The following article is an interview conducted by the Risk & Compliance Magazine which was published in the Jan-Mar 2018 issue. The interviewees are:
- John P. Cunningham – Partner Baker McKenzie
- Crystal Jezierski – Partner Baker McKenzie
- Luz Maria Pineda Lucy – Compliance and Risk Director Fondo de Fondos
- James A. Garrett – Chief Risk and Compliance Officer NuVasive, Inc.
- Adeola Kehinde Sunmola – Partner Udo Udoma & Belo-Osagie
In your opinion, why is it advisable for companies to localise their global compliance programmes?
Cunningham & Jezierski: Our experience with multinational companies and the current enforcement environment counsels that it is now more important than ever for global compliance programmes to be effectively localised. Recent years have seen a noticeable increase in non-US anti-corruption enforcement, for example, as well as the emergence of more aggressive cross-border cooperation and information sharing, leading to multi-country government investigations. In many situations, conduct that violates the US Foreign Corrupt Practices Act (FCPA) may also run afoul of the laws or regulations of the country in which it occurred and other non-US countries with the authority to exercise jurisdiction over the entity. In addition, non-US authorities can now be expected, in many instances, to pursue enforcement actions. Therefore, enforcement actions involving cross-border cooperation resulting in the payment of financial penalties to multiple jurisdictions are more prevalent.
Lucy: A global entity must have a dual-focus compliance programme. On one hand, the programme must identify compliance points in the different jurisdictions in which the company operates, as well as the local regulations in which it is required to implement its programme. Companies should devise training sessions and identify those employees who, by their functions, have points of contact in risk areas, because for them it will be necessary to provide specialised and recurring training. In order to get a better response to implementation, companies should include practical examples in their training programmes, such as relevant local situations and customs, and whether they are compatible with the company’s larger global compliance programme.
Garrett: Compliance risks arise, for the most part, at the local level and are best mitigated at the local level. To use an analogy, it is easier to put out a fire at its source and before it spreads. The greatest compliance risks, namely bribery and corruption, often stem from interactions with third-parties in local jurisdictions and between individuals in the field. Having a local resource that speaks the local language and knows the local business is key to helping mitigate those risks. Moreover, embedding compliance at the local level can create or bolster a culture of integrity. It goes without saying that a culture of integrity starts at the top, but it must permeate the organisation, and having compliance at the local level helps to maintain continuity and drive accountability and action on the ground.
Sunmola: It is advisable to localise global compliance programmes because this helps companies build a culture of compliance across the group. If such policies are culturally integrated, they will, in turn, be more effective in bolstering internal controls and aiding in the prevention and detection of infractions, thereby producing better compliance results. Localisation of compliance programmes will also make it easier for employers and other stakeholders to utilise and implement these programmes, locally, especially if they are well understood and appreciated. The need for global compliance programmes is also emphasised by the extraterritorial effect of the FCPA in the US and the 2010 Bribery Act in the UK, and the major impact which these statutes have on global corporations. Foreign companies are exposed to risks and liabilities even for offences committed abroad and by officers and employees of subsidiaries, agents or service providers.
How would you characterise the difficulties involved in establishing programmes that are both legally compliant and commercially practical? What, in your experience, are the most common issues that companies face during this process?
Lucy: The involvement of commercial areas is important to the development of a compliance programme that fulfils a practical commercial perspective, with the legal basis required in the commercial sector in which the company is operating. Both areas must be in harmony in order to have a robust compliance programme and an important aspect of this harmony is advanced communication. If, on the other hand, a product is launched without revisions and compliance being taken into consideration, problems can arise. In order to avoid such issues, companies would be advised to establish a committee governing new products. This committee may be responsible for reviewing the pros and cons of the product in question. During this process it is most likely that time-based non-compliance issues will arise when a new product is going to market.
Garrett: The compliance function is, by its very nature, contrary to driving business. Business, regardless of the industry, is value focused and generally needs to be nimble and quick moving. Compliance policies, processes and procedures are often an impediment to speed and can result in red tape. The challenge, and ultimate goal, of an effective compliance programme should be to align the programme with the risks the company is willing to take and be a value driver. Unfortunately, even with the best of intentions, most programmes fall short, in part because the business is distrustful that compliance is aligned with business goals. This can be overcome by truly understanding the business and tailoring the compliance programme to the business, rather than taking a ‘one-size-fits-all’ approach to compliance.
Sunmola: In our experience, companies face three common challenges in establishing programmes that are both legally compliant and commercially practical. First, staying abreast of the constantly evolving laws and regulations in a bid to ensure that compliance programmes, which are commercially expedient, meet any requirements introduced by the new legislative climate. Second, a lack of clarity and sufficient direction, as well as gaps, in the laws and regulations, which may serve as an impediment to developing and implementing commercially practical compliance programmes. Third, company culture. Measures necessary to address the foregoing issues and the costs involved in correcting them, require the support of company management and not a culture that simply treats compliance programmes as a mere box-ticking exercise.
Cunningham & Jezierski: The most effective programmes are those that articulate and apply consistent standards of conduct and compliance processes across all operations. However, this can be challenging when accounting for differing law enforcement and regulatory frameworks, particularly with respect to the potential liability of corporations and other organisations, as this may vary from country to country. Furthermore, anti-corruption laws, for example, although often similarly constructed, will not typically mirror each other precisely in terms of content. Indeed, the FCPA is one of the few anti-corruption laws that allow facilitation payments. Moreover, the UK Bribery Act prohibits commercial bribery, while the FCPA does not directly cover such activity. These differences require companies to consider how their compliance programmes should be customised to address such disparities. Multinational companies must also evaluate how other key regulatory requirements, such as data privacy and employment-related rules, impact the overall content and efficacy of their compliance programmes.
What specific strategies can companies deploy to ensure they avoid coming into conflict with local legislation in markets perceived to have high levels of corruption?
Garrett: This is a constant challenge, even for the largest companies and most developed programmes. It requires companies to have a close relationship with local counsel who can provide cost effective advice and counsel at the local level. It is nearly impossible to avoid local legal and regulatory pitfalls without such guidance, and it is impossible – and not cost effective – to have those resources internally.
Sunmola: As a first step, it would be useful to obtain legal advice in the relevant jurisdictions in order to understand the legal landscape and the compliance requirements in that jurisdiction generally and in the relevant sector of operations, especially in specialised sectors, such as manufacturing, capital markets, banking and insurance. Thereafter, local counsel should be engaged to review the company’s global compliance framework, in order to confirm that it conforms to local laws. If a global compliance framework does not exist, the company should draft a local business conduct and compliance policy that emphasises its zero tolerance for corruption and the penalties for any breaches of the policy. Where a company will require permits or licences to operate, it is important that those licences and permits are obtained or renewed as and when due, to avoid violating local laws. Where it is necessary to engage agents to carry out acts or services on behalf of the company, the company should engage reputable ones and ensure that such agents accede to the company’s business and ethics or compliance policy, before undertaking any tasks on behalf of the company. The company should carry out pre on-boarding due diligence on such agents before engaging them to act on the company’s behalf. The importance of compliance and risk monitoring teams within a company cannot be overemphasised, as this would ensure that violations are kept to a minimum and, if unavoidable, are addressed through prompt remedial measures.
Cunningham & Jezierski: As an initial step, areas where local laws and requirements may, and often do, differ. For instance, with respect to anti-corruption compliance, common areas of variance among relevant local laws include the treatment of facilitation payments, the appropriate provision of gifts and hospitality to government officials, and data privacy requirements. With careful and deliberate contemplation of local legislative requirements, corporations can then tailor the design, implementation and monitoring of their programmes to address unique local expectations, statutory and regulatory mandates, and even cultural idiosyncrasies.
Lucy: Companies considering initiating operations in countries with high levels of corruption must undertake comprehensive due diligence procedures that will allow them to investigate whether the sector in which the company operates is a susceptible or high-risk sector. The company must carefully analyse and anticipate in its compliance programme whether there are adequate internal controls to comply, not only with local regulations, but also with its own internal compliance programme. It is important that the person in charge of implementing the programme is aware of corruption and is able to verify, at all times, that the company has the required licences. It must also carry out regular training exercises for the relevant employees.
What types of data analytics are companies leveraging to measure and monitor culture and compliance throughout their international operating locations?
Sunmola: Tracking the completion of compliance training and opinions about compliance training and analysing the results of internal audits and investigations, help in monitoring an organisation’s compliance culture. Companies are also leveraging the usage of smart devices and workplace technologies, such as image recognition, biometrics and artificial intelligence, for risk monitoring and enforcement.
Cunningham & Jezierski: Our experience confirms that the regular collection, review and evaluation of programme data can be a particularly effective tool for monitoring and measuring both culture and compliance programme effectiveness in global operations. Collecting appropriate data and evaluating it on a regular basis as a method of ultimately enhancing programme performance has the dual benefit of facilitating the identification of robust and functional programme areas, while also earmarking those in need of reinforcement.
Furthermore, the leveraging of relevant data analytics adds another layer of protection in higher-risk markets. For example, the identification of government clients and the tracking of sales metrics may permit companies to identify key trends and potential red flags, such as an increase in government sales in certain regions, an uptick in the use of third parties or an elevated reliance on high risk payments or commissions. These trends can be indicators of higher-risk activity that often should be subject to focused compliance scrutiny.
Lucy: It would be best to review all available data. Failure to review any available information could mean that companies miss red flags. In terms of culture, it would be best to have various sources of information available. It is very difficult to know the culture of a country or region without first operating in that region for a while.
Garrett: There are a multitude of metrics available to compliance professionals to measure the effectiveness of programmes, but we have found that the best way is to get out and talk to employees directly. Hotline numbers are generally low, and investigation rates are invariably poor indicators of what is going on in the business. Using risk management tools to track enquiries and contacts with the business can be helpful. These tools allow companies to categorise enquiries and contacts by type and jurisdiction or business unit so that they can assess trends. Because many of these tools are based online, they can be used with international compliance liaisons and track progress, trends and engagement at the local level.
How are the recent and significant cross-border corruption investigations, which involved regulators from multiple jurisdictions, affecting the way multinational companies manage their compliance programmes?
Cunningham & Jezierski: By way of example, in the area of anti-corruption enforcement, global organisations should now expect non-US authorities to assess the effectiveness of their compliance programmes as part of any local enforcement action. The silver lining here is that, while anti-corruption laws and compliance programme requirements differ from country to country, there are typically certain common components or elements embedded among these variances that, viewed collectively, represent the key tenets of any effective global compliance programme. Adherence and commitment to these common programme elements, in many instances, will help companies meet the varying expectations of authorities in multiple jurisdictions. Five particular elements, in our experience, appear with frequency across jurisdictions – leadership, risk assessment, standards of conduct and controls, training and communication, and monitoring, auditing and testing. When appropriately accounted for in a functional and regularly enhanced compliance programme, they can work symbiotically to assist companies in satisfying the compliance programme expectations of multiple jurisdictions.
Lucy: Extraterritorial conflicts will always require greater efforts, which must be foreseen by companies’ legal departments. Companies should also source advice from law firms that operate in the relevant jurisdictions as this will give the company greater certainty that the advice it is receiving is adequate, and will allow the person in charge of compliance to work with the legal department and to anticipate possible breaches or gaps that can affect the development and implementation of the programme in question. Companies must ensure that they collaborate with regulators and provide relevant information or documentation when required. Cases that have been best known by the compliance community at the international level can serve as case studies to provide ideas to implement better internal controls and mechanisms within companies to prevent similar situations.
Garrett: In one sense, recent investigations have made the job easier because they help focus the regions of risk, such as Brazil, China and Iran, but it is difficult to align policies and procedures with the different local regimes and regulations. Recent transparency developments in France are an example. On the enforcement side, the US and the FCPA are still leading the pack, and staying clear of FCPA violations generally mitigates the largest local enforcement risks.
Sunmola: Cross-border corruption investigations have caused multinational companies to be more proactive in implementing compliance programmes, which incorporate anti-corruption and anti-bribery policies. Typically, in addition to implementing anti-corruption and anti-bribery policies in relation to their local and global employees, most multinational companies also extend the application of such policies to their external advisers and such other persons or ‘agents’ that may act on their behalf.
The contracts of engagement of the agents, for instance lawyers, accountants and so on, are drafted to include relevant representations and covenants pursuant to which such agents undertake not to breach applicable anti-corruption and anti-bribery laws. The extraterritorial effect of the FCPA and the 2010 Bribery Act have steered global corporations in the right direction of an increased emphasis on zero tolerance for breach of law and compliance policies.
To what extent can appropriate due diligence on third parties help overcome geographical, cultural and industry-specific challenges?
Lucy: It is necessary to know the third parties with whom the company maintains commercial relations. Companies should ensure that they are able to communicate the values of the company and the company’s code of ethics to their third parties. Companies must also ensure that they get confirmation of third parties’ adhesion to the code, while also reviewing the code of ethics of the third parties. Background checks should also be performed, with the consent of the third parties, to avoid future conflicts. Third-party monitoring systems should also be deployed.
Garrett: Due diligence only goes so far toward mitigating the challenges companies face. Questionable business practices are not uncovered absent enforcement and a Dow Jones or other report only finds what is in the public space. More in-depth diligence can be very expensive and local custom and language issues can hinder diligence efforts. Initial diligence is a minimum, but ongoing monitoring and assessments are critical to mitigating compliance risks with third parties. Similarly, training is only so effective. Understanding what is happening at the local level is key to mitigating the risk.
Sunmola: Due diligence reviews may be helpful regarding overcoming geographical, cultural and industry-specific compliance challenges, where adequate information is available regarding the target for review. In Nigeria, however, due diligence reviews may be limited by the amount of information that is available for review and, therefore, the ability of due diligence exercises to overcome the various challenges remains limited.
Cunningham & Jezierski: Recent enforcement matters in the US and abroad have demonstrated that robust and appropriately customised due diligence on third parties can significantly help protect multinational companies from the myriad risks that such relationships create. To be effective, such due diligence should involve, among other things, the careful vetting of government connections, insight into potential conflicts between third parties and pertinent regulatory bodies, the nature of the specific work involved, each third party’s qualifications to conduct the work under consideration, a rational explanation with documented support for the proposed compensation, and a clear and unambiguous business justification for retention of the third party.
In your opinion, how should companies tailor their compliance programmes to correspond with global policies that may allow exceptions and defences in certain regimes but not in others?
Garrett: This is a constant struggle, and compliance with regimes like Medtech Europe may be the only way to address this issue. It does not fully address the risk because local rules and regulations still conflict, but it is a start. Cross-jurisdictional engagements are nearly impossible to address, but complying with one overarching, and logical, regime helps create a defensible position in the event there is an enforcement action because all of the rules are basically designed to prevent the same thing: undue influence and bribery. As such, whether your meal limit in one jurisdiction is $10 higher than another jurisdiction should not matter if the intent was not to bribe. Further complicating things is that most, if not all, of the regulations do not take into consideration the economics of certain cities, such as Sydney, London or Tokyo, that are significantly more expensive than other cities in those countries.
Sunmola: Companies should tailor their compliance programmes to correspond with global policies that may sometimes allow exceptions and defences by, first of all, conducting a comparative analysis between local compliance policies and local laws and global policies to ensure that any policies, exceptions and defences found in other regimes, if included in local compliance policies, would not have the effect of contravening any existing laws and policies in the local jurisdiction. Where such exceptions and defences would constitute a contravention of local laws, they should not be adopted in the relevant local jurisdiction. They would also have to develop compliance mechanisms that incorporate aspects of global policies but do not violate local laws.
Cunningham & Jezierski: While this is certainly a demanding challenge for most, if not all, global business organisations, multinational companies must carefully heed the differences in the various regimes in which they operate, and, to that end, spend dedicated time training local employees to be aware of the uniqueness of the jurisdictions in which they operate. Simply put, organisations have to tailor their programmes with a keen eye to local requirements, including those that may involve exceptions or defences that are not allowable elsewhere. A common, yet important, example with respect to anti-corruption compliance is that of facilitation payments. While such payments may be allowable under the FCPA, they are outright illegal in many countries. Compliance personnel need to account for these types of conflicts.
Lucy: A robust compliance programme should avoid incurring exceptions. Exceptions should be established specifically to avoid ambiguity. Companies with global operations would likely have a history of situations that may be regarded as an exception. It may be appropriate, in any case, to appoint a committee that will make a collegiate decision and duly document, to avoid the decision to leave, a single person who may have a bias or who can incur responsibility for not having an accurate analysis to authorise the exception. The compliance department must maintain a record of all exceptions.
What essential advice can you give to companies on developing a legally compliant and localised global compliance programme?
Sunmola: Companies should be aware of any changes to the laws and regulations of the specific jurisdiction. It is important to have compliance and risk monitoring teams that will interface with legal, tax and other advisers, with a view to ensuring that the company is up to date on legal requirements, as well as compliance trends within the jurisdiction of its operations. Furthermore, in order to ensure that all relevant stakeholders are knowledgeable and well apprised of the company’s global compliance programme, the company should mobilise effective teams to achieve this purpose. Ideally, such teams should emanate from a collaboration between representatives from all relevant and key departments, such as the legal, regulatory and compliance, risk management, human resources, operational business units and corporate communications teams. Companies must also establish adequate and effective reporting, such as whistleblowing, and enforcement mechanisms for implementation purposes. The relevant company handbooks should also set out the investigation processes and procedures, as well as the sanctions and penalties for any breaches.
Cunningham & Jezierski: As most compliance professionals know by now, there is no ‘one-size-fits-all’ approach that will work across the board for all organisations. Perhaps the most essential advice, in light of the current enforcement climate, is for companies to conduct regular, well-planned and comprehensive risk assessments that are designed to reveal differences in compliance programme effectiveness among business units and operations around the world. Such assessments assist in evaluating gaps in internal controls, flagging policy shortcomings and helping compliance personnel stay apprised of updates in relevant enforcement environments, including recent statutory revisions and noteworthy cases that could potentially impact an organisation. Risk assessments will also help inform the auditing and monitoring functions of a company, which are often responsible for ensuring that the programme is working according to specifications. Other actions that sometimes get overlooked by global companies in developing their programmes include the proper translation of policies, procedures and training modules for local markets, and the crafting of localised whistleblower procedures. Finally, companies should consider strategically placing qualified compliance personnel in countries and local jurisdictions where compliance shortcomings are most pronounced.
Lucy: Companies must take as much time as necessary to know the region in which they will be carrying out operations, collect information through field research and have a list of the regulatory requirements required to develop a compliance programme. At times, there may be local requirements that vary from one federal entity to another, which, if not foreseeable, may result in penalties, so it is necessary to have a thorough review, and if needed, receive legal advice from a law firm in order to gain a more complete picture of the local requirements, to be able to make a global programme.
Garrett: Do not take a ‘one-size-fits-all’ approach and attempt to tailor your programme to the region. Do an assessment of the local industry groups that you belong to and learn what is driving or motivating their rules and local legislation. Get the input of the business when you draft your policies and procedures and do not be afraid of adjusting things based on logic and the practicalities of the business. Having an effective programme requires buy-in from the business and local support. Set up local liaisons to champion compliance and ethics and develop a system to track progress and develop metrics – not for the sake of justifying the programme, but to better align your programme with the strategic direction of the company, while at the same time mitigating risk.
What guidance would you offer to companies considering expanding their international footprint through an acquisition, and the modifications that may be required for the target company’s existing compliance programme?
Cunningham & Jezierski: It is critical that companies in such circumstances conduct pre-acquisition due diligence and a comprehensive and proportionately tailored risk assessment to uncover specific compliance issues. Acquiring entities in particular will want to ensure that they fully understand the target’s operations and its compliance culture and leadership structure in order to create an accurate risk profile. This will also assist in identifying gaps between the acquiring company’s programme and that of the target. If a fulsome pre-acquisition review cannot be conducted due to the nature and timing of the acquisition, it should be executed immediately following the acquisition and within the confines of a circumspect post-acquisition integration plan that sets target dates and stated goals for each phase of the review.
Lucy: Prior to any acquisition, the policies of the company to be acquired, as well as its compliance programme, should be analysed. Checklists can be helpful when comparing the differences between the acquirer and the target’s compliance schemes. Another important element to bear in mind is the organisation of training sessions for all employees which will outline the provisions and requirements that the acquiring company requires to meet its internal compliance obligations.
Garrett: Do as much diligence as you can and get boots on the ground as soon as possible after close. Set the tone and provide a compliance starter kit with the code, policies and core procedures on day one. Make sure the contracts with third parties are assessed and terminated or amended to allow for compliance and auditing.
Sunmola: A company that intends to expand internationally through an acquisition would be required to conduct adequate due diligence on the target company that it intends to acquire. The buyer should also seek legal advice regarding the regulatory compliance obligations of the target, in order to determine whether such obligations are consistent with, or could be harmonised with, its existing compliance policy. Simultaneously, with the completion of the acquisition, the buyer should integrate its compliance policy with that of the target.
Looking ahead, do you anticipate that more multinational companies will take steps to localise their global compliance programmes? What are the potential consequences for those organisations that fail to adequately address this issue?
Lucy: Multinational companies face greater challenges, precisely because of the diversity of the legislation in the jurisdictions in which they operate. Unilaterally imposing an unfamiliar compliance programme on employees may result in failure, because the company’s plan could face resistance. Compliance activities are not a simple task, and aligning policies can be met with emotional resistance from employees who consider these compliance programmes to be an imposition rather than a point of convergence between the two parties.
Garrett: Very few compliance programmes have the resources, either in terms of bodies or dollars, to effectively mitigate international compliance risks without putting some resources at the local level. Compliance and ethics liaisons (CELs) can be rolled out in core jurisdictions with a dotted line back to compliance teams. These CELs should meet with the company regularly and have monthly calls. Companies should track their progress and highlight their contributions and involvement, both locally and to the overall organisation. Companies that do not implement a similarly effective approach will have a hard time defending their programmes and may face enforcement challenges as they expand.
Sunmola: It is expected that more companies will take steps to localise their global compliance programmes in order to avoid violating local laws in the face of increased regulatory scrutiny. The extraterritorial effect of the FCPA and the UK Bribery Act, as well as other, newer country-specific legislation, have caused the global regulatory landscape to grow increasingly conscious of the need for global compliance strategies and internal control policies. Companies that do not localise their compliance programmes may find that they are faced with constant violations of their compliance policies, which may subject them to regulatory sanctions and reputational damage.
Cunningham & Jezierski: In most instances, the primary goal of a global entity’s compliance function should be to design and implement a programme that will meet the expectations of all applicable law enforcement and regulatory regimes, including local ones. As cross-border coordination and information sharing continue, and more countries integrate enhanced compliance programme requirements into their statutory schemes and enforcement expectations, non-US countries are better equipped to initiate related enforcement actions, as we are seeing with increased frequency in the area of corruption. In this environment of burgeoning expectations and enforcement, multinational companies that do not adequately localise their programmes are, more likely than not, inviting greater regulatory scrutiny and increased incidents of compliance-related misconduct.