Navigating Global Compliance Issues

This is an Insight article, written by a selected partner as part of GIR's co-published content.

Introduction

In a world facing ever-intensifying regulatory and stakeholder scrutiny and increasingly complex geopolitical and economic circumstances, it has never been more important – or challenging – for multinational organisations to navigate global compliance issues. How do organisations develop a robust approach to compliance and seek not only to overcome the challenges faced in today’s global market, but also to thrive from them? Drawing on insights across our international team, we explore some of the many compliance challenges posed across the world and what they might mean for organisations.

This chapter serves as a ‘survival guide’ for in-house legal and compliance teams by providing guidance and tools at every stage of the compliance process, including a list of steps to take when managing crises and internal investigations.

Compliance risks and what to be thinking about now

International business expansion, not to mention recent economic disruption and inflation, has brought countless legal challenges, such as the growing exposure to bribery, corruption, money laundering, sanctions risks and regulatory enforcement. As companies move into new and emerging markets, risks of fraud and corruption follow right behind.

In response, US[2] and European[3] governments have devised their own legal regimes for counteracting threats to business abroad, as have several states in other regions. For example, many countries within the Arabian Gulf, Africa, Asia and South America prohibit the bribery of foreign public officials as well as domestic bribery, although with varying levels of enforcement.[4]

At the same time, legislators and regulators are imposing ever stricter compliance requirements on companies around the world, from dealing with whistleblowers to preventing human rights violations in supply chains. This has created a labyrinth of legal risks for organisations to navigate. Here, we highlight some of the key ones to be thinking about.

Know the risk vulnerabilities in your business

Behavioural misconduct risks (e.g., bribery and corruption) often vary depending on the country and the nature or sector of the business in question.

For example, the Asia-Pacific region is a highly dynamic market, comprising a broad spectrum of economic, political and cultural systems. Well-developed and more developing economies reside in close proximity to each other, as do some of the most open and protected markets in the world. Within Transparency International’s Corruption Perceptions Index 2022,[5] there is a diverse range of rankings from Denmark, Finland and New Zealand (with scores of 90, 87 and 87 respectively) to North Korea (score of 17) and Somalia (12). Each country needs to be considered individually when assessing bribery and corruption risks.

Some common themes characterise bribery and corruption risks in the Asia-Pacific region:

  • deeply rooted traditional influences on East Asian business culture, particularly concerning an emphasis on relationships, giving gifts and reciprocal patronage;
  • a record pace and scale of foreign direct investment in some of the rapidly growing economies, which has created a flood of capital that can be abused where internal controls are inadequate;
  • massive infrastructure spending as the region is transforming at an unprecedented speed to build hospitals, airports, highways, telecommunications, utilities and high-speed rail; and
  • the pressure to sustain and expand growth, which is profound in the region. One consequence of high single-digit and double-digit growth in the Asia-Pacific emerging economies is an expectation that this will continue indefinitely, sometimes leading to unrealistic targets. This can create a ‘growth at any price’ culture, which can lead to corruption, fraud or unethical behaviour to maintain a growth-forward image.

In terms of sector-based risks, considering the financial services sector for example, asset management firms have been the focus of scrutiny by the US Securities and Exchange Commission (SEC) and US Department of Justice (DOJ) for several years. US regulators view sovereign wealth funds as instrumentalities of their respective governments and, accordingly, consider sovereign wealth fund employees to be foreign government officials for the purposes of anti-bribery and corruption enforcement.[6] Consequently, asset management firms need to be particularly careful about assessing the full range of counterparties, clients and other business relationships that may fall within the broad definitions of ‘government officials’ or ‘affiliates’.

Similarly, private equity firms and hedge funds that invest in international markets and corporations can find themselves in a dangerous or costly position if anti-bribery violations occur at the portfolio level. This emphasises the need for risk-based anticorruption due diligence procedures to assess bribery and corruption risks and to develop a plan to monitor and mitigate those risks.

Sanctions and trade controls related risks

Various sanctions regimes (and companies’ efforts to comply with them) had already consumed a huge amount of compliance resources even before the start of the war in Ukraine in February 2022, with key focuses being on the economic sanctions and other restrictive measures imposed by the European Union and the UK and US governments. The sanctions imposed on Russia in response to the war have brought the importance of compliance with sanctions, export controls and other restrictive measures into sharp focus. This has highlighted how quickly the landscape can change and, therefore, how quickly organisations must be able to adapt.

Sanctions and export control compliance is expected to be a key priority for relevant enforcement agencies in the years ahead, including those agencies that impose, administer and enforce sanctions, such as the US Treasury Department’s Office of Foreign Assets Control and the US Commerce Department’s Bureau of Industry and Security in the United States, the Office of Financial Sanctions Implementation in the United Kingdom, the customs office and state prosecutors in Germany and equivalent agencies across EU Member States. This has already resulted in agencies directing greater resources towards sanctions and trade control enforcement in various jurisdictions. In some countries, enforcement quickly picked up speed. In 2022, for example, Germany conducted more than 100 criminal proceedings for violations of Russian and Belarusian sanctions.[7]

Additionally, some industry regulators (e.g., financial services regulators) are expected to focus on ensuring that companies have implemented tailored and effective risk-based sanctions compliance controls.[8]

These changes in the enforcement environment are coupled with new regulations and tools to assist the agencies in holding individuals and companies to account for breaches. As part of these moves, the EU Commission intends to introduce criminal offences and penalties for the violation of EU sanctions, with an expectation that Member States will increase their efforts to enforce EU sanctions.[9] These penalties would be substantial, with most attracting a minimum fine of 5 per cent of worldwide annual turnover. Further, in June 2022, the United Kingdom amended its civil penalties regime for sanctions breaches to introduce strict liability (i.e., by removing the need to prove intent or knowledge of a breach).[10]

ESG risks

For major companies, environmental, social and governance (ESG) issues are not a new phenomenon, but the spotlight has intensified. There is now a raft of ESG-related regulations and legal risk issues that did not exist 10 years ago. That will only escalate, leading to greater investigations and enforcement risk, alongside the potential for litigation and reputational damage.

ESG issues do not exist in a vacuum. They are interrelated with, and in some cases are a rebranding of, many other risks, including market abuse and fraud risk relating to company disclosures, public statements and regulatory filings; sanctions and export control risks; and money laundering. All of these can result in criminal liability. A robust approach to compliance and governance issues is therefore essential to protect against a range of ESG and related risks.

Global compliance teams should be alive to the risks arising from increased scrutiny of company disclosures and public statements on ESG. There is a strong focus on what companies are saying about their ESG efforts and the impact of the ESG agenda on their business and outlook. As with all company disclosures, public statements about ESG issues need to be carefully calibrated and reflect reality to avoid any allegations of ‘greenwashing’, fraud or breach of market regulations. Assurance and verification are, therefore, key.

It will also be important for compliance teams to keep up to date with the fast-evolving law in this area. In recent years, many new laws have been enacted in respect of transparency and due diligence within supply chains.[11] More laws are on the horizon that will create further due diligence and related obligations on companies aimed at identifying, preventing and mitigating actual and potential adverse effects on human rights, including labour rights, and the environment.[12] In this context, the European Commission’s proposal on sustainable corporate governance includes a proposed directive[13] that would create obligations on large companies (and smaller companies in particularly sensitive sectors) to carry out due diligence in their global supply chains with the above-mentioned aims.

Compliance teams will have to consider whether they need to adapt their existing processes to meet the differing requirements of the various laws to which they may be subject. This may include updating their risk assessment processes and codes of conduct and policies, reviewing supplier due diligence and management processes, considering whether further contractual assurances from business partners are required, establishing or amending complaint mechanisms, and ensuring monitoring procedures sufficiently take into account ESG issues. A particular problem arises where management teams must comply with – often conflicting – legal requirements and investors’ or other stakeholders’ expectations surrounding ESG commitments and sustainability.

The focus on ESG brings the need for robust compliance and governance into sharp focus. On the one hand, this creates even greater pressure on compliance measures; on the other hand, it creates an opportunity for compliance teams when looking to justify investment or seeking board buy-in for certain activities.

Cybersecurity risks

In the wake of high-profile cyberattacks during the past few years, and particularly following the global covid-19 pandemic with many organisations now operating more remotely than before, organisations have had to focus their attention increasingly on cybersecurity, and the relevant policies and procedures to prevent and minimise the damage caused by cyberattacks. Attackers are becoming ever more organised, and phenomena such as hackers for hire or state-sponsored hackers are blurring the lines between organised crime and cyberwarfare.[14]

Cyberattacks can come in many forms. One of the most well known is ransomware, a type of attack in which the perpetrator encrypts a company’s data or otherwise disrupts a company’s systems and will only release the data or cease the disruption if paid a ransom. Often, failure to pay can result in the destruction or leak of the data. Ransomware attacks create many difficult issues, including potential criminal risk if payment of the ransom is itself a crime. For example, payment of monies to a hacker may risk breaching anti-money laundering or economic sanctions laws.

Fraud risks

Fraud risks can manifest for global companies in many ways, including a company being targeted by fraudsters or somehow being used by rogue actors internally or externally to perpetrate or facilitate fraud. Addressing fraud is a key priority for many governments across the world. One example of this is the UK government’s planned introduction of a corporate offence of failure to prevent fraud.[15] This new offence will increase the threat of criminal prosecution for companies and impact how businesses currently manage the risk of fraud.

Transactional risk

Compliance should always be at the heart of transactional considerations, given the growing risk of transactions involving compliance issues. In an increasing number of jurisdictions, an acquirer can be exposed to successor liability if a company in which it acquires a significant stake has engaged in improper activities, and adequate due diligence or remedial measures were not undertaken by the acquirer. If transactional teams are not properly attuned to these compliance issues, sellers can become subject to warranty claims (to the extent that these are available), and buyers will not receive the company they thought they were buying (or value for what they paid for it) or, even worse, may themselves become the subject of regulatory action. The compliance issues and risks inherent in transactions send a clear message that traditionally back-office functions should be front of mind for transaction teams.

Preparing for global compliance risks

Here, we discuss the essentials of an effective compliance framework to help companies prepare for and survive global compliance risks. These are key areas to commit appropriate resources to mitigate business risks.

Compliance framework

At a basic level, companies should have robust internal systems, policies, procedures and functions to ensure that a culture of compliance is entrenched in the company structure. At a minimum, companies should adopt a clear code of conduct tailored to the company’s risk profile that is easy to understand and provides examples relevant to the organisation.

A company’s code of conduct should be published and openly circulated. The company should require all members of the organisation – including intermediaries, third parties and others acting on its behalf – regardless of seniority, to adhere to the code, rules and regulations both inside and outside the workplace. New joiners should be required to read and understand the code of conduct.

A robust internal audit function that reports to an independent risk and audit committee, or similar, has a key role in checking adherence to the relevant policies and rules. Internal audit functions also need to be properly staffed and resourced by experienced professionals. Audits and risk assessments should be carried out frequently to keep diligence and investigation functions on their toes.[16]

Although these elements of a compliance framework apply to all companies, additional attention is required for the risks specific to a given company’s business. For example, oil and gas, and logistics and distribution companies should ensure that appropriate attention is afforded to anti-bribery and anti-corruption policies, and that diligence of counterparties is appropriately thorough. Pharmaceutical companies would need a similar approach to government tender issues and transparency through procurement, while care must be given in particular by financial institutions to the highly developed anti-money laundering and counter-terrorist financing landscape.

To assess the effectiveness of a compliance programme, guidance from the US Department of Justice (DOJ) places a focus on compliance metrics and data.[17] Given the increasing number of artificial intelligence (AI) tools available, companies should consider how AI can assist in the process of monitoring compliance and identifying risk to ensure that they have the most effective procedures in place – always ensuring they are doing so in a way that is consistent with other obligations (e.g., data privacy or employee rights).

Corporate culture and training

Although difficult to define, all members of an organisation understand its culture as ‘the way we do things around here’. Ensuring that a proper compliance framework is in place is key to a company’s compliance robustness, but the effectiveness of governance still depends on the culture and ethos of the organisation. As one legendary management consultant put it: ‘Culture eats strategy for breakfast.’[18]

A culture of integrity and openness will allow employees to raise and deal with compliance issues far better than an institution with well-written procedures but whose policies are not followed in practice. Fostering culture starts with the board and top management expressing and reinforcing the culture of the company. Culture is further reinforced through regular training.

Evidence also suggests an increasing correlation between corporate culture and compliance. In March 2023, the US Department of Justice launched a three-year pilot programme on compensation incentives and clawbacks.[19] The programme promotes prohibitions on bonuses for employees who do not satisfy compliance performance requirements and disciplinary measures for employees who violate applicable laws, alongside incentives for employees who do satisfy compliance requirements. These measures are intended to promote compliance at all levels within companies and place a new importance on adherence to company policies and relevant laws.

Board engagement and tone from the top – not forgetting the middle

In any organisation, keeping compliance front of mind and on the agenda for any board and middle management is key. Board and middle management engagement is an essential way of ensuring that any change required in anticipation of (or in the wake of) an emergency can be implemented across the company as thoroughly as possible.

Furthermore, training members of the board and middle management on compliance issues is important to ensure that they become models of compliance for the rest of the company. The example set by members of the board or middle management will be key in establishing a rigorous internal compliance framework to ‘walk the talk’ when it comes to internal group policies.

It is also important to ensure that attitudes to compliance by board members and senior staff are proactive. Many boards already embrace compliance as a key function to ensure that the organisation and its people are protected. But compliance functions inevitably have to compete with many other issues for a board’s attention – making sure there is a standing or regular item on board agendas to address compliance issues can help keep it front of mind.

Boards and middle management should be aware that their actions in the wake of a crisis can be closely scrutinised, from within or outside the company, and ensuring that members are properly aware of, and trained about, relevant issues is the best way of ensuring that boards handle compliance issues properly, as and when they arise.

Speak up and listen

‘Speak up’ or whistleblowing programmes involve an internal or external company hotline that allows employees and directors (and sometimes third parties) to report misconduct anonymously. To be effective, companies need to ensure that reports go to an independent person distinct from management, and that person should have a communication channel with the anonymous whistleblower. Companies need to know how to handle whistleblower reports and when to initiate an internal investigation. To be effective, whistleblower programmes should also be publicised to the persons who are to use them – no system, however robust, will be of much use to a company if employees and directors are not aware of it.

As well as fostering a speak-up culture, companies also need to ensure that any whistleblower reports reach trained ears. Recipients should be independent and undertake training on receiving and handling complaints, specifically on how to escalate issues in the correct way, as well as being as open and transparent as possible in dealing with those who are making complaints. In the Middle East and North Africa, for example, where whistleblower laws and programmes are emerging, training compliance professionals on how to manage complaints and when to conduct an internal investigation or escalate issues is key. There can be a perception that there are no issues to address, when in fact there could be a lack of a speak-up culture, or compliance is not aware of how to manage reports.

Employee monitoring

Monitoring is a key aspect of compliance, although monitoring and reviewing employees’ communications and activities must always be done in compliance with applicable employment, data protection, privacy and telecommunications laws, as well as company policy. The legal context may vary considerably across jurisdictions. Global companies will face a whole spectrum, from very robust and established data privacy laws, to those that are more nascent and untested, to countries where no specific data privacy legislation exists (although other legal mechanisms may be relevant, such as any constitutional right to privacy).

Compliance teams should consider:

  • the legal basis for any monitoring;
  • whether consent or advance notice to the employee is required, the form that should take and any restrictions or limitations on the degree of reliance on that consent or notification. For example, consider whether the consent has to be freely given and whether that is possible in the employer/employee context;
  • the scope of data collected and how it will be reviewed and stored. For example, Article 5 of the EU General Data Protection Regulation (GDPR) enshrines principles such as data minimisation, storage limitation and purpose limitation. New data protection laws implemented throughout the Arabian Gulf countries in the past few years mirror these principles;[20]
  • whether any types of data are considered sensitive or otherwise within a special category that requires extra care or specific procedures;
  • whether there are restrictions on exporting the data out of the jurisdiction or transferring data to another entity. For example, China has passed a number of laws that have gradually tightened the flow of data from China to other jurisdictions (e.g., the Data Security Law and the Personal Information Protection Law, effective from September 2021 and November 2021, respectively);
  • what documentation may be required. For example, under the GDPR, organisations should record the measures they have taken with regard to data and data privacy (e.g., during an investigation). This is important because the risk of a potential audit from a supervisory authority is real, especially as data privacy is often used as a weapon by individuals who are the subject of an investigation and who may face disciplinary or other action. Other documentation may be required, including contractual protections in agreements with relevant third parties or intercompany data transfer agreements to ensure that group data transfers are compliant with local data transfer restrictions; and
  • any other steps that may be required to ensure fair treatment of employees and compliance with the relevant local laws.

In considering how to apply global standards, particularly if internal investigations may be conducted across borders or even continents, the best practice is to adhere to the highest common denominator of privacy standards in the applicable jurisdictions. Furthermore, companies should consider having appropriate policies in place as regards acceptable use and investigation, and ensure that they update any consent requirements under employment agreements where applicable.

Due diligence and risk assessments

For a compliance framework to be effective, it is crucial to consider conducting regular due diligence of third parties (e.g., vendors and distributors) as well as conducting periodic risk assessments. Due diligence helps to mitigate the risk of a company working with sanctioned persons or related parties, or exposing itself to corruption or to risks relating to environmental, social and governance (ESG) issues.

As mentioned, the type and extent of diligence procedures with third parties will vary for each company or transaction, with certain risks posing a greater threat to companies in different sectors; however, putting policies in place and providing the appropriate training to employees for them to know which type or level of due diligence applies in a given situation is key.

Additionally, external advisers and lawyers should be instructed where appropriate as early as possible to assist in any such diligence exercise, especially where the due diligence requirements are extensive.

Due diligence can vary in scope. Companies may consider screening customers and counterparties to check whether they are sanctioned, and carrying out standard anti-money laundering and know-your-customer checks. In addition, there may be higher standards for due diligence in certain areas in light of regulators’ focus on bribery and ESG issues (where a company’s reputation can be as important to its business as its adherence to regulation).

Risk assessments, typically conducted by consultant lawyers and accountants, can also be a useful tool to measure compliance effectiveness in a specific area or function and may provide strategies for enhancement.

What to do when something goes wrong: survival checklist

When misconduct occurs, companies need to respond quickly to contain, manage and remedy the crisis. The first step is to determine the nature of the misconduct, gather preliminary facts about the issue, immediately stop any ongoing violations and, where necessary, assemble an independent team to investigate the alleged misconduct.

Where allegations of behavioural misconduct occur, companies might consider whether to conduct an internal investigation and whether to engage external consultants to assist. Companies might also consider which protocols or policies could apply and ensure that the investigation team is aware of them.

To assist in-house counsel and compliance professionals in managing these often time-critical situations, a checklist has been set out in the appendix at the end of this chapter. It contains practical considerations and steps a company might consider taking when faced with allegations of misconduct. The checklist is not intended to be an exhaustive list of what to do and how to react in the event of a crisis or investigation, but it is a helpful guide to some of the key issues to consider.

Depending on the nature of the incident, various items in the checklist may need to be reordered or prioritised. The list should also be supplemented with professional advice where necessary, particularly in the event of time-sensitive or cybersecurity incidents.

What to do next and going forward

When the dust from any incident, crisis or investigation has settled, organisations should ensure that they are proactive in implementing any necessary changes and taking the business forward, having learned the lessons of any investigation. This is a key factor in business resilience – the ability to overcome difficult situations.

Remediation

Remedial issues should be a priority coming out of any critical situation, as good organisations will want to ensure that lessons have been learned and the same mistakes are not repeated. Accordingly, it is critical that organisations conduct investigations into exactly what went wrong in a specific situation, where mistakes were made, and what should have been done instead, while taking care to avoid any damaging tendencies, such as scapegoating employees unfairly.

Once an organisation has assessed and identified learning points from a situation, it is important that appropriate changes be implemented, rather than the matter just being filed away in a report. Additionally, training should be delivered to, and conversations may need to be had with, key employees in a constructive way, to avoid any similar mistakes being repeated. The organisation should also use the incident as a case study to teach other and future employees.

Board and middle management engagement

As mentioned previously, organisations should ensure that the members of their boards and middle management engage with compliance issues at all times, but this is particularly relevant in the context of remedial efforts following alleged misconduct or other crisis response. Companies might consider providing board members and middle management with specific training on how to deal with alleged misconduct, and directors should take this into consideration when making decisions about any changes to their business.

Corporate culture and governance

The way in which organisations react and adapt to alleged misconduct contributes to the tone for the culture and governance of those organisations. Implementing and instilling an appropriate corporate culture is not about working to guarantee that no compliance issues arise, but rather, if issues do arise, that they are dealt with transparently and effectively.

Culture, therefore, is key not just to the elements of good practice in the course of normal operations, but also during times of crisis and post-crisis. A culture of integrity will ensure that where mistakes are made in an organisation, people avoid pointing fingers or playing the blame game, and instead focus on how to improve and avoid similar mistakes in the future.

Conclusion

Navigating global compliance is a crucial component of modern international business, and companies should be prepared to mitigate global compliance risks to retain their competitive position in a global business environment. This survival guide has provided a number of tools covering what legal and compliance professionals need to be thinking about and doing, and how to do it. Companies would do well to treat these issues with due importance. With proper consideration of, preparedness for and response to a business’s various compliance risks, particularly by bringing such considerations to front of mind in all operations, companies will be better positioned to mitigate global compliance risks. Furthermore, companies that are most attuned to the risks of compliance pitfalls can ensure their own robustness and resilience in an increasingly competitive business environment.

APPENDIX

Survival checklist for managing legal risks when misconduct occurs

These tables could be expanded to include additional columns or devices to indicate responsibilities, deadlines by which tasks should be completed, the level of urgency or the status of tasks.

1 | Preliminary fact gathering

🗹 Checklist tasks:

  • Preliminary explanation of what occurred and why: who, what, where and why?
  • How was it discovered?
  • Who has knowledge or would have potentially relevant documents or information?
  • What is the value? What is the currency of the transactions?
  • What is the nationality of the persons involved or of management?
  • What initial risks could there be (in country, above country)? Are there regulatory risks or immediate reporting obligations?
  • Are there immediate risks that need to be contained, or a risk of ongoing harm or ongoing violations of law that need to be addressed?
2 | Investigation team and external advice

It is important to consider whether an internal investigation is needed, or whether internal or external advice is sufficient.

🗹 Checklist tasks:

  • Is there a risk of a government investigation or private litigation?
  • Are there reputational risks?
  • Do other risks arise due to the use of the US dollar or the involvement of certain nationals (e.g., US or UK nationals)?
  • Does legal privilege apply, and what is required to maintain that privilege?
  • How significant is the incident (significance may not always be measured in direct financial impact)?
  • Is data in jeopardy of being tampered with or lost?
3 | Assembling the investigation team
Who is best placed to join the investigation team?
🗹Checklist task
Independent in-house counsel
External legal counsel
External forensic consultants
Lawyers are usually best placed to advise on a company's legal risks and to manage an internal investigation. The team should be independent and report to appropriately senior levels within the company. Reporting lines should take into account any potential for actual or perceived conflict of interest. The team should act in accordance with the company's investigation policy (if any).
Once the team is assembled, an investigation governance plan should be developed and tasks in this checklist should be delegated. The tasks may be run concurrently or re-prioritised depending on the nature of the investigation.
4 | Preservation of documents and people
🗹Checklist task
Who has knowledge of what occurred, where are they based, and are they suspected of any wrongdoing?
Who would hold potentially relevant documents and where are they based?
Are any documents in physical form?
Who would want access to the data?
Should a preservation notice be sent to custodians, notifying them that they must preserve potentially relevant documents and of any legal obligations to which the company may be subject? Anyone who holds potentially relevant documents or information is a custodian for the purposes of an internal investigation.
Should data be preserved in place or forensically imaged? Have appropriate steps been taken to ensure that any data collection complies with relevant data privacy laws?
Do any actions need to be taken to secure data before any individuals leave employment?
5 | Communications strategy
🗹Checklist task
If the allegations were true, would reputational risks arise for the company?
Is there a risk the company’s share price could be affected?
Is there financing that could be affected by news of the allegations, or is the company required to notify its financiers?
Are there other stakeholders, even employees, who will need to understand what is happening and what the company is doing to manage it?
Could legal privilege be compromised if information is disclosed?
Could communications result in admissions of liability?
6 | Structuring the investigation and legal privilege
Structuring the investigation is an important matter that must be considered in the early stages of any investigation and when preparing the investigation plan; it will often shape other considerations such as data preservation, collection and interviews. Legal privilege is of vital importance to any company or business that may be subject to external investigation or litigation; therefore, while taking best practice global approaches in structuring investigations, local privilege laws or related protections must also be properly considered.
🗹Checklist task
Which jurisdictions are involved in the investigation? To what extent does legal privilege apply in those jurisdictions?
Where did the alleged misconduct occur? Where do the managers sit?
Where are the investigators located?
Are the allegations confidential or public?
What types of risks does the company or management face?
Where will interviews be conducted?
How can business interruption risks be minimised?
What form will the investigation report take, and what risks are associated with the form of reporting?
How will the company deal with collateral findings?
7 | Consider data protection laws and data subject rights
In the context of an internal investigation, data protection and employee monitoring laws can place restrictions on the processing, review, collection, storage and transfer of data. Several factors should be considered.
🗹Checklist task
Where is the data located?
Where will data be stored for review? Is the platform secure?
What are the data subject rights around personal data in the applicable jurisdictions?
Are any data transfers contemplated? What are the relevant laws relating to data transfers?
Does the company have intergroup transfer agreements in place?
What is the legal basis for the processing of the data?
8 | Data collection and review
🗹Checklist task
Does data need to be collected or preserved to fact-find around the allegations?
How will data collection preserve the integrity of the data (i.e., without changing the metadata, and so that the company can prove that the data has not been tampered with)?
Will evidence be required for formal proceedings?
What do the company’s acceptable use policy, investigations policy and employment policies and agreements say about data collection, processing or review?
Are there paper documents that need to be digitised?
Is the company required to conduct an impact assessment before reviewing voluminous data?
Is a chain of custody form required?
Is an external consultant required to image data and thereby preserve its integrity?
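The integrity and chain-of-custody questions in this section (and the question in section 2 of whether data is in jeopardy of being tampered with) are answered in practice by hashing every item at the moment of collection, recording the hashes alongside the unmodified metadata, and keeping a custody log that cannot be quietly rewritten. The following Python script is an added illustration of that workflow; it is not part of the original chapter and not a substitute for a forensic imaging tool. The file names, custodian and handler names are constructed sample data, and the hash-chained custody log is one design choice among several.

```python
"""Evidence integrity and chain-of-custody illustration (added example).

Assumptions: collected files sit under one directory; the investigator wants to
(1) hash every file at collection (SHA-256) while recording, not altering, its
metadata, (2) keep an append-only custody log in which each entry commits to
the previous one, and (3) re-verify later to show nothing has changed.
All file names, custodians and handlers below are constructed sample data.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files need not fit in memory
GENESIS = "0" * 64  # previous-entry hash for the first custody log entry


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, reading it without modification."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(root: Path, custodian: str, handler: str) -> dict:
    """Manifest of every file under root: hash, size and modification time.

    The original metadata is recorded as found rather than changed, so the
    manifest documents the state of the data at the time of collection.
    """
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            entries[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            }
    return {
        "custodian": custodian,
        "collected_by": handler,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
        # one value to write on the custody form: hash of the canonical file list
        "manifest_sha256": hashlib.sha256(json.dumps(entries, sort_keys=True).encode()).hexdigest(),
    }


def verify(root: Path, manifest: dict) -> dict:
    """Re-hash the collection and report modified, missing and unexpected files."""
    current = {str(p.relative_to(root)): sha256_file(p) for p in root.rglob("*") if p.is_file()}
    expected = {name: e["sha256"] for name, e in manifest["files"].items()}
    return {
        "modified": sorted(n for n in expected if n in current and current[n] != expected[n]),
        "missing": sorted(n for n in expected if n not in current),
        "unexpected": sorted(n for n in current if n not in expected),
        "intact": all(current.get(n) == h for n, h in expected.items()) and len(current) == len(expected),
    }


def custody_entry(log: list, action: str, handler: str, manifest_sha256: str) -> dict:
    """Append a custody entry whose hash covers the previous entry's hash (a hash chain)."""
    entry = {
        "seq": len(log),
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "handler": handler,
        "manifest_sha256": manifest_sha256,
        "prev_entry_sha256": log[-1]["entry_sha256"] if log else GENESIS,
    }
    entry["entry_sha256"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry


def custody_log_valid(log: list) -> bool:
    """True only if every entry's hash and back-link check out in sequence."""
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_sha256"}
        if e["seq"] != i or e["prev_entry_sha256"] != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["entry_sha256"]:
            return False
        prev = e["entry_sha256"]
    return True


def demo() -> dict:
    """Run the workflow on constructed sample files, then simulate two kinds of tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mail").mkdir()
        (root / "mail" / "2023-09-01.eml").write_bytes(b"From: finance@example.test\nSubject: invoice\n")
        (root / "ledger.csv").write_bytes(b"date,amount,ccy\n2023-08-30,12500,USD\n")

        manifest = collect(root, custodian="finance manager (constructed)", handler="investigator-1")
        log: list = []
        custody_entry(log, "collected", "investigator-1", manifest["manifest_sha256"])
        custody_entry(log, "transferred to forensic consultant", "consultant-1", manifest["manifest_sha256"])
        before = verify(root, manifest)

        (root / "ledger.csv").write_bytes(b"date,amount,ccy\n2023-08-30,1250,USD\n")  # edit after collection
        after = verify(root, manifest)

        tampered_log = json.loads(json.dumps(log))  # deep copy, then rewrite an earlier entry
        tampered_log[0]["handler"] = "someone-else"

        return {
            "file_count": len(manifest["files"]),
            "intact_before": before["intact"],
            "intact_after": after["intact"],
            "modified_after": after["modified"],
            "log_valid": custody_log_valid(log),
            "tampered_log_valid": custody_log_valid(tampered_log),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points carry over to real collections: the verification step must be run from the manifest produced at collection time (and that manifest, or at least its `manifest_sha256`, should be handed to the forensic consultant with the custody form), and the hash chain only shows that the log was not edited after the fact; it does not show who edited it, which is why the form still needs signatures.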
9 | Conducting interviews
There is no one-size-fits-all approach to conducting investigations, and the investigation team must consider the nuances of the allegations and the jurisdictions in which they are working.
🗹Checklist task
Where are the interviewees based, and what rules or rights apply in those jurisdictions?
What procedural requirements apply for conducting interviews in the applicable jurisdictions?
Do notices need to be issued before the interviews? What potential consequences may arise from the interviews?
Which languages do the interviewees speak and understand?
What is the level of seniority of the interviewees?
What is the best way to conduct the interviews to put the interviewees at ease, elicit information and limit information leaks?
Where will the interviews be held?
If interviews will be held virtually, how will associated risks be minimised?
How will the interviews be recorded and what legal privilege considerations apply?
10 | Closer assessment of regulatory/reporting risks
In many jurisdictions, companies have a responsibility to report certain incidents as and when they arise, such as a data breach. Seeking legal advice is key in making a decision to report and deciding the form and wording of any report.
🗹Checklist task
Given the alleged misconduct, what reporting requirements could arise?
What is the timing of the reporting?
When are the reporting obligations triggered?
What considerations apply if a potential self-reporting obligation arises?
Does the company face any reputational risks for reporting or failing to report?
11 | Remedial issues
From any investigation, lessons are learned to remedy failures and strengthen business culture and controls.
🗹Checklist task
What policies, procedures or controls could be improved?
How can compliance frameworks be enhanced?
How can business culture be strengthened?
Was the misconduct reported through a whistleblower line? If so, what was the effect on the whistleblower, and what could be improved? If not reported, how could speak-up programmes be improved to detect incidents sooner?
How can training programmes be improved?
How can management and the board be more engaged?

Footnotes

[1] Ali Sallaway, Daniel Travers and Xin Liu are partners and Zara Merali is a counsel at Freshfields Bruckhaus Deringer LLP. The authors would like to thank their colleagues Marco Hughes (associate) for his invaluable research assistance and contributions, and Andrew Bulovsky (associate) for his contributions.

[2] For example, the Foreign Corrupt Practices Act 1977 (FCPA).

[3] For example, the UK Bribery Act 2010 and French Law No. 2016-1691 (Sapin II).

[4] For example, South Africa, Brazil, Colombia, Cambodia and Oman have laws prohibiting bribery of foreign public officials.

[5] Transparency International, ‘Corruption Perceptions Index’, www.transparency.org/en/cpi/2022 (accessed 4 September 2023).

[6] US Department of Justice (DOJ) and the US Securities and Exchange Commission (SEC), ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act’, 2nd edn., July 2020, p. 13. See also, for example, the 2015 resolution between the SEC and BNY Mellon to settle charges that the latter violated the FCPA by providing valuable student internships to family members of foreign government officials affiliated with a Middle Eastern sovereign wealth fund. See SEC Press Release No. 2015-170, ‘SEC Charges BNY Mellon With FCPA Violations’, www.sec.gov/news/press-release/2015-170, 18 August 2015 (accessed 4 September 2023).

[7] Eric Beres, SWR Research, ‘Many proceedings for infringements of sanctions’, 23 September 2022, www.tagesschau.de/investigativ/swr/sanktionen-russland-ermittlungen-101.html (accessed 4 September 2023).

[8] For example, the UK Financial Conduct Authority conducted 38 proactive reviews of firms’ sanctions compliance systems and controls in 2022/23 according to its annual report.

[9] European Council, Press Release, ‘EU sanctions: Council finalises position on law that aligns penalties for violations’, 9 June 2023, www.consilium.europa.eu/en/press/press-releases/2023/06/09/eu-sanctions-council-finalises-position-on-law-that-aligns-penalties-for-violations (accessed 4 September 2023).

[10] His Majesty’s Treasury and Office of Financial Sanctions Implementation, ‘OFSI enforcement and monetary penalties for breaches of financial sanctions Guidance’, updated June 2022.

[11] For example, the German Supply Chain Due Diligence Act 2023, the US Uyghur Forced Labour Prevention Act 2021, the Norwegian Transparency Act 2022, the UK Modern Slavery Act 2015 and the French Duty of Vigilance Law 2017.

[12] For example, the EU Corporate Sustainability Due Diligence Directive and the reform of the Australian Modern Slavery Act 2018.

[13] COM (2022) 71: Proposal for a Directive of the European Parliament and of the Council on Corporate Sustainability Due Diligence and amending Directive (EU) 2019/1937.

[14] National Cyber Security Centre, ‘Cyber experts warn of rising threat from irresponsible use of commercial hacking tools over the next five years’, 19 April 2023, www.ncsc.gov.uk/news/cyber-experts-warn-of-rising-threat-from-commercial-hacking-tools-over-the-next-five-years; Nicole Perlroth, ‘Cyberwarfare and state-sponsored hackers – the next global crisis?’, The Times, 25 February 2021, www.thetimes.co.uk/article/cyberwarfare-and-state-sponsored-hackers-the-next-global-crisis-2bw3xsxqv (web pages accessed 11 August 2023).

[15] GOV.UK, ‘Factsheet: failure to prevent fraud offence’, updated 20 June 2023, www.gov.uk/government/publications/economic-crime-and-corporate-transparency-bill-2022-factsheets/factsheet-failure-to-prevent-fraud-offence (accessed 11 August 2023). See also Chapter 3 on ‘US Compliance Requirements’ and Chapter 4 on ‘US Compliance Enforcement’.

[16] See Chapter 11 on ‘The Role of Audit and Monitoring in Compliance’.

[17] DOJ, Criminal Division, ‘Evaluation of Corporate Compliance Programs’, updated March 2023.

[18] Quote ascribed to Peter Drucker.

[19] US Department of Justice, ‘The Criminal Division’s Pilot Program Regarding Compensation Incentives and Clawbacks’, 3 March 2023.

[20] For example, the United Arab Emirates’ Federal Decree-Law No. 45 of 2021 and Oman’s Personal Data Protection Law.
