Corruption Crime & Compliance

Boeing continues to struggle with its core business activities. As troubles mount for Boeing, it is clear that it continues to suffer from real and pervasive culture issues that have been reflected in serious safety failures, financial difficulties, regulatory violations, and serious reputational damage. Boeing's troubles permeate every part of its organization -- from the board to senior executives to its operations and overall ethics and compliance commitment. As a result, Boeing stands at an important crossroads -- will it make a real commitment to change, reform, and ethics and compliance, or will it continue to limp along, suffering repeated incidents of harm?

In its latest (mis)adventure, Boeing fell victim to a State Department fine for $51 million for violations of a number of export controls, including basic licensing requirements for exports to China and Russia. Boeing voluntarily disclosed the violations to the Directorate of Defense Trade Controls ("DDTC") in the State Department.

The violations of the International Traffic in Arms Regulations ("ITAR") included illegal exports to foreign employees and contractors who work in more than 15 countries, a trade compliance specialist fabricating an export license to illegally ship defense items abroad, and violations of the terms and conditions of other export licenses, among other things.

The DDTC's $51 million penalty is the largest administrative penalty imposed for ITAR violations since it imposed a $79 million penalty against BAE Systems in 2011. Under the terms of the settlement, Boeing must pay $27 million to the DDTC within two years and use the remaining $24 million to improve its compliance program and procedures. In addition, Boeing is required to hire a DDTC-approved special compliance officer to oversee its compliance with ITAR for the next three years. That officer will regularly report to the DDTC on Boeing’s progress.

• Boeing faced a $51 million settlement for ITAR violations, including unauthorized exports and re-transfers to foreign employees and contractors, notably in China.
• Violations involved illegal downloads of ITAR-controlled technical data from Boeing's digital repository, which affected Pentagon platforms like the F-18, F-15, and F-22 aircraft and the AH-64 Apache helicopter.
• Boeing voluntarily disclosed violations to the Directorate of Defense Trade Controls (DDTC) and the State Department, leading to the $51 million penalty, the largest for ITAR violations since 2011.
• The settlement requires Boeing to pay the DDTC $27 million, improve its compliance program with the remaining $24 million, and hire a DDTC-approved special compliance officer for three years.
• Boeing must introduce a new automated export compliance system, update the State Department on its progress every six months, and undergo two export control audits by State Department-approved consultants.
• Despite the violations occurring mostly before 2020, Boeing made significant improvements to its trade compliance program, investigated issues, cooperated with authorities, and expressed regret.
• The case highlights the State Department and DDTC's aggressive enforcement of administrative controls over military items, signaling a broader crackdown on export control and sanctions violations.

Resources:

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

ESG is a new and important part of the corporate governance landscape.  Prosecutors and regulatory agencies are quickly adding ESG to their lexicon. The real question for every organization is “what are you doing to address it?”  ESG is a terrific opportunity to leverage an organization’s corporate culture to address a broad set of values beyond ESG principles.

In this Episode, Michael Volkov discusses the ESG movement and the implications for corporations.

In this episode of Corruption, Crime and Compliance, Michael Volkov delves into the SEC’s groundbreaking adoption of robust cybersecurity disclosure rules. This pivotal change marks a significant shift in the compliance landscape, requiring public companies to not only disclose cybersecurity incidents but also unveil their governance policies and practices.

You’ll hear him discuss:

• The SEC's adoption of new cybersecurity disclosure rules, a process spanning over a year, comes as a transformative step in the regulatory landscape.
• One of the most noteworthy changes is the requirement for companies to file Form 8-K to disclose material cybersecurity incidents within four business days of determining materiality.
• This significant change allows for a more measured assessment of materiality before disclosure, a departure from the previous trigger of four days from becoming aware of the incident.
• Alongside incident disclosure, the new rules mandate that all public companies include comprehensive cybersecurity risk management and governance disclosures in their annual Form 10-K filings. This move underscores the necessity for companies to integrate cybersecurity into their broader enterprise risk management processes.
• Companies are required to disclose the board committees or subcommittees responsible for cybersecurity oversight, outlining their processes for monitoring cybersecurity risks and reporting incidents.
• The reach of these rules extends to third-party information systems, including those of vendors and suppliers. This amplifies the importance of thorough due diligence in assessing the information security systems and risks of external partners.

KEY QUOTES:

“You can't just sit on an incident and not make a determination, analyze it, and delay, delay as a way to avoid that materiality determination.” - Michael Volkov

“The SEC expects companies to analyze qualitative factors when assessing materiality, including harm to reputation, customer and vendor supply relationships, and the impact of regulatory actions and civil litigation.” - Michael Vokov

“Additionally, companies have to go even more comprehensive in their disclosures to ...describe management procedures and practices for assessing and mitigating cybersecurity risks.” - Michael Volkov

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

This week, we bring you a replay of one of our most impactful podcasts from last year, featuring Alex Cotoia and Daniela Melendez. Listen in as we discuss the EU Whistleblower Directive of October 2019. We'll return next week with one of our regular updates.

Directive 2019/1937 of the European Parliament and Council dated 23 October 2019 on the “protection of persons who report breaches of Union law” (the “Directive”) is currently being implemented by EU Member States. The directive has broad applicability to organizations operating in the EU internal market and applies to both public and private sector organizations alike. Whistleblowers are guaranteed legal protection to the extent: (1) they have reasonable grounds to believe that the information reported was true at the time of the report; and (2) the whistleblower reported either internally to the organization, externally to a competent authority, or publicly. Private sector organizations with 50 or more workers are legally required to establish channels and procedures for internal reporting of EU law breaches and conduct appropriate follow-up.

In this episode, Mike Volkov is joined by Daniela Melendez and Alex Cotoia from the Volkov Law Group, who bring their expertise to the table as they delve into the EU Directive and its implementation by several member states. Listen to this discussion to understand and navigate the complexities of the EU Whistleblowing Directive.

• The EU Whistleblower Directive shifts the burden of proof on retaliatory actions to the person taking the detrimental action, requiring them to demonstrate it was not linked to reporting concerns.
• Global companies are taking a proactive stance by increasingly focusing on robust ethics and compliance programs. This strategic move is aimed at mitigating risks and promoting positive corporate citizenship in today's economy, where adherence to legal and ethical standards is paramount.
• France signed the EU Directive into law on March 21, 2022, outlining protocols for gathering and handling whistleblower reports, including a two-month deadline for imposing disciplinary sanctions.
• Germany enacted the EU Directive on May 12, 2023, allowing anonymous reports and setting a three-month investigation deadline after receiving the report.
• Spain addressed the EU Directive on February 2023 by covering additional topics like occupational health and safety breaches. The directive established a three-month deadline for investigations and allowed anonymous reports.
• Italy transposed the EU Directive on August 4, 2022, including administrative, financial, civil, and criminal offenses not covered by the Directive, with a 30-day deadline to conduct investigations upon receipt of reports.
• Companies are advised to make resources available to conduct investigations quickly due to the short timeframes set by various countries' whistleblower protection laws.

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Alex Cotoia on LinkedIn

Email: [email protected]

Daniela Melendez on LinkedIn

Email: [email protected]

Each year, Michael Volkov reviews current trends concerning the state of the chief Compliance Officer.  As we witness the continuing growth in stature of the CCO, it is important to exercise caution and realistically evaluate future trends and concerns.