Law Enforcement Reads the News. Your Company Should Too.
LEGAL, COMPLIANCE AND RISK MANAGEMENT LESSONS FROM THE MICHAEL COHEN SAGA
The case of Michael Cohen, “personal lawyer” to the U.S. President, continues to yield rich legal, compliance and risk management lessons for a growing group that includes U.S. and foreign companies, banks, lobbyists, government officials, and lawyers. Recent developments in the Cohen matter highlight how news awareness can enhance compliance and risk management for companies and others.
One of the more enduring storylines in the Cohen drama concerns his banking transactions, particularly through a bank account belonging to Essential Consultants LLC (EC LLC), the Delaware limited liability company that Cohen reportedly established for the purpose of remitting a “hush payment” to adult film star Stormy Daniels. (Oddly, rather than form EC LLC with the help (and signature) of a registered agent or other third party, Mr. Cohen himself signed Essential Consultant’s Certificate of Formation.)
As has been well-documented by the news media, activity on Cohen’s EC LLC bank account resulted in the filing of Suspicious Activity Reports (SARs) by banks. Not surprisingly, the public disclosure of the SARs raised important legal questions. For example, in this April 13, 2018 article, I explained that federal law prohibits the public disclosure of SARs and predicted that the disclosure “may trigger (it if has not already) law enforcement and/or regulator inquiries as to how the report’s existence came to be in the public domain.”
On May 8, 2018, Ms. Daniels’ lawyer released an “Executive Summary” purporting to list details of transactions on the EC LLC bank account, including the receipt of payments from major companies like Novartis and AT&T and from Columbus Nova, an entity owned by Viktor Vekselberg, a “Russian Oligarch” who was sanctioned by the United States on April 6, 2018.
The Executive Summary led to further questions as to how EC LLC’s bank records had become public. The New Yorker provided some answers in a May 16, 2018 article, reporting that a “law enforcement official” with access to a Financial Crimes Enforcement Network (FinCEN)-maintained database of SARs and other financial transaction filings had disclosed Cohen’s EC LLC account information that had been documented in SARs. (For more information about FinCEN’s database and SARs more generally, see this MassPoint infographic and related Business Update).
The New Yorker article was a news blockbuster. The article, and the Michael Cohen drama more generally, offers these (and other) important compliance and risk management lessons for companies: read the news to avoid becoming the news for the wrong reasons.
It is well-known, or should be, that law enforcement—including regulators and prosecutors—read and react to news reports, including by launching investigations and other actions. Business partners and associates, like banks and other companies, also read the news and act on it, as First Republic Bank and other banks did in the case of Michael Cohen and EC LLC.
According to the New Yorker,
Other banks also noticed Cohen’s suspicious transactions and filed their own SARs about his activity. Some of those show the banks piecing together the reasons for the transactions from news reports, citing articles from publications including the Wall Street Journal and Vanity Fair about Trump, Russia, and secret election-season payments, including the payment to Clifford.
This passage of the New Yorker article is instructive—it shows, in practical detail, the extent to which the news can influence perceptions of and actions toward companies, other entities and individuals. The investigation by the Treasury Department’s Office of Inspector General into the public disclosure of the EC LLC SARs illustrates the obvious but often overlooked fact that the news is a source of actionable information for regulators and other law enforcement authorities.
Most companies will not find themselves entangled in headline news of national importance, but enough of them are likely to get caught flat-footed by news about them or their business partners and peers (such as in the same industry, where news of one company’s bad behavior can lead law enforcement authorities to scrutinize peer companies in industry sweeps).
It is not reasonable to expect that companies—particularly the large firms like AT&T—will at all times have the ability to follow and act upon relevant and potentially adverse news developments. Nor would it be a good use of financial, human and other resources to attempt to do so. But there are measured, risk-based steps that companies and others can and should take to proactively and cost-effectively manage the direct and indirect risks of publicity, including the following.
- Set Risk-Based Priorities. Not all of a company’s business activities and relationships are equally important or present the same risks. A risk-based approach to gathering, monitoring and acting on news-based information is appropriate. For example, commercially, legally or politically sensitive business lines or relationships should get the most attention.
- Get the Right People Involved. Some employees or departments of a company—such as sales or government relations, given the nature of their functions, are likely to have the most relevant and current business and industry news. But these employees and departments are not likely to be in a position to spot and act on legal, compliance and reputational risks generated or made evident by news reports. Integrating the right people in the process of spotting actionable information is necessary to transform information to intelligence. The “right people” will often be (or include) legal and compliance personnel, both employees and external legal and compliance services providers.
- Establish Protocol for Disseminating and Responding to News. Assuming that risk-based intelligence priorities have been set and that the right internal and external functions are involved (points 1 and 2 above), a protocol for ensuring (or making it more likely) that relevant and potentially actionable information is put before the right people is essential. A protocol need not necessarily be exact or hyper-formal, particularly in the early phases. To start, an internal memorandum, email or short video informing employees of the company’s risk-based priorities, why those priorities have been set, and why it is important to share information with the right people may be sufficient to create awareness.
- Assess Direct and Follow-on Effects of News Developments. After information has been shared internally, an assessment involving business, legal and compliance personnel working together should be undertaken. Each of these functions is positioned to bring important expertise and information to the process and, together, paint a complete (or reasonably informative) picture to assess potential impact, relative risks, and next steps from key vantage points. It is important to keep in mind at this point that there may be potential follow-on effects of adverse news. For example, if a newspaper reports that a peer company (same industry, for example) is under investigation for its dealings with a vendor with which your company does business, a follow-on effect might be that your company might be contacted by regulators/law enforcement for information, or your company might itself come under investigation or other scrutiny.
- Understand Who Reads the News and Why it Matters to Them. Readers of the news are diverse and have different interests. As the Cohen matter shows, at least two constituencies—banks and the Treasury Department—had an interest in and acted on news reports concerning Cohen and EC LLC. Companies should understand that their business partners and peers are increasingly risk-averse and do not wish to be tarnished by or ensnared in the legal or other travails of other companies, even when valuable commercial interests are at stake. Of course, regulators and law enforcement have an interest in inquiring into news that falls within their jurisdiction, and, if nothing else, will not want to be seen as lax when compelling and potentially actionable information enters the public domain. Companies doing business internationally should be aware that foreign regulators—particularly those stepping up regulation and enforcement, or that cooperate with their overseas counterparts—are more likely these days to initiate follow-on initiatives when actions in other jurisdictions implicate companies or conduct within their purview.
- Be Measured in Acting on Intelligence. Effective compliance and risk management can be of great value to companies and other entities. But effective programs must also be smart and measured. Among other things, this means that companies must create conditions to avoid frequent false alarms. Companies should also understand that news and information awareness, unlike ignorance, is not always bliss. For example, when a company identifies potentially adverse news and deems it actionable, it must then determine what action should be taken internally and/or vis-à-vis outside parties, including whether any voluntary reports to regulators or other law enforcement should be made. Such decisions are not easy and require careful assessments of the relative costs and benefits of a certain course of action (or inaction). Understanding the broader responsibility that comes with managing news and information-based risk should inform a company’s overall efforts and specific actions. Here again, having the right people at the table—e.g., business, legal, compliance—is essential.
To learn more about the thinking behind this piece and how your business can integrate news and information awareness into your compliance, legal and risk management functions, contact Hdeel Abdelhady at firstname.lastname@example.org.