and Improve Their Risk Oversight

By Jim DeLoach, Managing Director


Prudent risk-taking is essential to the success of organizations seeking market opportunities and executing aggressive growth strategies. Boards of directors have a growing role in overseeing risk in the companies they govern. In fact, risk oversight is an integral part of a board’s responsibility to ensure the company’s risk profile is aligned with its strategy. Yet according to a NACD study, only three of 10 directors have sufficient knowledge and understanding of their board’s emerging risks.

Identifying and understanding emerging risks is critical, as directors know that disorder and disruption are no longer the exception but the norm. Resilient organizations are the ones that are most likely to survive and thrive in this changing world, and boards play a key role in fostering resiliency in the companies they serve. Investors and regulators are recognizing the importance of boards taking an active approach to risk oversight and applying leading risk oversight practices. Every board has an opportunity to disclose beyond the boilerplate in the proxy statement.

Because it is imperative that directors stay educated about new and emerging risks, we believe that boards should evaluate the effectiveness of their risk oversight practices from time to time. This evaluation is made more effective when it is accompanied by a sound process and by insights that give directors assurance that the evaluation exercise is sufficient and rigorous. That’s why Protiviti is excited to collaborate with The Board Institute (TBI) in developing the TBI Protiviti Board Risk Oversight Meter for boards desiring to enhance and improve their risk oversight process.

The TBI Protiviti Board Risk Oversight Meter is a recent addition to The Board Institute’s suite of world-class, validated tools. It is unique in that it offers a flexible, cost-effective method for boards to self-evaluate their risk oversight in an objective, participatory exercise. Participants, who include directors and others chosen by the board, provide input regarding the board’s processes using a web-based tool, which saves time and simplifies the usual logistics of conducting board self-evaluations. It also allows participants to contribute their responses according to their own schedules.

Using the information gathered, the tool generates a robust, insightful and actionable report that highlights not only the board’s strengths in overseeing risk, but also the areas where the board can improve its practices. In this regard, the report includes quantitative and qualitative information, as well as anonymous commentary that provides further color and context to the results. Additionally, the report benchmarks against best practices and validates the quality of risk oversight against the expectations of key constituencies in the marketplace. The overlay of best practices and market information gives directors confidence by making it possible for them to come up to speed quickly and improve their risk oversight continuously in these rapidly changing times.

What I like most about the TBI Protiviti Board Risk Oversight Meter is that it not only supports a board best practice (i.e., periodically self-evaluate the board’s effectiveness), but mirrors how boards execute that practice. Having assisted boards with their self-assessment exercise, I particularly like how the tool can facilitate dialogue among directors as to where, how and why to improve their risk oversight process. That is what you look for in a tool of this nature in the board space. And because assessments can be repeated, the oversight process can be refreshed continually to stay current with a dynamic business environment.

Are you focused on improving risk oversight at your company? Engage in a dialogue with us. To learn more, click here.

Is a Lack of a Detailed Marketing Plan Undermining Your FCPA Program?

By Scott Moritz, Managing Director
Protiviti Forensic

Consumer products manufacturers, pharmaceutical companies and other companies that manufacture and sell products to consumers spend billions of dollars promoting their products and creating various incentives to create demand for those products. Whether cooperative advertising, event marketing, point-of-purchase displays, providing free samples, coupons or gift cards, there are numerous channels to provide things of value to prospective customers, be they individual consumers or distributors.

Some products have a fair amount of cachet, inherent value, or both. Other times, product manufacturers provide money to distributors to promote products in their local markets by means of local events or regional advertising campaigns showcasing the products.

Due to the decentralized nature of this type of trade spend and marketing activity, confirming that the money was expended lawfully and for the intended purposes poses a number of challenges.

What if, for example, you manufacture a popular brand of cognac, and your distributor in Shanghai requests 10 cases of the product and $50,000 for a cocktail party and tasting? What if, at the same time, your distributor also has been negotiating with the airport authority to get your product into the duty-free shop at the international airport? How can you be sure that the very expensive cognac wasn’t simply gifted to the government official in charge of duty-free shops at the airport and the invoices for the cocktail party submitted for reimbursement weren’t fabricated?

Sometimes, marketing spend is allocated to promote particular products, and sales personnel are provided with gift cards, in addition to their normal incentive compensation, if they meet certain sales milestones. These gift cards are typically provided in bulk for distributors to award as they see fit. Gift cards are also a popular means of providing petty bribes to government officials and employees of state-owned companies in certain parts of the world. You can see how this has the potential to go very wrong.

Large events are rife with potential liability pitfalls under the FCPA. World Cup and FIFA matches, Formula One races, golf tournaments, tennis or cricket matches, the Olympics and other popular sporting events all rely heavily on corporate sponsorship. With those sponsorships come hospitality tents, junkets, VIP access and seating, tickets, transportation, and sometimes lodging and travel expenses. Events like the World Cup and the Olympics in particular are very expensive, and providing tickets and other perks to invited guests can be construed as offering or giving something of value in an effort to gain an unfair business advantage. But isn’t that the whole point? To curry favor with prospective customers and reward your best customers?

The answer is, sometimes. With a scenario like that, it is critical to submit a list of proposed attendees to someone in legal or compliance, not to executives in the sales organization. The list should come with some background on who the proposed guests are, whether they meet the definition of a “foreign official” as the company has defined that term, and whether the company has any business before that official at the time. Also keep in mind that such lavish gifts can potentially violate the commercial bribery provision of the UK Bribery Act or the Travel Act.

Historically, marketing incentive programs and their execution in the various local markets in which a company – consumer products, life sciences or other – operates are predicated on trust, with very little detail in terms of what the local subsidiaries or distributors are expected to do to ensure that these activities are above board and don’t create FCPA liability.

If your organization engages in marketing and promotional activities in various foreign markets, it’s important to be able to demonstrate that:

  • You have thoughtfully considered all of the potential bribery risks associated with the various marketing activities in which value is being transferred directly or on your behalf, and
  • You have risk-appropriate controls in place to ensure that the events and other marketing activities you are funding actually took place, and that the products that were sampled were provided in strict adherence to your written agreements with your third parties and were in alignment with the detailed marketing plans to which your organization has agreed.

In our experience, many companies have marketing plans that are vaguely worded as to what local marketing activities are planned, how these plans will be documented, and who will be responsible for ensuring that the funds and/or products are disseminated in alignment with the company’s code of ethical conduct and anti-corruption program. Without a detailed marketing plan and clearly stated obligations on the part of the organizations charged with executing your local marketing activities, your organization risks operating blind, with very little to audit or monitor to ensure marketing activities aren’t putting the organization at risk.