FRA

Forensic Risk Alliance

FRA News

Convention Judiciaire d’Intérêt Public (CJIP) – A Forensic Approach to Fine Calculation

Download the full article here

Téléchargez l’article en français

How are fines calculated under the French Convention Judiciaire d’Intérêt Public (CJIP), particularly in multi-jurisdictional corruption and bribery investigations?

The procedures and penalties behind the French Convention Judiciaire d’Intérêt Public (CJIP) are generating significant interest among companies and the public. In this article, FRA’s Yousr Khalil, partner and head of the Paris office, and senior associate Justin Michel answer two common questions regarding the calculation of penalties:

  1. How is the amount of a fine determined?
  2. Why it is not possible or advisable to predetermine the amount of a fine in multijurisdictional matters?

At the heart of Sapin II – the French anticorruption law introduced in December 2016 – is a procedure called the Convention Judiciaire d’Intérêt Public (CJIP). Similar to a Deferred Prosecution Agreement in the US or UK, it was created to allow the prosecution of corporate crime. An agreement between a company and its prosecutors is made, whereby a CIJP carries an admission of facts, but not guilt. Fines are calculated and, if appropriate, reduced. This procedure allows companies and their advisers to benefit from an agreement with the French prosecutors, le Parquet National Financier (PNF).

1. How to calculate the fine

Three factors are essential:

  • Legal Liability: Identifying the tainted contracts or projects, as only these form the basis of the calculation
  • A unified and principled approach: In an international regulatory litigation case covering many jurisdictions, it is necessary to establish a common and principled methodology agreed by the various authorities
  • The right team to perform the calculation: Collaboration between the forensic accountants and the company’s internal accounting teams is essential to properly reflect the company’s operations in the gain calculation model and related cost elements

2. Why is it not possible nor advisable to pre-determine a fine

  • Risk of subsequent law suits from other competent jurisdictions, shareholders and competitors
  • Risk of undermining cooperation between authorities in reaching one consistent method of calculation
  • Risk of a company ceasing its efforts to conclude a CJIP if the predetermined fine is considered unfavorable (i.e. too high)
  • Based on FRA’s experience with various authorities around the world, fines have never been predetermined as the company’s legal liability must first be established as the basis for a fine calculation

Want to learn more about our expertise?

Contact Us

FRA Sponsors City & Financial Global’s FCA Investigations and Enforcement Summit, 12 February 2020

How to bullet proof the data gathering and review process in a forensic investigation

FRA Partner, Anant Modi, will be speaking at the FCA Investigations and Enforcement Summit on “Developments in forensic investigations – bullet proofing the data gathering and review process”. Drawing on his 25 years of experience in fraud and regulatory investigations, Anant will discuss different categories of data and how to approach them, potential pitfalls in dealing with evidence, and technological advances in the analysis and review of data.

About the Summit

The Financial Conduct Authority (FCA) has made it clear that increasingly severe penalties and sanctions are not enough to prevent and reduce serious misconduct, and it must increase the likelihood of detection. As a consequence, firms may find themselves subject to an investigation for any suspicion of wrongdoing, even if the outcome clears them of any breach.

The FCA is keen to avoid a “culture of fear,” but the introduction and extension of the Senior Managers and Certification Regime (“SMCR”) imposes personal accountability and liability on a much wider group with significant personal implications for those involved. As a result, much needed guidance and clarity is needed on how you can reduce the likelihood of facing regulatory action and mitigate the impact of it on your organisation and senior managers.
Mark Steward, Director of Enforcement and Market Oversight at the FCA, will address the tools available to you when faced with enforcement action, including the latest focus resolution procedures, allowing you to challenge the severity of the penalty while admitting liability.

Register now to attend this event

City & Financial Global

Responding to Cyber Attacks and Incidents of Data Misuse

How to form a holistic corporate strategy bringing together legal, forensic, cybersecurity and communications perspectives.

In today’s context of public concern over data privacy and proliferating data protection laws, organisations face multifaceted challenges when responding to a cyber incident, whether the incident is data exfiltration or the misuse of data entrusted to companies. Threats could be external or internal, malicious or negligent. The consequences can range from technical to reputational and even criminal (both for the company and its senior managers). To add pressure to this complexity, authorities may expect potential incidents to be reported quickly – namely, the EU GDPR’s 72-hour data breach reporting requirement. Failure to do so could lead to regulatory fines that can apply to any sector and reach amounts that dwarf serious financial crime penalties. What can companies do today to give themselves the best chance of maintaining authority and credibility when – not if – an incident arises?

FRA Partner Simon Taylor joined a panel of legal, cybersecurity and communication experts in London on 23 January, to share his insights with an audience of in-house legal and compliance professionals on the critical elements to piece together when companies respond to cyber incidents.

Assess your In-house Capability

Any organisation with a computer must accept some level of data governance risk, but it is unlikely that all companies have comprehensive in-house crisis management resources standing by in the event that this risk manifests. The threats are multi-faceted: increasingly sophisticated attacks, demanding regulations, intensifying media attention and evolving best practice in risk management. When a crisis hits, you need to assemble a multi-disciplinary response team that extends beyond IT alone, potentially including human resources, finance, internal audit and compliance teams. Given the varying scope of data privacy laws in different jurisdictions, it will likely take a combined effort to respond in a compelling way to the data protection authorities.

Together with the appointment of an internal team, management must carefully consider if the company has the degree of expertise or bandwidth to respond effectively to all aspects of the crisis, particularly if it spans multiple jurisdictions. External counsel may be needed to assess the reporting obligation or highlight potential follow-on litigation, such as class actions. Independent forensic investigation experts can help establish the fact pattern, essential for urgent and well-informed decision-making, while ensuring any internal investigation is performed in a forensically robust manner to withstand regulators’ expectations. Furthermore, Stroz Friedberg VP Heidi Wachs noted that even companies with sophisticated internal IT operations teams might need external cybersecurity specialists to trace the root of an incident and chart an effective plan of action to ensure commercial operations are up and running as quickly as possible.

Cooperate and communicate to mitigate the damage

Whether to clients, the public or the regulator, failure to communicate swiftly can have significant reputational and financial repercussions. In many spheres of alleged corporate wrong-doing companies have the luxury of conducting their internal investigations confidentially – GDPR has changed the game. In the age of GDPR and intense media scrutiny, a company no longer has the option nor the time to investigate in private. Depending on the nature of the compromised data, the GDPR requires that companies report incidents to the respective competent authority and potentially to data subjects as well.

Reducing FinesFRA_JennerandBlock1

It is very early days in the development of a GDPR fine regime to understand and predict an enforcement authority’s approach to the calculation of a financial penalty. The few notices of intention to fine or fines that have been publicised reveal some inconsistency from one jurisdiction to another. The UK ICO’s proposed “mega fines” of 2019 suggest they may be taking a ‘top down’ approach, considering the maximum ceiling of 4% global annual turnover as an initial figure, and working downwards balancing mitigating factors and the need for a deterrent. For example, Jenner & Block’s Kelly Hagedorn and FRA’s Simon Taylor agreed that the UK ICO seemed to be taking any failure to adhere to the 72-hour reporting requirement as a serious aggravating factor in determining penalties in GDPR data breach cases. In other EU jurisdictions where 2019 fines were smaller, regulators may have taken a ‘bottom up’ approach, building up the quantum of the fine based on case-specific factors.

In FRA’s experience with regulatory fines in other areas, a number of discounts and reductions can be negotiated if the company is cooperative and demonstrates that proper technical controls and compliance programmes were in place. As Simon Taylor highlighted, the authorities would be aware of the need to defend their imposed fine robustly should the penalised parties ever challenge it in court, so there is incentive on both sides to negotiate.

Establishing a credible public voice

Instances of corporate data breach and misuse are firmly in the media’s crosshairs. As seen in the recent Travelex ransomware attack, even if a company believes it has fair reason not to report an incident, keeping the matter quiet does not avoid a public furore if journalists interpret a company’s silence as negligent or even dishonest. Portland Communications’ Steve Morris advised companies to establish their own platforms and channels for communicating with the media and public when in crisis mode. Be in charge of the story by being the authoritative source of facts, rather than reacting. The public is much more likely to be forgiving if companies are seen to be transparent and responsible.

Involve the board

If the potential extent of regulatory fines, reputational harm and technical damage to business operations were not enough to draw board members’ attention to cyber incident response planning, the emerging regulatory trend of accountability at the board level should do it. A key milestone is the US Federal Trade Commission’s settlement order (2019), which requires Facebook to “restructure its approach to privacy from the corporate board-level down” and implement mechanisms to ensure executives are accountable for decisions about privacy. There are signs that this mandatory reporting to the board is gradually gaining traction in other jurisdictions.

Build the narrative, starting now

For a company to speak credibly and authoritatively in times of crisis, the fact pattern must be established. At the point an incident is triggered, a high calibre and forensically sound investigation is needed, as has been the case for many years in financial crime compliance. The challenge in cyber attacks and incidents of data misuse is that the timeline for investigation is heavily compressed by GDPR requirements and the need to make public disclosures.

Establishing appropriate ‘technical and organisational measures’ is the best, and only, defence given the inevitability of a cyber breach or the misuse of data. This is an exercise that can begin now and needs to be constantly refreshed. Seek advice from your legal, forensic, cybersecurity and communications experts on proactive risk assessments and contingency planning that can be initiated in advance of a crisis.

The above is a summary of “Responding to Cyber Incidents”, which took place on 23 January 2020 at The Ivy Club, London.

Event Speakers:

Simon Taylor, Partner, FRA
Kelly Hagedorn, Partner, Jenner & Block
Steve Morris, Managing Partner, Portland Communications
Heidi Wachs, Vice President, Stroz Friedberg

Event Moderator:

Paul Feldberg, Partner, Jenner & Block

Responding to cyber attacks

FRA Promotes Tamara Vitagliano to Global Director of Technology Solutions and Forensics

Forensic Risk Alliance (FRA) announced today that Tamara Vitagliano has been promoted to Global Director of Technology Solutions and Forensics, effective immediately.

In her new role, Vitagliano will oversee FRA’s global data processing, digital forensics, and Mobile Discovery Solutions offerings. FRA has six secure global datacenters and more mobile discovery processing solutions deployed globally in the context of fraud investigations, internal investigations, litigation, and other contentious matters than any other firm. Vitagliano will ensure the highest levels of data security, in compliance with global regulations, and will partner closely with FRA’s Data Governance Advisory Services team to offer clients integrated, customized consulting and technology solutions under one roof.

“Tamara Vitagliano is among the most highly qualified and technical women in compliance today,” said Frances McLeod, FRA Co-Founding Partner and Co-Head of its Data Governance Practice. “She not only has expert knowledge of industry leading software, but also has the hands-on experience and business acumen needed to leverage the right tools in their best application to address clients’ unique data governance challenges.”

Vitagliano brings more than 15 years’ experience helping clients around the world leverage innovative technology solutions to manage their most complex data governance and eDiscovery needs. A Relativity Processing Specialist, Relativity Certified User, Certified Public Accountant (CPA), Certified Fraud Examiner (CFE), Certified Anti-Money Laundering Specialist (CAMS) and Certified in Financial Forensics (CFF), Vitagliano is one of the most credentialed and experienced practitioners in the industry. She is particularly expert in complex data collection, processing, review, analysis, and production, and has extensive experience managing and supervising investigations into insider trading, compliance violations and investment fraud, advising counsel on litigation matters, managing eDiscovery and computer forensics projects, and conducting anti-money laundering compliance risk reviews for Latin American clients.

Vitagliano joined FRA in 2015 as an Associate Director in its Forensic Accounting practice, and is based in its Washington, DC office. She earned an Executive MBA from Boston University’s Questrom School of Management, and a BS in Accounting with minors in Computer Information Systems and Spanish from the State University of New York College of Geneseo.

FRA strengthens Data Governance practice with two new senior hires

Forensic Risk Alliance (FRA) welcomes Kwaku Asiamah, Director and Nirav Daftary, Associate Director, to the Data Governance, Technology Solutions, and Forensics team, continuing at pace its investment in the practice.

Kwaku and Nirav bring more than 20 years’ of combined eDiscovery experience to the Data Governance team having worked with Am Law 100, FTSE and Fortune 500 companies across many industries including financial services, pharmaceuticals, and technology. They have been involved in cross-border litigation, internal investigations, white-collar crime and regulatory matters such as the landmark investigation into the manipulation of interbank interest rates.

Kwaku joins the London office, providing specialist professional and consulting services with particular focus on all aspects of the electronic discovery reference model (EDRM) cycle from forensic data collections through to processing, review, analytics and production. Kwaku’s expertise includes strategizing, planning and managing the collection, processing and transfer of multiple datasets whilst putting in place defensible protocols across multiple jurisdictions. He is well-versed in international data privacy regulations, regularly communicates with multiple global regulators preparing data deliveries for their review.

Nirav joins the Paris office, providing advanced technical expertise in the eDiscovery domain and extensive experience managing global operations teams. He has hands-on experience in quickly processing, analysing and culling complex data sets whilst applying innovative technologies, including mobile solutions, advanced analytics, predictive coding (such as TAR/CAL), and other review management methodologies.

Frances McLeod, co-founder and head of FRA’s Data Governance, Technology Solutions and Forensics practice comments, “The pace of data regulation and enforcement is increasing across the globe, impacting our clients and many other companies. Kwaku and Nirav bring a unique combination of technical excellence, unrivalled subject matter expertise, and client-focus, which will be invaluable in addressing these challenges within a rapidly evolving environment.”
Upon their joining, Kwaku and Nirav said, “We are excited to work with FRA’s market leading team of highly specialized and diverse practitioners. Their passion and innovative approach to data governance makes it easy to see why FRA take on the most complex data challenges of many of the world’s largest multinational organizations. We’re looking forward to bringing our experience in cross-border litigation, internal investigations, white-collar crime and regulatory matters to the FRA team.”