FRA

Forensic Risk Alliance

FRA News

Navigating disgorgement and fine calculation in co-ordinated regulatory investigations

Live Webinar | Find out how approaches to disgorgement and fine calculations are evolving

Date: Tuesday, March 31, 2020

Time: 14.30 GMT / 9.30 EDT

Duration: 45 minutes

FRA experts Toby Duthie and Rik Workman share high level trends as well as detailed technical expertise gathered from decades of involvement in high profile cross-border disgorgements and fine calculations. From jurisdiction-specific challenges to harmonisation of fine calculation methodology across agencies, they offer you insights from major FRA engagements that have helped clients find beneficial outcomes from the most complex investigations.

Register now

What you will learn

As more companies such as Airbus and Rolls Royce negotiate landmark global settlements with multiple national regulators at once, there is an evident international shift away from prosecution and towards self-reporting and remediation as the preferred route. So, what can we learn from recent investigations on the approach to reaching these types of settlements? Join us as we discuss:

1. Key considerations for managing data across borders
2. How gain differs from gross profit
3. How much does cooperation count in the final settlement
4. What pre-emptive steps can your company or client take today

Click here to register now.

Find out more about our expertise with Disgorgement, Gain and Ability to Pay Calculations

Our engagements in complex calculations require an empirical approach to financial data and a strong understanding of accounting and reporting in international businesses. Our strength in data mining combined with strong accounting knowledge and financial modeling skills enables us to provide empirical, robust and defensible analysis.

Contact us to learn more

A Message from FRA’s Chief Technology Officer, Greg Mason

Ransomware is a serious and growing cyber threat, underscored by recent attacks impacting the legal sector. These attacks are a stark reminder that no matter how robust a security program is, we are always under threat and it is critical for IT teams to stay current and vigilant.

At FRA, we pride ourselves on offering clients the highest levels of data security, and we hold ourselves to that same standard every single day. We actively monitor and analyze cyber threats and have implemented best-in-class technical and operational measures—including a ISO27001 risk management process— specifically designed to prevent ransomware-type attacks and mitigate the spread of ransomware in the event of a compromise.

We perform independent audits on a regular basis, which have re-affirmed that the processes we have in place are robust and market leading. However, even with all the best policies and controls in place, no one is impervious to a cyberattack. The biggest risk-factor for companies—including our own—is human error. That’s why, in addition to our technical and operational measures, we also require our staff, at all levels across our global team, to undergo formal training to prepare them to identify, prevent and mitigate cyber risks and other information security concerns.

Rest assured that we take data security very seriously—it is at the core of our business. If you have any questions, or if you would like to discuss how FRA can help your business address data governance challenges, please contact me or any of our FRA Data Governance, Technology Solutions and Forensics Partners.

Sincerely,

Greg Mason
Co-founding Partner and Chief Technology Officer
Forensic Risk Alliance

Convention Judiciaire d’Intérêt Public (CJIP) – A Forensic Approach to Fine Calculation

Download the full article here

Téléchargez l’article en français

How are fines calculated under the French Convention Judiciaire d’Intérêt Public (CJIP), particularly in multi-jurisdictional corruption and bribery investigations?

The procedures and penalties behind the French Convention Judiciaire d’Intérêt Public (CJIP) are generating significant interest among companies and the public. In this article, FRA’s Yousr Khalil, partner and head of the Paris office, and senior associate Justin Michel answer two common questions regarding the calculation of penalties:

  1. How is the amount of a fine determined?
  2. Why it is not possible or advisable to predetermine the amount of a fine in multijurisdictional matters?

At the heart of Sapin II – the French anticorruption law introduced in December 2016 – is a procedure called the Convention Judiciaire d’Intérêt Public (CJIP). Similar to a Deferred Prosecution Agreement in the US or UK, it was created to allow the prosecution of corporate crime. An agreement between a company and its prosecutors is made, whereby a CIJP carries an admission of facts, but not guilt. Fines are calculated and, if appropriate, reduced. This procedure allows companies and their advisers to benefit from an agreement with the French prosecutors, le Parquet National Financier (PNF).

1. How to calculate the fine

Three factors are essential:

  • Legal Liability: Identifying the tainted contracts or projects, as only these form the basis of the calculation
  • A unified and principled approach: In an international regulatory litigation case covering many jurisdictions, it is necessary to establish a common and principled methodology agreed by the various authorities
  • The right team to perform the calculation: Collaboration between the forensic accountants and the company’s internal accounting teams is essential to properly reflect the company’s operations in the gain calculation model and related cost elements

2. Why is it not possible nor advisable to pre-determine a fine

  • Risk of subsequent law suits from other competent jurisdictions, shareholders and competitors
  • Risk of undermining cooperation between authorities in reaching one consistent method of calculation
  • Risk of a company ceasing its efforts to conclude a CJIP if the predetermined fine is considered unfavorable (i.e. too high)
  • Based on FRA’s experience with various authorities around the world, fines have never been predetermined as the company’s legal liability must first be established as the basis for a fine calculation

Want to learn more about our expertise?

Contact Us

FRA Sponsors City & Financial Global’s FCA Investigations and Enforcement Summit, 12 February 2020

How to bullet proof the data gathering and review process in a forensic investigation

FRA Partner, Anant Modi, will be speaking at the FCA Investigations and Enforcement Summit on “Developments in forensic investigations – bullet proofing the data gathering and review process”. Drawing on his 25 years of experience in fraud and regulatory investigations, Anant will discuss different categories of data and how to approach them, potential pitfalls in dealing with evidence, and technological advances in the analysis and review of data.

About the Summit

The Financial Conduct Authority (FCA) has made it clear that increasingly severe penalties and sanctions are not enough to prevent and reduce serious misconduct, and it must increase the likelihood of detection. As a consequence, firms may find themselves subject to an investigation for any suspicion of wrongdoing, even if the outcome clears them of any breach.

The FCA is keen to avoid a “culture of fear,” but the introduction and extension of the Senior Managers and Certification Regime (“SMCR”) imposes personal accountability and liability on a much wider group with significant personal implications for those involved. As a result, much needed guidance and clarity is needed on how you can reduce the likelihood of facing regulatory action and mitigate the impact of it on your organisation and senior managers.

Mark Steward, Director of Enforcement and Market Oversight at the FCA, will address the tools available to you when faced with enforcement action, including the latest focus resolution procedures, allowing you to challenge the severity of the penalty while admitting liability.

Register now to attend this event

City & Financial Global

Responding to Cyber Attacks and Incidents of Data Misuse

How to form a holistic corporate strategy bringing together legal, forensic, cybersecurity and communications perspectives.

In today’s context of public concern over data privacy and proliferating data protection laws, organisations face multifaceted challenges when responding to a cyber incident, whether the incident is data exfiltration or the misuse of data entrusted to companies. Threats could be external or internal, malicious or negligent. The consequences can range from technical to reputational and even criminal (both for the company and its senior managers). To add pressure to this complexity, authorities may expect potential incidents to be reported quickly – namely, the EU GDPR’s 72-hour data breach reporting requirement. Failure to do so could lead to regulatory fines that can apply to any sector and reach amounts that dwarf serious financial crime penalties. What can companies do today to give themselves the best chance of maintaining authority and credibility when – not if – an incident arises?

FRA Partner Simon Taylor joined a panel of legal, cybersecurity and communication experts in London on 23 January, to share his insights with an audience of in-house legal and compliance professionals on the critical elements to piece together when companies respond to cyber incidents.

Assess your In-house Capability

Any organisation with a computer must accept some level of data governance risk, but it is unlikely that all companies have comprehensive in-house crisis management resources standing by in the event that this risk manifests. The threats are multi-faceted: increasingly sophisticated attacks, demanding regulations, intensifying media attention and evolving best practice in risk management. When a crisis hits, you need to assemble a multi-disciplinary response team that extends beyond IT alone, potentially including human resources, finance, internal audit and compliance teams. Given the varying scope of data privacy laws in different jurisdictions, it will likely take a combined effort to respond in a compelling way to the data protection authorities.

Together with the appointment of an internal team, management must carefully consider if the company has the degree of expertise or bandwidth to respond effectively to all aspects of the crisis, particularly if it spans multiple jurisdictions. External counsel may be needed to assess the reporting obligation or highlight potential follow-on litigation, such as class actions. Independent forensic investigation experts can help establish the fact pattern, essential for urgent and well-informed decision-making, while ensuring any internal investigation is performed in a forensically robust manner to withstand regulators’ expectations. Furthermore, Stroz Friedberg VP Heidi Wachs noted that even companies with sophisticated internal IT operations teams might need external cybersecurity specialists to trace the root of an incident and chart an effective plan of action to ensure commercial operations are up and running as quickly as possible.

Cooperate and communicate to mitigate the damage

Whether to clients, the public or the regulator, failure to communicate swiftly can have significant reputational and financial repercussions. In many spheres of alleged corporate wrong-doing companies have the luxury of conducting their internal investigations confidentially – GDPR has changed the game. In the age of GDPR and intense media scrutiny, a company no longer has the option nor the time to investigate in private. Depending on the nature of the compromised data, the GDPR requires that companies report incidents to the respective competent authority and potentially to data subjects as well.

Reducing FinesFRA_JennerandBlock1

It is very early days in the development of a GDPR fine regime to understand and predict an enforcement authority’s approach to the calculation of a financial penalty. The few notices of intention to fine or fines that have been publicised reveal some inconsistency from one jurisdiction to another. The UK ICO’s proposed “mega fines” of 2019 suggest they may be taking a ‘top down’ approach, considering the maximum ceiling of 4% global annual turnover as an initial figure, and working downwards balancing mitigating factors and the need for a deterrent. For example, Jenner & Block’s Kelly Hagedorn and FRA’s Simon Taylor agreed that the UK ICO seemed to be taking any failure to adhere to the 72-hour reporting requirement as a serious aggravating factor in determining penalties in GDPR data breach cases. In other EU jurisdictions where 2019 fines were smaller, regulators may have taken a ‘bottom up’ approach, building up the quantum of the fine based on case-specific factors.

In FRA’s experience with regulatory fines in other areas, a number of discounts and reductions can be negotiated if the company is cooperative and demonstrates that proper technical controls and compliance programmes were in place. As Simon Taylor highlighted, the authorities would be aware of the need to defend their imposed fine robustly should the penalised parties ever challenge it in court, so there is incentive on both sides to negotiate.

Establishing a credible public voice

Instances of corporate data breach and misuse are firmly in the media’s crosshairs. As seen in the recent Travelex ransomware attack, even if a company believes it has fair reason not to report an incident, keeping the matter quiet does not avoid a public furore if journalists interpret a company’s silence as negligent or even dishonest. Portland Communications’ Steve Morris advised companies to establish their own platforms and channels for communicating with the media and public when in crisis mode. Be in charge of the story by being the authoritative source of facts, rather than reacting. The public is much more likely to be forgiving if companies are seen to be transparent and responsible.

Involve the board

If the potential extent of regulatory fines, reputational harm and technical damage to business operations were not enough to draw board members’ attention to cyber incident response planning, the emerging regulatory trend of accountability at the board level should do it. A key milestone is the US Federal Trade Commission’s settlement order (2019), which requires Facebook to “restructure its approach to privacy from the corporate board-level down” and implement mechanisms to ensure executives are accountable for decisions about privacy. There are signs that this mandatory reporting to the board is gradually gaining traction in other jurisdictions.

Build the narrative, starting now

For a company to speak credibly and authoritatively in times of crisis, the fact pattern must be established. At the point an incident is triggered, a high calibre and forensically sound investigation is needed, as has been the case for many years in financial crime compliance. The challenge in cyber attacks and incidents of data misuse is that the timeline for investigation is heavily compressed by GDPR requirements and the need to make public disclosures.

Establishing appropriate ‘technical and organisational measures’ is the best, and only, defence given the inevitability of a cyber breach or the misuse of data. This is an exercise that can begin now and needs to be constantly refreshed. Seek advice from your legal, forensic, cybersecurity and communications experts on proactive risk assessments and contingency planning that can be initiated in advance of a crisis.

The above is a summary of “Responding to Cyber Incidents”, which took place on 23 January 2020 at The Ivy Club, London.

Event Speakers:

Simon Taylor, Partner, FRA
Kelly Hagedorn, Partner, Jenner & Block
Steve Morris, Managing Partner, Portland Communications
Heidi Wachs, Vice President, Stroz Friedberg

Event Moderator:

Paul Feldberg, Partner, Jenner & Block

Responding to cyber attacks