The region has witnessed significant corporate investigations, substantive legal reform and aggressive enforcement in recent years. The Banking Royal Commission in Australia, corporate criminal liability provisions inspired by the UK Bribery Act across several jurisdictions in Asia, and the omnipresent focus of the US Department of Justice (DOJ) on China means that companies in the region face clear business risk. And while the continued impact of the United States cannot be underplayed, national authorities are demonstrating an increasing appetite for investigating and prosecuting large cases themselves. Partly as a result of this, there is a continuing increase in complex, multi-jurisdictional investigations. This highlights a further regional trend – increased co-operation between regulators in different jurisdictions. On a practical level, enhanced information sharing requires a coordinated response by investigated parties to manage competing requests for information, determine appropriate remedial steps and ultimately find solutions to conclude multiple investigations. In a region combining civil law and common law jurisdictions, we also see different approaches to data privacy and legal privilege. This can lead to challenges for corporates and their advisers when conducting internal investigations and responding to external regulatory investigations. We highlight below some of the overarching themes and developments that we have been seeing.
Areas of enforcement risk
Bribery and corruption remain core areas for law enforcement, with domestic and international agencies homing in on conduct in the region. National anti-corruption agencies in Australia, Indonesia, Malaysia and China have all bolstered their powers of investigation and oversight. In tandem, some governments (such as Australia and China) have introduced more stringent corporate penalties. Regional efforts such as the Guangdong–Hong Kong–Macao co-operation project highlight a focus on multilateralism in combating regional graft. In terms of international enforcement, misconduct in China has long been the subject of more corporate bribery investigations under the US Foreign Corrupt Practices Act than any other jurisdiction. Further, in the past year, the US DOJ has launched its China Initiative. This focuses on Chinese companies’ outbound activity and reflects the US’s desire to pursue prosecution where Chinese companies’ offshore activities affect US national interests.
Money laundering, tax evasion, (accounting) fraud, competition and cybercrime are other key areas for corporate investigations in Asia-Pacific.
Anti-money laundering (AML) and terrorist financing have been under the spotlight, with several evaluations being undertaken by the Financial Action Task Force (e.g., in China and Hong Kong), and visits on the horizon for Japan, Korea and key south-east Asian countries. Many jurisdictions, including Hong Kong, Singapore, Vietnam and India, are ramping up domestic AML legislation and corporate enforcement. The region’s focus on money laundering is best highlighted by hydra-styled investigations such as 1MDB, which started in Malaysia but has spread to the highest levels of public office and corporate business globally, including world-famous banks. Governments are pursuing regulatory and criminal actions against financial and other institutions for their failure to implement sufficient controls to monitor global transactions.
Banks, in particular, are subject to increasing scrutiny through audits, examinations, inspections and investigations. In tandem, authorities are increasingly relying on sophisticated technology to identify suspicious payment patterns. A recent example is the Singaporean law enforcement agencies’ collaboration with OCBC Bank to quicken financial crime detection. Project Poet (Production Orders: Electronic Transmission) automates data retrieval from the bank such that information that would have taken three months to process will now be available to law enforcement agencies within one or two working days. Project Poet also makes use of artificial intelligence and data analytics to improve Singapore’s anti-money laundering risk management systems.
Tax evasion is another area in which there has been heightened activity in the region. This has been led by the United States under its Foreign Account Tax Compliance Act (FATCA) and the aftermath of its Swiss bank programme, when the US DOJ announced that it would be following funds that are the subject of US tax evasion from Switzerland to financial centres in Asia, such as Hong Kong and Singapore. The pressure on taxpayers and financial institutions has been accelerated and broadened further by the Organisation for Economic Co-operation and Development’s Common Reporting Standard. The ‘follow the money’ initiatives that are being pursued by a number of jurisdictions, including the United States, have highlighted Asian financial centres as targets. The Indonesian tax amnesty – the aim of which was repatriating off-shore funds – is another obvious example, as a vast majority of the funds were located with banks in Singapore. The upshot is further focus on banks in the region, with authorities in India, Australia and New Zealand showing an appetite for reviewing tax-sharing information to root out corporate tax evasion, particularly through multilateral treaties to prevent base erosion and profit shifting.
Fraud, particularly tax and accounting fraud, continue to occupy law enforcement too. In one of the most significant recent examples, Punjab National Bank – one of India’s largest state-owned banks – reported massive fraudulent activity at its Mumbai branch by junior branch officials issuing fraudulent letters of credit, resulting in fraudulent transactions amounting to nearly US$2 billion.
Cybercrime is now a board-level issue regardless of jurisdiction, but some of the biggest corporate investigations have been in Asia-Pacific. Asia is considered relatively insecure in terms of infrastructure, meaning cyberattacks are more common there. Singapore, one of the leading global digital economies, has become a target, particularly in the health sector. Elsewhere, Toyota Corp suffered a series of data breaches in Australia, Thailand, Vietnam and Japan, while in the Philippines, retailer Cebuana and two fast-food chains, Wendy’s and Jollibee, suffered major cyberattacks. In response, domestic authorities and regulators have increased compliance and reporting requirements. This turns up the temperature on corporates, who must be ready for internal and external investigations emanating from cybercrime.
A shift from individual to corporate liability
Historically, enforcement agencies in Asia-Pacific have focused on individual criminal liability in the context of public sector bribery, often concentrating on prosecuting the government officials receiving the bribes. However, there have been some clear shifts in focus, demonstrated by legislative changes and statements made by enforcement agencies. The most uniform shift in a number of Asia-Pacific jurisdictions relates to the introduction of corporate criminal liability and accountability of senior management. Thailand, India, Japan, Singapore, Malaysia, Indonesia and China have all introduced legislation making it easier either to attach corporate criminal liability or to penalise companies involved in bribery. Australia has announced a review of corporate criminal responsibility, to be delivered in 2020. India, Indonesia, Malaysia and Thailand were all inspired by the UK Bribery Act section 7 corporate offence in crafting their own legislation. In simple terms, under these often still fairly new rules, companies may be held criminally liable if their employees or agents or otherwise ‘associated persons’ commit bribery or other criminal offences while acting on behalf, or for the benefit, of the company. As is the case under the UK Bribery Act, these rules take into account whether a company had adequate procedures in place to prevent the criminal offence when determining the company’s liability. While some provisions are limited to bribery offences (e.g., in Malaysia and India), others are more broadly drafted to cover other criminal offences as well (e.g., in Indonesia). On the other hand, the new corporate criminal liability offence recently introduced in Vietnam covers tax evasion and money laundering offences and does not extend to bribery offences.
The corporate liability offences plug gaps in domestic regimes, give law enforcement and regulators greater powers, and ease the requirement of meeting the difficult threshold of showing involvement of the ‘directing mind and will’ of the company to establish corporate liability. Critically, there is increasing pressure on companies to put adequate procedures and controls in place to prevent bribery if they wish to escape liability for misconduct carried out by employees or agents when acting for the company.
The new corporate liability provisions in Malaysia and India make it clear that they cover foreign entities that carry on their business, or part of their business, in the jurisdiction. Indonesian laws go one step further and provide that a group company, including a parent or affiliate company, may be held criminally liable if it is considered to be involved in the bribery. As a result, companies operating in the region should ensure that appropriate internal control measures are in place or re-evaluate their measures so that they comply with relevant domestic guidelines. The increased corporate exposure has also resulted in investors and, in some instances, lenders conducting heightened compliance-related due diligence on local companies before entering into a merger or a joint venture, or making an investment to gauge and manage their exposure.
Senior managers are also facing enhanced exposure to liability, putting their companies under additional compliance risk. A Senior Managers Regime, similar to the UK’s Senior Managers’ and Certification Regime, has been introduced in Hong Kong and Singapore to enable the financial sector to improve the individual accountability of senior managers. Anti-bribery provisions in Malaysian, Indian and Indonesian laws potentially extend criminal liability to senior management. This means that senior managers may be held liable for bribery committed under their watch when they are seen to have either proactively authorised or at least known of, and acquiesced in, bribery. Although largely untested at this stage, there is a risk that liability may be inferred when there is a suspicion of bribery and a senior manager does nothing to stop the bribery or turns a blind eye to clear indications of bribery. Indonesian law potentially goes further, in that senior management may be held responsible for wrongdoing by employees or agents acting on behalf of a company simply based upon their status.
Other trend shifts relate to broadening the focus to cover private sector bribery and supply-side bribery to an increasing extent. Notable illustrations of the former are the recent introduction of a private sector bribery offence in Vietnam and the fact that around 70 to 80 per cent of bribery-related prosecutions in Singapore and Hong Kong relate to incidents within the private sector. Although public sector bribery is still traditionally considered to attract a higher level of enforcement risk, it is important not to lose sight of the criminality of private sector bribery. In jurisdictions that still ‘only’ provide for prohibitions on public sector bribery (e.g., India and Indonesia), the scope of who may be considered a ‘public official’ is often extended. Further, recent legislative changes in India have introduced a supply-side bribery offence and officials at Indonesia’s anti-graft body, the Corruption Eradication Commission (KPK), have been issuing statements indicating that they intend to focus more on the givers of bribes and not just on the public officials receiving the bribes.
Culture has become a central tenet of -– and compliance imperative for – corporate investigations in the region. Banks in particular have been facing a culture and conduct storm. The Banking Royal Commission in Australia best illustrates the role of corporate culture at the meso (organisation) and macro (industry) levels.
With most jurisdictions moving to disclosure-driven, risk-based systems, an assessment of corporate culture involves a top-down review to assess the readiness of a company to limit the occurrence of misconduct and its reaction to it once on notice. A failing corporate culture can be evidenced by any of the following: a lack of corporate policies and training, poor tone from the top, turning a blind eye, and express or tacit authorisation of poor conduct.
UK Bribery Act-inspired legislation in certain jurisdictions, particularly those with adequate procedures defences, highlights the growing relevance of corporate culture in Asia. Further, corporate culture continues to affect enforcement outcomes. For example, the US DOJ Criminal Division’s updated Guidance on the Evaluation of Corporate Compliance Programs helps to benchmark the effectiveness of a company’s compliance programme. The Guidance assists US authorities with decisions when conducting an investigation, determining whether to bring charges or negotiating pleas or other arrangements. Whether in the United States, Asia-Pacific or elsewhere, the Guidance sets out useful prompts for a best practice compliance framework. Given the propensity of regulators to borrow from each other’s procedures and practices, it will also be of interest to companies subject to regulatory scrutiny, investigation or enforcement outside the United States, as a benchmark for appropriate remediation and resolution.
Guidance was also recently issued by the Prime Minister’s Department in Malaysia setting out anti-corruption programmes and procedures to be adopted by companies doing business in Malaysia. The guidance (which is similar to guidance issued in the United Kingdom under the Bribery Act 2010) describes an effective, risk-based compliance programme that minimises the risk of misconduct occurring and, where it does occur, mitigates the potential consequences for the company.
Information-sharing and multi-jurisdictional investigations
It is rare for an allegation into corporate misconduct to remain a domestic affair, such is the global nature of today’s commerce and communication. Regulators are ramping up cross-border co-operation and resolutions in response. Some very high-profile corporate investigations demonstrate how concurrent multi-jurisdictional investigations are now the norm. It is noteworthy in this context that cross-border information-sharing between authorities is often informal and will not always follow formal and time-consuming procedures under mutual legal assistance treaties.
The Rolls-Royce settlement covered allegations that Rolls-Royce bribed officials in multiple countries for a period of more than 20 years. The British company’s alleged bribery of Garuda Airlines and other Indonesian officials was covered in the £671 million settlement Rolls-Royce reached with the UK’s Serious Fraud Office (SFO), the US DOJ and Brazil’s Federal Prosecution Service in January 2017. The KPK in Indonesia has been questioning individuals at Garuda, and in August 2019 arrested Garuda’s former president, Emirsyah Satar, who stands accused of accepting several illicit payments totalling €1.2 million (US$1.5 million) and other items worth US$2 million. The KPK has charged him with money laundering and will take forward his prosecution, while also pursuing related individuals. Meanwhile, Garuda is suing Rolls-Royce for compensation in the Indonesian courts. More recently, Indian authorities, including the Central Bureau of Investigation, have also opened an investigation into the use by Rolls-Royce of third-party intermediaries to win contracts.
GlaxoSmithKline plc (GSK) is another famous example of a global brand being caught up in bribery in Asia, leading to investigations and charges in multiple jurisdictions. Between 2004 and 2010, GSK’s sales teams in China were alleged to have bribed doctors to prescribe GSK products. A Chinese court fined GSK China a record 3 billion yuan (US$492 million) for bribery in 2014. The former head of GSK China and four other former GSK senior executives were also found guilty, and GSK China’s financial compliance and legal departments were found to have been complicit. Related international investigations have been carried out in the United States by the DOJ and the Securities Exchange Commission (SEC) for potential violations of the Foreign Corrupt Practices Act, and in the United Kingdom by the SFO for possible breaches of the Bribery Act. The US investigation ended in a settlement in October 2016, with GSK paying the US SEC a US$20 million civil fine. The DOJ and the SFO later declined to prosecute.
Privilege and data privacy: complexities in Asia-Pacific
With a mixture of common law and civil law jurisdictions, law enforcement agencies and regulators in Asia-Pacific adopt very different approaches to legal professional privilege and data protection. For example, China, Japan, Korea, Indonesia, Thailand and Vietnam do not recognise legal privilege, but lawyers owe duties of confidentiality over documents provided to them by their clients. However, this can be overridden by authorities in investigations.
In contrast, common law jurisdictions such as Hong Kong, Singapore, Malaysia, India, Australia and New Zealand all recognise legal privilege to a greater or lesser extent. In general, internal investigation notes and investigation reports produced in the context of corporate investigations may be covered by legal privilege and protected from disclosure in common law jurisdictions, depending on the extent of involvement of either internal or external lawyers in the investigation process. In the same vein, there is a basis for pushing back against seizure of privileged material during dawn raids or other inspections by authorities and regulators. This does not apply in civil law jurisdictions, meaning that in cross-border investigations, the approach of authorities and regulators on the question of legal privilege can be diametrically opposed. Corporates and their lawyers will often try to assert legal privilege in civil law jurisdictions, expecting it to be claimed as part of a broader regional investigation in which common law jurisdictions are also involved. However, this will not prevent documents and data being seized or handed over to authorities and regulators in civil law jurisdictions. Such bodies could potentially then share the evidence with authorities and regulators overseas, resulting in a broader loss of privilege protection.
A related issue is data privacy. In the context of cross-border investigations, the extent to which Asian countries restrict data transfers off-shore varies. India, for example, has no specific legislation covering data protection, and provisions on international data transfers in its proposed (draft) Data Protection Bill are expected to be watered down before it is brought into force. New Zealand is also in the process of bolstering its existing data privacy regime. In contrast, China and Korea, for example, already impose very strict data protection requirements. In China, state secrets laws are usually also engaged, preventing the transfer off-shore of documents that may contain politically sensitive information. In practice, most multinational companies in the region tend to seek employee consent to data use and transfer at the on-boarding stage. However, these may not suffice under local laws, which should always be checked.
The extraterritorial nature of the EU General Data Protection Regulation (GDPR) adds a further potential layer of complexity for corporates operating in Asia-Pacific, since many have branches or processing operations within the European Union. The mega-fines issued recently pursuant to the GDPR are a sober warning to all companies, regardless of location. Ensuring that the processing of data complies with the GDPR, where it applies, is a commercial imperative. In the context of investigations, the GDPR, in line with most domestic data privacy laws, gives authorities the right to receive from investigated companies or other authorities, personal data in the context of regulatory criminal investigations. In internal investigations, a combination of processing conditions under the GDPR and local data privacy law exemptions and derogations (where applicable) will dictate whether transfers are permissible. This needs to be assessed in each individual case and will remain an area of interest in investigations in the region.
Increased pressure and incentives to co-operate
Asia-Pacific has seen the emergence of corporate settlement regimes in recent years. As seen in the United States and the United Kingdom, deferred prosecution agreement (DPA) regimes create strong incentives for self-disclosure by companies, and those that disclose, co-operate and remediate may avoid prosecution in favour of fines or monitorship.
These voluntary self-reporting regimes are to be differentiated from statutory reporting obligations that exist under many anti-money laundering laws across the region and in some jurisdictions in relation to some predicate offences. Anti-money laundering laws may require the reporting of a suspicion of criminal proceeds flowing from a criminal act such as bribery. Laws in Malaysia and Vietnam go further and require the reporting of a bribery offence (regardless of whether the offence has resulted in criminal proceeds). The failure to report will often in itself constitute a criminal offence, and reporting obligations will need to be kept in mind whenever potential criminal misconduct is being investigated.
In anticipation of a new DPA regime in Australia, various authorities, including the Federal Police, have issued self-reporting guidelines to assist corporations that wish to self-report actual or suspected foreign bribery offences. Self-reporting (together with co-operation) will be taken into account both in deciding whether to prosecute and, if prosecuted, as a mitigating factor during sentencing. Early guilty pleas by a company may also result in significant reductions in sentencing. Federal DPA legislation is expected to be introduced in Australia in late 2019. New Zealand’s regime falls short of a DPA system, but certain agencies, such as the Financial Markets Authority, may obtain ‘enforceable undertakings’ that help companies avoid prosecution.
Financial regulators such as the Securities and Futures Commission in Hong Kong, in limited circumstances, entertain negotiation resulting in reduced sanctions or declinations to prosecute. India and China have no non-prosecution agreement or DPA system, although in practice, self-reporting and co-operation may be taken into account in mitigation.
DPAs were introduced in Singapore in late 2018. This followed on the heels of the first multi-jurisdictional DPA entered into with the US DOJ involving Singapore authorities. This was a rare example of a Singapore company being penalised by Singapore authorities under national anti-bribery laws for bribery committed abroad. It was by far the highest penalty levied against a Singapore company and was the first DPA involving co-operation between the Brazilian, Singapore and US authorities. Singapore’s DPA regime is similar to the UK’s except that Singapore DPAs cover a more limited range of criminal offences and Singapore prosecutors are not required to issue guidelines on when a DPA is appropriate and on what ‘discounts’ may be offered in the case of self-reporting, meaning that prosecutors retain maximum flexibility. Further, the Singapore DPA regime is unusual in that, unlike other jurisdictions with a DPA regime, Singapore has not yet introduced a corporate bribery offence, which means that there is likely to be less of an incentive to self-report and seek a DPA.
In Japan, a plea bargaining regime was introduced in June 2018. Unlike DPAs, this applies to individuals, not companies. Suspects and defendants will be rewarded with leniency if they co-operate by providing information or evidence in resolving another person’s crimes or by giving depositions against partners in crime (including corporates). This is likely to lead to an uptick in corporate investigations, as individuals become incentivised to inform the authorities about the activities of others, including their employers.
Whistleblowing regimes are a corollary of DPAs; both encourage early notification and co-operation. Australia has introduced new whistleblower protection laws, which came into effect on 1 July 2019. These strengthen protection and compensation for whistleblowers and impose on regulated companies the requirement to implement corporate whistleblowing frameworks, including confidentiality and non-retaliation provisions. India passed a Whistleblowing Act in 2014 but it has not yet been brought into effect. Japan is consulting on expanding whistleblower protections as current laws have been criticised as a toothless tiger, owing to the lack of sanctions on companies that treat whistleblowers unfairly. Hong Kong and Singapore still lack dedicated whistleblower legislation, but do have provisions in a patchwork of laws and regulatory requirements to protect whistleblowers in certain circumstances. China’s whistleblower legislation goes further than most in the region in including a reward mechanism for whistleblowers who report crimes to people’s procuratorates. Various other financial reward schemes are scattered in sector-specific regulations. However, this does not compare to the huge financial incentives and bounties available in the United States under the Dodd-Frank Act. Regardless of incentives and protections, in Asia at least, there remain cultural and hierarchical norms that often militate against blowing the whistle and reporting up. These may mean that new legislation has limited traction, but time will tell.