This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
The region has witnessed significant corporate investigations, substantive legal reform and aggressive enforcement in recent years. Although legislative developments and enforcement have been slowed down by the effect that covid-19 has had on the operation of government departments, the general trends of recent years are continuing. The Banking Royal Commission in Australia, corporate criminal liability provisions inspired by the UK Bribery Act across several jurisdictions in Asia and the omnipresent focus of the US Department of Justice (US DOJ) on China mean that companies in the region continue to face clear business risk. At the same time, covid-19 has resulted in an uptick in criminal activity in certain areas, such as money-laundering, cyber-related crimes and corruption. For example, the Australian Competition and Consumer Commission reported in June 2020 that business email compromise scams have caused the highest losses of all types of scams. This is a trend that has been replicated in other Asia-Pacific countries, such as China and Hong Kong, Thailand, Malaysia and Singapore, resulting in the theft of hundreds of millions of US dollars. And although the continued effects of the United States cannot be underplayed, national authorities continue to demonstrate an appetite for investigating and prosecuting large cases themselves. Partly as a result of this, there is a sustained increase in complex, multi-jurisdictional investigations. This highlights a further regional trend – increased co-operation between regulators in different jurisdictions. On a practical level, enhanced information sharing requires a coordinated response by investigated parties to manage competing requests for information, determine appropriate remedial steps and ultimately find solutions to conclude multiple investigations. In a region that combines civil law and common law jurisdictions, it is not surprising to find different approaches to data privacy and legal privilege. However, the challenges that this poses have been exacerbated by the introduction of a number of blocking statutes in China, prohibiting individuals and entities from providing information to criminal enforcement and regulatory authorities outside the country without the approval of Chinese authorities. This can lead to challenges for corporates and their advisers when conducting internal investigations and responding to external regulatory investigations. In this chapter, we highlight some of the overarching themes and developments that we have been seeing.
Areas of enforcement risk
Bribery and corruption remain core areas for law enforcement, with domestic and international agencies homing in on conduct in the region. National anti-corruption agencies in Australia, Indonesia, Malaysia and China have all bolstered their powers of investigation and oversight. In tandem, some governments (such as in Australia and China) have introduced more stringent corporate penalties. In terms of international enforcement, misconduct in China has long been the subject of more corporate bribery investigations under the US Foreign Corrupt Practices Act than any other jurisdiction. The US DOJ continues to pursue its China Initiative. This focuses on Chinese companies’ outbound activity and reflects the United States’ desire to pursue prosecution when Chinese companies’ offshore activities affect US national interests. Having said this, China’s focus on corruption-related enforcement continues unabated and corruption convictions have nearly doubled in the past year.
Money laundering, tax evasion, (accounting) fraud, competition and cybercrime are other key areas for corporate investigations in the Asia-Pacific region.
Anti-money laundering (AML) and counter-terrorism financing (CTF) have been under the spotlight. Although some country evaluations scheduled by the Financial Action Task Force (FATF) for 2020 have been delayed because of the covid-19 pandemic (e.g., Japan), FATF has published material setting out particular risks and policy responses relevant to covid-19 with regard to money laundering and terrorism financing. It is clear that law enforcement agencies continue to prioritise AML/CTF efforts, although some have shifted their focus to emerging covid-19 predicate offences, which is evidenced by, among other things, relevant guidance published by criminal enforcement and regulatory authorities in China, Hong Kong and Singapore. Many jurisdictions, including Hong Kong, Singapore, Vietnam, India and China continue to ramp up domestic AML legislation and corporate enforcement. The region’s focus on money laundering is best highlighted by hydra-styled investigations such as 1MDB, which started in Malaysia but has spread to the highest levels of public office and corporate business globally, including world-famous banks. Governments are pursuing regulatory and criminal actions against financial and other institutions for their failure to implement sufficient controls to monitor global transactions. Banks, in particular, are subject to increasing scrutiny through audits, examinations, inspections and investigations. The Monetary Authority of Singapore (MAS) has been particularly active in revoking licences and imposing significant fines during the past few years, and has continued to do so in 2020, including with regard to asset management and trust companies.
Tax evasion is another area in which there is heightened activity in the region. This has been led by the United States under its Foreign Account Tax Compliance Act and the aftermath of its Swiss bank programme, when the US DOJ announced that it would be following funds that are the subject of US tax evasion from Switzerland to financial centres in Asia, such as Hong Kong and Singapore. The pressure on taxpayers and financial institutions has been accelerated and broadened further by the Organisation for Economic Co-operation and Development’s Common Reporting Standard. The ‘follow the money’ initiatives that are being pursued by a number of jurisdictions, including the United States, have highlighted Asian financial centres as targets. An Indonesian tax amnesty – the aim of which was repatriating off-shore funds – is another obvious example, as a vast majority of the funds were located with banks in Singapore. The upshot is a further focus on banks in the region, with authorities in India, Australia and New Zealand showing an appetite for reviewing tax-sharing information to root out corporate tax evasion, particularly through multilateral treaties to prevent base erosion and profit shifting.
Fraud, particularly tax and accounting fraud, continue to occupy law enforcement too. There are a number of recent high-profile examples, including Wirecard (across several Asia-Pacific countries) and Kangmei Pharmaceutical Co, one of China’s biggest pharmaceutical companies. The latter resulted in the China Securities Regulatory Commission blacklisting six executives for their role in a US$4.2 billion accounting scandal.
Cybercrime has been a board-level issue for the past few years regardless of jurisdiction, but some of the biggest corporate investigations have touched on the Asia-Pacific region. Asia is considered relatively insecure in terms of infrastructure, meaning cyberattacks are more common. Singapore, one of the leading global digital economies, has become a target, particularly in the health sector. We have also seen a marked increase in state-sponsored cyberattacks, which has led to the first set of sanctions being introduced under the European Union’s new cyber sanctions regime. The sanctions were imposed in relation to individuals and organisations in North Korea, China and Russia. In response, domestic authorities and regulators have increased compliance and reporting requirements. This turns up the temperature on corporates, who must be ready for internal and external investigations emanating from cybercrime.
A shift from individual to corporate liability
Historically, enforcement agencies in the Asia-Pacific region have focused on individual criminal liability in the context of public sector bribery, often concentrating on prosecuting the government officials receiving the bribes. However, there have been some clear shifts in focus, demonstrated by legislative changes and statements made by enforcement agencies. The most uniform shift in a number of Asia-Pacific jurisdictions relates to the introduction of corporate criminal liability and accountability of senior management. Thailand, India, Japan, Singapore, Malaysia, Indonesia and China have all introduced legislation, making it easier either to attach corporate criminal liability or to penalise companies involved in bribery. Australia continues to review its corporate criminal responsibility regime. India, Indonesia, Malaysia and Thailand were all inspired by the UK Bribery Act section 7 corporate offence in crafting their own legislation, and the corporate liability regime has come into effect most recently in Malaysia on 1 June 2020. In simple terms, under these often still fairly new rules, companies may be held criminally liable if their employees or agents or otherwise ‘associated persons’ commit bribery or other criminal offences while acting on behalf, or for the benefit, of the company. As is the case under the UK Bribery Act, these rules take into account whether a company had adequate procedures in place to prevent the criminal offence when determining the company’s liability. Although some provisions are limited to bribery offences (e.g., in Malaysia and India), others are more broadly drafted to cover other criminal offences as well (e.g., in Indonesia). However, the new corporate criminal liability offence introduced in Vietnam covers tax evasion and money laundering offences and does not extend to bribery offences.
The corporate liability offences plug gaps in domestic regimes, give law enforcement and regulators greater powers, and ease the requirement of meeting the difficult threshold of showing involvement of the ‘directing mind and will’ of the company to establish corporate liability. Critically, there is increasing pressure on companies to put adequate procedures and controls in place to prevent bribery if they wish to escape liability for misconduct carried out by employees or agents when acting for the company.
The new corporate liability provisions in Malaysia and India make it clear that they cover foreign entities that carry on their business, or part of their business, in the jurisdiction. Indonesian laws go one step further and provide that a group company, including a parent or affiliate company, may be held criminally liable if it is considered to be involved in the bribery. As a result, companies operating in the region should ensure that appropriate internal control measures are in place or re-evaluate their measures so that they do comply with relevant domestic guidelines. The increased corporate exposure has also resulted in investors and, in some instances, lenders conducting heightened compliance-related due diligence on local companies before entering into a merger or a joint venture, or making an investment to gauge and manage their exposure.
Senior managers are also facing enhanced exposure to liability, putting their companies under additional compliance risk. A Senior Managers Regime, similar to the United Kingdom’s Senior Managers’ and Certification Regime, has been introduced in Hong Kong and Singapore to enable the financial sector to improve the individual accountability of senior managers. Anti-bribery provisions in Malaysian, Indian and Indonesian laws potentially extend criminal liability to senior management. This means that senior managers may be held liable for bribery committed under their watch when they are seen to have either proactively authorised or at least known of, and acquiesced in, bribery. Although largely untested at this stage, there is a risk that liability may be inferred when there is a suspicion of bribery and a senior manager does nothing to stop the bribery, or turns a blind eye to clear indications of bribery. Indonesian law potentially goes further, in that senior management may be held responsible for wrongdoing by employees or agents acting on behalf of a company simply based on their status.
Other trend shifts relate to broadening the focus to cover private sector bribery and supply-side bribery to an increasing extent. Notable illustrations of the former are the introduction of a private sector bribery offence in Vietnam and the fact that around 70 to 80 per cent of bribery-related prosecutions in Singapore and Hong Kong concern incidents within the private sector. Although public sector bribery is still considered to attract a higher level of enforcement risk, it is important not to lose sight of the criminality of private sector bribery. In jurisdictions that still ‘only’ provide for prohibitions on public sector bribery (e.g., India and Indonesia), the scope of who may be considered a public official is often extended. Further, recent legislative changes in India have introduced a supply-side bribery offence and officials at Indonesia’s anti-graft body, the Corruption Eradication Commission (KPK), have been issuing statements indicating that they intend to focus more on those who give bribes and not just on the public officials receiving bribes.
Culture has become a central tenet of, and compliance imperative for, corporate investigations in the region. Banks in particular have been facing a culture and conduct storm. The Banking Royal Commission in Australia illustrates the role of corporate culture at the meso (organisation) and macro (industry) levels. Further, regulatory and stock exchange authorities in Hong Kong and Singapore (i.e., the Hong Kong Monetary Authority, the MAS, the Singapore Exchange Regulation and the Stock Exchange of Hong Kong Limited) have published consultation papers in May, July and August 2020, reaffirming the regulators’ continued focus on culture and conduct, and keeping ‘bad apples’ out of financial institutions and public companies.
With most jurisdictions moving to disclosure-driven, risk-based systems, an assessment of corporate culture involves a top-down review to assess the readiness of a company to limit the occurrence of misconduct and its reaction to it once on notice. A failing corporate culture can be evidenced by any of the following: a lack of corporate policies and training, poor tone from the top, turning a blind eye, lack of personal accountability and express or tacit authorisation of poor conduct.
UK Bribery Act-inspired legislation in certain jurisdictions, particularly those with adequate procedures defences, highlights the growing relevance of corporate culture in Asia. Further, corporate culture continues to affect enforcement outcomes. For example, the US DOJ Criminal Division’s updated Guidance on the Evaluation of Corporate Compliance Programs helps to benchmark the effectiveness of a company’s compliance programme. The Guidance assists US authorities with decisions when conducting an investigation, determining whether to bring charges, or negotiating pleas or other arrangements. Whether in the United States, the Asia-Pacific region or elsewhere, the Guidance sets out useful prompts for a best practice compliance framework. Given the propensity of regulators to borrow from each other’s procedures and practices, it will also be of interest to companies subject to regulatory scrutiny, investigation or enforcement outside the United States, as a benchmark for appropriate remediation and resolution.
Guidance has also been issued by the Prime Minister’s Department in Malaysia, setting out anti-corruption programmes and procedures to be adopted by companies doing business in Malaysia. The guidance (which is similar to that issued in the United Kingdom under the Bribery Act 2010) describes an effective, risk-based compliance programme that minimises the risk of misconduct occurring and, where it does occur, mitigates the potential consequences for the company. However, when reviewing anti-corruption policies and procedures of listed companies, the Securities Commission Malaysia found that just under 60 per cent of listed companies had anti-corruption policies in place and most of these policies were not in line with the guidance.
Information-sharing and multi-jurisdictional investigations
It is rare for an allegation into corporate misconduct to remain a domestic affair, such is the global nature of modern commerce and communication. Regulators are ramping up cross-border co-operation and resolutions in response. Some very high-profile corporate investigations demonstrate how concurrent multi-jurisdictional investigations are now the norm. It is noteworthy in this context that cross-border information sharing between authorities is often informal and will not always follow formal and time-consuming procedures under mutual legal assistance treaties.
An example of where local enforcement action has followed and built on enforcement by US or UK authorities (or both) is the Rolls-Royce matter, in which the settlement covered allegations that Rolls-Royce bribed officials in multiple countries for more than 20 years. The British company’s alleged bribery of officials at airline company Garuda Indonesia and others was covered in the £671 million settlement that Rolls-Royce reached with the United Kingdom’s Serious Fraud Office (SFO), the US DOJ and Brazil’s Federal Prosecution Service in January 2017. Using information obtained from the SFO/US DOJ investigation, the KPK in Indonesia opened an investigation against several individuals at Garuda, including the company’s former president and chief executive officer, Emirsyah Satar. Mr Satar was convicted of accepting illicit payments totalling US$1.5 million and other items worth US$2 million and was sentenced to eight years in prison in May 2020. Garuda has commenced civil proceedings against Rolls-Royce for compensation in the Indonesian courts. Indian authorities, including the Central Bureau of Investigation, have also opened an investigation into the use by Rolls-Royce of third-party intermediaries to win contracts. A similar pattern has been playing out involving allegations of corruption, involving Airbus and executives of the Malaysian airline, AirAsia. Airbus entered into a deferred prosecution agreement (DPA) at the beginning of 2020 involving authorities in the United Kingdom, the United States and France requiring Airbus to make payments totalling €3.6 billion. Shortly after that, the Malaysian Anti-Corruption Commission initiated an investigation against executives of AirAsia with regard to the alleged acceptance of bribes and has been in touch with the SFO seeking relevant information.
GlaxoSmithKline plc (GSK) is another famous example of a global brand being caught up in bribery in Asia, leading to investigations and charges in multiple jurisdictions. Between 2004 and 2010, GSK’s sales teams in China were alleged to have bribed doctors to prescribe GSK products. A Chinese court fined GSK China a record 3 billion yuan (US$492 million) for bribery in 2014. The former head of GSK China and four other former GSK senior executives were also found guilty, and GSK China’s financial compliance and legal departments were found to have been complicit. Related international investigations have been carried out in the United States by the DOJ and the Securities Exchange Commission (SEC) for potential violations of the Foreign Corrupt Practices Act, and in the United Kingdom by the SFO for possible breaches of the Bribery Act. The US investigation ended in a settlement in October 2016, with GSK paying the US SEC a US$20 million civil fine. The US DOJ and the SFO later declined to prosecute.
Privilege and data privacy: complexities in the Asia-Pacific region
With a mixture of common law and civil law jurisdictions, law enforcement agencies and regulators in the region adopt very different approaches to legal professional privilege and data protection. For example, China, Japan, Korea, Indonesia, Thailand and Vietnam do not recognise legal privilege, but lawyers owe duties of confidentiality over documents provided to them by their clients. However, this can be overridden by authorities in investigations.
In contrast, common law jurisdictions such as Hong Kong, Singapore, Malaysia, India, Australia and New Zealand all recognise legal privilege to a greater or lesser extent. In general, internal investigation notes and investigation reports produced in the context of corporate investigations may be covered by legal privilege and protected from disclosure in common law jurisdictions, depending on the extent of involvement of either internal or external lawyers in the investigation process. In the same vein, there is a basis for pushing back against seizure of privileged material during dawn raids or other inspections by authorities and regulators. This does not apply in civil law jurisdictions, meaning that in cross-border investigations, the approach of authorities and regulators on the question of legal privilege can be diametrically opposed. Corporates and their lawyers will often try to assert legal privilege in civil law jurisdictions, expecting it to be claimed as part of a broader regional investigation in which common law jurisdictions are also involved. However, this will not prevent documents and data being seized or handed over to authorities and regulators in civil law jurisdictions. These bodies could potentially then share the evidence with authorities and regulators overseas, resulting in a broader loss of privilege protection.
A related issue is data privacy. In the context of cross-border investigations, the extent to which Asian countries restrict data transfers offshore varies. India, for example, is in the process of introducing a Bill that, if passed, will introduce comprehensive protections for personal data modelled on the European Union’s General Data Protection Regulation (GDPR). However, the draft law also includes data localisation provisions that require ‘sensitive’ and ‘critical’ personal data to be stored onshore. New Zealand has also passed amendments to its Privacy Act, which came into force in December 2020. The changes will bolster New Zealand’s data privacy regime by, for example, introducing mandatory data breach reporting and restrictions on offshore transfers. However, China and Korea have already imposed very strict data protection requirements in the past few years, and China is continuing to build restrictions under its cybersecurity and data security laws. State secrets laws are usually also engaged in China, preventing the transfer offshore of documents that may contain politically sensitive information. However, more recently, China published a new draft Data Security Law for consultation, which provides significant additional restrictions and requirements, including a prohibition on providing data stored within China to foreign law enforcement authorities, without the prior approval of the Chinese authorities. In practice, most multinational companies in the region tend to seek employee consent for data use and transfer at the onboarding stage. However, these may not suffice under local laws, which should always be checked. For example, the prohibition contained in the draft Data Security Law in China will apply regardless of consent provided by a data subject and, in any event, applies to data more generally (i.e., not to personal data in particular). Personal data will be protected by another law, namely the proposed Personal Information Protection Law.
The extraterritorial nature of the GDPR adds a further potential layer of complexity for corporates operating in the Asia-Pacific region, since many have branches or processing operations within the European Union. The substantial fines that may be issued under the GDPR are a sober warning to all companies, regardless of location. Ensuring that the processing of data complies with the GDPR, where it applies, is a commercial imperative. In the context of investigations, the GDPR, in line with most domestic data privacy laws, gives authorities the right to receive personal data from investigated companies, or other authorities, in the context of regulatory criminal investigations. In internal investigations, a combination of processing conditions under the GDPR and local data privacy law exemptions and derogations (where applicable) will dictate whether transfers are permissible. This needs to be assessed in each individual case and will remain an area of interest in investigations in the region.
Increased pressure and incentives to co-operate
The Asia-Pacific region has seen the emergence of corporate settlement regimes in recent years. As seen in the United States and the United Kingdom, DPA regimes create strong incentives for self-disclosure by companies, and those that disclose, co-operate and remediate may avoid prosecution in favour of fines or monitorship. However, they have also been criticised as providing an ability to companies to ‘buy’ their way out of ‘meaningful punishment’. This criticism has been directed at the Crimes Legislation Amendment (Combatting Corporate Crime) Bill 2019 by Australian Labor Party senators after it was reintroduced to the Senate at the end of 2019. The Australian Law Reform Commission has recently recommended some changes to the proposed regime to provide for judicial oversight.
These voluntary self-reporting regimes are to be differentiated from statutory reporting obligations that exist under many anti-money laundering laws across the region and in some jurisdictions in relation to certain predicate offences. Anti-money laundering laws may require the reporting of a suspicion of criminal proceeds flowing from a criminal act such as bribery. Laws in Malaysia and Vietnam go further and require the reporting of a bribery offence (regardless of whether the offence has resulted in criminal proceeds). The failure to report will often constitute a criminal offence in itself, and reporting obligations will need to be kept in mind whenever potential criminal misconduct is being investigated.
In anticipation of a new DPA regime in Australia, various authorities, including the Federal Police, have issued self-reporting guidelines to assist corporations that wish to self-report actual or suspected foreign bribery offences. Self-reporting (and co-operation) will be taken into account both in deciding whether to prosecute and, if prosecuted, as a mitigating factor during sentencing. Early guilty pleas by a company may also result in significant reductions in sentencing. New Zealand’s regime falls short of a DPA system, but certain agencies, such as the Financial Markets Authority, may obtain ‘enforceable undertakings’ that help companies avoid prosecution.
Financial regulators such as the Securities and Futures Commission in Hong Kong, in limited circumstances, entertain negotiation resulting in reduced sanctions or declinations to prosecute. India and China have no non-prosecution agreement or DPA system, although in practice, self-reporting and co-operation may be taken into account in mitigation.
DPAs were introduced in Singapore in late 2018. This followed on the heels of the first multi-jurisdictional DPA entered into with the US DOJ involving Singaporean authorities. This was a rare example of a Singapore company being penalised by the Singapore authorities under national anti-bribery laws for bribery committed abroad. It was by far the highest penalty levied against a Singapore company and was the first DPA involving co-operation between the Brazil, Singapore and US authorities. Singapore’s DPA regime is similar to that of the United Kingdom, except that Singapore DPAs cover a more limited range of criminal offences and Singapore prosecutors are not required to issue guidelines on when a DPA is appropriate and on what ‘discounts’ may be offered in the case of self-reporting, meaning that prosecutors retain maximum flexibility. Further, the Singapore DPA regime is unusual in that, unlike other jurisdictions with a DPA regime, Singapore has not yet introduced a corporate bribery offence, which means that there is likely to be less of an incentive to self-report and seek a DPA.
In Japan, a plea bargaining regime was introduced in June 2018. Unlike DPAs, this regime applies to individuals rather than companies. Suspects and defendants will be rewarded with leniency if they co-operate by providing information or evidence in resolving another person’s crimes or by giving depositions against partners in crime (including corporates). This is likely to lead to an uptick in corporate investigations, as individuals become incentivised to inform the authorities about the activities of others, including their employers.
Whistleblowing regimes are a corollary of DPAs; both encourage early notification and co-operation. Australia has introduced new whistleblower protection laws, which came into effect on 1 July 2019. These strengthen protection and compensation for whistleblowers and impose on regulated companies the requirement to implement corporate whistleblowing frameworks, including confidentiality and non-retaliation provisions. India passed a Whistleblowing Act in 2014 but it has not yet been brought into effect. Long-awaited amendments were introduced to Japan’s whistleblowing law in June 2020 to address criticism that its current law had no teeth, owing to the lack of sanctions on companies that treat whistleblowers unfairly. Although the amendments introduce additional protective elements, such as a duty to protect confidentiality, extend the scope of the law to former employees and provide for a duty to establish a reporting mechanism, there is still no provision for penalising companies that retaliate against a whistleblowing employee. Hong Kong and Singapore still lack dedicated whistleblower legislation, but do have provisions in a patchwork of laws and regulatory requirements to protect whistleblowers in certain circumstances. China’s whistleblower legislation goes further than most in the region in including a reward mechanism for whistleblowers who report crimes to people’s procuratorates. Various other financial reward schemes are scattered in sector-specific regulations. However, this does not compare to the huge financial incentives and bounties available in the United States under the Dodd-Frank Act. Regardless of incentives and protections, in Asia at least, there remain cultural and hierarchical norms that often militate against blowing the whistle and reporting up. These may mean that new legislation has limited traction, but time will tell.