02 September 2022
In a world facing ever-intensifying regulatory and stakeholder scrutiny, increasing globalisation but also local divergence, it has never been more important – or challenging – for multinational organisations to be able to navigate global compliance issues. How do organisations develop a robust approach to compliance and seek not only to overcome the challenges faced in today’s global market, but also to thrive from them? Drawing on insights across our international team, we explore some of the many compliance challenges posed across the world and what they might mean for organisations.
This chapter serves as a ‘survival guide’ for in-house legal and compliance teams by providing guidance and tools at every stage of the compliance process including – under ‘Preparing for global compliance risks’, below – a checklist tool for managing crises and internal investigations.
International business expansion has brought countless challenges, few of which are as alarming as the growing exposure to bribery, corruption, money laundering, sanctions allegations and enforcements. As companies move into new and emerging markets, risks of fraud and corruption follow right behind. In response, US and European governments have devised their own legal regimes for counteracting threats to business abroad, as have several governments in other regions. For example, many countries within the Arabian Gulf, Africa, Asia and South America prohibit the bribery of foreign public officials as well as domestic bribery, although with varying levels of enforcement. At the same time, legislators and regulators are imposing ever stricter compliance requirements on companies around the world, from dealing with whistleblowers to preventing human rights violations in supply chains. This has created a labyrinth of legal risks for organisations to navigate. Here, we highlight some of the key ones to be thinking about.
Behavioural misconduct risks (such as bribery and corruption) depend on the countries you are working in and the nature or sector of your business.
For example, the Asia-Pacific region is a highly dynamic market, comprising a broad spectrum of economic, political and cultural systems. Well-developed and more developing economies reside in close proximity to each other, as do some of the most open and protected markets in the world. Within Transparency International’s Corruption Perceptions Index 2021, there is a diverse range of rankings from New Zealand, Finland and Denmark (each with a score of 88) to North Korea (score of 16) and South Sudan (11). Each country needs to be considered individually when assessing bribery and corruption risks. Some common themes characterise bribery and corruption risks in the Asia-Pacific region:
In terms of sector-based risks, considering the financial services sector for example, asset management firms have been the focus of scrutiny by the US Securities and Exchange Commission (SEC) and US Department of Justice (DOJ) for several years. US regulators view sovereign wealth funds as instrumentalities of their respective governments and, accordingly, consider sovereign wealth fund employees to be foreign government officials for the purposes of anti-bribery and corruption enforcement. Consequently, asset management firms need to be particularly careful about assessing the full range of counterparties, clients and other business relationships that may fall within the broad definitions of ‘government officials’ or ‘affiliates’. Similarly, private equity firms and hedge funds that invest in international markets and corporations can find themselves in a dangerous or costly position if anti-bribery violations occur at the portfolio level. This emphasises the need for risk-based anticorruption due diligence procedures to assess bribery and corruption risks and to develop a plan to monitor and mitigate those risks.
Various sanctions regimes (and companies’ efforts to comply with them) had already garnered a huge number of compliance resources even before the start of the war in Ukraine in February 2022, with key focuses being on the economic sanctions and other restrictive measures imposed by the European Union and the UK and US governments. The sanctions imposed on Russia in response to the war have brought the importance of compliance with sanctions, export controls and other restrictive measures into sharp focus. It has highlighted how quickly the landscape can change and, therefore, how quickly organisations must be able to adapt. Sanctions and export control compliance is expected to be a key priority for relevant enforcement agencies in the years ahead, including those agencies that impose, administer and enforce sanctions, such as the US Treasury Department’s Office of Foreign Assets Control and the US Commerce Department’s Bureau of Industry and Security in the United States, the Office of Financial Sanctions Implementation in the United Kingdom, the customs office and state prosecutors in Germany and equivalent agencies across EU Member States. Additionally, some industry regulators (e.g., financial services regulators) are expected to focus on ensuring that companies have implemented tailored and effective risk-based sanctions compliance controls.
For major companies, environmental, social and governance (ESG) issues are not a new phenomenon, but the spotlight has intensified. There is now a raft of ESG-related regulations and legal risk issues that did not exist 10 years ago. That will only escalate, leading to greater investigations and enforcement risk, alongside the potential for litigation and reputational damage.
ESG issues do not exist in a vacuum. They are interrelated with, and in some cases are a rebranding of, many other risks, including market abuse and fraud risk relating to company disclosures, public statements and regulatory filings; sanctions and export control risks; and money laundering. All of these can result in criminal liability. A robust approach to compliance and governance issues is therefore essential to protect against a range of ESG and related risks.
Global compliance teams should be alive to the risks arising from increased scrutiny of company disclosures and public statements on ESG. There is a strong focus on what companies are saying about their ESG efforts and the impact of the ESG agenda on their business and outlook. As with all company disclosures, public statements about ESG issues need to be carefully calibrated and reflect reality to avoid any allegations of ‘greenwashing’, fraud or breach of market regulations. Assurance and verification are therefore key.
It will also be important for compliance teams to keep up to date with the fast-evolving law in this area. In the past five years, many new laws have been enacted in respect of transparency and due diligence within supply chains. More laws are on the horizon that will create further due diligence and related obligations on companies aimed at identifying, preventing and mitigating actual and potential adverse effects on human rights, including labour rights, and the environment. In this context, the European Commission’s proposal on sustainable corporate governance includes a proposed Directive that would create obligations on large companies (and smaller companies in particularly sensitive sectors) to carry out due diligence in their global supply chains with the above-mentioned aims.
Compliance teams will have to consider whether they need to adapt their existing processes to meet the differing requirements of the various laws to which they may be subject. This may include updating their risk assessment processes and codes of conduct and policies, reviewing supplier due diligence and management processes, considering whether further contractual assurances from business partners are required, establishing or amending complaint mechanisms, and ensuring monitoring procedures sufficiently take into account ESG issues.
The focus on ESG brings the need for robust compliance and governance into sharp focus. On the one hand, this creates even greater pressure on compliance measures but it also creates an opportunity for compliance teams when looking to justify investment or seeking board buy-in for certain activities.
In the wake of high-profile cyberattacks during the past few years, and particularly in the midst of the global pandemic when many organisations were operating more remotely than ever, organisations have had to focus their attention increasingly on cybersecurity, and the relevant policies and procedures to prevent and minimise the damage caused by cyberattacks. Attackers are becoming ever more professional and phenomena such as hackers for hire or state-sponsored hackers are blurring the lines between organised crime and cyberwarfare. Cyberattacks can come in many forms. One of the most well known is ransomware, a type of hack in which the perpetrator encrypts a company’s data or otherwise disrupts a company’s systems and will only release the data or cease the interruption if paid a ransom. Often, failure to pay can result in the destruction or leak of the data. Ransomware attacks create many difficult issues, including potential criminal risk if compliance with the ransom is itself a crime. For example, payment of monies to a hacker may risk breaching anti-money laundering or economic sanctions laws.
Fraud risks can manifest for global companies in many ways, including a company being targeted by fraudsters or somehow being used by rogue actors internally or externally to perpetrate or facilitate fraud. The risks here can evolve quickly. For example, as countries across the world implemented lockdowns and restrictions during the covid-19 pandemic, reliance on online activity increased, not only for business continuation but also to enable people to buy essential goods online, leading to a spike in online scams and frauds.
Compliance should always be at the heart of transactional considerations, given the growing risks of transactions involving compliance issues. In an increasing number of jurisdictions, an acquiror can be exposed to successor liability if a company in which it acquires a significant stake has engaged in improper activities and adequate due diligence or remedial measures were not undertaken by the acquiror. If transactional teams are not properly attuned to these compliance issues, sellers can become subject to warranty claims (to the extent that these are available) and buyers will not receive the company they thought they were receiving (or get what they paid for), or, even worse, may themselves become subject to regulatory action. The compliance issues and risk inherent in transactions should be a clear message that traditionally back-office functions should be front of mind for transaction teams.
Here, we discuss the essentials of an effective compliance framework to help companies prepare for and survive global compliance risks. These are key areas to commit appropriate resources to mitigate business risks.
At a basic level, companies should have robust internal systems, policies, procedures and functions to ensure that a culture of compliance is entrenched in the company structure. At a minimum, companies should adopt a clear code of conduct tailored to the company’s risk profile that is easy to understand and provides examples relevant to the organisation. A company’s code of conduct should be published and openly circulated. The company should require all members of the organisation – including intermediaries, third parties and others acting on its behalf – regardless of seniority, to adhere to the code, rules and regulations for both inside and outside the workplace. New joiners should be required to read and understand the code of conduct. A robust internal audit function that reports to an independent risk and audit committee, or similar, has a key role in checking adherence to the relevant policies and rules. Internal audit functions also need to be properly staffed and resourced by experienced professionals. Audits and risk assessments should be carried out frequently to keep diligence and investigation functions on their toes.
Although these elements of a compliance framework apply to all companies, additional attention is required for the risks specific to a given company’s business. For example, oil and gas, and logistics and distribution companies should ensure that appropriate attention is afforded to anti-bribery and anti-corruption policies, and that diligence of counterparties is appropriately thorough. Pharmaceutical companies would need a similar approach to government tender issues and transparency through procurement, while care must be given in particular by financial institutions to the highly developed anti-money laundering and counter-terrorist financing landscape.
Although difficult to define, all members of an organisation understand its culture as ‘the way we do things around here’. Ensuring that a proper compliance framework is in place is key to a company’s compliance robustness, but the effectiveness of governance still depends on the culture and ethos of the organisation. As one legendary management consultant put it: ‘Culture eats strategy for breakfast.’ A culture of integrity and openness will allow employees to raise and deal with compliance issues far better than an institution with well-written procedures but whose policies are not followed in practice. Fostering culture starts with the board and top management expressing and reinforcing the culture of the company. Culture is further reinforced through regular training.
In any organisation, keeping compliance front of mind and on the agenda for any board and middle management is key. Board and middle management engagement is an essential way of ensuring that any change required in anticipation of (or in the wake of) an emergency can be implemented across the company as thoroughly as possible. Furthermore, training members of the board and middle management on compliance issues is important to ensure that they become models of compliance for the rest of the company. The example set by members of the board or middle management will be key in establishing a rigorous internal compliance framework to ‘walk the talk’ when it comes to internal group policies. It is also important to ensure that attitudes to compliance by board members and senior staff are proactive. Many boards already embrace compliance as a key function to ensure that the organisation and its people are protected. But compliance functions inevitably have to compete with many other issues for a board’s attention – making sure there is a standing or regular item on board agendas to address compliance issues can help keep it front of mind. Boards and middle management should be aware that their actions in the wake of a crisis can be closely scrutinised, from within or outside the company, and ensuring that members are properly aware of, and trained about, relevant issues is the best way of ensuring that boards handle compliance issues properly, as and when they arise.
‘Speak up’ or whistleblowing programmes involve an internal or external company hotline that allows employees and directors (and sometimes third parties) to report misconduct anonymously. To be effective, companies need to ensure that reports go to an independent person distinct from management; that person should have a communication channel with the anonymous whistleblower. Companies need to know how to handle whistleblower reports and when to initiate an internal investigation. To be effective, whistleblower programmes should also be publicised to the persons who are to use them – no system, however robust, will be of much use to a company if employees and directors are not aware of it.
As well as fostering a speak-up culture, companies also need to ensure that any whistleblower reports reach trained ears. Recipients should be independent and undertake training on receiving and handling complaints, specifically on how to escalate issues in the correct way, as well as being as open and transparent as possible in dealing with those who are making complaints. In the Middle East and North Africa, for example, where whistleblower laws and programmes are emerging, training compliance professionals on how to manage complaints and when to conduct an internal investigation or escalate issues is key. There can be a perception that there are no issues to address, when in fact there could be a lack of a speak-up culture, or compliance is not aware of how to manage reports.
Monitoring is a key aspect of compliance, although monitoring and reviewing employees’ communications and activities must always be done in compliance with applicable employment, data protection and privacy and telecommunications laws, as well as company policy. The legal context may vary considerably across jurisdictions. Global companies will face a whole spectrum from very robust and established data privacy laws to those that are more nascent and untested to countries where no specific data privacy legislation exists (although other legal mechanisms may be relevant, such as any constitutional right to privacy). Compliance teams should consider:
In considering how to apply global standards, particularly if internal investigations may be conducted across borders or even continents, the best practice is to adhere to the highest common denominator of privacy standards in the applicable jurisdictions. Furthermore, companies should consider having appropriate policies in place as regards acceptable use and investigation, and ensure that they update any consent requirements under employment agreements where applicable.
For a compliance framework to be effective, it is crucial to consider conducting regular due diligence of third parties (e.g., vendors and distributors) as well as conducting periodic risk assessments. Due diligence helps to mitigate the risk of a company working with sanctioned persons, related parties, or exposing themselves to corruption or risks relating to environmental, social and governance (ESG) issues. As mentioned, the type and extent of diligence procedures with third parties will vary for each company or transaction, with certain risks posing a greater threat to companies in different sectors. However, putting policies in place and providing the appropriate training to employees for them to know which type or level of due diligence applies in a given situation is key. Additionally, external advisers and lawyers should be instructed where appropriate as early as possible to assist in any such diligence exercise, especially where the due diligence requirements are extensive.
Furthermore, due diligence can vary in scope. Companies may consider screening customers and counterparties to check whether they are sanctioned, and carry out standard anti-money laundering and know-your-customer checks. In addition, there may be higher standards for due diligence in certain areas in light of regulators’ focus on bribery and ESG issues (where a company’s reputation can be as important as its adherence to regulation for a company’s business).
Risk assessments, typically conducted by consultant lawyers and accountants, can also be a useful tool to measure compliance effectiveness in a specific area or function and may provide strategies for enhancement.
When misconduct occurs, companies need to respond quickly to contain, manage and remedy the crisis. The first step is to determine the nature of the misconduct, gather preliminary facts about the issue, immediately stop any ongoing violations and, where necessary, assemble an independent team to investigate the alleged misconduct.
Where allegations of behavioural misconduct occur, companies might consider whether to conduct an internal investigation and whether to engage external consultants to assist. Companies might also consider which protocols or policies could apply and ensure that the investigation team is aware of them. To assist in-house counsel and compliance professionals in managing these often time-critical situations, we have set out a checklist of practical considerations and steps a company might consider taking when faced with allegations of misconduct (see appendix at the end of this chapter).
The checklist is not intended to be an exhaustive list of what to do and how to react in the event of a crisis or investigation, but it is a helpful guide to some of the key issues to consider. Depending on the nature of the incident, various items in the checklist may need to be reordered or prioritised. The checklist should also be supplemented with professional advice where necessary, particularly in the event of time-sensitive or cybersecurity incidents.
When the dust from any incident, crisis or investigation has settled, organisations should ensure that they are proactive in implementing any necessary changes and taking the business forward, having learned the lessons of any investigation. This is a key factor in business resilience – the ability to overcome difficult situations.
Remedial issues should be a priority coming out of any critical situation, as good organisations will want to ensure that lessons have been learned and the same mistakes are not repeated. Accordingly, it is critical that organisations conduct investigations into exactly what went wrong in a specific situation, where mistakes were made, and what should have been done instead, while taking care to avoid any damaging tendencies, such as scapegoating employees unfairly.
Once an organisation has assessed and identified learning points from a situation, it is important that appropriate changes are implemented, rather than the matter just being filed away in a report. Additionally, training should be delivered to, and conversations may need to be had with, key employees in a constructive way, to avoid any similar mistakes being repeated. The organisation should also use the incident as a case study to teach other and future employees.
As mentioned previously, organisations should ensure that the members of their boards and middle management engage with compliance issues at all times, but this is particularly relevant in the context of remedial efforts following alleged misconduct or other crisis response. Companies might consider providing board members and middle management with specific training on how to deal with alleged misconduct, and directors should take this into consideration when making decisions about any changes to their business.
The way in which organisations react and adapt to alleged misconduct contributes to the tone for the culture and governance of those organisations. Implementing and instilling an appropriate corporate culture is not about working to guarantee that no compliance issues arise, but rather, if issues do arise, that they are dealt with transparently and effectively.
Culture, therefore, is key not just to the elements of good practice in the course of normal operations, but also during times of crisis and post-crisis. A culture of integrity will ensure that, where mistakes are made in an organisation, people avoid pointing fingers or playing the blame game and instead focus on how to improve and avoid similar mistakes in the future.
Navigating global compliance is a crucial component of modern international business, and companies should be prepared to mitigate global compliance risks to retain their competitive position in a global business environment. This survival guide has provided a number of tools for what legal and compliance professionals need to be thinking about and doing, and how to do them. Companies would do well to treat these issues with due importance. With the proper consideration of, preparedness for and response to a business’s various compliance risks, particularly by bringing such considerations to front of mind in any operations, companies will be better positioned to mitigate global compliance risks. Furthermore, companies that are most attuned to the risks of compliance pitfalls can ensure their own robustness and resilience in an increasingly competitive business environment.
The following tables could be expanded to include additional columns or devices to indicate responsibilities, deadlines by which tasks should be completed, the level of urgency or status of tasks.
 Ali Sallaway, Daniel Travers and Xin Liu are partners and Zara Merali is a counsel at Freshfields Bruckhaus Deringer LLP. The authors would like to thank their colleagues Marco Hughes (trainee solicitor) for his invaluable research assistance and contributions, and Andrew Bulovsky (associate) for his contributions.
 See https://www.transparency.org/en/cpi/2021 (last accessed 28 June 2022). The scores are on a scale from 0 (highly corrupt) to 100 (very clean).
 For broader discussions and additional information on sanctions, see Global Investigations Review’s Guide to Sanctions.
 A good example is the many online scams that have posed as government support measures to take advantage of the fear and uncertainty of many individuals and business owners, such as fraudulent schemes regarding the United States’ Paycheck Protection Program, in which individuals have been charged and convicted for bank fraud, money laundering and submitting false statements to financial institutions.
 See also the chapter titled Compliance in Corporate Transactions in this Guide.
 This statement is commonly attributed to Peter Drucker (1909–2005), management consultant and writer.
 For example, under Article 30 of the General Data Protection Regulation.