Bad Things Come In Threes For CCOs

by Thomas Fox

It is often said that bad things come in threes. I have often wondered where this phrase came from. So I checked out Wikipedia, no luck there. How about trying Google as the harbinger of all knowledge? Again no such luck there. Not even could help. Of course there is the good old saying ‘3 strikes and you’re out’ but I suspect that was based on something which preceded it. Whatever the origin of this folkloric belief, all I can say is that over the past couple of weeks, Chief Compliance Officers (CCOs) have taken it on the chin three times and, once again, the job of the CCO just got quite a bit harder and more challenging.

I.                   Banned for Life

Submitted for your consideration is the first item of bad news for the CCOs out there. It is the decision released on August 2nd by the Securities and Exchange (SEC) Administrative Law Judge Carol Fox Foelak (no relation) In the Matter of Daniel Bogar, Bernerd Young and Jason Green. Young was the CCO for disgraced financier Allen Stanford’s companies. For those who may not remember, Allen Stanford who sold “so-called certificates of deposits” through his offshore bank in Antigua, Stanford International Bank Ltd. Unfortunately for all, it turned out that Stanford was running a massive Ponzi-scheme by paying off old investors with monies invested by new ones, to the tune of over $7bn. Stanford was convicted for his crimes.

Young was not charged or convicted with participating in the Ponzi-scheme. However, he was slapped with an administrative penalty for failing to note or follow up on red flags, which, had he investigated, may have uncovered the scheme earlier. These acts (or perhaps inactions) included providing materials to financial advisors, which had he inquired into would have led to a determination that they were false. There were instances where company whistleblowers and others brought information to Young, which if he had properly investigated, he would have determined that a Ponzi-scheme was in place. The Administrative Law Judge also cited the conduct of Allen Stanford himself as raising a red flag which the CCO should have investigated.

As to the penalties that Young received, how about the following: disgorgement of $591,992.46,  a penalty of $260,000 and is barred from “association with any broker, dealer, investment adviser, municipal securities dealer, municipal advisor, transfer agent, or nationally recognized statistical rating organization and IS PROHIBITED, permanently, from serving or acting as an employee, officer, director, member of an advisory board, investment adviser or depositor of, or principal underwriter for, a registered investment company or affiliated person of such investment adviser, depositor, or principal underwriter.” In other words, Young can never be a CCO again or work in this industry again.

Why is this decision so significant to CCOs? It is often said that bad facts make bad law. The facts surrounding Allen Stanford and his multi-billion Ponzi-scheme, short of Bernie Madoff, are about as bad as it gets. Maybe Young does deserve a severe spanking for his role in not asking questions. But the problem for CCOs is now there is a precedent for at least a civil proceeding to be filed by the SEC for failure to engage in sufficient due diligence, see red flags and perform proper investigations. This coupled with the size of the disgorgement, penalty and lifetime ban in working as a CCO or in the industry makes the CCO world quite a bit darker today.

II.                Is Your Code of Conduct Mere Puffery?

The second example is the Dismissal granted by the US District Court for the Northern District of California, in the shareholder derivative action, entitled “Cement & Concrete Workers District Council Pension Fund, et al., v. Hewlett Packard Company, et al.” This lawsuit was some of the continued fallout from the Mark Hurd era at Hewlett Packard (HP). As reported in an AmLaw Litigation Daily article, entitled “Morgan Lewis Beats HP Securities Suit over Hurd Conduct”, “in the fall of 2007, the company hired a marketing consultant named Jodie Fisher.” Fisher later “accused Hurd of sexual harassment. He resigned later that year. The harassment claims were never substantiated, but an internal investigation performed by Covington & Burling turned up evidence that Hurd used company resources to wine and dine Fisher and then tried to hide the relationship from HP’s board.” Hurd later admitted that he had a “very close personal relationship” with Fisher.

A shareholder action was brought by the plaintiff who claimed in part that “HP and Hurd made false and misleading statements when they (1) issued and updated HP’s Standards of Business Conduct Brochure (SBC) in 2006, May 2008 and June 2010”. In the Plaintiff’s Complaint they said that “These statements were misleading because in light of Hurd’s endorsement of these tenets, there was an implication that Hurd was in fact in compliance with them. In truth, Hurd was knowingly violating each of these tenets in his dealings related to Fisher, by (a) inappropriately using his position as CEO to attempt to pursue a romantic relationship with Fisher, (b) submitting expense reports that did not accurately reflect their meetings, and (c) knowingly allowing Fischer to receive compensation and/or expense reimbursement where there was not a legitimate business purpose.”

However the District Court made short shrift of the plaintiff’s claims. In its dismissal, the Court said, ““Generally speaking, the 2008 and 2010 SBCs, as well as other statements relating to HP’s ethical code of conduct, do not constitute actionable misrepresentations or omissions because they are not material. “‘[V]ague, generalized, and unspecific assertions’ of corporate optimism or statements of ‘mere puffing’ cannot state actionable material misstatements of fact under federal securities laws. Such statements include those that are not “‘capable of objective verification’” or “‘lack[ ] a standard against which a reasonable investor could expect them to be pegged.’” “When valuing corporations, . . . investors do not rely on vague statements of optimism like ‘good,’ ‘well-regarded,’ or other feel good monikers.” “Instead, “professional investors, and most amateur investors as well, know how to devalue the optimism of corporate executives.””

How about that to warm the heart of every CCO out there? For that matter how about the Department of Justice (DOJ) or SEC who said in their jointly released FCPA Guidance that “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” So all the talk that we preach about the importance of a Code of Conduct; at least one court has now said it is ‘mere puffing’. Do you think that the Chief Executive Officer (CEO) will want to spend a bunch of money for an aspirational, puffery statement? I hope so because the DOJ and SEC still say it is important. But if a corporation ever takes the DOJ to trial in a Foreign Corrupt Practices Act (FCPA) matter, there is at least one court who has said a Code of Conduct is not important.

III.             Try Getting Your Records Out of Germany Now

Our third, and final item, comes courtesy of Nicholas Elliott from the Wall Street Journal (WSJ) Risk and Compliance Journal, in an article entitled “The Morning Risk Report: Germany’s Forceful Privacy”. Elliott reports that it is “going to be more complicated to do business in Germany, the fifth largest trading partner of the U.S. Angered by news that the U.S. National Security Agency’s electronic surveillance efforts included Germans, that country’s data-protection body declared last month that most data transfers to the U.S. breach its laws. This stance affects not only data transfers for which companies seek approval but also those covered under safe-harbor provisions of European law”.

This may well severely constrict the ability of US companies to investigate, audit or even monitor their German operations or German citizens who are employees or third parties to the company. Not that German companies and citizens have always been 100% lean when it comes to bribery and corruption (See: Siemens-corp division and Ecclestone, Bernie-ind. division). But clearly the US government has seriously infuriated some of its major trading partners for its spying to try and enforce the FCPA and this will come back to bite many US companies in the behind if they cannot get data and information out of Germany and are faulted by the DOJ and SEC for their failure to do so.

I wrote about the data privacy issue back in June in light of Edward Snowden’s revelations about National Security Agency (NSA) spying and the attendant fallout. This issue is now in the forefront of EU-US trade negotiations. An article in the Financial Times (FT), entitled “Data scandal clouds trade talks”, Hannes Swoboda, leader of the socialist members of the European Parliament, was quoted as saying “With all the information that we’ve found out in the recent days about how easily the US spies on people’s private data I think it will be difficult for the Americans to oppose a strong data protection agreement.” The article notes that many of the rules proposed for EU data protection are opposed by US companies because “their business models would be damaged.”

Elliott ends his article with the following, “At the same time, European privacy rules will probably be tightened, with a proposal for fines levied on companies that share data without customers’ permission. The Wall Street Journal reported last week that such rules could create further legal uncertainty by conflicting with U.S. laws such as the Patriot Act and Foreign Intelligence Surveillance Act.” Amen.

These three strikes have the effect of the following: (1) denigrating an entire compliance regime of a company by declaring its foundational document ‘mere puffing’; (2) puts the CCO backside on the firing line for a civil or potentially criminal action if they do not uncover FCPA violations; and (3) making illegal the removal of certain data from Germany where not do so may well be a FCPA violation. Be afraid, be very afraid…


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising

Written by:

Thomas Fox

Compliance Evangelist on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.