
The Integrity Agenda: Compliance news

SBF: From Crypto King to Convicted Fraudster

Sam Bankman-Fried, the disgraced former founder and CEO of cryptocurrency exchange FTX Corp., has been convicted by a U.S. jury of masterminding one of the largest financial frauds in U.S. history. He could now face decades in prison.

Bankman-Fried founded FTX in 2019 and he quickly built it into a huge crypto trading platform, at one point worth an estimated $32 billion — but it was all a charade. On the inside, Bankman-Fried and his cronies squandered billions in customer assets and kept virtually no records. The company finally imploded in November 2022. Bankman-Fried was indicted the following month.

Compliance professionals might think the lessons here are esoteric (“I’m not in crypto, how can this relate to me?”), but actually Bankman-Fried’s downfall underlines some powerful lessons about corporate governance. For example, the company had no real board of directors; the board was Bankman-Fried himself plus a few henchmen. Without a board to impose accountability, FTX lacked fundamental systems such as cash controls, books and records, or a personnel system. Without such systems in place, fraud was virtually inevitable.

Another lesson here, however, is for all the venture capital firms that poured investment money into FTX. They fell in love with the promise of huge returns on crypto investing, and ignored red flags such as Bankman-Fried’s inexperience, his weak board, and an external audit firm far too small and unknown to handle such a (supposedly) huge client as FTX. The VC firms, which should have known better, didn’t perform due diligence, ignored red flags, and ultimately got burned by Bankman-Fried’s fraud.

If we could boil down the saga of Bankman-Fried and FTX into one lesson, it’s this: integrity matters in business, and you should look for business partners who demonstrate it.

We can derive many other lessons from FTX too, about proper policies and procedures, internal controls, and the importance of documentation. Those are valid concerns for any business — but they all flow from a strong tone at the top, set by executives who take ethical conduct seriously. FTX never had that in Bankman-Fried, so everything that followed should be no surprise.

SEC Sues SolarWinds and Its CISO on Cyber Failures

The U.S. Securities and Exchange Commission has sued IT services firm SolarWinds and its CISO for failing to disclose proper information about the company’s cybersecurity risks before the company suffered a disastrous cyber attack in 2020.

SolarWinds sells software to help corporate and government customers manage their IT infrastructure. In 2019, hacking groups sponsored by Russia penetrated SolarWinds’ defenses and implanted spyware in the company’s flagship product. When SolarWinds then sent a routine software upgrade to its customers, those customers were also installing the Russian spyware. The attack was finally discovered at the end of 2020, and today is considered one of the most damaging attacks in cyber history.

Now the SEC wants to hold SolarWinds and its CISO, Timothy Brown, liable for statements the company made to investors before the attack was discovered. The agency’s argument is that while SolarWinds was declaring externally that its security was strong, employees were constantly warning internally that the company had numerous glaring weaknesses. Since those internal red flags were never addressed or disclosed to investors, the SEC says, both the company and Brown personally are liable for misleading investors.

This case has potentially huge implications for compliance officers, internal auditors, and other risk assurance professionals. Essentially, the SEC is arguing that you could carry personal liability for the company failing to act promptly to address risks under your purview. Is that fair, when many times the company’s inaction is beyond your control? Should you start asking for professional liability insurance? Should the company start pressuring employees not to raise red flags too loudly, for fear that a casual “this is so bad!” email might be misconstrued in a court hearing?

Right now we don’t know the answers to those questions. For its part, SolarWinds calls the SEC lawsuit “misguided and improper” and claims it will fight the SEC in court.

Clearly, however, this case raises the specter of more personal liability for compliance officers, especially those who answer directly to senior management or the board. It could well be that your internal reporting processes will need to work much more efficiently and robustly, so that you can force attention to troublesome risks. Otherwise, the name on the next lawsuit might be yours.

U.K. Companies Admit Violating Russia Sanctions

More than 100 British businesses have confessed to the U.K. government that they have violated sanctions against Russia, hoping that their voluntary self-disclosure will secure more lenient settlements with regulators who enforce those sanctions.

We don’t know the names of any specific companies that have come clean with their sanctions violations, but law firm Pinsent Masons submitted a freedom of information request to the British Treasury earlier this year. When the Treasury replied, it confirmed that 127 companies had self-reported violations to the U.K. Office of Financial Sanctions Implementation, which is responsible for enforcing U.K. sanctions law. That figure was as of May 17, so it’s quite likely that the current number is higher.

The companies’ thinking is that by self-reporting their violations — some of which might be innocent mistakes, rather than deliberate intent to evade sanctions — they’ll be able to secure smaller monetary penalties or other favorable terms to resolve their violations. British regulators, like their U.S. counterparts, do offer more leniency to companies that self-report their compliance violations and cooperate with regulators during the ensuing investigations.

Compliance officers have two lessons to ponder from this news.

First is the sheer difficulty of identifying potential sanctions violations among your customers and third parties. Russian oligarchs are notorious for hiding behind shell companies or exerting power over a company behind the scenes, and transliteration from the Cyrillic alphabet (used in Russia) to the Roman alphabet (used in the West) makes it much easier to confuse the names of people and companies. Plus, Western governments are adding new Russian entities to their sanctions lists all the time.

So the screening technologies you use to identify Russian targets need to be sophisticated and carefully calibrated. They also need to capture and integrate new additions to sanctions lists as they happen, so you’re screening as effectively as possible.

The second lesson, however, is about the value of self-disclosure. U.S. regulators have been preaching that gospel for years: if your company operates with a culture of integrity and compliance, working with regulators to uncover and correct misconduct, those regulators will then give you more favorable settlement terms. Now we see that same dynamic happening in the United Kingdom, with an issue (Russia sanctions) that’s both immediate and pressing. If you do find sanctions violations in your enterprise, and your company is serious when it talks about supporting integrity — then there’s really only one correct course of action.

More Pressure Over China, Forced Labor

U.S. lawmakers have sent a letter to Costco Wholesale, asking the CEO to explain how goods allegedly tied to forced labor in China continue to be sold on Costco shelves.

The letter, dated Oct. 31 and from the heads of a bipartisan congressional committee on human trafficking and other trade issues involving China, asked Costco chief executive Craig Jelinek numerous questions about security cameras that Costco sells which come from the Chinese company Lorex. Lorex uses components from another Chinese company, Dahua, whose products are restricted for sale in the United States because of suspected ties to forced labor in the Xinjiang region of China.

The letter noted that Costco competitors such as Best Buy, Home Depot, and Lowe’s have all stopped selling Lorex products, “making Costco’s continued sale of the equipment all the more puzzling” and seemingly in conflict with Costco’s public statements in favor of human rights.

Costco has confirmed that it received the lawmakers’ letter, but so far has made no further statement.

This is just the latest example of lawmakers trying to exert public pressure on U.S. companies to do better with their supply chain compliance, particularly regarding China and the Uighur Forced Labor Protection Act enacted in 2021.

The Biden Administration has started enforcing that law, usually by seizing suspect goods as they reach U.S. shores. More often, however, we see these letters published by Congress — specifically, the Congressional-Executive Commission on China, which monitors human rights abuses — as a name-and-shame tactic to pressure companies to do better at compliance.

Compliance with the Uighur forced labor law is not easy. Companies are required to prove that goods they import from Xinjiang are not contaminated by forced labor in their supply chains. That is, the burden of proof lies with the company to show that it’s in compliance, not with regulators to show that the companies aren’t. This means companies need strong supply chain due diligence capabilities and robust documentation procedures, so that they can peer all the way down their China supply chains and identify forced-labor risks.

Moreover, calling out China for forced-labor abuses is politically popular in the United States. The congressional committee monitoring human rights abuses has plenty more letters in its pipeline, and will keep using them to needle companies into better compliance.


Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.