Trust but Verify: How Security Loopholes Can Undermine Online Compliance Training

Increasingly, companies are using online platforms to build their records of compliance and governance. At the same time, they are leveraging online training as a means of educating their employees about those platforms. However, while such training has proven to be effective and cost efficient, it also presents its own set of complex challenges. “In particular, a vigilant institutional effort is now needed … to audit whether online processes can be ‘gamed’ to falsify the records of course completion and test results,” argues David Lawrence, founder and chief collaborative officer of RANE (Risk Assistance Network & Exchange), in this opinion piece. Otherwise, corporations are leaving themselves open to potential legal, financial and reputational risks, Lawrence and his coauthors write.

Compliance training and supervision has always been the first line of enterprise- defense against legal, operational and reputational risk. Now, it is increasingly the final line of defense that determines how enforcement officials view an institution and, in turn, exercise their considerable discretion in assigning liability for regulatory violations.

Corporations face an evidentiary burden built upon the foundations of the late Senator Howard Baker’s Watergate inquiries. Institutions must not only be able to respond to the question, “What did you know, and when did you know it?”– they also must have a credible answer for: “What did you do to prevent this?”

Recent events have placed the world’s most-respected corporations in the regulatory crosshairs. As a matter of specific and general deterrence, enforcement officials are focused on demonstrating that no enterprise is “too big to jail.” These cases have challenged enterprises to defend their standards of governance and compliance on wide-ranging issues, includingbribery, economic sanctions, money laundering, fraud, terrorism financing, price fixing, insider trading, product safety, tax and information privacy.

“As a matter of specific and general deterrence, enforcement officials are focused on demonstrating that no enterprise is ‘too big to jail.’”

Certain truisms of today’s regulatory environment help explain the prophylactic and defensive importance of compliance training,and why it is preferable for companies to take their own biopsies rather than endure the autopsies of prosecutors:

Enforcement officials are responsible for a wide range of issues that matter — to global safety, security and market competitiveness. They cannot be everywhere or know everything. Out of necessity — not choice — they need assistance. Within this high stakes enforcement environment, companies have been “deputized” to “own” the prevention, detection, mitigation and early reporting of misconduct.
In today’s globalized and competitive economy, corporate violations are not a matter of “if” — just “who,” “when” and “how bad.” Corporations are made up of people, and people don’t always behave. Inevitably, people have lapses in judgment and choose, for various reasons, to break the law. The policy rationale for training is to reduce the likelihood of human omissions and commissions, and mitigate the damages when they do occur.
Companies can ill afford the Damoclean sword of protracted governmental litigation, no less the uncertainty of a trial’s outcome. Once violations are alleged, the question of whether a corporation will settle is no longer a matter of “if” but rather “when and how much.”
When a regulatory issue arises, a parallel process of “death through a thousand nicks” begins. The spectrum of consequences above and beyond direct regulatory liability reinforces a cost-benefit mindset for executives to do whatever it takes to “put matters behind us.” These pressure-points include material legal defense and investigative expenses, reduced market capitalizations, increased borrowing costs, class action litigation, adverse media coverage, political hearings, lost corporate opportunities, reputational damage, distractions to key personnel, and employee and client defections.
Officials understand that companies are not positioned over the long-term to contest governmental actions. This circumstance, in turn, often dictates the terms, conditions and pace of settlement outcomes.
Officials have limited resources and much work to do. Accordingly, they are motivated to do the right thing and also to find negotiated outcomes. They need to leverage their resources by bringing enforcement actions that send broader messages. Their paradigm for regulatory optimality guarantees a timely and certain result, remedies specific incidents, messages general deterrence, preserves enforcement resources and maintains public confidence.
The “new-new” standard of enterprise risk management is that corporate intent and governance should not be in question. If individuals do bad things, they — not the company — should be the focus of officials. Ideally, enforcement results should not come at the cost of innocent employees, investors, creditors and customers — no less at the cost of a company’s competitiveness and future opportunities for innovation and employment.

To these ends, the Department of Justice’s Principles of Federal Prosecution of Corporate Organizations and the United States Sentencing Guidelines clearly communicate the role of effective compliance training programs. Recent U.S. and international enforcement cases, as well as official pronouncements, provide proof of its pragmatic value.

No Good Deed…

Applying both a “carrot and stick” approach to encourage strong corporate governance practices, government officials have time and again cited an enterprise’s internal controls and “culture of compliance” — or lack thereof — as a prevailing rationale for their decisions about whether, what and whom to charge, fine and bar. Moreover, the effectiveness of training and supervision programs also is a significant factor in the government’s decision about the need for remedial measures, such as the costly imposition of an independent monitor.

Increasingly, companies are building their records of compliance and governance through online platforms that communicate with their employees. In particular, companies now scale a significant portion of their training efforts through a range of e-learning courses. In the near future, training through “MOOCs” (massive open online courses) and mobile access holds great promise to scale compliance efforts with even greater efficiencies.

Online learning platforms are an essential cornerstone in many companies’ efforts to ensure that their personnel remain sensitive to the “rules of the road” and understand what to do when violations are suspected. These programs help train all personnel, as well as serve as an important indicator of where gaps in the understanding of compliance rules must be reinforced within an institution.

While online training has proven to be effective and cost-efficient, it also presents its own set of novel and complex challenges. Throughout the digital world, one door closes and another opens. Or to put it another way, it is easy for no good deed to go unpunished.

“Online learning platforms are an essential cornerstone in many companies’ efforts to ensure that their personnel remain sensitive to the ‘rules of the road’ and understand what to do when violations are suspected.”

In particular, a vigilant institutional effort is now needed, in its own right, to audit whether online processes can be “gamed” to falsify the records of course completion and test results. To borrow a phrase from former President Reagan, “trust but verify” is the standard for adjudging the effectiveness of a company’s internal controls.

Recently, Andrew Ceresney, director of enforcement for the Securities and Exchange Commission, warned, “I need to be clear that we have brought — and will continue to bring — actions against legal and compliance officers when appropriate.” He noted that the SEC would target corporate officers who have misled regulators and had “clear responsibility to implement compliance programs or policies and wholly failed to carry out that responsibility.”

An inadvertent security loophole now exposes a number of institutions throughout the private and public sectors to potential legal, financial and reputational risks. In good faith, many enterprises rely upon a platform known as the Learning Management System (LMS) as the point of record for computing and reporting training results. Together with the SCORM (Sharable Content Object Reference Model) protocol, LMS governs how online learning content is managed and communicated. Indeed, this is now the de facto industry standard for e-learning interoperability, greatly reducing the costs of content integration.

Online compliance courses are loaded onto the LMS platform, and then administered to staff. The problem, as some are just discovering, is that the software protocol used for communication between the “course” and the LMS is, in fact, highly insecure and can easily be compromised. In sum, its technical architecture leaves multiple opportunities for bypassing key security measures.

Here’s how. A simple “bookmark” exists to allow anyone to appear to have completed a course with 100% comprehension (or any score of their choosing). This bookmark — which can easily be emailed around — allows a user simply to begin a course, click the bookmark, close the course and yet still report full attendance and a score as high as 100%. This circumvention can be completed within seconds — without any traceable means that the course and test were never taken, no less a perfect score never achieved. As a result, additional technology must now be applied to override these flaws. Similar questions must eventually be addressed about the ability of external “hackers” to alter online training records on a wholesale basis and launch denial of service attacks.

Past Predicts Future

The larger question, of course, is to assess where we are, why and what broadly needs to be done. In response to regulatory requirements and to maintain corporate governance standards, firms have prioritized the roll-out of compliance training programs. Many companies have significantly increased their investment in improved compliance and ethics training. Understandably, institutional priorities have been on content-creation and the successful enrollment of all personnel, and less on the security of the platform.

“The challenge … is not simply how to fix a single security flaw, but howto be proactive in safeguarding the overall integrity and trust in our evolving methods of training and governance.”

While it is impossible to tell just how widely spread this “hack” is, given that all one needs is a bookmark and a web browser, it is not unreasonable to assume that many are already well aware of this method and are possibly choosing to take advantage of it. Unlike the disclaimer for mutual funds, when it comes to the behavior of individuals, past performance is, in fact, predictive of future returns. Even before the digital-age, universities, government agencies and the private sector have contended with a myriad of scandals involving leaked test questions and individuals being paid to take examinations for others.

Of course, the issue presented is not simply one of regulatory compliance for compliance sake. Misplaced reliance upon the integrity of institutional training can potentially jeopardize standards of public health, safety, welfare and finance, as well as cause unanticipated liabilities for negligence or misconduct.

History has shown that it takes just a few cases of poor judgment or illegal behavior to do damage to an entire enterprise and its reputation. This is equally true within all sectors. Most recently, numerous industries have been implicated in a variety of schemes involving bribery, illicit finance, illegal trading and price fixing. The government, in turn, has contended with its own cases of corruption, theft of confidential information, missed background checks, cheating on military exams and falsified agency records.

Compliance training is intended as a win-win-win proposition to benefit all stakeholders — institutions, regulators, markets and the broad public. The challenge going forward is not simply how to fix a single security flaw, but howto be proactive in safeguarding the overall integrity and trust in our evolving methods of training and governance.

At the very least, we now possess a lesson about a larger and long-term issue that must be collaboratively addressed.

David Lawrence is the founder and chief collaborative officer of RANE (Risk Assistance Network & Exchange). For 20 years, he was associate general counsel and managing director at Goldman Sachs, where he served as the global head of the business intelligence group. Previously, he served for 10 years at the U.S. Attorney’s Office, Southern District of New York, where he was the deputy chief of the criminal division and chief of the public corruption and general crimes units; Jan Sramek is the CEO & co-founder of Better, an enterprise software company focused on e-learning technologies. Previously, he was a proprietary trader at Goldman Sachs; John Squires is a senior partner at the law firm Perkins Coie, where he specializes in intellectual property and technology law. Previously he was the general counsel for intellectual property at Goldman Sachs; Matthew Lawrence is a graduate of Brown University and is currently a legal researcher at Perkins Coie; Curtis Hougland is the CEO of Attention, a social media communications and marketing firm; Stephen Labaton is a former journalist for the New York Times and is currently the president of the corporate communications firm RLM Finsbury.

More From Knowledge at Wharton

How Social Insurance Drives Credit Card Debt

How Financial Literacy Helps Underserved Students | David Musto

Cass Sunstein on Nudging, Sludge, and the Power of ‘Dishabituation’

Looking for more insights?