In an era of stringent regulations and increasing legal risks, it has become essential for organizations to implement internal enforcement programs. However, in order for such programs to provide legal protection, they must be effective, customized and well-documented.
What is a compliance survey and why is it essential?
A compliance survey is the beating heart of an internal enforcement program. It is an accurate tool for mapping risks, identifying regulatory gaps and assessing existing internal controls. A compliance survey reveals how processes are being performed in an organization from legal, ethical and operational perspectives and enables the organization to precisely customize its enforcement program to its unique risks.
In Israel, the organizations that are obligated to conduct compliance surveys and implement internal enforcement programs include, inter alia, reporting corporations pursuant to the Israel Securities Authority, financial corporations, including institutional entities, banks and insurance companies, public corporations, organizations holding personal data and other supervised entities depending upon the applicable regulations. In addition, the obligation may also apply to Israeli organizations operating in cooperation with companies in Europe and in the United States and to Israeli organizations engaging in international activities requiring compliance with foreign regulations.
Regulatory significance: new global standard
Regulatory authorities in Israel and abroad have made the examination of the effectiveness of internal enforcement programs a key criterion during their assessments of organizations’ conduct. The message is clear: it is not enough to have an internal enforcement program on paper or in procedures on the shelf. Organizations will only be legally protected if their programs and procedures are implemented and enforced in practice during their routine operations.
The regulatory standard in Israel – periodic compliance surveys
Central regulatory authorities in Israel, including the Israel Securities Authority, the State Attorney-General’s Office, the Banking Supervision Department and the Privacy Protection Authority, have published clear directives and set binding standards for organizations to prepare effective internal enforcement programs.
Thus, the Israel Securities Authority set a binding standard whereby periodic compliance surveys must be conducted at least once every four years, while ensuring that the surveys are carried out to high professional standards and that corrective actions are taken according to the findings.
The Banking Supervision Department requires ongoing assessments of the effectiveness of the internal controls and the culture of compliance, and the conducting of periodic compliance surveys. The department’s audits thoroughly examine the quality and frequency of the compliance surveys and the methodology applied.
The Privacy Protection Authority emphasizes the importance of compliance surveys as a key mechanism for the early detection of privacy risks. Compliance surveys have become essential considering the authority’s power to impose heavy pecuniary sanctions (after Amendment 13 to the Privacy Protection Law expanded its powers).
The State Attorney-General’s Office stated in Directive 1.14 that the existence of an effective internal enforcement program in an organization may serve as a significant mitigating factor when deciding whether to open criminal proceedings against a corporation. Meticulous documentation of compliance surveys and subsequent corrective actions serves as material evidence of effective implementation.
International standards
Central regulatory bodies in the international arena, including the European Data Protection Commission, the European NIS2 Directive and the U.S. Department of Justice, also obligate organizations to conduct periodic risk assessments and compliance surveys as part of their routine operations.
Thus, the European Data Protection Commission’s directives emphasize the importance of periodic risk assessments. Methodical compliance surveys are considered key evidence of an organization’s compliance with the principle of accountability and directly affect the level of fines in the event of a violation, which can reach up to 4% of the offender’s global turnover (or up to EUR 20 million).
The European NIS2 Directive, which focuses on cybersecurity, imposes an explicit obligation on organizations to conduct risk assessments and compliance surveys as part of the risk management requirements at the board level, and imposes direct responsibility on senior executives for implementing effective compliance mechanisms.
The U.S. Department of Justice obligates organizations to implement bona fide internal enforcement programs that are reflected in the entire organizational culture. The DOJ examines the quality of compliance surveys and their impact on organizations’ actual conduct, and takes a harsh stance towards organizations whose internal enforcement programs lack high-quality compliance surveys – i.e. programs that exist merely on paper.
Five structured stages of an effective compliance survey
- Mapping of applicable regulations: to thoroughly review the laws, regulations, guidelines and directives that apply to the organization.
- Mapping of business processes: to identify interfaces between business processes and regulatory requirements.
- Analyzing existing internal controls: to ascertain the effectiveness of the mechanisms being used to prevent violations, including policies, procedures, training and monitoring measures.
- Analyzing actual compliance: to identify disparities between the requirements and actual compliance, taking into account the severity, reasonableness and potential damage of each instance of noncompliance.
- Formulating an action plan: operational recommendations for rectifying any instances of noncompliance, including clear priorities, timeframes and success indicators.
In conclusion: compliance surveys provide essential protection for organizations and their officers in this era of strict enforcement
Organizations today are exposed to a multitude of risks, with some risks not under their direct control: cyberattacks, inappropriate or criminal behavior by employees (sexual, financial, antitrust), technological malfunctions, etc. Compliance surveys enable organizations to maintain control and, if necessary, prove to regulatory authorities that they implemented effective internal enforcement programs.
In Israeli and international law, organizations that present documented and evolving internal enforcement programs are viewed favorably by regulatory authorities. Regulatory authorities tend to trust organizations that present periodic compliance surveys and their subsequent corrective actions.
More importantly, implementing an orderly internal enforcement program based on comprehensive periodic compliance surveys provides substantive protection to officers and directors. Officers and directors who can prove that they approved and allocated resources to an effective internal enforcement program significantly mitigate the risk of being held personally liable in the event of violations. Such protection is essential in an era when enforcement measures against officers are becoming more stringent from year to year.
***
Adv. Eran Elharar is a partner in our firm’s regulation department.