Corruption continues to be a hot topic as its effect is widespread economically, politically and socially across the globe. There is no denying that the impact of corruption is significant. As a result, there have been many actions and initiatives launched in the last 10–15 years intending to reduce global corruption, the most influential being the strong enforcement of anti-bribery legislation by certain countries.
Enforcement has seen a wave of enhanced anti-corruption compliance programmes by companies who have either dealt with governments on settling allegations of misconduct, or by companies in industries where there have been ‘government sweeps’. Others recognise that compliance with anti-corruption legislation is a must as a matter of being a good corporate citizen. Despite these enhancements and recognition, companies continue to struggle with what specific risks should be addressed and how much compliance should be implemented. Truly effective compliance programmes are able to strike a balance to satisfy all stakeholders: investors, regulators, employees, customers, business partners and society at large. But how does one get there?
The US Foreign Corrupt Practices Act of 1977 (FCPA) and the UK’s Bribery Act 2010 (UKBA) are the laws that generally provide the global benchmark for companies with regards to anti-corruption compliance programmes. These laws are comprehensive, have wide jurisdictional reach and, in the case of the FCPA, have been actively enforced by the US government for years. As a result, we have a plethora of learnings from prior enforcement actions. Detailed guidance on compliance with these laws has also been issued, including the UK Ministry of Justice’s issuance of ‘The Bribery Act 2010 Guidance’ and the Criminal Division of the US Department of Justice (DOJ) and Enforcement Division of the US Securities and Exchange Commission (SEC) publishing of ‘A Resource Guide to the US Foreign Corrupt Practices Act’. Other guidance and best practices are published by globally recognised organisations, including the ‘Good Practice Guidance on Internal Controls, Ethics, and Compliance’ adopted by the Organisation for Economic Co-operation and Development (OECD), ‘Anti-Corruption Ethics and Compliance Handbook for Business’, which was jointly developed by the OECD, the United Nations Office on Drugs and Crime and the World Bank, ‘Internal Control – Integrated Framework’, issued by the Committee of Sponsoring Organizations of the Treadway Commission and the UN Convention against Corruption.
Though described in different ways, the underlying elements of these guides are similar and speak to an anti-corruption compliance programme that:
- creates a culture of compliance;
- assesses risk;
- has supporting policies and procedures;
- manages risks created by third parties;
- engages stakeholders; and
- monitors compliance and continuously improves.
While the guides are prescriptive in the actions a company can take to develop an anti-corruption compliance programme, this article considers two different perspectives on how the actions apply practically. The first perspective is the compliance challenges Western multinational companies (W-MNCs) may face when operating in Asia. The second perspective is the challenge an Asian company has in developing an adequate global anti-corruption compliance programme, coming from a country where enforcement may not be as robust.
Compliance programme challenges for Western multi-national companies operating in Asia
Most W-MNCs operating in Asia have likely implemented certain elements of an anti-corruption compliance programme in their regional operations. Quite often, the design of the programme occurs at corporate headquarters, with insufficient attempts to understand the local challenges of achieving effective compliance in Asia. The following practical considerations may help to address some of the more common realities.
Accurately measuring corruption risk can be difficult
The risk profile of countries in Asia is diverse and presents a unique challenge. On one end of the spectrum are Japan and Singapore, which are developed nations perceived to be two of the least corrupt countries in the world (18 and eight, respectively, out of 168 countries ranked by Transparency International in its 2015 Corruption Perceptions Index (CPI)). On the other end are newcomers to the global marketplace such as Myanmar (147), where W-MNCs are eager to make foreign investment. In the middle are rising economic powerhouses that include China and Indonesia (83 and 88, respectively), where W-MNCs struggle to navigate the corruption risks in these countries, despite decades of operations therein.
Risk assessment is fundamental to effectively allocating finite compliance resources across a company’s operations. For many W-MNCs, the allocation is based, in part if not entirely, on a mathematical exercise designed to risk-rank operations around the world, with the CPI and revenue as two of the most common criteria used. Other factors, however, may more accurately reflect the risk to the business. If revenue were always the most heavily weighted factor, some of a W-MNC’s highest risk operations may be ignored as immaterial. The following are real examples where revenue for a particular operation might not be the most appropriate measure.
- An ‘exploration stage’ mine in Indonesia that is not generating revenue would show no risk if a traditional revenue measure were used. This would not reflect the true corruption risk, however, given that during this time in a mine’s lifecycle there is already interaction with government officials for a variety of reasons. In fact, this may be one of the riskiest times. The number of permitting and licensing activities or touchpoints might be a better measure of risk.
- A wholly owned pulp mill in the Philippines, based there because a W-MNC’s paper products require a specific pulp only found in trees grown in the Philippines, acts as a supplier to the W-MNC’s group companies. As the only supplier of this special pulp, the mill is a significant operation with many employees. However, the ‘revenue’ from this subsidiary would be inter-company and more akin to cost than arms-length generated revenue. As a result, revenue may not be an appropriate measure for the business when assessing corruption risk. A better measure might be volume of pulp produced by the mill.
- South-East Asian sales recorded by a sales office based in Singapore would show a lower risk profile for this revenue because of Singapore’s lower CPI ranking. However, if sales in Singapore are based on selling product to customers in Indonesia, Malaysia and Vietnam, Singaporean revenue is not likely to be the right measure because the corruption risk in these countries is perceived to be higher than it is in Singapore. A more accurate gauge may be revenue based on end customer destination.
In addition to the quantitative assessment of risk, equally important is understanding what the business does on a daily basis, and the accompanying challenges. In many instances this understanding may be more valuable than the quantitative analysis, as risks on the ground may differ from assumptions that are made from afar. In the example of the pulp mill in the Philippines, a reasonable assumption would be that the operation potentially has heightened risk around environmental compliance because it is a manufacturing operation with wastewater. However, discussion with local personnel may reveal that the mill has less risk in this area because of a strong focus on repairs and maintenance of the wastewater equipment, but a more real challenge of dealing with local government officials as the company moves trees from the forestland to the mill.
The use of prescribed risk assessment methodologies is valuable in assessing risk, but in Asia interpreting the results correctly can be difficult. W-MNCs must be careful not to get trapped in decisions based on materiality assumptions and judgements made from corporate headquarters. Engaging the business locally to understand what is really driving risk in the operations is critical.
Navigating the cultural differences between Asian and Western societies
Cultural differences between Asian and Western societies can present challenges that W-MNCs must consider. Some may consider Asian societies to be intensely hierarchical, with deference given to authority and directions executed without question. In addition, the notion of ‘saving face,’ or retaining respect and avoiding humiliation, are all core social values that are deeply rooted in many Asian societies. As such, situations may arise where individuals (or groups) feel the need to engage in risky, even illegal, behaviour to avoid the appearance of failure.
These aspects of Asian societies can make it difficult for W-MNCs to be successful in creating a culture of compliance, where people make the right choices, feel empowered to raise questions about compliance and are comfortable with transparency within the organisation. Given these dynamics, the messages given by local leadership, middle management and regionally based compliance resources are critical and should be considered key to effective compliance in W-MNC operations in the region.
W-MNCs can enhance the effectiveness of their compliance programmes in Asia by having compliance messaging delivered by local, in-country leadership. The messaging should emphasise that success, through unethical or illegal means, is the real failure. The message must be filtered down so that employees feel empowered to walk away from unethical business, in the knowledge that they will be supported by the company and that there is no shame in doing so. Decisions made at local operations level can have the greatest effect on compliance because this is where the day-to-day activities are most likely to expose the company to corruption risk.
Messaging from local middle managers should encourage employees to raise questions when they have concerns over unethical or illegal behaviour that they believe may have occurred. Middle managers are most visible to the employees, guiding them every day on the company’s expectations regarding their behaviour and performance. Therefore, it is imperative that employees hear and see the right messages and action from their direct superiors.
Lastly, effective compliance programmes have adequate resources to support the compliance function in mitigating the corruption and bribery risks to which the organisation is exposed. This includes compliance professionals who are available to the business for guidance and support. For W-MNCs, some of these resources should be based in the region to help country management navigate difficult situations that will arise. These resources should be adequately experienced compliance professionals who understand the cultural differences within Asian societies, local markets and customs, and the associated inherent compliance risks.
The use of third parties (and third parties using third parties) in high-risk functions is inevitable
Third parties and intermediary relationships are common for W-MNCs operating in Asia. These relationships are fundamental to helping a company successfully conduct business in the region due to the local knowledge and relationships, and reduction in financial exposure they provide to W-MNCs. In some instances, these local business partners may be legally required. Despite the necessity of third parties to operate in Asia, W-MNCs should be on high alert as many violations of anti-corruption legislation involve the use of third parties. Therefore, effectively managing third-party risk is a critical component of an organisation’s anti-corruption compliance programme.
Due diligence – the process through which companies vet third parties and decide whether to enter a business relationship – is an area that garners much attention in discussions regarding effective anti-corruption compliance programmes. No doubt most W-MNCs with operations in Asia have some sort of process in place, with varying degrees of rigour in the procedures that are undertaken. There are two nuances in Asia that W-MNCs should be aware of: lack of available information; and the reality of third parties using third parties.
Getting to know a third party with an appropriate degree of certainty can be very difficult due to the limited availability of electronic records or the lack of transparency of information in many countries in Asia. Not only is the sophistication of the country in general a consideration, but the specific location of where the third party operates – often outside major or capital cities – compounds the issue. In some cases, the only way to obtain or verify information is for someone to physically go to a third party’s place of business or government agency. Due to these challenges in obtaining reliable information, the use of investigative specialists is sometimes employed when higher-risk third parties are being screened.
Furthermore, another factor that complicates this is when a third party uses other third parties in service delivery. For example, in China medical device makers typically sell to distributors who in turn sell to sub-distributors who market directly to hospitals. Similarly, the movement of goods around the islands in archipelago nations can mean a global freight forwarder is using a series of sub-contractors ending in a final carrier that is more akin to a fisherman. Quite often this is not disclosed unless the W-MNC knows to ask the question. Spending resources evaluating the first-tier third party may be wasteful if the real risk sits at the next levels down where higher risk activity is occurring.
Once a third party has been approved through due diligence and becomes a business partner, many W-MNCs will subject the third party to compliance requirements similar to those required of employees, which includes monitoring the behaviour of the third party. In addition to monitoring compliance with contractual obligations for service delivery, payments to higher-risk third parties should be reviewed by both the business and a compliance function prior to being approved. The payment should only occur after adequate supporting documentation has been provided, appropriate approvals have been obtained from the business and the transaction as recorded in the general ledger reflects the business purpose.
In Asia, obtaining adequate supporting documentation and determining business purpose can be challenging. A practical solution is to train the third party on what documentation is expected in order to receive payment and only allow deviations in limited and fully explained circumstances. Appropriate approval may include an individual in the business signing off on the payment after having performed an appropriate level of supporting documentation review. In some instances, the risk posed by a third party may be so high that business-level approval should equate to accepting responsibility for the third party’s actions with employment consequences for knowingly approving an inappropriate payment.
With the focus on compliance increasing in Asia, so has the complexity of schemes being used to hide nefarious payments. Companies must be aware of these shifts and consider changes in their processes for monitoring third parties. Previously in China, it was common for travel agents to be used to set up trips for officials where sightseeing and leisure activities were provided alongside legitimate business travel. In some instances, the leisure activities were so elaborate that they may have been perceived as bribes. More recently, the scheme has evolved, whereby companies pay travel agents to organise events, which are then scaled down or cancelled altogether, though the travel agent is still paid. This creates a slush fund with the travel agent, which could then be used to pay bribes.
Many compliance teams in China have responded to these risks by implementing enhanced procedures around payments to third-party travel agents. Given the shift in the scheme, adequate supporting documentation now may include evidence that the event, as planned and paid for, actually occurred. This is just one example of the point being that effective compliance programmes must continually evolve to recognise and address changing risks and schemes.
The regulatory landscape in Asia is changing
The regulatory landscape in the region is changing. In response to continued pressure from the global business community and NGOs such as the OECD, countries in the region are enacting and beginning to enforce their own anti-corruption laws. Although enforcement across the region varies, it is not just the FCPA and UKBA that W-MNCs need to be worried about complying with anymore. Western companies took notice when China levied its largest corporate penalty in 2014 for bribery. Other indications include Japan and Korea both making great strides in their anti-corruption legislation or the newly elected president of the Philippines making it clear that he will not tolerate graft and corruption.
The need for an anti-corruption compliance programme for Asian companies operating abroad
Aside from a stance of zero tolerance for corruption being the right way to do business in today’s global marketplace, more and more there are strong pressures on Asian companies that highlight the need to develop a thorough and effective anti-corruption compliance programme. The reasons for this are varied, but below are four key points of consideration.
- Asian companies can expose themselves to US or UK ties by something as simple as a wire transfer routed through a US or UK bank (sometimes without even knowing it, if for example, a third party is involved), therefore making it subject to the extraterritorial reach of international anti-corruption legislation such as the FCPA and UKBA. For these companies, compliance is something that cannot be ignored given that eight of the top-10 FCPA enforcement actions of all time to date involve non-US companies. Actions by US regulators against international companies show no signs of abating.
- As Asian economies grow and develop, their companies are being subject to a global anti-corruption compliance standard when wanting to do business either locally or abroad with W-MNCs. This is because international anti-corruption legislation may make the W-MNCs responsible for any corrupt activities conducted by their business partners when acting on their behalf. To mitigate this risk, a business partner may be required to demonstrate the compliance efforts they undertake so as not to condone bribery in any form. Accordingly, an Asian company that does not take anti-corruption compliance seriously may be at a significant competitive disadvantage to those that do.
- The third reason is the potential for an Asian company to be involved in an M&A transaction. When an Asian company wants to be involved in a friendly takeover by a W-MNC, the due diligence procedures it is subject to will likely include an anti-corruption compliance assessment. Under laws like the FCPA and UKBA, the acquiring company may be subject to successor liability for past conduct of the acquired company, even if the acquired company had no knowledge whatsoever that it may have broken the law of the acquiring company’s country. To put it simply, the acquirer may be liable for prior corrupt activities of the target. It is not uncommon for a W-MNC to walk away from a deal where it cannot guarantee that its target has taken anti-corruption compliance seriously.
- Finally, Asian companies are finding themselves caught up in global corruption scandals. Media reports from the recent Unaoil scandal allege involvement of companies from Korea, Japan, China, Singapore and Malaysia. The companies named are subject to adverse media reports and are on the defensive. For these companies, having an anti-corruption compliance programme that helps prevent any alleged misconduct in such a scandal would be much more desirable than being on the defensive. Even more so, being able to demonstrate an effective anti-corruption compliance programme may put the company in a defendable position should they be subject to any regulatory action or investigation that arises from the scandal.
Overall, a fit for purpose anti-corruption compliance programme designed on the best practice elements discussed earlier should be the aspiration of an Asian company. Some of the key considerations for Asian companies in developing such an anti-corruption compliance programme are discussed below.
Going beyond paper compliance
Going beyond paper compliance involves the company having adequate resources (people and budget) to design, implement and monitor an effective anti-corruption compliance programme. This is something Asian companies are grappling with – what are appropriate resources for compliance?
While a team may be identified within the company’s headquarters as being responsible for compliance, it is common for an Asian company to provide little or no guidance to operational or local country management on the overall compliance standards expected by the company. Quite often, interactions between headquarters and local country management on compliance-related matters are neglected leading to a lack of consultation on priorities, thereby contributing to a lack of effectiveness of the programme. Even worse, corruption risks that local operations are exposed to may not be identified or fully appreciated.
For the successful integration of compliance-related policies and procedures throughout the company, it is crucial for operational or country management to identify and have ready access to compliance subject matter experts. SMEs provide necessary guidance and feedback to ensure that the compliance programme is adequately understood and procedures are being followed by the business.
Knowledgeable employees who understand the local market, business customs and inherent compliance risks should be deployed to high-risk locations where the company operates, to help country management identify high-risk government touchpoints and navigate the difficult situations they are bound to encounter. Such resources should have a reporting line back to headquarters about the operation of the programme so that the headquarters are aware of the compliance challenges faced by the local operations and can provide appropriate support when necessary. The company should implement a reporting mechanism where local operations are required to report to headquarters on a regular basis with items concerning the operation of the programme. For example, training statistics, progress on remedial actions, and the local gift and entertainment register should be provided to headquarters for review.
The use of a hotline or whistleblower mechanism through which anyone can report concerns without fear of retaliation is a crucial tool to help with detection of potential misconduct. It is important that all allegations are centrally reported, so that they can be appropriately addressed, avoiding a situation where local management may not appreciate the severity of an allegation, or may even be the subject of such allegations, and thus appropriate attention is not given.
Companies should also undertake proactive independent assessments of their anti-corruption compliance programs such as conducting employee surveys or performing controls testing with the help of either an outside consulting firm or the internal audit or internal control group within the company. This should not be just at headquarters level. A rotational assessment programme can be set up where different countries or operations are independently tested every few years. More importantly, observations from these assessments must be actioned in a timely manner with the appropriate remedial plans developed and lessons learned shared across the company.
Managing third parties abroad
Often, there is the misconception among Asian companies that bribery can be outsourced. That is if the bribery is not committed by an employee of the company, then the company cannot be held liable. One only has to look at all the FCPA enforcement actions involving the use of third parties and recent high-profile global corruption scandals to see how the use of an agent to help win contracts from state-owned entities can expose the company to scrutiny.
While an agent, be it an individual or company, can be a business necessity in order to expand and do business in a foreign country, it is imperative that the company keep a tab on the agent to ensure they act ethically and within the boundaries of the law. Some of the red flags to be aware of when engaging an agent are as follows:
- A vague description of services to be provided in the consulting agreement and lack of detailed regular reporting on activities performed on behalf of the company.
- Remuneration includes excessive commission, requests made for payments in cash or substantial upfront payment.
- Payments made for items outside of what is covered in the consulting agreement.
- Over or under-invoicing.
- Payment is requested to be made to an offshore bank account.
- A third party is requested to be part of the transaction by a foreign official.
The company should also ensure it makes the agent appropriately aware of the company’s compliance expectations. This can include appropriate anti-corruption contract clauses in their agreement with the company, having the agent sign compliance certifications and subjecting the agent to regular and specific anti-corruption compliance training and periodic audits. Overall, an Asian company that engages with an agent must be aware of how the agent does business and be comfortable that this will not lead to the company falling afoul of international anti-corruption legislation.
Responding to issues appropriately
Should the unthinkable happen and the company find itself embroiled in a global corruption scandal or subject to regulatory scrutiny, it must take appropriate action to put itself in a defendable position. This means having a crisis response plan that includes conducting a thorough investigation to determine the scope of any improper transactions and associated misconduct and undertaking appropriate remedial actions. Determining the scope may involve formulating theories to prove or disprove allegations and reaching appropriate conclusions.
Unfortunately, Asian companies have been caught in the crosshairs of regulators such as the DOJ and the SEC and may not fully understand what actions need to be taken in such circumstances. These regulators place a lot of emphasis on what the company does when it uncovers an issue. The lack of cooperation, failing to take action or covering up the issue places the company at risk of greater scrutiny and a more severe penalty.
Key considerations when conducting a thorough investigation include:
- Oversight of the investigation. It is common for internal investigations to be conducted under the direction of the company’s general counsel or senior management. However, if the allegations potentially implicate senior management, the company should consider an independent investigation overseen by the audit committee or another committee of the board of directors.
- Engage outside counsel. This is to maintain attorney–client privilege over the investigation to avoid involuntary disclosure of investigation findings or other privileged communications. Counsel will also help the company consider relevant local laws, data privacy considerations and navigate interactions with regulators. This can include helping the company to negotiate a settlement with the foreign regulators.
- Engage forensic accountants and other experts. These professionals should work at the direction of counsel. They will help the company conduct an objective investigation and will apply their experience to ensure appropriate evidence is forensically collected and analysed. A good forensic accountant will be well versed in identifying and determining the scope of potentially inappropriate transactions and thus help put the company in a defendable position for its investigation.
The authors wish to acknowledge the contributions of Eddie Lam, managing director in Shanghai, and Eu Sun Chan, senior director in Singapore, in drafting this article.