Australian Federal Police Arrest Sydney Businessman for Alleged Foreign Bribery in Nauru

On September 14, the Australian Federal Police (AFP) announced that on September 13, they arrested a director in the Sydney-based Radiance International group of companies, Mozammil Gulamabbas Bhojani, on a charge of conspiring to bribe foreign officials in Nauru.  Bhojani’s arrest stemmed from “Operation Regatta,” which the AFP began in 2015 to investigate allegations that Radiance International and its related group of companies, which specialize in trading rock phosphate, conspired to pay bribes to Nauruan public officials.

Bhojani allegedly was involved in making five payments totaling more than AU$100,000 to the officials. According to ABC News, court documents show that Bhojani “operates a multinational business with a network of international contacts,” “appears to have extensive business interests on Nauru,” and “has access to large quantities of cash.”  Subsequently, ABC News reported that Radiance International had also received a AU$2.5 million contract from the Australian Department of Home Affairs for refugee accommodation structures on Nauru.

Note: This case is a reflection of the increasing sophistication in Australian law enforcement’s pursuit of foreign bribery over the last five years.  Since 2013, the AFP has not only provided cooperation in other countries’ foreign-bribery investigations such as Alcoa and Unaoil, but also been a participant in the four-nation International Foreign Bribery Taskforce (IFBT) with the Federal Bureau of Investigation, the Royal Canadian Mounted Police, and the United Kingdom National Crime Agency.

Historically, Australian authorities were criticized for pursuing only a very few foreign-bribery cases.  Last September, in just the second foreign-bribery prosecution in Australia, the New South Wales Supreme Court in Regina v. Jousif imposed sentences of imprisonment on three individual defendants.  But the December 2017 OECD Working Group on Bribery’s Phase 4 Report credited Australia with “significantly” increased enforcement since 2014, noting that the AFP had 19 active investigations and three further case referrals to the Commonwealth Director of Public Prosecutions.

Since the Phase 4 Report, the Bhojani case is the second foreign-bribery case that the AFP has brought in 2018.  Previously, Australian-based consulting firm SKM was charged with allegedly bribing Vietnamese officials between 2006 and 2011 and Philippine officials between 2000 and mid-2005.

Moreover, public information about the Bhojani case contains some indications of its complexity.  Evidence amassed to date includes telephone intercepts and bank records, as well as “a large number of documents and electronic records” seized in a series of raids on Bhojani’s home and the Brisbane office of Ronphos, Nauru’s state-owned phosphate corporation that supplies rock phosphate to customers internationally.  If the experience of other countries in complex foreign-bribery cases is any guide, the Bhojani prosecution is likely to be the first, but not the last, prosecution in Operation Regatta.

Cyberthefts Continue to Bedevil Japanese Cryptocurrency Exchanges

On September 18, the Japanese cryptocurrency exchange Zaif confirmed that it was the target of a September 14 cyberattack that yielded an estimated $60 million (¥6.7 billion), in the form of 5,966 Bitcoins and an unknown quantity of other cryptocurrency assets. The points of attack reportedly were Zaif customers’ “hot wallets,” the online digital wallets that customers use to store cryptocurrency assets.

Tech Bureau, the Osaka-based cryptocurrency exchange that operates Zaif, stated that it had reported the theft to the Japanese Financial Services Agency (FSA) and law enforcement authorities.  Tech Bureau plans to raise the funds to compensate customers for their losses by selling a majority of its shares to a group company under the Japan-based financial services provider Fisco.  Fisco’s group company is expected to provide ¥5 billion to Tech Bureau as both companies “work to complete an agreement by the end of the month.”

Note:  The Zaif hack is not the first cyberattack against Japanese cryptocurrency exchanges this year.  In January, Tokyo-based cryptocurrency exchange Coincheck Inc suffered a “hot wallet” cyberattack that stole approximately $532.6 million (¥58 billion).  These two attacks – combined with the fact that the FSA had previously ordered Tech Bureau twice this year “to improve its operations, including its response to system failures” – demonstrate the urgency with which the cryptocurrency-exchange community needs to commit to installing and maintaining robust cybersecurity and data-protection measures.

Explanations like “technical difficulties and a shortage of staff” will not satisfy regulators in Japan or other countries who have seen multiple large-scale cryptocurrency hacks; indeed, an FSA official has already said that the Zaif hack “will likely have an impact on future screenings” for newly registered exchanges.  Although cryptocurrency-related market capitalization may have increased vastly since 2014 – when the bitcoin exchange Mt. Gox lost an estimated $473 million – neither consumer confidence nor regulatory patience can remain infinitely elastic.

One indication that the cryptocurrency sector recognizes that fact is the August 2018 application by the Japanese Virtual Currency Exchange Association (JVCEA) for certification by the FSA.  The JVCEA reportedly “plans to work with the government on drafting and overseeing legislation that will allow the Japanese crypto exchange industry to become self-regulating,” and to that end submitted to the FSA a detailed 100-page document containing its proposed self-regulatory measures.  In the end, some combination of self-regulatory and government regulatory measures will likely be necessary to impress on the industry the importance of adopting and implementing meaningful cybersecurity defenses and other internal controls and compliance measures.

Financial Conduct Authority Seeks £30+ Million Fine Against Tesco Bank for Cyberattack Data Breach

On September 24, Sky News reported that the United Kingdom Financial Conduct Authority (FCA) is seeking a fine of more than £30 million against Tesco Bank relating to the 2016 cyberattack on the bank’s online services.  At the time of the attack, the bank’s then-Chief Executive Officer, Benny Higgins, stated that “a systematic, sophisticated attack” had taken money from about 20,000 customer accounts.  Tesco Bank shortly thereafter refunded £2.5 million to about 9,000 customers, and is now contesting the proposed FCA fine.

Note: This action is only the latest in a series of enforcement actions that United Kingdom authorities have brought against various companies and entities in 2018 for data breaches or inadequate data protection:

  • September 2018: The United Kingdom Information Commissioner’s Office (ICO) imposed a £500,000 fine on Equifax Ltd. for “failing to protect the personal information of up to 15 million people in Britain during a 2017 cyber attack.”
  • July 2018: The ICO stated its intent to fine Facebook the maximum of £500,000 for two violations of the Data Protection Act 1998, stemming from Facebook’s alleged failure to protect Facebook users’ personal data that Cambridge Analytica harvested for political purposes.
  • June 2018: The ICO imposed a £250,000 fine on Yahoo! for a 2014 data breach that resulted in the theft of at least 500 million records.
  • May 2018: The ICO imposed a £120,000 fine on the University of Greenwich for a security breach in which 19,500 students’ personal data were placed online.

This particular report, however, is a timely reminder – as reports of other significant United Kingdom-related data breaches at British Airways, Dixons Carphone, and Ticketmaster have come to light in recent months — that companies doing business in the United Kingdom need to see that their data-security compliance programs focus not only on the General Data Protection Regulation (GDPR), but on other laws and regulatory regimes that mandate effective protection against data breaches.

The Financial Agencies’ Interagency Statement on Supervisory Guidance: Considerations for Corporate Compliance Officers

On September 11, five of the leading U.S. financial regulatory agencies — the Federal Reserve Board, the Bureau of Consumer Financial Protection, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency – issued a joint interagency statement explaining the role of supervisory guidance for regulated institutions.  The agencies stated that they were issuing this statement “to explain the role of supervisory guidance and to describe the agencies’ approach to supervisory guidance.”

First, the interagency statement explained the difference between supervisory guidance and laws or regulations:

The agencies issue various types of supervisory guidance, including interagency statements, advisories, bulletins, policy statements, questions and answers, and frequently asked questions, to their respective supervised institutions. A law or regulation has the force and effect of law.  Unlike a law or regulation, supervisory guidance does not have the force and effect of law, and the agencies do not take enforcement actions based on supervisory guidance. Rather, supervisory guidance outlines the agencies’ supervisory expectations or priorities and articulates the agencies’ general views regarding appropriate practices for a given subject area. (Citation omitted.)

On this point, it added that “[s]upervisory guidance often provides examples of practices that the agencies generally consider consistent with safety-and-soundness standards or other applicable laws and regulations, including those designed to protect consumers.”

Second, the statement declared that the agencies “are clarifying” five policies and practices related to supervisory guidance.  The key points for those five policies and practices are as follows:

  • Numerical Thresholds: “The agencies intend to limit the use of numerical thresholds or other ‘bright-lines’ in describing expectations in supervisory guidance. Where numerical thresholds are used, the agencies intend to clarify that the thresholds are exemplary only and not suggestive of requirements. The agencies will continue to use numerical thresholds to tailor, and otherwise make clear, the applicability of supervisory guidance or programs to supervised institutions, and as required by statute.”
  • Violations: “Examiners will not criticize a supervised financial institution for a ‘violation’ of supervisory guidance. Rather, any citations will be for violations of law, regulation, or non-compliance with enforcement orders or other enforceable conditions. During examinations and other supervisory activities, examiners may identify unsafe or unsound practices or other deficiencies in risk management, including compliance risk management, or other areas that do not constitute violations of law or regulation. In some situations, examiners may reference (including in writing) supervisory guidance to provide examples of safe and sound conduct, appropriate consumer protection and risk management practices, and other actions for addressing compliance with laws or regulations.”
  • Public Comment: “The agencies also have at times sought, and may continue to seek, public comment on supervisory guidance. Seeking public comment on supervisory guidance does not mean that the guidance is intended to be a regulation or have the force and effect of law.”
  • Multiple Documents: “The agencies will aim to reduce the issuance of multiple supervisory guidance documents on the same topic and will generally limit such multiple issuances going forward.”
  • Future Guidance: “The agencies will continue efforts to make the role of supervisory guidance clear in their communications to examiners and to supervised financial institutions, and encourage supervised institutions with questions about this statement or any applicable supervisory guidance to discuss the questions with their appropriate agency contact.”

Note: In general, the interagency statement can be considered a welcome reminder of the broad principles in the Administrative Procedure Act (APA).  Subsection 553(b) of the APA generally requires that federal agencies must follow the formal notice-and-comment process for substantive rulemaking, but makes an exception for “interpretative rules [or] general statements of policy.”  In practice, the line between substantive rules and interpretative rules or policy statements has been not only imprecise but subject to varying degrees of erosion.  As indicated in a recent post in the Regulatory Review, for a federal agency that has designs on expanding its power and influence, it is an understandable temptation to set standards that it wishes to enforce by issuing “guidance” documents that can be issued or revised on the agency’s timetable, rather than by submitting to the more time-consuming and cumbersome APA notice-and-comment process.

To the extent that the statement reminds both the participating agencies and regulated entities about the APA’s substantive-interpretative distinction, and reflects those agencies’ aspirational promises about maintaining the line between substantive and interpretative rules, it certainly does no harm and may do some good for the financial sector.  At the same time, financial-firm compliance officers should expect that in the short term, regulatory agencies are not likely to revise their existing compliance-related guidance in any substantial respect, and will continue to expect firms to hew closely to such guidance.

In addition, a leading law firm recently noted that financial regulators may be able to use their “guidance” as the basis for finding “safety and soundness” violations without calling that guidance a “rule”:

[A]lthough examination staff may no longer state a finding that a bank “violated” guidance or interpretive rule, they are not precluded from finding that a bank violated the governing statute or interpretive rule, and citing to the guidance to detail what the agency believes a statute or rule requires. Failure to follow agency guidance is not in and of itself a violation of law, but for an industry such as the banking industry, which is governed by amorphous “safety and soundness” obligations, departing from agency guidance may nevertheless pose a risk of being deemed an unsafe or unsound banking practice.

That risk is not limited to civil enforcement.  A prime example of this is the FCPA Corporate Enforcement Policy that the U.S. Department of Justice issued in November 2017.  As Deputy Attorney General Rod Rosenstein stated last November, the Policy “specifies some of the hallmarks of an effective compliance and ethics program.  Examples include fostering a culture of compliance; dedicating sufficient resources to compliance activities; and ensuring that experienced compliance personnel have appropriate access to management and to the board.”  Rosenstein added that “companies are free to choose not to comply with the FCPA Corporate Enforcement Policy.  A company needs to adhere to the policy only if it wants the Department’s prosecutors to follow the policy’s guidelines.”

That statement is too clever by half.  A declaration that a company is “free” not to comply with the Policy, at the risk of facing potentially massive FCPA criminal penalties and other enforcement measures, sounds remarkably like “guidance” that in fact establishes substantive conduct requirements, even if those requirements are vague and amorphous (e.g., “fostering a culture of compliance”).  Nonetheless, compliance officers can expect that the interagency statement will have no effect on the Department’s application of the FCPA Corporate Enforcement Policy, which is now being applied in a much broader range of white-collar crime matters.

Decisionmaking Before and During Disasters: Some Lessons for Compliance Officers

In the immediate aftermath of Hurricane Florence, one question that has recurred in media reports – as it often has after other natural disasters – is why people stayed in their homes and neighborhoods and risked harm to themselves or their families, rather than flee to safety when they had time to do so.  Television or newspaper accounts of a family clinging to a tree to avoid being swept away by floodwaters, or of a mother whose infant son was torn from her grasp when she tried to drive through a flooded street, often prompted reactions of sympathy, along with critical and judgmental questions along the lines of “What were they thinking?”

Compliance officers who are newly hired to build or rebuild corporate compliance programs after a major compliance failure might have similar reactions.  When they learn that executives at their firm, over multiple years, paid tens of millions of dollars in bribes to secure business or to evade U.S. sanctions, or allowed accounts at the firm to be used to launder hundreds of millions of euros, their first thought might also be, “What were they thinking?”

In both cases, however, that question should be factual rather than rhetorical.  Disaster experts and compliance experts alike need to understand the thought processes that prompt people in risky situations to make decisions that put them at greater risk.  In fact, how people make decisions before and during disasters may be critically influenced by the same factors that can influence corporate employees who are tempted (or expected or pressured) to participate in improper or illegal activity.

Those factors, as risk expert Robert J. Meyer recently explained in a Washington Post essay, are “cognitive biases that lead people to underplay warnings and make poor decisions, even when they have the information they need.”  A number of those biases that Meyer – a co-director of the Wharton Risk Management and Decision Processes Center at the University of Pennsylvania – identified can also be found in corporate settings:

Overconfidence Bias: This bias, simply defined, “is the tendency people have to be more confident in their own abilities, such as driving, teaching, or spelling, than is objectively reasonable. This overconfidence also involves matters of character.” In Hurricane Sandy in 2012, Meyer wrote, East Coast residents “knew all too well that a storm was at their doorstep and that many people would be affected – they just thought it wouldn’t affect them.”  Studies have shown “that, even when reliable information about probable danger is available, it is difficult to effectively warn large populations that cannot directly perceive the danger associated with a disaster. If a storm warning is at all vague, people will underestimate the threat and be less likely to heed evacuation orders.” In addition, “the longer people have lived in an area, the less likely it is that they will evacuate, in part because they have successfully ridden out past hurricanes.”

Overconfidence bias is widely prevalent in the business world, including decisionmaking on matters of finance and investment.  As Meyer noted, overconfidence bias “also involves matters of character.”  For example, what Harvard Business School Dean Nitin Nohria calls “moral overconfidence” is evident when there is a gap “between how people believe they would behave and how they actually behave.”  That gap, Dean Nohria wrote, “tends to be most evident in high-pressure situations, where there is some inherent ambiguity, when there are competing claims on our sense of right and wrong, and when our moral transgressions are incremental, taking us down a slippery slope.”  Discussing proposals to expand or retain business in higher-risk markets, especially if the company is suffering declining profits or other reversals, can reflect all of those factors.

“Herd Thinking”/Social Proof: Meyer also noted the effects of “herd thinking” in compounding the problem.  “Herd thinking” is a colloquial term for the cognitive bias that social psychologists term “social proof” or “conformity bias.”  Social proof, as Professor Robert Cialdini wrote in his seminal work Influence: The Psychology of Persuasion, is “the tendency to see an action as more appropriate when others are doing it.”  In the case of Hurricane Sandy, Meyer wrote that residents who looked around before the storm “and [saw] that few others were making preparations . . . felt no social pressure to do more.”

Social proof can also influence people in corporate settings.  For example, if one or more meetings are held to discuss and implement a proposal for a course of action that is improper or illegal, and no one speaks up to challenge the improper course of action, participants who have doubts may remain silent when they see that no one else is speaking against the proposed action.

Inertia and Simplification/Normalcy Bias: Meyer also singled out inertia and simplification as

enemies of sound decision-making.  When we are unsure of what to do in the face of an incoming storm, we tend to stick to the status quo — doing nothing. If we are uncertain about when to evacuate, we tend not to evacuate at all. And we tend to simplify our course of action, selectively focusing on a few factors. . . . Before Hurricane Sandy, for example, 90 percent of residents secured supplies — but typically only enough to get them through a single day without power. Again, most failed to make evacuation plans.

This “status quo” tendency has also been labeled “normalcy bias,” for situations in which people in imminent or immediate danger “freeze” or wait to consult with multiple other people rather than acting immediately to flee that danger.  As journalist Amanda Ripley documented in her book The Unthinkable, the consequences of normalcy bias in those situations are often fatal.

Corporate executives and employees who are caught up in intracorporate misconduct as it becomes more severe may also display inertia or normalcy bias.  Especially if they believe that their in-house mechanisms for reporting misconduct are untrustworthy or ineffective, they may default to acting as if there is no heightened or imminent risk to themselves or their company, and keep on with “business as usual.”  Or they may simplify their responses by taking only half-hearted steps – perhaps talking to one or two colleagues or family members – rather than decisive action to separate themselves from the misconduct.

To overcome the effects of these biases and situational factors in disaster situations, Meyer maintained that “[t]he key to better preparedness is not to eliminate those biases – a hopeless task, since they’re part of who we are – but to design measures that anticipate biases.”  Here are some possible approaches to anticipating biases in disaster or business scenarios:

Overconfidence Bias: Two techniques have successfully reduced overconfidence bias, according to Professor David Myers in his book Exploring Social Psychology. One “is prompt feedback on the accuracy of [people’s] judgments.”  For impending natural disasters, that may mean communications at the town or neighborhood level from credible sources – local weather forecasters, emergency-management teams, or police – to convey to residents in specific terms that the danger for them is real.  When a National Weather Service meteorologist, the day before Hurricane Katrina made landfall, issued a warning for the New Orleans area that described the probable dangers in highly specific and graphic terms, that warning was later deemed “the most dire—and effective—weather forecast ever issued by the National Weather Service.”

To address risky corporate situations effectively (say, a proposed entry into a new market in which bribery of national government officials is common), corporate compliance officers need to take two types of actions.  First, they should make efforts to attend every meeting in which senior executives are discussing or preparing to implement a plan that could involve improper or illegal conduct, to ensure that compliance risks are neither ignored nor downplayed.  Second, both in and outside those meetings, they need to engage with participating executives and refute, with specific examples from prior enforcement actions, any assumptions that the planned course of action presents little or no compliance risk.

The other, Professor Myers wrote, relates to the fact that “[w]hen people think about why an idea might be true, it begins to seem true . . . .  Thus, another way to reduce overconfidence is to get people to think of one good reason why their judgments might be wrong, forcing them to consider why opposing ideas might be right . . . .”  For impending disasters, that could mean using local media and community meetings with local officials to confront “we-can-ride-it-out” beliefs with information as specific as possible on the impending disaster’s likely impact in that community – perhaps even supplemented with examples of people in previous disasters who came to regret their “ride-it-out” decisions.  For corporate situations, that could mean compliance officers talking with key participants in a risky course of action about what those participants believe to be non-risky decisions and actions, and pointing out information that would support opposing ideas and recommendations.

“Herd Thinking”/Social Proof: To combat “herd thinking” or social proof-based decisionmaking by people before disasters, officials should use public-service messages and community-meeting talks that call attention to that particular bias.  One example would be, “Folks, don’t assume that just because others in your community are talking about staying, that’s the right decision for you and your families.  Talk with your neighbors and friends all you want, but in the end make your decision based on the latest information, not assumptions about what others are doing and why.”

A similar approach can work in corporate environments.  Compliance training, for instance, can include guidance to employees that says, “If you hear or see something that you feel in your gut is wrong, trust your first instincts and talk about it with someone – your manager or our ethics line.  Don’t assume that because no one else is speaking up about it, no one shares your concerns.”

Inertia and Simplification/Normalcy Bias: To combat inertia, Meyer recommended that governments “work hard to persuade people to develop precise preparedness plans that include a shopping list of supplies and exact plans for when and where to evacuate, should that be necessary.” To combat simplification, he similarly urged officials to present people with short lists of the most important preparation measures they should take.

In corporate settings, compliance officers need to supplement in-house compliance training and messaging to employees in two ways.  First, the training and messaging should convey that the need for employees to speak up or report misconduct is even greater when it appears that that misconduct is well underway.  Second, it should set clear priorities for how employees should report when that misconduct is advanced (i.e., directing an employee to notify a senior compliance officer rather than consulting his or her immediate supervisor or reporting through conventional whistleblower reporting channels).

This discussion cannot do justice to all of the cognitive biases and influences that can affect business decisionmaking and compliance.  It should indicate, however, why compliance officers need to pay closer attention to cognitive biases, and see that their compliance programs move beyond “check-the-box” policies and conventional internal controls to operationalizing measures that can counteract or reduce the influence of those biases.