Compliance. TODAY October Why compliance matters to the enforcement community. Loretta Lynch. See page 16

Transcription

1 Compliance TODAY October 2013 a publication of the health care compliance association Why compliance matters to the enforcement community Loretta Lynch U.S. Attorney, Eastern District of New York See page Medicaid vs. Medicare claims audit appeals: A road less clear Cornelia M. Dorfschmid and Lisa Shuman 35 Sunshine Act reporting: Minimizing consulting and royalty payment risks Stephanie J. Kravetz 41 OIG issues updated guidance on exclusion: What it means for providers Lester J. Perling 47 Be part of the solution: Stop medical identity fraud Marita Janiga

2 w w w. n a ve x g l o b a l. co m +1 ( ) i n f n a ve x g l o b a l. c o m

3 Letter from the CEO by Roy Snell, CHC, CCEP F Just when you think you have seen all the stupid you can handle Please don t hesitate to call me about anything any time Cell Direct corporatecompliance.org Snell In the May 31, 2013 issue of the New York Times, some guy who calls himself The Ethicist wrote an article entitled, Can I Use the Same Paper for Multiple College Courses? He single-handedly made the case as to why this country now relies on compliance and ethics professionals rather than on just ethics programs to ensure our companies comply with the rule of law and behave ethically. In the article he says that it is not unethical to use the same paper twice. After receiving numerous responses to his article he said, It might get you expelled in some schools, but using the same paper in multiple colleges courses is not unethical. It s people like this who have been claiming they can cure all company regulatory and ethical ills simply by relying on building an ethical culture. Building an ethical culture is very important. Ethics is important. However, it is subjective. When you look up beauty is in the eye of the beholder in the dictionary, there is a picture of an ethical culture. Everyone has a slightly different definition of what ethical means. You can t prevent, find, and fix regulatory and ethical infractions by relying on ethics alone. In this case, a compliance officer would say to you, You can believe whatever you want from an ethics perspective, but you can t break the rules. People who say, Go beyond compliance to ethics drive me crazy. They are implying compliance programs are not important. They are implying that ethics is more effective at regulatory compliance than a compliance program. They have been saying this for a hundred years and the respect for the business community is at an all-time low. It does not work. Even though this example is extreme, the problem with ethics is that it s not an exact science. This guy needs to consider a career in auto body repair. Even though this example is extreme, the problem with ethics is that it s not an exact science. No two ethicists agree on everything. Everyone has a slightly different view of what is ethical. Ethics is a good start. We need ethics training and tone from the top. But ethics is so vague, that it alone is not enough to prevent, find, and fix ethical and regulatory problems. You need an ethics and a compliance program to have any hope of being effective. We need to educate, audit, monitor, develop policies, manage a hotline, investigate, etc. We need to enforce ethical behavior, policies, and the rule of law. We can t just talk and render our opinion. We need a compliance and ethics program

4 Contents October 2013 Features Columns 16 Meet Loretta Lynch an interview by Adam Turteltaub 27 Medicaid vs. Medicare claims audit appeals: A road less clear by Cornelia M. Dorfschmid and Lisa Shuman Because Medicaid RACS are administered by the states, there are as many nuances and variations in the appeals process strategy as there are states. 35 Sunshine Act reporting: Minimizing consulting and royalty payment risks by Stephanie J. Kravetz Some risk factors that can be lurking in product development consulting and royalty agreements, and how to spot them before a government review does. 41 OIG issues updated guidance on exclusion: What it means for providers by Lester J. Perling Regular screening of employees and contractors can save you from claims denials, civil monetary penalties, and the risk of exclusion from federal healthcare programs. 47 Be part of the solution: Stop medical identity fraud by Marita Janiga Medical personnel can play a key role in safeguarding patients and personnel from the nightmare of identity theft. 3 Letter from the CEO Roy Snell 25 Exhale Shawn DeGroot 51 The Compliance Quality Connection David Hoffman 6 News Departments 12 People on the move 78 HCCA congratulates newly certified designees 80 HCCA welcomes new members 83 Takeaways 84 Events calendar Compliance Today is printed with 100% soy-based, water-soluable inks on recycled paper. Interior pages are double-coated sheets made from 80% recycled content, which includes 60% post-consumer waste. The remaining 20% is virgin fiber that comes from responsibly managed forests and is FSC certified. Cover stock is made from 10% post-consumer waste and is produced near the printing facility in Minnesota. The energy used to produce the paper is 100% renewable. Certifications for the paper include The Forest Stewardship Council (FSC), Sustainable Forestry Initiative (SFI), and Green-e.org

5 government actually does understand that things can and will go wrong, even where there is a strong compliance program. Articles See page Finding your Snowden: Identifying insider threats by employees and contractors by Adam H. Greene The data breach by a contractor at NSA offers a number of important lessons to healthcare providers and health plans. 58 Face-to-face requirements: What pitfalls lie ahead for home health agencies? by Kristen P. McDonald, Lindsey Lonergan, and Krunal Shah Strategies to help home health agencies cope with the requirements of the final rule for certifying the eligibility of their Medicare clients. 63 [CEU] Schooled in fraud: Compliance lessons from the Lying Dutchman by Scott Killingsworth The story of Dutch social psychologist Diederik Stapel, who perpetrated one of the most spectacular and longest running academic frauds in history. 71 [CEU] Rehab risks in a RAC world by Nancy J. Beckley Therapy providers face greater liability as new financial and policy changes from CMS have taken effect. 75 [CEU] The HIPAA final rule: Transforming the business associates landscape by Dan Ross Business associates and their subcontractors must manage their relationships with care to avoid increasing liabilities. Compliance TODAY Editorial Board Gabriel Imperato, Esq., CHC, CT Contributing Editor, Managing Partner, Broad and Cassel Ofer Amit, MSEM, CHRC, Manager, Research Operations, Miami Children s Hospital Janice A. Anderson, JD, BSN, Shareholder, Polsinelli PC Christine Bachrach CHC, Chief Compliance Officer, University of Maryland Dorothy DeAngelis, Managing Director, FTI Consulting Gary W. Herschman, Chair, Health and Hospital Law Practice Group, Sills Cummis & Gross P.C. David Hoffman, JD, President, David Hoffman & Associates Richard P. Kusserow, President & CEO, Strategic Management F. Lisa Murtha, JD, CHC, CHRC, SNR Denton US LLP Robert H. Ossoff, DMD, MD, CHC, Assistant Vice Chancellor for Compliance and Corporate Integrity, Vanderbilt Medical Center Jacki Pemrick, Privacy Officer, Mayo Clinic Deborah Randall, JD, Law Office of Deborah Randall Emily Rayman, General Counsel and Chief Compliance Officer, Community Memorial Health System Rita A. Scichilone, MSHA, RHIA, CCS, CCS-P, Director of Practice Leadership, American Health Information Management Association James G. Sheehan, JD, Chief Integrity Officer, New York City Human Resources Administration Lisa Silveria, RN, BSN, Home Care Compliance, Catholic Healthcare West Jeff Sinaiko, President, Altegra Health Reimbursement and Advisory Services Debbie Troklus, CHC-F, CCEP-F, CHRC, CHPC, Managing Director, Aegis Compliance and Ethics Center Cheryl Wagonhurst, JD, CCEP, Partner, Law Office of Cheryl Wagonhurst Linda Wolverton, CHC, CPHQ, CPMSM, CPCS, CHCQM, LHRM, RHIT, Vice President Compliance, Team Health, Inc. Executive Editor: Roy Snell, CHC, CCEP F, CEO, HCCA, hcca-info.org Managing Editor: Brook Matthiesen, , hcca-info.org News and Story Editor/Advertising: Margaret R. Dragon, , hcca-info.org Copy Editor: Patricia Mees, CHC, CCEP, , hcca-info.org Design & Layout: John Goodman, , hcca-info.org Compliance Today (CT) (ISSN ) is published by the Health Care Compliance Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN Subscription rate is $295 a year for nonmembers. Periodicals postage-paid at Minneapolis, MN Postmaster: Send address changes to Compliance Today, 6500 Barrie Road, Suite 250, Minneapolis, MN Copyright 2013 Health Care Compliance Association. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means without prior written consent of the HCCA. For Advertising rates, call Margaret Dragon at Send press releases to M. Dragon, 41 Valley Rd, Nahant, MA Opinions expressed are not those of this publication or the HCCA. Mention of products and services does not constitute endorsement. Neither the HCCA nor CT is engaged in rendering legal or other professional services. If such assistance is needed, readers should consult professional counsel or other professional advisors for specific legal or ethical questions. Volume 15, Issue

6 News Salary survey reveals tendency toward higher compensation for those holding credentials of Certified in Healthcare Compliance (CHC) or Certified Compliance & Ethics Professional (CCEP) The 2013 Compliance Staff Salary Survey data released by the Society of Corporate Compliance and Ethics (SCCE) and its sister association, the Health Care Compliance Associations (HCCA), offers a comprehensive look into the compliance and ethics department staff annual salaries. With this data, businesses and individuals may now compare their salary with peers. The data in the survey demonstrates the maturity of the compliance profession. We are seeing that salaries are related, as they should be, to organizational and program size, as well as the level of the individual compliance professional, said SCCE and HCCA Chief Executive Officer Roy Snell. According to the data, compliance professionals holding the Certified in Compliance and Ethics Professional (CCEP) and the Certified in Healthcare Compliance (CHC) certifications tended to earn significantly higher average compensation compared to those with other certifications or no certification. The numbers show that employers value compliance professionals with the demonstrable level of expertise that comes from earning the CCEP or CHC certification, said Snell. About the survey The data is aggregated to help individuals and organizations compare their own data to the results of similar operations; these groupings include, but not limited to: title/level, compliance responsibilities, number of direct reports, Read the latest news online annual compliance budget, advance degrees, and certifications held. The survey reveals that typically, healthcare Compliance and Ethics department staff tenure is 5 years; 24% of respondents indicate 6- to 10-year tenure, and 5% report 16 years or longer in the Compliance department. Two-thirds of survey respondents work at non-profit organizations. Similarly, cross-industry Compliance and Ethics department staff tenure is 4 years; 25% of respondents noted 6- to 10-year tenure, and 14% indicate 3-year tenure. More than one-third of respondents work at publicly traded companies, 22% of respondents work in privately held companies, and 22% work at non-profit organizations. In both the cross-industry and healthcare survey, more than 50% of responding Vice Presidents and Directors had JD or MBA degrees. Links to the surveys Cross-Industry Compliance & Ethics Staff: Healthcare Compliance Staff: The results are available to anyone, at no charge, on the HCCA and SCCE websites, though log-in is required. SCCE and HCCA members may also access an interactive version of the survey, allowing them to create custom salary comparisons

7 News Regulatory News CMS issues FY 2014 inpatient payment rule CMS recently issued a final rule updating fiscal year (FY) 2014 Medicare payment policies and rates for inpatient stays at general acute care and long-term care hospitals (LTCHs). According to the government press release, The rule improves value and quality in hospital care and provides clarification about when a patient should be admitted to the hospital and responds to recent concerns about extended Medicare beneficiary stays in the hospital outpatient department. The final FY 2014 Hospital Inpatient Prospective Payment System (IPPS) rule increases overall hospital payments (capital and operating) by $1.2 billion. The rule also moves forward with healthcare delivery system reforms made possible by the Affordable Care Act. These include a new program aimed at improving safety in hospitals and refining the Hospital Readmissions Reduction program. The press release also outlined the FY 2014 payment update. The final rule would increase IPPS operating rates by 0.7 percent after accounting for inflation and other adjustments required by the law. This increase reflects a temporary reduction of 0.8 percent to implement the American Taxpayer Relief Act s requirement to recoup overpayments from prior years as a result of a new patient classification system that better recognizes patient severity of illness. CMS is also making an additional 0.2 percent reduction to offset projected spending increases associated with changes to admission and medical review criteria for inpatient services. CMS projects that LTCH PPS payments would increase by 1.3 percent, or approximately $72 million, in FY The key FY 2014 payment and quality changes include: New Hospital-Acquired Condition (HAC) Reduction Program Readmissions Reduction Program Admission and Medical Review Criteria for Inpatient Services Read the latest news online Medicare Disproportionate Share Hospitals (DSH) Other changes For more information: go.cms.gov/1fgnora CMS finalizes FY 2014 payment and policy changes for Medicare skilled nursing facilities CMS has also issued a final rule (CMS-1446-F) outlining fiscal year (FY) 2014 Medicare payment rates for skilled nursing facilities (SNFs). According to the CMS press release, the major provisions of the final rule include: Changes to payment rates under the SNF Prospective Payment System (PPS) for FY 2014 Revising and rebasing the SNF market basket Reporting of distinct therapy days For more on the final rule: 1.usa.gov/1en9Bbk CMS press release: go.cms.gov/15caegd For further information, visit the SNF PPS webpage:

8 Clinical Practice Compliance Conference OCTOBER 13 15, 2013 PHILADELPHIA, PA Preview Darrell Contreras Oct 15 General Session presentation HIPAA: The New Era at HOT TOPICS WILL INCLUDE: As a Compliance Officer, Are You Assuring that Your Physicians are Ready for ICD-10? Health Care Fraud Enforcement: Intake to Resolution HIPAA: The New Era Quality of Care Avalanche: PPACA Requirements, Patient Expectations, and Physicians Compliance Risks with Non-Physician Practitioners Fighting Government Audit Attacks to Your Practice And much more! WHY YOU SHOULD ATTEND: Get updated on government initiatives specific to physicians and their practices Network with your peers Learn the latest enforcement trends Earn CEUs Full Agenda Available ONLINE Learn more at

9 HCCA News HCCA conference news Research Basic Compliance Academy November 4 7, 2013 Chicago, IL This Academy focuses on compliance issues related solely to research. With a wide range of research-related issues becoming hot topics with enforcement agencies, this Academy provides attendees with the opportunity to get information on many areas that affect research compliance officers and their staff on a day-to-day basis. A small audience encourages hands-on educational techniques, small group interaction, and networking. Privacy Basic Compliance Academy December 9 13, 2013 Orlando, FL This Academy covers subject matter in-depth, including HIPAA privacy, general compliance, the Federal Privacy Act, and other privacyrelated topics relative to healthcare. An integral feature of HCCA s Academies is the ability to meet and network with industry colleagues. Basic Compliance Academy December 9 13, 2013 Orlando, FL This Academy focuses on subject areas at the heart of healthcare compliance, including: corporate responsibility, education and training, auditing and monitoring, Stark and Anti-Kickback, risk assessment, HIPAA, and conflicts of interest. Attendees should have a basic knowledge of compliance concepts and some professional experience in a compliance function. Academies are limited to 75 attendees, and this December Academy was recently added because all other dates filled quickly so be sure to register today if you want to attend in New Regional Conferences in 2014 Greater St. Louis March 7 St. Louis, MO DC Metro March 14 Washington, DC Delaware Valley June 6 Philadelphia, PA Find the latest conference information online To see the full schedule of upcoming regional conferences, visit Managed Care Compliance Conference February 9 11, 2014 Scottsdale, AZ Learn essential information for those involved with the management of compliance at health plans. Plan to attend if you are a compliance professional from a health plan (all levels from officers to consultants), in-house or external counsel for a health plan, internal auditor from a health plan, regulatory compliance personnel, or managed care lawyer. Audit & Compliance Committee Conference February 24 25, 2014 Scottsdale, AZ This conference is designed for board members and members of a board Audit Committee and/or board Compliance Committee of notfor-profit healthcare organizations. Compliance officers and other senior leaders in the organization are welcome to accompany board members

10 HCCA News HCCA website news Contact Tracey Page at or her at hcca-info.org with any questions about HCCA s website. New library HCCA s library has been redesigned. Check out all the new documents that are easily searchable or sorted by topical categories for your convenience. Find that policy form or template you need or do some research on the latest updates, all available to you on the HCCA website Calendar HCCA s 2014 Event Calendar is now available online, featuring all of HCCA s upcoming events plus historical events that have played a role in the compliance field. You can print the calendar or call HCCA and request to have one mailed to you. Tweeting with HCCA Tweeting just became easier. You don t even need to go to Twitter s website; you can tweet with HCCA right on our homepage. Just start typing in the Tweet Box on the left (it may ask for your Twitter login). Then in just a few short minutes you can see your tweet displayed on the homepage of the HCCA website. Invoices Need to pay off a balance at HCCA, but your office won t pay without a copy of the invoice? Now you can print your own invoices by logging in, clicking on My Account, and then selecting Transaction History. Here you will find a list of all the invoices you have paid and all of the outstanding ones. Need a few extra CEUs? HCCA offers 1 non-live CCB CEU for each Compliance Today quiz you pass. When you take each month s quiz during your two-year certification renewal period, it adds up to 24 non-live CEUs at no additional cost. (Remember, though, only half of your CEUs can come from non-live events.) Upcoming HCCA Web Conferences 10/16 10/17 10/29 effective Vendor Oversight: Developing a Program that Meets CMS Requirements for Oversight of First Tier, Downstream, and Related Entities Mark J. Fleming and Fadi Khuri general Counsel: Their Role and Hiring, Working With, and Managing Outside Counsel Jonathan Peri and Jonathan A. Segal the Nuts and Bolts of Launching and Growing a Compliant Telemedicine Program Sarah E. Swank learn more and register at Find the latest HCCA website updates online

11 HCCA News news Contact HCCA at or us at with any questions about HCCAnet. Login to your complimentary social network of healthcare compliance professionals HCCAnet is the most comprehensive social network for compliance and ethics professionals, now with more than 12,000 members. Subscribe to discussion groups and get your compliance questions answered. Stay informed on the latest compliance and ethics news and information. Subscribe to popular discussion groups Once logged in to HCCAnet, click My Subscriptions and subscribe to more than 40 healthcare compliance-related discussion groups, including these popular groups for news and information: Chief Compliance and Ethics Officer Health Care HIPAA CHC Certification Study Group Earn CEUs by guest commentating Spend a week guest commentating on HCCA s social network, HCCAnet, and earn up to 10 live CCB CEUs for the week or 2.0 per day. Guest commentating includes posting one discussion topic each day of the week and responding to posts. It s a great way to get involved and to earn CEUs you might need for certification. Contact HCCA for more information and to receive your guest commentator credentials. Find the latest HCCAnet updates online Explore these current HCCAnet discussions Review these recent discussions to explore how HCCAnet can help answer some of your healthcare compliance questions. Appointment Reminders Compliance Board resolution Compliance Reporting Form Everybody Cuts and Pastes in the EHR Oh Really? Here s a new one HIPAA Business Associate HIPAA Complaint from HHS HITECH Question Restricting Information from Health Plans Home Health Care Agencies Mail to Mental Health Clients PBM Calling for Protected Health Information Picture on Facebook Staff Orientation to Compliance/HIPAA Video taping/recording doctor visits

12 People on the Move Richard Meeks recently joined EvergreenHealth as the Kirkland-based healthcare system s compliance officer. Kim Baker, PT, MPT, CHC, CHPC was recently promoted to Corporate Compliance Officer at Fox Rehabilitation in Cherry Hill, NJ. Fox Rehabilitation is a private practice specializing in geriatric rehabilitation, offering physical, occupational, and speech therapy in eight states on the East Coast. Deloitte recently announced the appointment of Mitchell Morris, MD, as leader of its National Providers Industry practice. Dr. Morris, a principal with Deloitte Consulting LLP, was most recently head of the practice s Health Information Technology group. He succeeds Russ Rudish who now is leader of Deloitte Touche Tohmatsu Limited s Global Healthcare practice. People on the Move Kathleen O Brien, RHIT, was recently named Director of Coding Compliance for Pyramid Healthcare Solutions, headquartered in Clearwater, Florida. In her new position, O Brien, a Mason City, Iowa resident, is responsible for overseeing all assigned operational functions for Pyramid s Compliance Division including coding delivery, quality and education, and strategic company initiatives. Broad and Cassel recently announce that Miami Partner Mike Segal, chairman of the statewide Health Law Practice Group, has been named among the region s Top 100 Power Leaders in Health Care in the latest issue of the South Florida Business Journal. Each year, the South Florida Business Journal honors individuals from a wide range of industries who make a difference in business and the region s future. Received a promotion? Have a new hire in your department? If you ve received a promotion, award, or degree; accepted a new position; or added a new staff member to your Compliance department, please let us know. It s a great way to keep the Compliance community up-to-date. Send your updates to hcca-info.org. Are you subscribed to This Week in Corporate Compliance? If not, you should be. It s informative and FREE. HCCA News Once subscribed, TWCC will arrive every Friday in your with a wrap-up of the week s healthcare compliance-related news. To subscribe, visit:

13 Help Keep Your Compliance Program Fully Staffed List Your Job Openings Online with HCCA It s hard to have an effective compliance program when you have openings on your team. Help fill those openings quickly list your compliance job opportunities with the Health Care Compliance Association. Benefits include: Listing is posted for 90 days to maximize exposure Targeted audience Your ad is also included in our biweekly HCCA Jobs Newsletter, which reaches more than 24,000 s Don t leave your compliance positions open any longer than necessary. Post your job listings with HCCA today. Visit Or call us at

14

15

16 Feature Loretta Lynch U.S. Attorney for the Eastern District of New York an interview by Adam Turteltaub Meet Loretta Lynch Adam Turteltaub HCCA Vice President for Membership, conducted this interview with Loretta Lynch in June. AT: Loretta, this is your second stint at the U.S. Attorney s Office. During the intervening time, you were in private practice at a major firm in New York. How does the time doing white collar criminal defense work inform your work as a prosecutor? LL: My time in private practice was invaluable in providing the corporate perspective on enforcement matters. I was able to see the pressures that influence a company s response to government actions, pressures one doesn t always readily see from the government side. At the same time, I tried to provide the government s perspective to companies, and help them focus on the substance of a government request rather than what can often be collateral consequences. Now that I m back in government, familiarity with the corporate perspective is extremely useful in analyzing presentations and ultimately determining if a company is truly committed to resolving an issue. AT: What did you learn about compliance programs, good and bad, in your practice? LL: The most important thing I learned about compliance programs is also the most basic thing the tone at the top truly sets the parameters for whether one has an effective or ineffective compliance program. And by effective, I don t mean a program in a company where there is never any wrongdoing, because that company does not exist

17 Feature If there is one message I d like to leave with corporate America, it is that the government actually does understand that things can and will go wrong, even where there is a strong compliance program. Every company develops issues. It s how you deal with them that defines your corporate culture and informs me if you are serious about fixing the problem and preventing it from recurring going forward. AT: One of the things that strikes me about your career in the U.S. Attorney s Office is that fighting corruption has been an ongoing focus. And, it s notable to point out that we re not just talking about the Foreign Corrupt Practices Act (FCPA), but also corruption here in the U.S. Are there common threads that you see among government corruption cases everywhere? LL: Corruption, whether here in Brooklyn or on the other side of the globe, has real and far-reaching consequences. The common thread is that someone in power loses their connection to the constituency they are supposed to serve, whether citizens or shareholders. When government officials engage in self-dealing, when they abdicate their responsibility, when they succumb to greed, the average citizen pays for it dearly and on many levels. Constituents everywhere end up spending more for services infrastructure, healthcare, education and sometimes have to go without these vital services, when government officials line their own pockets with public funds. Law-abiding companies here in the U.S. and abroad are placed at a competitive disadvantage when business is won or lost based on bribes, not the quality of a company s products and services. Corruption, whether here in Brooklyn or on the other side of the globe, has real and far-reaching consequences. And because corruption involves, at its heart, the breaking of a trust relationship, its ramifications often go far beyond the financial. Corruption infects society as a whole, increasing the level of cynicism and distrust that constituents have about their elected officials and government processes. In this way, corruption also impacts those government officials who are truly trying to do the right thing. They get tarred with the same brush. We all deserve honest and effective representation, and my office is committed to investigating and prosecuting those who trade on the trust we place in them to enrich themselves, who let greed get in the way of helping the people that they represent. AT: What should businesses be aware of domestically? Looking at the Transparency International Index, the U.S. falls on the cleaner side of the scale, but we re not as clean as we might think. Are companies vigilant enough about the domestic risk? LL: In this global economy, foreign corruption is a significant risk for many companies. But as your question correctly points out, for some companies, the most significant risks may well be right here in the U.S. Companies are sometimes complacent about domestic risk. There can be a perception that our employees grew up with us and would not put the company at risk. This view, however, ignores the changing nature of risk, and each company s obligation to give their employees the tools to both recognize issues and protect themselves and the company from being drawn into compromising situations. To be effective, your compliance program has to be tailored to the industry you

18 Feature are in, and to the part of the world in which you operate. Management needs to sit down and literally say, what could go wrong in our company? How do we prevent it? How do we find out about it? And how do we handle it? You need to understand the risks that flow from the nature of your business and where you do that business. Your company may be susceptible to organized crime infiltration, employee and workplace fraud, or immigration violations. Potential anti-trust, importexport, supply chain, and cyber security issues may present significant risks for your organization. In industries that are heavily regulated, like healthcare or the financial sector, you may need to spend a lot of your time focusing on domestic regulatory risks and getting compliance policies in place to ensure employees are complying with applicable regulations. Management needs to sit down and literally say, what could go wrong in our company? How do we prevent it? How do we find out about it? And how do we handle it? local government official who had provided assistance to Peterson in securing business for Morgan Stanley in China. During the conspiracy, Peterson repeatedly and falsely told Morgan Stanley that the corporation buying the ownership interest in the building was owned by the Shanghai government when, in fact, it was owned by Peterson and the local government official, among others. By lying and providing false information to Morgan Stanley, Peterson was circumventing the company s internal controls, which were created and intended to prevent FCPA violations. Peterson was charged with one count of conspiring to circumvent Morgan Stanley s internal controls, and after pleading guilty, he was ultimately was sentenced to a period of incarceration. We declined to take any action against Morgan Stanley in that case. AT: The Morgan Stanley FCPA case was a very high-profile declination by main Justice and your U.S. Attorney s Office. They don t come that often, and it s very rare to see compliance efforts cited so widely as the reason why. Can you give a brief description of the case for those who are not familiar with it? LL: Absolutely. In April of 2012, my office and the Department of Justice s (DOJ) fraud section prosecuted Garth Peterson, the former Managing Director in charge of the Morgan Stanley s real estate group in Shanghai, China. Peterson had engaged in a conspiracy to sell an ownership interest in a Shanghai building owned by Morgan Stanley to a AT: Again, what s notable is that it was the first major FCPA case I can recall in which there was a public declination, and just as importantly, the compliance program was cited so publicly as a major part of the reason why. In fact, it s hard to remember many cases of any type in which the compliance program s effectiveness was cited so publicly, which suggests to me that even people without FCPA risks should take note. What made this case so different? LL: You re right. This was an unusual case. Morgan Stanley self-reported Peterson s conduct, and cooperated fully and extensively with the government s investigation

19 Feature But that s not what made the case different. What set Morgan Stanley apart was that, after considering all the available facts and circumstances, the government concluded that Morgan Stanley was a company that had done all that it could. It had a compliance program specifically tailored to its business risks, with commitment to compliance from the very top of the company, that itself did not tolerate wrongdoing. The bank acted to fire Peterson before any of the facts became public. We concluded that Peterson was the quintessential rogue employee who schemed to affirmatively sidestep compliance because he knew his behavior would not be countenanced. Every company says its bad actors are rogues, and that they do not promote corruption, but at Morgan Stanley we could see it. There was a stark contrast between the bank s corporate culture and Peterson s actions. This presented a fundamentally different situation from companies that say they don t tolerate wrongdoing, yet push employees to meet goals and quotas overseas with little to no guidance on the risks and consequences. It was fundamentally different from companies who distance themselves from their agents and consultants overseas, and then argue that they have to go along to avoid being disadvantaged in overseas markets. And it was fundamentally different from companies that say That s not who we are, yet have nothing on record that informs me otherwise. What we saw was that Morgan Stanley conducted extensive due diligence with respect to the sale that Peterson orchestrated. Every company says its bad actors are rogues, and that [the company does] not promote corruption, but at Morgan Stanley we could see it. We saw that Peterson had circumvented a compliance program that was an active component of the company s business Peterson himself was trained on FCPA compliance seven times and reminded about FCPA compliance at least 35 times. Compliance at Morgan Stanley was also proactive, with the bank routinely adjusting and updating its compliance program to address new issues and problems as they arose. It was not simply a program that was put in place 10 years ago, set apart from the business, and left unchanged over time, without regard to changes in the company s business or the increasing complexity of transactions. When we looked at Morgan Stanley, we also saw a bank that invested resources, that had internal controls in place to ensure accountability, that regularly monitored transactions, and that randomly audited employees, transactions, and business units. This case stands out because it also touched on a common complaint in the FCPA world, and that is the supposed lack of transparency regarding the government s consideration of a company s compliance efforts in making charging decisions. The lengthy description of Morgan Stanley s compliance program in the Peterson charging document was a deliberate response to that criticism. The Peterson case was even cited for that purpose in the FCPA Resource Guide prepared by DOJ and the Securities and Exchange Commission (SEC) in November AT: What should compliance professionals take away as key learning from that case?

20 Feature LL: There are actually two takeaways in this case. The first is that the government will aggressively pursue those who engage in criminal conduct involving corporate corruption. The second is that companies that employ robust and effective compliance programs are not only better able to detect and identify potential compliance issues that may negatively affect the company s business and reputation, but also those unusual instances where an employee is intent on circumventing a company s internal controls. An added benefit for a company that employs a robust compliance program is that the company will be in a better position to address concerns raised by regulators or the government, if the company s conduct ever comes under scrutiny. Morgan Stanley was able to demonstrate that Peterson truly was a rogue, that he had betrayed them, and he had rejected their culture of compliance. AT: More recently we had the declination in the Ralph Lauren case. In that case, Ralph Lauren discovered questionable payments by a third party working on their behalf in Argentina. You were the US attorney on that case as well. What were some of the factors that led to the decision not to prosecute? LL: Actually we did not decline prosecution in that case. Rather, we entered into a non-prosecution agreement with Ralph Lauren. The agreement is for a two-year term and requires the implementation of various corporate reforms. Ralph Lauren also paid an $882,000 penalty to the DOJ and disgorged $700,000 in ill-gotten gains and interest to the SEC. There were several reasons for that outcome. Ralph Lauren discovered criminal conduct involving violations of the FCPA while it was in the midst of trying to improve its internal controls and compliance worldwide. Our investigation revealed that, over the course of five years, the manager of Ralph Lauren s subsidiary in Argentina had made roughly $580,000 in corrupt payments to customs officials for unwarranted benefits, like obtaining entry for its products into the country without the necessary paperwork or without any inspection at all. The bribes were funneled through a customs broker who, at the manager s direction, created fictitious invoices that were paid by Ralph Lauren in order to cover up the scheme. Several factors compelled our decision to enter into a non-prosecution agreement with Ralph Lauren. First, there was the detection of the wrongdoing by the corporation itself, as part of an effort to improve global compliance standards. Following the discovery of the corruption, the company also undertook an exceedingly thorough internal investigation of the misconduct and cooperated fully with our investigation. They made foreign witnesses available for government interviews; they provided real-time translation of foreign documents. It was also very significant that Ralph Lauren implemented a host of extensive, remedial measures, including the termination of employees engaged in the wrongdoing, and improvements in internal controls and compliance programs. Finally, we took into account that they swiftly and voluntarily disclosed the conduct to the government and the SEC. The company first self-reported the misconduct to the government within two weeks of discovering it. They basically did everything that a company that finds itself in that unfortunate situation can possibly do. AT: This was the first time the SEC publicly stated it would not proceed. What got their attention and led to the decision? LL: I cannot speak for the SEC, but we do typically have parallel investigations of FCPA violations, and I believe that they were swayed

21 Feature by the same factors that we were. Although Ralph Lauren did not have an anti-corruption program and did not provide any anticorruption training or oversight during the five-year span of the conspiracy, all of the government agencies investigating the case were impressed with their resulting commitment to compliance in this area globally, as well as their self-disclosure and full cooperation. AT: HSBC s money laundering settlement also holds some lessons for compliance programs. The bank agreed to a $1.9 billion settlement, which is obviously a lot of money. However, what was lost by many are some of the steps they took in the compliance arena that helped prevent the penalties from being much more severe. What were some of the actions that they took that had the most resonance with you as the prosecutor? LL: You are right; much attention was given to the $1.9 billion that HSBC paid in fines and forfeiture and understandably so. It was the largest forfeiture ever by a financial institution in connection with a compliance failure. There were, however, other truly groundbreaking aspects of that settlement, most of which did get overshadowed by the amount of money involved. First and foremost, HSBC stood before a court of law and admitted its criminal conduct. They also gave the government every remedy we could have gained, and arguably even more, had we indicted the bank and taken it to trial to prove that guilt. As part of the deferred prosecution agreement, HSBC committed what resonated with the government was the fact that HSBC made sweeping, sometimes unprecedented, changes that were designed to foster and maintain a deeply engrained, lasting culture of compliance. to a far-reaching overhaul of its compliance practices around the world. Given the systemic, global compliance failures uncovered during the investigation, I think it is fair to say that extraordinary remediation saved HSBC from indictment. HSBC did not simply replace its senior management and then come to us with a report that it had fixed its compliance problems. To be sure, the bank did replace its senior management, and even clawed back bonuses from the CEO, CCO, and other senior compliance officials. But what resonated with the government was the fact that HSBC made sweeping, sometimes unprecedented, changes that were designed to foster and maintain a deeply engrained, lasting culture of compliance at the bank. HSBC took a hard look at the root causes of their compliance failures, and what came out of that review was a significant restructuring of their organization. The revamped structure allows compliance issues and information to be shared horizontally, across a very large, global institution. The new structure, which includes a stand-alone Compliance department and new reporting lines, enhanced the prominence and independence of the compliance function. HSBC s head of global compliance is now one of the bank s top 50 executives worldwide. It was also important to us to see that HSBC provided its revamped compliance function with enough resources to be effective. You can make all the structural changes you want in an organization, but if you don t

22 Feature properly staff and fund it, you won t realize the intended improvements. At HSBC, antimoney laundering (AML) compliance staffing was increased ten-fold, compliance officers were retrained, and investments were made in better-automated monitoring systems. HSBC s efforts to more closely align the organization s commitment to compliance with the interests of its employees also resonated with us. Going forward, the bank s bonus structure for senior executives will be closely tied to performance regarding compliance standards and values. In making this change, HSBC sent a strong message to its employees. It told them that, if you don t share in the bank s commitment to compliance, you will be hit where it hurts in your wallet, in your bank account. This aligns the employees interests with the interests of the bank in a very real, tangible way. I think the remedial measure that stood out to most to me, because it is seemingly unprecedented, was HSBC s agreement to subscribe to a single global standard for compliance. This means that HSBC will apply the highest or most effective compliance requirements for operations worldwide, regardless of the laws and regulations that apply where a particular office or affiliate is located. In other words, if the U.K. has the toughest anti-corruption laws in the world, HSBC will apply them worldwide. If the AML requirements in the United States are the most stringent, they will apply globally. What this said to us was that HSBC was really striving to be the gold standard for compliance. AT: One of the things that was notable is that HSBC split the compliance officer from the General Counsel s Office. There s been a lot I just don t think that a one-size-fits-all approach works when it comes to compliance. of push within the Compliance community to move out of Legal. Judging by the HSBC settlement, it seems that you as a prosecutor would agree that the jobs should be separate. What do you see as the virtue of separating the roles? LL: Separating the Legal and Compliance functions within HSBC was part of a deliberate, carefully crafted effort to give Compliance more prominence, more autonomy and more authority within the bank. It also was intended to make senior management more directly accountable for compliance values and standards. In companies where the CCO has a position equal in stature to the GC, with a separate reporting line to the CEO or the board or audit committee, it not only ensures the independence of the Compliance function, but it also conveys to employees that the company values, and is committed to, compliance. This structure also typically provides a direct line of communication, without potential interference from senior management, straight to the top of the house, if and when compliance issues must be escalated. That being said, it is not my position that separating the CCO and GC roles will make sense in every organization. It made sense for HSBC, which was, at the time, the fourth largest bank in the world, a bank that had global operations in what is arguably the most heavily regulated industry in the world. There may be situations where it makes sense to have the Compliance department housed within the Legal division, reporting up to the GC, or a GC that also fulfills the duties of a CCO. On the other hand, there will be cases where a combined GC-CCO position is cost effective in the short term, but results in costly, long-term consequences, because the individual wearing both hats doesn t

23 Feature have enough time or sufficient ability to do both jobs well. I just don t think that a one-size-fits-all approach works when it comes to compliance. The optimal structure of the Legal and Compliance functions within an organization may depend on any number of factors organizational size, industry, regulatory environment, staffing constraints and individual capabilities, to name a few. No matter how a company structures the roles of the GC and CCO, I think it is critical to the success and effectiveness of a compliance program to ensure cooperation and coordination between the Compliance and Legal functions. That being said, when an investigation reveals that significant, systemic failures and flaws exist within a company s Compliance function, the government will question as should the company whether the organizational structure in place contributed to that failure. I will also add that, in my experience, successful compliance programs regardless of whether the GC and CCO roles are split are found within companies that have and maintain a culture of compliance. It will matter not that the GC and CCO are subsumed in a single role, or that they are separate and distinct positions, if the company does not demonstrate to its employees in tangible and intangible ways that compliance matters that everyone, from the top down, must value integrity, and that issues of legal, financial, and ethical rules will be handled in a rigorous and transparent manner. Without that culture, even companies with separate legal and compliance leaders will face an uphill battle. AT: As I recall, part of the settlement also includes a change so that Compliance reports directly to the board. Is that something you would advocate for compliance professionals and the companies they work for to take note of? LL: Again, I don t think one size fits all. I do believe, however, that an organizational structure that gives the CCO unfettered access to the board or audit committee goes a long way toward ensuring that compliance issues are appropriately escalated, without undue influence from senior management. You want your CCO to have a seat at the table to be able to speak truth to power when necessary. You want an autonomous CCO who is heard, a CCO who is empowered to candidly report information to the board or audit committee. It may be that, in order to fulfill that wish list, some organizations will need to put in place a structure where the CCO operates separate and apart from the GC, and has a direct reporting line to the CEO or the board or audit committee. On the other hand, some organizations may be able to accomplish that without installing a direct reporting line. AT: Finally, are we seeing the start of a new era in which compliance programs are going to be looked at more closely by prosecutors? And, just as importantly, will good programs earn organizations public credit for their efforts? LL: Absolutely. Compliance is the lens through which we view your company. A robust compliance program demonstrates to us that the company gets it. Making your compliance program a top priority is an investment a company can t afford not to make. To put it more bluntly, by the time you have a problem that has drawn the government s attention, under our principles and guidelines that govern corporate prosecutions, the existence of a robust compliance program can save you, as in the Morgan Stanley case. While Ralph Lauren and HSBC were able to implement compliance programs that allowed them to escape indictment, they should nevertheless be viewed as guidance to other companies, not a guarantee. You re still far better off making compliance part of the fabric of your company and the face you present to the world