Compliance Q&A with Jay Cohen, Of Counsel at Giordano, Halleran & Ciesla
September 16, 2021 | Blog
Jay Cohen is Of Counsel to the New Jersey Law Firm of Giordano, Halleran & Ciesla, which provides a wide range of legal services, including advice and counsel for M&A and financing transactions. He’s worked as a Brooklyn prosecutor, served as a legal advisor to both Mayor Ed Koch and Governor Mario Cuomo, and worked for many years as a corporate compliance professional.
Q: How has compliance changed in recent years?
A: Everything about compliance has gotten riskier and more challenging. Regulations are more pervasive and intrusive, regulators are tougher and more sophisticated, external complaints by customers and employees are more likely. The costs of non-compliance have grown, while tolerance for even minor violations has diminished.
It’s also more common for internal and external stakeholders to raise questions about companies’ commitment to doing business ethically. Every company and CEO says “We do business the right way. We treat our customers fairly.” And people are increasingly asking, “How do you know? What evidence tells you that your message is getting across to the people who actually deal with customers?”
Leaders need to have these answers, and a compliance program can help them with that.
Q: What are the legal risks of non-compliance?
A: First, regardless of size or industry, every company has regulations to follow, regulators to satisfy, and penalties to pay for non-compliance. And all signs point to an even tougher regulatory environment in the years to come.
Second, federal and state prosecutors and regulators have set expectations for company compliance programs, and companies can get in trouble when they don’t meet those expectations.
Third, directors - whether they are directors of public or private companies - have an additional duty to oversee the management of compliance risks, just as they do for financial and operational risks.
Fourth, whistleblowers have become more common across a wide range of industries, and state and federal laws protect and encourage whistleblowing.
Fifth, class actions and other lawsuits invariably accompany compliance issues.
Finally, for companies that are thinking about going public, both the SEC and the stock exchanges have their own standards for compliance programs and codes of ethics.
Q: Setting the law aside, what are some of the practical risks associated with non-compliance?
A: The first and most important is that compliance violations inevitably result in lost business. We’ve all witnessed companies that struggle to retain existing customers or win new customers after issues have come out. And some clients, such as the federal government, can’t legally do business with companies that have compliance violations.
In addition, investors, acquirers, and potential partners may walk away from deals or pay smaller prices for companies with compliance issues. The violation itself also carries its own costs - fines, penalties, legal settlements, remediation - which almost always exceed the expense of investing in proactive compliance. And insurance can be more costly for companies that have compliance issues.
Finally, in a number of reported cases, regulators have restricted companies in their ability to expand into new markets, acquire new businesses, or develop new products and services until they fix existing compliance violations.
Q: Do you think people are aware of the hazards of compliance issues in a deal-making context?
A: Legal issues and compliance have always been part of the checklist in deal diligence. But because of the issues we’ve already talked about, the level of scrutiny behind that checklist has increased tremendously in recent years. Companies want to find out if the compliance program in an organization they’re thinking of partnering with, investing in, or acquiring is the real deal, or if it only exists on paper.
Let me give you three recent examples that demonstrate how much things have changed.
In the first, the SEC announced charges against both a SPAC and the target company it acquired. The SEC alleged that the SPAC failed to conduct adequate due diligence on the claims that the target made about its technology - which constituted a compliance violation by the SPAC itself.
In the next example, a health-care company was fined for compliance violations, and so was one of its minority shareholders. The regulator said that this private equity investor found out about the violations during diligence but didn’t fix them.
The third example shows the value of effective compliance measures. In this case, the target health company paid a fine for compliance violations - but its acquirer did not, because it found the issue, disclosed it to the government, and fixed the problem.
The bottom line in each of these cases is that compliance readiness or unreadiness makes a big difference in the cost to target companies, investors, and acquirers.
Q: What are the big questions companies should consider from a compliance standpoint?
A: The first question is: What are the principal laws and regulations that apply to this company? What are the mission-critical rules based on our industry, markets, regulators, customers, products, and geographic region?
The next question is: What is the organization doing to understand and comply with those rules? What processes are in place?
The third question: How do we know if these processes are working? How are the company’s leaders measuring and analyzing the effectiveness of their efforts at compliance risk management?
Compliance also gets at the heart of another fundamental question: Do we mean what we say? When we say, “We protect your personal information,” how do we know that that’s what we’re doing? When we say, “We’ll treat you fairly as a customer,” how do we know that’s what’s happening? When we say, “We have good governance,” where’s the proof?
Q: How can the people in charge of compliance get buy-in from other teams and get them to take the process seriously?
A: Change management and communication have to be a part of any compliance program. Leaders have an important role to play here - they have to help employees understand that compliance readiness is just as important as getting finances and operations in order and lining up customers. Failure in this area can have legal, financial, and reputational consequences.
Q: What are the key things that companies should do from a compliance standpoint in advance of an exit?
A: All of them can be lumped under the heading of “Compliance Readiness”. Are we ready for the increased scrutiny that will come through the deal process? And are we ready to operate on a bigger stage?
Q: When should companies start thinking about compliance as a part of exit prep?
A: As we’ve discussed, every company has regulations to follow and therefore has a compliance risk profile. So ideally, they should be thinking about compliance well before preparations for a deal or an exit get underway.
But because of the increased scrutiny that comes with a deal, compliance should be an integral part of the readiness process. It shouldn’t just be treated as a side issue or left until the last minute.
Q: Implementing all of these changes can be overwhelming. How do you break this into concrete steps for organizations to follow?
A: One of the reasons compliance can seem so daunting is that companies assume it’s going to take a lot of money and time, and a whole army of people. But not every company has to have the same compliance program as JP Morgan Chase. Companies should have a program that is scaled to their business and tailored to their risks. A practical compliance check-up can help accomplish that.
Step one is the current state assessment - this is where we are now. Here’s our compliance risk profile, and this is what we’re currently doing to address those risks.
Step two is identifying the target state - this is where we need to be, based on critical risks, external expectations and our own internal commitment to compliance.
Step three is the road map - this is how we’re going to get from Point A to Point B. This is where it’s helpful to have an experienced compliance professional who can make this road map shorter and less complicated. There are three ways they can do this.
Number one: helping you focus on the most important issues - the mission-critical rules we’ve already discussed.
Number two: Making the most of what’s already there. Most companies already have compliance measures in place, even if they’re called something else. An experienced compliance professional can help identify the procedures already implemented, make them work together, maximize their impact and spot any gaps.
Number three: effective change management based on what has worked elsewhere.
Q: How have companies used you and your firm to carry out these changes?
A: GHC has a long track record of helping companies strengthen corporate governance, effectively address due diligence, and understand and fulfill their legal and regulatory obligations.
I’ve helped clients with existing compliance programs which they wanted to improve, and other companies with little or no program at all. That includes companies in the middle of legal and regulatory crises, companies on both sides of due diligence assessments, and companies looking to enter new markets or industries. More recently, I’ve worked with organizations looking to get compliance-ready for the public stage.
Q: How can companies leverage technology to minimize the costs associated with compliance?
A: The best way to look at it is in the context of data.
When I was a CCO, our regulators told us all the time, “If it’s not documented, it didn’t happen.” Technology can help produce and capture the evidence of compliance readiness. That includes documenting the effectiveness of a compliance program, not just its existence.
Even when we had the documentation, we would often struggle to find, gather, and package it in a way that was persuasive and relevant to regulators’ concerns. We might be asked to produce 100 client files to evidence our treatment of customers and compliance with the rules - which would take hours or even days because so many different parts of the organization were involved. Technology can help us bring together the information we need and present it effectively and persuasively.
Third, and even more basic: technology can help build or implement the right data repository to have the critical information ready and available whenever it's needed.
Q: What key questions should companies ask when choosing a legal vendor for compliance?
A: First: Does this vendor understand the company and the industry well enough to hit the ground running?
Second: Do they have practical experience with what works and what doesn’t?
Third: Do they have a comprehensive, tested framework for the task at hand? And can they adapt that framework to the size, culture, leadership, resources, and compliance risk profile of a specific organization?
Fourth: Can they look ahead to where rules and regulators are heading, to ensure that the company is prepared not just for today, but for the future?
Fifth: Can they work and communicate effectively with all levels of the organization?
Sixth: Will they focus on what is most important: minimizing cost and maximizing the return on the investment in compliance readiness?
Q: What compliance-related questions should companies ask when reviewing a technology platform?
A: Here are the key attributes I look for when evaluating technology vendors:
- Experience with the task at hand
- Understanding of the industry and its related issues
- Fit for purpose
- Ease of installation, application, and use
- Adaptability and scalability
- Quality customer service
When we’re talking specifically about data and analytics, you need to consider a couple of other important issues:
- Security - if sensitive information about the company or employees is stored in this database, you need to know it will be safe.
- Ability to shape the production - can the technology help us find and produce the information we need, and not produce what should not and need not be disclosed?
Q: How can you judge the effectiveness of a compliance program?
A: I think about effectiveness in two ways. The first is activity and the second is impact. A lot of compliance focuses on the former: did we carry out some specific set of activities intended to help us adhere to regulations and standards?
But I think the second piece - impact - is even more important. What information tells us that these compliance program activities are working to identify and address the most important risks? Is what we’re doing having an impact where it’s needed?